Server used for spamming....
As you see openssl.org is used for relaying spam... This does not look good.. Can somebody fix it quickly? Cheers Franck Received: from cobalt.sopac.org.fj (COBALT [10.0.0.150]) by bigiron.sopac.org.fj with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id WN7YMG9R; Sat, 9 Aug 2003 23:53:00 +1200 Received: by cobalt.sopac.org.fj (Postfix, from userid 416) id C82EF17C2F; Sat, 9 Aug 2003 23:50:00 +1200 (FJT) Received: from mmx.engelschall.com (mmx.engelschall.com [195.27.130.252]) by cobalt.sopac.org.fj (Postfix) with ESMTP id DC05A17C0B for [EMAIL PROTECTED]; Sat, 9 Aug 2003 23:49:57 +1200 (FJT) Received: by mmx.engelschall.com (Postfix) id 7ABE219370; Sat, 9 Aug 2003 13:50:19 +0200 (CEST) Received: from master.openssl.org (master.openssl.org [195.27.176.155]) by mmx.engelschall.com (Postfix) with ESMTP id 62B8E1936B for [EMAIL PROTECTED]; Sat, 9 Aug 2003 13:50:19 +0200 (CEST) Received: by master.openssl.org (Postfix) id 2FAD727F606; Sat, 9 Aug 2003 13:50:20 +0200 (CEST) Received: from host8.globalsecureserver.com (host8.globalsecureserver.com [209.239.41.30]) by master.openssl.org (Postfix) with ESMTP id BF61927F601; Sat, 9 Aug 2003 13:50:19 +0200 (CEST) Received: from User (d150-58-26.home.cgocable.net [24.150.58.26]) by host8.globalsecureserver.com (8.12.9/8.12.9) with SMTP id h79BnwN9029785; Sat, 9 Aug 2003 07:50:01 -0400 Delivered-To: [EMAIL PROTECTED] Message-Id: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [EMAIL PROTECTED] Subject: *SPAM* Re: what da fuck is this? DUFRJTBQQW Reply-To: [EMAIL PROTECTED] X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Windows Eudora Pro Version 3.0 (32) Organization: [EMAIL PROTECTED] Mime-Version: 1.0 Content-Type: text/html; charset=koi8-r Date: Sat, 9 Aug 2003 15:50:59 -0500 To: undisclosed-recipients: ; X-Spam-Status: Yes, hits=15.1 required=5.0 tests=SUBJ_HAS_SPACES,UNDISC_RECIPS,SUBJ_HAS_Q_MARK,_javascript_,REALLY_UNSAFE_JAVASCRIPT,CTYPE_JUST_HTML,SUBJ_HAS_UNIQ_ID version=2.20 X-Spam-Flag: YES X-Spam-Level: *** X-Spam-Checker-Version: SpamAssassin 2.20 (devel $Id: SpamAssassin.pm,v 1.77 2002/04/06 19:28:30 hughescr Exp $) X-Evolution-Source: imap://franck;[EMAIL PROTECTED]/ SPAM: Start SpamAssassin results -- SPAM: This mail is probably spam. The original message has been altered SPAM: so you can recognise or block similar unwanted mail in future. SPAM: See http://spamassassin.org/tag/ for more details. SPAM: SPAM: Content analysis details: (15.1 hits, 5 required) SPAM: Hit! (2.7 points) Subject contains lots of white space SPAM: Hit! (1.2 points) Valid-looking To undisclosed-recipients SPAM: Hit! (1.0 point) Subject: contains a question mark SPAM: Hit! (1.7 points) BODY: _javascript_ code SPAM: Hit! (3.3 points) BODY: Auto-executing _javascript_ code SPAM: Hit! (3.2 points) HTML-only mail, with no text version SPAM: Hit! (2.0 points) Subject contains a unique ID number SPAM: SPAM: End of SpamAssassin results - html head meta http-equiv=Content-Type content=text/html; charset=windows-1251 titleNo name/title /head script language=_javascript_!-- function popupwindow() { window.open(http://www.wm-cards.y2.org/promotion.html); } // --/script body > p align=leftWhat do you mean?/p div style=FONT: 10pt arial p- Original Message - /p /divdiv style=BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: blackb pFrom:/b me /p /divdiv style=FONT: 10pt arialb pTo:/b you/p /divdiv style=FONT: 10pt arialb pSent:/b Saturday, August 09, 2003 6:34 PM/p /divdiv style=FONT: 10pt arialb pSubject: /bwhat da fuck is this?/p /divdiv p align=leftfont face=ArialstrongsmallWhat da fuck is this???/small/strong/font/p p align=leftstrongsmallfont face=ArialThere is fraud services on your site./font/small/strong/p p align=leftstrongsmallfont face=ArialHow could you explain this?/font/small/strong/p p align=leftstrongsmallfont face=Arial /fonta href="" face=ArialSupport/font/a/small/strong/p /div /body /html DUFRJTBQQWGCUENXLNQOGVGUHDOHVXUTRBCYKM
RE: tcp urgent data
At the moment I let OpenSSL API calls take care of all the reads and writes. Can I send/receive TCP urgent data (out-of-band data) with direct calls on the socket, without interfering with the operation of SSL? You can only do this if you do all the reads yourself. You have to remove the urgent data from the data going to OpenSSL because OpenSSL will have no idea what to do with it. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Why SSL_write() fails....HELP REQUIRED!!!!!!!!!!!!
