Re: [openssl-users] How to make a rehandshake(renegotiation)?
Hi, I managed to do a renegotiation. My mistake was that I start renegotiation when not all data were received or sended. Probably there was a situation when not all packets(records) were processed and i got a error: unexpected record or bad length. Really only one function SSL_renegotiate and flag SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION are quite enough. Seems to be all others was for old OpenSLL versions. Only one question remain, it's opposite to the first one: if i want don't use renegotiation at all, how to disable it? I see that insecure renegotiation can be disabled by: SSL_CTX_clear_options(ctx,SSL_OP_LEGACY_SERVER_CONNECT) that is enabled by default. But what about secure renegotiation? Is it possible to disable it at all for client and server. So, Server rejects queries on secure renegotiation from client and client rejects queries on secure renegotiation from server. Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
11.03.2015, 20:38, Salz, Rich rs...@akamai.com: Many servers have disabled client-initiated renegotation. I thought you were testing your client/server. Yes I want to test my own client and server. I don't disable renegotation manually. I don't know how to do this. Maybe it disabled by default? Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com: I would like to use the Shining Light precompiled openssl binaries within Visual Studio. I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW I can static link with VS and the libraries in OpenSSL/lib/VC/static When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted. I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c. Static link would not be the end of the world, but shouldn't it work? I think you must simply build static libraries yourself with Visual C++. And it will work. Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Dynamic link openssl with Visual Studio
11.03.2015, 20:22, Ken Goldman kgold...@us.ibm.com: I would like to use the Shining Light precompiled openssl binaries within Visual Studio. I can dynamic link with gcc and the libraries in OpenSSL/lib/MinGW I can static link with VS and the libraries in OpenSSL/lib/VC/static When I dynamic link with VS and the libraries in OpenSSL/lib/VC, it crashes on a call to PEM_read_PUBKEY(), and appears the stack is corrupted. I believe that the libeay32MDd.lib matches the VS /MDd setting. I tried with and without applink.c. Static link would not be the end of the world, but shouldn't it work? I think you must simply build static or dynamic libraries(as you need) with Visual C++ yourself. And they will work. Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
10.03.2015, 21:40, Salz, Rich rs...@akamai.com: Yes. You probably need more than that. :) Take a look at the apps/s_client and look for the 'R' constant to see how to do client-initiated reneg. I have took a look at the apps/s_client. I see only several lines of code about renegotiation: //... static int ; if (++ == 52) { SSL_renegotiate(con); = 0; } //... if ((!c_ign_eof) (cbuf[0] == 'R')) { BIO_printf(bio_err, RENEGOTIATING\n); SSL_renegotiate(con); cbuf_len = 0; } //... So only one function is used: SSL_renegotiate I also use it - but nothing happens or error: OpenSSL error: 5044:error:140940F5:SSL routines:ssl3_read_bytes:unexpected record:.\ssl\s3_pkt.c:1611: NO renegotioation! More than that I tested s_client on several domains. I typed R after s_client was connected but got a error: 2992:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:.\ssl\s3_pkt.c:644: error in s_client I also have took a look at the s_server and saw only one function: SSL_renegotiate that seems to be must make a renegotioation. I do some else in code but: NO renegotioation happens! Why? Can anybody help and though explain about renegotiation at all? Maybe I don't know something... When it can be used? Maybe it's disable by default for security reasons in OpenSSL? There is a function SSL_get_secure_renegotiation_support. Seems to be renegotiation can be secure or no. Maybe something else But right now I want to perform ANY type of renegotiation )) Nothing happens or error... Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delay of email delivery for the list
