On 19/01/18 16:32, Michael Richardson wrote:
> Matt Caswell wrote:
> > Please raise a separate PR for this work. It *must* be portable though
> > and work across all our platforms (e.g. including VisualC etc). My
> > suggestion is that your
Matt Caswell wrote:
> Please raise a separate PR for this work. It *must* be portable though
> and work across all our platforms (e.g. including VisualC etc). My
> suggestion is that your BIO_CTRL_DGRAM_GET_ADDR/BIO_CTRL_DGRAM_SET_ADDR
> ctrls should return an
On 17/01/18 16:34, Michael Richardson wrote:
>
> > It seems like a fairly simple solution could solve this. Currently we
> > have BIO_dgram_get_peer() which returns the peer's address for the last
> > message read from a BIO. You could imagine a new call being introduced
> > to
Matt Caswell wrote:
>> Matt Caswell wrote:
>> >> Matt Caswell wrote: >> a) when the existing FD is
>> >> connect(2) any future traffic to the bound >> port will get rejected
>> >> with no port. So the application really has
Matt Caswell wrote:
>> Matt Caswell wrote: >> a) when the existing FD is
>> connect(2) any future traffic to the bound >> port will get rejected
>> with no port. So the application really has to >> open a new socket
>> first. The application
On 16/01/18 19:44, Michael Richardson wrote:
>
> Matt Caswell wrote:
> >> a) when the existing FD is connect(2) any future traffic to the bound
> >> port will get rejected with no port. So the application really has to
> >> open a new socket first. The
Matt Caswell wrote:
>> a) when the existing FD is connect(2) any future traffic to the bound
>> port will get rejected with no port. So the application really has to
>> open a new socket first. The application can do this two ways: it can
>> open a new socket
On 16/01/18 15:32, Michael Richardson wrote:
>
> a) when the existing FD is connect(2) any future traffic to the bound port
>will get rejected with no port. So the application really has to open a
>new socket first.
>The application can do this two ways: it can open a new socket on
please see https://github.com/openssl/openssl/pull/5024
mattcaswell asks on github:
mattcaswell> I am unclear about the underlying premise of this PR:
mcr> This patch refactors the DTLSv1_listen() to create an
mcr> alternative API that is called DTLSv1_accept().
mcr>
d:
./Configure no-shared --debug linux-x86_64
"no-dso" seemed like it ought to help, but it made things worse...
I hope that I added the new exposed symbols correctly.
I have yet to validate the complete david/coap/ruby-openssl/dtls
functionality, but I wanted to post this sooner fo
> I don't know if anyone has ever created any metrics on how far it
> can be scaled. I've certainly not seen it if they have. But there
> are no knownlimitations on this approach (this is the intended
> way to do things).
Our Delphi OpenSSL implementation on Windows mostly uses a single
thread
https://github.com/openssl/openssl/pull/3009
On 21/03/17 15:24, Raja ashok wrote:
> Hi All,
>
>
>
> Looks like there is a typo mistake in dtls1_read_bytes, because of this
> alert is not send for bad CCS.
>
>
>
> In dtls1_read_bytes, incase of bad change cipher spec we are setting
> alert
Hi All,
Looks like there is a typo mistake in dtls1_read_bytes, because of this alert
is not send for bad CCS.
In dtls1_read_bytes, incase of bad change cipher spec we are setting alert code
(SSL_AD_ILLEGAL_PARAMETER) to variable “i” and doing “goto err”. I feel we are
trying to send alert in
On Thu, 2016-10-13 at 23:48 +0100, Matt Caswell wrote:
>
> > Any dissenting opinions?
>
> Not from me. It's broken. Lets fix it.
Thanks. https://github.com/openssl/openssl/pull/1705 updated accordingly.
With that fixed, I think https://github.com/openssl/openssl/pull/1666
is now ready to be
On 13/10/16 11:45, David Woodhouse wrote:
> ... is broken in 1.1. We negotiate it, then don't actually *do* it.
