Re: [openssl-users] Where is mttest.c?
Are you sure you are using the correct man pages? There is no reference to mttest.c in the repository anymore.

Pauli
--
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Thursday, 19 October 2017 7:23 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Where is mttest.c?

Sorry - OpenSSL is not what I do every day.

I see in the man pages a reference to crypto/threads/mttest.c. I've got the 1.1.0f tar and the crypto directory does not contain a threads directory. Where do I find mttest.c?

Thanks,

Charles

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110
Yes.

Pauli

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Thursday, 19 October 2017 7:20 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

Wow! Thanks. You are saying to just drop out this array, and the two CRYPTO_set_..._callback() functions, and the functions they reference?

Charles

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Paul Dale
Sent: Wednesday, October 18, 2017 2:14 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

OpenSSL 1.1.x handle the locking themselves. You don't need to install the locking call backs and don't need to provide locking functionality.

Pauli

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Thursday, 19 October 2017 6:09 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

I am migrating a multi-threaded Windows application from OpenSSL 1.0.1h to 1.1.0f. I am using the Shining Light pre-built Windows DLLs.

The code, which I wrote some time ago, has a statement

    HANDLE Comm::sslMutexArray[CRYPTO_NUM_LOCKS];

The array is referenced by my sslLockingFunction.

When I compile with the 1.1.0f headers I get an undefined symbol on CRYPTO_NUM_LOCKS.

Is my understanding of http://www.manpagez.com/man/3/CRYPTO_num_locks/osx-10.3.php correct? Basically, I need to replace the static array sslMutexArray[CRYPTO_NUM_LOCKS] with a malloc() or new to get an array of the size returned by a call to CRYPTO_num_locks(void)?

Is that correct? Anything else I need to do in this regard?

Thanks,

Charles
[openssl-users] Where is mttest.c?
Sorry - OpenSSL is not what I do every day.

I see in the man pages a reference to crypto/threads/mttest.c. I've got the 1.1.0f tar and the crypto directory does not contain a threads directory. Where do I find mttest.c?

Thanks,

Charles
Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110
Wow! Thanks. You are saying to just drop out this array, and the two CRYPTO_set_..._callback() functions, and the functions they reference?

Charles

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Paul Dale
Sent: Wednesday, October 18, 2017 2:14 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

OpenSSL 1.1.x handle the locking themselves. You don't need to install the locking call backs and don't need to provide locking functionality.

Pauli

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Thursday, 19 October 2017 6:09 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

I am migrating a multi-threaded Windows application from OpenSSL 1.0.1h to 1.1.0f. I am using the Shining Light pre-built Windows DLLs.

The code, which I wrote some time ago, has a statement

    HANDLE Comm::sslMutexArray[CRYPTO_NUM_LOCKS];

The array is referenced by my sslLockingFunction.

When I compile with the 1.1.0f headers I get an undefined symbol on CRYPTO_NUM_LOCKS.

Is my understanding of http://www.manpagez.com/man/3/CRYPTO_num_locks/osx-10.3.php correct? Basically, I need to replace the static array sslMutexArray[CRYPTO_NUM_LOCKS] with a malloc() or new to get an array of the size returned by a call to CRYPTO_num_locks(void)?

Is that correct? Anything else I need to do in this regard?

Thanks,

Charles
Re: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110
OpenSSL 1.1.x handle the locking themselves. You don't need to install the locking call backs and don't need to provide locking functionality.

Pauli

From: Charles Mills [mailto:charl...@mcn.org]
Sent: Thursday, 19 October 2017 6:09 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110

I am migrating a multi-threaded Windows application from OpenSSL 1.0.1h to 1.1.0f. I am using the Shining Light pre-built Windows DLLs.

The code, which I wrote some time ago, has a statement

    HANDLE Comm::sslMutexArray[CRYPTO_NUM_LOCKS];

The array is referenced by my sslLockingFunction.

When I compile with the 1.1.0f headers I get an undefined symbol on CRYPTO_NUM_LOCKS.

