Hi Guys,
I came across a case where ERR_get_error() returns 0 whereas I expect it to
return some valid error code. The case is when an invalid certificate file is
passed to SSL_CTX_load_verify_locations().
You may want to refer to the following url:
Looks like the server doesn't even get the Client hello message.
Did you check the state of your client? Is it stuck in SSL_connect (it
should be, I believe)? Where is it stuck?
Use the s_client / s_server applications (which come with openssl), if possible, to
figure out the issue.
You may wish to use
These functions do perform the encryption / decryption along with some other
functionality. So you don't have to encrypt the message before you pass the
buffer to SSL_write, or decrypt the data in the buffer you use with SSL_read.
- Original Message -
From: AlokBhatnagar
To:
Hello everyone,
I would like to know your view on the following: would the performance impact for
transmitting 'X' bytes of unencrypted data over an SSLized channel be almost the same
irrespective of the number of SSL_* calls?
Consider I am using a buffer of size 'buf_size' for SSL_read/write
You can either build these from the source, or get the binaries.
If you prefer to build from the source, download the source from
http://www.openssl.org/source and read INSTALL.W32
If you prefer to get the precompiled libraries, you can get them from
http://www.openssl.org/related/binaries.html
Hello,
I had sent this mail to the list some time back, and didn't hear back. So I am
not sure if it even reached the group.
Here is the second attempt. Any help/suggestion is highly appreciated.
~ Urjit
I observed that on few platforms, the random device is missing. Due to
Hello,
I observed that on few platforms, the random device is missing. Due to this,
the SSL_connect fails. I would have to use -rand option of s_client for
successful connection.
On such platforms, even my client application fails due to the missing random
number generator device.
For eg. On
Hello everyone,
I have a client that attempts to open a secured session with the server. After
calling SSL_connect(), on failure, the client would free the SSL object, and
read the response on normal tcp socket.
On the other hand, the server calls SSL_accept(), and on failure, would free
the
To begin with, when the client calls SSL_connect(), it is guaranteed that
the server is waiting / looping in SSL_accept(). So I believe there is no
chance that SSL_connect() will read any plaintext data.
In my scenario, the ERR_reason_error_string(ERR_get_error()) tells me that
there was a
However, when I want to link openssl from my application, linker
cannot resolve the functions that are archived into libcrypto, and as
I could see from the make command line outputs libcrypto is not
archived into libssl.
Is it possible to combine libcrypto into libssl? Or is it worth to
No response yet :-(
Please let me know if you guys need any more information in order to help me
understand what is going wrong here.
ERR_reason_error_string() and ERR_get_error() do not give me anything back.
- Original Message -
From: Urjit Gokhale
To: Urjit Gokhale ; openssl
on AIX box. Note that the above
two lines are still there.
strace on the AIX box doesn't give any output at all.
I have no clue why the SSL_connect is failing.
It will be great if anyone could suggest a way to figure out what is going
wrong here.
~ Urjit
- Original Message -
From: Urjit
considered as proposition to discussion. Real, secure programming
should
be based on existing, well checked protocols (which is possible in
this
case).
The OP was going to embed his CA's private key in his installer.
The OP was not thinking clearly about key management. My first
Hi,
I am running an application on HPUX 11i.
The application fails in SSL_connect(). I tried to print the error message with
the following code snippet:
==
ret = SSL_connect(ssl);
if (ret != 1)
{
char *m_file, *m_data;
int m_line = 0 , m_flags = 0;
Thank you very much David for your response.
I doubt if self signed certificate will be a good idea, as
against a signed
certificate.
With the approach I am proposing, the server installer itself works like
a
CA.
Only an authorized person will have access to this installer (say
For now, my purpose is not to establish and identity of a server with
the
certificate. I plan to use a signed certificate, so that the client can
be
sure
that the server indeed holds the private key associated with the
public key
provided by the server in its certificate.
You have a
Thank you very much for your response , David and Victor. I really
appreciate it.
So could someone guide me with the best practices used in such
scenarios?
Is there a way to securely embed the private key in the installers / CA
certificate?
I guess I'm confused. What purpose would a
Hello everyone,
I have a server application that will use Openssl to communicate with its
clients over SSL secured channel.
This server requires a unique signed server certificate.
I plan to use my personal CA to issue these server certificates.