>
> https://github.com/openssl/openssl/pull/1705 contains a patch to
> disable it unconditionally for DTLS, on both server and client.
>
> In that same PR there's also a patch to
On 03/06/16 12:19, Matt Caswell wrote:
On 03/06/16 10:52, Alfred E. Heggestad wrote:
Hi Matt,
thanks for the suggested API and code. Please find below a suggested
patch that implements this new callback.
the patch is based on 1.0.2-dev from GIT:
url:
On 03/06/16 10:52, Alfred E. Heggestad wrote:
> Hi Matt,
>
> thanks for the suggested API and code. Please find below a suggested
> patch that implements this new callback.
>
>
> the patch is based on 1.0.2-dev from GIT:
>
> url: git://git.openssl.org/openssl.git
> branch:
On 02/06/16 16:03, Matt Caswell wrote:
On 02/06/16 14:33, Alfred E. Heggestad wrote:
On 01/06/16 13:58, Matt Caswell wrote:
On 01/06/16 11:15, Alfred E. Heggestad wrote:
hi,
we are using DTLS from OpenSSL to implement DTLS-SRTP in our
product (Wire.com) .. The code and implementation
On 02/06/16 14:33, Alfred E. Heggestad wrote:
>
>
> On 01/06/16 13:58, Matt Caswell wrote:
>>
>>
>> On 01/06/16 11:15, Alfred E. Heggestad wrote:
>>> hi,
>>>
>>> we are using DTLS from OpenSSL to implement DTLS-SRTP in our
>>> prod
On 01/06/16 13:58, Matt Caswell wrote:
On 01/06/16 11:15, Alfred E. Heggestad wrote:
hi,
we are using DTLS from OpenSSL to implement DTLS-SRTP in our
product (Wire.com) .. The code and implementation works really well
and is very robust. We are using OpenSSL version 1.0.2g
since our
On 01/06/16 11:15, Alfred E. Heggestad wrote:
> hi,
>
> we are using DTLS from OpenSSL to implement DTLS-SRTP in our
> product (Wire.com) .. The code and implementation works really well
> and is very robust. We are using OpenSSL version 1.0.2g
>
>
> since our prod
hi,
we are using DTLS from OpenSSL to implement DTLS-SRTP in our
product (Wire.com) .. The code and implementation works really well
and is very robust. We are using OpenSSL version 1.0.2g
since our product is deployed globally on mobile data networks,
we have quite variable latency
On 17/05/16 17:43, Rajeswari K wrote:
> Hi Matt,
>
> Can you share s3_srvr.c file which is based on 1.1.0 release where DTLS
> session resumption works? I tried downloading 1.1.0-pre5 but i didnt see
> any file related with s3_srvr.c.
See the tls_process_client_hello() function in
Hi Matt,
Can you share s3_srvr.c file which is based on 1.1.0 release where DTLS
session resumption works? I tried downloading 1.1.0-pre5 but i didnt see
any file related with s3_srvr.c.
Thanks,
Rajeswari.
On Mon, May 16, 2016 at 11:20 AM, Rajeswari K
wrote:
> Hi
Hi Matt,
Yes, i tested with your patch. Honestly, before writing to openssl-dev
team, i tried session resumption with moving the version just like what you
gave as patch. But, still session resumption didn't work for me. Am
debugging same at openssl front.
Just to confirm on the issue, i tried
On 13/05/16 18:33, Rajeswari K wrote:
> Hi Matt,
>
> Thanks for the response.
>
> But, this fix doesn't perform session resumption.
Did you try the patch?
As you pointed out we hit the following line:
if (i == 1 && s->version == s->session->ssl_version) { /* previous
Hi Matt,
Thanks for the response.
But, this fix doesn't perform session resumption.
Thanks,
Rajeswari.
On Wed, May 11, 2016 at 2:56 PM, Matt Caswell wrote:
>
>
> On 10/05/16 18:34, Rajeswari K wrote:
> > Hello openssl-dev team,
> >
> > Having query regarding DTLS session
On 10/05/16 18:34, Rajeswari K wrote:
> Hello openssl-dev team,
>
> Having query regarding DTLS session resumption when configured SSL_CTX
> with DTLS_ANY_VERSION.