11.03.2015, 08:20, Kurt Roeckx k...@roeckx.be: The mta.opensslfoundation.net was only very temporary and should not be used. openssl-users@openssl.org works just fine and doesn't have any delay for me. Ok. You can always check the headers why or where it has any delay. It's not so important for me as for example How to make a rehandshake(renegotiation) )) but let's see in my email's headers: Was sent: Date: Wed, 11 Mar 2015 19:02:30 +0300 The path: Received: by web8g.yandex.ru with HTTP; Wed, 11 Mar 2015 19:02:30 +0300 Received: from forward20.mail.yandex.net (forward20.mail.yandex.net by mta.openssl.org (Postfix) with ESMTPS id E6E9D2015F for openssl-users@openssl.org; Wed, 11 Mar 2015 16:10:20 + (UTC) [for my timezone 19:10:20 +0300] . Received: by mta.openssl.org (Postfix, from userid 106) id 7505E2044B; Wed, 11 Mar 2015 16:50:48 + (UTC) [for my timezone 19:50:48 +0300] . Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) by mxfront7j.mail.yandex.net (nwsmtp/Yandex) with ESMTPS id yN2OVojEOL-onhON31U; Wed, 11 Mar 2015 19:50:49 +0300 Received: from mxfront7j.mail.yandex.net ([127.0.0.1]) by mxfront7j.mail.yandex.net with LMTP id nT56hQSL for ra...@yandex.com; Wed, 11 Mar 2015 19:50:50 +0300 So, it was sent by me at 19:02 (GMT+3). It was received by mta.openssl.org from my mail server already at 19:10 (GMT+3). And was delayed there until 19:50 (GMT+3). My mail server received it only at 19:50 (GMT+3). Once again, it's not so important. But the delay is on the mta.openssl.org mail server(s). Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
Nobody knows? Does OpenSSL support renegotiation? I will be very grateful for answers because there is no any info about this in the net. 09.03.2015, 00:36, Serj Rakitov ra...@yandex.com: Hello I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. I have client and server. Server is sending data to the client. Client is reading data. After some bytes sent server initiates a rehandshake to cause SSL_ERROR_WANT_WRITE on client. But there is no rehandshake. On server SSL_do_handshake returns 0 and SSL_get_error returns SSL_ERROR_WANT_READ. And on client SSL_read returns0 and SSL_get_error also returns SSL_ERROR_WANT_READ. The code to rehandshake is: SSL_set_session_id_context(...); SSL_renegotiate(...) SSL_do_handshake(...); ssl-state=SSL_ST_ACCEPT; //process SSL_do_handshake (WANT_READ/WANT_WRITE) How to make a rehandshake from server side? Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Nobody knows? 09.03.2015, 15:30, Serj Rakitov ra...@yandex.com: I have to open discussion again. I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to rehandshake. I tried after connect and handshake to send data simultaneously both to server and to client and never got one of those situations, SSL_read only wanted to read and SSL_write only wanted to write, all data was received by both client and server. I don't even understand how SSL_write can want to read? In what cases? I can understand when SSL_read wants to write, for example when client got HelloRequest or server got a new ClientHello while reading data. But I can't test it, because I don't know how to start handshake again, how to perform a rehandshake(renegotiation). Can anybody help me? How to test these situations or how to perform a rehandshake? Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Delay of email delivery for the list
Hello, I see some delay about 30-40 min for my emails. They arrive and I see them in the incoming messages in the list only after 30-40 min. And one email was delivered for 2 hours. Is it normal for the openssl-users@openssl.org? Some time ago I see an email with message: Welcome to the openssl-us...@mta.opensslfoundation.net mailing list! Maybe now when something have changed we must send emails to the openssl-us...@mta.opensslfoundation.net not to the openssl-users@openssl.org? Regards. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hi, Jakob. Thanks for reply. Now I have seen OpenSSL code and something clear for me. WANT_READ/WANT_WRITE it's just an implementation for WOULDBLOCK: not fatal error for non-blocking IO. So, for example for socket and Windows it's just WSAEWOULDBLOCK returns by WSAGetLastError. Peforms by BIO_sock_should_retry/BIO_sock_non_fatal_error in sock_read/sock_write. There was some incomprehension for me because I forgot that SSL_read/SSL_write can perform a handshake if it didn't happen before. This is the key, because if handshake took place when SSL_write never will want read(to my mind), because it's just perform writesocket(send) operation. But with Rehandshaking (renegotiation) still incomprehension... I don't know why there is a silence about this here and in the net! I have read Eric Rescorla's old(January 10, 2002) article and there he told about Rehandshaking on the Server and on the Client, so it's possible with OpenSSL, but maybe in newer versions of OpenSSL it is not possible? Jakob, can you tell me: is it possible to renegotiate a connection in OpenSSL? And if yes how to do it right? 