Re: Is connection active
Maybe you could do it with a select(). Test the return value of select() and you will know if the connection has been closed ;)

Milan Křápek wrote:
> Hi,
> I have a problem: is there any function in OpenSSL that tells me whether a connection is active? I create a new TCP connection with BIO_do_connect; it returns that the connection was established. Then I do some other things in my program, and after a while I send some data through this connection, but it returns that the connection was closed. I need some function is_connected(bio) that tells me whether the connection is still active.
> thanks for help

This message and any attachments are confidential and intended solely for the addressees. Any unauthorised alteration, printing, use or dissemination is prohibited. E-mails are susceptible to alteration. CXR Anderson Jacobson shall not be liable for the message if altered, changed, falsified, printed or disseminated without authorisation.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
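The check the reply above points at, written out as an added example that is not part of the thread: a non-blocking liveness probe built from select() and recv(MSG_PEEK), run over a socketpair() so it works offline. The only assumption linking it to OpenSSL is that you can get the socket descriptor behind the BIO (BIO_get_fd() on a connect BIO returns it).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* What the socket can tell us right now. */
enum peer_status { PEER_OPEN = 0, PEER_CLOSED = 1, PEER_ERROR = -1 };

/* Poll fd without blocking. TCP reports a closed peer only when you read:
 * select() marks the fd readable and recv() then returns 0 (EOF). MSG_PEEK
 * leaves real data in the buffer for whoever reads next (the TLS layer). */
enum peer_status peer_state(int fd)
{
    fd_set rfds;
    struct timeval tv = { 0, 0 };         /* zero timeout: poll, never block */
    char byte;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int r = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (r < 0)
        return PEER_ERROR;
    if (r == 0)
        return PEER_OPEN;                 /* nothing pending: no evidence of a close */

    ssize_t n = recv(fd, &byte, 1, MSG_PEEK | MSG_DONTWAIT);
    if (n == 0)
        return PEER_CLOSED;               /* orderly FIN from the peer */
    if (n > 0 || errno == EAGAIN || errno == EWOULDBLOCK)
        return PEER_OPEN;                 /* data waiting: peer is alive */
    return PEER_ERROR;                    /* ECONNRESET and friends */
}

/* Walk-through on a socketpair: sv[1] plays the server. Returns 0 when each
 * observation matches, otherwise the number of the step that did not. */
int demo_peer_state(void)
{
    int sv[2];
    char buf[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    int client = sv[0], server = sv[1];

    if (peer_state(client) != PEER_OPEN)          /* idle: nothing to report */
        return 2;
    if (send(server, "hi", 2, 0) != 2)            /* peer sends: readable, not EOF */
        return 3;
    if (peer_state(client) != PEER_OPEN)
        return 4;
    if (recv(client, buf, sizeof buf, 0) != 2)    /* drain what MSG_PEEK left behind */
        return 5;
    close(server);                                /* peer goes away */
    if (peer_state(client) != PEER_CLOSED)
        return 6;
    close(client);
    return 0;
}

int main(void)
{
    int rc = demo_peer_state();
    printf("%s\n", rc == 0 ? "peer close detected as expected" : "unexpected observation");
    return rc;
}
```

Two limits to keep in mind. TCP only notices a dead peer when something is sent or read, so an idle connection whose peer crashed or lost its network stays PEER_OPEN until keepalive kicks in or a write fails; if you need a guarantee, add an application-level ping. And the probe sees TCP, not TLS: a peer that shut down cleanly sends a close_notify alert, which arrives here as readable bytes (PEER_OPEN); at the TLS layer the matching check is SSL_peek() or SSL_read() returning 0 with SSL_get_error() reporting SSL_ERROR_ZERO_RETURN.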
Re: session caching with multiple threads
I still have another question: how can I read the reference counter of an SSL_SESSION object? If I can read it, I could know whether another task is using the SESSION. It would prevent me from deleting the pointer to the SESSION.

Regards,
Alexis

Alexis Lefort wrote:
> Hello all,
> I am writing, in C, an SSL client with OpenSSL 0.9.7g. I have multiple clients (about 10) using the same SSL_CTX and connecting to 2 different servers (5 clients on each, for example). I wonder how SSL_get_session, SSL_set_session and SSL_SESSION_free have to be used there. What I did was roughly (for each client):
>
>     if (session for server A in cache) {
>         SSL_set_session(ssl, session);
>         SSL_SESSION_free(session);
>     }
>     if (SSL_connect(ssl) == OK)
>         session = SSL_get1_session(ssl);
>     SSL_shutdown(ssl);
>
> But I fear problems with other threads:
> - will memory be freed when one client does a new handshake?
> - will the session be kept as long as it is valid?
> Please help :)

--
Alexis Lefort
Engineer, R&D department
Tel: +33 (0)2 37 62 88 88
Fax: +33 (0)2 37 62 88 01
CXR - Rue de l'Ornette - 28410 ABONDANT
[EMAIL PROTECTED]
http://cxr.anderson-jacobson.com/
session caching with multiple threads
Hello all,

I am writing, in C, an SSL client with OpenSSL 0.9.7g. I have multiple clients (about 10) using the same SSL_CTX and connecting to 2 different servers (5 clients on each, for example). I wonder how SSL_get_session, SSL_set_session and SSL_SESSION_free have to be used there. What I did was roughly (for each client):

    if (session for server A in cache) {
        SSL_set_session(ssl, session);
        SSL_SESSION_free(session);
    }
    if (SSL_connect(ssl) == OK)
        session = SSL_get1_session(ssl);
    SSL_shutdown(ssl);

But I fear problems with other threads:
- will memory be freed when one client does a new handshake?
- will the session be kept as long as it is valid?

Please help :)
Re: My ssl client connects without the knowledge of root CA certificate
Hi,

Do you use:

    SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

If not, it is probably the solution ;)

Alexis

Urjit Gokhale wrote:
> Hi,
> I have a sample SSL-ized client/server program. I am not using SSL_CTX_load_verify_locations() in the client and still my client is able to connect to the server. I wonder how this could be possible. How would the client be able to authenticate the server certificate without knowledge of the root CA certificate that signed the server certificate? The server certificate, as far as I know, is not self-signed (server certificate file is attached). Could someone explain how my client connects to the server without knowledge of the root CA? Could someone list the necessary and sufficient conditions for a certificate to be considered self-signed?
> Thank you,
> ~ Urjit
>
> DISCLAIMER
> ==
> This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails.

--
Alexis Lefort
Re: man pages of PKCS12
I found it using Google Code Search: http://www.google.com/codesearch

For example, one is: http://www.google.com/codesearch?q=+PKCS12_parse+show:eeHJRh5kAqQ:7aZjvmBSuiI:xYw6oBzZOkksa=Ncd=8ct=rccs_p=http://www.openssl.org/source/openssl-0.9.7f.tar.gzcs_f=openssl-0.9.7f/apps/apps.c#a0

Regards.
Alexis

Kaushalye Kapuruge wrote:
> Alexis Lefort wrote:
>> I found some source code in the openssl examples.
> Could you please point me to such a one :)
> Thanks.
Re: man pages of PKCS12
I will do so, thank you :)

Alexis

Dr. Stephen Henson wrote:
> Don't post in HTML.
>
> Easiest option is to call d2i_PKCS12() and friends and see if you get an error.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
Re: man pages of PKCS12
I found some source code in the openssl examples. But I still don't know how to test the type of the file (X.509 or PKCS#12). Is there a means to do so?

regards
Alexis

Alexis Lefort wrote:
> I now have several other questions:
> - do PKCS#12 files always have the ".p12" extension in their filename?
> - If not, how can I know (programmatically) whether they are in X.509 or PKCS#12 format?
> - When using d2i_PKCS12_fp(FILE *fp, PKCS12 **p12), how can I free the p12 object?
> thanks again for your time and answers :)
> regards
> Alexis
Re: man pages of PKCS12
I now have several other questions:
- do PKCS#12 files always have the ".p12" extension in their filename?
- If not, how can I know (programmatically) whether they are in X.509 or PKCS#12 format?
- When using d2i_PKCS12_fp(FILE *fp, PKCS12 **p12), how can I free the p12 object?

thanks again for your time and answers :)
regards
Alexis

Alexis Lefort wrote:
> I want to do it programmatically, thanks a lot for the help :)
> regards
> Alexis
>
> Brad Hards wrote:
>> On Saturday 28 October 2006 01:58, Alexis Lefort wrote:
>>> I can't find much information about parsing a PKCS12 file, or testing the content of a file to know if it is PEM or PKCS12.
>> Do you want to do this programmatically, or from the command line?
>>> Where could I find that please?
>> man pkcs12 will provide the command line tool options.
>> The man pages for
>> * PKCS12_create
>> * PKCS12_parse
>> will provide details on how to do it programmatically.
>> These documents are also available on-line. For example, see:
>> http://www.openssl.org/docs/crypto/PKCS12_parse.html
>> http://www.drh-consultancy.demon.co.uk/pkcs12faq.html may also help.
>> Brad
man pages of PKCS12
Hi all,

I can't find much information about parsing a PKCS12 file, or testing the content of a file to know if it is PEM or PKCS12. Where could I find that please?

regards
--
Alexis Lefort
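An added example, not from the thread and not OpenSSL code, for the question asked here and in the two follow-ups above (how to tell PEM from DER, and DER PKCS#12 from a DER X.509 certificate) without calling libcrypto: it classifies a buffer by its outer framing only. PEM is recognised by its "-----BEGIN " armour; DER by an outer SEQUENCE whose first element is INTEGER 3 (the PFX version of a PKCS#12 file) or a SEQUENCE that itself opens with the [0] EXPLICIT version of a v2/v3 certificate. It is a router that decides which decoder to try first; as Steve's reply says, d2i_PKCS12() and d2i_X509() remain the authority. The sample inputs are constructed byte strings carrying only that framing, not real files.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Classification by outer framing only. */
enum blob_kind {
    KIND_UNKNOWN = 0,  /* neither PEM armour nor a plausible DER SEQUENCE */
    KIND_PEM,          /* "-----BEGIN <label>-----"; the label names the content */
    KIND_DER_PKCS12,   /* PFX ::= SEQUENCE { version INTEGER (3), ... } */
    KIND_DER_X509,     /* Certificate ::= SEQUENCE { SEQUENCE { [0] version ... } ... } */
    KIND_DER_OTHER     /* a SEQUENCE, but a key, CSR, CRL, v1 cert, PKCS#7, ... */
};

/* Decode one DER tag + length at buf[0..len). Returns the header size, 0 on
 * failure. Rejects the indefinite form (0x80): legal BER, never DER. */
static size_t der_header(const uint8_t *buf, size_t len, uint8_t *tag, size_t *clen)
{
    if (len < 2)
        return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {                  /* short form: one length byte */
        *clen = buf[1];
        return 2;
    }
    size_t nbytes = buf[1] & 0x7f, v = 0; /* long form: count of length bytes */
    if (nbytes == 0 || nbytes > sizeof v || len < 2 + nbytes)
        return 0;
    for (size_t i = 0; i < nbytes; i++)
        v = (v << 8) | buf[2 + i];
    *clen = v;
    return 2 + nbytes;
}

enum blob_kind sniff(const uint8_t *buf, size_t len)
{
    size_t i = 0;                         /* PEM is text: skip whitespace, expect BEGIN */
    while (i < len && isspace(buf[i]))
        i++;
    if (len - i >= 11 && memcmp(buf + i, "-----BEGIN ", 11) == 0)
        return KIND_PEM;

    uint8_t t1, t2, t3;                   /* DER: every format here is an outer SEQUENCE */
    size_t c1, c2, c3, h1, h2, h3;
    h1 = der_header(buf, len, &t1, &c1);
    if (h1 == 0 || t1 != 0x30 || c1 > len - h1)
        return KIND_UNKNOWN;              /* not a SEQUENCE, or the file is truncated */

    h2 = der_header(buf + h1, c1, &t2, &c2);   /* the first element decides */
    if (h2 == 0 || c2 > c1 - h2)
        return KIND_UNKNOWN;
    if (t2 == 0x02 && c2 == 1 && buf[h1 + h2] == 3)
        return KIND_DER_PKCS12;           /* PKCS#8 and RSAPrivateKey carry INTEGER 0 here */
    if (t2 == 0x30) {                     /* tbsCertificate of v2/v3 opens with [0] version */
        h3 = der_header(buf + h1 + h2, c2, &t3, &c3);
        if (h3 != 0 && t3 == 0xA0)
            return KIND_DER_X509;
    }
    return KIND_DER_OTHER;                /* hand to d2i_X509()/d2i_* and see which succeeds */
}

/* For PEM input copy the BEGIN label ("CERTIFICATE", ...) into out; returns its length, 0 if not PEM. */
size_t pem_label(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    size_t i = 0, n = 0;
    while (i < len && isspace(buf[i]))
        i++;
    if (len - i < 11 || memcmp(buf + i, "-----BEGIN ", 11) != 0)
        return 0;
    for (i += 11; i < len && buf[i] != '-' && buf[i] != '\n' && n + 1 < outlen; i++)
        out[n++] = (char)buf[i];
    out[n] = '\0';
    return n;
}

/* Constructed samples: synthetic bytes carrying only the framing the sniffer reads. */
static const uint8_t S_PKCS12[]  = { 0x30, 0x03, 0x02, 0x01, 0x03 };
static const uint8_t S_PKCS12L[] = { 0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x03 }; /* long-form length, as multi-KB files use */
static const uint8_t S_X509[]    = { 0x30, 0x05, 0x30, 0x03, 0xA0, 0x01, 0x02 };
static const uint8_t S_PKCS8[]   = { 0x30, 0x03, 0x02, 0x01, 0x00 };
static const uint8_t S_TRUNC[]   = { 0x30, 0x10, 0x02, 0x01, 0x03 };  /* claims 16 content bytes, has 3 */
static const char    S_PEM[]     = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n";

/* Classifies every sample; returns 0 if all match, else the number of the first mismatch. */
int demo_sniff(void)
{
    char label[32];
    if (sniff(S_PKCS12, sizeof S_PKCS12) != KIND_DER_PKCS12) return 1;
    if (sniff(S_PKCS12L, sizeof S_PKCS12L) != KIND_DER_PKCS12) return 2;
    if (sniff(S_X509, sizeof S_X509) != KIND_DER_X509) return 3;
    if (sniff(S_PKCS8, sizeof S_PKCS8) != KIND_DER_OTHER) return 4;
    if (sniff(S_TRUNC, sizeof S_TRUNC) != KIND_UNKNOWN) return 5;
    if (sniff((const uint8_t *)S_PEM, sizeof S_PEM - 1) != KIND_PEM) return 6;
    if (pem_label((const uint8_t *)S_PEM, sizeof S_PEM - 1, label, sizeof label) != 11
        || strcmp(label, "CERTIFICATE") != 0) return 7;
    if (sniff((const uint8_t *)"hello", 5) != KIND_UNKNOWN) return 8;
    return 0;
}

int main(void)
{
    return demo_sniff();                  /* exit status 0: every sample classified as expected */
}
```

On the other two questions in the thread: the ".p12" extension is convention only (".pfx" is just as common) and nothing enforces it, which is why content sniffing rather than the file name is the reliable test; and a PKCS12 object returned by d2i_PKCS12_fp() is released with PKCS12_free(). What the sniffer deliberately does not decide: a v1 certificate has no [0] version and lands in KIND_DER_OTHER next to CSRs, CRLs and PKCS#8 keys, and a PEM label is whatever the writer put there, so treat KIND_PEM as "pick the PEM_read_bio_* routine by label and let it fail if the label lies".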
Re: strange certificate verification
Thanks for your reply :) This is what I already do, and there is only one certificate in the file.

regards

Vincenzo Sciarra wrote:
> Try c_rehash in the certificate folder.
> bye
>
> 2006/10/25, Alexis Lefort [EMAIL PROTECTED]:
>> Hi all,
>> I wrote a program that verifies the certificate of the server it connects to, but when I specify the CA file with SSL_CTX_set_client_CA_list() the certificate is accepted, and when I only specify a path to the directory containing the certificate it fails at depth 1. I do not understand!
>> regards
>> --
>> Alexis Lefort

--
Alexis Lefort
Re: strange certificate verification
There is no man page on SSL_CTX_set_verify_locations; do you mean SSL_CTX_load_verify_locations?

What I do is:

    SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(caList));
    SSL_CTX_load_verify_locations(sslctx, caList, caPath);

Vincenzo Sciarra wrote:
> The software must verify the server certificate with a local CA?
> SSL_CTX_set_client_CA_list()
> Try to use SSL_CTX_set_verify_locations()
> You can specify a file containing the CA cert
>
> 2006/10/26, Alexis Lefort [EMAIL PROTECTED]:
>> Thanks for your reply :) This is what I already do, and there is only one certificate in the file.
>> regards
>>
>> Vincenzo Sciarra wrote:
>>> Try c_rehash in the certificate folder.
>>> bye
>>>
>>> 2006/10/25, Alexis Lefort [EMAIL PROTECTED]:
>>>> Hi all,
>>>> I wrote a program that verifies the certificate of the server it connects to, but when I specify the CA file with "SSL_CTX_set_client_CA_list()" the certificate is accepted, and when I only specify a path to the directory containing the certificate it fails at depth 1. I do not understand!
>>>> regards
>>>> --
>>>> Alexis Lefort

--
Alexis Lefort
Re: strange certificate verification
Yes, if I load the file it works, but I want it to work even if the file is only in the directory.

I have just seen something else: I wrote a program myself that does the equivalent of c_rehash, but my program accepts to rename the file whereas c_rehash refuses to do so! Why can c_rehash refuse to rename the file???

Vincenzo Sciarra wrote:
> Yes, I'm sorry. Try this:
>
>     // SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(caList));
>     SSL_CTX_load_verify_locations(sslctx, "/path/of/CA/cert/file", NULL);
>
> 2006/10/26, Alexis Lefort [EMAIL PROTECTED]:
>> There is no man page on SSL_CTX_set_verify_locations; do you mean SSL_CTX_load_verify_locations?
>> What I do is:
>>
>>     SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(caList));
>>     SSL_CTX_load_verify_locations(sslctx, caList, caPath);
>>
>> Vincenzo Sciarra wrote:
>>> The software must verify the server certificate with a local CA?
>>> SSL_CTX_set_client_CA_list()
>>> Try to use SSL_CTX_set_verify_locations()
>>> You can specify a file containing the CA cert
>>>
>>> 2006/10/26, Alexis Lefort [EMAIL PROTECTED]:
>>>> Thanks for your reply :) This is what I already do, and there is only one certificate in the file.

--
Alexis Lefort
Re: strange certificate verification
Uh oh, the way I rename the file was bad: I omitted the first characters if they were 0. I feel just a little bit stupid. Sorry, and thanks for your help :)

Alexis Lefort wrote:
> Yes, if I load the file it works, but I want it to work even if the file is only in the directory.
> I have just seen something else: I wrote a program myself that does the equivalent of c_rehash, but my program accepts to rename the file whereas c_rehash refuses to do so! Why can c_rehash refuse to rename the file???
>
> Vincenzo Sciarra wrote:
>> Yes, I'm sorry. Try this:
>>
>>     // SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(caList));
>>     SSL_CTX_load_verify_locations(sslctx, "/path/of/CA/cert/file", NULL);
>>
>> 2006/10/26, Alexis Lefort [EMAIL PROTECTED]:
>>> There is no man page on SSL_CTX_set_verify_locations; do you mean SSL_CTX_load_verify_locations?
>>> What I do is:
>>>
>>>     SSL_CTX_set_client_CA_list(sslctx, SSL_load_client_CA_file(caList));
>>>     SSL_CTX_load_verify_locations(sslctx, caList, caPath);
>>>
>>> Vincenzo Sciarra wrote:
>>>> The software must verify the server certificate with a local CA?
>>>> SSL_CTX_set_client_CA_list()
>>>> Try to use SSL_CTX_set_verify_locations()
>>>> You can specify a file containing the CA cert
>>>>
>>>> 2006/10/26, Alexis Lefort [EMAIL PROTECTED]:
>>>>> Thanks for your reply :) This is what I already do, and there is only one certificate in the file.
note on c_rehash
Hello all again ;)

c_rehash makes symbolic links to files containing certificates, but it makes only one link per file. If there is more than one certificate in a file, it will lead to problems for OpenSSL, because only one certificate is allowed in renamed files.

It was just a little note to point this out.

cheers
Alexis
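An added example (mine, not c_rehash's code and not anything posted in the thread) covering the two pitfalls that came up: the leading zeros dropped when building the file name in the earlier post, and the one-link-per-file limit noted here. It splits a PEM bundle into individual certificates and gives each the `%08lx.%d` name the by-directory lookup expects, moving to `.1`, `.2`, ... when a hash is already taken. It assumes the subject-name hash is already known (X509_NAME_hash() in C, or `openssl x509 -noout -hash` on the command line); the hash value and the bundle below are constructed.

```c
#include <stdio.h>
#include <string.h>

/* One certificate cut out of a PEM bundle (pointer into the bundle, not a copy). */
struct pem_block { const char *start; size_t len; };

/* Split a bundle into its CERTIFICATE blocks; returns how many were found (at most max).
 * c_rehash stops at one link per file, so each block here gets its own name below. */
size_t pem_split(const char *bundle, struct pem_block *out, size_t max)
{
    static const char BEGIN[] = "-----BEGIN CERTIFICATE-----";
    static const char END[]   = "-----END CERTIFICATE-----";
    size_t n = 0;
    const char *p = bundle;
    while (n < max && (p = strstr(p, BEGIN)) != NULL) {
        const char *e = strstr(p + sizeof BEGIN - 1, END);
        if (e == NULL)
            break;                          /* unterminated block: ignore the tail */
        e += sizeof END - 1;
        out[n].start = p;
        out[n].len = (size_t)(e - p);
        n++;
        p = e;
    }
    return n;
}

/* Hash-directory name for a subject hash: eight lowercase hex digits, zero-padded,
 * then ".N". This is the bug from the thread: "%lx" yields "a1b2c3.0", a name the
 * by-directory lookup never asks for; "%08lx" yields "00a1b2c3.0". */
void hash_name(unsigned long hash, int n, char out[16])
{
    snprintf(out, 16, "%08lx.%d", hash & 0xffffffffUL, n);
}

/* Lowest N such that "<hash>.N" is not among the existing names (same-hash certs get .1, .2, ...). */
int next_suffix(unsigned long hash, const char *const *existing, size_t count)
{
    char cand[16];
    for (int n = 0;; n++) {
        hash_name(hash, n, cand);
        size_t i = 0;
        while (i < count && strcmp(existing[i], cand) != 0)
            i++;
        if (i == count)
            return n;
    }
}

/* Constructed bundle: two certificates in one file; the base64 bodies are placeholders. */
static const char BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...first...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...second...\n-----END CERTIFICATE-----\n";

/* Made-up hash shared by both certificates, as two CAs with colliding subject hashes
 * would. Real code takes it from X509_NAME_hash() on each certificate's subject. */
#define ASSUMED_HASH 0x00a1b2c3UL

/* Names the bundle's certificates; returns the count, -1 if the split did not find two. */
int demo_rehash(char names[2][16])
{
    struct pem_block certs[2];
    const char *taken[2];
    size_t n = pem_split(BUNDLE, certs, 2);
    if (n != 2)
        return -1;
    for (size_t i = 0; i < n; i++) {
        hash_name(ASSUMED_HASH, next_suffix(ASSUMED_HASH, taken, i), names[i]);
        taken[i] = names[i];
    }
    return (int)n;
}

/* Self-check: 0 when the names come out as "00a1b2c3.0" and "00a1b2c3.1". */
int demo_rehash_ok(void)
{
    char names[2][16];
    if (demo_rehash(names) != 2)
        return 1;
    if (strcmp(names[0], "00a1b2c3.0") != 0 || strcmp(names[1], "00a1b2c3.1") != 0)
        return 2;
    return 0;
}

int main(void)
{
    char names[2][16];
    int n = demo_rehash(names);
    for (int i = 0; i < n; i++)
        printf("certificate %d -> %s\n", i, names[i]);   /* names the symlinks would get */
    return demo_rehash_ok();
}
```

The same scheme applies to CRLs, which c_rehash links as `<hash>.r<N>`. One caveat when mixing versions: OpenSSL 1.0.0 changed X509_NAME_hash() to a SHA-1 based value and kept the 0.9.x MD5 based one as X509_NAME_hash_old(), so a directory hashed for a 0.9.7 client has to be re-hashed before a 1.0.0 client will find anything in it.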
strange certificate verification
Hi all,

I wrote a program that verifies the certificate of the server it connects to, but when I specify the CA file with "SSL_CTX_set_client_CA_list()" the certificate is accepted, and when I only specify a path to the directory containing the certificate it fails at depth 1. I do not understand!

regards
--
Alexis Lefort
Re: is any documentation for programmers?
Hi,

There is another book from O'Reilly: "Network Security with OpenSSL", by John Viega, Matt Messier and Pravir Chandra. Hope it will help ;)

Marek Marcola wrote:
>> Hello,
>> I'm a newbie at using the openssl libs, and I need documentation where I can read about the functions of libssl. For example: I want to use AES for message encryption, and I have to know things like what length of key I can use. I tried some keys and I found that the key length must be 16 or 32 bytes, but I'm not sure about the things I found out. So if there is any online documentation on using libssl when programming in C, please somebody tell me where I can find it.
> O'Reilly: Secure Programming Cookbook for C and C++
> It is not online and not free ... but it is very good and you will find the answers to your questions there. Worth buying.
> Best regards,

--
Alexis Lefort
Re: Accept error
No one can help me? :(

Alexis Lefort wrote:
> I have forgotten one thing: the call to SSL_connect() returns "-1", and SSL_get_error() returns SSL_ERROR_SYSCALL. The error string is empty and errno is NULL.
>
> Alexis Lefort wrote:
>> Hi list,
>> When my client (0.9.8a) tries to connect (SSL_connect) to an "openssl s_server" (0.9.7g) (openssl s_server -cert server_cert.pem -key server_priv_key.pem), the server crashes:
>>
>>     gethostbyname failure
>>     0 items in the session cache
>>     0 client connects (SSL_connect())
>>     0 client renegotiates (SSL_connect())
>>     0 client connects that finished
>>     0 server accepts (SSL_accept())
>>     0 server renegotiates (SSL_accept())
>>     0 server accepts that finished
>>     0 session cache hits
>>     0 session cache misses
>>     0 session cache timeouts
>>     0 callback cache hits
>>     0 cache full overflows (128 allowed)
>>
>> But when this client tries to connect to my own SSL server, it is all OK! Can you help me debug that please?
>> thx
>> Alexis
Accept error
Hi list,

When my client (0.9.8a) tries to connect (SSL_connect) to an openssl s_server (0.9.7g) (openssl s_server -cert server_cert.pem -key server_priv_key.pem), the server crashes:

gethostbyname failure
0 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
0 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
0 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)

But when this client tries to connect to my own SSL server, it is all OK!
Can you help me debugging that please?

thx
Alexis
Re: Accept error
I have forgotten one thing, the call to SSL_connect() returns "-1", and SSL_get_error() returns SSL_ERROR_SYSCALL. The error string is empty and errno is NULL.

Alexis Lefort wrote:
> [...]
Do I need multi-threading?
Hi all,

I am compiling OpenSSL for an ARM9, running RTEMS. I do not know if I need the multi-threading support when I configure OpenSSL. My software will execute several tasks each running OpenSSL, but these tasks are not threads (at least I guess so).

So can I build OpenSSL with the no-thread option, or do I need to pass some options to support multi-threading? In this last case, what are the options needed?

Thanks for help :)
Alexis
valgrind errors
Hello all,

I developed a server which seems to work quite fine. When I use Valgrind to check for problems, it returns me thousands of problems which seem to be caused by the OpenSSL library! Follows some of the returns:

==23622== Syscall param write(buf) points to uninitialised byte(s)
==23622==    at 0x82C573: __write_nocancel (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7D202A: _IO_do_write@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7D17C4: _IO_file_close_it@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x7C83F1: fclose@@GLIBC_2.1 (in /lib/tls/libc-2.3.3.so)
==23622==    by 0x8073637: RAND_write_file (in /home/tools/version_courante/mybin)
==23622==    by 0xCF39EAD1: ???
==23622==  Address 0x25989000 is not stack'd, malloc'd or (recently) free'd
==23622==
==23622== Thread 3:
==23622== Conditional jump or move depends on uninitialised value(s)
==23622==    at 0x8072F5E: lh_retrieve (in /home/tools/version_courante/mybin)
==23622==
==23622== Use of uninitialised value of size 4
==23622==    at 0x8072F73: lh_retrieve (in /home/tools/version_courante/mybin)
...

The first lines are returned when calling RAND_write_file(), the other lines are all returned when calling SSL_accept().

Does anyone know if it is an error of my own or not?

Alexis
Re: valgrind errors
I have just tried the option -DPURIFY and unfortunately it does not help. I still have hundreds of "Conditional jump..." and "Use of uninitialised value". Any other suggestion would be greatly appreciated. :)

Alexis

Nils Larsch wrote:
> Alexis Lefort wrote:
>> [...]
>
> build openssl with ./config ... -DPURIFY ... and then try again. most of the uninitialized ... warnings are caused by the fact that openssl uses uninitialized memory during the random number generation (and using uninitialized memory there isn't/shouldn't be problematic). I guess this should be put in the FAQ
>
> Nils
IE5 client authentication
Hi all,

Is it possible for a Windows client using IE5.0 to authenticate itself in order to connect to a SSL server? My server works fine with many clients, but not with this one... The great tool ssldump dumps that:

18 5  0.1324 (0.0295)  C>S  V3.0(273)  Handshake
      Certificate
      ClientKeyExchange
        EncryptedPreMasterSecret[128]=
          8b f7 ee 95 2d 26 88 4e 61 ea af 29 b8 76 ed 1b
          86 d2 97 27 63 30 60 16 e3 b6 1c b8 5b 1c 9d 2f
          68 19 68 7d 39 4f 60 9f 22 7a 72 06 56 b2 c5 18
          6c 76 34 12 a3 75 4c e3 bb 05 d0 12 b0 62 b5 57
          c4 f2 a0 c5 40 c0 aa d1 da dd e9 2e 25 90 35 c7
          7f bf 61 c4 f3 e8 fa aa 9b ae 3d 9e 49 41 f7 2e
      CertificateVerify
        Signature[128]=
          2a c6 6e 30 bb ba 47 25 3c 2f 69 28 13 3f 67 5f
          bf 9d d7 d8 0e 53 c1 18 64 e2 03 dc ce 74 28 3c
          27 d4 5e 69 95 ab 5d 21 9f 17 e0 bd ff 62 25 70
          d8 73 46 86 4f d8 30 d2 56 ca a0 7f 30 54 82 e3
          d0 21 8a a2 e5 2a 0c 93 cf d7 7c 2b 10 94 34 92
          bf 79 20 5c bc 9a 5d 61 fe f2 26 46 fc 50 e9 02
          2d 7f 92 ba db 01 1a 96 6e 48 99 ba 71 e6 f3 1d
          16 a0 2b 88 fa 1c eb b0 b7 a6 64 4a 4c ef b5 d1
18 6  0.1324 (0.)  C>S  V3.0(1)  ChangeCipherSpec
18 7  0.1324 (0.)  C>S  V3.0(60)  Handshake
      Finished
        md5_hash[16]=
          95 d2 94 d4 e4 07 da 7f d7 35 7e 08 46 c8 06 9f
        sha_hash[20]=
          6d a2 df aa ce d1 f5 9b ed 4b c9 c2 46 d5 7c 4d
          7e d5 24 f5
18 8  0.1382 (0.0058)  S>C  V3.0(2)  Alert
        level           fatal
        value           handshake_failure
18    0.1388 (0.0005)  C>S  TCP FIN
18    0.1446 (0.0058)  S>C  TCP FIN

Thanks for reading me, and why not for answering me :)

Alexis.
Re: non-blocking BIO
Thank you, I missed that!

> BIOs don't need any special settings to support non blocking I/O: if the underlying transport signals a call should be retried the BIO takes appropriate action. In other words you just have to set the underlying transport (socket normally) to a non blocking mode.
>
> Steve.
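The mechanism Steve describes, shown as an added example (not code from the thread or from OpenSSL itself): the transport, not the BIO, is what gets switched to non-blocking mode, and from then on a read that has nothing to deliver fails with EAGAIN/EWOULDBLOCK, which OpenSSL's socket BIO reports as a retryable condition (BIO_should_retry() is true; through the SSL layer it surfaces as SSL_ERROR_WANT_READ). The program below reproduces that contract with plain POSIX calls on a local socketpair so it runs offline: a non-blocking read with no data pending signals "retry", select() then reports when data (or the peer's close) has arrived, read() returning 0 means the peer closed, and anything else is a real error. The function names classify_read, wait_readable and run_nonblocking_demo are this example's own; the sample message is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Outcome of one read attempt on a non-blocking transport. */
enum io_state { IO_DATA, IO_RETRY, IO_CLOSED, IO_ERROR };

/* Classify a read() result the way OpenSSL's socket BIO does:
 * -1 with EAGAIN/EWOULDBLOCK/EINTR is "retry later" (the case where
 * BIO_should_retry() is true / SSL_get_error() gives SSL_ERROR_WANT_READ),
 * 0 means the peer closed the connection, any other -1 is a fatal error. */
enum io_state classify_read(ssize_t n, int err) {
    if (n > 0) return IO_DATA;
    if (n == 0) return IO_CLOSED;
    if (err == EAGAIN || err == EWOULDBLOCK || err == EINTR) return IO_RETRY;
    return IO_ERROR;
}

/* Put the file descriptor (the "underlying transport") into non-blocking mode. */
static int set_nonblocking(int fd) {
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0) return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* Wait up to timeout_ms for fd to become readable.
 * Returns 1 when ready (data or EOF), 0 on timeout, -1 on error. */
static int wait_readable(int fd, int timeout_ms) {
    fd_set rfds;
    struct timeval tv;
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* Runs the whole scenario on a constructed local socketpair and returns how
 * many of the four steps behaved as expected (4 when everything works). */
int run_nonblocking_demo(void) {
    int sv[2];
    char buf[64];
    int ok = 0;
    ssize_t n;
    const char msg[] = "hello";   /* constructed sample payload */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (set_nonblocking(sv[0]) != 0) { close(sv[0]); close(sv[1]); return -1; }

    /* Step 1: nothing sent yet, so the non-blocking read must say "retry", not block. */
    n = read(sv[0], buf, sizeof buf);
    if (classify_read(n, errno) == IO_RETRY) ok++;

    /* Step 2: the peer writes; select() reports readability and the retried read succeeds. */
    if (write(sv[1], msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1)
        && wait_readable(sv[0], 1000) == 1) {
        n = read(sv[0], buf, sizeof buf);
        if (classify_read(n, errno) == IO_DATA && n == 5 && memcmp(buf, msg, 5) == 0) ok++;
    }

    /* Step 3: the peer closes; select() wakes at once and read() returns 0 -> closed. */
    close(sv[1]);
    if (wait_readable(sv[0], 1000) == 1) {
        n = read(sv[0], buf, sizeof buf);
        if (classify_read(n, errno) == IO_CLOSED) ok++;
    }

    /* Step 4: a genuine failure (EBADF on a closed descriptor) is neither retry nor EOF. */
    close(sv[0]);
    n = read(sv[0], buf, sizeof buf);
    if (classify_read(n, errno) == IO_ERROR) ok++;

    return ok;
}

int main(void) {
    int steps = run_nonblocking_demo();
    printf("%d/4 steps behaved as expected\n", steps);
    return steps == 4 ? 0 : 1;
}
```

With a real SSL connection the loop shape is the same: the application sets O_NONBLOCK on the socket it hands to the BIO, calls SSL_connect()/SSL_read()/SSL_write(), and on a retry indication waits with select() before calling the same function again; the step-3 case (select() reports readable, the read yields no data) is also how a closed peer is noticed without blocking.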
Handshake returns error
Hi all,

I have a problem with my handshake. When the server does not require the client certificate, all works fine. But when it requires the client certificate, it stops in the handshake and returns me that error:

1:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1993:

and the client returns:

CONNECTED(0003)
depth=1 /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
verify error:num=19:self signed certificate in certificate chain
verify return:0
16433:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
16433:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I have compiled OpenSSL-0.9.7c for an arm7tdmi, and I use RTEMS operating system. I really don't know why that happens whereas the same program works fine on my PC!

please help!
Re: Embedded OpenSSL
Thanks a lot! It seems to be what I was looking for. :)

Mathias Brossard wrote:
> On Tue, 2004-01-13 at 14:44, Alexis Lefort wrote:
>> Because of the very limited storage capacity of the flash memory, I'd like to reduce the size of libraries. In order to do that, I tried:
>> [...]
>> (I only need RSA, DES, 3DES, AES, SHA and MD5)
>> [...]
>> libcrypto.a was only 300 KB less big than if I did not use any of those options (except no-asm). Is there a way to more reduce the size of libraries?
>
> Maybe you can use parts of Martin Witzel's work:
> http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=533
> and in a lesser extent:
> http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=569
>
> Sincerely,
Embedded OpenSSL
Hi all,

I am a newbie in OpenSSL and my job is to build a secured server embedded on an ARM processor. The OS I am using is RTEMS and OpenSSL is 0.9.7c. I have two questions.

Because of the very limited storage capacity of the flash memory, I'd like to reduce the size of libraries. In order to do that, I tried:

./Configure arm-rtems --prefix=/opt/openssl-0.9.7c --openssldir=/opt/openssl-0.9.7c/openssl no-asm no-dso no-krb5 no-hw no-idea no-rc4 no-rc2 no-bf no-cast no-cast5 no-ede no-cbc no-cfb no-ofb no-ede3 no-ecb no-base64 no-md2 no-md4 no-rmd160 no-engine no-zlib
make depend
make

(I only need RSA, DES, 3DES, AES, SHA and MD5)

I also had to add a line to the Configure file:

arm-rtems,arm-rtems-gcc:-DL_ENDIAN -idirafter/opt/rtems-4.6.0pre5/arm-rtems/lib/include -idirafter/usr/lib/bcc/include -O5::(unknown):::BN_LLONG:::,

libcrypto.a was only 300 KB less big than if I did not use any of those options (except no-asm). Is there a way to more reduce the size of libraries?

The second question I have (and the more important for me) is: I took the examples of Eric Rescorla on his web site and it works fine on my computer. It even seemed to work fine on my target but when the server (wserver2 on the target) requires a certificate from the client (wclient2 on the computer), I just have this message from the server:

1:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1993:

Of course I first uploaded to the server the certificates it needs (those given with the examples). I also used ssldump 0.9b3 and saw that the client certificate seems to be well sent.

I don't know what to do, any help would be welcome.