Question on ECC (openssl vs wcurve)

2014-03-28 Thread Gayathri Sundar
Hi All, Have a basic ECC question, I have a predefined scalar K, and I used the x9.62 256 prime curve. Invoking the scalar multiplication method EC_POINT_mul with the generator of that curve, I get a different output, when compared with wcurve of python. The curve is fixed, K is fixed but the

Re: openssl on a home LAN

2012-09-13 Thread Gayathri Sundar
...@openssl.org] *On Behalf Of *Gayathri Sundar *Sent:* Wednesday, September 12, 2012 10:07 AM *To:* openssl-users@openssl.org *Subject:* Re: openssl on a home LAN Hi John, I definitely do not agree with charles's email, but what I think he meant is, you need to write

Re: openssl on a home LAN

2012-09-12 Thread Gayathri Sundar
Hi John, I definitely do not agree with charles's email, but what I think he meant is, you need to write programs to use OpenSSL. Its an installable library, which you need to invoke from your application using its exposed APIs and recompile your code, link OpenSSL library and execute for it to

Re: openssl on a home LAN

2012-09-11 Thread Gayathri Sundar
unless somebody is gonna tap your LAN connection, I don't see a point in using SSL. Generally its useful only when you want to send secure application data over the internet. Intranets are safe esp ur 2 home computers :). thanks --Gayathri On Tue, Sep 11, 2012 at 11:36 AM, John A. Wallace

Re: Deadlock - SSL_Connect()

2012-01-16 Thread Gayathri Sundar
did you try making use of non blocking fd? it cannot deadlock if you use that. Thanks --Gayathri On Mon, Jan 16, 2012 at 10:17 AM, Nathan Smyth naf...@ymail.com wrote: Just seeking advice/things to consider for deadlock (or 'wait') on a SSL_Connect(). Unfortunately it stalls here, so

Re: Deadlock - SSL_Connect()

2012-01-16 Thread Gayathri Sundar
there be some issue with numerous SSL connections between the same parties? Or maybe it's some threading issue - perhaps SSL has some special considerations? -- *From:* Gayathri Sundar suraj...@gmail.com *To:* openssl-users@openssl.org *Sent:* Monday, 16 January 2012, 16

Re: hi

2011-08-24 Thread Gayathri Sundar
-- *From:* owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar [suraj...@gmail.com] *Sent:* Thursday, August 18, 2011 8:14 PM *To:* openssl-users@openssl.org *Subject:* Re: hi Hi, First of all your question is really strange. Please check your client

Re: creating Master-Key for encryption/decryption

2011-08-24 Thread Gayathri Sundar
key. How i can get this in server side? is there any code sample or snippet to get this key? Krishna On Tue, Aug 23, 2011 at 11:54 PM, Gayathri Sundar suraj...@gmail.com wrote: Master key is unique per session, and its same for both client and server, thats the concept

Re: creating Master-Key for encryption/decryption

2011-08-23 Thread Gayathri Sundar
side program is running in C. JDBC clients will establish the connection to the server. will the same Master key generated in the cross platforms(JDBC client side)? Any help will be great. Thanks for your time, Krishnamurthy On Mon, Aug 22, 2011 at 9:03 PM, Gayathri Sundar suraj

Re: hi

2011-08-22 Thread Gayathri Sundar
-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar [suraj...@gmail.com] *Sent:* Thursday, August 18, 2011 8:14 PM *To:* openssl-users@openssl.org *Subject:* Re: hi Hi, First of all your question is really strange. Please check your client and server settings as to which highest ssl

Re: creating Master-Key for encryption/decryption

2011-08-22 Thread Gayathri Sundar
Please read the RFC, it would clearly explain how the master secret is derived, and from that how the read and write keys are derived. With that you can get to know how to extract the read n write keys. Meanwhile the read and write keys are available as part of the ssl object. Check that structure

Re: hi

2011-08-18 Thread Gayathri Sundar
Hi, First of all your question is really strange. Please check your client and server settings as to which highest ssl version is enabled. Generally SSLv2 should be disabled and never negotiated. The code you're referring to is a piece of code that would be called when sslv3 is negotiated during

Re: Which openssl.cnf?