10.03.2015, 19:06, Jakob Bohm jb-open...@wisemo.com: Not having tested or read the relevant OpenSSL code, I presume that SSL_write could want a read if it has sent a handshake message, but not yet received the reply, thus it cannot (encrypt and) send user data until it has received and acted on the handshake reply message. Maybe the easier scenarios are at the start of a session, where the initial handshake has not yet completed, as happens in a HTTPS client (always writes a request before the first read) or a simple SMTPS server (always writes a banner line before the first read of client commands, except in some servers that do an early read to check if a broken/spammer client is trying to send before receiving the banner). ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
I have to open discussion again. I want to test situations when SSL_read WANT_WRITE and SSL_write WANT_READ. But I can't do this. SSL_read never wants write and SSL_write never wants read! I don't know how to catch these situations. I don't know how to rehandshake. I tried after connect and handshake to send data simultaneously both to server and to client and never got one of those situations, SSL_read only wanted to read and SSL_write only wanted to write, all data was received by both client and server. I don't even understand how SSL_write can want to read? In what cases? I can understand when SSL_read wants to write, for example when client got HelloRequest or server got a new ClientHello while reading data. But I can't test it, because I don't know how to start handshake again, how to perform a rehandshake(renegotiation). Can anybody help me? How to test these situations or how to perform a rehandshake? Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to make a rehandshake(renegotiation)?
I can't start rehandshake even from client side. If I try something like this on client side: SSL_renegotiate(...) //process SSL_do_handshake(SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE) nothing happens. Neither client nor server can't start a new handshake! How to do a rehandshake? Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] How to make a rehandshake(renegotiation)?
Hello I want to test SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. I have client and server. Server is sending data to the client. Client is reading data. After some bytes sent server initiates a rehandshake to cause SSL_ERROR_WANT_WRITE on client. But there is no rehandshake. On server SSL_do_handshake returns 0 and SSL_get_error returns SSL_ERROR_WANT_READ. And on client SSL_read returns0 and SSL_get_error also returns SSL_ERROR_WANT_READ. The code to rehandshake is: SSL_set_session_id_context(...); SSL_renegotiate(...) SSL_do_handshake(...); ssl-state=SSL_ST_ACCEPT; //process SSL_do_handshake (WANT_READ/WANT_WRITE) How to make a rehandshake from server side? -- Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Thanks, Graham. Sorry for too late answer )) Now i am testing... 21.02.2015, 14:42, Graham Leggett minf...@sharp.fm: On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote: I set socket to non-blocking mode. 1. If I do SSL_read() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE what must I to do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() untill it successed. Is this right? 2. If I do SSL_write() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_READ what must I to do? If I must read some data can it be application data or no? So, if I call SSL_read(ssl,buf,buf_size) must I waiting in buf some application data or never? And after I did SSL_read(ssl,buf,buf_size) then I must again call SSL_write() untill it returns with success? 3. Can be this situation: SSL_write() returns =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for non-blocking socket? In both cases you return back to your poll and ask the OS to wait for the event that openssl asked for. If openssl asked for read, you poll until the socket is readable. If openssl asked for a write, you poll until the socket is writable. When you get the event you asked for, you just run whatever you were running again. For example, if you were running SSL_read, run SSL_read again. If you were running SSL_write, run SSL write again. So to write it out: - Call SSL_read(), it returns SSL_ERROR_WANT_WRITE - Poll for the socket being writable. - It’s writable! call SSL_read() again. it might return SSL_ERROR_WANT_READ - Poll for the socket being readable. - It’s readable! Call SSL_read() again, and so on. If openssl wants read, poll for read. If openssl wants write, poll for write. Don’t arbitrarily swap round SSL_read and SSL_write, those two calls are what *you* want to do, not what openssl wants to do. Regards, Graham -- Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
