We are in the process of migrating from box A (AIX 4.3.3.0 running
openssl 0.9.6g) to box B (also AIX 5.3.0.0 running openssl 0.9.8). Both
A and B access the same file system which contains our CA files.
When I revoke a certificate from box A, the process works as expected.
When I revoke a
Hi
I am trying to install a new certificate with CA.pl,
but it terminates telling me that the create_serial option doesn't exist.
I am using version 0.9.8b_1 and it should be introduced in version
0.9.7j
The command openssl ca create_serial tells me
the same.
OS: FreeBSD 6.1.
In the
On Fri, 9 Jun 2006 [EMAIL PROTECTED] wrote:
I need to generate a CSR without prompting the user (I am getting the
info from an HTML form).
Likely you are already in a Perl script? What about copying a template
config to a scratch file, making
On 6/9/06, Victor Duchovni [EMAIL PROTECTED] wrote:
On Fri, Jun 09, 2006 at 07:18:30AM -0500, [Yatta] wrote:
snip
LS trace: SSL_accept:SSLv3 flush data
connection_read(12): unable to get TLS client DN, error=49 id=0
snip-
Why is that???
---
No client certificate CA
On 6/9/06, Marek Marcola [EMAIL PROTECTED] wrote:
Hello,
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write
Marek,
Thanks for your help
Like I was saying earlier I keep seeing that error message
connection_read(11): unable to get TLS client DN, error=49 id=0
and when I look at the debug info none of my information is being encrypted
Sorry if I seem dumb in this whole process, want to get a
Script started on Sat Jun 10 06:12:11 2006
doctor.nl2k.ab.ca//usr/source/openssl-0.9.8-stable-SNAP-20060610$ make
cat /usr/contrib/bin/configopenssl
./Configure threads shared no-sse2 --prefix=/usr/contrib
--openssldir=/usr/contrib debug-bsdi-x86-elf -g -O3 -Wall; make
Likely you are already in a Perl script? What about copying a
template config to a scratch file, making appropriate substitutions
from the form data? Or if your form processor isn't a convenient
place to do this, you could fork a command that pipes the template
through e.g. sed.
Actually
I got it... I understand what is going on, I guess my head was
gathering water why I never noticed it before.
Thanks Marek
On 6/9/06, Kenyatta Senior [EMAIL PROTECTED] wrote:
Marek,
Thanks for your help
Like I was saying earlier I keep seeing that error message
connection_read(11): unable
Hello,
Like I was saying earlier I keep seeing that error message
connection_read(11): unable to get TLS client DN, error=49 id=0
After looking at the OpenLDAP code, it seems that the server tries to get
the certificate DN name from the client SSL object.
Of course the client did not supply this certificate
I always call SSL_pending() before going into select(), as far as I
understand that should be sufficient. Anyways, the server is
not hanging in select(), it is definitely inside SSL_read().
Is your socket non-blocking?
No, socket is blocking. When I run s_client in
Is your socket non-blocking?
No, socket is blocking. When I run s_client in non-blocking mode it
doesn't get stuck.
You can't use 'select' reliably with blocking sockets. Well, it is
possible to do so, but it is extremely difficult and can only be done
with OpenSSL using
On Fri, Jun 09, 2006 at 05:25:59PM -0500, Kenyatta Senior wrote:
No client certificate CA names sent
The server is not asking for client certificates. You need to
configure it to do that and give it a non-empty CAfile.
Shouldn't I see something like:
Acceptable client certificate CA
Well, we are talking about s_client here... part of openssl executable.
select() is used with the blocking sockets to make sure that, well, they
don't block.
It doesn't work that way. The only way to ensure that socket operations
don't block is to set the sockets non-blocking.
If
I'm watching this thread with great interest as I have not figured out
the correct way to handle OpenSSL with non-blocking sockets which are
a requirement in my case.
Can anyone expand on the correct way to handle OpenSSL over non-blocking
sockets please?
I haven't been able to find any
The discussion below wherein the term 'you're screwed' is used seems to
indicate that there is a deadlock situation, which isn't the case. There may or
may not be performance issues associated with the scenario/use-case, but
there's no deadlock.
R
The discussion below wherein the term 'you're screwed' is used seems to
indicate that there is a deadlock situation, which isn't the case. There
may or may not be performance issues associated with the
scenario/use-case, but there's no deadlock.
Did you look at my logs with s_client? I'm
If you call SSL_read on a blocking socket when select says
it is readable you expect it not to block [forever]. Of course
it might block if there is some data available on the underlying socket
but not enough to complete SSL deciphering, but under normal
circumstances it will only
I'd agree with you if it was not working consistently.
It's a race condition.
But in most cases blocking SSL_read returns helpful WANT_READ. My
understanding is that WANT_READ return from SSL_read is especially for
avoiding the deadlock I'm running into.
You would be
The discussion below wherein the term 'you're screwed' is used
seems to indicate that there is a deadlock situation, which isn't
the case. There may or may not be performance issues associated
with the scenario/use-case, but there's no deadlock.
R
There is a deadlock. You are blocked
Did you look at my logs with s_client? I'm starting to suspect that the
correct way to put it is: there is *supposed* to be no deadlock,
but there is a bug in SSL_read that can make you screwed.
The bug is not in SSL_read. The bug is in the decision to call SSL_read.
There
Hello,
Here's a hypothetical. The 'select' function gives you a 'read' hit. You
call SSL_read (thinking there's application-level data, but you don't really
know, do you?). SSL_read reads part of a re-negotiation but has no data to
return to you, so it calls 'read' again (how does it
It is very simple - if SSL_read() has to do other work than reading
application data records (encrypted user data) like renegotiation
it should return WANT_READ.
An SSL_read on a blocking socket should block until data can be read,
just as a regular 'read' on a TCP connection does.
Hello,
It is very simple - if SSL_read() has to do other work than reading
application data records (encrypted user data) like renegotiation
it should return WANT_READ.
An SSL_read on a blocking socket should block until data can be read,
just as a regular 'read' on a TCP
Hello,
If you call SSL_read, an application-level read function, with a
blocking socket, you are asking it to block until it can read
application-level data.
Here is information from www.openssl.org:
-- If the underlying BIO is blocking, SSL_read() will only return, once
-- the read
On Sat, Jun 10, 2006 at 03:54:18PM -0700, David Schwartz wrote:
I do not agree. SSL_read() should be corrected.
If you call SSL_read, an application-level read function, with a blocking
socket, you are asking it to block until it can read application-level data.
The error is simple --
Hello,
An SSL_read on a blocking socket should block until data can be read,
just as a regular 'read' on a TCP connection does.
Even in a regular read() from a blocking socket there may be a situation
when -1 is returned but no critical error occurs and you should simply
retry read() - when
Hello,
If you call SSL_read, an application-level read function,
with a blocking socket, you are asking it to block until it can read
application-level data.
Here is information from www.openssl.org:
-- If the underlying BIO is blocking, SSL_read() will only return, once
-- the
On Sat, Jun 10, 2006 at 06:25:33AM -0600, The Doctor wrote:
[...]
making all in crypto/evp...
make: don't know how to make e_camellia.o. Stop
*** Error code 1
Oops ... a new file that I forgot to add to the CVS. This will be
fixed in the next snapshot (20060611).