2011-08-12 Thread Gayathri Sundar
strace is a unix command wherein u need to attach the process which is linking with ur openssl library. It would tell the path from which all the libraries are loaded (for that process) along with a ton of other info. You would need to search the output of strace manually to figure out ur library

Re: Query Regarding usage of SSL_Connect()

2011-07-14 Thread Gayathri Sundar
Please dont expect much response to this question. Going thro the man pages of openssl will have all the necessary answers you are expecting. Do you homework before coding. Thanks --Gayathri On Thu, Jul 14, 2011 at 8:17 AM, Amit Kumar amit.kumar...@gmail.com wrote: Hi team, I am using

Re: State Machine with Managed C++

2011-07-01 Thread Gayathri Sundar
Did you implement fd timeouts and appropriate cleanups after some expiration? It's impossible for non blocking sockets to hang..so I am assuming ur having a lot of unused fds on ur poll table. On Friday, July 1, 2011, Harshvir Sidhu hvssi...@gmail.com wrote: Hi,   I have implemented the state

Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar
So finally u have agreed to my initial suggestion of state machines :) The basic steps in terms of an algorithm are as follows A. Create the ssl ctx and ssl. Obj B. Create a pair of memory bios and attach them to the ssl obj, one is for read and the other is for write. C. Create the tcp fds and

Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar
, unknown protocol Thanks. // Harshvir On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar suraj...@gmail.com wrote: So finally u have agreed to my initial suggestion of state machines :) The basic steps in terms of an algorithm are as follows A. Create the ssl ctx and ssl. Obj B. Create a pair

Re: SSL Communication using BIO

2011-05-23 Thread Gayathri Sundar
actually I would seriously recommend you read the OpenSSL book written by Eric Rescorla, it discusses all the use cases of openssl, BIO, async/sync usages..so that you get an idea of how OpenSSL itself works. On Mon, May 23, 2011 at 6:02 PM, Neo Liu diablo...@gmail.com wrote: I think you can

Re: SSL Communication using BIO

2011-05-22 Thread Gayathri Sundar
as Neo Liu has pointed out, if you try to use memory bio pair for communication, then its ur responsibility to read and write every byte out the fd using tcp_send and recv() calls, as openssl would only read and write into the bio. This approach is very very tedious and not sure if thats the only

Re: Application is failing with cipher or hash unavailable

2011-05-16 Thread Gayathri Sundar
You could hack ur client and server to use cipher null and see the alert in clear..mostly should be digest failure. On Monday, May 16, 2011, pradeepreddy pradeepreddy@gmail.com wrote: Hi, After lot of struggles, finally get rid of this error, but I cant tell the reason, how was it

Re: Application is failing with cipher or hash unavailable

2011-05-16 Thread Gayathri Sundar
Alert 21 seems to be decryption failure. Sent from my iPad On May 16, 2011, at 6:12 AM, pradeepreddy pradeepreddy@gmail.com wrote: Hi, After lot of struggles, finally get rid of this error, but I cant tell the reason, how was it rectified. We installed our libs on a new machine.

Re: Application is failing with cipher or hash unavailable

2011-05-16 Thread Gayathri Sundar
Of Gayathri Sundar Sent: Monday, 16 May, 2011 10:18 You could hack ur client and server to use cipher null and see the alert in clear..mostly should be digest failure. If you mean MAC failure (actually MAC-or-decryption-failure, since they were combined to avoid possibly helping

Re: Application is failing with cipher or hash unavailable

2011-05-12 Thread Gayathri Sundar
can you give some specific cipher like rc4-md5 using the --cipher command and see if it goes thro? maybe the 1st cipher suite sent by the client is not available with the server or something..you can use mozilla and edit the cipher suites in the advance tab or use openssl client connect command

Re: Clients glomming onto a listener

2011-05-11 Thread Gayathri Sundar
Eric, you must be really kidding this time :), servers with this architecture are susceptible to dos and what not..am sure for embedded systems where memory is a big limiting factor the best would be async design, also code becomes easily portable in future. On Wed, May 11, 2011 at 10:39 AM, Eric

Re: Core occurred while executing SSL_library_init() and call back method locking_function()