Hi Henrik Nordstrom, I am working as a software developer in India I am having some problem with the SSL_write() function. I am new to the SSL standard and i am in the learning stage I have been given some assignments which involves lot of SSL too. I dont know much about SSL, and what you ask you aquestion regarding failing of SSL_write() fucntion. My code looks likes this SSL_write(sslConnection, data + bytesTransmitted, bytesToSend); This SSL_write fucntion fails and returns 5 as error code. Error code is retrieved by -- nError = SSL_get_error(sslConnection, bytesSent);Error string is retrieved by -- ERR_error_string(nError, str); Erro string which i get is -- error:0005::lib(0) :func(0) : bad asn1 object header Now my question is what does the string "bad asn1 object header" means? I dont see any help regarding this. Why does the function SSL_write() function fails? Is this some IO related error and if yes, how do i over come it. I also read your friends comments regarding solution of this problem, which said... char buf[20]; RAND_seed(buf,sizeof buf) ; He did the above change in the code and got it working. I am using a windows 2K machine. Your help would be of great help for me in solving my problem... waiting for your reply... Best RegardsSunil RashinkarPersistent Systems Pvt. Ltd.Ph. +91 20 5678900 Ext 821
SSL_connect() problem?
Hi. I'm writing a small class that uses the ssl library. The problem ( I'm not sure who has the problem :-P ) is that SSL_connect() blocks when the verify callback function returns 0. If it returns 1 all goes as expected. I'm using a blocking connect bio as the underlaying bio for the SSL object. And i'm programming my client in windows. Is this a wrong behaviour or i'm missing something?? Thanks in advance, Juan. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
On Mon, Aug 11, 2003, [EMAIL PROTECTED] wrote: Thank you for the hint it is worth thinking about another approach but I think I am through (and tested) with all but the last line that is: openssl ca -in server.csr -out server.crt -config openssl.conf -passin pass:password and the only problem sees to be that The commonName field needed to be supplied and was missing And I do not see any error in the declaration of openssl.conf Your openssl.cnf file is saying that it is a fatal error if the request does not contain the commonName field and the request you are trying to sign doesn't include commonName. Either edit openssl.cnf if that isn't what you want or makes sure he request includes commonName. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Configuring SSL Handshake
Hi girish, As I said I am no wizard in ssl internals :-( however what do you mean in negative flow ? do you refer ssl handshake failure ? I am now trying using the libwww-perl with the SSLeay for client authentication against an apache server running mod_ssl (something like the s_server util) and it should work (alas it is for https connections) I think you should look at the SSleay.c code that comes with CRypt-SSleay-0.5.1 it is generated by the Ssleay.xs perl wrapper and should give you good idea on how things are done in a web application which should not be to hard to copy into any other server. Actually I need to learn that my self since I am now trying to enable ENGINE openssl concept in the perl library (so that one can use hardware keys for perl client authentication) Sorry for not being able to be more specific but this stuff is new for me too :-) Gilad -Original Message- From: Girish Hegde [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 4:52 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Configuring SSL Handshake Hi Gilad, First of all let me thank you for the kind positive response. Yes, I am using the SSLeay libraries for the handshake thing to be done, to test the positive flow. But by using those APIs i cannot do the testing for negtive flow, i started writing a TCP/IP server(non SSL) and tried to send the messages( like ServerHello, ServerHelloDone etc) mannually. I created the structures as defined in the SSL drafts in perl and tried to send them to the SSL Client. But it always says 1344:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:475: I even tweeked into the ssl/s23_clnt.c code, which gave me no proper reason why is it failing :( I have also used the s_server.exe provided with Openssl to test some of the negative flows, but even that has no option to configure the handshake messages, like changing the sequence of messages, changing the format of messages, not sending some of the messages etc. I am not using HTTPS as it is not a web application! Can you pls let me know if i can do anything other than this to format the messages and send the same to the SSL client? Thanks a lot regards girish From: Gilad Finkelstein [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED],[EMAIL PROTECTED] Subject: RE: Configuring SSL Handshake Date: Mon, 11 Aug 2003 13:24:33 +0200 Hi Girish, I do not now if you can change / configure the SSL Handshake message and there is probably no need to do so anyway. There is a perl library for html (if that is your final goal) called libwww-perl and it uses openssl as it's crypto and ssl engine for https connections I use it to do things like connecting