Hello. I set socket to non-blocking mode. 1. If I do SSL_read() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE what must I to do? Is it enough to call SSL_write(ssl,0,0) one time and then again call SSL_read() untill it successed. Is this right? 2. If I do SSL_write() and get result =0 and then SSL_get_error() returns SSL_ERROR_WANT_READ what must I to do? If I must read some data can it be application data or no? So, if I call SSL_read(ssl,buf,buf_size) must I waiting in buf some application data or never? And after I did SSL_read(ssl,buf,buf_size) then I must again call SSL_write() untill it returns with success? 3. Can be this situation: SSL_write() returns =0 and then SSL_get_error() returns SSL_ERROR_WANT_WRITE? What to do in this case for non-blocking socket? -- Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file
Hi, Christian 17.02.2015, 12:55, Christian Parpart tra...@gmail.com: I am rather new to OpenSSL development, but I'd like to integrate SSL communication in my little HTTP server. While this one is working so far, for SNI I actually need to read out the server certificates DNS name extenion and commonName subject. How to get CN and subject alternative names from cert you can see this wiki page: http://wiki.openssl.org/index.php/Hostname_validation But how do I come from the SSL_CTX to my X509 struct, or how to I do it else? 1. SSL_CTX_set_verify() or SSL_set_verify(), then in callback X509_STORE_CTX_get_current_cert() 2. SSL_get_peer_certificate() -- Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY
Hi, Michael. Thank you very much for your answer. Now it's clear. 03.02.2015, 16:08, "Michael Wojcik" michael.woj...@microfocus.com:Lots of things in OpenSSL aren't documented. It's not strange at all - programmers tend to write code first, documentation second (or later). This is true of a great many open-source projects, and many commercial ones as well. If you want something documented, your best bet is to research it in the code and write the documentation yourself. Ok. Will try to write code first, deal with code next time. And after that - questions. I am a beginner in OpenSSL API, that's why I have these questions...I think some simple things because they are already are known by skilled programmers can be asked here via openssl-users@openssl.org. Isn't it?It's too hard to deal with not full documentation. And some help is very necessary at this stage. I think you understand me. "i" is an abbreviation for "internal", meaning OpenSSL's internal format."2" means "to"."d" means "DER"."b" means "blob", and refers to a "key blob" format used by Microsoft. (That's based on the OpenSSL source code; I haven't looked into the actual provenance of this blob format.) It appears the key blob format typically uses the "PVK" file extension. Lots of things in OpenSSL aren't documented. It's not strange at all - programmers tend to write code first, documentation second (or later). This is true of a great many open-source projects, and many commercial ones as well. If you want something documented, your best bet is to research it in the code and write the documentation yourself. Regarding your second question: EVP_KEY is defined in evp.h, where we see it contains a pointer to one of the specific key types, such as rsa_st. rsa_st is defined in rsa.h, and if we look there we see that it contains all the RSA parameters, so it implicitly contains both the public and private key. Michael Wojcik Technology Specialist, Micro Focus --Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] What is the best practise for shutdown SSL connections?
Hi, Viktor. 02.02.2015, 18:04, "Viktor Dukhovni" openssl-us...@dukhovni.org:It should be sufficient for the server to send its close notifywithout waiting for a client response. If the server destroys theSSL connection without calling SSL_shutdown() I am not sure whetherthe session remains cached. I mean, can CLIENT then reuse this session, if it doesn't send "close_notify" alert? Or this session will be invalid?Try it, see what happens. The client is certainly free to *try*to the reuse the session, worst-case the server will perform a fullhandshake anyway. Thank you for answers. I will try. --Best Regards, Serj Rakitov ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users