2011-05-11 Thread Gayathri Sundar
Can u share the parsed core file? On Wednesday, May 11, 2011, Mani Suresh suresh84...@gmail.com wrote: While executing the below code its coring randomly in two cases, 1) While executing the method SSL_library_init() in the constructor. 2) Coring while executing the call back method

Re: Multiple connection from 1 client

2011-05-10 Thread Gayathri Sundar
, 2011 at 6:03 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh, Okay from what I can understand, if you make ur underlying fd non blocking then it would work fine. Blocking FDs, unless and until one client is finished with its processing the other client

Re: Multiple connection from 1 client

2011-05-09 Thread Gayathri Sundar
change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. // Harshvir On Fri, May 6, 2011 at 10:33 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh., If u have any specific

Re: Multiple connection from 1 client

2011-05-06 Thread Gayathri Sundar
Harshvir, SO_REUSEADDR sock option has nothing to do with ur problem, please go thro the socket ops man page to get a better understanding. First find out if ur server code is a blocking i/o or non blocking I/O..if former then connections will be handled sequentially..only after the 1st client is

Re: Using OpenSSL with non-blocking I/O

2011-05-06 Thread Gayathri Sundar
I think the openssl src already has sample server and client programs which are written in non blocking mode ..check wserver2.c if I am able to recall. On Fri, May 6, 2011 at 2:42 PM, Graham Leggett minf...@sharp.fm wrote: On 06 May 2011, at 9:23 PM, derleader mail wrote: Can you show us

Re: Multiple connection from 1 client

2011-05-06 Thread Gayathri Sundar
WireShark to see packets, then it shows that machine has received the packet from client. But server dont show that alert. Thats why i think it could be some socket option which is affecting it. // Harshvir On Fri, May 6, 2011 at 5:37 PM, Gayathri Sundar suraj...@gmail.com wrote: Harshvir

Re: Multiple connection from 1 client

2011-05-06 Thread Gayathri Sundar
to make that as non blocking? Thanks. On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh, Okay from what I can understand, if you make ur underlying fd non blocking then it would work fine. Blocking FDs, unless and until one client is finished with its processing

Re: Multiple connection from 1 client

2011-05-06 Thread Gayathri Sundar
: Thanks for the reply Gayathri. Do you mean to changing the sockets to non blocking, or when i create bio for ssl to make that as non blocking? Thanks. On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh, Okay from what I can

Re:SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option...

2008-04-10 Thread Gayathri Sundar
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is used to thwart some CBC attacks. check out this link for details http://www.openssl.org/~bodo/tls-cbc.txt Thanks --Gayathri Hi, The client is configured with SSLv3_client_method. *ctx = SSL_CTX_new(SSLv3_client_method());* Whenever the client tries

Fwd: [Fwd: Re: How to handle dead sessions with SSL_write]

2008-03-03 Thread Gayathri Sundar
From: Gayathri Sundar [EMAIL PROTECTED] Date: Fri, Feb 29, 2008 at 9:35 AM Subject: [Fwd: Re: How to handle dead sessions with SSL_write] Original Message Subject: Re: How to handle dead sessions with SSL_write From:Gayathri Sundar

Re: Problem with SSL_WRITE

2008-02-28 Thread Gayathri Sundar
Hi, We are using OPEN SSL library in our client server application. We are using SSL_WRITE and SSL_READ api used to read and write operations between them. Connection is broken When server sends very large message (more than 56K) using SSL_WRITE api. We fixed problem with set

Query: DH Cipher Suite -- HELP

2007-08-17 Thread Gayathri Sundar
Hi There., Marek, hope ur reading this mail. I am hitting a strange problem with Openssl. Recently I migrated from OpenSSL-0.9.8a to OpenSSL-0.9.8d, from the release notes, I see that some fixes have gone into cipher selection logic of OpenSSL. Now for the same CLIENT HELLO message (same as in

Re: Rehandshake in tls1

2007-05-06 Thread Gayathri Sundar
Thanks marek, I didnt know abt the R option on s_server. Is it possible to make IE renegotiate? I have a rather complex testing requirement and I cannot test using s_client, somehow I need to ensure the client triggers renegotiation. I got a KB on IE http://support.microsoft.com/kb/265369 and