Now for the ease of deployment, I plan to create
Sent: Monday, September 10, 2007 2:37 PM
Subject: Re: Openssl 0.9.8e build fails on HP Itanium
On 9/10/07, Urjit Gokhale [EMAIL PROTECTED] wrote:
ld: Duplicate symbol __divxf3 in files
/usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/hpux64/libgcc.a[__divxf3.oS]
and
/usr/local/lib/gcc/ia64-hp
-
From: Grzegorz Rusin [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Monday, September 10, 2007 2:37 PM
Subject: Re: Openssl 0.9.8e build fails on HP Itanium
On 9/10/07, Urjit Gokhale [EMAIL PROTECTED] wrote:
ld: Duplicate symbol __divxf3 in files
/usr/local/lib/gcc/ia64-hp
Hello all,
I had sent this mail on openssl-dev, and haven't heard back yet. Thought of
asking it here.
Apologies if there are unnecessary details, but I felt like providing as much
information as possible.
I am building openssl 0.9.8e on an HP Itanium system.
---
bash-2.05b$ uname -a
HP-UX
Thank you everyone for your replies.
I will try them out and will get back to you again in case I have any more
questions.
Thanks a lot.
~ Urjit
- Original Message -
From: Smith, Ryan-P56787 [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, August 08, 2007 11:37 PM
Hi,
While creating certificate requests using openssl, one is prompted for some
information like Country name, State, Locality name etc.
Though these parameters have defaults set, one has to hit return to move ahead.
Is there a way to achieve this without being prompted for any information
Hello everyone,
I have been writing code to secure my client-server application. It has been
almost a year now, since I entered the world of OpenSSL. I have been reading
about key exchange, symmetric ciphers, certificates etc. and for that matter I
have used all this in the code through the
This has nothing to do with openssl in particular. This is a general socket
programming scenario.
You can set your socket to non-blocking mode using fcntl(socket, F_SETFL,
O_NONBLOCK) / ioctlsocket(AcceptSocket, FIONBIO, NonBlock)
Google or RTFM if you wish to know more about these functions.
As per my understanding, using public key cryptography for encryption is much
more expensive than using symmetric key cryptography. So generally the main
communication is encrypted using symmetric key cryptography, whereas public key
cryptography is used to exchange keys and other information
Still no response :-(
Could someone please help me clarify my doubts?
thanks,
~ Urjit
- Original Message -
From: Urjit Gokhale [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, May 24, 2007 4:28 PM
Subject: Re: Certificates, users and machines
Thanks for your reply.
I
Thank you very much for the response.
For both the responses I got, it looks like the server needs to access the
information (whether identity or attribute or whatever) present in the
certificate
and use that to decide the permissions for the peer that presented this
certificate.
Is my
of that attack, and set your
policies appropriately.)
I hope this information helps.
-Kyle H
On May 16, 2007, at 3:33 AM, Urjit Gokhale wrote:
Hello everyone,
I have some doubts about certificates, which I wish to get
clarification on.
Here is my understanding about certificates
Hello everyone,
I have some doubts about certificates, which I wish to get clarification on.
Here is my understanding about certificates:
* Certificates bind the public key with some other information like the name of
the owner(user), who generated the certificate, the validity period etc.
*
Hello all,
As we all know, the SSL object can work either with direct tcp sockets
(SSL_set_fd()) or can work on top of socket BIO objects.
In my current project, I am using SSL directly on top of tcp sockets (no BIOs).
I wonder whether I lose some functionality provided by the BIO layer?
What are
Thanks for replying. I guess we are on the same page now. The only thing is
that you are asking the same question that I am asking everyone on this list
What scenario may cause the SSL_connect to return error to the caller,
without writing a single byte on the underlying tcp connection (which
snip
I have spent quite some time with SSL_connect, and apart from tcp level
socket failures (transient/fatal) and SSL Handshake failures it cannot
return error, so your case is NOT POSSIBLE unless the HOST has run out of
memory wherein Openssl_malloc itself fails. So I don't suppose you need to
Hmm...
I am surprised to see how I have managed to confuse you. I thought my
previous post was pretty clear.
Anyway, I will try to explain again.
The client and server have an existing tcp connection, which is healthy.
There is no problem with the tcp connection throughout the scenario.
The
Hello,
I am wondering if the following scenario possible:
1) The server calls SSL_accept(). The underlying socket is in blocking mode
2) The client calls SSL_connect(). The underlying socket is in blocking mode
3) SSL_connect() returns error.
