Re: [openssl-users] Loading CA from memory

2018-02-20 Thread Devchandra L Meetei
Thanks Viktor
As usual, your answer throws light. Now it is time to get started.
Will revert if I get obstructed on the way.

On Wed, Feb 21, 2018 at 9:58 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

>
>
> > On Feb 20, 2018, at 12:58 PM, Devchandra L Meetei <dlmee...@gmail.com> wrote:
> >
> > By the way, Is there any plan to port SSL_CTX_load_verify_mem to openssl?
>
> The basic functionality is already there:
>
> If you want to parse in-memory PEM, see the use of
> PEM_X509_INFO_read_bio() [needs documentation] at:
>
>https://github.com/openssl/openssl/blob/master/apps/crl2p7.c#L179
>
> If you have a PKCS7 DER or PEM structure, there are suitable functions for
> pulling out a chain from that.  Then you can set a "trusted stack" for your
> X509_STORE_CTX.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did,” Steve Jobs
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Loading CA from memory

2018-02-20 Thread Devchandra L Meetei
Thanks Jakob for the hint
Let me try out the suggested approach.

By the way, Is there any plan to port SSL_CTX_load_verify_mem to openssl?

On Tue, Feb 20, 2018 at 9:23 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:

> On 20/02/2018 16:38, Devchandra L Meetei wrote:
>
>> I have been looking for an API like `SSL_CTX_load_verify_mem` which will
>> load CA[s] from a memory buffer.
>>
>> Looks like OpenSSL does not have it yet. Is there any other way to work
>> around this?
>>
> I think it can be done step by step, at least in 1.0.x:
>
> First allocate an empty STACK_OF X509 certificates
>
> Then loop over your in-memory CA certificates, passing each to d2i_X509,
> then adding the resulting X509 object to the stack.
>
> Finally pass that stack as the CA collection to an appropriate SSL_CTX
> function.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did,” Steve Jobs


[openssl-users] Loading CA from memory

2018-02-20 Thread Devchandra L Meetei
I have been looking for an API like `SSL_CTX_load_verify_mem` which will load
CA[s] from a memory buffer.

Looks like OpenSSL does not have it yet. Is there any other way to work around
this?

-- 
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did,” Steve Jobs


Re: [openssl-users] Using SSL with wokring sockets and events

2016-06-29 Thread Devchandra L Meetei
If you are intending to use the asynchronous event-based NIO library libuv,
then you might like to use a BIO pair.

I have done some abstraction on top of OpenSSL so that it becomes easy for a
callback-based async lib.

Maybe you can have a look at it.


On Wed, Jun 29, 2016 at 2:16 PM, Oz wrote:

> I have a running program, the program is written in C
> I want to convert it from connecting to an HTTP to HTTPS (SSL)
>
> I have an event for write/read/timeout/error and such
>
> How do I continue and use the current sockets FD I have, but using openSSL
> over it? the most easy and simple way?
>
> I have created a CTX object, and an SSL object over it (SSL_new(..))
>
> I thought about using BIO_new_socket, but I am having problems with the
> connection/handshake and reading/writing data (I am the client code only)
>
>
>
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>



-- 
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did,” Steve Jobs


[openssl-users] Getting role of SSL endpoint

2015-09-24 Thread Devchandra L Meetei
Hello all,
In a bid to use OpenSSL's non-blocking mode with a BIO pair, we are calling
SSL_do_handshake to perform the handshake and we would like to do callbacks
based on the role of the SSL.

Is there any API that can be used to get the role of an SSL ptr?
If not, will using the member `int server` in `struct ssl_st` help?
If so, please let us know if the OpenSSL community would be interested in a patch,
perhaps a macro to get the endpoint role.