Rehandshake in tls1

2007-05-03 Thread Gayathri Sundar
Hi folks., I would like to know as an ssl server, when do I send a Hello request on the wire? Based on what parameters should I trigger that? I have quite a few questions based on this A) Does the re-handshake happen on the existing tcp connection? i.e the tcp connection over which the hello

Re:do_cipher

2007-05-01 Thread Gayathri Sundar
Hi All, I am using EVP functions for AES encryption/Decryption. Please can any one tell me how to find the exact AES encryption/decryption routines called when do_cipher is invoked? did you try single stepping using gdb or something? thats the easiest way to find out..or checkout the cipher

Re:Verification error

2007-04-09 Thread Gayathri Sundar
Hi, I'm trying to verify a cert chain against a trusted chain of cert, and here's what i get error 20 at 1 depth lookup:unable to get local issuer certificate can someone shed some more light at the error, like 1) what does it mean Its not able to find the CA that signed your

Re:RSA Key Block

2007-04-09 Thread Gayathri Sundar
Whatever you have mailed is correct, but I believe the TLS 1.0 RFC explains all these in details. Try reading 2246 from ietf.org. Thanks --Gayathri Hi All I have a general question about RSA Key Block. The output of PRF with the master_secret to give us many keys. It includes:

Re:BIO or no BIO ?

2007-04-08 Thread Gayathri Sundar
its always better to use BIO for easier migration in the future if for some reason some enhancement/changes are to be done in your product. Also while using SSL_set_fd, socket BIO is automatically created and attaches to the TCP fd. What you can do is to create explicitly a read bio and a write

Re: SSL_connect and SSL_accept

2007-03-30 Thread Gayathri Sundar
- From: Gayathri Sundar [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Friday, March 30, 2007 9:25 AM Subject: Re: SSL_connect and SSL_accept I am quite clear with your problem and am not confused. The only point I have been stressing from beginning is that SSL_connect due to WHATEVER error

RE: SSL_connect and SSL_accept

2007-03-29 Thread Gayathri Sundar
Yes, I agree with you, but then why would the CLIENT get an ERROR? 2) The client calls SSL_connect(). The underlying socket is in blocking mode 3) SSL_connect() returns error. 4) The server does not notice this, and continues to wait in SSL_accept(). if SSL_connect indeed has returned with

Re: Regarding ssl3_mac

2007-03-29 Thread Gayathri Sundar
update? Thanks --Gayathri Gayathri Sundar wrote: Can someone give me inputs on the function ssl3_mac, especially where it is called s->method->ssl3_enc->mac(s,&(p[wr->length]),1); I need to know what p[wr->length] is pointing to and why we do a digest update of 2 bytes from that. The code

Re: SSL_connect and SSL_accept

2007-03-29 Thread Gayathri Sundar
with respect to the current thread. So I will send a new post for that. Thank you everyone for responding. ~ Urjit - Original Message - From: Gayathri Sundar [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Thursday, March 29, 2007 1:02 PM Subject: RE: SSL_connect and SSL_accept Yes, I agree

Re: SSL_connect and SSL_accept

2007-03-29 Thread Gayathri Sundar
by SSL_accept() and SSL_accept() will now error out saying it read invalid SSL handshake packet. Now as I write down this whole thing, I wonder if even non-blocking sockets can help. Does it look more like a design issue ? ~ Urjit - Original Message - From: Gayathri Sundar [EMAIL PROTECTED

Regarding ssl3_mac

2007-03-28 Thread Gayathri Sundar
Can someone give me inputs on the function ssl3_mac, especially where it is called s->method->ssl3_enc->mac(s,&(p[wr->length]),1); I need to know what p[wr->length] is pointing to and why we do a digest update of 2 bytes from that. The code is taken from s3_pkt.c function ssl3_write_bytes. Thanks

Re: SSL_connect and SSL_accept

2007-03-28 Thread Gayathri Sundar
I am wondering if the following scenario possible: 1) The server calls SSL_accept(). The underlying socket is in blocking mode 2) The client calls SSL_connect(). The underlying socket is in blocking mode 3) SSL_connect() returns error. 4) The server does not notice this, and continues to wait in