>
> When we select SSL_CTX with DTLS_ANY_VERSION, method will be of
> DTLS_Server_method(), which will have ssl_ctx->version as
Hello openssl-dev team,
Having query regarding DTLS session resumption when configured SSL_CTX with
DTLS_ANY_VERSION.
When we select SSL_CTX with DTLS_ANY_VERSION, method will be of
DTLS_Server_method(), which will have ssl_ctx->version as 0xFEFD to support
both the versions (i.e. DTLS1.0 and
Bug report
OS: Red hat enterprise Linux 6.5
OpenSSL Version: 1.0.1e-30
While doing DTLS testing with openssl-1.0.1e-30 Version and patches
for RT3327, RT3470 and RT3483 on top of that, we are facing an issue
where our process is crashing during the duration run of 24 hours.
Use Case
Matt tried to explain this before.
1.0.1e-30 is not a version that OpenSSL provides. You will have to contact
your vendor.
The backtrace information is not usable as there are no function names; you
will have to build a debugging version.
We cannot help you.
--
Principal Security Engineer,
Matt tried to explain this before.
1.0.1e-30 is not a version that OpenSSL provides. You will have to contact
your vendor.
The backtrace information is not usable as there are no function names; you
will have to build a debugging version.
We cannot help you.
--
Principal Security Engineer,
On Thu Jan 15 17:21:35 2015, matt wrote:
In response to your previous documentation question it is
(unfortunately)
undocumented. :-(
The best I can offer you is the source code:
int read_ahead; /* Read as many input bytes as possible * (for non-
blocking
reads) */
With regards to your
On Thu Jan 15 17:01:51 2015, shir...@gmail.com wrote:
Hi all,
Also, just for completeness, I want to point out I'm a fortunate case
where I can actually touch the code and recompile it to fix the
issue. I'm sure that other cases are not so fortunate. IMHO, when
DTLS method is used, that call
Matt,
Thank you for the support. This was lucrative and good response time!
Best regards,
Andrei
On Jan 14, 2015, at 22:21, Eugen-Andrei Gavriloaie via RT r...@openssl.org
wrote:
Hi all,
I believe I have found a bug which is only present in the latest versions
(1.0.1k)
I have
Matt,
Thank you for the support. This was lucrative and good response time!
Best regards,
Andrei
On Jan 14, 2015, at 22:21, Eugen-Andrei Gavriloaie via RT r...@openssl.org
wrote:
Hi all,
I believe I have found a bug which is only present in the latest versions
(1.0.1k)
I have
Hi,
Adding SSL_CTX_set_read_ahead(pSslContext, 1); fixed both the test app and
the real app I'm working on.
May I ask where should I read more about this function? I'm grateful that it
now works, but is kind of a tough thing to just swallow this info without
chewing on it a bit :)
Best
Hi,
Adding SSL_CTX_set_read_ahead(pSslContext, 1); fixed both the test app and
the real app I'm working on.
May I ask where should I read more about this function? I'm grateful that it
now works, but is kind of a tough thing to just swallow this info without
chewing on it a bit :)
Best
Hi all,
Also, just for completeness, I want to point out I'm a fortunate case where I
can actually touch the code and recompile it to fix the issue. I'm sure that
other cases are not so fortunate. IMHO, when DTLS method is used, that call
should be made by default in the internals of OpenSSL
Hi all,
Also, just for completeness, I want to point out I'm a fortunate case where I
can actually touch the code and recompile it to fix the issue. I'm sure that
other cases are not so fortunate. IMHO, when DTLS method is used, that call
should be made by default in the internals of OpenSSL
Please could you try making the following call:
SSL_CTX_set_read_ahead(ctx, 1);
Insert it immediately after these lines in your test code:
pSslContext = SSL_CTX_new(DTLSv1_server_method()); assert(pSslContext != NULL);
assert(SSL_CTX_use_certificate(pSslContext, pX509) == 1);
On Wed Jan 14 21:21:46 2015, shir...@gmail.com wrote:
Hi all,
I believe I have found a bug which is only present in the latest
versions (1.0.1k)
I have created a simple C test which does the following things in this
order:
1. initialize the SSL library
2. creates an X509 key and cert
3.