Re: [openssl-users] Integrating openSSL with libuv's event loop

2015-02-26 Thread Devchandra L Meetei
Will somebody please be kind enough to answer?
On Feb 25, 2015 10:57 PM, Devchandra L Meetei <dlmee...@gmail.com> wrote:

> Hi lists,
> I am in the process of enabling TLS support on top of libuv.
> The approach being employed is to feed the data received from the stream to
> a BIO from a BIO pair,
>
> and write back the data from the BIO read using BIO_read after a call to
> BIO_pending.
> Will this read/write cycle drive the SSL handshake? Do we need to
> explicitly do the handshake in the case of a server?
>
> Currently, we do SSL_read to read application data manually by checking if
> the handshake is completed.
> Is there a better way to do this? Is there a way to get notified?
>
> All the code runs on the event loop thread.
>
> The real reason for the mail is that the approach highlighted above works
> fine for a single client.
> But it is unable to handle multiple clients.
> Will somebody please guide me through what is wrong?
>
> In case anybody wants to have a look at the code, it is available at
> https://github.com/deleisha/libuv-tls
>
>
>
>
> --
> Warm Regards
> --Dev
> OpenPegasus Developer
>
> I'm one of those people that think Thomas Edison and the light bulb
> changed the world more than Karl Marx ever did, Steve Jobs



[openssl-users] Integrating openSSL with libuv's event loop

2015-02-25 Thread Devchandra L Meetei
Hi lists,
I am in the process of enabling TLS support on top of libuv.
The approach being employed is to feed the data received from the stream to a
BIO from a BIO pair,

and write back the data from the BIO read using BIO_read after a call to
BIO_pending.
Will this read/write cycle drive the SSL handshake? Do we need to
explicitly do the handshake in the case of a server?

Currently, we do SSL_read to read application data manually by checking if
the handshake is completed.
Is there a better way to do this? Is there a way to get notified?

All the code runs on the event loop thread.

The real reason for the mail is that the approach highlighted above works
fine for a single client.
But it is unable to handle multiple clients.
Will somebody please guide me through what is wrong?

In case anybody wants to have a look at the code, it is available at
https://github.com/deleisha/libuv-tls




-- 
Warm Regards
--Dev
OpenPegasus Developer

I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did, Steve Jobs


[openssl-users] Which openssl to use for `void SSL_set_cert_cb`

2015-01-17 Thread Devchandra L Meetei
I am on Ubuntu 14.04 with

root@deleisha:/Codespace/TackleBio# openssl version
OpenSSL 1.0.1f 6 Jan 2014

and I am trying to use SSL_set_cert_cb, but ssl.h does not have a declaration for
this and I am not able to link.
The particular code seems to have been committed in 2012:
http://marc.info/?l=openssl-cvs&m=133521832004237

Which version of OpenSSL should I use for this? Or is it an Ubuntu packaging
issue?



-- 
Warm Regards
--Dev
OpenPegasus Developer

I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did, Steve Jobs


Re: Linux Foundation Core Infrastructure Initiative fellowships

2014-05-29 Thread Devchandra L Meetei
A big Applause, Congrats


On Thu, May 29, 2014 at 11:36 PM, Mark H. Wood mw...@iupui.edu wrote:

 \applause all around!

 --
 Mark H. Wood, Lead System Programmer   mw...@iupui.edu
 Machines should not be friendly.  Machines should be obedient.




-- 
Warm Regards
--Dev
OpenPegasus Developer

I'm one of those people that think Thomas Edison and the light bulb
changed the world more than Karl Marx ever did, Steve Jobs


Re: Forcing an application to use SHA512

2014-02-04 Thread Devchandra L Meetei
Guessing that there is no defined ciphersuite for this.

Search for "There is no defined cipher suite that uses SHA-512"
at [1].
Again, I am also very new to SSL programming and this mail might not be
perfect. Let us try to see a few more docs.