Re: Key files in dat formats

2007-03-28 Thread Gayathri Sundar
its probably a shown as a data file coz its encrypted..how did you generate the cert? U should be using a PKCS12 format for importing that stuff into the browser/server..btw are you telling it from windows's perspective? Hi, I have a SSL server application in which the certificate file is

IE not working with DSA certificates

2006-12-04 Thread Gayathri Sundar
Hi Folks., Am facing a persistent problem with Internet Explorer not able to talk to SSL Server when configured with a DSA certificate. SSL CTX has the set_tmp_dh_params enabled and the code looks pretty much correct as Mozilla/Firefox/Opera is working fine with the exact same SSL Server

RE: Compiling OpenSSL 0.9.8d for Win32

2006-11-29 Thread Gayathri Sundar
Check out ssl/ssl_ciph.c to get an idea. Thanks --Gayathri From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Krishna Vennamaneni Sent: Thursday, November 30, 2006 9:13 AM To: openssl-users@openssl.org

RE: What does PEM mean?

2006-07-31 Thread Gayathri Sundar
Wow, I was thinking its Privacy Enhanced Mode!! ?? No? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mouse Sent: Tuesday, August 01, 2006 6:47 AM To: openssl-users@openssl.org Subject: RE: What does PEM mean? PEM = Privacy-Enhanced Mail.

RE: openssl command

2006-07-28 Thread Gayathri Sundar
Wonder why you need a pfd format!! Does man openssl mean anything to you? Now how could anyone respond to ur query?? First of all let us know what you want to use it for Coz openssl commands are plenty.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: Query On SSL Processing

2006-07-24 Thread Gayathri Sundar
Hi Marek., Thanks once again for the detailed response.. Me now have a few more doubts.. Does this read_mac_secret and write_mac_secret change with Every md5 hash verification? I am not able to locate the code which actually updates this tcp Seq numbers and so on..what does this hash_update

RE: Query On SSL Processing

2006-07-24 Thread Gayathri Sundar
Marek, There seems to be no such function in openssl (ssl3_record_sequence_update())!! Can you pls tell where exactly this SSL sequence number is updated. Thanks --Gayathri -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola Sent: Monday,

RE: Query On SSL Processing

2006-07-24 Thread Gayathri Sundar
Thanks Marek..appreciate ur help.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola Sent: Monday, July 24, 2006 4:04 PM To: openssl-users@openssl.org Subject: RE: Query On SSL Processing Hello, There seems to be no such function in openssl

Query On SSL Processing

2006-07-21 Thread Gayathri Sundar
What would happen if openssl is starved of application data records and is fed only control messages? Would it misbehave? Thanks --Gayathri

RE: Query On SSL Processing

2006-07-21 Thread Gayathri Sundar
Thanks Marek, can you explain more on this MAC verification errors? When I can ensure only control records are read by SSL_read, why should I get such errors? Yeah, ur correct, I will discard application records ;) (don't ask me how!!) but then openssl will work rite? What I have to do next

RE: Query On SSL Processing

2006-07-21 Thread Gayathri Sundar
Ok, what I meant is I will be removing the SSL record along with the app data!! So this should be fine right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Salz Sent: Friday, July 21, 2006 5:28 PM To: openssl-users@openssl.org Subject: RE:

RE: Query On SSL Processing

2006-07-21 Thread Gayathri Sundar
Thanks Richard..but I was thinking only SSL RECORDS with Record Type APP DATA Contain application data!!! If I can ensure that only complete SSL Records of Type Handshake, Change cipher spec, and Alerts are given to OpenSSL, it can process it rite? This way how can openssl know that app data

RE: Does Openssl cache App data -- 2nd Try..

2006-07-07 Thread Gayathri Sundar
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Schwartz Sent: Friday, July 07, 2006 10:57 AM To: openssl-users@openssl.org Subject: RE: Does Openssl cache App data -- 2nd Try.. a. Does this msg_callback get executed after peek? or after read? if

RE: Does Openssl cache App data -- 2nd Try..