Forgot to add the 1.0.1k version info:
$ /tmp/ssl/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015
On Jan 14, 2015, at 22:54, Eugen-Andrei Gavriloaie shir...@gmail.com wrote:
Hi Matt,
Here are more explanations:
On my Mac OS X Yosemite, the OS provided OpenSSL version
$ openssl version
Sorry for the mistake. here is the attachment again
/*
* Created by Gavriloaie Eugen-Andrei (shir...@gmail.com)
*
* The logical steps:
* 1. initialize the SSL library
* 2. creates an X509 key and cert
* 3. creates an DTLS server SSL context
* 4. Setup 2 memory BIO instances on the SSL
Hi all,
I believe I have found a bug which is only present in the latest versions
(1.0.1k)
I have created a simple C test which does the following things in this order:
1. initialize the SSL library
2. creates an X509 key and cert
3. creates an DTLS server SSL context
4. Setup 2 memory BIO
Hi Matt,
Here are more explanations:
On my Mac OS X Yosemite, the OS provided OpenSSL version
$ openssl version
OpenSSL 1.0.1j 15 Oct 2014
Compiling the test
$ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl -lcrypto
-o /tmp/dtls_bug
Running the test
$ /tmp/dtls_bug
$
As
And from an Ubuntu box (apparently, it runs 1.0.1f)
shiretu@ubuntu:/tmp$ gcc -std=c99 dtls_bug.c -lssl -lcrypto -o dtls_bug
shiretu@ubuntu:/tmp$ ./dtls_bug
dtls_bug: dtls_bug.c:110: main: Assertion `pSSLBuffer-length != 0' failed.
Aborted (core dumped)
shiretu@ubuntu:/tmp$ uname -a
Linux
On Wed, Jan 14, 2015 at 10:54:57PM +0200, Eugen-Andrei Gavriloaie wrote:
On my Mac OS X Yosemite, manually compiled OpenSSL 1.0.1k and installed it
into /tmp/ssl as a static lib (with shared lib behaves the same) Compiling:
$ gcc dtls_bug.c -Wno-deprecated-declarations /tmp/ssl/lib/libssl.a
On Wed Jan 14 21:55:17 2015, shir...@gmail.com wrote:
Hi Matt,
Here are more explanations:
On my Mac OS X Yosemite, the OS provided OpenSSL version
$ openssl version
OpenSSL 1.0.1j 15 Oct 2014
Compiling the test
$ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl
And from an Ubuntu box (apparently, it runs 1.0.1f)
shiretu@ubuntu:/tmp$ gcc -std=c99 dtls_bug.c -lssl -lcrypto -o dtls_bug
shiretu@ubuntu:/tmp$ ./dtls_bug
dtls_bug: dtls_bug.c:110: main: Assertion `pSSLBuffer-length != 0' failed.