[1]
https://community.emc.com/community/edn/rsashare/blog/2010/11/01/sha-2-algorithms-when-sha-512-is-more-secure-and-faster


On Tue, Feb 4, 2014 at 2:53 PM, Gnanasekar R <gnanasekar@gmail.com> wrote:

 Hi,

 Just a more specific question. I am trying to locate a CipherSuite that
 could use SHA512. But I don't see any such suites. Currently I am using
 AES128-SHA but I wanted to use AES128-SHA512 going forward. Does that mean
 that SHA512 has not been made part of TLS CipherSuites?


 On 4 February 2014 13:01, Gnanasekar R gnanasekar@gmail.com wrote:

 Hi,

 I am trying to write a cli-ser app and in that I want to force SHA512 to
 be used. I am always seeing SHA1 being used. Is there a way to force that
 in the application?

 Thanks in advance!





-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


Re: OpenSSL 0.9.8r crashed in libcrypto.so.0.9.8 with BIO_test_flags

2014-01-29 Thread Devchandra L Meetei
Seems that a null pointer is passed at
#8  0x01ad0ad9 in BIO_test_flags (b=0x0, flags=15) at bio_lib.c:151

evident from b=0x0


On Wed, Jan 29, 2014 at 5:28 AM, myphamngc my.p...@ngc.com wrote:

 More information on the crash from our core file.  Any help/insight is
 appreciated!

 (gdb) where
 #0  0x004f4424 in __kernel_vsyscall ()
 #1  0x00c1caf1 in raise () from /lib/libc.so.6
 #2  0x00c1e3ca in abort () from /lib/libc.so.6
 #3  0x0117c161 in os::abort(bool) () from
 /usr/java/jdk1.7.0_21/jre/lib/i386/client/libjvm.so
 #4  0x01264654 in VMError::report_and_die() () from
 /usr/java/jdk1.7.0_21/jre/lib/i386/client/libjvm.so
 #5  0x011803f3 in JVM_handle_linux_signal () from
 /usr/java/jdk1.7.0_21/jre/lib/i386/client/libjvm.so
 #6  0x01178746 in signalHandler(int, siginfo*, void*) () from
 /usr/java/jdk1.7.0_21/jre/lib/i386/client/libjvm.so
 #7  signal handler called
 #8  0x01ad0ad9 in BIO_test_flags (b=0x0, flags=15) at bio_lib.c:151
 #9  0x01ad16bc in BIO_copy_next_retry (b=0xb41db140) at bio_lib.c:569
 #10 0x01ad509a in buffer_ctrl (b=0xb41db140, cmd=11, num=0, ptr=0x0) at
 bf_buff.c:410
 #11 0x01ad1182 in BIO_ctrl (b=0xb41db140, cmd=11, larg=0, parg=0x0) at
 bio_lib.c:370
 #12 0x00b16c13 in dtls1_retransmit_message (s=0x6585eff0, seq=0,
 frag_off=0,
 found=0xb34fdca0) at d1_both.c:1306
 #13 0x00b16683 in dtls1_retransmit_buffered_messages (s=0x6585eff0) at
 d1_both.c:1142
 #14 0x00b11e8a in dtls1_handle_timeout (s=0x6585eff0) at d1_lib.c:384
 #15 0x00b12c65 in dtls1_read_bytes (s=0x6585eff0, type=22, buf=0xb34fde0c
 \rGp, len=12, peek=0) at d1_pkt.c:735
 #16 0x00b15c36 in dtls1_get_message_fragment (s=0x6585eff0, st1=4384,
 stn=4385, max=2, ok=0xb34fdee4)
 at d1_both.c:801
 #17 0x00b14fcf in dtls1_get_message (s=0x6585eff0, st1=4384, stn=4385,
 mt=-1, max=2, ok=0xb34fdee4)
 at d1_both.c:438
 #18 0x00afd1d1 in ssl3_get_server_hello (s=0x6585eff0) at s3_clnt.c:700
 #19 0x00b0fcb4 in dtls1_connect (s=0x6585eff0) at d1_clnt.c:256
 #20 0x00b1b31d in SSL_do_handshake (s=0x6585eff0) at ssl_lib.c:2194
 #21 0x00704f5c in NDDS_Transport_DTLS_Connection_try_connect ()
from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddstransporttls.so
 #22 0x00705302 in NDDS_Transport_DTLS_Connection_send ()
from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddstransporttls.so
 #23 0x0070a057 in NDDS_Transport_DTLS_send () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddstransporttls.so
 #24 0x0048472a in ZRTPS_Transport_Send () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.2/librtizrtps.so
 #25 0x00133af8 in LBRTPS_Transport_Send () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.2/librtilbrtps.so
 #26 0x04ae7c1c in RTINetioSender_send () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #27 0x04ad82cf in MIGGeneratorContext_flush () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #28 0x04add4d6 in MIGGenerator_finishMessage () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #29 0x04acc1b5 in COMMENDAnonWriterService_onBroadcastEvent ()
from /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #30 0x04afc3bf in RTIEventActiveGeneratorThread_loop ()
from /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #31 0x04b315ef in RTIOsapiThreadChild_onSpawned () from
 /opt/RTI/ndds-current/lib/i86Linux2.6gcc4.1.1/libnddscore.so
 #32 0x00dbda09 in start_thread () from /lib/libpthread.so.0
 #33 0x00ccf00e in clone () from /lib/libc.so.6