4) The server does not notice this, and continues to
If the scenario mentioned above is possible, then the server
will be blocked in the SSL_accept() (until the underlying tcp
connection is broken) and hence won't be able to service other
clients' connection requests
This is the Toyota Principle, you asked for it, you got it. If you don't
Hello,
Could someone help me understand what is happening here?
~ Urjit
- Original Message -
From: Urjit Gokhale [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, January 18, 2007 9:13 PM
Subject: Re: My ssl client connects without the knowledge of root CA
certificate
the knowledge of root
CAcertificate
Hi,
I have a sample SSLized client server program.
I am not using SSL_CTX_load_verify_locations() in the client and still my
client is able to connect to the server.
I wonder how this could be possible. How would the client be able to
authenticate the server certificate without the knowledge of
:
SSL_CTX_set_verify (sslctx, SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
If not it is probably the solution ;)
Alexis
Urjit Gokhale wrote:
Hi,
I have a sample SSLized client server program.
I am not using SSL_CTX_load_verify_locations() in the client and still
my client
Check this out
http://www.openssl.org/docs/crypto/ERR_error_string.html
HTH
~ Urjit
- Original Message -
From: Carlo Agopian [EMAIL PROTECTED]
To: openssl-users@openssl.org
Cc: Carlo Agopian [EMAIL PROTECTED]
Sent: Tuesday, October 24, 2006 9:58 PM
Subject: RE: SSL_read()
Hi Mark,
Why are you forking a child that you want to directly access the SSL
stream, then? Why not have the child write into shared memory, and
have the parent send it out itself?
Well ... an option of creating a thread in the parent that would work as
a proxy for the child, taking care of all the
I think that all SSL read/write operation may be performed in parent.
Child may communicate with socket/pipe/popen or other IPC mechanism.
For example assume that server parent has established SSL connection
with client parent and waits for commands from client.
Client sends information to
Hi,
Hello,
For the moment, I have a kind of supervisor which
accepts a connection, reads some data on the socket and
then starts the process which is able to handle this
data (using createprocess/execv). The socket's
handle is shared with this process and therefore the
process is able
Thank you for the quick reply.
Please find my comments inline
- Original Message -
From: Kyle Hamilton [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, October 10, 2006 11:48 PM
Subject: Re: How to share SSL session when using CreateProcess/execv
The receiver state and
Hi all,
I am in the process of securing an existing
application, and am weighing the feasibility of different approaches. I have
already asked a few questions on the list in this regard and got pretty good
response, that helped me understand OpenSSL implementation better. I thank you
all for
- Original Message -
From: Darryl Miles [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Friday, October 06, 2006 4:50 PM
Subject: Re: Need help: Understanding SSL object in multi-threaded
environment
Mark wrote:
I think it would be helpful for me. If we need to prevent
Hi all,
I have some doubts about openssl and
multithreaded environment. I will appreciate if you could help me understand
this better.
It is said that openssl is thread-safe with a
limitation that "an SSL connection may not
concurrently be used by multiple threads"
I am not clear on this
- Original Message -
From: Mark [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Thursday, October 05, 2006 2:49 PM
Subject: RE: Need help: Understanding SSL object in multi-threaded
environment
you may use the same H_SSL_CTX (handle to an SSL context) in
concurrent threads.
server process should not handle SSL
for the current connection at all.
E.g.:
/*
sock is the socket descriptor,
ctx is a pointer to SSL_CTX
*/
...
SSL *ssl = SSL_new(ctx);
SSL_set_fd(ssl, sock); /* SSL_set_fd() takes the SSL object and the socket */
...
/* continue with SSL handshake */
Thanks,
Vlad
On 9/28/06, Urjit Gokhale [EMAIL PROTECTED
Of Urjit Gokhale
Sent: Friday, September 29, 2006 5:03 AM
To: openssl-users@openssl.org
Subject: Re: SSL objects in fork() - exec scenario
Hi Vlad and Dave,
Thank you for your response.