2006-07-06 Thread Gayathri Sundar
Thanks once again for the responses...I would like to add few more points here..there seems to be a callback function (msg_callback) within the ssl_st structure, which when registered by the application for a specific content type, SSL_read, seems to call that if a pkt of that content type is seen

Does Openssl cache App data

2006-07-04 Thread Gayathri Sundar
Hi., Following is the comments written on s3_pkt.c before the function ssl3_read_bytes Return up to 'len' payload bytes received in 'type' records. * 'type' is one of the following: * * - SSL3_RT_HANDSHAKE (when ssl3_get_message calls us) * - SSL3_RT_APPLICATION_DATA

SSL_read/SSL_write from kernel

2006-06-28 Thread Gayathri Sundar
Hi., Does openssl as such provide support for packet processing from kernel..i.e what do I have to do to invoke SSL_read/write from kernel..has anyone attempted this before. Thanks --Gayathri __ OpenSSL Project

SSL_read/SSL_write from kernel

2006-06-28 Thread Gayathri Sundar
Hi., Does openssl as such provide support for packet processing from kernel..i.e what do I have to do to invoke SSL_read/write from kernel..has anyone attempted this before. Thanks --Gayathri

RE: SSL_read/SSL_write from kernel

2006-06-28 Thread Gayathri Sundar
Thanks, but let me rephrase my question. There seems to be a requirement for us to process SSL app data from kernel, wherein I would like to read the sk_buff and pass it to a crypto acclerator (hardware/software), but we face a problem wherein for block ciphers, we

RE: SSL_read/SSL_write from kernel

2006-06-28 Thread Gayathri Sundar
Thanks Marek..yeah, its more to do with processing block ciphers from kernel rather than SSL as such, my question to be exactly precise is for me to find out how to feed exact multiples of block cipher length from sk_buff, when they are internally fragmented in physical/virtual memory within an

RE: SSL_connect returns 0, with no error

2006-05-06 Thread Gayathri Sundar
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Dennison Sent: Friday, May 05, 2006 7:23 PM To: openssl-users@openssl.org Subject: SSL_connect returns 0, with no error I am currently experiencing an issue using SSL_connect() on a

Re: [Resending] Export 1024 ciphers

2006-04-28 Thread Gayathri Sundar
did you try man ciphers? EXP1024 has to work on 1024 bit key, which is why it is called so, definitely they are stronger than normal EXP ciphers..once again EXP ciphers are reduced in strength so that it can be exportable in US, and I believe now there are no such restrictions..at least thats what

RE: Question on PEM_read_RSA_PUBKEY

2006-04-27 Thread Gayathri Sundar
what do you mean by decrypt a signed message? either u have to decrypt the encrypted message, or rehash and check the msg digest i.e the sha/md5 signature. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ambarish Mitra Sent: Thursday, April 27, 2006 5:16 PM

RE: errno=5 in SSL_read( )

2006-04-20 Thread Gayathri Sundar
. thanks, Haridharan On 4/20/06, Gayathri Sundar [EMAIL PROTECTED] wrote: I too faced similar problem when I pumped heavy data via smart bits.. this piece of code worked for me..btw the underlying bio is non blocking.. do { ERR_clear_error(); nbytesread

RE: errno=5 in SSL_read( )

2006-04-19 Thread Gayathri Sundar
I too faced similar problem when I pumped heavy data via smart bits.. this piece of code worked for me..btw the underlying bio is non blocking.. do { ERR_clear_error(); nbytesread = SSL_read(pSSLObject,pBuffer,BufSize); if(nbytesread 0 ) { totalbytesread += nbytesread; pBuffer =

RE: Problem connecting using SSL_connect

2006-04-05 Thread Gayathri Sundar
The accept could have failed for any reason such as mismatch of ssl versions/ no matching ciphers/ untrusted certificate / so check on the wire whats going on. From your code snippet, am not sure what exactly setup_client_ctx() does or what ciphers have been set on the server ctx..the SSL_METHOD

RE: closing client connection problem

2006-04-05 Thread Gayathri Sundar
AFAIK, tcp read can return Zero, as numbytes read, and does not mean that the fd is invalidated. I think you should use SSL_received_shutdown or something which checks if any close has been initiated by the server.. Attempting write when a close was received will result in sigpipe..

