[openssl-users] Unable to run Configure for msys/mingw
I had always been successful with Configure for the last several releases. But with 1.0.2h, I am not able to run Configure correctly. Note that I am on Windows msys.

Here is what I get:

$ ./configure no-symlinks shared mingw
Configuring for mingw
    no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp [default] OPENSSL_NO_GMP (skip dir)
    no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-libunbound [experimental] OPENSSL_NO_LIBUNBOUND (skip dir)
    no-md2 [default] OPENSSL_NO_MD2 (skip dir)
    no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
    no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
    no-sctp [default] OPENSSL_NO_SCTP (skip dir)
    no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir)
    no-ssl2 [default] OPENSSL_NO_SSL2 (skip dir)
    no-store [experimental] OPENSSL_NO_STORE (skip dir)
    no-symlinks [option]
    no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir)
    no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
    no-zlib [default]
    no-zlib-dynamic [default]
IsMK1MF=0
CC =gcc
CFLAG =-D_WINDLL -DOPENSSL_USE_APPLINK -DOPENSSL_PIC -DOPENSSL_THREADS -D_MT -DDSO_WIN32 -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 -march=i486 -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
EX_LIBS =-lws2_32 -lgdi32 -lcrypt32
CPUID_OBJ =x86cpuid.o uplink.o uplink-x86.o
BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o
EC_ASM =
DES_ENC =des-586.o crypt586.o
AES_ENC =aes-586.o vpaes-x86.o aesni-x86.o
BF_ENC =bf-586.o
CAST_ENC =c_enc.o
RC4_ENC =rc4-586.o
RC5_ENC =rc5-586.o
MD5_OBJ_ASM =md5-586.o
SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o
RMD160_OBJ_ASM=rmd-586.o
CMLL_ENC =cmll-x86.o
MODES_OBJ =ghash-x86.o
ENGINES_OBJ =
PROCESSOR =
RANLIB =true
ARFLAGS =
PERL =perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined

Configured for mingw.

*** Because of configuration changes, you MUST do the following before
*** building:

make depend

The configure script abruptly stops at "RC4_CHUNK is undefined", and no other error messages are given. I'm not familiar with shell scripts, so I am not able to locate the bug. Need help.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] regarding ssl_server test
On Thu, May 26, 2016 at 5:51 PM, Jakob Bohm wrote:
> On 26/05/2016 18:33, R-D intern wrote:
>>
>> Hello,
>> I have implemented ssl for my internal server that listens over a
>> private ip. Can anyone suggest how can I test my ssl_server? For eg.
>> Qualys test shows the amount of ssl implementation of a server listening over
>> public ip and even checks for vulnerabilities in ssl implementation. How
>> can such a thing be tested for a server listening over private ip?
>> Please help. Awaiting response.
>> Regards,
>> R-D Intern
>>
>
> Indeed, there are many servers that cannot be reached by the
> online configuration tests such as the one run by Qualys.
>
> What would be really nice would be if one of the good test
> suites could be downloaded and run locally on internal servers,
> non-web servers, staging servers etc. to verify that
> configurations are correct, or at least as good as possible.

That's sslscan (http://sourceforge.net/projects/sslscan/). You need a modern fork because the original version by Ventura-Whiting and Bowman has been abandoned. The abandoned version lacks things like TLS 1.2 support and SNI support.

You can find lots of forks of the original sslscan on GitHub: http://www.google.com/search?q=sslscan+site:github.com

Jeff
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
On 27/05/16 13:23, counterpoint wrote:
> Thanks for the comments, Matt.
>
>> read_ahead and SSL_pending() do not play nicely together unfortunately.
>> See the master (1.1.0) version of the SSL_pending() documentation which
>> discusses this issue and introduced the new function SSL_has_pending()
>> which addresses it:
>
>> https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
>
> I looked at SSL_has_pending, but can't easily use it as the software needs
> to build on standard distributions, as far as possible, and it isn't in e.g.
> CentOS 6.5
>
>> So it sounds like this is during reading of application data? Has
>> SSL_accept() returned successfully, and you are now wanting to call
>> SSL_read()?
>
> It's getting a lot further than that. The SSL_accept returns success, and a
> whole series of SSL_read and SSL_write calls look to be operating fine. It
> appears that most of the 500KB of data used in the test is transferred, but
> (probably near the end) the process hangs. Presumably SSL_pending is
> returning 0 and there are no further EPOLLIN events. Or something like
> that.
>
> I expected that turning off read ahead would fix both server and client, but
> it seems not. I've read all the configuration options I can find, but so far
> haven't found a solution to the server side application.

It would be interesting to know what the value of "s->s3->rbuf.left" is (where "s" is your SSL object) when it gets to this point. SSL_pending() tells you how much buffered and processed data is left that OpenSSL can provide. The above value tells you how much buffered and raw *unprocessed* data is left. If you've turned read_ahead off it should be zero.

I wouldn't recommend looking at that in a production app (you won't be able to access it in 1.1.0) but for debugging purposes it would be interesting.

Matt
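Added example, not part of the thread and not OpenSSL code: a toy record layer in C that models the distinction drawn in the message above between processed data (what SSL_pending() reports) and raw read-ahead data (rbuf.left). The names toy_read, toy_pending, toy_raw_left and consume are hypothetical, the three records are constructed input, and poll() with a timeout stands in for the epoll wait so the stall shows up as a short count instead of a hang.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Toy record layer, NOT OpenSSL: a record is 1 length byte + payload.
 * raw[] plays the role of the read-ahead buffer (s->s3->rbuf). */
enum { WANT_READ = -1 };
struct toy { int fd; unsigned char raw[256]; size_t len, off; };

/* Unprocessed bytes buffered in user space (the rbuf.left analogue). */
static size_t toy_raw_left(const struct toy *t) { return t->len - t->off; }
/* Processed, undelivered bytes (the SSL_pending() analogue): always 0 here
 * because toy_read() hands over a whole record at a time. */
static size_t toy_pending(const struct toy *t) { (void)t; return 0; }

/* Read-ahead on: pull everything the socket has, return ONE record. */
static int toy_read(struct toy *t, unsigned char *out) {
    if (t->off == t->len) {
        ssize_t n = recv(t->fd, t->raw, sizeof t->raw, MSG_DONTWAIT);
        if (n <= 0) return WANT_READ;
        t->len = (size_t)n; t->off = 0;
    }
    size_t reclen = t->raw[t->off];
    memcpy(out, t->raw + t->off + 1, reclen);
    t->off += 1 + reclen;
    return (int)reclen;
}

/* drain=0: one read per readiness event, then trust pending()==0.
 * drain=1: read until WANT_READ before waiting again.
 * Returns records delivered; *stranded = bytes left behind in raw[]. */
static int consume(int drain, size_t *stranded) {
    /* Constructed input: three 4-byte records arriving in one segment. */
    static const unsigned char wire[] = "\004data\004data\004data";
    int sv[2], got = 0;
    unsigned char buf[255];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (send(sv[0], wire, sizeof wire - 1, 0) != (ssize_t)(sizeof wire - 1)) return -1;
    struct toy t = { .fd = sv[1] };
    struct pollfd p = { .fd = sv[1], .events = POLLIN };
    while (poll(&p, 1, 100) > 0)     /* 100 ms timeout stands in for the hang */
        while (toy_read(&t, buf) != WANT_READ) {
            got++;
            if (!drain && toy_pending(&t) == 0) break;
        }
    *stranded = toy_raw_left(&t);
    close(sv[0]); close(sv[1]);
    return got;
}

int main(void) {
    size_t a, b;
    int once = consume(0, &a), all = consume(1, &b);
    printf("one read per event: %d records, %zu bytes stranded\n", once, a);
    printf("drain to WANT_READ: %d records, %zu bytes stranded\n", all, b);
    return 0;
}
```

In the read-once case the socket is already empty when the loop waits again, so the remaining records sit in the user-space buffer and no further readiness event arrives; reading until WANT_READ avoids that without needing SSL_has_pending().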
[openssl-users] Missing EVP_aes_128_gcm() in openssl 1.0.2g
Hi,

I cannot find the implementation of EVP_aes_128_gcm() in openssl-1.0.2g (2016-Mar-01). I searched all files but it's not there. Also when compiling openssl as a lib, it's missing.

I can only find the header prototype of EVP_aes_128_gcm() which doesn't help much.

Any idea where I can find the implementation of EVP_aes_128_gcm() ?

Thanks!
Jens
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
Thanks for the comments, Matt.

> read_ahead and SSL_pending() do not play nicely together unfortunately.
> See the master (1.1.0) version of the SSL_pending() documentation which
> discusses this issue and introduced the new function SSL_has_pending()
> which addresses it:

> https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html

I looked at SSL_has_pending, but can't easily use it as the software needs to build on standard distributions, as far as possible, and it isn't in e.g. CentOS 6.5

> So it sounds like this is during reading of application data? Has
> SSL_accept() returned successfully, and you are now wanting to call
> SSL_read()?

It's getting a lot further than that. The SSL_accept returns success, and a whole series of SSL_read and SSL_write calls look to be operating fine. It appears that most of the 500KB of data used in the test is transferred, but (probably near the end) the process hangs. Presumably SSL_pending is returning 0 and there are no further EPOLLIN events. Or something like that.

I expected that turning off read ahead would fix both server and client, but it seems not. I've read all the configuration options I can find, but so far haven't found a solution to the server side application.

--
View this message in context: http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66383.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: [openssl-users] Missing EVP_aes_128_gcm() in openssl 1.0.2g
On 27/05/16 14:49, Jensen, Jens H wrote:
> Hi,
>
> I cannot find the implementation of EVP_aes_128_gcm() in openssl-1.0.2g
> (2016-Mar-01). I searched all files but it’s not there. Also when
> compiling openssl as a lib, it’s missing.
>
> I can only find the header prototype of EVP_aes_128_gcm() which doesn’t
> help much.
>
> Any idea where I can find the implementation of EVP_aes_128_gcm() ?

It's defined via a macro. crypto/evp/e_aes.c line 1602.

Matt
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
On 27/05/16 07:32, counterpoint wrote:
> Hmm, some progress, but still puzzled. When my code is acting as the client,
> it seems that the problem can be overcome by calling SSL_set_read_ahead with
> a zero parameter, to turn off reading ahead. This is done just before
> calling SSL_connect. The application now seems able to read megabytes of
> data from the server without hanging.

read_ahead and SSL_pending() do not play nicely together unfortunately. See the master (1.1.0) version of the SSL_pending() documentation which discusses this issue and introduced the new function SSL_has_pending() which addresses it:

https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html

>
> However, adding a similar call just before SSL_accept does not solve the
> problem when the application is the server, and is reading a lot of data
> from the client. It looks as if the data is read (certainly hundreds of KB
> in packets of 16384 bytes) but the application then hangs. Presumably for
> lack of any trigger (such as EPOLLIN) to generate any further activity.

So it sounds like this is during reading of application data? Has SSL_accept() returned successfully, and you are now wanting to call SSL_read()?

Matt
[openssl-users] OpenSSL shutdown timeout - Please add timeout function
Two or more calls to ssl_shutdown() resulted in a lock. ssl_shutdown would not return for over 60 seconds or more. The server, or host, is Microsoft IIS.

Could OpenSSL add a setting function to the library which will set the timeout/waketime for ssl_shutdown() (process)?

Thank you.

Gary Pham
ostradegr...@gmail.com
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
Seems to always be zero, Matt, as it should be. This gives some idea of what is going on:

Breakpoint 4, dcb_basic_read_SSL (dcb=0x7fffdc0158d0, nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1218
1218 switch (SSL_get_error(dcb->ssl, *nsingleread))
$352 = 16384

Breakpoint 5, dcb_basic_read_SSL (dcb=0x7fffdc0158d0, nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1222
1222 MXS_DEBUG("%lu [%s] Read %d bytes from dcb %p in state %s "
Fri May 27 16:47:12 BST 2016
$353 = "Successful SSL read"

Breakpoint 1, dcb_read_SSL (dcb=0x7fffdc0158d0, head=0x7fff87d0) at /root/MaxScale/server/core/dcb.c:1191
1191 ss_dassert(gwbuf_length(*head) == (start_length + nreadtotal));
$354 = 0

Breakpoint 9, dcb_write (dcb=0x678ef0, queue=0x67d300) at /root/MaxScale/server/core/dcb.c:1370
1370 below_water = (dcb->high_water && dcb->writeqlen < dcb->high_water);
Fri May 27 16:47:12 BST 2016
$355 = 16384
$356 = "Writing to the client"

Breakpoint 4 shows the number of bytes read.
Breakpoint 5 shows the case for analysis of the return code from the read.
Breakpoint 1 shows the value of s->s3->rbuf.left
Breakpoint 9 shows the number of bytes being passed to the write function.
Re: [openssl-users] regarding ssl_server test
Thank you so much. I tried searching for a downloadable ssl_server test source code for internal servers but couldn't get any. How could I get one?

Thanks and regards,
R-D Intern
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
Thanks Matt, good points. Not easy to implement though!

In the problem case, my code is the server (it is a proxy), and the standard MariaDB command line client is the client. Yes, it does look as if everything is happening as it should, except that the process stops before all the data has been handled.

The client is sending a large query (about 500 KB, using "load data local infile '/root/bigdata.txt' into table upload;").

If the client is connected directly to the database, using SSL, the query runs successfully.

If the client is connected through the proxy without SSL (most of the logic exactly the same), the query runs successfully.

If a shorter query is chosen, it works with SSL.

Looking at the data flows with Wireshark, it looks about right, but I can't see the data in detail because of the SSL :)

I thought the read ahead issue would have fixed both sides, but somehow the interface to the client still doesn't work. So it's hard to find things to diagnose, leaving me scratching round for inspiration and something to change that might fix things. And ideally, I need a quick result! Such is life.
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
On 27/05/16 15:51, counterpoint wrote:
> Seems to always be zero, Matt, as it should be. This gives some idea of
> what is going on:
>
> Breakpoint 4, dcb_basic_read_SSL (dcb=0x7fffdc0158d0,
> nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1218
> 1218 switch (SSL_get_error(dcb->ssl, *nsingleread))
> $352 = 16384
>
> Breakpoint 5, dcb_basic_read_SSL (dcb=0x7fffdc0158d0,
> nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1222
> 1222 MXS_DEBUG("%lu [%s] Read %d bytes from dcb %p in state %s "
> Fri May 27 16:47:12 BST 2016
> $353 = "Successful SSL read"
>
> Breakpoint 1, dcb_read_SSL (dcb=0x7fffdc0158d0, head=0x7fff87d0)
> at /root/MaxScale/server/core/dcb.c:1191
> 1191 ss_dassert(gwbuf_length(*head) == (start_length + nreadtotal));
> $354 = 0
>
> Breakpoint 9, dcb_write (dcb=0x678ef0, queue=0x67d300)
> at /root/MaxScale/server/core/dcb.c:1370
> 1370 below_water = (dcb->high_water && dcb->writeqlen <
> dcb->high_water);
> Fri May 27 16:47:12 BST 2016
> $355 = 16384
> $356 = "Writing to the client"
>
> Breakpoint 4 shows the number of bytes read. Breakpoint 5 shows the case
> for analysis of the return code from the read. Breakpoint 1 shows the
> value of s->s3->rbuf.left Breakpoint 9 shows the number of bytes being
> passed to the write function.

So, if I understand you correctly, s->s3->rbuf.left is always 0 (indicating that there is no unprocessed data that OpenSSL has buffered) and SSL_pending() returns 0 (indicating that OpenSSL has no processed data buffered). And this is the point where the hang in epoll occurs?

It sounds to me like OpenSSL on the server is behaving as expected. It's processed all the data it has received and sent it on to your application. This looks like either:

- the client hasn't sent the data that you're expecting to receive (perhaps because of a problem on the client side)
or
- your server application hasn't correctly responded to something that the client sent you.

Either way it looks to me like an application protocol level issue rather than an SSL/TLS level issue.

So the question is what data are you waiting for from the client at this point? Does the client think it sent it? Perhaps it's sitting in some buffer somewhere. You need to work out at the application protocol level what state things are in, and why the client and server are apparently out of sync with each other.

Matt
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
On 27/05/16 16:20, counterpoint wrote:
> Thanks Matt, good points. Not easy to implement though!
>
> In the problem case, my code is the server (it is a proxy), and the standard
> MariaDB command line client is the client. Yes, it does look as if
> everything is happening as it should, except that the process stops before
> all the data has been handled.
>
> The client is sending a large query (about 500 KB, using "load data local
> infile '/root/bigdata.txt' into table upload;").
>
> If the client is connected directly to the database, using SSL, the query
> runs successfully.
>
> If the client is connected through the proxy without SSL (most of the logic
> exactly the same), the query runs successfully.
>
> If a shorter query is chosen, it works with SSL.
>
> Looking at the data flows with Wireshark, it looks about right, but I can't
> see the data in detail because of the SSL :)

Perhaps using an eNULL ciphersuite might help?

Matt
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
> Perhaps using an eNULL ciphersuite might help?
> Matt

Good idea, I'll give it a try.
[openssl-users] OpenSSL/TLS /AES-GCM IV/Key uniqueness compliance with SP800-38D Section 8
All,

We are using OpenSSL 1.0.1e/FIPS 2.0.11 on CentOS6 x86_64 and I have a question about the TLS GCM Cipher suites - Do the TLS GCM suites satisfy the requirements of Section 8 of SP 800-38D ?

If I am reading the document right, the following are the requirements therein.

1) The probability that the authenticated encryption function ever will be invoked with the same IV and same key on two (or more) distinct sets of input data shall be no greater than 2^-32.
2) Any GCM key that is established among its intended users shall, with high probability, be fresh.
3) The total number of invocations of the authenticated encryption function shall not exceed 2^32, including all IV lengths and all instances of the authenticated encryption function with the given key.

TIA.
Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving
Hmm, some progress, but still puzzled. When my code is acting as the client, it seems that the problem can be overcome by calling SSL_set_read_ahead with a zero parameter, to turn off reading ahead. This is done just before calling SSL_connect. The application now seems able to read megabytes of data from the server without hanging.

However, adding a similar call just before SSL_accept does not solve the problem when the application is the server, and is reading a lot of data from the client. It looks as if the data is read (certainly hundreds of KB in packets of 16384 bytes) but the application then hangs. Presumably for lack of any trigger (such as EPOLLIN) to generate any further activity.

Any suggestions please?