Building OpenSSL without Crypto Support

2008-05-07 Thread vaibhav bindroo
Hi all ,

The application I am developing requires an HTTP over SSL connection and hence
I am using OpenSSL for SSL support. But using OpenSSL with all the
cryptographic libraries included increases the size of my app heavily. To
deal with that, I want to build an OpenSSL library with NULL encryption (no
crypto support at all) so that the size comes down fairly. My application
uses OpenSSL for SSL handshake and I/O only, with no encryption/decryption
needed at all for data transfer.

Is there any way to build OpenSSL in such a manner so that I don't have to
compromise on size and go on to use basic SSL? Help needed urgently...

Thanks,
~Vaibhav Bindroo


SSL_connect using select.

2008-05-07 Thread Prabhu S
Hi,

My client application tries to establish an SSL connection as shown below:

// Client side: non-blocking SSL_connect() driven by select().

struct timeval l_connect_timeout;

// time_remaining is calculated by the application. The SSL connect and the
// data exchange should happen within the stipulated time.
l_connect_timeout.tv_sec  = time_remaining;
l_connect_timeout.tv_usec = 0;

err = SSL_connect(ssl);
l_ssl_err_code = SSL_get_error(ssl, err);

while (1)
{
    if (err == -1)
    {
        if (l_ssl_err_code == SSL_ERROR_WANT_READ ||
            l_ssl_err_code == SSL_ERROR_WANT_WRITE)
        {
            // select() modifies the set, so re-arm it before every wait.
            // Note: only the read set is passed, for WANT_WRITE as well.
            FD_ZERO(filedes_set);
            FD_SET(sd, filedes_set);
            l_fds = select(sd + 1, filedes_set, NULL, NULL, &l_connect_timeout);
            if (l_fds == 0)
            {
                // select timed out. This does happen under stress test
                // when the server is slow in its response.
                return 0;
            }
            else if (l_fds < 0)
            {
                // select failed
                return 0;
            }
            else if (FD_ISSET(sd, filedes_set))
            {
                err = SSL_connect(ssl);
                l_ssl_err_code = SSL_get_error(ssl, err);
            }
        }
        else
        {
            // handshake failure: check the status of l_ssl_err_code
            return 0;
        }
    }
    else if (err == 0)
    {
        // handshake failure: check the status of l_ssl_err_code
        return 0;
    }
    else if (err == 1)
    {
        // SSL handshake successful: leave the loop
        break;
    }
} // end of while

One constraint is that the SSL connect and the data exchange should happen
within the stipulated time. As such, when my client is under stress with
hundreds of threads trying to connect to the server, the select may time out
and return without completing the handshake.

In such scenarios is it appropriate to call methods like SSL_read() and
SSL_shutdown()?
Currently my application tries SSL_shutdown() even after select times out
in the SSL handshake phase. Under stress, the application aborts. The stack
in the core dumps is not consistent.

#0  0x4402 in __kernel_vsyscall ()
#1  0x00b7b1f8 in raise () from /lib/libc.so.6
#2  0x00b7c948 in abort () from /lib/libc.so.6
#3  0x00bb052a in __libc_message () from /lib/libc.so.6
#4  0x00bb6424 in _int_free () from /lib/libc.so.6
#5  0x00bb695f in free () from /lib/libc.so.6
#6  0x4057477a in CRYPTO_free (str=0x8e96090) at mem.c:378
#7  0x405dfc5c in x509_name_ex_d2i (val=0x22e, in=0x0, len=0,
it=0x405e65cf, tag=149510012, aclass=2021933032, opt=0 '\0',
ctx=0x4064197c) at x_name.c:194
#8  0x08f1d13d in ?? ()
#9  0x08e95688 in ?? ()
#10 0x08e96090 in ?? ()
#11 0x40641964 in X509_NAME_INTERNAL_it () from
../lib/libcrypto.so.0.9.8
#12 0x022e in ?? ()
Previous frame inner to this frame (corrupt stack?)


Is it due to calling methods like SSL_shutdown() in cases where the
SSL handshake process was terminated abruptly?

Thanks,
Prabhu. S


Need help to compile openssl programs in Linux

2008-05-07 Thread Kurapati Raja Sekhar
Hi All,

I have installed the latest version of OpenSSL on my PC.
I have written a program which will use AES encryption functions from OpenSSL.
I am trying to compile the program in Linux using gcc but it is giving linking errors.

$gcc aes_test.c  (my program name)
Error: Undefined reference to AES_CBC_ENCRYPT

Can anybody please tell me how to compile OpenSSL based programs in Linux?

Regards,
KRSC

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Building OpenSSL without Crypto Support

2008-05-07 Thread David Schwartz

> The application I am developing requires HTTP over SSL connection
> and hence I am using OpenSSL for SSL support . But Using OpenSSL
> with all the cryptographic libraries included increases the size of
> my app heavily . To deal with that , I want to build a OpenSSL
> library with NULL encryption ( No Crypto Support at all ) so that the
> size comes down fairly . My application uses OpenSSL for SSL handshake
> and I/O only with no encryption/decryption needed at all for data
> transfer .

You can certainly disable algorithms you don't really need. You can
eliminate elliptic curve, RC5, MDC2, IDEA, SSLv2, SHA0, blowfish, and
probably quite a few others. But I'm not sure I understand (or that you
understand) what you're really asking for. SSL is a security protocol, and
if you take away the encryption, what do you think is left?

Without crypto support, how is the SSL handshake going to work? The SSL
handshake is largely a succession of cryptographic operations. For example,
one of the steps of the SSL handshake requires the server to decrypt the
pre-master secret, which the client encrypts with the server's public key.
If the server cannot decrypt this because it has no encryption libraries,
how can it prove that it is the owner of its certificate? And if it can't do
that, why would the client continue talking to it?

What do you think is left if you subtract all encryption operations from
SSL? Authentication doesn't work without encryption. It's no use to make
absolutely sure you are talking to www.securesite.com if the subsequent data
is sent in the clear (because a man-in-the-middle could change it).

I would love to see the requirements that require SSL but do not require any
actual security.

What do you think basic SSL is?

DS



RE: SSL_connect using select.

2008-05-07 Thread David Schwartz

Prabhu S wrote:

> if(l_ssl_err_code == SSL_ERROR_WANT_READ || l_ssl_err_code ==
> SSL_ERROR_WANT_WRITE)
> {
> l_fds=select(sd+1, filedes_set,NULL,NULL,
> l_connect_timeout);

Why are you 'select'ing for readability even if the library returns
'SSL_ERROR_WANT_WRITE'?

> One constraint is that the SSL connect , data exchange should happen
> within stipulated time. As such
> when my client is under stress with hundreds of threads trying to
> connect to server, the select may time out and return
> without completing the handshake.

Having hundreds of threads is a telltale sign of extremely poor design. It
is very silly to have a large number of threads that are all waiting for
various different things. This creates many problems, but the biggest one is
atrocious performance due to the large number of context switches needed to
do a small amount of work for each of a large number of connections.

> Currently my application tries SSL_shutdown() even after select times
> out in SSL handshake phase.

That's perfectly fine. The SSL engine is not trying to complete the
handshake 'in the background' or anything. It only performs operations when
you call into it.

> Under stress, the application aborts. The stack in core dumps is not
> consistent.

> Is it due to calling methods like SSL_shutdown() in cases where
> SSL_handshake process was terminated abruptly.

I don't think so. If you only ever let a single thread touch a particular
SSL structure, it should be impossible to cause a race. Just make sure one
thread doesn't call SSL_shutdown, SSL_read, or SSL_write, while another
thread is or might be calling one of those functions on the same connection.

DS


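The loop David is correcting, as an added example that is not part of the thread: it waits for readability only after SSL_ERROR_WANT_READ and for writability only after SSL_ERROR_WANT_WRITE, and it charges every wait against one absolute deadline so the handshake cannot run past the time the application has budgeted. It is written against Python's standard ssl module, which drives the same OpenSSL state machine and reports the two conditions as SSLWantReadError and SSLWantWriteError. The silent listener standing in for a server that is too slow to answer under stress is constructed for the demo; the hostname and time budget are made up.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(sock, ctx, server_hostname, deadline):
    """Drive a non-blocking TLS handshake on an already connected TCP socket.

    Same shape as the SSL_connect()/select() loop from the thread, except
    that WANT_READ waits on readability, WANT_WRITE waits on writability,
    and every wait is charged against one absolute deadline (a
    time.monotonic() value) rather than a fixed per-call timeout.

    Returns (status, tls_socket) with status "ok", "timeout" or "error".
    The tls_socket is returned in every case so the caller can close it.
    """
    sock.setblocking(False)
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    while True:
        try:
            tls.do_handshake()            # one SSL_connect() step
            return "ok", tls
        except ssl.SSLWantReadError:      # SSL_ERROR_WANT_READ
            rlist, wlist = [tls], []
        except ssl.SSLWantWriteError:     # SSL_ERROR_WANT_WRITE
            rlist, wlist = [], [tls]
        except OSError:                   # SSL_ERROR_SSL / SSL_ERROR_SYSCALL
            return "error", tls

        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "timeout", tls
        r, w, _ = select.select(rlist, wlist, [], remaining)
        if not r and not w:               # select() returned 0: budget spent
            return "timeout", tls


def silent_listener():
    """Constructed stand-in for a server that is too slow to answer the
    ClientHello: the kernel completes the TCP connect from the backlog,
    but nothing ever accepts it or sends a byte."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


def demo(budget_seconds=0.5):
    """Attempt a handshake against the silent listener with a small time
    budget and return the outcome ("timeout" is the expected result)."""
    srv = silent_listener()
    port = srv.getsockname()[1]
    ctx = ssl.create_default_context()   # certificate checks stay on; the
                                         # handshake never gets that far here
    cli = socket.create_connection(("127.0.0.1", port), timeout=2.0)
    deadline = time.monotonic() + budget_seconds
    status, tls = handshake_with_deadline(cli, ctx, "localhost", deadline)
    # Nothing runs in the background, so closing a half-shaken connection
    # here is safe; this is the Python equivalent of Prabhu's SSL_shutdown().
    tls.close()
    srv.close()
    return status


if __name__ == "__main__":
    print(demo())   # prints "timeout" against the silent listener
```

Against the silent listener demo() returns "timeout" once the budget elapses, and the SSL object is simply closed afterwards, which is what David says is fine as long as no other thread is touching that same connection.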


RE: Building OpenSSL without Crypto Support

2008-05-07 Thread Marek . Marcola
Hello,

[EMAIL PROTECTED] wrote on 05/07/2008 12:51:21 PM:

 
> > The application I am developing requires HTTP over SSL connection
> > and hence I am using OpenSSL for SSL support . But Using OpenSSL
> > with all the cryptographic libraries included increases the size of
> > my app heavily . To deal with that , I want to build a OpenSSL
> > library with NULL encryption ( No Crypto Support at all ) so that the
> > size comes down fairly . My application uses OpenSSL for SSL handshake
> > and I/O only with no encryption/decryption needed at all for data
> > transfer .
>
> You can certainly disable algorithms you don't really need. You can
> eliminate elliptic curve, RC5, MDC2, IDEA, SSLv2, SHA0, blowfish, and
> probably quite a few others. But I'm not sure I understand (or that you
> understand) what you're really asking for. SSL is a security protocol, and
> if you take away the encryption, what do you think is left?
>
> Without crypto support, how is the SSL handshake going to work? The SSL
> handshake is largely a succession of cryptographic operations. For example,
> one of the steps of the SSL handshake requires the server to decrypt the
> pre-master secret, which the client encrypts with the server's public key.
> If the server cannot decrypt this because it has no encryption libraries,
> how can it prove that it is the owner of its certificate? And if it can't do
> that, why would the client continue talking to it?
>
> What do you think is left if you subtract all encryption operations from
> SSL? Authentication doesn't work without encryption. It's no use to make
> absolutely sure you are talking to www.securesite.com if the subsequent data
> is sent in the clear (because a man-in-the-middle could change it).
>
> I would love to see the requirements that require SSL but do not require any
> actual security.
>
> What do you think basic SSL is?
Protocol only; the cryptographic algorithms may come from another source.
You may use some other library (gmp for RSA or IPP for RSA/EC/AES) ...
You may use your custom crypto library ...
You may use some crypto hardware ...
In this case you do not need any of the software algorithms which come with
OpenSSL.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]


Re: Building OpenSSL without Crypto Support

2008-05-07 Thread vaibhav bindroo
Hi ,

Thanks for the quick reply from your side. I understand and respect your
opinion regarding OpenSSL usage, but I need to strip the OpenSSL library to
the bare minimum for my own use with the app, as I will be using my own
crypto library.
I wanted to ask how I can do it, which linker flags to pass and where...
what is the optimum procedure to come up with such a lib? I have tried
editing the 32.mak file for such a case, but that results in a cumbersome
task as you have to remove all concerned entries manually. Any pointers to
this?

Thanks
~Vaibhav


RE: Building OpenSSL without Crypto Support

2008-05-07 Thread David Schwartz

> Thanks for the quick reply from your side . I understand and respect
> your opinion regarding OpenSSL usage . But I need to strip the OpenSSL
> library to the bare minimum for my own use with the app as I will be
> using my own crypto library .

So is your question really how can I plug my own implementations of crypto
algorithms into OpenSSL? That's a completely different question, being one
of integration not configuration.

> I wanted to ask how can I do it , which linker flags to pass and where

The linker's not going to plug your RSA implementation into OpenSSL.

> ..what is the optimum procedure to come up with such a lib ?? I
> have tried on editing the 32.mak file for such case but that results
> in a cumbersome task as you have to remove all concerned entries
> manually  Any pointers to this ??

Unless I'm still misunderstanding what you're trying to do, it sounds like
you're starting at step 38. Are you trying to get OpenSSL to work without
implementations of algorithms or are you trying to plug your own
implementations into OpenSSL?

DS



Private key storage support in ts (TSA).

2008-05-07 Thread Isaias Punktin
Hi all.

Is it possible to use a private key stored in a SmartCard for time stamp
response generation using ts?


Thanks,


DH key generation call back not called?

2008-05-07 Thread Bruce Keats
Hi,

I am implementing a server that accepts connections from clients over SSL.
I am using Fedora Core 7 which comes with openssl 0.9.8b.  I create an SSL
CTX and I disable the SSL session cache (SSL_CTX_set_session_cache_mode),
set the SSL_OP_SINGLE_DH_USE flag (SSL_CTX_set_options) and set up the DH key
generation callback function (SSL_CTX_set_tmp_dh_callback).  After the
BIO_do_accept, I create a new SSL object from the SSL CTX and associate the
SSL object with the BIO.  The problem is that the callback function never
seems to be called.
Is there something else I need to do to get the SSL connection to use DH?

Thanks,
Bruce


Re: Building OpenSSL without Crypto Support

2008-05-07 Thread vaibhav bindroo
Hi,

I'm trying to build OpenSSL with the least support for crypto algorithms,
except the cases where they are really needed for it to work. My sole purpose
in all this is to reduce the memory footprint of the application that uses
OpenSSL. All I want is the procedure to do so on a WIN32 platform.

~Thanks
Vaibhav Bindroo
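An added example, not from the thread or the OpenSSL project, for the size-trimming route David describes and the Win32 procedure Vaibhav asks for: the algorithms David lists are compiled out with Configure's no-<alg> options, and the way to confirm what was actually dropped is to read the OPENSSL_NO_* macros that Configure writes into opensslconf.h (for a VC-WIN32 build they end up under inc32\openssl). The option spellings, the ./config and make sequence and the Win32 sequence (perl Configure VC-WIN32 ..., ms\do_ms, nmake -f ms\ntdll.mak) are the 0.9.8-era ones from INSTALL.W32 as I recall them and should be checked against the tree being built; SHA-0 is left out because I am not certain of its option name, and the opensslconf.h excerpt below is constructed.

```python
import re

# Configure "no-<alg>" option (and thus the OPENSSL_NO_<ALG> macro) for the
# algorithms named in the thread. 0.9.8-era spellings; SHA-0 is omitted
# because its option name is not certain.
ALGORITHMS = {
    "elliptic curve": "ec",
    "rc5": "rc5",
    "mdc2": "mdc2",
    "idea": "idea",
    "sslv2": "ssl2",
    "blowfish": "bf",
}


def configure_commands(drop, platform="unix"):
    """Return the build commands that compile the given algorithms out."""
    unknown = [a for a in drop if a.lower() not in ALGORITHMS]
    if unknown:
        raise ValueError("no Configure option known for: " + ", ".join(unknown))
    opts = " ".join("no-" + ALGORITHMS[a.lower()] for a in drop)
    if platform == "win32":
        # INSTALL.W32 sequence as recalled: Configure records the options,
        # ms\do_ms regenerates the nmake files, ntdll.mak builds the DLLs.
        return ["perl Configure VC-WIN32 " + opts,
                r"ms\do_ms",
                r"nmake -f ms\ntdll.mak"]
    return ["./config " + opts, "make"]


def disabled_in_header(opensslconf_text):
    """Set of OPENSSL_NO_* names defined in an opensslconf.h text."""
    return set(re.findall(r"^\s*#\s*define\s+OPENSSL_NO_([A-Z0-9_]+)",
                          opensslconf_text, re.M))


def still_compiled_in(drop, opensslconf_text):
    """Algorithms that were asked to be dropped but whose OPENSSL_NO_ macro
    is absent from the built header, i.e. the build did not honour them."""
    have = disabled_in_header(opensslconf_text)
    return [a for a in drop if ALGORITHMS[a.lower()].upper() not in have]


# Constructed excerpt in the shape Configure writes for 0.9.8; in this
# sample only three of the requested algorithms were actually dropped.
SAMPLE_OPENSSLCONF = """\
/* opensslconf.h (constructed sample) */
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
#ifndef OPENSSL_NO_RC5
# define OPENSSL_NO_RC5
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#define OPENSSL_THREADS
"""


if __name__ == "__main__":
    drop = ["idea", "rc5", "sslv2", "mdc2", "blowfish"]
    for cmd in configure_commands(drop, "win32"):
        print(cmd)
    print("not honoured:", still_compiled_in(drop, SAMPLE_OPENSSLCONF))
```

Run still_compiled_in() against the opensslconf.h that the build actually produced: any algorithm it returns is one whose no-<alg> option never reached that build, so its object files are still in the library and the expected size reduction did not happen.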