RE: SSL_accept blocks forever

2006-03-10 Thread Gayathri Sundar
Have you set the underlying FD to nonblocking (FIONBIO?)..I dont see why if the socket non blocking flag is set, you should have this problem..it doesnt make sense.. Thanks --G3 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Henry Yip

RE: Choice of CAs in SSL/TLS handshake

2006-03-07 Thread Gayathri Sundar
you can put CA2 as part of the revocation list? if CA2 is part of the client's CRL, then it will automatically be rejected..is this what you want? Thanks --G3 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Olaf Gellert Sent: Tuesday, March 07, 2006 5:26 PM

RE: Choice of CAs in SSL/TLS handshake

2006-03-07 Thread Gayathri Sundar
I think verify depth of 1 will work only for self signed certificates, in this case it wont work, you should override the default certificate checking functions by registering ur own callback for this function pointer in ssl_st. int (*verify_callback)(int ok,X509_STORE_CTX *ctx) as you already

RE: Testing private key - public key consistency

2006-03-06 Thread Gayathri Sundar
Probably you can try the openssl verify command? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Julien ALLANOS Sent: Monday, February 06, 2006 6:38 PM To: openssl-users@openssl.org Subject: Testing private key - public key consistency Hello, is there a

RE: SSL_shutdown and SIGPIPE

2006-02-13 Thread Gayathri Sundar
on (if you needed that). -Kyle H On 2/12/06, Gayathri Sundar [EMAIL PROTECTED] wrote: Probably you can call the following iRet = SSL_get_shutdown(pSSL); if(iRet = 0) SSL_shutdown(pSSL); This is because, SSL_shutdown writes data on the wire, i.e the closure alerts..and if a FIN was received

RE: Certificate chain question

2006-02-12 Thread Gayathri Sundar
I think you should load myside.com as well onto the browser.. as it is needed to verify part.myside.com. Thanks --G3 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Zaid Sent: Sunday, February 12, 2006 5:33 AM To: openssl-users@openssl.org Subject:

RE: SSL_shutdown and SIGPIPE

2006-02-12 Thread Gayathri Sundar
Probably you can call the following iRet = SSL_get_shutdown(pSSL); if(iRet = 0) SSL_shutdown(pSSL); This is because, SSL_shutdown writes data on the wire, i.e the closure alerts..and if a FIN was received meanwhile, you will catch a SIGPIPE..this piece of code, actually saves me from this..

Query on IE's SSL Renegotiation

2006-01-20 Thread Gayathri Sundar
Hi there., Have some queries on the way IE is handling SSL Renegotiation. 1. Whenever IE receives a Client Cert req from the Server, say when it is talking for the 1st time (IE gonna connect to this ssl server for the very 1st time), it immediately closes the TCP connection abruptly by sending a

Re: BIO_read is continuously returning -1

2005-12-28 Thread Gayathri Sundar
Hi Pankaj., This difference in the HTTP response header is very critical. It influences the way in which the Client is going to behave. In case of 1, as the Connection: Close header is sent as part of the response, the http server will initiate the tcp teardown and need not bother sending the

Re: BIO_read is continuously returning -1

2005-12-28 Thread Gayathri Sundar
Forgot to mention that perhaps your client does not understand HTTP 1.1? Check whether the redirect request came back to the server. Hi Pankaj., This difference in the HTTP response header is very critical. It influences the way in which the Client is going to behave. In case of 1, as the

problems generating certificates

2005-12-28 Thread Gayathri Sundar
edit ur openssl.cnf to point to the correct ca certificate and its private key..obviously the file is not the path that the cnf is looking at.. hi everybody, well finally get install openssl v0.9.8a, now when i try to generate certificates to be used with freeradius (eap-tls or eap-peap) i use

Re:Re: BIO_read is continuously returning -1

2005-12-28 Thread Gayathri Sundar
Original Message Subject: Re:Re: BIO_read is continuously returning -1 From:Gayathri Sundar [EMAIL PROTECTED] Date:Wed, December 28, 2005 4:59 am To: openssl-users@openssl.org

RE: How do I correctly handle SSL_shutdown?

2005-12-21 Thread Gayathri Sundar
AFAIK, if a close notify is not sent, then the ssl connection termination is considered premature and the session cannot be reused. The specification does not define it as a MUST, rather it is defined as a SHOULD. If session reuse is not a necessary criteria (if you're willing to compromise

Re: How do I correctly handle SSL_shutdown?