 --
 View this message in context:
 http://openssl.6102.n7.nabble.com/OpenSSL-0-9-8r-crashed-in-libcrypto-so-0-9-8-with-BIO-test-flags-tp48314p48334.html
 Sent from the OpenSSL - User mailing list archive at Nabble.com.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


./config help

2014-01-28 Thread Devchandra L Meetei
When I run ./config, the final lines say the following:

Since you've disabled or enabled at least one algorithm, you need to do
the following before building:

make depend

Is there any way to check which algorithms are disabled, or
how do I enable all algorithms?




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


Re: ./config help

2014-01-28 Thread Devchandra L Meetei
That helps a lot.
Thanks, let me look again.


On Wed, Jan 29, 2014 at 11:44 AM, Jeffrey Walton noloa...@gmail.com wrote:




 On Wed, Jan 29, 2014 at 12:51 AM, Devchandra L Meetei <dlmee...@gmail.com> wrote:

 When I run ./config, the final lines say the following:

 Since you've disabled or enabled at least one algorithm, you need to do
 the following before building:

 make depend
 
 Is there any way to check which algorithms are disabled, or

 Yes. Look at the output after typing 'config'. It summarizes the
 configuration before the output fills with the other commands. You should
 see something like:

 Configuring for linux-x86_64
 no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip
 dir)
 no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
 no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir)
 no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
 no-md2  [default]  OPENSSL_NO_MD2 (skip dir)
 no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
 no-rfc3779  [default]  OPENSSL_NO_RFC3779 (skip dir)
 no-sctp [default]  OPENSSL_NO_SCTP (skip dir)
 no-shared   [default]
 no-store[experimental] OPENSSL_NO_STORE (skip dir)
 no-zlib [default]
 no-zlib-dynamic [default]
 ...


 How do I enable all algorithms?

  With enable-XXX, where XXX is an algorithm that you want to enable.

 But it might not be wise to enable some algorithms. For example, there's
 usually no reason to enable MD2 with 'enable-md2'.

 You might want to enable a shared library. Rather than 'enable-shared',
 all you need is: './config shared'

 You can also disable things you don't need. For example, PSK and SRP are
 rarely used, so 'no-psk' and 'no-srp' could be appropriate. (It's a shame
 PSK and SRP are not used more often. They provide mutual authentication and
 channel binding; and don't do dumb things like separating channel setup for
 application authentication and putting a plain text username/password on
 the wire in a basic_auth scheme).

