Re: Code goes into a loop

2008-06-11 Thread Brian Lavender
On Tue, Jun 10, 2008 at 10:20:56PM -0700, David Schwartz wrote:
> > This code just goes into a loop and keeps writing the first piece
> > of info it reads. What am I doing wrong here?
> >
> > while (nread = BIO_gets(out, buf, sizeof(buf) ) )
> > {
> >  err = BIO_write(out,buf,nread );
> > }
>
> That's precisely what it's coded to do. Get a byte, then write that byte
> out, then get that byte then write it out. (Perhaps you meant to 'gets' from
> a different 'BIO' than you 'write' to?)

I have been trying BIO_read, BIO_write, BIO_gets, and BIO_puts and I
can't seem to get a simple echo server and client to work. BIO_gets is
supposed to read a line, correct?

Server

while ( nread = BIO_gets(out, buf, sizeof(buf)) )
{
    err = BIO_write(out, buf, nread);
}

Client

fgets(buf, sizeof(buf), stdin);
{
    n = strlen(buf);
    buf[n+1] = '\0';
    p = BIO_write(bio, buf, n + 1);
    while ( n = BIO_gets(bio, buf2, sizeof(buf2)) )
    {
        printf("%s", buf2);
    }
}


-- 
Brian Lavender
http://www.brie.com/brian/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


Simple echo server and client?

2008-06-11 Thread Brian Lavender
I have been trying to put together a simple echo server and client with
the OpenSSL library, as you may have seen from my previous posts. I
have the O'Reilly OpenSSL book and it has a discussion on non-blocking
IO. I am not sure if I understand the non-blocking example either. So,
it seems like even with blocking IO, I ought to be able to have a simple
server that receives a connection, receives the input from a client and
sends it back? The OpenSSL book only has the client send data and the
server prints it out. :( Any cooked examples out there? 

brian
-- 
Brian Lavender
http://www.brie.com/brian/


Using Openssl with ECC

2008-06-11 Thread priya . kubher

Hi,

I am using OpenSSL 0.9.8d 28 Sep 2006 (Library: OpenSSL 0.9.8g 19 Oct 2007)
with ECC certificates and a Free Radius server. During the authentication
process I get the error ciphersuite is not supported (ECDH with ECDSA). I
am using a third-party client to perform the authentication. How do I get
OpenSSL to use the ECCdraft so that the ECC cipher suites will be used as a
default?

Thanks,
Priya
_

Priya Kubher
Telematics Software, Software  Controls
General Motors Corporation
Phone: (586) 492-6867




Re: how to add an extension to a X509 certificate ? the answer

2008-06-11 Thread delcour.pierre

Hello, here is the solution to my problem:

I want to have this extension in my X509v3 certificate:

X509v3 Authority Key Identifier:
    keyid:6B:FC:14:20:72:EE:15:6E:D1:29:7A:4D:40:69:90:F7:AE:B1:3A:FF
    DirName:/O=o/OU=ou/CN=vn/dnQualifier=a/wUIHLuFW7RKXpNQGmQ966xOv8=
    serial:01

To make this possible, you will need to write this code (_d_cert is an
X509*):


X509_EXTENSION *ex; // create a new extension
X509V3_CTX ctx;     // create a context
// here, it means a self-signed certificate (issuer and subject are both _d_cert)
X509V3_set_ctx(&ctx, _d_cert, _d_cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier,
                         "issuer:always,keyid:always");

if (ex == NULL)
    return 0; // run badly :(

// add it to the certificate extensions (at the end of the stack)
X509_add_ext(_d_cert, ex, -1);

X509_EXTENSION_free(ex); // free temp extension
return 1;


SSL Problem

2008-06-11 Thread Karia Ravi
Hello,

 

I hope you can help me. I have been looking on the Internet and testing
for a week now and have not had much luck. I am currently trying to
automate a few manual activities within our organisation and I am trying
to connect to our supplier to submit XML to them. Please see below,

openssl s_client -connect www.ws-onramp1.wholesale.bt.com:5443/XmldiagWsTransport -cert C:\curl\new_private_050608.pem -CAfile c:\curl\ca\ca.pem
CONNECTED(0784)
depth=1 /O=BT Group Plc/CN=Northside
verify return:1
depth=0 /C=GB/ST=England/L=London/O=BT Wholesale/OU=BTW/CN=www.ws-onramp1.wholesale.bt.com/emailAddress=gopiram[EMAIL PROTECTED]
verify return:1
3052:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
3052:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

 

 

Kind Regards

Ravi Karia, 
Infrastructure Services Networks


FUJITSU  
* Fujitsu Services, Infinity House, Mallard Way, Crewe Business Park,
CW1 6ZQ
*  +44 (0) 7867829174
*  E-mail: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
  Web: http://uk.fujitsu.com http://uk.fujitsu.com/  

Fujitsu Services Limited, Registered in England no 96056, Registered
Office 22 Baker Street, London, W1U 3BW 


 



RE: SSL Problem

2008-06-11 Thread Saju
IMO the public-key of the signer of the server certificate
CN=www.ws-onramp1.wholesale.bt.com should be in the CAfile
(c:\curl\ca\ca.pem)

 

-HTH

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Karia Ravi
Sent: Wednesday, June 11, 2008 5:23 AM
To: openssl-users@openssl.org
Subject: SSL Problem

 

Hello,

 

I hope you can help me. I have been looking on the Internet and testing for
a week now and have not had much luck. I am currently trying to automate a
few manual activities within our organisation and I am trying to connect to
our supplier to submit XML to them. Please see below,

openssl s_client -connect www.ws-onramp1.wholesale.bt.com:5443/XmldiagWsTransport -cert C:\curl\new_private_050608.pem -CAfile c:\curl\ca\ca.pem
CONNECTED(0784)
depth=1 /O=BT Group Plc/CN=Northside
verify return:1
depth=0 /C=GB/ST=England/L=London/O=BT Wholesale/OU=BTW/CN=www.ws-onramp1.wholesale.bt.com/emailAddress=gopiramesh.[EMAIL PROTECTED]
verify return:1
3052:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
3052:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

 

 

Kind Regards

Ravi Karia, 
Infrastructure Services Networks


FUJITSU  
* Fujitsu Services, Infinity House, Mallard Way, Crewe Business Park, CW1
6ZQ
*  +44 (0) 7867829174
*  E-mail:  mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
  Web:  http://uk.fujitsu.com/ http://uk.fujitsu.com 

Fujitsu Services Limited, Registered in England no 96056, Registered Office
22 Baker Street, London, W1U 3BW 


 



Re: OPENSSL Problem

2008-06-11 Thread Marek . Marcola
Hello,

[EMAIL PROTECTED] wrote on 06/11/2008 08:51:45 AM:

> Hi All,
>
> I have install the open ssl from the http://www.slproweb.com/products/Win32OpenSSL.html
> now when i check it with the link point api then it giving me the following error “
> Unable to load/validate private_key ERRs: wsa=33558530 err=33558530 ssl=537317504
> sys=33558530. INFO: ACE_SSL (2792|2668) error code: 33558530 -
> error:02001002:lib(2):func(1):reason(2) “ I don’t know what is going on because I have
> created the certificate (i.e. .PEM file) through the OPEN SSL and added the same
> into the IIS and it uploaded perfectly. Is there any way to check where the OPEN SSL is
> installed properly or not. Also give me some solution how we can solve the following
> problem.

$ (echo obase=16; echo 33558530) | bc
2001002
$ openssl errstr 2001002
error:02001002:system library:fopen:No such file or directory
 
Best regards,
--
Marek Marcola [EMAIL PROTECTED]
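
The bc/errstr lookup in the reply above works because the number is a packed code. As an added example (not code from the thread or from OpenSSL itself), this C sketch unpacks the codes quoted in the messages on this page, assuming the pre-3.0 OpenSSL layout of 8-bit library, 12-bit function and 12-bit reason; the struct and function names are made up for illustration.

```c
#include <stdio.h>

/* Packed error-code layout of OpenSSL releases before 3.0 (this thread is
 * from the 0.9.8 era): 8-bit library, 12-bit function, 12-bit reason. */
struct err_fields {
    unsigned lib, func, reason;
};

#define LIB_SYS 2u                 /* ERR_LIB_SYS: reason is an errno value */
#define LIB_SSL 20u                /* ERR_LIB_SSL */
#define ALERT_REASON_OFFSET 1000u  /* SSL_AD_REASON_OFFSET */

/* Split a packed error code into its three fields. */
struct err_fields unpack_err(unsigned long code)
{
    struct err_fields f;
    f.lib    = (unsigned)((code >> 24) & 0xffu);
    f.func   = (unsigned)((code >> 12) & 0xfffu);
    f.reason = (unsigned)(code & 0xfffu);
    return f;
}

/* SSL-library reasons above the offset mean "a fatal alert was received
 * from the peer"; reason - 1000 is the alert number. Returns -1 otherwise. */
int peer_alert(unsigned long code)
{
    struct err_fields f = unpack_err(code);
    if (f.lib != LIB_SSL || f.reason <= ALERT_REASON_OFFSET)
        return -1;
    return (int)(f.reason - ALERT_REASON_OFFSET);
}

/* Names of a few certificate-related TLS alerts (numbers from the TLS RFCs). */
const char *alert_name(int alert)
{
    switch (alert) {
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

int main(void)
{
    /* Codes quoted in the messages on this page (first one in decimal). */
    static const unsigned long codes[] = {
        33558530UL, 0x14094416UL, 0x140790E5UL, 0x14094418UL, 0x14090086UL
    };
    size_t i;

    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct err_fields f = unpack_err(codes[i]);
        int alert = peer_alert(codes[i]);

        printf("%08lX lib=%u func=%u reason=%u",
               codes[i], f.lib, f.func, f.reason);
        if (f.lib == LIB_SYS)
            printf("  (system call failed, errno %u)", f.reason);
        if (alert >= 0)
            printf("  (peer sent alert %d, %s)", alert, alert_name(alert));
        putchar('\n');
    }
    return 0;
}
```

A reason above 1000 in the SSL library tells you the alert came from the other end of the connection, so the peer's logs and trust store are the place to look.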



problem with certificates

2008-06-11 Thread lakshmi prasanna
Hi All,

I am new to OpenSSL, and am having trouble with certificates.

I have set up a local CA and issued a self-signed trusted certificate for
this, say root.pem.
From this trusted certificate, I generated a client certificate from the
root.pem CA certificate.
I created a ServerCA certificate from the root.pem CA certificate, and
generated a server.pem server certificate from the ServerCA certificate.

My server program uses the server.pem and the client uses the client.pem
certificate respectively.
After issuing SSL_connect() from the client, the below error is displayed and
the program exits.

-Error with certificate at depth: 0
 issuer = /CN=Example CA/ST=Virginia/C=US/emailAddress=[EMAIL PROTECTED]/O=Root Certification Authority
 subject = /CN=Example CA/ST=Virginia/C=US/emailAddress=[EMAIL PROTECTED]/O=Root Certification Authority
 err 18:self signed certificate

The server also exits, stating the below error:

** server.c:59 Error accepting SSL connection
16386:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48

Why is the certificate verification failing?
Any help is appreciated.

-- 
thanks,
Lakshmi Prasanna


duplicating an SSL struct

2008-06-11 Thread Lior Greenblatt
Hello,

I am wrapping an SSL socket using C++ and use a third-party library
stream implementation. The library I use requires an implementation of a
copy constructor. I managed to dup and initialize a simple BIO and then
free it as required, but when it comes to the SSL struct, things don't seem
to work the same way.

BIO code, used in copy constructor:

SSLSocketBase& SSLSocketBase::operator=(const SSLSocketBase& sslsock)
{
  if (&sslsock != this) {
    int fd;

    m_bio = BIO_new_socket((fd = dup(BIO_get_fd(sslsock.m_bio, NULL))), 0);
    BIO_set_fd(m_bio, fd, 0);
  }
  return *this;
}

and the destructor:

SSLSocketBase::~SSLSocketBase()
{
  if (m_bio != NULL) {
    BIO_free(m_bio);
    m_bio = NULL;
  }
}

I am looking for a way to duplicate the SSL struct with all of its
components in order to keep using it without a new handshake.
The destructor is pretty straightforward, but copy/duplication is trickier.
This is what I got so far:

SSLSocketSecure& SSLSocketSecure::operator=(const SSLSocketSecure& sslsock)
{
  if (&sslsock != this) {
    try {
      static_cast<SSLSocketBase&>(*this) = sslsock; // uses the above operator example
      SSL_CTX *ctx = SSL_get_SSL_CTX(sslsock.m_ssl);

      if (!(m_ssl = SSL_new(ctx)))
        THROW(SocketException, "Error creating SSL context");
      SSL_set_bio(m_ssl, m_bio, m_bio);
    } catch (Exception& e) {
      std::cerr << e.msg() << std::endl;
    }
  }
  return *this;
}

I'm lost as to what is missing here.
Any help would be greatly appreciated.





X509_dup bug ?

2008-06-11 Thread delcour.pierre

Hello,

I wrote this code :
X509* CA = X509_new();
X509* cert = X509_dup ( CA );

Each time I get a segmentation fault when I use cert (cert == NULL is
true). For me, X509_dup duplicates the given X509 certificate, so I don't
think that cert == NULL is good behavior. I'm using OpenSSL 0.9.8g
with Kubuntu 8.04 64-bit edition.


Am I right?


Unable to resolve the OpenSSL functions while linking

2008-06-11 Thread sunil.kumarvvn
Hi,

I am using OpenSSL 0.9.7g 11 Apr 2005 on a Solaris machine for one
application. We are porting the same application to Redhat Linux (Linux
tam1 2.4.21-27.ELsmp #1 SMP).
We successfully deployed the above OpenSSL version on the Linux box, and we
successfully compiled the application. In this application I am using these
OpenSSL functions in one shared library. We checked the shared library using
the ldd command to see whether these functions are correctly linked or not.
At that point we are facing undefined symbol errors against the OpenSSL
functions. For more clarity please have a look at the below snapshot.

===
[EMAIL PROTECTED] libcode]# ldd -r libxauthn.so
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00717000)
libpdxauthnutils.so => /usr/lib/libpdxauthnutils.so (0x006f)
libpdauthzn.so => /usr/lib/libpdauthzn.so (0x00da4000)
libc.so.6 => /lib/tls/libc.so.6 (0x0015e000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x002c4000)
libdl.so.2 => /lib/libdl.so.2 (0x009d4000)
libpdira.so => /usr/lib/libpdira.so (0x002da000)
libpdutil.so => /usr/lib/libpdutil.so (0x00423000)
libpdauthn.so => /usr/lib/libpdauthn.so (0x00b4f000)
undefined symbol: d2i_X509              (./libxauthn.so)
undefined symbol: ERR_get_error         (./libxauthn.so)
undefined symbol: X509_get_issuer_name  (./libxauthn.so)
undefined symbol: X509_NAME_get_entry   (./libxauthn.so)
undefined symbol: ASN1_STRING_data      (./libxauthn.so)
undefined symbol: OBJ_sn2nid            (./libxauthn.so)
undefined symbol: X509_get_ext_d2i      (./libxauthn.so)
undefined symbol: sk_num                (./libxauthn.so)
undefined symbol: sk_value              (./libxauthn.so)
undefined symbol: ASN1_STRING_length    (./libxauthn.so)
undefined symbol: regcmp                (./libxauthn.so)
undefined symbol: regex                 (./libxauthn.so)
undefined symbol: __loc1                (./libxauthn.so)
undefined symbol: X509_get_subject_name (./libxauthn.so)
undefined symbol: X509_NAME_oneline     (./libxauthn.so)
undefined symbol: BIO_new_fp            (./libxauthn.so)
undefined symbol: ERR_print_errors_fp   (./libxauthn.so)
undefined symbol: X509_signature_print  (./libxauthn.so)


May I know why I am getting these errors?
And one more thing: will the OpenSSL executable be different from Unix
to Linux operating systems?
Please help me out of this situation.

Regards
Sunil.




Re: RAND_load_file takes a long time to load 1K bytes from /dev/random

2008-06-11 Thread Bruce Keats
I forgot to mention that the systems in question are servers that do not have
the keyboard or mouse as sources of entropy.  Yes indeed, the problem seems
a lack of entropy.  What I find surprising is that on these systems, I seem
to be able to get approx 400 bytes from /dev/random and it doesn't matter
how long the system has been running for (hours, days, weeks or months).
This seems a little odd to me.

Bruce

On Tue, Jun 10, 2008 at 11:25 PM, David Schwartz [EMAIL PROTECTED] wrote:

> > What is the acceptable lower limit for the number of bytes for
> > RAND_load_file()?
>
> Nobody can tell you what your requirements are. Some people will consider it
> acceptable just to read 1KB from /dev/urandom. This is only a problem if the
> entropy pool was never seeded, which is always at least possible.
>
> If you aren't comfortable reading from /dev/urandom, an acceptable
> compromise might be to read a small number of bytes from /dev/random
> (accepting that this might take a while in exchange for a stronger guarantee
> of security) and a larger number of bytes from /dev/urandom (in the hopes
> that this will increase security because it is quite likely to do so).
>
> IMO, 16 or 32 bytes from /dev/random and 256 bytes from /dev/urandom is
> sufficient for almost all imaginable applications.
>
> DS





problem with certificates

2008-06-11 Thread lakshmi prasanna
Hi,

The below error is obtained when no CA is set up on the machine, i.e., the
cacert.pem and cakey.pem files are not present and the root certificate is
not signed by the CA.

The root certificate is signed by the root key generated while creating the
certificate using the command:

openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem

-Error with certificate at depth: 2
 issuer = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root Intoto/[EMAIL PROTECTED]
 subject = /C=IN/ST=AP/L=HYD/O=Intoto Software (I) Pvt. Ltd/OU=Root/CN=Root Intoto/[EMAIL PROTECTED]
 err 19:self signed certificate in certificate chain
SSL_connect failed
** client.c:80 Error connecting SSL object
16384:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:

Any help regarding this...
-- 
thanks,
Lakshmi Prasanna


Re: Unable to resolve the OpenSSL functions while linking

2008-06-11 Thread jimmy bahuleyan

[EMAIL PROTECTED] wrote:

> Hi,
>
> I am using OpenSSL 0.9.7g 11 Apr 2005 on a Solaris machine for one
> application. We are porting the same application to Redhat Linux (Linux
> tam1 2.4.21-27.ELsmp #1 SMP).
> We successfully deployed the above OpenSSL version on the Linux box, and we
> successfully compiled the application. In this application I am using these
> OpenSSL functions in one shared library. We checked the shared library using
> the ldd command to see whether these functions are correctly linked or not.
> At that point we are facing undefined symbol errors against the OpenSSL
> functions. For more clarity please have a look at the below snapshot.
>
> ===
> [EMAIL PROTECTED] libcode]# ldd -r libxauthn.so
> libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00717000)
> libpdxauthnutils.so => /usr/lib/libpdxauthnutils.so (0x006f)
> libpdauthzn.so => /usr/lib/libpdauthzn.so (0x00da4000)
> libc.so.6 => /lib/tls/libc.so.6 (0x0015e000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x002c4000)
> libdl.so.2 => /lib/libdl.so.2 (0x009d4000)
> libpdira.so => /usr/lib/libpdira.so (0x002da000)
> libpdutil.so => /usr/lib/libpdutil.so (0x00423000)
> libpdauthn.so => /usr/lib/libpdauthn.so (0x00b4f000)
> undefined symbol: d2i_X509              (./libxauthn.so)
> undefined symbol: ERR_get_error         (./libxauthn.so)
> undefined symbol: X509_get_issuer_name  (./libxauthn.so)
> undefined symbol: X509_NAME_get_entry   (./libxauthn.so)
> undefined symbol: ASN1_STRING_data      (./libxauthn.so)
> undefined symbol: OBJ_sn2nid            (./libxauthn.so)
> undefined symbol: X509_get_ext_d2i      (./libxauthn.so)
> undefined symbol: sk_num                (./libxauthn.so)
> undefined symbol: sk_value              (./libxauthn.so)
> undefined symbol: ASN1_STRING_length    (./libxauthn.so)
> undefined symbol: regcmp                (./libxauthn.so)
> undefined symbol: regex                 (./libxauthn.so)
> undefined symbol: __loc1                (./libxauthn.so)
> undefined symbol: X509_get_subject_name (./libxauthn.so)
> undefined symbol: X509_NAME_oneline     (./libxauthn.so)
> undefined symbol: BIO_new_fp            (./libxauthn.so)
> undefined symbol: ERR_print_errors_fp   (./libxauthn.so)
> undefined symbol: X509_signature_print  (./libxauthn.so)
>
> May I know why I am getting these errors?
> And one more thing: will the OpenSSL executable be different from Unix
> to Linux operating systems?
> Please help me out of this situation.

So did you link with libssl and libcrypto while building the shared
library (libxauthn.so)?

> Regards
> Sunil.


-jb
--
Real computer scientists don't comment their code.  The identifiers are
so long they can't afford the disk space.


Re: RAND_load_file takes a long time to load 1K bytes from /dev/random

2008-06-11 Thread Glenn
The entropy pool size is configurable on some systems.  For Linux see
/proc/sys/kernel/random/poolsize

Glenn

On Wed, Jun 11, 2008 at 7:52 AM, Bruce Keats [EMAIL PROTECTED] wrote:

> I forgot to mention that the systems in question are servers that do not
> have the keyboard or mouse as sources of entropy.  Yes indeed, the problem
> seems a lack of entropy.  What I find surprising is that on these systems, I
> seem to be able to get approx 400 bytes from /dev/random and it doesn't
> matter how long the system has been running for (hours, days, weeks or
> months).  This seems a little odd to me.
>
> Bruce
>
> On Tue, Jun 10, 2008 at 11:25 PM, David Schwartz [EMAIL PROTECTED] wrote:
>
> > > What is the acceptable lower limit for the number of bytes for
> > > RAND_load_file()?
> >
> > Nobody can tell you what your requirements are. Some people will consider it
> > acceptable just to read 1KB from /dev/urandom. This is only a problem if the
> > entropy pool was never seeded, which is always at least possible.
> >
> > If you aren't comfortable reading from /dev/urandom, an acceptable
> > compromise might be to read a small number of bytes from /dev/random
> > (accepting that this might take a while in exchange for a stronger guarantee
> > of security) and a larger number of bytes from /dev/urandom (in the hopes
> > that this will increase security because it is quite likely to do so).
> >
> > IMO, 16 or 32 bytes from /dev/random and 256 bytes from /dev/urandom is
> > sufficient for almost all imaginable applications.
> >
> > DS







Re: RAND_load_file takes a long time to load 1K bytes from /dev/random

2008-06-11 Thread Bruce Keats
I noticed that this parameter is reported on these systems as 4096, but the
man page (man 4 random) says it should normally be 512 (bytes).  It also
goes on to say it can be changed to 32, 64, 128, 256, 512, 1024, 2048 which
I assume is bytes.  4096 bits = 512 bytes, so it kinda makes sense.  When I
try and change the value with sysctl -w kernel.random.poolsize=2048 as root
I get error: permission denied on key 'kernel.random.poolsize'

Bruce

On Wed, Jun 11, 2008 at 2:18 PM, Glenn [EMAIL PROTECTED] wrote:

> The entropy pool size is configurable on some systems.  For Linux see
> /proc/sys/kernel/random/poolsize
>
> Glenn
>
> On Wed, Jun 11, 2008 at 7:52 AM, Bruce Keats [EMAIL PROTECTED] wrote:
>
> > I forgot to mention that the systems in question are servers that do not
> > have the keyboard or mouse as sources of entropy.  Yes indeed, the problem
> > seems a lack of entropy.  What I find surprising is that on these systems, I
> > seem to be able to get approx 400 bytes from /dev/random and it doesn't
> > matter how long the system has been running for (hours, days, weeks or
> > months).  This seems a little odd to me.
> >
> > Bruce
> >
> > On Tue, Jun 10, 2008 at 11:25 PM, David Schwartz [EMAIL PROTECTED] wrote:
> >
> > > > What is the acceptable lower limit for the number of bytes for
> > > > RAND_load_file()?
> > >
> > > Nobody can tell you what your requirements are. Some people will consider it
> > > acceptable just to read 1KB from /dev/urandom. This is only a problem if the
> > > entropy pool was never seeded, which is always at least possible.
> > >
> > > If you aren't comfortable reading from /dev/urandom, an acceptable
> > > compromise might be to read a small number of bytes from /dev/random
> > > (accepting that this might take a while in exchange for a stronger guarantee
> > > of security) and a larger number of bytes from /dev/urandom (in the hopes
> > > that this will increase security because it is quite likely to do so).
> > >
> > > IMO, 16 or 32 bytes from /dev/random and 256 bytes from /dev/urandom is
> > > sufficient for almost all imaginable applications.
> > >
> > > DS








matching keys

2008-06-11 Thread Brian Smith
I'm attempting to write a C function to match a private key to either its
corresponding public key or certificate for both RSA and DSA algorithms. At
this point, I have the keys loaded into their corresponding RSA and DSA
structures. From here, what parameter checks are necessary to verify that the
corresponding keys match? I'm guessing rsa->n would suffice for RSA, would
dsa->p and dsa->q be an appropriate choice?

Thanks!

Brian


RE: duplicating an SSL struct

2008-06-11 Thread David Schwartz

> I am wrapping an SSL socket using C++ and use a third-party library
> stream implementation. The library I use requires an implementation of a
> copy constructor. I managed to dup and initialize a simple BIO and then
> free it as required, but when it comes to the SSL struct, things don't seem
> to work the same way.
> BIO code:
> used in copy constructor:
[snip]
> I am looking for a way to duplicate the SSL struct with all of its
> components in order to keep using it without a new handshake.
> The destructor is pretty straightforward, but copy/duplication is trickier.
> This is what I got so far:
[snip]
> I'm lost as to what is missing here.
> Any help would be greatly appreciated.

An SSL structure represents the actual connection itself. The connection
cannot be duplicated -- there is no way to turn one connection into two
identical connections. So what you're trying to do does not make logical
sense.

If you want to have two handles to the connection, such that the same single
connection can be used from two different places, what you want is a
structure that acts as a handle to a connection. You can then safely
duplicate *this* structure, since it now represents a way to get to a
connection, which you can logically have more than one of.

SSL structures are already reference counted, but there's no easy way to
increment it. So you may want to use your own reference count. Create two
structures, one that holds the SSL pointer and a reference count, and
another one that contains pointers to that first structure. It's that second
structure that you can use as a hook to an SSL connection and safely
duplicate. When the second structure is destroyed, dec the ref count on the
first structure, and if it hits zero, SSL_free the underlying SSL object.

DS
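
The two-structure arrangement described in the reply above, as an added C sketch (not code from the thread): `conn_shared`, `conn_handle` and the `handle_*` functions are hypothetical names, the connection is an opaque `void *` standing in for the `SSL *`, and `destroy` stands in for a small wrapper around `SSL_free()` so the block runs without OpenSSL. The count is not thread-safe.

```c
#include <stdio.h>
#include <stdlib.h>

/* First structure: owns the connection object and counts its users. */
struct conn_shared {
    void *conn;               /* stand-in for the SSL* */
    void (*destroy)(void *);  /* stand-in for a wrapper around SSL_free() */
    unsigned refs;
};

/* Second structure: the cheap handle that may be copied freely. */
struct conn_handle {
    struct conn_shared *shared;
};

/* Wrap a freshly created connection; returns 0 on allocation failure. */
int handle_open(struct conn_handle *h, void *conn, void (*destroy)(void *))
{
    struct conn_shared *s = malloc(sizeof *s);
    if (s == NULL)
        return 0;
    s->conn = conn;
    s->destroy = destroy;
    s->refs = 1;
    h->shared = s;
    return 1;
}

/* "Copy constructor": dst becomes another handle to the same connection. */
void handle_copy(struct conn_handle *dst, const struct conn_handle *src)
{
    dst->shared = src->shared;
    if (dst->shared != NULL)
        dst->shared->refs++;
}

/* "Destructor": the last handle released frees the connection.
 * Returns 1 if the connection was destroyed by this call. */
int handle_close(struct conn_handle *h)
{
    struct conn_shared *s = h->shared;
    int freed = 0;

    h->shared = NULL;  /* closing the same handle twice is harmless */
    if (s != NULL && --s->refs == 0) {
        s->destroy(s->conn);
        free(s);
        freed = 1;
    }
    return freed;
}

/* "operator=": take the new reference before dropping the old one, so
 * self-assignment cannot free the connection out from under dst. */
void handle_assign(struct conn_handle *dst, const struct conn_handle *src)
{
    struct conn_handle old = *dst;
    handle_copy(dst, src);
    handle_close(&old);
}

static int destroyed;  /* how many times the stand-in destructor ran */
static void fake_destroy(void *conn) { (void)conn; destroyed++; }

/* Three handles to one connection: it is destroyed exactly once. */
int demo_destroy_calls(void)
{
    struct conn_handle a, b, c = { NULL };
    int fake_conn = 0;  /* constructed stand-in for a live connection */

    destroyed = 0;
    if (!handle_open(&a, &fake_conn, fake_destroy))
        return -1;
    handle_copy(&b, &a);
    handle_assign(&c, &b);
    handle_assign(&c, &c);  /* self-assignment keeps the count intact */
    handle_close(&a);
    handle_close(&b);
    handle_close(&c);       /* last reference: destroy runs here */
    handle_close(&c);       /* no effect */
    return destroyed;
}

int main(void)
{
    printf("destroy called %d time(s)\n", demo_destroy_calls());
    return 0;
}
```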




Re: duplicating an SSL struct

2008-06-11 Thread Victor Duchovni
On Wed, Jun 11, 2008 at 09:08:48PM -0700, David Schwartz wrote:

> > I am wrapping an SSL socket using C++ and use a third-party library
> > stream implementation. The library I use requires an implementation of a
> > copy constructor. I managed to dup and initialize a simple BIO and then
> > free it as required, but when it comes to the SSL struct, things don't seem
> > to work the same way.
> > BIO code:
> > used in copy constructor:
> [snip]
> > I am looking for a way to duplicate the SSL struct with all of its
> > components in order to keep using it without a new handshake.
> > The destructor is pretty straightforward, but copy/duplication is trickier.
> > This is what I got so far:
> [snip]
> > I'm lost as to what is missing here.
> > Any help would be greatly appreciated.
>
> An SSL structure represents the actual connection itself. The connection
> cannot be duplicated -- there is no way to turn one connection into two
> identical connections. So what you're trying to do does not make logical
> sense.

An SSL_SESSION can be obtained from one SSL connection and used to speed up
the handshake (bypass public-key operations) for a new connection.

-- 
Viktor.