Re: [openssl-users] How to make a rehandshake(renegotiation)?
Hi,

I managed to do a renegotiation. My mistake was that I started renegotiation when not all data had been received or sent. Probably there was a situation when not all packets (records) were processed and I got an error: unexpected record or bad length.

Really only one function, SSL_renegotiate, and the flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION are quite enough. It seems all the others were for old OpenSSL versions.

Only one question remains, and it's the opposite of the first one: if I don't want to use renegotiation at all, how do I disable it? I see that insecure renegotiation can be disabled by SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT), which is enabled by default. But what about secure renegotiation? Is it possible to disable it entirely for client and server? So that the server rejects queries for secure renegotiation from the client, and the client rejects queries for secure renegotiation from the server.

Regards.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
11.03.2015, 20:38, Salz, Rich rs...@akamai.com:
> Many servers have disabled client-initiated renegotiation. I thought you were testing your client/server.

Yes, I want to test my own client and server. I don't disable renegotiation manually. I don't know how to do this. Maybe it is disabled by default?

Regards.
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com:
> I would like to use the Shining Light precompiled openssl binaries within Visual Studio.
>
> I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW
> I can static link with VS and the libraries in OpenSSL/lib/VC/static
>
> When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted.
>
> I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c.
>
> Static link would not be the end of the world, but shouldn't it work?

I think you must simply build static libraries yourself with Visual C++. And it will work.

Regards.
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com:
> I would like to use the Shining Light precompiled openssl binaries within Visual Studio.
>
> I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW
> I can static link with VS and the libraries in OpenSSL/lib/VC/static
>
> When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted.
>
> I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c.
>
> Static link would not be the end of the world, but shouldn't it work?

I think you must simply build static or dynamic libraries (as you need) with Visual C++ yourself. And they will work.

Regards.
Re: [openssl-users] How to make a rehandshake(renegotiation)?
10.03.2015, 21:40, Salz, Rich rs...@akamai.com:
> Yes. You probably need more than that. :) Take a look at the apps/s_client and look for the 'R' constant to see how to do client-initiated reneg.

I have taken a look at apps/s_client. I see only several lines of code about renegotiation:

    //...
    static int ;
    if (++ == 52) {
        SSL_renegotiate(con);
        = 0;
    }
    //...
    if ((!c_ign_eof) && (cbuf[0] == 'R')) {
        BIO_printf(bio_err, "RENEGOTIATING\n");
        SSL_renegotiate(con);
        cbuf_len = 0;
    }
    //...

So only one function is used: SSL_renegotiate. I also use it, but nothing happens, or there is an error:

    OpenSSL error: 5044:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:.\ssl\s3_pkt.c:1611:

NO renegotiation!

More than that, I tested s_client on several domains. I typed R after s_client was connected but got an error:

    2992:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:644:
    error in s_client

I have also taken a look at s_server and saw only one function, SSL_renegotiate, that it seems must make a renegotiation. I do something else in code but: NO renegotiation happens! Why?

Can anybody help and explain about renegotiation at all? Maybe I don't know something... When can it be used? Maybe it's disabled by default for security reasons in OpenSSL? There is a function SSL_get_secure_renegotiation_support. It seems renegotiation can be secure or not. Maybe something else. But right now I want to perform ANY type of renegotiation )) Nothing happens, or an error...

Regards.
Re: [openssl-users] Delay of email delivery for the list
11.03.2015, 08:20, Kurt Roeckx k...@roeckx.be:
> The mta.opensslfoundation.net was only very temporary and should not be used. openssl-users@openssl.org works just fine and doesn't have any delay for me.

Ok.

> You can always check the headers why or where it has any delay.

It's not so important for me as, for example, "How to make a rehandshake(renegotiation)" )) but let's see in my email's headers:

Was sent:

    Date: Wed, 11 Mar 2015 19:02:30 +0300

The path:

    Received: by web8g.yandex.ru with HTTP; Wed, 11 Mar 2015 19:02:30 +0300
    Received: from forward20.mail.yandex.net (forward20.mail.yandex.net by mta.openssl.org (Postfix) with ESMTPS id E6E9D2015F for openssl-users@openssl.org; Wed, 11 Mar 2015 16:10:20 + (UTC) [for my timezone 19:10:20 +0300]
    .
    Received: by mta.openssl.org (Postfix, from userid 106) id 7505E2044B; Wed, 11 Mar 2015 16:50:48 + (UTC) [for my timezone 19:50:48 +0300]
    .
    Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) by mxfront7j.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id yN2OVojEOL-onhON31U; Wed, 11 Mar 2015 19:50:49 +0300
    Received: from mxfront7j.mail.yandex.net ([127.0.0.1]) by mxfront7j.mail.yandex.net with LMTP id nT56hQSL for ra...@yandex.com; Wed, 11 Mar 2015 19:50:50 +0300

So, it was sent by me at 19:02 (GMT+3). It was received by mta.openssl.org from my mail server already at 19:10 (GMT+3). And it was delayed there until 19:50 (GMT+3). My mail server received it only at 19:50 (GMT+3).

Once again, it's not so important. But the delay is on the mta.openssl.org mail server(s).

Regards.
Re: [openssl-users] How to make a rehandshake(renegotiation)?
Nobody knows? Does OpenSSL support renegotiation?

I will be very grateful for answers because there is no info about this on the net.

09.03.2015, 00:36, Serj Rakitov ra...@yandex.com:
> Hello
>
> I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
> I have client and server. Server is sending data to the client. Client is reading data. After some bytes sent server initiates a rehandshake to cause SSL_ERROR_WANT_WRITE on client. But there is no rehandshake.
> On server SSL_do_handshake returns 0 and SSL_get_error returns SSL_ERROR_WANT_READ. And on client SSL_read returns0 and SSL_get_error also returns SSL_ERROR_WANT_READ.
>
> The code to rehandshake is:
>
>     SSL_set_session_id_context(...);
>     SSL_renegotiate(...);
>     SSL_do_handshake(...);
>     ssl->state=SSL_ST_ACCEPT;
>     //process SSL_do_handshake (WANT_READ/WANT_WRITE)
>
> How to make a rehandshake from server side?
>
> Best Regards,
> Serj Rakitov
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Nobody knows?

09.03.2015, 15:30, Serj Rakitov ra...@yandex.com:
> I have to open discussion again.
>
> I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But I can't do this. SSL_read never wants write and SSL_write never wants read!
>
> I don't know how to catch these situations. I don't know how to rehandshake. I tried after connect and handshake to send data simultaneously both to server and to client and never got one of those situations, SSL_read only wanted to read and SSL_write only wanted to write, all data was received by both client and server.
>
> I don't even understand how SSL_write can want to read? In what cases? I can understand when SSL_read wants to write, for example when client got HelloRequest or server got a new ClientHello while reading data. But I can't test it, because I don't know how to start handshake again, how to perform a rehandshake(renegotiation).
>
> Can anybody help me? How to test these situations or how to perform a rehandshake?
>
> Best Regards,
> Serj Rakitov
[openssl-users] Delay of email delivery for the list
Hello,

I see some delay of about 30-40 min for my emails. They arrive and I see them in the incoming messages in the list only after 30-40 min. And one email took 2 hours to be delivered.

Is it normal for openssl-users@openssl.org?

Some time ago I saw an email with the message: Welcome to the openssl-us...@mta.opensslfoundation.net mailing list!

Maybe now that something has changed we must send emails to openssl-us...@mta.opensslfoundation.net, not to openssl-users@openssl.org?

Regards.
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hi, Jakob.

Thanks for the reply.

Now I have seen the OpenSSL code and something is clear for me.

WANT_READ/WANT_WRITE is just an implementation of WOULDBLOCK: a non-fatal error for non-blocking IO. So, for example, for a socket on Windows it's just WSAEWOULDBLOCK returned by WSAGetLastError. It is performed by BIO_sock_should_retry/BIO_sock_non_fatal_error in sock_read/sock_write.

There was some incomprehension for me because I forgot that SSL_read/SSL_write can perform a handshake if it didn't happen before. This is the key, because if the handshake took place then SSL_write never will want read (to my mind), because it just performs a writesocket(send) operation.

But with rehandshaking (renegotiation) there is still incomprehension... I don't know why there is a silence about this here and on the net!

I have read Eric Rescorla's old (January 10, 2002) article and there he told about rehandshaking on the server and on the client, so it's possible with OpenSSL, but maybe in newer versions of OpenSSL it is not possible?

Jakob, can you tell me: is it possible to renegotiate a connection in OpenSSL? And if yes, how to do it right?

10.03.2015, 19:06, Jakob Bohm jb-open...@wisemo.com:
> Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message.
>
> Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner).
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
I have to open discussion again.

I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But I can't do this. SSL_read never wants write and SSL_write never wants read!

I don't know how to catch these situations. I don't know how to rehandshake. I tried after connect and handshake to send data simultaneously both to server and to client and never got one of those situations, SSL_read only wanted to read and SSL_write only wanted to write, all data was received by both client and server.

I don't even understand how SSL_write can want to read? In what cases? I can understand when SSL_read wants to write, for example when client got HelloRequest or server got a new ClientHello while reading data. But I can't test it, because I don't know how to start handshake again, how to perform a rehandshake(renegotiation).

Can anybody help me? How to test these situations or how to perform a rehandshake?

Best Regards,
Serj Rakitov
Re: [openssl-users] How to make a rehandshake(renegotiation)?
I can't start rehandshake even from client side. If I try something like this on client side:

    SSL_renegotiate(...)
    //process SSL_do_handshake(SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE)

nothing happens.

Neither client nor server can start a new handshake! How to do a rehandshake?

Best Regards,
Serj Rakitov
[openssl-users] How to make a rehandshake(renegotiation)?
Hello

I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
I have client and server. Server is sending data to the client. Client is reading data. After some bytes sent server initiates a rehandshake to cause SSL_ERROR_WANT_WRITE on client. But there is no rehandshake.
On server SSL_do_handshake returns 0 and SSL_get_error returns SSL_ERROR_WANT_READ. And on client SSL_read returns0 and SSL_get_error also returns SSL_ERROR_WANT_READ.

The code to rehandshake is:

    SSL_set_session_id_context(...);
    SSL_renegotiate(...);
    SSL_do_handshake(...);
    ssl->state=SSL_ST_ACCEPT;
    //process SSL_do_handshake (WANT_READ/WANT_WRITE)

How to make a rehandshake from server side?

--
Best Regards,
Serj Rakitov
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Thanks, Graham. Sorry for too late answer ))
Now I am testing...

21.02.2015, 14:42, Graham Leggett minf...@sharp.fm:
> On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote:
>
>> I set socket to non-blocking mode.
>>
>> 1. If I do SSL_read() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE what must I do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() until it succeeds. Is this right?
>>
>> 2. If I do SSL_write() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_READ what must I do? If I must read some data can it be application data or no? So, if I call SSL_read(ssl,buf,buf_size) must I wait for some application data in buf or never? And after I did SSL_read(ssl,buf,buf_size) then I must again call SSL_write() until it returns with success?
>>
>> 3. Can there be this situation: SSL_write() returns =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for non-blocking socket?
>
> In both cases you return back to your poll and ask the OS to wait for the event that openssl asked for.
>
> If openssl asked for read, you poll until the socket is readable. If openssl asked for a write, you poll until the socket is writable.
>
> When you get the event you asked for, you just run whatever you were running again. For example, if you were running SSL_read, run SSL_read again. If you were running SSL_write, run SSL write again.
>
> So to write it out:
>
> - Call SSL_read(), it returns SSL_ERROR_WANT_WRITE
> - Poll for the socket being writable.
> - It’s writable! call SSL_read() again. it might return SSL_ERROR_WANT_READ
> - Poll for the socket being readable.
> - It’s readable! Call SSL_read() again, and so on.
>
> If openssl wants read, poll for read. If openssl wants write, poll for write. Don’t arbitrarily swap round SSL_read and SSL_write, those two calls are what *you* want to do, not what openssl wants to do.
>
> Regards,
> Graham

--
Best Regards,
Serj Rakitov
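Added example, not part of any message in this thread: it shows Graham's rule (wait for the event OpenSSL asked for, then repeat the same call) and the case Jakob describes, where a write issued before the handshake has finished asks for a read. It uses Python's `ssl` module (a wrapper over OpenSSL) with in-memory BIOs instead of the C API and sockets the thread discusses; the host name `peer.example`, the function names and the absent server are assumptions of the example.

```python
import ssl


def retry_same_call(op, wait_readable, wait_writable, max_waits=3):
    """Run op(); on WANT_READ/WANT_WRITE wait for that event, then run op() again.

    Returns (result, waits), where waits lists the events OpenSSL asked for.
    Gives up with result None after max_waits waits; a real event loop would
    use a timeout on poll/select instead of a counter.
    """
    waits = []
    while True:
        try:
            return op(), waits
        except ssl.SSLWantReadError:     # maps to SSL_ERROR_WANT_READ
            event, wait = "read", wait_readable
        except ssl.SSLWantWriteError:    # maps to SSL_ERROR_WANT_WRITE
            event, wait = "write", wait_writable
        waits.append(event)
        if len(waits) >= max_waits:
            return None, waits
        wait()                           # never swap op for a different call


def write_before_handshake(payload=b"ping"):
    """Client-side write on a fresh connection with no server attached.

    The write has to run the handshake first: the ClientHello lands in the
    outgoing BIO and OpenSSL then wants to READ the server's reply.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # certificate checks stay on
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "peer.example" is a constructed name; nothing is resolved or contacted.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="peer.example")
    wire = bytearray()                   # bytes a socket loop would send()

    def pump():
        # Stand-in for "poll, then move bytes": drain what OpenSSL produced.
        # With a real peer, received bytes would be fed to incoming.write().
        wire.extend(outgoing.read())

    result, waits = retry_same_call(lambda: tls.write(payload), pump, pump)
    pump()
    return result, waits, bytes(wire)


if __name__ == "__main__":
    result, waits, wire = write_before_handshake()
    print("write result:", result)
    print("events requested:", waits)
    print("record type 0x%02x, handshake type 0x%02x, %d bytes queued"
          % (wire[0], wire[5], len(wire)))
```

The application payload never reaches the wire here: only the handshake record is queued, and every retry of the same write keeps asking for a read until the peer's reply is fed into the incoming BIO.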
[openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hello.

I set socket to non-blocking mode.

1. If I do SSL_read() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE what must I do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() until it succeeds. Is this right?

2. If I do SSL_write() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_READ what must I do? If I must read some data can it be application data or no? So, if I call SSL_read(ssl,buf,buf_size) must I wait for some application data in buf or never? And after I did SSL_read(ssl,buf,buf_size) then I must again call SSL_write() until it returns with success?

3. Can there be this situation: SSL_write() returns =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for non-blocking socket?

--
Best Regards,
Serj Rakitov
Re: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file
Hi, Christian

17.02.2015, 12:55, Christian Parpart tra...@gmail.com:
> I am rather new to OpenSSL development, but I'd like to integrate SSL communication in my little HTTP server. While this one is working so far, for SNI I actually need to read out the server certificates DNS name extension and commonName subject.

How to get CN and subject alternative names from a cert you can see on this wiki page: http://wiki.openssl.org/index.php/Hostname_validation

> But how do I come from the SSL_CTX to my X509 struct, or how to I do it else?

1. SSL_CTX_set_verify() or SSL_set_verify(), then in callback X509_STORE_CTX_get_current_cert()
2. SSL_get_peer_certificate()

--
Best Regards,
Serj Rakitov
[openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY
Hello.

I see many functions have prefixes: i2d_ d2i_ b2i_ i2b_

For example:

    i2d_PublicKey
    i2d_PrivateKey
    d2i_PublicKey
    d2i_PrivateKey
    b2i_PublicKey
    b2i_PrivateKey
    i2b_PublicKey_bio
    i2b_PrivateKey_bio

I think these letters 'i', 'd', 'b' have some meaning. Can somebody help me to understand what they mean?

And one more question. In accordance to https://www.openssl.org/docs/crypto/EVP_PKEY_new.html, the EVP_PKEY structure is used by OpenSSL to store private keys. But there are the above functions which take a pointer to an EVP_PKEY structure as a parameter and, as they are named, they can work with both public and private keys.

So the questions are:
1. can we save to EVP_PKEY structure public key not private?
2. can we save to EVP_PKEY structure public and private keys at once?

For example:

    EVP_PKEY * pkey;
    pkey = EVP_PKEY_new();
    RSA * rsa;
    rsa = RSA_generate_key(...);
    EVP_PKEY_assign_RSA(pkey, rsa);

What key or keys will be in pkey after that?

--
Best Regards,
Serj
Re: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY
I have found some info and now some questions are more clear for me. But I still have 2 questions...

i2d_ functions write the DER representation of the object into a buffer. d2i_ functions read the DER representation of the object from a buffer and create the appropriate object in memory.

1. What are the b2i_ and i2b_ functions?

The EVP_PKEY structure can hold a public or private key. It's strange that there is no such info in the official documentation on www.openssl.org

2. Can the EVP_PKEY structure hold both private and public keys at once? I have some example code where EVP_PKEY is used in this manner, that's why I am asking.

03.02.2015, 13:21, "Serj" ra...@yandex.com:
> Hello.
>
> I see many functions have prefixes: i2d_ d2i_ b2i_ i2b_
>
> For example:
>
>     i2d_PublicKey
>     i2d_PrivateKey
>     d2i_PublicKey
>     d2i_PrivateKey
>     b2i_PublicKey
>     b2i_PrivateKey
>     i2b_PublicKey_bio
>     i2b_PrivateKey_bio
>
> I think these letters 'i', 'd', 'b' have some meaning. Can somebody help me to understand what they mean?
>
> And one more question. In accordance to https://www.openssl.org/docs/crypto/EVP_PKEY_new.html, the EVP_PKEY structure is used by OpenSSL to store private keys. But there are the above functions which take a pointer to an EVP_PKEY structure as a parameter and, as they are named, they can work with both public and private keys.
>
> So the questions are:
> 1. can we save to EVP_PKEY structure public key not private?
> 2. can we save to EVP_PKEY structure public and private keys at once?
>
> For example:
>
>     EVP_PKEY * pkey;
>     pkey = EVP_PKEY_new();
>     RSA * rsa;
>     rsa = RSA_generate_key(...);
>     EVP_PKEY_assign_RSA(pkey, rsa);
>
> What key or keys will be in pkey after that?

--
Best Regards,
Serj
Re: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY
Hi, Michael.

Thank you very much for your answer. Now it's clear.

03.02.2015, 16:08, "Michael Wojcik" michael.woj...@microfocus.com:
> Lots of things in OpenSSL aren't documented. It's not strange at all - programmers tend to write code first, documentation second (or later). This is true of a great many open-source projects, and many commercial ones as well. If you want something documented, your best bet is to research it in the code and write the documentation yourself.

Ok. Will try to write code first, deal with code next time. And after that - questions.

I am a beginner in the OpenSSL API, that's why I have these questions... I think some simple things, because they are already known by skilled programmers, can be asked here via openssl-users@openssl.org. Isn't it? It's too hard to deal with incomplete documentation. And some help is very necessary at this stage. I think you understand me.

> "i" is an abbreviation for "internal", meaning OpenSSL's internal format.
> "2" means "to".
> "d" means "DER".
> "b" means "blob", and refers to a "key blob" format used by Microsoft. (That's based on the OpenSSL source code; I haven't looked into the actual provenance of this blob format.) It appears the key blob format typically uses the "PVK" file extension.
>
> Lots of things in OpenSSL aren't documented. It's not strange at all - programmers tend to write code first, documentation second (or later). This is true of a great many open-source projects, and many commercial ones as well. If you want something documented, your best bet is to research it in the code and write the documentation yourself.
>
> Regarding your second question: EVP_PKEY is defined in evp.h, where we see it contains a pointer to one of the specific key types, such as rsa_st. rsa_st is defined in rsa.h, and if we look there we see that it contains all the RSA parameters, so it implicitly contains both the public and private key.
>
> Michael Wojcik
> Technology Specialist, Micro Focus

--
Best Regards,
Serj Rakitov
Re: [openssl-users] What is the best practise for shutdown SSL connections?
Hi, Viktor.

02.02.2015, 18:04, "Viktor Dukhovni" openssl-us...@dukhovni.org:
> It should be sufficient for the server to send its close notify without waiting for a client response. If the server destroys the SSL connection without calling SSL_shutdown() I am not sure whether the session remains cached.
>
>> I mean, can CLIENT then reuse this session, if it doesn't send "close_notify" alert? Or this session will be invalid?
>
> Try it, see what happens. The client is certainly free to *try* to the reuse the session, worst-case the server will perform a full handshake anyway.

Thank you for answers. I will try.

--
Best Regards,
Serj Rakitov
[openssl-users] What is the best practise for shutdown SSL connections?
Hello,

What is the best practise for shutdown of SSL connections? When client and server are both not mine. For example, an http client or server.

I have read:
https://www.openssl.org/docs/ssl/SSL_shutdown.html
https://www.openssl.org/docs/ssl/SSL_set_shutdown.html

I use non-blocking sockets and create sockets manually, then with BIO_new_socket() and SSL_set_bio() associate them with the SSL object.

I have 3 themes and corresponding questions:

1. Return values for SSL_shutdown()

I never get 2 as a return value! Only 1 as successful, when SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN are both set. Maybe something is wrong in the documentation?

2. What is the best practise for shutdown of SSL connections for CLIENT?

As I understand, unidirectional shutdown for the client is more suitable; it doesn't require special work for waiting for close_notify. But we must be sure that the server got a close_notify - this is the question!

So, the code for CLIENT:

    //all data were obtained from the server
    SSL_shutdown(ssl);
    //here we must be sure that close_notify alert is gotten by server
    //...
    closesocket(s);

How to do this check: the server got the close_notify alert? What is the best practise? I see that SSL_get_shutdown() returns SSL_SENT_SHUTDOWN immediately after we have called SSL_shutdown() the first time, so it only sets the flag after sending close_notify but doesn't wait.

3. What is the best practise for shutdown of SSL connections for SERVER?

As I understand, the SERVER must get close_notify from the client, otherwise it will not be able to save a session, am I right? And the session will be invalid in this case.

So, for the server the code is:

    //all data has been sent to the client
    SSL_shutdown(ssl); //will not be superfluous
    //here we must wait a close_notify alert from client
    //we can do this by examine flag SSL_RECEIVED_SHUTDOWN with SSL_get_shutdown()
    //...
    //and only after this we can safely close the connection
    closesocket(s);

I will be very glad if these 3 themes and corresponding questions will not go unanswered!

--
Best Regards,
Serj
Re: [openssl-users] What is the best practise for shutdown SSL connections?
Hi, Viktor.

01.02.2015, 23:50, Viktor Dukhovni openssl-us...@dukhovni.org:
> On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote:
>
>> 1. Return values for SSL_shutdown()
>
> 0 initially if shutdown alert sent, but not yet received from the peer.
>
>> I never get 2 as a return value!
>
> Why do you expect 2? [ Note, something is screwing up itemized lists in the on-line documentation. Instead of showing item labels, item numbers are showing up instead. ]

Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html
I see only this:

-
RETURN VALUES

The following return values can occur:

1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.

2. The shutdown was successfully completed. The close notify alert was sent and the peer's close notify alert was received.

0 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason.
-

> The nroff manpage says:
>
> RETURN VALUES
>
> The following return values can occur:
>
> 0 The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error(3) may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
>
> 1 The shutdown was successfully completed. The close notify alert was sent and the peer's close notify alert was received.
>
> -1 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error(3) with the return value ret to find out the reason.

Seems to be this is right.

This is exactly what I wanted to see here: https://www.openssl.org/docs/ssl/SSL_shutdown.html

>> 2. What is the best practise for shutdown SSL connections for CLIENT?
>
> Call ssl_shutdown() and if it returns 0, call it again processing WANT_READ/WANT_WRITE as required.

I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown(). I process WANT_READ/WANT_WRITE. But some servers don't send close_notify, so we never got a 1 as a return value.

We must be sure that server got a close_notify - this is the question! What is the best practise for that?

--
Best Regards,
Serj
[openssl-users] SSL/TLS sessions of client
Hello,

I want to use only internal cache right now.

SSL_SESS_CACHE_CLIENT is not set by default. As I understand for client we must:

1. Set SSL_SESS_CACHE_CLIENT flag with SSL_CTX_set_session_cache_mode()

2. Manually save SSL_SESSION object to be able to choose session with SSL_set_session() next time or we can only save a pointer to SSL_SESSION object with SSL_get1_session() (because all data already will be kept in memory until we explicitly call SSL_SESSION_free()) and then we can give this pointer to the SSL_set_session()?

--
Best Regards,
Serj
Re: [openssl-users] What is the best practise for shutdown SSL connections?
02.02.2015, 01:13, Viktor Dukhovni openssl-us...@dukhovni.org:
> The formatting of itemized lists in the on-line HTML is broken.

Ok.

But what about the best practise for shutdown of connection on the client side? Server can don't send close notify alert.

And what about the best practise for shutdown of connection on the server side? Is it mandatory to wait close_notify from client to be able to save valid session for this client or not? If server close the connection after all data has been sent to the client and don't receive close_notify, will be the session kept?

--
Best Regards,
Serj
Re: [openssl-users] What is the best practise for shutdown SSL connections?
Hi, Viktor.

02.02.2015, 02:08, Viktor Dukhovni openssl-us...@dukhovni.org:
> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote:
>
>> But what about the best practice for shutdown of connection on the client side?
>
> http://tools.ietf.org/html/rfc5246#section-7.2.1

I read the RFC. I have read 7.2.1. Closure Alerts once again. But this is the normative document. I ask: what in practise in terms of the OpenSSL API?

As I already said, some servers don't send close_notify and just close the connection. So I think the shutdown algorithm for an SSL client must be the following:

-
    //...
    //all data was obtained from the server
    if (SSL_shutdown(ssl)==1) {
        closesocket(s);
        goto l_shutdown_complete;
    }
    shutdown(s,SD_SEND);
    //set timeout for getting close_notify from SERVER
    //in the cycle... waiting events from socket or timeout (which comes first):
    //
    //1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only SSL_ERROR_WANT_READ because seems to be SSL_shutdown() send close_notify alert to SERVER), call SSL_shutdown() once again and examine it's return value for 1 OR examine SSL_get_shutdown() for (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)
    //
    //2. Wait FD_CLOSE
    //
    //3. Timeout
    //if one of three happens
    closesocket(s);
-

>> And what about the best practice for shutdown of connection on the server side? Is it mandatory to wait close_notify from client to be able to save valid session for this client or not? If server close the connection after all data has been sent to the client and don't receive close_notify, will be the session kept?
>
> http://tools.ietf.org/html/rfc5246#section-7.2.1

I ask: what in practise in terms of the OpenSSL API? If the SERVER closes the connection after all data has been sent to the client and will not wait for the close_notify alert from the CLIENT, will the session be kept and valid in the OpenSSL API? I mean, can the CLIENT then reuse this session, if it doesn't send a close_notify alert? Or will this session be invalid?

--
Best Regards,
Serj
Re: [openssl-users] Intermediate certificates
29.01.2015, 20:18, Dr. Stephen Henson st...@openssl.org:
On Tue, Jan 27, 2015, Serj wrote:
Ok. But is there any documentation how to set intermediate certificates for my SSL connections? Maybe I want to support these broken sites...

You can add intermediate certificates to the trusted store: they'll then be used when it can no longer find suitable intermediates from the peer.

Ok. This is the decision I think.
Really, it makes no sense if we will add only intermediate cert for some site without its self-signed root cert. And so always if we will have another cert of some web-site which is signed with this intermediate cert, the last in the chain will be trusted self-signed root cert anyway. So, no any problems with security in this case!

Thanks, Steve.

--
Best Regards,
Serj
Re: [openssl-users] Hostname validation
Hi, Viktor.

I have some questions.
I didn't find docs on such functions as SSL_get0_param
Why there is no corresponding functions as SSL_set0_param in your code?
Where can I find documentation on functions operating with params?

I found only this code:

    X509_VERIFY_PARAM *param;
    param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
    SSL_CTX_set1_param(ctx, param);
    X509_VERIFY_PARAM_free(param);

here: https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html

But there is no any description how SSL_CTX_set1_param works! Does it clear all previous flags on CTX or ORing with them?
And there are no any docs on GET params functions! For example, like docs on SSL_CTX_set_options, SSL_CTX_get_option, SSL_set_options, SSL_get_options.

--
Best Regards,
Serj

25.01.2015, 20:59, Viktor Dukhovni openssl-us...@dukhovni.org:
On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:
What is the best way to make hostname validation?
1. http://wiki.openssl.org/index.php/Hostname_validation
2. X509_check_host that was added in OpenSSL 1.1.0.

The X509_check_host() interface is also available in OpenSSL 1.0.2 released a few days ago
https://www.openssl.org/docs/crypto/X509_check_host.html
(the documentation should be updated to note the earlier availability).

Starting with 1.0.2, you can also ask OpenSSL to automatically perform hostname checks during the SSL handshake on the application's behalf:
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param() which is needed for a complete SSL hostname check recipe:

    const char *servername;
    SSL *ssl;
    X509_VERIFY_PARAM *param;

    servername = "www.example.com";
    ssl = SSL_new(...);
    param = SSL_get0_param(ssl);

    /* Enable automatic hostname checks */
    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    X509_VERIFY_PARAM_set1_host(param, servername, 0);

    /* Configure a non-zero callback if desired */
    SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

    /*
     * Establish SSL connection, hostname should be checked
     * automatically test with a hostname that should not match,
     * the connection will fail (unless you specify a callback
     * that returns despite the verification failure. In that
     * case SSL_get_verify_status() can expose the problem after
     * connection completion.
     */
    ...

I don't know does the first one support wildcards or no! Seems to be: how does Curl_cert_hostcheck work - is the answer, but I don't know how it works.

Wildcard support is configured via the flags documented for X509_check_host(), the two most frequently useful are:

    X509_CHECK_FLAG_NO_WILDCARDS
    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

--
Viktor.
Re: [openssl-users] Hostname validation
Hi, Viktor.

27.01.2015, 20:23, Viktor Dukhovni openssl-us...@dukhovni.org:
I would set SSL verification parameters is to obtain the parameter handle via SSL_get0_param() or where appropriate SSL_CTX_get0_param(), and use the various X509_VERIFY_PARAM_mumble() functions to tweak the parameter object in place.

Why are not there any X509_VERIFY_PARAM_mumble() functions in your code? So your code is not complete? And if so why it was already added to wiki here: http://wiki.openssl.org/index.php/Hostname_validation

As I mentioned, this function should be documented, but is not yet. The documentation for these functions is not yet written. The way

Yes, these need (more) documentation.

That's why maybe it is better to use X509_check_host() in post connection checks now?
It's strange, why I read in documentation:
--
Applications are strongly advised to use this interface in preference to explicitly calling X509_check_host(3), hostname checks are out of scope with the DANE-EE(3) certificate usage, and the internal check will be suppressed as appropriate when DANE support is added to OpenSSL.
and no any documentation on how to set properly params for SSL or CTX!

NOTES
Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3). Host name checks are out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when DANE support is added to OpenSSL.
--
and no any documentation on how to set properly params for SSL or CTX!

Maybe this code is right, while there is no full documentation yet:

    char servername[]="www.openssl.org\x0";
    X509_VERIFY_PARAM *param;
    param = X509_VERIFY_PARAM_new();
    //enable automatic hostname checks
    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    X509_VERIFY_PARAM_set1_host(param, servername,0);
    SSL_CTX_set1_param(ctx, param); //is right if combined by a bitwise 'OR' operation
    //free param
    X509_VERIFY_PARAM_free(param);

--
Best Regards,
Serj
[openssl-users] Intermediate certificates
Hello.

Some web-sites don't send all intermediate certs during SSL Handshake.
For example, www.verisign.com sends only server's cert but doesn't send next intermediate cert:

    s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

So, I need to set a list of intermediate certs for my SSL connections. How to do this?
With SSL_CTX_load_verify_locations() I can set only trusted root certs, but not intermediate certs.

--
Best Regards,
Serj
Re: [openssl-users] Hostname validation
Hi, Viktor.

27.01.2015, 23:07, Viktor Dukhovni openssl-us...@dukhovni.org:
It is complete enough. The word mumble is not meant to be taken

Your full code from wiki is:

    const char *servername;
    SSL *ssl;
    X509_VERIFY_PARAM *param;

    servername = "www.example.com";
    ssl = SSL_new(...);
    param = SSL_get0_param(ssl);

    /* Enable automatic hostname checks */
    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    X509_VERIFY_PARAM_set1_host(param, servername, 0);

    /* Configure a non-zero callback if desired */
    SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

    /*
     * Establish SSL connection, hostname should be checked
     * automatically test with a hostname that should not match,
     * the connection will fail (unless you specify a callback
     * that returns despite the verification failure. In that
     * case SSL_get_verify_status() can expose the problem after
     * connection completion.
     */
    ...

You set here only param:

    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    X509_VERIFY_PARAM_set1_host(param, servername, 0);

But how this variable is associated with ssl object or ctx object? I don't understand really! Please explain more in detail.
I know this function only SSL_CTX_set1_param() that associates param with context ctx.

--
Best Regards,
Serj
Re: [openssl-users] Hostname validation
28.01.2015, 00:04, Dr. Stephen Henson st...@openssl.org:
It's this:

    param = SSL_get0_param(ssl);

Because SSL_get0_param retrieves the internal pointer to parameters used by ssl: so if you modify those parameters the modified versions will be used by ssl.

Thanks, Stephen. Now it's clear.

--
Best Regards,
Serj
Re: [openssl-users] Hostname validation
Hi,

Thank you for answer.
So, your recommendation is to use X509_check_host rather than code from wiki?

25.01.2015, 20:59, Viktor Dukhovni openssl-us...@dukhovni.org:
On Sun, Jan 25, 2015 at 07:43:14PM +0300, Serj wrote:

Starting with 1.0.2, you can also ask OpenSSL to automatically perform hostname checks during the SSL handshake on the application's behalf:
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set_hostflags.html
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_set1_host.html
https://www.openssl.org/docs/crypto/X509_VERIFY_PARAM_add1_host.html
https://www.openssl.org/docs/ssl/SSL_set_verify.html

Sadly, we're still lacking documentation of SSL_get0_param() which is needed for a complete SSL hostname check recipe:

    const char *servername;
    SSL *ssl;
    X509_VERIFY_PARAM *param;

    servername = "www.example.com";
    ssl = SSL_new(...);
    param = SSL_get0_param(ssl);

    /* Enable automatic hostname checks */
    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
    X509_VERIFY_PARAM_set1_host(param, servername, 0);

    /* Configure a non-zero callback if desired */
    SSL_set_verify(ssl, SSL_VERIFY_PEER, 0);

    /*
     * Establish SSL connection, hostname should be checked
     * automatically test with a hostname that should not match,
     * the connection will fail (unless you specify a callback
     * that returns despite the verification failure. In that
     * case SSL_get_verify_status() can expose the problem after
     * connection completion.
     */
    ...

I don't know does the first one support wildcards or no! Seems to be: how does Curl_cert_hostcheck work - is the answer, but I don't know how it works.

Wildcard support is configured via the flags documented for X509_check_host(), the two most frequently useful are:

    X509_CHECK_FLAG_NO_WILDCARDS
    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

--
Viktor.

--
Best Regards,
Serj
[openssl-users] Hostname validation
Hello.

What is the best way to make hostname validation?
1. http://wiki.openssl.org/index.php/Hostname_validation
2. X509_check_host that was added in OpenSSL 1.1.0.

I don't know does the first one support wildcards or no! Seems to be: how does Curl_cert_hostcheck work - is the answer, but I don't know how it works.
So, I think the second is better and more clearly?

--
Best Regards,
Serj
Re: [openssl-users] Hostname validation
Hi,

I found in CURL's sources that function: Curl_cert_hostcheck
Seems to be it support wildcards and my question is still the same: what is the best way to make hostname validation? Maybe from practice somebody knows what is the better?

CURL's hostcheck.c:

    /*
     * Match a hostname against a wildcard pattern.
     * E.g.
     *  "foo.host.com" matches "*.host.com".
     *
     * We use the matching rule described in RFC6125, section 6.4.3.
     * http://tools.ietf.org/html/rfc6125#section-6.4.3
     *
     * In addition: ignore trailing dots in the host names and wildcards, so that
     * the names are used normalized. This is what the browsers do.
     *
     * Do not allow wildcard matching on IP numbers. There are apparently
     * certificates being used with an IP address in the CN field, thus making no
     * apparent distinction between a name and an IP. We need to detect the use of
     * an IP address and not wildcard match on such names.
     *
     * NOTE: hostmatch() gets called with copied buffers so that it can modify the
     * contents at will.
     */
    static int hostmatch(char *hostname, char *pattern)
    {
      const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
      int wildcard_enabled;
      size_t prefixlen, suffixlen;
      struct in_addr ignored;
    #ifdef ENABLE_IPV6
      struct sockaddr_in6 si6;
    #endif

      /* normalize pattern and hostname by stripping off trailing dots */
      size_t len = strlen(hostname);
      if(hostname[len-1]=='.')
        hostname[len-1]=0;
      len = strlen(pattern);
      if(pattern[len-1]=='.')
        pattern[len-1]=0;

      pattern_wildcard = strchr(pattern, '*');
      if(pattern_wildcard == NULL)
        return Curl_raw_equal(pattern, hostname) ?
          CURL_HOST_MATCH : CURL_HOST_NOMATCH;

      /* detect IP address as hostname and fail the match if so */
      if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
        return CURL_HOST_NOMATCH;
    #ifdef ENABLE_IPV6
      else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
        return CURL_HOST_NOMATCH;
    #endif

      /* We require at least 2 dots in pattern to avoid too wide wildcard
         match. */
      wildcard_enabled = 1;
      pattern_label_end = strchr(pattern, '.');
      if(pattern_label_end == NULL || strchr(pattern_label_end+1, '.') == NULL ||
         pattern_wildcard > pattern_label_end ||
         Curl_raw_nequal(pattern, "xn--", 4)) {
        wildcard_enabled = 0;
      }
      if(!wildcard_enabled)
        return Curl_raw_equal(pattern, hostname) ?
          CURL_HOST_MATCH : CURL_HOST_NOMATCH;

      hostname_label_end = strchr(hostname, '.');
      if(hostname_label_end == NULL ||
         !Curl_raw_equal(pattern_label_end, hostname_label_end))
        return CURL_HOST_NOMATCH;

      /* The wildcard must match at least one character, so the left-most
         label of the hostname is at least as large as the left-most label
         of the pattern. */
      if(hostname_label_end - hostname < pattern_label_end - pattern)
        return CURL_HOST_NOMATCH;

      prefixlen = pattern_wildcard - pattern;
      suffixlen = pattern_label_end - (pattern_wildcard+1);
      return Curl_raw_nequal(pattern, hostname, prefixlen) &&
        Curl_raw_nequal(pattern_wildcard+1, hostname_label_end - suffixlen,
                        suffixlen) ?
        CURL_HOST_MATCH : CURL_HOST_NOMATCH;
    }

    int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
    {
      char *matchp;
      char *hostp;
      int res = 0;
      if(!match_pattern || !*match_pattern ||
          !hostname || !*hostname) /* sanity check */
        ;
      else {
        matchp = strdup(match_pattern);
        if(matchp) {
          hostp = strdup(hostname);
          if(hostp) {
            if(hostmatch(hostp, matchp) == CURL_HOST_MATCH)
              res= 1;
            free(hostp);
          }
          free(matchp);
        }
      }

      return res;
    }
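The wildcard rules discussed in this thread (the RFC 6125 rules in the curl comment above and the two X509_check_host() flags named in the earlier reply), as an added example that is not OpenSSL's or curl's code: a simplified, self-contained model showing which certificate names each setting accepts. The names host_matches, wc_mode and WC_* are hypothetical, and the sample names in main() are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical mode names; a simplified model, not OpenSSL's implementation. */
enum wc_mode {
    WC_DEFAULT,     /* full and partial ("f*o") wildcards accepted */
    WC_NO_PARTIAL,  /* cf. X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS */
    WC_NONE         /* cf. X509_CHECK_FLAG_NO_WILDCARDS */
};

/* Copy src into dst, dropping one trailing dot; returns 0 if unusable. */
static int normalize(char *dst, size_t cap, const char *src)
{
    size_t len = src ? strlen(src) : 0;
    if (len == 0 || len >= cap)
        return 0;
    memcpy(dst, src, len + 1);
    if (dst[len - 1] == '.')
        dst[--len] = '\0';
    return len > 0;
}

/* Returns 1 if certificate name `pattern` covers `host`, otherwise 0. */
int host_matches(const char *pattern, const char *host, enum wc_mode mode)
{
    char pat[256], name[256];
    unsigned char ip[16];                     /* room for an IPv6 address */
    const char *star, *pat_dot, *name_dot;
    size_t prefix, suffix;

    if (!normalize(pat, sizeof pat, pattern) ||
        !normalize(name, sizeof name, host))
        return 0;
    star = strchr(pat, '*');
    if (star == NULL || mode == WC_NONE)
        return strcasecmp(pat, name) == 0;    /* literal comparison only */
    if (inet_pton(AF_INET, name, ip) == 1 || inet_pton(AF_INET6, name, ip) == 1)
        return 0;                             /* never wildcard-match an IP */
    pat_dot = strchr(pat, '.');
    if (pat_dot == NULL || strchr(pat_dot + 1, '.') == NULL /* < 2 dots */
        || star > pat_dot                     /* '*' not in left-most label */
        || strchr(star + 1, '*') != NULL      /* more than one '*' */
        || strncasecmp(pat, "xn--", 4) == 0)  /* IDN A-label */
        return 0;
    prefix = (size_t)(star - pat);
    suffix = (size_t)(pat_dot - (star + 1));
    if (mode == WC_NO_PARTIAL && (prefix || suffix))
        return 0;                             /* only a bare "*" label */
    name_dot = strchr(name, '.');
    if (name_dot == NULL || strcasecmp(pat_dot, name_dot) != 0)
        return 0;                             /* parent domains differ */
    if ((size_t)(name_dot - name) < prefix + suffix + 1)
        return 0;                             /* '*' needs >= 1 character */
    return strncasecmp(pat, name, prefix) == 0 &&
           strncasecmp(star + 1, name_dot - suffix, suffix) == 0;
}

int main(void)
{
    printf("%d %d\n", host_matches("f*o.host.com", "foo.host.com", WC_DEFAULT),
           host_matches("f*o.host.com", "foo.host.com", WC_NO_PARTIAL));
    return 0;
}
```

Unlike curl's hostmatch(), this model rejects a malformed wildcard pattern outright instead of falling back to a literal comparison.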