 Jeff




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


Re: Selecting TLSv1.2 only protocol

2014-01-25 Thread Devchandra L Meetei
Aah, as you asked me correctly, I would prefer the TLSv1.2.
Thank you, Viktor.


On Sat, Jan 25, 2014 at 10:53 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Sat, Jan 25, 2014 at 10:29:58AM +0530, Devchandra L Meetei wrote:
>
>> What is the best way to support the TLS1.2 protocol alone in an application
>
> Do you really mean only TLSv1.2, or do you in fact want >= TLSv1.2,
> so that when TLSv1.3 comes out the same code will also work with
> TLSv1.3?
>
>> currently it is done by creating protocol
>> sslProtocolMethod = TLSv1_2_method();
>> ctx = SSL_CTX_new(sslProtocolMethod);
>
> This gives you exclusively TLSv1.2.
>
>> options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2;
>> options |= SSL_OP_NO_SSLv3;
>>
>> and used options to
>> SSL_CTX_set_options(ctx, options);
>
> This gives you >= TLSv1.2.
>
> You can decide which is right for you.
>
> --
> Viktor.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List    openssl-users@openssl.org
> Automated List Manager       majord...@openssl.org




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


Re: Selecting TLSv1.2 only protocol

2014-01-25 Thread Devchandra L Meetei
Just one more thing: for >= TLSv1.2,

should the protocol be selected as SSLv23_method()?


On Sat, Jan 25, 2014 at 8:33 PM, Devchandra L Meetei <dlmee...@gmail.com> wrote:

> Aah, as you asked me correctly, I would prefer the TLSv1.2.
> Thank you, Viktor.
>
>
> On Sat, Jan 25, 2014 at 10:53 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> On Sat, Jan 25, 2014 at 10:29:58AM +0530, Devchandra L Meetei wrote:
>>
>>> What is the best way to support the TLS1.2 protocol alone in an application
>>
>> Do you really mean only TLSv1.2, or do you in fact want >= TLSv1.2,
>> so that when TLSv1.3 comes out the same code will also work with
>> TLSv1.3?
>>
>>> currently it is done by creating protocol
>>> sslProtocolMethod = TLSv1_2_method();
>>> ctx = SSL_CTX_new(sslProtocolMethod);
>>
>> This gives you exclusively TLSv1.2.
>>
>>> options = SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 |SSL_OP_NO_SSLv2;
>>> options |= SSL_OP_NO_SSLv3;
>>>
>>> and used options to
>>> SSL_CTX_set_options(ctx, options);
>>
>> This gives you >= TLSv1.2.
>>
>> You can decide which is right for you.
>>
>> --
>> Viktor.
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List    openssl-users@openssl.org
>> Automated List Manager       majord...@openssl.org
>
>
>
>
> --
> Warm Regards
> --Dev
> OpenPegasus Developer/Committer
>
> Any fool can write code that a computer can understand. Good programmers
> write code that humans can understand.
> --- Martin Fowler




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler


Selecting TLSv1.2 only protocol

2014-01-24 Thread Devchandra L Meetei
Hi All,
What is the best way to support the TLS1.2 protocol alone in an application?

Currently it is done by creating the protocol method:

sslProtocolMethod = TLSv1_2_method();
ctx = SSL_CTX_new(sslProtocolMethod);

options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv2;
#ifndef OPENSSL_NO_SSL3
options |= SSL_OP_NO_SSLv3;
#endif

and using the options:
SSL_CTX_set_options(ctx, options);

and this is supposed to be used by both client and server.

Can I change it to
ctx = SSL_CTX_new(SSLv23_method());
and disable all others by setting options:
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_SSLv2
#ifndef OPENSSL_NO_SSL3
                         | SSL_OP_NO_SSLv3
#endif
                         );

If not, would somebody please explain to me why?




-- 
Warm Regards
--Dev
OpenPegasus Developer/Committer

Any fool can write code that a computer can understand. Good programmers
write code that humans can understand.
--- Martin Fowler