Aborted (core dumped)
shiretu@ubuntu:/tmp$ uname -a
Linux
Forgot to add the 1.0.1k version info:
$ /tmp/ssl/bin/openssl version
OpenSSL 1.0.1k 8 Jan 2015
On Jan 14, 2015, at 22:54, Eugen-Andrei Gavriloaie shir...@gmail.com wrote:
Hi Matt,
Here are more explanations:
On my Mac OS X Yosemite, the OS provided OpenSSL version
$ openssl version
On Wed, Jan 14, 2015 at 11:31:02PM +0200, Eugen-Andrei Gavriloaie wrote:
Dynamic:
$ ls -Al /tmp/ssl/lib/
total 11336
drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
-r-xr-xr-x 1 shiretu wheel 1602352 Jan 14 23:27 libcrypto.1.0.0.dylib
-rw-r--r-- 1 shiretu wheel 3196880
Hi all,
I believe I have found a bug which is only present in the latest versions
(1.0.1k). I ran this test on a linux 64 ubuntu 14.10 and mac os x yosemite
I have created a simple C test which does the following things in this order:
1. initialize the SSL library
2. creates an X509 key and
Dynamic:
$ ls -Al /tmp/ssl/lib/
total 11336
drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
-r-xr-xr-x 1 shiretu wheel 1602352 Jan 14 23:27 libcrypto.1.0.0.dylib
-rw-r--r-- 1 shiretu wheel 3196880 Jan 14 23:27 libcrypto.a
lrwxr-xr-x 1 shiretu wheel 21 Jan 14 23:27
Hi Matt,
Here are more explanations:
On my Mac OS X Yosemite, the OS provided OpenSSL version
$ openssl version
OpenSSL 1.0.1j 15 Oct 2014
Compiling the test
$ gcc ~/Dropbox/Public/dtls_bug.c -Wno-deprecated-declarations -lssl -lcrypto
-o /tmp/dtls_bug
Running the test
$ /tmp/dtls_bug
$
As
On Jan 14, 2015, at 23:39, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
On Wed, Jan 14, 2015 at 11:31:02PM +0200, Eugen-Andrei Gavriloaie wrote:
Dynamic:
$ ls -Al /tmp/ssl/lib/
total 11336
drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
-r-xr-xr-x 1 shiretu wheel
Looks like dtls1_get_record is always returning -1
Still digging...
On Jan 15, 2015, at 00:01, Eugen-Andrei Gavriloaie shir...@gmail.com wrote:
On Jan 14, 2015, at 23:39, Viktor Dukhovni openssl-us...@dukhovni.org
wrote:
On Wed, Jan 14, 2015 at 11:31:02PM +0200, Eugen-Andrei
On Jan 14, 2015, at 23:39, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
On Wed, Jan 14, 2015 at 11:31:02PM +0200, Eugen-Andrei Gavriloaie wrote:
Dynamic:
$ ls -Al /tmp/ssl/lib/
total 11336
drwxr-xr-x 14 shiretu wheel 476 Jan 14 23:27 engines
-r-xr-xr-x 1 shiretu wheel
The openssl s_server/s_client -dtls1 works
I now suspect a special edge case of dtls1_get_record function. That buffer I'm
feeding into OpenSSL is taken from Chrome WebRTC DTLS handshake, and as we saw,
is perfectly valid in older OpenSSL versions.
Still digging...
On Jan 14, 2015, at 22:21,
The openssl s_server/s_client -dtls1 works
I now suspect a special edge case of dtls1_get_record function. That buffer I'm
feeding into OpenSSL is taken from Chrome WebRTC DTLS handshake, and as we saw,
is perfectly valid in older OpenSSL versions.
Still digging...
On Jan 14, 2015, at 22:21,
Hi,
I don't know if any other person met this issue.
I use openssl1.0.0e, and working on dtls, in client side, if I
set SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(ss_ssl, 1500);
I met a segmentation fault on the client side, using gdb I saw the error
happens in:
memcpy()
On Sep 21, 2011, at 9:40 PM, Huaqing Wang wrote:
Hi,
I don't know if any other person met this issue.
I use openssl1.0.0e, and working on dtls, in client side, if I set
SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_QUERY_MTU);
SSL_set_mtu(ss_ssl, 1500);
I met a segmentation fault on the
Hello openssl-dev,
When I has asked about securing the UDP traffic - I was told to use
DTLS in OpenSSL v0.9.8.
The UDP traffic of mine is a multicasting stream actually.
Are there any ways to secure the multicasting with DTLS?
(I'm looking for UDP/multicast support in the stunnel
/
of the DTLS spec authors.
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL
Hello Group,
Does OpenSsl has plans to support DTLS ? Is there any good open source prototype implementation?
Regards,
Prashant kumar.
Celebrate Yahoo!'s 10th Birthday!
Yahoo! Netrospective: 100 Moments of the Web
65 matches
Mail list logo