to an ssl server (letting the library do the hard work of ssl handshake) The code that translate things from perl to openssl C (actually it is Crypt-SSLeay-05.51 but there are other alternatives) can help you figure out how to write your own ssl handshake for non web servers (like your echo server). Gilad -Original Message- From: Girish Hegde [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 7:17 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Configuring SSL Handshake Hello there, This is my 3rd or 4th request for the group. Pls if any one has any clue about this, reply me. I am trying to test an SSL compliant Client application with a dummy echo server i have written in PERL. Is there any way to configure the SSL Handshake messages, change the sequences etc? Since all these are done internally by OpenSSL, how can acheive this in PERL? Pls reply me as soon as possible..I m in a DARK ROOM AT PRESENT :(( Thanks and regards Girish _ Dress up your desktop! Get the best wallpapers. http://server1.msn.co.in/msnchannels/Entertainment/wallpaperhome.asp Just click here! __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Dress up your desktop! Get the best wallpapers. http://server1.msn.co.in/msnchannels/Entertainment/wallpaperhome.asp Just click here! __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Configuring SSL Handshake
On Mon, Aug 11, 2003 at 02:51:44PM +, Girish Hegde wrote: But by using those APIs i cannot do the testing for negtive flow, i started writing a TCP/IP server(non SSL) and tried to send the messages( like ServerHello, ServerHelloDone etc) mannually. I created the structures as defined in the SSL drafts in perl and tried to send them to the SSL Client. If you're sending incomplete or wrong protocol messages, But it always says 1344:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:475: of course you will get unknown protocol responses. That's a positive outcome for your negative flow testing. ;-) What are you attempting to do and what do you expect to see when you send protocol messages not according to protocol? -- Ng Pheng Siong [EMAIL PROTECTED] http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes http://www.post1.com/home/ngps -+- Open Source Python Crypto SSL __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Configuring SSL Handshake
Hi Gilad, First of all let me thank you for the kind positive response. Yes, I am using the SSLeay libraries for the handshake thing to be done, to test the positive flow. But by using those APIs i cannot do the testing for negtive flow, i started writing a TCP/IP server(non SSL) and tried to send the messages( like ServerHello, ServerHelloDone etc) mannually. I created the structures as defined in the SSL drafts in perl and tried to send them to the SSL Client. But it always says 1344:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:475: I even tweeked into the ssl/s23_clnt.c code, which gave me no proper reason why is it failing :( I have also used the s_server.exe provided with Openssl to test some of the negative flows, but even that has no option to configure the handshake messages, like changing the sequence of messages, changing the format of messages, not sending some of the messages etc. I am not using HTTPS as it is not a web application! Can you pls let me know if i can do anything other than this to format the messages and send the same to the SSL client? Thanks a lot regards girish From: Gilad Finkelstein [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED],[EMAIL PROTECTED] Subject: RE: Configuring SSL Handshake Date: Mon, 11 Aug 2003 13:24:33 +0200 Hi Girish, I do not now if you can change / configure the SSL Handshake message and there is probably no need to do so anyway. There is a perl library for html (if that is your final goal) called libwww-perl and it uses openssl as it's crypto and ssl engine for https connections I use it to do things like connecting to an ssl server (letting the library do the hard work of ssl handshake) The code that translate things from perl to openssl C (actually it is Crypt-SSLeay-05.51 but there are other alternatives) can help you figure out how to write your own ssl handshake for non web servers (like your echo server). Gilad -Original Message- From: Girish Hegde [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 7:17 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Configuring SSL Handshake Hello there, This is my 3rd or 4th request for the group. Pls if any one has any clue about this, reply me. I am trying to test an SSL compliant Client application with a dummy echo server i have written in PERL. Is there any way to configure the SSL Handshake messages, change the sequences etc? Since all these are done internally by OpenSSL, how can acheive this in PERL? Pls reply me as soon as possible..I m in a DARK ROOM AT PRESENT :(( Thanks and regards Girish _ Dress up your desktop! Get the best wallpapers. http://server1.msn.co.in/msnchannels/Entertainment/wallpaperhome.asp Just click here! __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Dress up your desktop! Get the best wallpapers. http://server1.msn.co.in/msnchannels/Entertainment/wallpaperhome.asp Just click here! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]