Will TLSv1.3 always send session ticket?
As I can read from the documents mentioned below, "or not at all" worries me. Is there a situation when a session ticket is not sent at all (other than when reused)?

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_sess_set_new_cb.html

> Note that in TLSv1.3, sessions are established after the main handshake has completed. The server decides when to send the client the session information and this may occur some time after the end of the handshake (or not at all).

https://wiki.openssl.org/index.php/TLS1.3#Sessions

> In TLSv1.3 sessions are not established until after the main handshake has completed. The server sends a separate post-handshake message to the client containing the session details. Typically this will happen soon after the handshake has completed, but it could be sometime later (or not at all).
Re: Getting SSL_SESSION remaining lifetime
On Thu, Sep 16, 2021 at 08:11:44AM +0530, Jaya Muthiah wrote:

> I am trying to get the remaining lifetime of the ticket so that server can
> decide to renew ticket or not

In Postfix, I rotate ticket keys every hour, and sessions are valid for two hours. For the first hour when they were issued by the current ticket key the ticket is accepted without forcing a new ticket to be generated. During the second hour when accepting tickets signed by the previous key, a fresh ticket is generated.

I don't rely on OpenSSL to tell me the ticket age, it is implied by the key id. Since ticket keys should be rotated anyway, something like that might also work for you.

What I haven't yet built is a mechanism to rotate keys consistently across multiple machines in a load-balancer pool. That would be generally useful.

-- 
    Viktor.
SSL_SESSION - sending custom data to the client
Is it possible to send custom data to the client along with the ticket? I tried using SSL_SESSION_set1_ticket_appdata but it didn't work.
Getting SSL_SESSION remaining lifetime
I am trying to get the remaining lifetime of the ticket so that server can decide to renew ticket or not. I have defined callback like this, and it is working. However, the SSL_SESSION_get_ticket_lifetime_hint() always returns zero.

    #include <openssl/ssl.h>

    /* registered on the server context; ticket_gen_cb is defined elsewhere */
    SSL_CTX_set_session_ticket_cb(ctx->ctx, ticket_gen_cb, ticket_dec_cb, NULL);

    SSL_TICKET_RETURN ticket_dec_cb(SSL *s, SSL_SESSION *ss,
                                    const unsigned char *keyname, size_t keyname_len,
                                    SSL_TICKET_STATUS status, void *arg)
    {
        SSL_TICKET_RETURN res;
        int lifetime = 0;

        switch (status) {
        case SSL_TICKET_EMPTY:
        case SSL_TICKET_NO_DECRYPT:
            /* no usable ticket: full handshake, then send a new ticket */
            res = SSL_TICKET_RETURN_IGNORE_RENEW;
            break;
        case SSL_TICKET_SUCCESS:
            //get_session_ticket_appdata(ssl, ssl_session);
            res = SSL_TICKET_RETURN_USE;
            break;
        case SSL_TICKET_SUCCESS_RENEW:
            /* this is where the hint always comes back as zero */
            lifetime = SSL_SESSION_get_ticket_lifetime_hint(ss);
            //res = SSL_TICKET_RETURN_USE_RENEW; // generate new ticket
            res = SSL_TICKET_RETURN_USE;        // reuse old
            break;
        default:
            res = SSL_TICKET_RETURN_IGNORE;
        }
        return res;
    }

Is this the right way? Can someone help please?
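As an added illustration of the key-id approach from Viktor's reply (not code from the thread, from Postfix or from OpenSSL), here is a small Python model: the server keeps only the current and the previous hourly ticket key, and both the verdict the decrypt callback returns and the remaining lifetime the question above asks for follow from which key id is on the ticket. The real ticket encryption is left to OpenSSL; the model only authenticates a constructed payload with HMAC, and the SSL_TICKET_RETURN_* strings are stand-ins for the enum.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROTATE_SECS = 3600                   # a fresh ticket key every hour
SESSION_LIFETIME = 2 * ROTATE_SECS   # a key is dropped after two rotations
KEY_NAME_LEN = 16                    # OpenSSL ticket key names are 16 bytes
TAG_LEN = 32                         # HMAC-SHA256 tag

# Stand-ins for the SSL_TICKET_RETURN_* verdicts a decrypt callback returns.
USE = "SSL_TICKET_RETURN_USE"                    # accept, keep the old ticket
USE_RENEW = "SSL_TICKET_RETURN_USE_RENEW"        # accept, hand out a fresh ticket
IGNORE_RENEW = "SSL_TICKET_RETURN_IGNORE_RENEW"  # full handshake, then a new ticket


@dataclass
class TicketKey:
    name: bytes       # key id embedded in every ticket this key protects
    mac_key: bytes
    created_at: int   # seconds; ticket age is inferred from this, not stored


class TicketKeyRing:
    """Current plus previous hourly ticket key, as in Viktor's Postfix setup."""

    def __init__(self, now: int) -> None:
        self.current = self._fresh_key(now)
        self.previous: Optional[TicketKey] = None
        self.rotated_at = now

    @staticmethod
    def _fresh_key(now: int) -> TicketKey:
        return TicketKey(os.urandom(KEY_NAME_LEN), os.urandom(32), now)

    def rotate_if_due(self, now: int) -> None:
        # One rotation per elapsed hour. The old "previous" key falls off, so
        # nothing issued more than SESSION_LIFETIME ago can be validated.
        while now - self.rotated_at >= ROTATE_SECS:
            self.rotated_at += ROTATE_SECS
            self.previous = self.current
            self.current = self._fresh_key(self.rotated_at)

    def _lookup(self, name: bytes) -> Tuple[Optional[TicketKey], str]:
        for key, verdict in ((self.current, USE), (self.previous, USE_RENEW)):
            if key is not None and hmac.compare_digest(key.name, name):
                return key, verdict
        return None, IGNORE_RENEW   # unknown key id: expired, or another host's key

    def issue(self, session_state: bytes, now: int) -> bytes:
        """Ticket generation side: the ticket carries the issuing key's name."""
        self.rotate_if_due(now)
        key = self.current
        tag = hmac.new(key.mac_key, session_state, hashlib.sha256).digest()
        return key.name + tag + session_state

    def decrypt_cb(self, ticket: bytes, now: int) -> Tuple[str, Optional[bytes]]:
        """Models ticket_dec_cb: the verdict depends only on which key id matched."""
        self.rotate_if_due(now)
        name, tag = ticket[:KEY_NAME_LEN], ticket[KEY_NAME_LEN:KEY_NAME_LEN + TAG_LEN]
        state = ticket[KEY_NAME_LEN + TAG_LEN:]
        key, verdict = self._lookup(name)
        if key is None:
            return IGNORE_RENEW, None
        expected = hmac.new(key.mac_key, state, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return IGNORE_RENEW, None   # known key but bad MAC: treat as undecryptable
        return verdict, state

    def remaining_lifetime(self, ticket: bytes, now: int) -> int:
        """What the original question asked for, implied by the key id alone."""
        self.rotate_if_due(now)
        key, _ = self._lookup(ticket[:KEY_NAME_LEN])
        return 0 if key is None else max(0, key.created_at + SESSION_LIFETIME - now)


def walk_through() -> List[str]:
    """Constructed timeline following one ticket for a little over two hours."""
    ring = TicketKeyRing(now=0)
    ticket = ring.issue(b"constructed-session-state", now=600)    # 00:10, key 1
    verdicts = [ring.decrypt_cb(ticket, now=1800)[0]]              # 00:30, key 1 current
    verdict, state = ring.decrypt_cb(ticket, now=4500)             # 01:15, key 1 previous
    verdicts.append(verdict)
    renewed = ring.issue(state, now=4500)                          # fresh ticket, key 2
    verdicts.append(ring.decrypt_cb(ticket, now=7500)[0])          # 02:05, key 1 gone
    verdicts.append(ring.decrypt_cb(renewed, now=7500)[0])         # key 2 now previous
    return verdicts
```

Because the verdict is a pure function of the key ring, the same rule works whether the ticket arrives on this host or on a pool member that shares the rotation schedule.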
Re: Reducing the footprint of a simple application
Jakob,

That's reasonable, although I wouldn't use the word "low" to describe it. I did try to include 10.1.2 from NIST's SP 800-90C but it didn't make it. There is nothing preventing the use of the existing DRBGs with longer digests which could increase number of bits.

Pauli

On 15/9/21 11:34 pm, Jakob Bohm via openssl-users wrote:
> On 2021-09-14 12:14, Dr Paul Dale wrote:
>> ...low security RNGs and other antifeatures.
> Huh Where? Why plural? The only **one** I'm aware of is the one I added to stochastically flush the property cache where it doesn't need to be cryptographically secure.
>
> Some applications need more than 256 independent random bits to satisfy their security design. Some of the newer RNGs in OpenSSL presume otherwise in their government design.
>
> Enjoy
>
> Jakob
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
Great, thanks!

On 15 September 2021 17:07:59 BST, Matt Caswell wrote:
> On 15/09/2021 16:57, Matt Caswell wrote:
>> On 15/09/2021 16:50, Kris Kwiatkowski wrote:
>>> Can you point to instructions on how to load provider it into OpenSSL?
>>>
>>> Is there something similar to "[engine_section]", that can be used to configure loading from openssl.conf?
>>
>> Yes. See the "config" man page here:
>>
>> https://www.openssl.org/docs/man3.0/man5/config.html
>
> And here are some simple config files that do this:
>
> https://github.com/openssl/openssl/blob/master/test/default.cnf
> https://github.com/openssl/openssl/blob/master/test/default-and-fips.cnf
> https://github.com/openssl/openssl/blob/master/test/default-and-legacy.cnf
> https://github.com/openssl/openssl/blob/master/test/fips-and-base.cnf
> https://github.com/openssl/openssl/blob/master/test/fips.cnf
>
> Matt
>
>> In particular look at the section "Provider Configuration"
>>
>> You can also load providers through the API. See:
>>
>> https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_load.html
>>
>> Matt
>>
>>> BR,
>>> Kris
>>>
>>> On 9/15/21 4:39 PM, Matt Caswell wrote:
>>>> Another, slightly more complicated, but fully self contained provider is here:
>>>>
>>>> https://github.com/openssl/openssl/blob/master/test/tls-provider.c
>>>>
>>>> And another one here:
>>>>
>>>> https://github.com/openssl/openssl/blob/master/test/p_test.c
>>>>
>>>> A minimal bare bones provider is here:
>>>>
>>>> https://github.com/openssl/openssl/blob/master/providers/nullprov.c
>>>>
>>>> The legacy provider is also worth looking at:
>>>>
>>>> https://github.com/openssl/openssl/blob/master/providers/legacyprov.c
>>>>
>>>> Matt
>>>>
>>>> On 15/09/2021 13:26, Petr Gotthard wrote:
>>>>> Shiva,
>>>>> you may also have a look at the https://github.com/provider-corner/vigenere
>>>>> That's (as far as I know) the most simple provider implementation available.
>>>>>
>>>>> Petr
>>>>>
>>>>> -----Original Message-----
>>>>> From: openssl-users On Behalf Of Tomas Mraz
>>>>> Sent: Wednesday, September 15, 2021 2:18 PM
>>>>> To: Shivakumar Poojari; openssl-users@openssl.org
>>>>> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
>>>>> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>>>>>
>>>>> I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.
>>>>>
>>>>> This is the starting point:
>>>>> https://www.openssl.org/docs/man3.0/man7/provider.html
>>>>>
>>>>> There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.
>>>>>
>>>>> I'd recommend looking at some of the test sources in the tests directory for some code examples.
>>>>>
>>>>> Tomas
>>>>>
>>>>> On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
>>>>>> Hi Tomas,
>>>>>> As Engine function are deprecated I tried using providers
>>>>>>
>>>>>> But how to use providers to get engine functionality tried in man pages
>>>>>>
>>>>>> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>>>>>>
>>>>>> Struggling in understand the providers
>>>>>>
>>>>>> Please share the sample program and the links to understand the providers
>>>>>>
>>>>>> Thanks,
>>>>>> shiva kumar

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: OpenSSL session reuse does not work with TLS_client_method()
On Wed, Sep 15, 2021 at 05:26:51PM +0530, Jaya Muthiah wrote:

> I am trying to reuse SSL_SESSION as below, it works fine when I use
> TLSv1_2_client_method() to create context. However, it does not work
> when I use TLS_client_method().
> [...]
>     if (SSL_connect(ssl) != 1) { return -1; }
>     int reused = SSL_session_reused(ssl);
>     ssl_session = SSL_get1_session(ssl); // for future connections

That's because with TLS_client_method() you end up negotiating TLS 1.3, and with TLS 1.3 session tickets are sent by servers *after* the completion of the handshake. A TLS 1.3 session saved manually, immediately at the completion of the handshake will have no session tickets, and will not be able to perform resumption.

The robust way to save the session state for resumption is to implement the session callbacks. For example, in Postfix, you'll find:

    SSL_CTX_set_session_cache_mode(client_ctx,
                                   SSL_SESS_CACHE_CLIENT |
                                   SSL_SESS_CACHE_NO_INTERNAL_STORE |
                                   SSL_SESS_CACHE_NO_AUTO_CLEAR);
    SSL_CTX_sess_set_new_cb(client_ctx, new_client_session_cb);

    static int new_client_session_cb(SSL *ssl, SSL_SESSION *session)
    {
        ...
        /*
         * The cache name (if caching is enabled in tlsmgr(8)) and the cache ID
         * string for this session are stored in the TLScontext. It cannot be
         * null at this point.
         */
        if ((TLScontext = SSL_get_ex_data(ssl, TLScontext_index)) == 0)
            msg_panic("%s: null TLScontext in new session callback", myname);
        ...
    }

-- 
    Viktor.

[ We all miss the little details sometimes, but I'd have expected Matt to not miss this one... ]
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
On 15/09/2021 16:57, Matt Caswell wrote:
> On 15/09/2021 16:50, Kris Kwiatkowski wrote:
>> Can you point to instructions on how to load provider it into OpenSSL?
>>
>> Is there something similar to "[engine_section]", that can be used to configure loading from openssl.conf?
>
> Yes. See the "config" man page here:
>
> https://www.openssl.org/docs/man3.0/man5/config.html

And here are some simple config files that do this:

https://github.com/openssl/openssl/blob/master/test/default.cnf
https://github.com/openssl/openssl/blob/master/test/default-and-fips.cnf
https://github.com/openssl/openssl/blob/master/test/default-and-legacy.cnf
https://github.com/openssl/openssl/blob/master/test/fips-and-base.cnf
https://github.com/openssl/openssl/blob/master/test/fips.cnf

Matt

> In particular look at the section "Provider Configuration"
>
> You can also load providers through the API. See:
>
> https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_load.html
>
> Matt
>
>> BR,
>> Kris
>>
>> On 9/15/21 4:39 PM, Matt Caswell wrote:
>>> Another, slightly more complicated, but fully self contained provider is here:
>>>
>>> https://github.com/openssl/openssl/blob/master/test/tls-provider.c
>>>
>>> And another one here:
>>>
>>> https://github.com/openssl/openssl/blob/master/test/p_test.c
>>>
>>> A minimal bare bones provider is here:
>>>
>>> https://github.com/openssl/openssl/blob/master/providers/nullprov.c
>>>
>>> The legacy provider is also worth looking at:
>>>
>>> https://github.com/openssl/openssl/blob/master/providers/legacyprov.c
>>>
>>> Matt
>>>
>>> On 15/09/2021 13:26, Petr Gotthard wrote:
>>>> Shiva,
>>>> you may also have a look at the https://github.com/provider-corner/vigenere
>>>> That's (as far as I know) the most simple provider implementation available.
>>>>
>>>> Petr
>>>>
>>>> -----Original Message-----
>>>> From: openssl-users On Behalf Of Tomas Mraz
>>>> Sent: Wednesday, September 15, 2021 2:18 PM
>>>> To: Shivakumar Poojari; openssl-users@openssl.org
>>>> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
>>>> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>>>>
>>>> I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.
>>>>
>>>> This is the starting point:
>>>> https://www.openssl.org/docs/man3.0/man7/provider.html
>>>>
>>>> There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.
>>>>
>>>> I'd recommend looking at some of the test sources in the tests directory for some code examples.
>>>>
>>>> Tomas
>>>>
>>>> On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
>>>>> Hi Tomas,
>>>>> As Engine function are deprecated I tried using providers
>>>>>
>>>>> But how to use providers to get engine functionality tried in man pages
>>>>>
>>>>> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>>>>>
>>>>> Struggling in understand the providers
>>>>>
>>>>> Please share the sample program and the links to understand the providers
>>>>>
>>>>> Thanks,
>>>>> shiva kumar
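An added sketch (not one of the OpenSSL test files linked above, and not from the thread) of what the provider sections that take the place of [engine_section] look like in openssl.cnf. The provider name myprov and the module path are placeholders; the one practical trap it shows is that listing any provider switches off the implicit loading of the default provider.

```ini
# Must sit in the unnamed top section, before any [section] header.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

# The keys here are the provider names; each points at its own section.
[provider_sect]
default = default_sect
legacy = legacy_sect
myprov = myprov_sect

# As soon as this section activates anything, the default provider is no
# longer loaded on its own: leave it out and AES, SHA-2 etc. disappear.
[default_sect]
activate = 1

# Needed for algorithms such as MD4 or RC4 that 3.0 moved out of "default".
[legacy_sect]
activate = 1

# A third-party provider (the vigenere one from the thread would go here).
# "module" is optional when the .so lives in the directory printed by
# "openssl version -m"; the path below is a placeholder.
[myprov_sect]
module = /path/to/vigenere.so
activate = 1
```

With the file in place, "openssl list -providers" shows which providers were actually activated, which is the quickest way to confirm the configuration took effect.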
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
On 15/09/2021 16:50, Kris Kwiatkowski wrote:
> Can you point to instructions on how to load provider it into OpenSSL?
>
> Is there something similar to "[engine_section]", that can be used to configure loading from openssl.conf?

Yes. See the "config" man page here:

https://www.openssl.org/docs/man3.0/man5/config.html

In particular look at the section "Provider Configuration"

You can also load providers through the API. See:

https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER_load.html

Matt

> BR,
> Kris
>
> On 9/15/21 4:39 PM, Matt Caswell wrote:
>> Another, slightly more complicated, but fully self contained provider is here:
>>
>> https://github.com/openssl/openssl/blob/master/test/tls-provider.c
>>
>> And another one here:
>>
>> https://github.com/openssl/openssl/blob/master/test/p_test.c
>>
>> A minimal bare bones provider is here:
>>
>> https://github.com/openssl/openssl/blob/master/providers/nullprov.c
>>
>> The legacy provider is also worth looking at:
>>
>> https://github.com/openssl/openssl/blob/master/providers/legacyprov.c
>>
>> Matt
>>
>> On 15/09/2021 13:26, Petr Gotthard wrote:
>>> Shiva,
>>> you may also have a look at the https://github.com/provider-corner/vigenere
>>> That's (as far as I know) the most simple provider implementation available.
>>>
>>> Petr
>>>
>>> -----Original Message-----
>>> From: openssl-users On Behalf Of Tomas Mraz
>>> Sent: Wednesday, September 15, 2021 2:18 PM
>>> To: Shivakumar Poojari; openssl-users@openssl.org
>>> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
>>> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>>>
>>> I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.
>>>
>>> This is the starting point:
>>> https://www.openssl.org/docs/man3.0/man7/provider.html
>>>
>>> There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.
>>>
>>> I'd recommend looking at some of the test sources in the tests directory for some code examples.
>>>
>>> Tomas
>>>
>>> On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
>>>> Hi Tomas,
>>>> As Engine function are deprecated I tried using providers
>>>>
>>>> But how to use providers to get engine functionality tried in man pages
>>>>
>>>> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>>>>
>>>> Struggling in understand the providers
>>>>
>>>> Please share the sample program and the links to understand the providers
>>>>
>>>> Thanks,
>>>> shiva kumar
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
Can you point to instructions on how to load provider it into OpenSSL?

Is there something similar to "[engine_section]", that can be used to configure loading from openssl.conf?

BR,
Kris

On 9/15/21 4:39 PM, Matt Caswell wrote:
> Another, slightly more complicated, but fully self contained provider is here:
>
> https://github.com/openssl/openssl/blob/master/test/tls-provider.c
>
> And another one here:
>
> https://github.com/openssl/openssl/blob/master/test/p_test.c
>
> A minimal bare bones provider is here:
>
> https://github.com/openssl/openssl/blob/master/providers/nullprov.c
>
> The legacy provider is also worth looking at:
>
> https://github.com/openssl/openssl/blob/master/providers/legacyprov.c
>
> Matt
>
> On 15/09/2021 13:26, Petr Gotthard wrote:
>> Shiva,
>> you may also have a look at the https://github.com/provider-corner/vigenere
>> That's (as far as I know) the most simple provider implementation available.
>>
>> Petr
>>
>> -----Original Message-----
>> From: openssl-users On Behalf Of Tomas Mraz
>> Sent: Wednesday, September 15, 2021 2:18 PM
>> To: Shivakumar Poojari; openssl-users@openssl.org
>> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
>> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>>
>> I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.
>>
>> This is the starting point:
>> https://www.openssl.org/docs/man3.0/man7/provider.html
>>
>> There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.
>>
>> I'd recommend looking at some of the test sources in the tests directory for some code examples.
>>
>> Tomas
>>
>> On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
>>> Hi Tomas,
>>> As Engine function are deprecated I tried using providers
>>>
>>> But how to use providers to get engine functionality tried in man pages
>>>
>>> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>>>
>>> Struggling in understand the providers
>>>
>>> Please share the sample program and the links to understand the providers
>>>
>>> Thanks,
>>> shiva kumar
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
Another, slightly more complicated, but fully self contained provider is here:

https://github.com/openssl/openssl/blob/master/test/tls-provider.c

And another one here:

https://github.com/openssl/openssl/blob/master/test/p_test.c

A minimal bare bones provider is here:

https://github.com/openssl/openssl/blob/master/providers/nullprov.c

The legacy provider is also worth looking at:

https://github.com/openssl/openssl/blob/master/providers/legacyprov.c

Matt

On 15/09/2021 13:26, Petr Gotthard wrote:
> Shiva,
> you may also have a look at the https://github.com/provider-corner/vigenere
> That's (as far as I know) the most simple provider implementation available.
>
> Petr
>
> -----Original Message-----
> From: openssl-users On Behalf Of Tomas Mraz
> Sent: Wednesday, September 15, 2021 2:18 PM
> To: Shivakumar Poojari; openssl-users@openssl.org
> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
> Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>
> I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.
>
> This is the starting point:
> https://www.openssl.org/docs/man3.0/man7/provider.html
>
> There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.
>
> I'd recommend looking at some of the test sources in the tests directory for some code examples.
>
> Tomas
>
> On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
>> Hi Tomas,
>> As Engine function are deprecated I tried using providers
>>
>> But how to use providers to get engine functionality tried in man pages
>>
>> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>>
>> Struggling in understand the providers
>>
>> Please share the sample program and the links to understand the providers
>>
>> Thanks,
>> shiva kumar
Re: OpenSSL session reuse does not work with TLS_client_method()
Was the original connection that you obtained the session from cleanly closed down? From the man pages:

"A session will be automatically removed from the session cache and marked as non-resumable if the connection is not closed down cleanly, e.g. if a fatal error occurs on the connection or SSL_shutdown(3) is not called prior to SSL_free(3)."

https://www.openssl.org/docs/man1.1.1/man3/SSL_get_session.html

You can check whether a session is valid for resumption using SSL_SESSION_is_resumable():

https://www.openssl.org/docs/man1.1.1/man3/SSL_SESSION_is_resumable.html

Matt

On 15/09/2021 12:56, Jaya Muthiah wrote:
> I am trying to reuse SSL_SESSION as below, it works fine when I use TLSv1_2_client_method() to create context. However, it does not work when I use TLS_client_method().
>
>     if (!SSL_set_session(ssl, ssl_session)) {
>         // code never reaches here so SSL_set_session is successful
>     }
>     if (SSL_connect(ssl) != 1) {
>         return -1;
>     }
>     int reused = SSL_session_reused(ssl);   // always returns zero for TLS_client_method()
>     ssl_session = SSL_get1_session(ssl);    // for future connections
>
> Above code works fine with TLSv1_2_client_method() and SSL_session_reused() returns 1, handshake time is also reduced considerably. However, if I use TLS_client_method(), reuse does not work and SSL_session_reused() returns zero.
>
> Any idea what is wrong? OpenSSL version is 1.1.1g
Re: Reducing the footprint of a simple application
On 2021-09-14 12:14, Dr Paul Dale wrote:
> ...low security RNGs and other antifeatures.

Huh Where? Why plural? The only **one** I'm aware of is the one I added to stochastically flush the property cache where it doesn't need to be cryptographically secure.

Some applications need more than 256 independent random bits to satisfy their security design. Some of the newer RNGs in OpenSSL presume otherwise in their government design.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
Shiva,
you may also have a look at the https://github.com/provider-corner/vigenere
That's (as far as I know) the most simple provider implementation available.

Petr

-----Original Message-----
From: openssl-users On Behalf Of Tomas Mraz
Sent: Wednesday, September 15, 2021 2:18 PM
To: Shivakumar Poojari; openssl-users@openssl.org
Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
Subject: Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0

I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.

This is the starting point:
https://www.openssl.org/docs/man3.0/man7/provider.html

There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.

I'd recommend looking at some of the test sources in the tests directory for some code examples.

Tomas

On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
> Hi Tomas,
> As Engine function are deprecated I tried using providers
>
> But how to use providers to get engine functionality tried in man pages
>
> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>
> Struggling in understand the providers
>
> Please share the sample program and the links to understand the providers
>
> Thanks,
> shiva kumar
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
I am sorry but as I said providers are not a direct replacement for ENGINEs. It is a completely different implementation of the same concept of pluggable cryptographical modules for OpenSSL. You can look at the OpenSSL manual pages for the providers.

This is the starting point:
https://www.openssl.org/docs/man3.0/man7/provider.html

There is no tutorial as for how to implement your own provider. And as I said on the application side if the application loads an OpenSSL configuration file the providers loaded can be configured via the config file and does not require any explicit API calls from the application.

I'd recommend looking at some of the test sources in the tests directory for some code examples.

Tomas

On Wed, 2021-09-15 at 10:34 +, Shivakumar Poojari wrote:
> Hi Tomas,
> As Engine function are deprecated I tried using providers
>
> But how to use providers to get engine functionality tried in man pages
>
> Some sample program will help, maybe some sample program will give the clear idea how to use provider
>
> Struggling in understand the providers
>
> Please share the sample program and the links to understand the providers
>
> Thanks,
> shiva kumar
>
> From: Tomas Mraz
> Sent: Wednesday, September 8, 2021 7:00 PM
> To: Shivakumar Poojari; openssl-users@openssl.org
> Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
> Subject: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
>
> Hello,
>
> there is no direct replacement. The ENGINEs as a pluggable crypto modules concept is replaced with the providers concept which is much more sophisticated and capable.
>
> Please look at
> https://clicktime.symantec.com/3NTnN1ZFia2bCryEiZnkRmY6H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2Fmigration_guide.html
>
> ENGINEs support is not removed from OpenSSL 3.0 however it is deprecated. If you cannot use deprecated functions you have to drop support for engines which means those functions just should not be called and there is no replacement.
>
> Providers allow for configuration via the default configuration file so for an application to support crypto modules in form of providers the application does not necessarily have to have any extra functions called. Just the default configuration file has to be present and the configuration of the desired provider(s) needs to be there.
>
> Tomas
>
> On Wed, 2021-09-08 at 13:07 +, Shivakumar Poojari wrote:
>> Hi
>> Upgrading our code to openssl 3.0. the below function we trying to replace
>>
>> ENGINE_load_dynamic()
>>
>> Replacement for 3.0 what i found OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL)
>>
>> ENGINE_by_id("dynamic")
>>
>> ENGINE_ctrl_cmd_string()
>>
>> ENGINE_set_default()
>>
>> ENGINE_get_DH()
>>
>> ENGINE_free()
>>
>> Need a replacement for the above-highlighted function. I searched in man pages did not find any replacement and searched in google for sample programs also not found
>>
>> Thanks,
>> shiva kumar.
>>
>> Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]
OpenSSL session reuse does not work with TLS_client_method()
I am trying to reuse SSL_SESSION as below, it works fine when I use TLSv1_2_client_method() to create context. However, it does not work when I use TLS_client_method().

    if (!SSL_set_session(ssl, ssl_session)) {
        // code never reaches here so SSL_set_session is successful
    }
    if (SSL_connect(ssl) != 1) {
        return -1;
    }
    int reused = SSL_session_reused(ssl);   // always returns zero for TLS_client_method()
    ssl_session = SSL_get1_session(ssl);    // for future connections

Above code works fine with TLSv1_2_client_method() and SSL_session_reused() returns 1, handshake time is also reduced considerably. However, if I use TLS_client_method(), reuse does not work and SSL_session_reused() returns zero.

Any idea what is wrong? OpenSSL version is 1.1.1g
Re: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0
Hi Tomas,
As Engine function are deprecated I tried using providers

But how to use providers to get engine functionality tried in man pages

Some sample program will help, maybe some sample program will give the clear idea how to use provider

Struggling in understand the providers

Please share the sample program and the links to understand the providers

Thanks,
shiva kumar

From: Tomas Mraz
Sent: Wednesday, September 8, 2021 7:00 PM
To: Shivakumar Poojari; openssl-users@openssl.org
Cc: Paramashivaiah, Sunil; Bhattacharjee, Debapriyo (c)
Subject: [EXTERNAL] Re: ENGINE API replacement for Openssl3.0

Hello,

there is no direct replacement. The ENGINEs as a pluggable crypto modules concept is replaced with the providers concept which is much more sophisticated and capable.

Please look at
https://clicktime.symantec.com/3NTnN1ZFia2bCryEiZnkRmY6H2?u=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2Fmigration_guide.html

ENGINEs support is not removed from OpenSSL 3.0 however it is deprecated. If you cannot use deprecated functions you have to drop support for engines which means those functions just should not be called and there is no replacement.

Providers allow for configuration via the default configuration file so for an application to support crypto modules in form of providers the application does not necessarily have to have any extra functions called. Just the default configuration file has to be present and the configuration of the desired provider(s) needs to be there.

Tomas

On Wed, 2021-09-08 at 13:07 +, Shivakumar Poojari wrote:
> Hi
> Upgrading our code to openssl 3.0. the below function we trying to replace
>
> ENGINE_load_dynamic()
>
> Replacement for 3.0 what i found OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL)
>
> ENGINE_by_id("dynamic")
>
> ENGINE_ctrl_cmd_string()
>
> ENGINE_set_default()
>
> ENGINE_get_DH()
>
> ENGINE_free()
>
> Need a replacement for the above-highlighted function. I searched in man pages did not find any replacement and searched in google for sample programs also not found
>
> Thanks,
> shiva kumar.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]