suspending and continuing handshake
Hi!

I'm not sure if this is the appropriate list to send this to, but since I believe it would need a modification in the openssl source code, I'm sending it here.

So the problem I'm trying to solve is this. In a proxying environment, when the client connects to the proxy and sends the SNI, you have to suspend the handshake with the client side, start the handshake on the server side, get the certificate from the server, and send that certificate back to the client. This is only possible if I can suspend the handshake procedure with the client and continue when I have the certificate from the server.

Right now openssl has some callbacks like the info and msg callbacks, but you cannot return from them with, let's say, SSL_HANDSHAKE_SUSPEND or SSL_HANDSHAKE_INTERRUPT or something like that to be able to continue it later. So right now when you return from these and you don't have the certificate set, you'll get the "No shared cipher" error.

The question is: will there be some kind of way to suspend and continue the handshake?

Thank you.
Fwd: Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
-- Forwarded message --
From: Martin Haufschild martin.haufsch...@uni-rostock.de
Date: 23 May 2014 07:34
Subject: Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations

Hello,

FYI https://www.cs.utexas.edu/~shmat/shmat_oak14.pdf

There seem to be two discrepancies with OpenSSL on page 11.

Regards
Martin

--

This is a pretty nice paper, well worth a read, IMO.

Anyway, the two discrepancies: not clear to me that accepting basic constraints in V1 certs is a bug. In any case it can only (I think) tighten the constraints on the chain, so doesn't seem harmful.

Rejecting a leaf CA below an intermediate with zero path length may be strictly incorrect, but ... what does it mean? Would you ever see such a thing? When?

In any case, for the second issue at least, patches welcome.

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
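An added illustration of the second discrepancy discussed above (not code from the paper or from OpenSSL): a small model of RFC 5280 pathLenConstraint processing, in which the last certificate of a path is never counted as an intermediate, next to a stricter variant that counts a CA leaf. The Cert class, the count_ca_leaf switch and the sample chains are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Only the fields that matter for path-length processing (constructed model)."""
    name: str
    is_ca: bool                      # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint, None when absent
    self_issued: bool = False


def check_path_len(chain: List[Cert], count_ca_leaf: bool = False) -> Tuple[bool, str]:
    """chain[0] is issued by the trust anchor, chain[-1] is the target certificate.

    count_ca_leaf=False follows RFC 5280: the last certificate is not an intermediate.
    count_ca_leaf=True models the stricter reading: a CA leaf counts as one more.
    """
    n = len(chain)
    max_path_length = n  # initial value (RFC 5280 6.1.2): no limit from the anchor
    for i, cert in enumerate(chain, start=1):
        last = i == n
        if last and not (count_ca_leaf and cert.is_ca):
            break  # wrap-up (6.1.5) does no path-length processing
        if not last and not cert.is_ca:
            return False, f"{cert.name}: issuer is not a CA"
        if not cert.self_issued:                      # 6.1.4 (l)
            if max_path_length == 0:
                return False, f"{cert.name}: path length exceeded"
            max_path_length -= 1
        if cert.path_len is not None:                 # 6.1.4 (m)
            max_path_length = min(max_path_length, cert.path_len)
    return True, "ok"


# Constructed chains; the trust anchor itself is not part of the list.
INTERMEDIATE = Cert("intermediate", is_ca=True, path_len=0)
CA_LEAF_CHAIN = [INTERMEDIATE, Cert("leaf-ca", is_ca=True)]
EE_CHAIN = [INTERMEDIATE, Cert("server", is_ca=False)]
TOO_DEEP_CHAIN = [INTERMEDIATE, Cert("sub-ca", is_ca=True), Cert("server", is_ca=False)]

if __name__ == "__main__":
    for label, chain in (("CA leaf", CA_LEAF_CHAIN), ("EE leaf", EE_CHAIN), ("too deep", TOO_DEEP_CHAIN)):
        print(label, check_path_len(chain), check_path_len(chain, count_ca_leaf=True))
```

The two variants differ only on the CA leaf chain; a sub-CA that issues further certificates below a zero path length is rejected by both.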
build failure when using OPENSSL_NO_HEARTBEATS
Hey guys!

Since commit 6af080acaf (Unit/regression test for TLS heartbeats.), when compiling master/OpenSSL_1_0_2-stable/OpenSSL_1_0_1-stable with -DOPENSSL_NO_HEARTBEATS the build fails with:

heartbeat_test.c: In function ‘set_up_dtls’:
heartbeat_test.c:127:30: error: ‘dtls1_process_heartbeat’ undeclared (first use in this function)
heartbeat_test.c:127:30: note: each undeclared identifier is reported only once for each function it appears in
heartbeat_test.c: In function ‘set_up_tls’:
heartbeat_test.c:151:30: error: ‘tls1_process_heartbeat’ undeclared (first use in this function)
make[1]: *** [heartbeat_test.o] Error 1
make[1]: Leaving directory `/home/lukas/openssl/test'
make: *** [build_tests] Error 1

Regards,
Lukas
[openssl.org #3364] misleading description for -noout in the sess_id application
Hi, please find attached a trivial patch to correct the description of -noout in the sess_id application. At the moment, it mentions a CRL, that's probably a copypaste mistake. I modified it to match the manpage. Best regards, Martin From 8360cbb13ee0d52ec88e859678d8858e55332d58 Mon Sep 17 00:00:00 2001 From: Martin Kaiser mar...@kaiser.cx Date: Wed, 21 May 2014 14:12:30 +0200 Subject: [PATCH 1/2] modify the description of -noout to match the manpage --- apps/sess_id.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/apps/sess_id.c b/apps/sess_id.c index b16686c..c5823a5 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -78,7 +78,7 @@ static const char *sess_id_usage[]={ -out arg- output file - default stdout\n, -text - print ssl session id details\n, -cert - output certificate \n, - -noout - no CRL output\n, + -noout - no output of encoded session info\n, -context arg- set the session ID context\n, NULL }; -- 1.7.6.5
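Review bot: in the sess_id_usage[] hunk of apps/sess_id.c the replacement text for -noout reads well, but the commit subject ("modify the description of -noout to match the manpage") does not name the application being changed. The wording being replaced mentions a CRL, so similar option text evidently exists for another tool; prefixing the subject with "sess_id:" would make this change easy to find in the log. The subject is also numbered 1/2 while only this one patch is included in the message, so the second patch should either follow or the numbering be dropped.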
Re: OPENSSL for windows mobile 5/6
Hello,

In the scripts, you only have to tweak:
1/ the CUSTOMIZE block (line 12 to 15)
2/ the WCECOMPAT path (line 60)
AND NOTHING ELSE: so you can remove all your stuff about WCE600, which is completely IRRELEVANT.

STANDARDSDK is just the name of one of the subfolders in MS SDK installation, referring to an SDK suited for WCE5/WM6.

YOU MUST DO AS I STATED on my webpage and install the WCE420: presently, we just DON'T care about your WM6 target (WCE6 just DOES NOT exist! this is just the second time I say that...). So ... leave OSVERSION and PLATFORM as they are.

Forget your present concern about WM6 (W-M-6 not W-C-E-6! understood?), JUST TRY to install and recompile my V100a stuff, (EVC4+sp4) tools + WCE420 SDK, then MY wcecompat stuff (which is ready to compile provided you have correctly installed ms tools and sdk and tweaked some bat script).

For wcecompat / wcedefs.mak: DO NOT CHANGE ANYTHING THERE! Forget your WCE600 stuff. Go back to my file.

For the SDK / . WCEARMV4.bat: Well, ok, in fact it is better that you leave it as it IS! Either keeping the original one of MS, or mine, BUT DO NOT CHANGE ANYTHING in it!

Got it?

See you
Pierre

On 23/05/2014 12:37, RaviVyas wrote:

Hello Pierre DELAAGE,

Now i Am Following our Steps. I Changed File makece.bat and wcedefs.bat file. also make a Change in Bat File of WCEARMV4.

Title WCE ARMV4 Environment
MYBAT FILE IS:-
You are Setting Platform is PLATFORM=STANDARDSDK
What is STANDARDSDK?

REM This batch file sets up an environment for building for a specific CPU from the command line.
REM The build environment defaults to the Standard SDK for Windows CE .NET platform. The macros that control the
REM platform are: PLATFORM, OSVERSION, WCEROOT and SDKROOT. The Standard SDK for Windows CE .NET default settings
REM are as follows:
REM PLATFORM=STANDARDSDK
REM OSVERSION=WCE600
REM WCEROOT=C:\Windows CE Tools //Root dir for VCCE
REM SDKROOT=C:\Windows CE Tools //Root dir for Standard SDK for Windows CE .NET
REM The batch file uses these macros to set the PATH, INCLUDE, LIB macros for the default
REM platform. Please note that if the default setup options were altered during
REM installation (for example, if the install directories were changed), then the user needs
REM to modify these macros accordingly.
if "%OSVERSION%"=="" set OSVERSION=WCE600
if "%PLATFORM%"=="" set PLATFORM=STANDARDSDK
if "%WCEROOT%"=="" set WCEROOT=C:\Program Files\Microsoft eMbedded C++ 4.0
if "%SDKROOT%"=="" set SDKROOT=C:\Program Files\Microsoft SDKs..

The Customization of mywcebuild.bat

@echo off
:: created by pdelaage on 20100928
:: usage : makece ARMV4|X86|... other targets: see bat scripts in evc/bin
:: Note : adapt EVC/bin/WCEtarget.bat scripts
Title WCE COMPAT
:: !!
:: CUSTOMIZE THIS according to your EVC INSTALLED ENVIRONMENT
:: !!
set OSVERSION=WCE600
set PLATFORM=STANDARDSDK
set WCEROOT=C:\Program Files\Microsoft eMbedded C++ 4.0
set SDKROOT=C:\Program Files\Microsoft SDKs
:: !!
:: END CUSTOMIZATION
:: !!
:: Define TARGET CPU
:: -
:: define new target (useful if one wants to compile for various WCE target CPUs)
if "%1"=="" echo USAGE : makece TARGETCPU other_make_options...
if "%1"=="" echo TARGETCPU=(ARMV4^|ARMV4I^|ARMV4T^|R4100^|R4111^|R4300^|SH3^|SH4^|X86^|X86EM^|X86EMnset), other cpu: see wcedefs.mak and bat scripts in evc/bin
if "%1"=="" echo do not hesitate to adapt this script for CPU and/or better compilation flags!
if "%1"=="" exit /B
:: old code to default to ARMV4, but it is better that users are WARNED that the script now need an explicit target!
::if "%1"=="" set NEWTGTCPU=ARMV4
if NOT DEFINED TARGETCPU set TARGETCPU=X
if NOT "%1"=="" set NEWTGTCPU=%1
if NOT "%1"=="" shift
echo WCE TARGET CPU is %NEWTGTCPU%
rem Adjust MS EVC env vars
rem --
rem Check MSenv vars against our ref values
set isenvok=0
if %NEWTGTCPU%==%TARGETCPU% set /A isenvok+=1
if %isenvok%==1 echo WCE ENVIRONMENT OK
if %isenvok%==1 goto envisok
:: if env is NOT ok, adjust MS EVC env vars to be used by MS WCECPU.BAT
:: (this is to avoid repetitive pollution of PATH)
echo WCE TARGET CPU changed
:: , destroying every obj files
:: no more if sep dirs del .\obj\*.obj
::if EXIST .\obj\%TARGETCPU% del .\obj\%TARGETCPU%\*.obj
:: if env is NOT ok, adjust MS EVC env vars to be used by MS WCECPU.BAT
:: (this is to avoid repetitive pollution of PATH)
echo WCE ENVIRONMENT ADJUSTED
::call "C:\Program Files\Microsoft eMbedded C++ 4.0\EVC\WCE600\BIN\WCEARMV4.BAT"
call "C:\Program Files\Microsoft eMbedded C++ 4.0\EVC\WCE600\BIN\WCEARMV4.BAT"
set TARGETCPU=%NEWTGTCPU%
:envisok
::exit /B
rem make everything
rem ---
nmake /NOLOGO -f makefile %1 %2 %3 %4 %5 %6 %7 %8 %9

Is this all right?

and WCEDEFS.mak File

# 20100928 pdelaage : PLATFORM is STANDARDSDK...
# Set WCEVERSION and WCELDVERSION
!IF "$(OSVERSION)"=="WCE200"
WCEVERSION=200
WCELDVERSION=2.00
!ELSEIF
Re: OPENSSL for windows mobile 5/6
Hello sir,

I am done with my WCECompat and got the libs. Now when building Openssl 0.9.8i I got an error like this.

Building OpenSSL
perl util/copy.pl .\crypto\buildinf.h tmp32dll_ARMV4I\buildinf.h
Copying: ./crypto/buildinf.h to tmp32dll_ARMV4I/buildinf.h
perl util/copy.pl .\crypto\opensslconf.h inc32\openssl\opensslconf.h
Copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h
link /nologo /opt:ref /subsystem:windowsce,6.00 /machine:THUMB /dll /out:out32dll_ARMV4I\libeay32.dll /def:ms/LIBEAY32.def @C:\Users\kits\AppData\Local\Temp\nm4532.tmp
LIBCMT.lib(strnicmp.obj) : fatal error LNK1112: module machine type 'X86' conflicts with target machine type 'THUMB'
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\ce\bin\x86_arm\link.EXE' : return code '0x458'
Stop.

Please help me out.

Thank you
[openssl.org #3343] [PATCH] implements name constraint for IP Address
Hi Luiz

Thanks for the patch. I've reviewed it and it looks good. With regards to your comments around X509_V_ERR_PERMITTED_VIOLATION vs X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, I think you did it right. Therefore:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dd36fce023a64d90058b8fefbd95dadaca98f9ca

Many thanks for your contribution.

Matt
[openssl.org #3352] export session id and master key in NSS keylog format
Hi Martin

Thanks for your contribution. I have applied your updated patch:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=189ae368d91d2c9de5ed1fa21e993f5c83fc4445

Matt
[openssl.org #3364] misleading description for -noout in the sess_id application
Patch applied:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c5f0b9bd8650a92eac1ef2fa28c726bbbc272904

Thanks for your contribution.

Matt