2005-12-20 Thread Gayathri Sundar
Gayathri Sundar wrote: Hi., I think that depends on the mode of SSL meaning blocking/non blocking, If its the latter then you need to select again before calling the 2nd ssl shutdown and check whether the close notify from the peer is received by checking the ssl_received_shutdown flag

Re: How do I correctly handle SSL_shutdown?

2005-12-19 Thread Gayathri Sundar
Hi., I think that depends on the mode of SSL meaning blocking/non blocking, If its the latter then you need to select again before calling the 2nd ssl shutdown and check whether the close notify from the peer is received by checking the ssl_received_shutdown flag. If this flag is not set, then

RE: Enable Client Authentication using [ Openssl s_server ]

2005-12-08 Thread Gayathri Sundar
Try using one of these two -verify arg - turn on peer certificate verification -Verify arg - turn on peer certificate verification, must have a cert. in the command, btw u can get the whole list of options in man s_server -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

Doubt on SSL_ERROR_SYSCALL

2005-09-28 Thread Gayathri Sundar
Hi., Have a small doubt on how the application needs to react for an SSL_ERROR_SYSCALL. What do I have to do when I actually attempted an SSL_READ and endedup with that error code, now should the operation need to be retried based on errno or should this be regarded as a fatal? If it needs to be

Re: Client authentication problem

2005-07-14 Thread Gayathri Sundar
Hi Again., This is what I found from the log file you sent..is this pointing to the same CA cert itcilo-ca.crt, I put it in ssl.crt ? debug] ssl_engine_init.c(1112): CA certificate: /C=IT/ST=Piemonte/L=Turin/O=ITCILO/OU=MIS/CN=ITCILO CA/[EMAIL PROTECTED] [Wed Jul 13 11:48:34 2005] [debug]

Re: Client authentication problem

2005-07-14 Thread Gayathri Sundar
Hey can you try setting verify depth to Zero and not pointing to any CA cert i.e SSLCACertificatePath pointing to null? Thanks --Gayathri Hi Again., This is what I found from the log file you sent..is this pointing to the same CA cert itcilo-ca.crt, I put it in ssl.crt ? debug]

Re: Client authentication problem

2005-07-13 Thread Gayathri Sundar
Hi. Have you imported the CA of the client cert on the server side? A verify depth of 1 has been set, which could mean that the client cert is self signed? Can you set it to some higher value and try? Also can you check whether the option SSL_VERIFY_FAIL_IF_NO_PEER_CERT? It looks to me a

Re: Reducing size of the OpenSSL library

2005-06-24 Thread Gayathri Sundar
Original Message Subject: Re: Reducing size of the OpenSSL library From:Gayathri Sundar [EMAIL PROTECTED] Date:Fri, June 24, 2005 12:05 am To: [EMAIL PROTECTED

RE: [Fwd: Re: Queries over OpenSSL programs]

2005-06-15 Thread Gayathri Sundar
Hi there, Can any body please tell me, where can I find the answers to these questions? Thanks -Rohan Original Message Subject: Re: Queries over OpenSSL programs From:Rohan Shrivastava [EMAIL PROTECTED] Date:Wed, June 8, 2005

RE: [Fwd: Re: Queries over OpenSSL programs]

2005-06-15 Thread Gayathri Sundar
Hi there, Can any body please tell me, where can I find the answers to these questions? Thanks -Rohan Original Message Subject: Re: Queries over OpenSSL programs From:Rohan Shrivastava [EMAIL PROTECTED] Date:Wed, June 8, 2005

[Fwd: Need help on NonBlock SSL Renegotiation]

2005-06-09 Thread Gayathri Sundar
Original Message Subject: Need help on NonBlock SSL Renegotiation From:Gayathri Sundar [EMAIL PROTECTED] Date:Thu, June 9, 2005 1:39 am To: 'openssl-users@openssl.org

[Fwd: RE:I am having a hard time getting SSL_Accept to work with a non blocking socket]

2005-06-06 Thread Gayathri Sundar
Original Message Subject: RE:I am having a hard time getting SSL_Accept to work with a non blocking socket From:Gayathri Sundar [EMAIL PROTECTED] Date:Sun, June 5, 2005 11:33 pm To: openssl-users@openssl.org
