Re: Certificate validation problem
Thanks Dave,

today I rechecked the dump of the certificates which cause the problem. The AUTHORITY_KEYID was really missing in them. They were created using some MS .Net stuff. My certificates which I create with openssl work fine. I told the guy who created the wrong certificates about the missing field. In our protocol this field is mandatory because our commonNames are not always unique.

On Friday 10 October 2008 02:03:44 Dave Thompson wrote:
> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
> Sent: Wednesday, 08 October, 2008 08:14
>
> > I've a problem with validating self-signed certificates. In my use case it's possible (but unlikely) to have multiple self-signed certificates with the same commonName.
>
> More to the point, they are root CA certs -- selfsigned, AND used to sign child certs. Your problem is with child linkage, not selfsigned as such.
>
> > In the used protocol the URI field in subjectAltName fulfills the purpose of distinguishing the application instances.
>
> That appears to be irrelevant.
>
> > When validating a certificate using X509_verify_cert it seems that OpenSSL finds the wrong certificate in the store due to the same commonName and then the validation fails. As far as I understood the code - but I'm not sure - the problem is, that X509_check_issued() that is called indirectly by find_issuer() doesn't check the certificate serial number when searching for the issuer certificate and only looks for the commonName. This happens because no AUTHORITY_KEYID (subject-akid) is available in the subject structure. (why?) See the screenshot for details.
>
> Your screenshot came out totally illegible, at least for me. AKID is an optional extension, with several optional subformats. Do you have a copy (e.g. in a file) of the cert you want to validate i.e. the subject=child cert? If so, check the extension is present, and has (child.)AKID.keyid = parent.subjkeyid and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial).
>
> How did you obtain, or create, the child cert? (Commercial CA, inhouse CA, openssl CA.pl, openssl commandline, etc.)
>
> > The certificate of course has a serial number so I want this to be checked when looking up a certificate in the store.
>
> Which cert? When you want to look up the parent you need attributes of the parent, not the child. If you want to look up the parent by issuer+serial (serial alone is not enough) (although in this case parent is selfsigned so its issuer and subject are the same), use child.AKID.(issuer+serial) as above.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
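
The linkage rule discussed in this thread, written out as an added example (it is not from the thread and is not OpenSSL's code). It models a store holding two self-signed roots with the same commonName and shows that a child without AKID matches both, while AKID.keyid or AKID.(issuer+serial) selects exactly one. The struct, function names and sample certificates are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the fields used for issuer lookup. Hypothetical
 * struct for illustration only; this is not OpenSSL's X509 type. */
typedef struct {
    const char *subject;     /* subject DN */
    const char *issuer;      /* issuer DN */
    const char *serial;      /* serial number as hex text */
    const char *skid;        /* subjectKeyIdentifier, NULL if absent */
    const char *akid_keyid;  /* AKID.keyid, NULL if absent */
    const char *akid_issuer; /* AKID issuer name, NULL if absent */
    const char *akid_serial; /* AKID serial, NULL if absent */
} cert_model;

/* Returns 1 if parent is an acceptable issuer candidate for child. */
int may_have_issued(const cert_model *parent, const cert_model *child)
{
    /* Name linkage: child.issuer must equal parent.subject. */
    if (strcmp(child->issuer, parent->subject) != 0)
        return 0;
    /* child.AKID.keyid = parent.subjkeyid, checked when both exist. */
    if (child->akid_keyid && parent->skid &&
        strcmp(child->akid_keyid, parent->skid) != 0)
        return 0;
    /* child.AKID.(issuer+serial) = parent.(issuer+serial). */
    if (child->akid_issuer && child->akid_serial &&
        (strcmp(child->akid_issuer, parent->issuer) != 0 ||
         strcmp(child->akid_serial, parent->serial) != 0))
        return 0;
    return 1;
}

/* Returns the index of the first acceptable candidate in the store, or -1.
 * *matches receives the number of acceptable candidates; more than one
 * means the lookup is ambiguous and the first hit may be the wrong root. */
int find_issuer(const cert_model *store, int n, const cert_model *child,
                int *matches)
{
    int i, first = -1;
    *matches = 0;
    for (i = 0; i < n; i++) {
        if (may_have_issued(&store[i], child)) {
            if (first < 0)
                first = i;
            (*matches)++;
        }
    }
    return first;
}

/* Constructed sample data: two self-signed roots sharing one commonName. */
static const cert_model STORE[2] = {
    { "CN=AppServer", "CN=AppServer", "01", "AA11", NULL, NULL, NULL },
    { "CN=AppServer", "CN=AppServer", "02", "BB22", NULL, NULL, NULL },
};
/* All three children were issued by STORE[1]; only their AKID differs. */
static const cert_model CHILD_NO_AKID =
    { "CN=client", "CN=AppServer", "10", "C1", NULL, NULL, NULL };
static const cert_model CHILD_KEYID =
    { "CN=client", "CN=AppServer", "11", "C2", "BB22", NULL, NULL };
static const cert_model CHILD_ISSUER_SERIAL =
    { "CN=client", "CN=AppServer", "12", "C3", NULL, "CN=AppServer", "02" };

int main(void)
{
    const cert_model *kids[3] =
        { &CHILD_NO_AKID, &CHILD_KEYID, &CHILD_ISSUER_SERIAL };
    const char *labels[3] = { "no AKID", "AKID.keyid", "AKID.issuer+serial" };
    int i, matches, idx;
    for (i = 0; i < 3; i++) {
        idx = find_issuer(STORE, 2, kids[i], &matches);
        printf("%-20s -> store[%d], %d candidate(s)\n", labels[i], idx, matches);
    }
    return 0;
}
```
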
Issue getting enough entropy on Windows NT 4.0 system
Hello,

The Windows NT 4.0 system has the workstation service stopped. This causes the following snippet from rand_win.c to return 0:

    if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
        {
        RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
        netfree(outbuf);
        }

Add to this that a large section of calls are #if 0'd out due to a reported problem by Wolfgang Marczy, and there aren't many places this function gets entropy from.

Any suggestions?

Thanks,
Ray Casterline
RE: non-blocking version of SSL_peek
David Schwartz wrote:
> > Hi, Can anyone tell me if SSL_peek is a blocking or non-blocking call ?
>
> It can be either.
>
> > When I use it inside my code, then the program blocks on this function call where there is no data on the socket.
>
> If you're using blocking socket calls, that's what will happen.

<vne> Yes you are right. I made the socket non-blocking and then SSL_peek returned when there is no data. </vne>

> > The reason I want to use this call is that before closing the SSL connection by using 'SSL_shutdown', I want to make sure that there is no pending data present on this connection.
>
> SSL_peek won't help. You need to call SSL_shutdown first and then check for any pending data. No matter when and how you call SSL_peek, there will still be a point before you call SSL_shutdown and after you call SSL_peek. If your protocol requires you to do this, the protocol is broken and really should be fixed. If it doesn't, why do this?

<vne> Actually before closing a TLS connection I need to make sure that no pending data is present on that socket. So, calling SSL_peek would tell if this is the case or not. As you are saying that SSL_peek should be called before SSL_shutdown, then how is it ensured that the connection gets closed only if all the data arrived on that socket is processed? Does SSL_shutdown take care of this? Or what is the significance of calling SSL_peek after SSL_shutdown? I am using SIP over TLS and it does not specify any such thing related to TLS. Thanks !!! </vne>

> > Is there any method to make the call SSL_peek non-blocking, i.e. it should return if there is no data present on SSL connection like that happens with tcp peek by using option MSG_PEEK|MSG_DONTWAIT. Or can SSL_pending be used for this purpose? Please suggest... I am using openSSL version 0.9.7b.
>
> What is your outer problem? Why do you think you need to do this? What protocol are you implementing over SSL?
>
> DS
Re: Valid certificate reported as expired
> Have you enabled CRL checking too? You can also get that if the nextUpdate time in a CRL has passed. That might explain things if the CRL runs for a month or so.

WOW! That's it! Thank you so much! CRL expired exactly the day it stopped working.

I did not know that a CRL could expire. Never explored it with openssl crl -text ... before. Now I know it has those two dates, just like a certificate. Added CRL updates to cron tables on the server and all the clients.

I would like to apologize for all the mess around this issue. This was simply my mistake. (However, it would be nice if the error message said 'CRL expired' instead of 'certificate expired'. Had I seen 'CRL' in the message, I would have checked that first.)

Once more many thanks for your advice. My db connection works again.

Andrej
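
The failure in this thread can be caught ahead of time by watching nextUpdate. The following is an added example, not from the thread: it parses the line printed by `openssl crl -noout -nextupdate` and classifies the CRL as fresh, expiring soon or expired. The function names, the 7-day warning window and the sample line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

enum crl_state { CRL_FRESH, CRL_EXPIRING_SOON, CRL_EXPIRED, CRL_UNREADABLE };

/* Days from 1970-01-01 to a Gregorian calendar date (UTC). */
static long long days_from_civil(int y, int m, int d)
{
    long long era, yoe, doy, doe;
    y -= (m <= 2);
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parses a line such as "nextUpdate=Nov  9 12:00:00 2008 GMT" into seconds
 * since the epoch. Returns -1 if the line is not in that form, which
 * includes "nextUpdate=NONE" (CRL without a nextUpdate field). Dates
 * before 1970 are not supported. */
long long parse_next_update(const char *line)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    char mon[4] = "";
    const char *p;
    int day, hh, mm, ss, year, end = 0;

    if (sscanf(line, "nextUpdate=%3s %d %d:%d:%d %d GMT%n",
               mon, &day, &hh, &mm, &ss, &year, &end) != 6 || end == 0)
        return -1;
    p = strlen(mon) == 3 ? strstr(months, mon) : NULL;
    if (p == NULL || (p - months) % 3 != 0)
        return -1;
    return days_from_civil(year, (int)(p - months) / 3 + 1, day) * 86400LL
           + hh * 3600 + mm * 60 + ss;
}

/* Classifies the CRL at time `now` (seconds since the epoch). A CRL whose
 * nextUpdate lies within warn_days is reported before it breaks clients. */
enum crl_state crl_state_at(const char *next_update_line, long long now,
                            int warn_days)
{
    long long next = parse_next_update(next_update_line);
    if (next < 0)
        return CRL_UNREADABLE;
    if (now >= next)
        return CRL_EXPIRED;
    if (next - now <= warn_days * 86400LL)
        return CRL_EXPIRING_SOON;
    return CRL_FRESH;
}

int main(void)
{
    /* Constructed sample of the command's output. */
    const char *line = "nextUpdate=Nov  9 12:00:00 2008 GMT";
    static const char *names[] =
        { "fresh", "expiring soon", "expired", "unreadable" };
    printf("%s -> %s\n", line,
           names[crl_state_at(line, (long long)time(NULL), 7)]);
    return 0;
}
```
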
[FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
Forwarded to openssl-users for public discussion.

Best regards,
Lutz

- Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -

Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
Date: Fri, 10 Oct 2008 15:00:51 +0200
Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Dear OpenSSL experts,

I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below:

    D:\OpenSSL2\bin>openssl
    OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
    verify depth is 2
    Enter pass phrase for D:\my_key.pem: my_pass_phrase
    Loading 'screen' into random state - done
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    bad gethostbyaddr
    SSL_accept:before/accept initialization
    read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    SSL_accept:failed in SSLv3 read client hello B
    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
    bad gethostbyaddr
    SSL_accept:before/accept initialization
    read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    SSL_accept:failed in SSLv3 read client hello B
    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
    bad gethostbyaddr

Thanks & Regards,
Byju Joy
+91-9902511344, +91-80-67245657, *7098068

- End forwarded message -

--
Lutz Jaenicke [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~jaenicke/
RE: Issue getting enough entropy on Windows NT 4.0 system
> Hello,
>
> The Windows NT 4.0 system has the workstation service stopped. This causes the following snippet from rand_win.c to return 0:
>
>     if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
>         {
>         RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
>         netfree(outbuf);
>         }
>
> Add to this that a large section of calls are #if 0'd out due to a reported problem by Wolfgang Marczy, and there aren't many places this function gets entropy from.
>
> Any suggestions?

Why not grab some entropy from the system entropy provider?

    #include <windows.h>
    #include <wincrypt.h>

    /* Fill ptr with len bytes from the default machine CSP; true on success. */
    bool GetSysEntropy(void *ptr, int len)
    {
        char namebuf[512];
        HCRYPTPROV handle;
        DWORD count=500;

        if(!CryptGetDefaultProvider(PROV_RSA_FULL, NULL,
            CRYPT_MACHINE_DEFAULT, namebuf, &count))
            return false;
        if(!CryptAcquireContext(&handle, NULL, namebuf, PROV_RSA_FULL,
            CRYPT_VERIFYCONTEXT|CRYPT_SILENT))
            return false;
        if(!CryptGenRandom(handle, len, (BYTE *) ptr))
        {
            CryptReleaseContext(handle, 0);
            return false;
        }
        CryptReleaseContext(handle, 0);
        return true;
    }

DS
Re: FIPS fail
On Fri, Oct 10, 2008, joshi chandran wrote:

> Hi All,
>
> Can any body give me small program which set in fips mode and uses non fips algorithm, hence fails while running.

Well the standard OpenSSL utility will do that e.g.

    OPENSSL_FIPS=1 openssl md5 somefile

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: FIPS fail
Hi All,

Can any body give me small program which set in fips mode and uses non fips algorithm, hence fails while running.

Thanks
Joshi

On Thu, Oct 9, 2008 at 5:13 PM, Steve Marquess [EMAIL PROTECTED] wrote:
> Kyle Hamilton wrote:
> > Okay. Let's see if I can piece together everything I've learned about the FIPS experience so far...
> >
> > FIPS-1.1.2 only generates a static fipscanister, which can only be used to generate a static library. (except on Windows, where it can be built into a shared library.)
>
> The fipscanister.o for v1.1.2 is generated with position independent code or not depending on the default build options borrowed from the 0.9.7 baseline at the time. On Windows it happens that position independent code is generated automatically, hence that object module can be incorporated in shared code. On Linux and some other platforms that isn't the case.
>
> Note we were originally going to test both shared and non-shared builds, but ran out of money for the test lab fees (each such platform variation drives up the price). For v1.2 we decided to just force position independent code generation universally.
>
> > ...
> > FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is currently submitted for review, but there is no timeframe (other than 'it could take until the end of the next ice age') for its validation.
>
> The latest info I've heard is that there is a new reviewer (new hire) who has decided to revisit the entire history of the original validation from the beginning, i.e. effectively second guessing the CMVP reviewers of those prior validations. That first validation took five years, an Internet ice age indeed.
>
> > If you want to test the functionality of FIPS-1.2.0, you need to download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz from the same location.
> >
> > If you want a currently-validated solution, you need openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz.
> >
> > Anyone got any comments on whether I've gotten this right?
>
> You did.
>
> -Steve M.
>
> --
> Steve Marquess
> Open Source Software Institute
> [EMAIL PROTECTED]

--
Regards
Joshi Chandran
RE: RE: Issue getting enough entropy on Windows NT 4.0 system
Thanks for the suggestion but the RAND_poll function already pulls from the system right after the big #if 0 block as described below in the setup for the calls.

    if (advapi)
        {
        /*
         * If it's available, then it's available in both ANSI
         * and UNICODE flavors even in Win9x, documentation says.
         * We favor Unicode...
         */
        acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
            "CryptAcquireContextW");
        gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
            "CryptGenRandom");
        release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
            "CryptReleaseContext");
        }

So, still looking for other suggestions. I also tried finding an EGD for Win NT 4.0 and the only one that looked promising was EGADS which is no longer available.

Thanks Again for any suggestions,
Ray

> Hello,
>
> Why not grab some entropy from the system entropy provider?
>
>     #include <windows.h>
>     #include <wincrypt.h>
>
>     /* Fill ptr with len bytes from the default machine CSP; true on success. */
>     bool GetSysEntropy(void *ptr, int len)
>     {
>         char namebuf[512];
>         HCRYPTPROV handle;
>         DWORD count=500;
>
>         if(!CryptGetDefaultProvider(PROV_RSA_FULL, NULL,
>             CRYPT_MACHINE_DEFAULT, namebuf, &count))
>             return false;
>         if(!CryptAcquireContext(&handle, NULL, namebuf, PROV_RSA_FULL,
>             CRYPT_VERIFYCONTEXT|CRYPT_SILENT))
>             return false;
>         if(!CryptGenRandom(handle, len, (BYTE *) ptr))
>         {
>             CryptReleaseContext(handle, 0);
>             return false;
>         }
>         CryptReleaseContext(handle, 0);
>         return true;
>     }
>
> DS
>
> The Windows NT 4.0 system has the workstation service stopped. This causes the following snippet from rand_win.c to return 0:
>
>     if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
>         {
>         RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
>         netfree(outbuf);
>         }
>
> Add to this that a large section of calls are #if 0'd out due to a reported problem by Wolfgang Marczy, and there aren't many places this function gets entropy from.
>
> Any suggestions?
RE: non-blocking version of SSL_peek
> Actually before closing a TLS connection I need to make sure that no pending data is present on that socket. So, calling SSL_peek would tell if this is the case or not.

No, it won't. Okay, you call SSL_peek, and there's no pending data. Now, you're about to call SSL_shutdown. How do you know there's no pending data *NOW*? Just because there wasn't before, it doesn't mean there isn't now.

The only way to know that there's no pending data when you call SSL_shutdown is for the protocol you are implementing to ensure that. Otherwise, you will always have a race.

> As you are saying that SSL_peek should be called before SSL_shutdown,

No, there's no point. If you didn't know there was no data before SSL_peek, you still won't know there's no data *now* after.

> then how is it ensured that the connection gets closed only if all the data arrived on that socket is processed? Does SSL_shutdown take care of this? Or what is the significance of calling SSL_peek after SSL_shutdown?

No, the higher-level protocol takes care of this. When a request is completed, the other end will have nothing more to send. When you finish replying, what else would the other end send? If there's a "keep the connection in case and close it after a timeout", the protocol handles a close with pending data smoothly (since there's always a race in a timeout).

> I am using SIP over TLS and it does not specify any such thing related to TLS.

If nobody else knows offhand, I'll do some research into SIP and see how it handles that case. No sane protocol requires you to race to shutdown and hope and pray the other end doesn't send some data at the wrong time.

DS
RE: RE: Issue getting enough entropy on Windows NT 4.0 system
> Thanks for the suggestion but the RAND_poll function already pulls from the system right after the big #if 0 block as described below in the setup for the calls.
>
>     if (advapi)
>         {
>         /*
>          * If it's available, then it's available in both ANSI
>          * and UNICODE flavors even in Win9x, documentation says.
>          * We favor Unicode...
>          */
>         acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
>             "CryptAcquireContextW");
>         gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
>             "CryptGenRandom");
>         release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
>             "CryptReleaseContext");
>         }
>
> So, still looking for other suggestions.

Umm, so what's the problem exactly? Did this fail to get entropy from the system?

DS
Microsoft Visual C++
Hello,

I'm trying to compile in Microsoft Visual C++ Express and I'm getting linker errors like:

error LNK2019: unresolved external symbol _BIO_gets referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)

I got the header files all set up, but I can't get the libs working. I followed the help and copied the lib files to C:\Program Files\Microsoft Visual Studio 9.0\VC\lib . Anybody know what I'm missing?

Mike Luich

1-- Build started: Project: sr_trillian_plugin, Configuration: Debug Win32 --
1Compiling...
1stdafx.cpp
1Compiling...
1sr_trillian_plugin.cpp
1c:\users\mluich\documents\visual studio 2008\projects\sr_trillian_plugin\sr_trillian_plugin\sr_trillian_plugin.cpp(194) : warning C4129: '%' : unrecognized character escape sequence
1c:\users\mluich\documents\visual studio 2008\projects\sr_trillian_plugin\sr_trillian_plugin\sr_trillian_plugin.cpp(247) : warning C4129: '%' : unrecognized character escape sequence
1Compiling...
1dllmain.cpp
1Linking...
1 Creating library C:\Users\mluich\Documents\Visual Studio 2008\Projects\sr_trillian_plugin\Debug\sr_trillian_plugin.lib and object C:\Users\mluich\Documents\Visual Studio 2008\Projects\sr_trillian_plugin\Debug\sr_trillian_plugin.exp 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_gets referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_ctrl referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_ctrl_pending referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _SMIME_write_PKCS7 referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _PKCS7_encrypt referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _sk_push referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _PEM_read_X509 referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_new referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_s_mem referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: 
unresolved external symbol _BIO_new_mem_buf referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _RAND_load_file referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_load_crypto_strings referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _OPENSSL_add_all_algorithms_noconf referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _sk_new_null referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _EVP_des_ede3_cbc referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_error_string referenced in function char * __cdecl sr_decrypt(char *,char *) (?sr_decrypt@@[EMAIL PROTECTED]) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_get_error referenced in function char * __cdecl sr_decrypt(char *,char *) (?sr_decrypt@@[EMAIL PROTECTED]) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _PKCS7_decrypt referenced in function char * __cdecl sr_decrypt(char *,char *) (?sr_decrypt@@[EMAIL PROTECTED]) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_print_errors_fp referenced in function char * __cdecl sr_decrypt(char *,char *) (?sr_decrypt@@[EMAIL PROTECTED]) 1sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _SMIME_read_PKCS7
bug in gost engine
I found a bug in the implementation of the gost89 algorithm in the gost engine of the OpenSSL library. I installed openssl-SNAP-20081006. A simple program shows an error in decryption of a buffer encrypted with the gost89 algorithm.

    #include <sys/types.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <openssl/evp.h>
    #include <openssl/err.h>
    #include <openssl/conf.h>

    /* Hex dump: two bytes per group, 16 bytes per line */
    static void print_buffer(void *buffer, int len)
    {
        u_int i;
        u_char *ucp = buffer;
        for (i = 0; i < len; i++) {
            printf( "%02x", ucp[i] );
            if (i%16==15)
                printf( "\r\n" );
            else if (i%2==1)
                printf( " " );
        }
        printf( "\r\n" );
    }

    int main()
    {
        OPENSSL_config( NULL );
        ERR_load_crypto_strings();
        OpenSSL_add_all_algorithms();
        //
        //Initialize key and iv
        //
        u_char iv[512];
        u_char key[512];
        int i;
        for( i = 0; i < sizeof( iv ); i++ )
        {
            iv[i] = rand();
            key[i] = rand();
        }
        //
        //Initialize cipher context for encryption
        //
        EVP_CIPHER_CTX encCtx;
        EVP_CIPHER_CTX_init( &encCtx );
        if ( EVP_CipherInit( &encCtx, EVP_get_cipherbyname( "gost89" ), key, iv, 1 ) )
        {
            //
            //Initialize plain text and cipher text buffers
            //
            char plainText[32] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
                                   16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31 };
            printf( "plain text :\n" );
            print_buffer( plainText, 32 );
            char cipherText[32] = "";
            //
            //Encrypt plain text
            //
            if ( EVP_Cipher( &encCtx, cipherText, plainText, sizeof( cipherText ) ) )
            {
                printf( "cipher text :\n" );
                print_buffer( cipherText, 32 );
                //
                //Initialize cipher context for decryption
                //
                EVP_CIPHER_CTX decCtx;
                EVP_CIPHER_CTX_init( &decCtx );
                if ( EVP_CipherInit( &decCtx, EVP_get_cipherbyname( "gost89" ), key, iv, 0 ) )
                {
                    char decryptedText[32] = "";
                    //
                    //Decrypt first 8 byte block of cipher text
                    //
                    if ( EVP_Cipher( &decCtx, decryptedText, cipherText, 8 ) )
                    {
                        printf( "decrypted text after first block decryption :\n" );
                        print_buffer( decryptedText, 32 );
                        //
                        //Decrypt rest of cipher text
                        //
                        if ( EVP_Cipher( &decCtx, decryptedText + 8, cipherText + 8, 24 ) )
                        {
                            printf( "decrypted text after rest blocks decryption :\n" );
                            print_buffer( decryptedText, 32 );
                            //
                            //Compare plain text with decrypted text
                            //
                            if( 0 == memcmp( plainText, decryptedText, sizeof( decryptedText ) ) )
                            {
                                printf( "Success\n" );
                            }
                            else
                            {
                                printf( "Error\n" );
                            }
                        }
                    }
                }
                EVP_CIPHER_CTX_cleanup( &decCtx );
            }
        }
        EVP_CIPHER_CTX_cleanup( &encCtx );
        EVP_cleanup();
        ERR_free_strings();
        CONF_modules_free();
        return 0;
    }

The output of the program:

    plain text :
    0001 0203 0405 0607 0809 0a0b 0c0d 0e0f
    1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
    cipher text :
    fa25 cc1e 8c89 5ec1 1939 af98 b105 fc49
    6204 1fcb 4586 35cc bdcd d264 80df 2979
    decrypted text after first block decryption :
    0001 0203 0405 0607
    decrypted text after rest blocks decryption :
    0001 0203 0405 0607 c51a dd70 0553 dffb
    1011 1213 1415 1617 1819 1a1b 1c1d 1e1f
    Error

The cipher text is decrypted in two parts. The first block size is 8 bytes. The decryption of it is correct. The size of the rest of the cipher text is 24 bytes. The decrypted text is corrupted (the first 8 bytes are not correct, the other 16 bytes are correct). If the first block size is 16 bytes, then the whole decrypted buffer is correct.
RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
> Sent: Friday, 10 October, 2008 09:03
>
> - Forwarded message from Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED] -
>
> Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
> Date: Fri, 10 Oct 2008 15:00:51 +0200
> Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
> thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
> From: Joy, Byju (GE Healthcare, consultant) [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> Dear OpenSSL experts,
>
> I am trying to run OpenSSL version OpenSSL 0.9.8i 15 Sep 2008 on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with bad gethostbyaddr error message while doing SSL handshake? Log is given below:

s_server calls do_server calls do_accept which, after the actual (TCP) accept, calls gethostbyaddr to try to get the client host's name. If your system/network doesn't have DNS set up to do reverse-mapping for that host, you get this printed. (That would include DNS not set up at all, but I don't think Svr03 can do that. It could include using a bad/wrong nameserver, or zone; or unreachable/down one; or using a good nameserver but the zone admin doesn't do reverse-mapping at all -- some don't; or didn't do it for that host -- particularly if it's a dynamic host e.g. a(nother) PC many admins don't consider it worth the trouble.)

But it causes no harm; it just passes back a nullptr for the hostname string, which the actual logic (sv_body or www_body) never uses. The connection can still be completed and used, at least through 0.9.8g and I doubt this would be changed.

(If you actually want to fix the revlookup, you need to say more about the type and relative network location of the client machine, and if it's not something simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)

> D:\OpenSSL2\bin>openssl
> OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
> verify depth is 2
> Enter pass phrase for D:\my_key.pem: my_pass_phrase
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> bad gethostbyaddr
> SSL_accept:before/accept initialization
> read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
> SSL_accept:failed in SSLv3 read client hello B

This is your actual problem: you are not receiving the client hello. You appear to be getting a normal TCP shutdown instead i.e. FIN not RST. This might mean the client deliberately closed; on some system types it also occurs if the client fails e.g. segfault; it might also occur if something between you in the network like a firewall dislikes you.

> ERROR
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
Re: Microsoft Visual C++
Michael Luich wrote:
> Hello,
>
> I'm trying to compile in Microsoft Visual C++ Express and I'm getting linker errors like:
>
> error LNK2019: unresolved external symbol _BIO_gets referenced in function char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
>
> I got the header files all set up, but I can't get the libs working. I followed the help and copied the lib files to C:\Program Files\Microsoft Visual Studio 9.0\VC\lib . Anybody know what I'm missing?
>
> Mike Luich

You have to add the .lib files to your project's Linker properties.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/