Error revoking a certificate

2006-06-10 Thread Susan McIntosh
We are in the process of migrating from box A (AIX 4.3.3.0 running openssl 0.9.6g) to box B (also AIX 5.3.0.0 running openssl 0.9.8). Both A and B access the same file system which contains our CA files. When I revoke a certificate from box A, the process works as expected. When I revoke a

create_serial

2006-06-10 Thread Jeppe Bundsgaard
Hi I am trying to install a new certificate with CA.pl, but it terminates telling me that the create_serial option doesn't exist. I am using version 0.9.8b_1 and it should be introduced in version 0.9.7j The command openssl ca create_serial tells me the same. OS: FreeBSD 6.1. In the

Re: CSR Without Prompting

2006-06-10 Thread Mark H. Wood
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Fri, 9 Jun 2006 [EMAIL PROTECTED] wrote: I need to generate a CSR without prompting the user (I am getting the info from an HTML form). Likely you are already in a Perl script? What about copying a template config to a scratch file, making

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
On 6/9/06, Victor Duchovni [EMAIL PROTECTED] wrote: On Fri, Jun 09, 2006 at 07:18:30AM -0500, [Yatta] wrote: snip LS trace: SSL_accept:SSLv3 flush data connection_read(12): unable to get TLS client DN, error=49 id=0 snip- Why is that??? --- No client certificate CA

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
On 6/9/06, Marek Marcola [EMAIL PROTECTED] wrote: Hello, SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
Marek, Thanks for your help Like I was saying earlier I keep seeing that error message connection_read(11): unable to get TLS client DN, error=49 id=0 and when I look at the debug info none of my information is being encrypted Sorry if I seem dumb in this whole process, want to get a

Error in 20060610 releases

2006-06-10 Thread The Doctor
Script started on Sat Jun 10 06:12:11 2006 doctor.nl2k.ab.ca//usr/source/openssl-0.9.8-stable-SNAP-20060610$ make        cat /usr/contrib/bin/configopenssl ./Configure threads shared no-sse2 --prefix=/usr/contrib --openssldir=/usr/contrib debug-bsdi-x86-elf -g -O3 -Wall; make

Re: CSR Without Prompting

2006-06-10 Thread trlists
Likely you are already in a Perl script? What about copying a template config to a scratch file, making appropriate substitutions from the form data? Or if your form processor isn't a convenient place to do this, you could fork a command that pipes the template through e.g. sed. Actually

Re: No client certificate CA names sent

2006-06-10 Thread [Yatta]
I got it... I understand what is going on, I guess my head was gathering water why I never noticed it before. Thanks Marek On 6/9/06, Kenyatta Senior [EMAIL PROTECTED] wrote: Marek, Thanks for your help Like I was saying earlier I keep seeing that error message connection_read(11): unable

Re: No client certificate CA names sent

2006-06-10 Thread Marek Marcola
Hello, Like I was saying earlier I keep seeing that error message connection_read(11): unable to get TLS client DN, error=49 id=0 After looking in OpenLDAP code this seems that server tries to get from client SSL object certificate DN name. Of course client did not supply this certificate

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
I always call SSL_pending() before going into select(), as far as I understand that should be sufficient. Anyways, the server is not hanging in select(), it is definitely inside SSL_read(). Is your socket non-blocking? No, socket is blocking. When I run s_client in

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
Is your socket non-blocking? No, socket is blocking. When I run s_client in non-blocking mode it doesn't get stuck. You can't use 'select' reliably with blocking sockets. Well, it is possible to do so, but it is extremely difficult and can only be done with OpenSSL using

Re: No client certificate CA names sent

2006-06-10 Thread Victor Duchovni
On Fri, Jun 09, 2006 at 05:25:59PM -0500, Kenyatta Senior wrote: No client certificate CA names sent The server is not asking for client certificates. You need to configure it to do that and give it a non-empty CAfile. Shouldn't I see something like: Acceptable client certificate CA

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
Well, we are talking about s_client here... part of openssl executable. select() is used with the blocking sockets to make sure that, well, they don't block. It doesn't work that way. The only way to ensure that socket operations don't block is to set the sockets non-blocking. If

Re: renegotiating problem - connection hanging?