Is my understanding of http://www.manpagez.com/man/3/CRYPTO_num_locks/osx-10.3.php correct? Basically, I need to replace the static array sslMutexArray[CRYPTO_NUM_LOCKS] with a malloc() or new to get an array of the size returned by a call to CRYPTO_num_locks(void)?

Is that correct? Anything else I need to do in this regard?

Thanks,

Charles
[openssl-users] Replacing CRYPTO_NUM_LOCKS on migration 101 to 110
I am migrating a multi-threaded Windows application from OpenSSL 1.0.1h to 1.1.0f. I am using the Shining Light pre-built Windows DLLs.

The code, which I wrote some time ago, has a statement

    HANDLE Comm::sslMutexArray[CRYPTO_NUM_LOCKS];

The array is referenced by my sslLockingFunction.

When I compile with the 1.1.0f headers I get an undefined symbol on CRYPTO_NUM_LOCKS.

Is my understanding of http://www.manpagez.com/man/3/CRYPTO_num_locks/osx-10.3.php correct? Basically, I need to replace the static array sslMutexArray[CRYPTO_NUM_LOCKS] with a malloc() or new to get an array of the size returned by a call to CRYPTO_num_locks(void)?

Is that correct? Anything else I need to do in this regard?

Thanks,

Charles
Re: [openssl-users] CRL signature verification
> I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result. Two points on that:
>
> - This seems like something that should be in libcrypto rather than in my own code. Did I miss something obvious?

We generally don’t do any kind of network traffic (except SSL) and would rather leave that up to the application. Especially because there are all sorts of other frameworks, blocking issues, DNS, etc., that make things a non-simple matter.

> - Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure). Alternatively, is there an obvious alternative thing that I should be doing, rather than manually parsing the CRL?

X509_CRL_verify. And yes, looking through to find the serial# is what you have to do.
[openssl-users] CRL signature verification
Hi,

I have an application which wants to do verification of a certificate. Not in the context of a context or a signature, but simply to verify if the certificates are still valid and from a source that is correct in the context in which the application runs.

I used libcrypto to parse out the OCSP URL from the certificate, validate it against a whitelist of valid OCSP URLs, send an OCSP request and validate the response and its signature against a custom certificate store, and then parse out the result. Two points on that:

- This seems like something that should be in libcrypto rather than in my own code. Did I miss something obvious?
- Currently I don't fall back to CRLs when the OCSP server is unavailable. I would like to do so; however, I can't figure out how to validate the signature on a CRL (which would be a pretty obvious failure). Alternatively, is there an obvious alternative thing that I should be doing, rather than manually parsing the CRL?

Thanks,

--
Wouter Verhelst
Re: [openssl-users] SSL_shutdown:shutdown while in init
On 17/10/17 21:27, Chris Bare wrote:
> I have the following code:
>
> setup_ssl (char *server_name, char *port, SSL_CTX *ctx)
> {
>     BIO *output = BIO_new_ssl_connect (ctx);
>     if (!output)
>     {
>         return (NULL);
>     }
>     BIO_get_ssl (output, &ssl);
>     SSL_set_mode (ssl, SSL_MODE_AUTO_RETRY);
>     SSL_set_verify (ssl, true, NULL);
>     BIO_set_conn_hostname (output, server_name);
>     BIO_set_conn_port(output, port);
>
>     if (BIO_do_connect (output) <= 0)
>     {
>         BIO_free (output);
>         return (NULL);
>     }
> }
>
> If the server I'm trying to connect to does not have ssl enabled, I get
> the error:
> SSL23_GET_SERVER_HELLO:unknown protocol
> and BIO_do_connect fails as expected, but BIO_free gives this error:
> SSL_shutdown:shutdown while in init

Hmmm...that looks like an OpenSSL bug to me. It should not call SSL_shutdown() if we are still in init. I raised this issue:

https://github.com/openssl/openssl/issues/4545

>
> If I don't free it, I have a memory leak.
> Is there something else I need to do to clean up the BIO?

As a workaround for this I think you can just ignore the error. From code inspection it looks to me like it should go ahead and free everything anyway.

Matt