Re: [openssl-users] Difference between libssl.a in static openssl build versus libssl.a in dynamic openssl build ???

2017-07-24 Thread Joe Flowers
> You know you are going from something horribly out of date to something
> very out of date, right?

Yes.

> Can’t you at least move to 1.0.2?

That is out of my hands and is almost entirely irrelevant to the
information I asked for and need. Even if I could upgrade to 1.0.2 the same
problem and same question would remain.

On Mon, Jul 24, 2017 at 7:42 AM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> You know you are going from something horribly out of date to something
> very out of date, right?
>
>
>
> Can’t you at least move to 1.0.2?
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Difference between libssl.a in static openssl build versus libssl.a in dynamic openssl build ???

2017-07-23 Thread Joe Flowers
Hi Everyone,

1.
I am trying to upgrade some libraries of an older version of openssl
(~0.9.7) with the libraries of a less old version of openssl (1.0.0e).


2.
When I perform a dynamic openssl build with the following commands, I get
(among other files) a libssl.a file.

cd /joe/openssl-1.0.1e/dynamic/64bit/openssl-1.0.1e
make clean
setarch x86_64 ./config -m64 -D_GNU_SOURCE -fPIC shared no-zlib
make



3.
When I perform a static openssl build with the following commands, I get
(among other files) another libssl.a file.

cd /joe/openssl-1.0.1e/static/64bit/openssl-1.0.1e
./config -D_GNU_SOURCE
make clean
make



4.
I am trying to determine which one of these two newer libssl.a files I
should use to replace the older ~0.9.7 libssl.a file.


Any ideas how to do this?

I have been trying to use the "readelf" and "file" commands on these 3
different libssl.a files, but I am not seeing a pattern in the files which
allows me to determine which one should be used.

5.
I am compiling on a SLES11 SP1 64-bit machine.


Thanks!!!

Joe

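The check Joe is asking for can be automated. The script below is an added example for this thread, not code from the thread or from the OpenSSL project. It walks the members of a static archive and counts the x86-64 relocation types that bake an absolute 32-bit address into the code (R_X86_64_32 and R_X86_64_32S). Objects compiled without -fPIC, as in the plain `./config` build above, carry those, and the linker rejects them the moment the archive is pulled into a shared object ("relocation ... can not be used when making a shared object; recompile with -fPIC"). Objects from the `-fPIC shared` build use PC-relative, PLT and GOT relocations instead and link into either an executable or a shared library, which makes that libssl.a the safer drop-in. `readelf -r` on the extracted `.o` files shows the same relocation names; the script just does it in one pass over the archive. The sample archive and its two members (named ssl_lib.o and s3_enc.o for illustration) are hand-built in the script, not real compiler output, so it runs offline; pass a real `libssl.a` as the first argument to scan that instead.

```python
"""Scan the members of a static archive (e.g. libssl.a) for 32-bit absolute
x86-64 relocations, the signature of objects compiled without -fPIC.
Added example for this thread; not OpenSSL project code."""
import struct
import sys

AR_MAGIC = b"!<arch>\n"
SHT_RELA = 4
EM_X86_64 = 62
# Relocation types that bake an absolute 32-bit address into the code. A
# shared object cannot be mapped at an arbitrary address with these, so ld
# rejects them with "recompile with -fPIC". PC-relative/PLT/GOT types
# (R_X86_64_PC32=2, PLT32=4, GOTPCREL=9, GOTPCRELX=41/42) are what -fPIC
# code emits instead and are fine in both executables and shared objects.
ABSOLUTE_32 = {10: "R_X86_64_32", 11: "R_X86_64_32S"}


def ar_members(blob):
    """Yield (name, data) for each real member of a classic/GNU ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                     # fixed 60-byte member header
        name = hdr[0:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii").strip())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                # member data is 2-byte aligned
        if name in ("/", "//", "/SYM64/"):           # symbol index / long-name table
            continue
        yield name.rstrip("/"), data                 # GNU ar writes "ssl_lib.o/"


def absolute_relocs(elf):
    """Return {reloc_name: count} of absolute 32-bit relocations in one ELF64 .o."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 objects are handled")
    hdr = struct.unpack_from("<16sHHIQQQIHHHHHH", elf, 0)
    e_machine, e_shoff, e_shentsize, e_shnum = hdr[2], hdr[6], hdr[11], hdr[12]
    if e_machine != EM_X86_64:
        raise ValueError("ABSOLUTE_32 table is x86-64 specific")
    counts = {}
    for i in range(e_shnum):
        sh = struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size, sh_entsize = sh[1], sh[4], sh[5], sh[9]
        if sh_type != SHT_RELA or sh_entsize == 0:
            continue
        for pos in range(sh_offset, sh_offset + sh_size, sh_entsize):
            r_info = struct.unpack_from("<Q", elf, pos + 8)[0]   # r_offset, r_info, r_addend
            name = ABSOLUTE_32.get(r_info & 0xFFFFFFFF)          # low 32 bits = reloc type
            if name:
                counts[name] = counts.get(name, 0) + 1
    return counts


def classify_archive(blob):
    """Map each member to its absolute-relocation counts; {} means PIC-safe."""
    return {name: absolute_relocs(data) for name, data in ar_members(blob)}


# ---- constructed sample input (hand-built here, not real compiler output) ----

def build_object(reloc_types):
    """Minimal ELF64 x86-64 .o whose .rela.text holds one entry per given type."""
    shstrtab = b"\0.text\0.rela.text\0.shstrtab\0"
    text = b"\x90" * 8                                           # NOPs stand in for code
    rela = b"".join(struct.pack("<QQq", 0, (1 << 32) | t, 0) for t in reloc_types)
    off_text = 64 + len(shstrtab)
    off_rela = (off_text + len(text) + 7) & ~7
    off_sh = (off_rela + len(rela) + 7) & ~7

    def shdr(name, typ, flags, off, size, info=0, entsize=0):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, 0, off, size, 0, info, 8, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(1, 1, 6, off_text, len(text))                # .text: PROGBITS, ALLOC|EXEC
             + shdr(7, SHT_RELA, 0, off_rela, len(rela), info=1, entsize=24)
             + shdr(18, 3, 0, 64, len(shstrtab)))                 # .shstrtab: STRTAB
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       1, EM_X86_64, 1, 0, 0, off_sh, 0, 64, 0, 0, 64, 4, 3)
    body = bytearray(ehdr + shstrtab + text)
    body += b"\0" * (off_rela - len(body)) + rela
    body += b"\0" * (off_sh - len(body)) + shdrs
    return bytes(body)


def build_archive(members):
    """Pack {name: bytes} into a GNU-style ar archive."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        out += f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


R_X86_64_PC32, R_X86_64_PLT32, R_X86_64_32S = 2, 4, 11
# Stand-ins for the two builds in the thread: one member as a "-fPIC shared"
# build would emit it, one as the plain ./config build would.
SAMPLE_LIBSSL_A = build_archive({
    "ssl_lib.o": build_object([R_X86_64_PC32, R_X86_64_PLT32]),
    "s3_enc.o": build_object([R_X86_64_PLT32, R_X86_64_32S, R_X86_64_32S]),
})

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LIBSSL_A
    for member, absolute in classify_archive(blob).items():
        verdict = "PIC (safe in a shared object)" if not absolute else f"non-PIC: {absolute}"
        print(f"{member:16s} {verdict}")
```

On the sample, ssl_lib.o reports no absolute relocations and s3_enc.o reports two R_X86_64_32S, so only the first could be linked into a shared object. The relocation table is x86-64 specific; other architectures have their own absolute types, and a `.a` built for a different ABI would need the table adjusted before the verdict means anything.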


Re: [openssl-users] Source code to build "OpenSSL 1.0.1e-fips 11 Feb 2013"?

2017-06-03 Thread Joe Flowers
Andrew, Thank you very much.  This is very helpful.

On Jun 2, 2017 9:17 PM, "Porter, Andrew" <andrew_por...@bmc.com> wrote:

> If that version string was printed by a Linux system-provided "openssl"
> command you'd be best off downloading the system-specific source packages.
> To make your best guess at building it manually yourself from original
> source:
>
> (a) your old OpenSSL source here:
>
> https://www.openssl.org/source/old/1.0.1/
>
> (b) that string doesn't tell you which exact FIPS module source, the
> current version is here:
>
> https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz
>
> (c) The FIPS-140 User Guide here, which covers how to build first the FIPS
> module and then fips-enabled OpenSSL:
>
> https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
>
> Andrew
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Joe Flowers
> Sent: Friday, June 02, 2017 14:37
> To: openssl-users@openssl.org
> Subject: [openssl-users] Source code to build "OpenSSL 1.0.1e-fips 11 Feb
> 2013"?
>
> Hello Everyone,
>
> Will someone tell me where the source code is to build this version of
> openssl, please?
>
> "OpenSSL 1.0.1e-fips 11 Feb 2013"
>
>
> Thanks!
>
> Joe
> -
>


[openssl-users] Source code to build "OpenSSL 1.0.1e-fips 11 Feb 2013"?

2017-06-02 Thread Joe Flowers
Hello Everyone,

Will someone tell me where the source code is to build this version of
openssl, please?

"OpenSSL 1.0.1e-fips 11 Feb 2013"


Thanks!

Joe
-


Re: [openssl-users] OpenSSL 0.9.8 - No more security fixes, nor updates and support, But NO CVEs listed either?

2016-01-12 Thread Joe Flowers
Thanks, Matt!


I did not know that OpenSSL.org is the only organization that creates
CVEs for OpenSSL.


Thanks for clearing this up for me!


Joe

--


On 12/01/16 22:43, Joe Flowers wrote:
> Hello OpenSSL Developers,
>
> I understand through your previous announcements that OpenSSL
> 0.9.8 is no longer "supported", and no more "security fixes", nor
> "security updates" will be provided by OpenSSL.org.
>
> Does this mean that we can expect no more CVEs to be generated
> or listed for OpenSSL 0.9.8 also?

Not supported means we will no longer be doing work on the 0.9.8 or
1.0.0 branches. This includes any analysis which may lead to a CVE
assignment.

Matt


[openssl-users] OpenSSL 0.9.8 - No more security fixes, nor updates and support, But NO CVEs listed either?

2016-01-12 Thread Joe Flowers
Hello OpenSSL Developers,


I understand through your previous announcements that OpenSSL 0.9.8 is
no longer "supported", and no more "security fixes", nor "security
updates" will be provided by OpenSSL.org.


Does this mean that we can expect no more CVEs to be generated or
listed for OpenSSL 0.9.8 also?


Thanks!

Joe




"NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS."


"As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade."


per http://openssl.org/news/secadv/20151203.txt.

-



recommendations for encrypting a document on a distributed CD?

2011-11-02 Thread Joe Flowers
Hello Everyone,

I would like recommendations and suggestions for encrypting a document on a
distributed CD. I would like someone to be able to open and read the
document only if they have a password or secret string or other(?).
I understand there is a limit to how secure this really is, but I would
like it to be reasonably secure for what it is, and that's why I'm asking
the question here.

Down the same lines, I'm wondering if something like AES-256 should be used
with several rounds (encrypting the encrypted data N times) to help
prevent (slow down) an exhaustive attack?

How is something like this usually done? Any suggestions/recommendations
inside or outside the box?

It would also be nice if a common, widely available unencrypting tool could
be easily used to unencrypt the document if the secret string is known.

Thanks!

joe.flow...@nofreewill.com

---


Re: recommendations for encrypting a document on a distributed CD?

2011-11-02 Thread Joe Flowers
PGP?



On Wed, Nov 2, 2011 at 8:27 AM, Joe Flowers joe.flow...@nofreewill.com wrote:

> Hello Everyone,
>
> I would like recommendations and suggestions for encrypting a document on
> a distributed CD. I would like someone to be able to open and read the
> document only if they have a password or secret string or other(?).
> I understand there is a limit to how secure this really is, but I would
> like it to be reasonably secure for what it is, and that's why I'm asking
> the question here.
>
> Down the same lines, I'm wondering if something like AES-256 should be
> used with several rounds (encrypting the encrypted data N times) to help
> prevent (slow down) an exhaustive attack?
>
> How is something like this usually done? Any suggestions/recommendations
> inside or outside the box?
>
> It would also be nice if a common, widely available unencrypting tool
> could be easily used to unencrypt the document if the secret string is
> known.
>
> Thanks!
>
> joe.flow...@nofreewill.com
>
> ---


Re: OpenSSL Web Server Certificate renewed

2008-09-12 Thread Joe Flowers
Thanks a lot Steve! We'll definitely be keeping Globalsign in mind.

Joe
-

On Fri, Sep 12, 2008 at 1:49 PM, Lutz Jaenicke [EMAIL PROTECTED] wrote:

> Hi!
>
> I have just installed a new (2048bit) certificate and key to the
> OpenSSL Project webserver. It is a wildcard certificate for *.openssl.org
> catching both www.openssl.org and rt.openssl.org.
>
> Many thanks go to Steve Roylance from Globalsign for donating a
> 3 year wildcard SSL certificate!!
>
> Best regards,
> Lutz



Re: Basic question on version number..

2008-08-22 Thread Joe Flowers
> We're thinking of using openssl in our company but wondering about the
> version number.

Rach,

OpenSSL is a great product. It is very widely used and adopted throughout
the world. If you ripped it off the face of the planet right now, it would
be catastrophic because so many people and systems and programs and etc.
depend on it. Care none what version numbering scheme they use.

Joe
--


Re: OpenSSL HTTPS application and Wireshark v1.0.0 (Win32)

2008-06-04 Thread Joe Flowers
Thanks for the specific detail and recommendations Matt. Yes, this will help
for sure.

Thank you!

Joe


On Wed, Jun 4, 2008 at 9:21 AM, Matt Tesauro [EMAIL PROTECTED]
wrote:

> If you only need to look at the HTTP traffic, I'd suggest you use a
> local proxy and place it between your client and server.  This will
> establish 2 SSL connections, 1 between the client and the proxy and a
> second between the proxy and your server.  At the proxy, everything is
> in the clear.  There are a bunch of good (and free) proxies to do this
> and keep a log of all the HTTP traffic they pass.  My favorite is burp:
> http://portswigger.net/proxy/
> OWASP also has WebScarab:
> http://www.owasp.org/index.php/OWASP_WebScarab_Project
> or even Paros:
> http://www.parosproxy.org/index.shtml
>
> HTH.
>
> -- Matt Tesauro
>
> On Mon, 2008-06-02 at 11:54 -0400, Joe Flowers wrote:
>> Hello everyone,
>>
>> Does anyone have ideas on how I can get Wireshark to decrypt my
>> OpenSSL HTTPS client application data?
>>
>> I can decrypt the HTTPS traffic OK to the server machine from the
>> client machine with Wireshark installed on the client machine, where
>> the HTTPS traffic is initiated from a web browser (IE) on the client
>> machine.
>>
>> BUT, when I try my HTTPS client application (on the client machine,
>> talking to the server machine), the application seems to work
>> correctly other than I am not able to see the decrypted data in
>> Wireshark. This is killing me when trying to troubleshoot this
>> application on other client machines.
>>
>> Is there a trick to getting Wireshark to work with OpenSSL
>> applications or is there something wrong with my application which
>> prevents Wireshark from decrypting the data?
>>
>>
>> Thanks for any help or ideas to try!
>>
>> Joe
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List    openssl-users@openssl.org
> Automated List Manager       [EMAIL PROTECTED]



OpenSSL HTTPS application and Wireshark v1.0.0 (Win32)

2008-06-02 Thread Joe Flowers
Hello everyone,

Does anyone have ideas on how I can get Wireshark to decrypt my OpenSSL
HTTPS client application data?

I can decrypt the HTTPS traffic OK to the server machine from the client
machine with Wireshark installed on the client machine, where the HTTPS
traffic is initiated from a web browser (IE) on the client machine.

BUT, when I try my HTTPS client application (on the client machine, talking
to the server machine), the application seems to work correctly other than I
am not able to see the decrypted data in Wireshark. This is killing me when
trying to troubleshoot this application on other client machines.

Is there a trick to getting Wireshark to work with OpenSSL applications or
is there something wrong with my application which prevents Wireshark from
decrypting the data?


Thanks for any help or ideas to try!

Joe


Re: OpenSSL HTTPS application and Wireshark v1.0.0 (Win32)

2008-06-02 Thread Joe Flowers
Thanks Jean-Marc.

Do you think that because my OpenSSL app uses AES-256 for the cipher that
that could be the problem?

Joe



Re: Netware CLIB libraries

2007-06-04 Thread Joe Flowers

Zack,

This is what I got back from a different friend:


http://www.novell.com/documentation/oes/nlm_list/index.html?page=/documentation/oes/nlm_list/data/ai39ik3.html

Search for NTLS.NLM.

Novell TLS Library

   * SSL stack based on OpenSSL.
   * If unloaded, there are no SSL services for consuming applications,
     which is only LDAP in NetWare 6.5.
   * Dependent on nldap.nlm, nici.nlm, and npkit.nlm.
   * Loaded by default.

This seems to indicate that it probably exports the OpenSSL functions.

Joe



Re: openssl clients for windows

2007-06-01 Thread Joe Flowers

Gary,

Have you tried running your application in a Dependency Walker profile?
http://support.microsoft.com/kb/256872

Joe


gary clark wrote:
> Hey Victor,
>
> Thanks for the response. I don't think it's an attribute
> issue of dlls or files. I checked and they seem to be
> ok. Not read only. The two dlls I'm using are
> ssleay32.dll and libeay32.dll and of type application
> extension.
>
> I want to load the libraries dynamically using
> LoadLibrary(L"ssleay32") is this fine?
>
> When I do the above I get a new error message failure.
>
> The application failed to start because the
> application configuration is incorrect. Reinstalling
> the application may fix the problem.
>
> This is going to be something really, really silly. Can
> somebody shed some light on this?
>
> Thanks,
> Garyc
>
> --- Victor B. Wagner [EMAIL PROTECTED] wrote:
>
>> On 2007.05.31 at 22:28:27 -0700, gary clark wrote:
>>
>>> Hello,
>>>
>>> Using 0.8.9e.
>>>
>>> Attempting to port my openssl testclient to a XP
>>> machine which does not have the complete install of
>>> openssl.
>>> I took the ssleay32.dll and libeay32.dll and installed
>>> them in the system32 directory.
>>>
>>> When running the client I am seeing it crash with the
>>> message "The application has failed to start because
>>> the application configuration is incorrect. Reinstalling
>>> the application may fix this problem." I built the
>>> application with \MD in the Code Generation section.
>>
>> On NTFS such problem can occur if executable file or
>> some dll doesn't have execute permission.
>>
>> If you've sent dlls as mail attachment or use some
>> archiver to pack and transfer them, attribute which
>> allows execution can be lost.
>>
>> Check attributes of both your client and dlls.





Re: Netware CLIB libraries

2007-06-01 Thread Joe Flowers

Zack,

I've done a lot of NetWare programming but have never heard of an
OpenSSL .lib for Novell Netware's CLIB library. I don't think such a
beast exists.


If you are looking to make .exe files then you can probably use the free 
Borland compiler 
(http://www.johnsmiley.com/cis18.notfree/smiley029/smiley029.htm). You 
can use Borland's implib.exe to create .lib files from .dll files, 
although you probably don't have to. I haven't had experience with 
Borland and Netware in a long time because I usually use MSVC6 (for 
.exe) and CodeWarrior (for .nlm) for all of my NetWare programming.


You can determine exactly what Netware .lib files you need from 
http://developer.novell.com/ by looking closely toward the bottom of the 
online API docs. Look for the NDK, and I think those downloads are free 
still. They include the .lib files.


I know there are some free utils under Linux that will compile EXEs and 
NLMs, but I haven't dealt with them in a long time either.


Joe


Zack Payton wrote:

Hello all,

I am looking for an OpenSSL .lib for Novell Netware's CLIB library.  
I'm looking at all the documentation and it appears this is only 
supported with Code Warrior which costs $.
Does anybody know where I could find a precompiled lib, could anybody 
send me one, or give any advice for building with a free compiler such 
as Watcom?


Thanks and have a good weekend!

Sincerely,
Zachary Bell Payton




Re: Netware CLIB libraries

2007-06-01 Thread Joe Flowers

Zack,

I'm sorry I have an old mind and memory, but I actually do have a 
program that requires libeay32.lib and libssl32.lib to make a specific NLM.
Unfortunately, I did not make them myself, but I do have an inside 
contact that I have queried on how to make these for Netware. It may 
just turn out to be a CodeWarrior util like implib.exe for Borland. The 
ones I have probably only work with CodeWarrior anyway.


Joe


Zack Payton wrote:
> Joe,
>
> Thank you for the response.  I guess I am looking to compile openssl
> into a static library that will work with older versions of netware.
> The netware readme file makes mention of this but documentation
> suggests that Code Warrior is a requirement (which I do not have).
>
> I will take a look at the borland stuff, but I was trying to wing it
> without having to purchase anything as this was a one time shot.
>
> Thanks,
> Zack
>
> On 6/1/07, Joe Flowers [EMAIL PROTECTED] wrote:
>> Zack,
>>
>> I've done a lot of NetWare programming but have never heard of an
>> OpenSSL .lib for Novell Netware's CLIB library. I don't think such a
>> beast exists.
>>
>> If you are looking to make .exe files then you can probably use the free
>> Borland compiler
>> (http://www.johnsmiley.com/cis18.notfree/smiley029/smiley029.htm). You
>> can use Borland's implib.exe to create .lib files from .dll files,
>> although you probably don't have to. I haven't had experience with
>> Borland and Netware in a long time because I usually use MSVC6 (for
>> .exe) and CodeWarrior (for .nlm) for all of my NetWare programming.
>>
>> You can determine exactly what Netware .lib files you need from
>> http://developer.novell.com/ by looking closely toward the bottom of the
>> online API docs. Look for the NDK, and I think those downloads are free
>> still. They include the .lib files.
>>
>> I know there are some free utils under Linux that will compile EXEs and
>> NLMs, but I haven't dealt with them in a long time either.
>>
>> Joe
>>
>> Zack Payton wrote:
>>> Hello all,
>>>
>>> I am looking for an OpenSSL .lib for Novell Netware's CLIB library.
>>> I'm looking at all the documentation and it appears this is only
>>> supported with Code Warrior which costs $.
>>> Does anybody know where I could find a precompiled lib, could anybody
>>> send me one, or give any advice for building with a free compiler such
>>> as Watcom?
>>>
>>> Thanks and have a good weekend!
>>>
>>> Sincerely,
>>> Zachary Bell Payton





%OSVERSION% is not defined at util/pl/VC-32.pl line 41.

2007-05-14 Thread Joe Flowers

Hello All-

I can't remember getting this error the last time I built OpenSSL from 
source.
I saw a recent archived post where Steve said that this is caused by the 
MS VC++ v6.0 SP6 environment not being setup correctly, but I'm not sure 
this is the case here. This is my second development machine with the 
exact same fatal error message. Arg...


Any ideas please?

Joe

---
F:\joe\openssl-0.9.8e>ver

Microsoft Windows XP [Version 5.1.2600]

F:\joe\openssl-0.9.8e>md c:\openssl

F:\joe\openssl-0.9.8e>g:\Program Files\Microsoft Visual 
Studio\VC98\Bin\VCVARS32.BAT

Setting environment for using Microsoft Visual C++ tools.

F:\joe\openssl-0.9.8e>perl -v

This is perl, v5.8.8 built for MSWin32-x86-multi-thread
(with 50 registered patches, see perl -V for more detail)

Copyright 1987-2006, Larry Wall

Binary build 820 [274739] provided by ActiveState http://www.ActiveState.com
Built Jan 23 2007 15:57:46

Perl may be copied only under the terms of either the Artistic License 
or the

GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using man perl or perldoc perl.  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.


F:\joe\openssl-0.9.8e>perl Configure VC-WIN32 --prefix=c:/openssl
Configuring for VC-WIN32
   no-camellia [default]  OPENSSL_NO_CAMELLIA (skip dir)
   no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
   no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
   no-mdc2 [default]  OPENSSL_NO_MDC2 (skip dir)
   no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
   no-rfc3779  [default]  OPENSSL_NO_RFC3779 (skip dir)
   no-shared   [default]
   no-zlib [default]
   no-zlib-dynamic [default]
IsMK1MF=1
CC=cl
CFLAG =-DOPENSSL_THREADS  -DDSO_WIN32
EX_LIBS   =
CPUID_OBJ =
BN_ASM=bn_asm.o
DES_ENC   =des_enc.o fcrypt_b.o
AES_ASM_OBJ   =aes_core.o aes_cbc.o
BF_ENC=bf_enc.o
CAST_ENC  =c_enc.o
RC4_ENC   =rc4_enc.o
RC5_ENC   =rc5_enc.o
MD5_OBJ_ASM   =
SHA1_OBJ_ASM  =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=true
ARFLAGS   =
PERL  =perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined

Configured for VC-WIN32.

F:\joe\openssl-0.9.8e>ms\do_ms

F:\joe\openssl-0.9.8e>perl util\mkfiles.pl  1>MINFO

F:\joe\openssl-0.9.8e>perl util\mk1mf.pl no-asm VC-WIN32  1>ms\nt.mak

F:\joe\openssl-0.9.8e>perl util\mk1mf.pl dll no-asm VC-WIN32  1>ms\ntdll.mak

F:\joe\openssl-0.9.8e>perl util\mk1mf.pl no-asm VC-CE  1>ms\ce.mak
%OSVERSION% is not defined at util/pl/VC-32.pl line 41.
Compilation failed in require at util\mk1mf.pl line 138.

F:\joe\openssl-0.9.8e>perl util\mk1mf.pl dll no-asm VC-CE  1>ms\cedll.mak
%OSVERSION% is not defined at util/pl/VC-32.pl line 41.
Compilation failed in require at util\mk1mf.pl line 138.

F:\joe\openssl-0.9.8e>perl util\mkdef.pl 32 libeay  1>ms\libeay32.def

F:\joe\openssl-0.9.8e>perl util\mkdef.pl 32 ssleay  1>ms\ssleay32.def

F:\joe\openssl-0.9.8e>
---



Re: %OSVERSION% is not defined at util/pl/VC-32.pl line 41.

2007-05-14 Thread Joe Flowers

Dr. Stephen Henson wrote:

> Note that the two errors are produced when generating the WinCE makefiles
> which aren't used so they can be safely ignored.



Steve,

Yeah, I noticed the ce warning messages too and tried to continue on 
to the next step (nmake -f ms\ntdll.mak) but it failed repeatedly at the 
same place with something like *version* in the fatal error message. 
So, I assumed it had something to do with the earlier OSVERSION error 
messages.


Alas though, today I am embarrassed because I just tried again on my 1st 
development machine and it ran through like a charm with no problems at 
all, other than the original CE benign warning message. Arg! So, now 
I'm embarrassed for wasting everyone's time.


Arg

I'm very sorry Steve.

I'll have to try it again at home on my 2nd dev. machine.

Joe


Re: memory leaks - what am I doing wrong?

2007-02-05 Thread Joe Flowers

Lars,

I assume you are running this inside a loop inside of main() and that is 
how you can tell there is a leak?


Joe




Lars Uhlmann wrote:
Please reference http://www.openssl.org/support/faq.html#PROG13 -- 

 I think I've detected a memory leak, is this a bug?


Thanks!


It doesn't matter if I call those cleaning functions, the leaks are
still there.

/* --- cut here --- */
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/conf.h>

int main(int argc, char *argv[])
{
    SSL_library_init();

    //ERR_remove_state(0);
    //ERR_free_strings();
    ENGINE_cleanup();
    CONF_modules_unload(1);

    return 1;
}
/* --- cut here --- */

valgrind: still reachable: 1,336 bytes in 81 blocks.
What now?

My problem is, I dont't know _where to read_ about doing it right. The 
large output about blocks allocated from openssl makes it hard to find 
my own leaks. That's quite confusing.


These functions I'm now using. Can someone please look at it and tell 
me a little bit more where I should pay attention about freeing things?


,-
| SSL_library_init();
|
| SSL_CTX* pCtx = SSL_CTX_new(SSLv3_client_method());
| SSL* pSsl = NULL;
|
| SSL_CTX_use_certificate_chain_file(pCtx, "client.crt");
| SSL_CTX_use_PrivateKey_file(pCtx, "client.key", SSL_FILETYPE_PEM);
| SSL_CTX_check_private_key(pCtx);
| SSL_CTX_load_verify_locations(pCtx, "ca.crt", NULL);
|
| BIO* pBio = BIO_new_buffer_ssl_connect(pCtx);
|
| BIO_get_ssl(pBio, &pSsl);
| SSL_set_mode(pSsl, SSL_MODE_AUTO_RETRY);
|
| BIO_set_conn_hostname(pBio, HOSTNAME);
| BIO_set_conn_port(pBio, HTTPS_PORT);
| BIO_do_connect(pBio);
|
| SSL_CTX_set_verify(pCtx, VERIFY_SWITCHES, NULL);
| SSL_CTX_set_verify_depth(pCtx, 1);
|
| SSL_get_verify_result(pSsl);
|
| BIO_write(pBio, REQUEST, sizeof(REQUEST) - 1);  /* -1: don't send the terminating NUL */
| BIO_flush(pBio);
| BIO_gets(pBio, buffer, buffer_size);
|
| SSL_CTX_free(pCtx);
| BIO_free_all(pBio);
`-

thanks in advance
Lars





Re: When to use CRYPTO_set_locking_callback() and

2006-09-15 Thread Joe Flowers

Marek,

I really appreciate this code snippet **a lot**. It looks like an 
excellent snippet of code...as best as I can tell.
Can anyone else please confirm that these functions (listed below) are 
what I need to implement for making OpenSSL thread-safe?

No offense intended Marek. I'm just looking for a second confirming source.

I'm running this on a Win32 platform, so I'm going to have to convert 
from pthreads to Win32 speak, but I think I can do that. Any gotchas 
will be appreciated though. For example, do I need the Win32 keyword 
CALLBACK or EXPORT in the function prototypes?


I'm also wondering if there is some way I can test this to make sure this 
is working correctly?


Thanks a million... again!

Joe



Marek Marcola wrote:
You may use something like that:


#include <stdlib.h>
#include <pthread.h>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

struct CRYPTO_dynlock_value
{
    pthread_mutex_t mutex;
};

/* one mutex per static lock id reported by CRYPTO_num_locks() */
static pthread_mutex_t *mutex_buf = NULL;

/**
 * OpenSSL locking function.
 *
 * @param mode  lock mode (CRYPTO_LOCK set = acquire, clear = release)
 * @param n     lock number
 * @param file  source file name
 * @param line  source file line number
 * @return none
 */
static void locking_function(int mode, int n, const char *file, int line)
{
    if (mode & CRYPTO_LOCK) {
        pthread_mutex_lock(&mutex_buf[n]);
    } else {
        pthread_mutex_unlock(&mutex_buf[n]);
    }
}

/**
 * OpenSSL uniq id function.
 *
 * @return thread id
 */
static unsigned long id_function(void)
{
    return ((unsigned long) pthread_self());
}

/**
 * OpenSSL allocate and initialize dynamic crypto lock.
 *
 * @param file  source file name
 * @param line  source file line number
 */
static struct CRYPTO_dynlock_value *dyn_create_function(const char *file,
                                                        int line)
{
    struct CRYPTO_dynlock_value *value;

    value = (struct CRYPTO_dynlock_value *)
        malloc(sizeof(struct CRYPTO_dynlock_value));
    if (!value) {
        goto err;
    }
    pthread_mutex_init(&value->mutex, NULL);

    return value;

  err:
    return (NULL);
}

/**
 * OpenSSL dynamic locking function.
 *
 * @param mode  lock mode
 * @param l     lock structure pointer
 * @param file  source file name
 * @param line  source file line number
 * @return none
 */
static void dyn_lock_function(int mode, struct CRYPTO_dynlock_value *l,
                              const char *file, int line)
{
    if (mode & CRYPTO_LOCK) {
        pthread_mutex_lock(&l->mutex);
    } else {
        pthread_mutex_unlock(&l->mutex);
    }
}

/**
 * OpenSSL destroy dynamic crypto lock.
 *
 * @param l     lock structure pointer
 * @param file  source file name
 * @param line  source file line number
 * @return none
 */
static void dyn_destroy_function(struct CRYPTO_dynlock_value *l,
                                 const char *file, int line)
{
    pthread_mutex_destroy(&l->mutex);
    free(l);
}

/**
 * Initialize TLS library.
 *
 * @return 0 on success, -1 on error
 */
int tls_init(void)
{
    int i;

    /* static locks area */
    mutex_buf = malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
    if (mutex_buf == NULL) {
        return (-1);
    }
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        pthread_mutex_init(&mutex_buf[i], NULL);
    }
    /* static locks callbacks */
    CRYPTO_set_locking_callback(locking_function);
    CRYPTO_set_id_callback(id_function);
    /* dynamic locks callbacks */
    CRYPTO_set_dynlock_create_callback(dyn_create_function);
    CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
    CRYPTO_set_dynlock_destroy_callback(dyn_destroy_function);

    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();

    RAND_load_file("/dev/urandom", 1024);

    return (0);
}

/**
 * Cleanup TLS library.
 *
 * @return 0
 */
int tls_cleanup(void)
{
    int i;

    if (mutex_buf == NULL) {
        return (0);
    }

    /* unregister the callbacks before tearing down the mutexes they use */
    CRYPTO_set_dynlock_create_callback(NULL);
    CRYPTO_set_dynlock_lock_callback(NULL);
    CRYPTO_set_dynlock_destroy_callback(NULL);

    CRYPTO_set_locking_callback(NULL);
    CRYPTO_set_id_callback(NULL);

    for (i = 0; i < CRYPTO_num_locks(); i++) {
        pthread_mutex_destroy(&mutex_buf[i]);
    }
    free(mutex_buf);
    mutex_buf = NULL;

    return (0);
}


Best regards,
-- Marek Marcola [EMAIL PROTECTED]



Re: SSL_read returns SSL_ERROR_WANT_READ

2006-08-25 Thread Joe Flowers

David Schwartz wrote:

> Make sure that you protect the SSL session with a
> mutex. You are not allowed to call SSL_read and SSL_write at the same time
> on the same session from different threads.
>
> DS


David,

Does same session mean, same instance of an ssl object, or same 
instance of a ctx object?


Thanks!

Joe



Re: Wrapping SSL_read/SSL_write so they behave like read/write.]

2006-08-22 Thread Joe Flowers

Do something like this for an SSL_read() and something very similar for 
SSL_write() and SSL_shutdown(), etc. (I'm assuming non-blocking sockets):

-
totalbytesread=0;
stop='n';
bail='n';
unsigned char buf[bufsize];
totaltime=0;

memset(buf, 0, bufsize);

do {

ret=select(maxfd + 1, &readfds, &writefds, &exceptionfds, &timeout);

if(select() fails, times out, or has exceptionfds) {
bail='y';
}

if((stop=='n')&&(bail=='n')) {

if(bufsize-1-totalbytesread < 1) {
stop='y'; /* and/or bail='y'; depending on your situation */ }

if((stop=='n')&&(bail=='n')) {

ret2=SSL_read(ssl, &buf[totalbytesread], bufsize-1-totalbytesread);

if(ret2<1) {

ret3=SSL_get_error(ssl, ret2);
if((ret3!=SSL_ERROR_WANT_READ)&&(ret3!=SSL_ERROR_WANT_WRITE)) {
bail='y';
} //if((ret3!=SSL_ERROR_WANT_READ)&&(ret3!=SSL_ERROR_WANT_WRITE))

} //if(ret2<1)
else { //OK, we've read more bytes

oldtotalbytesread=totalbytesread;
totalbytesread=ret2+totalbytesread;

if((bufsize-1-totalbytesread)<1) {
buf[oldtotalbytesread]='\0';

stop='y'; /* and/or bail='y'; depending on your situation */

} else {
buf[totalbytesread]='\0';
}

if((bail=='n')&&(stop=='n')) {

totaltime=totaltime+(this time here - last time here);

/* Check to see if buf contains information that tells you it's time to stop or 
   if too much time has been taken for this whole SSL_read() routine. */

if(time to stop) {
stop='y'; /* and/or bail='y' for too much time; depending on your situation */
} //if(time to stop)

} //if((bail=='n')&&(stop=='n'))

} //else OK, we've read more bytes
} //if((stop=='n')&&(bail=='n'))
} //if((stop=='n')&&(bail=='n'))
} while((stop=='n')&&(bail=='n'));

if(bail=='n'){
printf("\nbuf=(%s).\n", buf);
} else {
printf("\nFatal Error!\n");
}

-


Good luck!

Joe



Steven Young wrote:
  
  Apologies if this is a duplicate; I was messing around with my e-mail

yesterday and it was broken for a while.  I didn't see this go through.

On Sun, Aug 20, 2006 at 06:54:36PM -0400, Joe Flowers wrote:
  
It means call exactly the same SSL function you just did with the exact 
same parameters as you just did that produced this SSL_ERROR_WANT_WRITE 
return.



  Pardon me, I think I'm a little thick today.  I get what you're 
all saying but I'm still not 100% sure of how this should be applied.

Here's the program flow, without SSL:

while(!quit) {
  for(i in all file descriptors) {
if(we have something buffered up to say to the server)
  FD_SET(thisfd, writefds)
/* we are always interested in what the server has to say
 * to us */
FD_SET(thisfd, readfds);
  }

  select(maxfd + 1, readfds, writefds, NULL, timeout);

  if(FD_ISSET(thisfd, readfds)) {
read(thisfd), process it, probably send a reply with write()
  } else if(FD_ISSET(thisfd, writefds) {
write(thisfd) whatever we have buffered up; if it was a partial
write, update the buffer.
  }
}

  Using SSL, how should this look? From what I'm hearing, it shouldn't
use select() at all.  So how do I find out if the server has something
to say short of polling it with SSL_read?

  Thanks,
  Steve.

- End forwarded message -

  


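A worked version of the loop sketched in the message above and asked about in Steve's wrapper question, added here as an example; it is not code from this thread or from OpenSSL. The names nb_ssl, nb_ssl_read_all, ms_elapsed, fake_read, fake_get_error and run_demo are mine. The SSL_ERROR_* values are the ones from <openssl/ssl.h>, redefined so the block builds and runs without libssl, and the transport is reached through two function pointers so the loop can be exercised against a constructed fake peer over a socketpair (no real handshake takes place). The loop does what the replies in this thread insist on: after a non-positive return from the read it asks SSL_get_error, waits with select() for readability on WANT_READ or writability on WANT_WRITE, repeats the very same read call, and gives up after a total deadline instead of spinning at 100% CPU or hanging forever on a rebooted peer.

```c
#include <errno.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Same values as in OpenSSL's <openssl/ssl.h>; redefined so this builds without libssl. */
#define SSL_ERROR_NONE        0
#define SSL_ERROR_WANT_READ   2
#define SSL_ERROR_WANT_WRITE  3
#define SSL_ERROR_SYSCALL     5
#define SSL_ERROR_ZERO_RETURN 6

/* Transport hooks (my names). With real OpenSSL, ctx is the SSL*, read_op wraps
 * SSL_read and get_error wraps SSL_get_error; indirected only for the fake peer below. */
struct nb_ssl {
    int fd;                                      /* the non-blocking socket */
    void *ctx;
    int (*read_op)(void *ctx, void *buf, int n);
    int (*get_error)(void *ctx, int ret);
};

static long ms_elapsed(const struct timeval *t0)
{
    struct timeval now;
    gettimeofday(&now, NULL);
    return (now.tv_sec - t0->tv_sec) * 1000L + (now.tv_usec - t0->tv_usec) / 1000L;
}

/* Read up to len bytes. On WANT_READ/WANT_WRITE, select() for the direction the
 * library asked for, then repeat the identical read call (never SSL_write, never
 * a busy loop); give up once timeout_ms has elapsed in total.
 * Returns bytes read (0 if close_notify came first), -1 on error or timeout. */
int nb_ssl_read_all(struct nb_ssl *s, unsigned char *buf, int len, int timeout_ms)
{
    struct timeval t0;
    int total = 0;
    gettimeofday(&t0, NULL);
    while (total < len) {
        int n = s->read_op(s->ctx, buf + total, len - total);
        if (n > 0) { total += n; continue; }         /* partial data: keep going */
        int err = s->get_error(s->ctx, n);
        if (err == SSL_ERROR_ZERO_RETURN) break;     /* clean TLS shutdown */
        if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_WANT_WRITE)
            return -1;                               /* SSL_ERROR_SSL / SSL_ERROR_SYSCALL */

        long left = timeout_ms - ms_elapsed(&t0);
        if (left <= 0) { errno = ETIMEDOUT; return -1; }
        fd_set fds;
        FD_ZERO(&fds); FD_SET(s->fd, &fds);
        struct timeval tv = { left / 1000, (left % 1000) * 1000 };
        /* A WANT_WRITE from a read (e.g. renegotiation) means: wait until
         * writable, then call the *read* again. */
        int r = select(s->fd + 1, err == SSL_ERROR_WANT_READ ? &fds : NULL,
                       err == SSL_ERROR_WANT_WRITE ? &fds : NULL, NULL, &tv);
        if (r == 0) { errno = ETIMEDOUT; return -1; }
        if (r < 0 && errno != EINTR) return -1;
    }
    return total;
}

/* Constructed fake peer (no real handshake). Script: WANT_WRITE; WANT_READ after
 * poking the socket from the peer end so select() wakes; "hel"; "lo"; close_notify.
 * With hang set the WANT_READ is never satisfied, so the loop must time out. */
struct fake { int fd, peer, step, hang, last_err; };

static int fake_read(void *ctx, void *buf, int n)
{
    struct fake *f = ctx;
    unsigned char wake;
    (void)n;                                     /* run_demo always asks for 5 */
    switch (f->step++) {
    case 0: f->last_err = SSL_ERROR_WANT_WRITE; return -1;
    case 1: f->last_err = (f->hang || write(f->peer, "x", 1) == 1)
                        ? SSL_ERROR_WANT_READ : SSL_ERROR_SYSCALL;
            return -1;
    case 2: if (read(f->fd, &wake, 1) != 1) { f->last_err = SSL_ERROR_SYSCALL; return -1; }
            memcpy(buf, "hel", 3); return 3;
    case 3: memcpy(buf, "lo", 2); return 2;
    default: f->last_err = SSL_ERROR_ZERO_RETURN; return 0;
    }
}

static int fake_get_error(void *ctx, int ret) { (void)ret; return ((struct fake *)ctx)->last_err; }

/* Returns 5 when "hello" arrives intact, -1 on timeout, -2 on wrong content. */
int run_demo(int hang)
{
    int sv[2];
    unsigned char buf[8] = {0};
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -3;
    struct fake f = { sv[0], sv[1], 0, hang, SSL_ERROR_NONE };
    struct nb_ssl s = { sv[0], &f, fake_read, fake_get_error };
    int n = nb_ssl_read_all(&s, buf, 5, 200);    /* want 5 bytes, 200 ms budget */
    close(sv[0]); close(sv[1]);
    return n < 0 ? n : (memcmp(buf, "hello", 5) == 0 ? n : -2);
}
```

To use it with real OpenSSL, point read_op and get_error at two one-line adapters that cast ctx back to SSL * and call SSL_read() and SSL_get_error(); do not cast the library functions themselves to the hook types. SSL_write() needs the mirror-image loop under the same rule: a WANT_READ from SSL_write means select for readability and then call SSL_write again with the same buffer and length, not SSL_read.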


Re: Wrapping SSL_read/SSL_write so they behave like read/write.

2006-08-20 Thread Joe Flowers

I wouldn't advise that. Read the docs:
"When calling SSL_write() with num=0 bytes to be sent the behaviour is 
undefined."


I still stand by my first reply on this thread, as I believe it follows 
directly from the docs.

Read the docs on SSL_read() and SSL_write().

SSL_ERROR_WANT_WRITE does not mean call SSL_write(). It means the 
exactly same SSL function you just did with the exact same parameters as 
you just did that produced this SSL_ERROR_WANT_WRITE return. Again, it's 
clearly explained in the docs.


Joe



Kyle Hamilton wrote:

If you get SSL_ERROR_WANT_WRITE, even if you have no application data
to send, the protocol itself requires data to be written -- so you
need to call SSL_write().  If you get SSL_ERROR_WANT_READ, even if
you're writing application data, that means that the protocol itself
is requiring data to be read from the peer, so you need to call
SSL_read().

Both situations can happen in either case.  If you have no data to
write, call it with a NULL buffer and a length of 0.

-Kyle H

On 8/19/06, Steven Young [EMAIL PROTECTED] wrote:

  I'm a little unclear on how this should be implemented.. so if I call
SSL_read, get -1 back, and err = SSL_ERROR_WANT_READ, do I just call
SSL_read again? Because that's what I've been doing and it ends up
in an infinite loop.  Also, is err = SSL_ERROR_WANT_WRITE, but I have
no data to write (because I'm waiting to see what the server sends me
before replying), what should I write in my call to SSL_write?






Re: Wrapping SSL_read/SSL_write so they behave like read/write.

2006-08-20 Thread Joe Flowers

Joe Flowers wrote:
It means the exactly same SSL function you just did with the exact 
same parameters as you ust did that produced this SSL_ERROR_WANT_WRITE 
return. Again, it's clearly explained in the docs.


Joe


Good grief. Pardon my grammar.
The sentence should have read:

It means call exactly the same SSL function you just did with the exact 
same parameters as you just did that produced this SSL_ERROR_WANT_WRITE 
return.







Kyle Hamilton wrote:

If you get SSL_ERROR_WANT_WRITE, even if you have no application data
to send, the protocol itself requires data to be written -- so you
need to call SSL_write().  If you get SSL_ERROR_WANT_READ, even if
you're writing application data, that means that the protocol itself
is requiring data to be read from the peer, so you need to call
SSL_read().

Both situations can happen in either case.  If you have no data to
write, call it with a NULL buffer and a length of 0.

-Kyle H

On 8/19/06, Steven Young [EMAIL PROTECTED] wrote:

  I'm a little unclear on how this should be implemented.. so if I call
SSL_read, get -1 back, and err = SSL_ERROR_WANT_READ, do I just call
SSL_read again? Because that's what I've been doing and it ends up
in an infinite loop.  Also, is err = SSL_ERROR_WANT_WRITE, but I have
no data to write (because I'm waiting to see what the server sends me
before replying), what should I write in my call to SSL_write?











Re: Wrapping SSL_read/SSL_write so they behave like read/write.

2006-08-19 Thread Joe Flowers

Steve,

You need to put select(ready to read or write) inside each (BOTH 
SSL_read() and SSL_write()) of your while loops at the beginning, and 
then cycle on WANT_READ or WANT_WRITE for BOTH SSL_read() and 
SSL_write() loops.


You're getting high utilization because you are not putting select 
inside the while loops.


Joe



Steven Young wrote:

  Hello,

  I'm writing a program which can be compiled either with SSL support or
without.  In order to limit the amount of #ifdef'ing I have to put
throughout the rest of my program, I'm trying to wrap SSL_read and
SSL_write so they can be treated like read/write on a regular socket.

  This is not meeting with much success.

  In the non-SSL case, I do connect(), set it nonblocking, and start
select()ing on the fd(s) that I have connected to.  This works okay.

  In the SSL case, I connect(), create a new context with SSL_new,
set it nonblocking, do SSL_set_fd, then do
 
  int ret, err;

  [...]
  do {
    ret = SSL_connect(sslobject);
    if(ret != 1) 
      err = SSL_get_error(sslobject, ret);
  } while (ret != 1 && (err == SSL_ERROR_WANT_READ || 
       err == SSL_ERROR_WANT_WRITE));


  This part also seems to work okay.

  The part where everything falls apart is in my read/write wrappers.
They look like this:

  read_wrapper:
  [...]
  do {
    ret = SSL_read(sslobject, buf, bufsz);
    err = SSL_get_error(sslobject, ret);
  } while (ret <= 0 && (err == SSL_ERROR_WANT_READ));

  my write_wrapper looks pretty much the same, except s/read/write/, 
s/READ/WRITE/.  


  This and variations on these themes have given me a number of novel
results, such as the read loop eating 100% CPU time as SSL_read starts
to always return ret = -1 and error = SSL_ERROR_WANT_READ.  SSL_write
seems to be behaving a bit better.  I am mystefied as to why select()
would mark the fd as ready to read, and yet SSL_read returns nothing,
resulting in a 100% CPU loop.

  Is there some other way I should be doing this? I have tried putting

  if(ret <= 0 && (err == SSL_ERROR_WANT_WRITE)) 
    SSL_write(sslobject, NULL, 0);


  in my read loop after the err = ... statement, but it didn't do
anything.  


  If anybody can make any suggestions, or even point me to an example
of how this should be done, I would be much obliged.  Is there an
IRC channel for OpenSSL support?

  Thanks,
  Steve.







When to use CRYPTO_set_locking_callback() and CRYPTO_set_id_callback()?

2006-08-17 Thread Joe Flowers

Help please.

I have a program/parent thread that launches 4 child threads. It's a 
Win32 application that has to be linked using the /MT VC compiler option 
for reasons other than OpenSSL. The parent thread calls the following 
OpenSSL calls.


CRYPTO_malloc_init();
SSL_library_init();
SSL_load_error_strings();
RAND_seed();
ERR_free_strings();

Two of the 4 child threads make OpenSSL calls. One child thread is a 
very simple single-threaded HTTPS web server. One child thread is a very 
simple single-threaded HTTPS web browser.


As per the OpenSSL FAQ (http://www.openssl.org/support/faq.html#PROG1), 
do I need to implement the CRYPTO_set_locking_callback() and 
CRYPTO_set_id_callback() functions?


Quoted from the FAQ: Multi-threaded applications must provide two 
callback functions to OpenSSL by calling CRYPTO_set_locking_callback() 
and CRYPTO_set_id_callback(). (For OpenSSL 0.9.9 or later, the new 
function CRYPTO_set_idptr_callback() may be used in place of 
CRYPTO_set_id_callback().) This is described in the threads(3) manpage.


I was thinking that since these child threads are not multi-threaded, 
then I may not need to implement these functions? However, since I've 
had to use the /MT option in VC and since the program/parent thread does 
have children threads, then  maybe I do?


NOTE: I am linking with the non-static versions of libeay32MT.lib 
and ssleay32MT.lib in MS Visual C++ v6.


In any case, does it hurt anything if I try to implement these two 
OpenSSL functions anyway?
And, if it's quick and easy to do, can someone send code snippets of 
implementations of these two functions?


Thanks a million... again! Love this OpenSSL stuff!

Joe



Re: When to use CRYPTO_set_locking_callback() and CRYPTO_set_id_callback()?

2006-08-17 Thread Joe Flowers

Joe Flowers wrote:


In any case, does it hurt anything if I try to implement these two 
OpenSSL functions anyway?
And, if it's quick and easy to do, can someone send code snippets of 
implementations of these two functions?




In my parent thread, should I just call the following two OpenSSL 
functions (mentioned in 
\openssl-0.9.8b.tar\openssl-0.9.8b\crypto\threads\th-lock.c)?


CRYPTO_thread_setup();
CRYPTO_thread_cleanup();

Thanks!

Joe



Re: Putting just SSL_read() and SSL_write() inside the non-blocking regions

2006-08-08 Thread Joe Flowers

I am not 100% sure I understand your question.


It is necessary that I make a very simple HTTPS browser in one thread 
and a very simple HTTPS server in another thread.
I'd like to make the HTTPS browser thread impervious (not get hung in 
a blocking state) to web servers that are rebooted at any time during a 
socket/HTTPS session or CGI/PHP scripts that it is talking to. Likewise, 
I'd like to make the HTTPS server program impervious (not get hung in 
a blocking state) to full-fledged web browsers or CGI/PHP scripts acting 
like simple web browsers. I'd be surprised if I couldn't get in a 
blocking hung state if the SSL_read() and SSL_write() operations were 
being run over a blocking socket connection, but I'm not sure I need to 
leave all of the other SSL function calls running over a non-blocking 
socket and wrap a lot of code around them to deal with the 
SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE/etc. return values.


Sorry for the confusion. I hope this is making sense now.

Joe



David Schwartz wrote:

Is it safe to put just SSL_read() and SSL_write() inside the
non-blocking BIO regions and leaving SSL_accept(), SSL_connect(),
SSL_shutdown(), accept(), socket(), bind(), listen(), connect(),
shutdown(), close(), SSL_CTX_new(meth),  SSL_new(ctx),
SSL_CTX_free(ctx), etc. in the blocking BIO regions?

David Schwartz are you listening I hope?



I am not 100% sure I understand your question. But it should be 
perfectly
safe and legal to create a socket in blocking mode, perform blocking
operations to establish the connection, then switch the socket to
non-blocking mode and use the connection in non-blocking mode with
non-blocking operations. It should similarly be safe to set the socket to
blocking mode and then tear down the connection with blocking operations.

The only problem I can think of would be that while the socket is 
blocking,
operations can always block. However, if you only set the socket blocking
and call functions that you want to block, I can't see any possible problem.

I have never done anything like this, however.

DS



  




Re: Putting just SSL_read() and SSL_write() inside the non-blocking regions

2006-08-08 Thread Joe Flowers

David Schwartz wrote:

I have never done anything like this, however.

DS
  


Hmm. Then, I'm curious to know at what point (between what socket 
functions) you put your socket in the non-blocking state and when/if you 
ever set it back to blocking?


Joe



Putting just SSL_read() and SSL_write() inside the non-blocking regions

2006-08-07 Thread Joe Flowers
Is it safe to put just SSL_read() and SSL_write() inside the 
non-blocking BIO regions and leaving SSL_accept(), SSL_connect(), 
SSL_shutdown(), accept(), socket(), bind(), listen(), connect(), 
shutdown(), close(), SSL_CTX_new(meth),  SSL_new(ctx), 
SSL_CTX_free(ctx), etc. in the blocking BIO regions?


David Schwartz are you listening I hope?

Thanks!

Joe


Re: On select and blocking

2006-06-22 Thread Joe Flowers

Darryl Miles wrote:

David Schwartz wrote:


I don't get it.

DS


Ah, finally something concrete.

Hey thats ok; sit back and relax.  I'm sure a patch is on its way.


God I hope so.. I'm right in the middle of trying to get this 
non-blocking stuff to work consistently (with a timeline fast 
approaching... arg!) and I can't tell if it's something I am doing wrong 
and what exactly that is. Too many variables to be easy.


Joe




Darryl





Re: On select and blocking

2006-06-22 Thread Joe Flowers

David Schwartz wrote:

God I hope so.. I'm right in the middle of trying to get this
non-blocking stuff to work consistently (with a timeline fast
approaching... arg!) and I can't tell if it's something I am doing wrong
and what exactly that is. Too many variables to be easy.


If you are trying to use blocking socket operations and be sure you will
not block, you can never be certain that your code will work. If you do not
ask for non-blocking behavior, there is no way for the implementation to
know that you want it.

DS


Thanks David. This helps me A LOT.

Joe




Re: renegotiating problem - connection hanging?

2006-06-10 Thread Joe Flowers
I'm watching this thread with great interest as I have not figured out 
the correct way to handle OpenSSL with non-blocking sockets, which are 
a requirement in my case.


Can anyone expand on the correct way to handle OpenSSL over non-blocking 
sockets please?
I haven't been able to find any reliable literature on it yet, even the 
O'Reilly book is very sketchy on this.


Joe



David Schwartz wrote:


Well, we are talking about s_client here... part of openssl executable.
select() is used with the blocking sockets to make sure that, well, they
don't block.
   



It doesn't work that way. The only way to ensure that socket operations
don't block is to set the sockets non-blocking.

 


If you call SSL_read on a blocking socket when select says
it is readable you expect it not to block [forever].  Of course
it might block
if there is some data available on the underlying socket but not
enough to
complete SSL deciphering, but under normal circumstances it will only
block until the rest of the record is received.  Am I missing something?
   



Here's a hypothetical. The 'select' function gives you a 'read' hit. You
call SSL_read (thinking there's application-level data, but you don't really
know, do you?). SSL_read reads part of a re-negotiation but has no data to
return to you, so it calls 'read' again (how does it know it's not supposed
to block until it has data?). That 'read' blocks forever because there was
never any application-level data to read. Sorry, you're screwed. You are
blocked in 'read' but the other side is waiting for you to send
protocol-level data.

DS



 






SSL != HTTPS ???

2005-04-01 Thread Joe Flowers
Please help me understand what's going on.
I've successfully used OpenSSL (latest released version - 0.9.7f) to 
communicate with an https:// site. (See my pseudo-code at the bottom of 
this message.) However, nowhere in my code is a public key for the 
https:// site specified.
But, when I look at the conversations with a packet sniffer, it looks 
like the communication is indeed encrypted?
Is it using some sort of defaults known (in advance) by both OpenSSL and 
the https:// server - like a default public key for the initial SSL 
connection and then a default symmetric encryption algorithm for the 
rest of the conversation?
Is the https:// server sending my OpenSSL client its public key to help 
establish the initial connection?
If this is so, then I assume my OpenSSL client could, at that point, 
try to do some checks on that public key to see if it's a regular, valid 
SSL certificate as given by Verisign, et al.? And, how is the symmetric 
encryption algorithm chosen to finish the communications?

Among the infinite things I do not understand, I don't understand how 
this is working without the public key of the https:// site.
Why isn't the https:// site telling me to buggar off?
And, since it is working, how is it doing the apparent encryption and 
deciding which encryption algorithms to use? Is this considered 
"secure"? (I know that's a relative term.)
Where are the security weaknesses and strengths in this?

If this was to be done better, more secure, what would be the next 
features to add?
I assume requiring the public key of the https:// server be used by the 
client and maybe doing some sort of CRL check on the client side would 
be a couple of the suggestions?
And, if so, can someone give me pointers to the functions that I'd need 
to use, please?
If this current setup is weak or insecure, what can be done at the 
server-side to tell my client to grow up or get lost?

Thanks a ton for teaching me this!
Joe
P.S. OpenSSL rocks! You guys are incredibly awesome!
//--
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
ret=connect(sock, (struct sockaddr *) &ServAddr, sizeof(ServAddr));
SSL_library_init();
SSL_load_error_strings();
RAND_seed(buffer, MaxBufferSize);
ctx=SSL_CTX_new(SSLv2_client_method());
ssl=SSL_new(ctx);

ret=SSL_set_fd(ssl, sock);

ret=SSL_connect(ssl); //ret=1=no error
ret=SSL_write(ssl, buffer, ret2);
ret=SSL_read(ssl, &buffer[numread], sizeof(buffer)-numread-1);
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
ERR_free_strings();
shutdown(sock, 2);
closesocket(sock);
//--


Re: Compile error on Maurice loadkeys

2001-07-24 Thread Joe Flowers

Mohamed:

Add an extra NULL parameter to the end of the arguments in each of these
two functions in the loadkeys.h and/or loadkeys.c files.

Joe
//---

Mohamed Nadjar wrote:
 
 I am a new user of openssl and I try to understand how it works by
 looking at the demos!
 But I have the same problem and the same message !
 
 Could anyone help us ??
 
 --
 Mohamed NADJAR, Inria - Rhône-alpes, Planete project, France
 
 Darryl Wagoner wrote:
 
  It seems that most of the demo programs will not compile.  Any ideas?
 
  dwagoner: - make
  loadkeys.c: In function `ReadPublicKey':
  loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
  loadkeys.c: In function `ReadPrivateKey':
  loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
  make: *** [loadkeys.o] Error 1
 
  --
  Darryl Wagoner - WA1GON



Maurice Gittens' ReadPrivateKey(), ReadPublicKey(), etc.

2001-03-03 Thread Joe Flowers

I am trying to port pieces of OpenSSL to NetWare.

I have been able to compile and link a program with the following
function OK.
RSA_private_decrypt(pubKeySize, input, buf_dec, privKey->pkey.rsa,
RSA_PKCS1_PADDING);

However, I would like alternative functions to 

ERR_load_crypto_strings(); //Well, maybe not this one.
privKey = ReadPrivateKey(PRIVFILE);
pubKey = ReadPublicKey(PUBFILE);  

that read the Public and Private Keys from simple character strings
instead of files.
Then, I want to input the returned values to the RSA_private_decrypt()
function to get the unencrypted data back in clear text form.

Please help!

[EMAIL PROTECTED]