2006-06-10 Thread Joe Flowers
I'm watching this thread with great interest as I have not figured out the correct way to handling OpenSSL with non-blocking sockets which are a requirement in my case. Can anyone expand on the correct way to handle OpenSSL over non-blocking sockets please? I haven't been able to find any

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Randy Turner
The discussion below wherein the term you're screwed is used seems to indicate that there is a deadlock situation, which isn't the case. There may or may not be performance issues associated with the scenario/use-case, but there's no deadlock. R -Original Message- From: [EMAIL

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
The discussion below wherein the term you're screwed is used seems to indicate that there is a deadlock situation, which isn't the case. There may or may not be performance issues associated with the scenario/use-case, but there's no deadlock. Did you look at my logs with s_client? I'm

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
If you call SSL_read on a blocking socket when select says it is readable you expect it not to block [forever]. Of course it might block if there is some data available on the underlying socket but not enough to complete SSL deciphering, but under normal circumstances it will only

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
I'd agree with you if it was not working consistently. It's a race condition. But in most cases blocking SSL_read returns helpful WANT_READ. My understanding is that WANT_READ return from SSL_read is especially for avoiding the deadlock I'm running into. You would be

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
The discussion below wherein the term you're screwed is used seems to indicate that there is a deadlock situation, which isn't the case. There may or may not be performance issues associated with the scenario/use-case, but there's no deadlock. R There is a deadlock. You are blocked

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
Did you look at my logs with s_client? I'm starting to suspect that the correct way to put it is: there is *supposed* to be no deadlock, but there is a bug in SSL_read that can make you screwed. The bug is not in SSL_read. The bug is in the decision to call SSL_read. There

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, Here's a hypothetical. The 'select' function gives you a 'read' hit. You call SSL_read (thinking there's application-level data, but you don't really know, do you?). SSL_read reads part of a re-negotiation but has no data to return to you, so it calls 'read' again (how does it

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
It is very simple - if SSL_read() has to do other work than reading application data records (encrypted user data) like renegotiation it should return WANT_READ. An SSL_read on a blocking socket should block until data can be read, just as a regular 'read' on a TCP connection does.

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, It is very simple - if SSL_read() has to do other work than reading application data records (encrypted user data) like renegotiation it should return WANT_READ. An SSL_read on a blocking socket should block until data can be read, just as a regular 'read' on a TCP

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, If you call SSL_read, an application-level read function, with a blocking socket, you are asking it to block until it can read application-level data. Here is information from www.openssl.org: -- If the underlying BIO is blocking, SSL_read() will only return, once -- the read

Re: renegotiating problem - connection hanging?

2006-06-10 Thread Victor Duchovni
On Sat, Jun 10, 2006 at 03:54:18PM -0700, David Schwartz wrote: I do not agree. SSL_read() should be corrected. If you call SSL_read, an application-level read function, with a blocking socket, you are asking it to block until it can read application-level data. The error is simple --

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, An SSL_read on a blocking socket should block until data can be read, just as a regular 'read' on a TCP connection does. Even in regular read() from blocking socket there may be situation when -1 is returned but no critical error occurs and you should simply retry read() - when

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
Hello, If you call SSL_read, an application-level read function, with a blocking socket, you are asking it to block until it can read application-level data. Here is information from www.openssl.org: -- If the underlying BIO is blocking, SSL_read() will only return, once -- the

Re: Error in 20060610 releases

2006-06-10 Thread Bodo Moeller
On Sat, Jun 10, 2006 at 06:25:33AM -0600, The Doctor wrote: [...] making all in crypto/evp... make: don't know how to make e_camellia.o. Stop *** Error code 1 Oops ... a new file that I forgot to add to the CVS. This will be fixed in the next snapshot (20060611).