Unfortunately I do not have the freedom to change the existing
implementation from fork/exec to threads
Hi,
Mentioned below is a normal tcp scenario. Could
someone tell me how the following scenario can be handled in an SSL secured
environment
A. Client establishes a tcp connection with the
Server
B. Server Forks.
C. Server exec's to start a new process. It
passes its socket descriptor to the new
as in 0.9.7 and I have now managed to
build shared libraries. I'm running the tests as I write this and it looks
at least some test works okay now. :-)
/Leif
Urjit Gokhale wrote:
Hi everyone,
I am having problem building openssl on HP Itanium 64 bit box.
Attached are the files that show
Hi everyone,
I am having problem building openssl on HP
Itanium 64 bit box.
Attached are the files that show the output of
Configure and make. The output of make is stripped to show the last section
where error is reported.
The error is
ld: Unknown input
file type: "./libcrypto.so"Fatal
Hi,
how does openssl 0.9.8b support tls? I went
through the code and it looks like tls is just like an alias for
SSLv3.
Can someone tell me where exactly TLS1 and SSLv3
differ? What are the changes that they will differ in future?
Thank you,
~ Urjit
- Original Message -
From: Marek Marcola [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, August 22, 2006 3:41 PM
Subject: Re: TLS1 support in openssl?
Hello,
how does openssl 0.9.8b support tls? I went through the code and it
looks like tls is just like an alias for
Hi,
The application I am writing has requirement that
after a request is sent to server, it should hear from the server in xyz
seconds.
With a normal tcp socket, I can achieve this
through the select() function. But how do I achieve this for SSL_read?
As I understand from last few threads on this
Hi,
I am facing problem while building openssl on my
windows box (Windows 2000 Professional) with Cygwin
(CYGWIN_NT-5.0).
I downloaded the source for openssl
0.9.8b.
I followed the steps given
in INSTALL.W32:
1) ./config: This goes smooth without any
problem
Hi,
I am planning to ssl enable my client server
application, that I will be making available for commercial use. In this process
I had planned to use openssl command line utility as CA to give out certificates
(I am going to work as private CA). But just then, I came across a
Hi,
I have attached the sample server and client programs for your
consideration. As these are minimal sample codes that reproduce my problem,
error handling is not done.
To run the server, you need to provide the port on the command line
To run the client, you need to provide host and port where
Hi,
Thanks for the reply. Urjit,
I got it working once I replaced
EXP-DES-CBC-SHA with
DES-CBC-SHA
I think you might have to do something special to
enable export quality ciphers.
They can place restrictions on the size of the RSA key used for key
exchange.
That means that if
Well ... In that case,
A] how is it that s_server and s_client can
communicate
1) Using the same ssl library
2) Using the same certificates
3) Using the same cipher suites
You mean can't, don't you? That is because the SSL protocol
itself is different in the export case. As Steve
mentioned there is
The SSL protocol differs in the server_key_exchange packet
(which may be used not only for export restriction).
This requires a temporary RSA key in the context.
If you add to server initialization routine something like:
RSA *rsa;
rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
if
Hello everyone,
I have a sample client-server application written in C, that communicates
using SSL. I observed that for some cipher suites, the client and server
fail to establish ssl connection. But for the same cipher, the s_client and
s_server can establish ssl connection and exchange data.
Hi,
I am facing problem while building openssl on my
windows box (Windows 2000 Professional) with Cygwin.
I downloaded the source for openssl
0.9.8b.
I followed the steps given
in INSTALL.W32:
1) ./config: This goes smooth without any
problem
2) make: At this stage I am facing a problem.
My earlier mail was sent thrice to the list. I
guess there was some problem with my mail client. Apologies to all.
~ Urjit
- Original Message -
From:
Urjit Gokhale
To: openssl-users@openssl.org
Sent: Monday, May 08, 2006 6:42 PM
Subject: Problem building openssl
- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Saturday, March 04, 2006 5:24 AM
Subject: Re: How is default cipher selected ?
On Sat, Mar 04, 2006, Urjit Gokhale wrote:
Hi All,
I have an echo server (a C application) which
authentication only? (and not for data
encryption)
On 2/2/06, Katie Lucas [EMAIL PROTECTED] wrote:
On Tue, Jan 24, 2006 at 06:44:30PM +0530, Urjit Gokhale wrote:
Hi all,
I am planning to use SSL for the communication between my client and
server. The idea is to use SSL *mainly* for peer
Hi all,
I am planning to use SSL for the communication
between my client and server. The idea is to use SSL *mainly* for peer
authentication and validation (Both server and client authentication by means of
certificates). Regarding the data encryption, I would like to have it as an