Re: SSL_CTX_set_alpn_select_cb and Other OpenSSL API ALPN Functions + Their Callbacks

2022-07-29 Thread Angus Robertson - Magenta Systems Ltd
> I don't understand how to write the callback functions some of 
> the OpenSSL ALPN functions expect, and the manual really isn't 
> helping there either, so I'd like some help.

Use SSL_CTX_set_client_hello_cb to set a SSL_client_hello_cb_fn
function, which you can parse to get TLSEXT_TYPE_server_name and
TLSEXT_TYPE_application_layer_protocol_negotiation, and everything else
sent in the Client Hello (if you need it) like SSL versions and ciphers
supported.  

Within this callback you can change SSL_CTX depending on SNI and ALPN.


Ignore the SNI and ALPN callbacks.  client_hello_cb was only added in
1.1.1 so is often missing from old examples, FAQs and manuals. 

Angus
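As an added illustration of the parsing Angus describes (this is not his code nor OpenSSL's), the two extension bodies that SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext, &len) and SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_application_layer_protocol_negotiation, &ext, &len) hand back inside such a callback, parsed with bounds checks since every length field comes from the peer, plus a hypothetical choose_ctx() policy standing in for the SSL_set_SSL_CTX() switch. It is kept free of OpenSSL headers so it builds stand-alone; the sample bytes and the "example.com"/"h2" policy are constructed.

```c
#include <string.h>

/* Constructed sample extension bodies: ALPN {"h2","http/1.1"}, SNI "example.com". */
const unsigned char SAMPLE_ALPN[] = {0,12, 2,'h','2', 8,'h','t','t','p','/','1','.','1'};
const unsigned char SAMPLE_SNI[]  = {0,14, 0, 0,11, 'e','x','a','m','p','l','e','.','c','o','m'};

/* Returns 1 if the ALPN extension body (RFC 7301) lists `proto`, else 0.
 * Every length comes from the peer, so it is checked before use. */
int alpn_lists(const unsigned char *ext, size_t len, const char *proto)
{
    size_t plen = strlen(proto), i;
    if (len < 2 || ((size_t)ext[0] << 8 | ext[1]) != len - 2)
        return 0;                                /* list must fill the body */
    for (i = 2; i < len; ) {
        size_t n = ext[i++];
        if (n == 0 || n > len - i) return 0;     /* empty or truncated name */
        if (n == plen && memcmp(ext + i, proto, n) == 0) return 1;
        i += n;
    }
    return 0;
}

/* Copies the host_name from an SNI extension body (RFC 6066) into `out`,
 * NUL-terminated. Returns its length, or -1 if absent or malformed. */
int sni_hostname(const unsigned char *ext, size_t len, char *out, size_t outlen)
{
    size_t i;
    if (len < 2 || ((size_t)ext[0] << 8 | ext[1]) != len - 2)
        return -1;
    for (i = 2; i + 3 <= len; i += 3) {          /* each entry: type, 2-byte len, name */
        unsigned char type = ext[i];
        size_t n = (size_t)ext[i + 1] << 8 | ext[i + 2];
        if (n > len - (i + 3)) return -1;        /* truncated name */
        if (type != 0) { i += n; continue; }     /* skip unknown NameType */
        if (n == 0 || n >= outlen || memchr(ext + i + 3, '\0', n)) return -1;
        memcpy(out, ext + i + 3, n);             /* embedded NUL rejected above */
        out[n] = '\0';
        return (int)n;
    }
    return -1;
}

/* Hypothetical policy (0 = default SSL_CTX, 1 = HTTP/2 SSL_CTX); a real callback applies it via SSL_set_SSL_CTX(). */
int choose_ctx(const unsigned char *sni, size_t sni_len,
               const unsigned char *alpn, size_t alpn_len)
{
    char host[256];                              /* RFC 6066 caps names at 255 */
    if (sni_hostname(sni, sni_len, host, sizeof host) < 0) return 0;
    return strcmp(host, "example.com") == 0 && alpn_lists(alpn, alpn_len, "h2");
}
```

Returning SSL_CLIENT_HELLO_ERROR from the callback when a parser fails closed is the conservative choice; both parsers reject bodies whose list length does not exactly fill the extension.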



SSL_CTX_set_alpn_select_cb and Other OpenSSL API ALPN Functions + Their Callbacks

2022-07-29 Thread Osman Zakir
Hi again.

I don't understand how to write the callback functions some of the OpenSSL ALPN 
functions expect, and the manual really isn't helping there either, so I'd like 
some help.

I have an HTTP/2 upgrade request inside the ClientHello and it's causing my 
server app to give an error about an unknown protocol.  That's why I want to do 
this.  I understand that I need to call the ALPN functions somewhere in the 
function I'm using to run the server.  I'm already using TLS for HTTPS, so I 
have to use ALPN.  Please help me out here.  Thanks.


Fwd: Need Help for iOS and MacOS Build of OpenSSL

2022-07-29 Thread Seraj Ahmad
Hi Everyone,

I am working on a project where I have to build OpenSSL "3.0.5" version for
multiple targets related to MacOS and iOS.

I am able to successfully build the OpenSSL "1.1.1x" version by using
targets mentioned in "20-ios-tvos-cross.conf".
I used to give commands like the below:

> ./Configure macosx-cross-x86_64 --prefix=gen/out/bin/Debug-MacOSX-x86_64
> no-shared no-async -fembed-bitcode-marker enable-ec_nistp_64_gcc_128


Now for version "3.0.5" when I give the above command, I am getting the
below error:

> ./Configure macosx-cross-x86_64 --prefix=gen/out/bin/Debug-MacOSX-x86_64
> no-shared no-async -fembed-bitcode-marker enable-ec_nistp_64_gcc_128
> Undefined subroutine ::asm called at (eval 15) line 46.
> Configuring OpenSSL version 3.0.5 for target macosx-cross-x86_64
> Using os-specific seed configuration
> Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx]
> [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
> [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR]
> [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE]
> os/compiler[:flags]
>
> pick os/compiler from:
> ...
> android-armeabi android-mips android-mips64 android-x86 android-x86_64
> android64 android64-aarch64 android64-mips64 android64-x86_64 bsdi-elf-gcc
> cc
> darwin-i386 darwin-i386-cc darwin-ppc darwin-ppc-cc darwin64-arm64
> darwin64-arm64-cc darwin64-debug-test-64-clang darwin64-ppc
> darwin64-ppc-cc
> darwin64-x86_64 darwin64-x86_64-cc gcc haiku-x86 haiku-x86_64 hpux-ia64-cc
> ...
>

When I give the "os/compiler" details in the above command, I get the below
error:

> ./Configure macosx-cross-x86_64 --prefix=gen/out/bin/Debug-MacOSX-x86_64
> no-shared no-async -fembed-bitcode-marker enable-ec_nistp_64_gcc_128
> darwin64-x86_64-cc
> Undefined subroutine ::asm called at (eval 15) line 46.
>
> Failure!  build file wasn't produced.
> Please read INSTALL.md and associated NOTES-* files.  You may also have to
> look over your available compiler tool chain or change your configuration.
>
> target already defined - macosx-cross-x86_64 (offending arg:
> darwin64-x86_64-cc)
>

Now, my question is: how can I build OpenSSL using the targets defined
in my "20-ios-tvos-cross.conf" without the "OS/Compiler" flags? I have
tried to find the solution over the internet but no luck.
I will really appreciate the help in this. Feel free to ask any questions you
have.

Thanks,
Seraj


Re: Unable to load self-signed certificate

2022-07-29 Thread radiatejava
Actually the error is:

533:error:02001002:system library:fopen:No such file or
directory:bss_file.c:175:fopen('/opt/ssl-v1.02u/ssl/cert.pem','r')
533:error:2006D080:BIO routines:BIO_new_file:no such
file:bss_file.c:182: 533:error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib:by_file.c:254:
533:error:0B065068:x509 certificate routines:BY_FILE_CTRL:loading
defaults:by_file.c:112:

as we are having 2 different versions of ssl on the system.
Is there anything we need to do if we have 2 different versions? I am
building my app pointing libs and includes to /opt/ssl-v1.02u

Thanks

On Wed, Jul 27, 2022 at 8:14 AM radiatejava wrote:
>
> Hello experts
> I used to load a self-signed cert using a program like below:
>
> X509_STORE_set_verify_cb_func(lCertCtx, UserCert_cb_check_cert);
> lLookup = X509_STORE_add_lookup(lCertCtx, X509_LOOKUP_file());
> error = X509_LOOKUP_load_file(lLookup, NULL, X509_FILETYPE_DEFAULT);
>
> It was all working great till I was on openssl 1.0.2k.
> We have shifted to openssl 1.0.2u and now the call
> X509_LOOKUP_load_file(..) for self-signed cert is not working. Somehow
> it seems to be looking for a default CA certificate. This is the error
> I get:
>
> 533:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:175:fopen('/usr/lib/ssl/cert.pem','r')
> 533:error:2006D080:BIO routines:BIO_new_file:no such
> file:bss_file.c:182: 533:error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib:by_file.c:254:
> 533:error:0B065068:x509 certificate routines:BY_FILE_CTRL:loading
> defaults:by_file.c:112:
>
> I do not have any /usr/lib/ssl/cert.pem file on my system. I am on ubuntu 
> 20.04.
>
> Appreciate your help!
> -Satish