use SSL_read in parts
Hi I am using non blocking socket I am receiving on the SSL socket a buffer of size 200 bytes. The way I read this buffer is first I read 10 bytes using SSL_read(ssl, buf, 10), and then I want to read the rest of the buffer. The problem I see is that using select to find out if there is data in the socket after the first read (of 10 bytes) return with zero (no data). It seems like on the first SSL_read openssl reads the entire data from the socket and returns only the first 10 bytes. How can I findout before calling SSL_read once more if I have data ready ? Thanks Ofer -- View this message in context: http://old.nabble.com/use-SSL_read-in-parts-tp27611396p27611396.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: OpenSSL 1.0.0 beta5 release v. VMS
Hello, Also if it is not too late, it would be nice to add 32 at the end of the sharable images if the are build with 32 bits pointer size (64 is the default). I mean to have like this: LIBCRYPTO32.OLB;1 LIBSSL32.OLB;1 LIBCRYPTO.OLB;1 LIBSSL.OLB;1 SSL_LIBCRYPTO_SHR32.EXE;1 SSL_LIBSSL_SHR32.EXE;1 SSL_LIBCRYPTO_SHR.EXE;1 SSL_LIBSSL_SHR.EXE;1 This is also just a thought. Regards, Z -Original Message- From: Steven M. Schweda [mailto:s...@antinode.info] Sent: den 17 februari 2010 06:09 Speaking of which, it's still not too late to add those SSL_ prefixes to the shared image names. Just a thought. -Original Message- From: Steven M. Schweda [mailto:s...@antinode.info] Sent: den 17 februari 2010 06:09 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: use SSL_read in parts
Take a look at the SSL_peek() function. *** Doug Fajardo -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of oavitzur Sent: Tuesday, February 16, 2010 8:52 AM To: openssl-dev@openssl.org Subject: use SSL_read in parts Hi I am using non blocking socket I am receiving on the SSL socket a buffer of size 200 bytes. The way I read this buffer is first I read 10 bytes using SSL_read(ssl, buf, 10), and then I want to read the rest of the buffer. The problem I see is that using select to find out if there is data in the socket after the first read (of 10 bytes) return with zero (no data). It seems like on the first SSL_read openssl reads the entire data from the socket and returns only the first 10 bytes. How can I findout before calling SSL_read once more if I have data ready ? Thanks Ofer -- View this message in context: http://old.nabble.com/use-SSL_read-in-parts-tp27611396p27611396.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2173] [enhancement request] -showcerts option to always show certificates
Hi, I'm trying to diagnose a problem with a SSL server. I'm using s_client to attempt to investigate further. My initial investigation was to obtain the list of certificates the server is supplying. From reading the documentation, I had thought that the showcerts option would do this. However, it seems that showcerts is ignored if the SSL handshake fails. Here is the output with OpenSSL v0.9.8k (Debian package 0.9.8k-8) without specifying showcerts p...@zitpcx6184:~$ openssl s_client -connect grid-vomrs1.desy.de:8443 CONNECTED(0003) depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=27:certificate not trusted verify return:1 depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=21:unable to verify the first certificate verify return:1 21653:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1061:SSL alert number 42 21653:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: Here's the output with the -showcerts option: p...@zitpcx6184:~$ openssl s_client -showcerts -connect grid- vomrs1.desy.de:8443 CONNECTED(0003) depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=27:certificate not trusted verify return:1 depth=0 /C=DE/O=GermanGrid/OU=DESY/CN=host/grid-vomrs.desy.de verify error:num=21:unable to verify the first certificate verify return:1 21724:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1061:SSL alert number 42 21724:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188: Note that adding the showcerts option generates no additional output and the server-supplied certificates are missing. I would like the showcerts option to be honoured, even if the SSL handshake fails. (This is either a bug-fix or a feature request, depending on what showcerts is supposed to do :-) Cheers, Paul. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option
Hi! SSL_CTX_new currently contains: /* Setup RFC4507 ticket keys */ if ((RAND_pseudo_bytes(ret-tlsext_tick_key_name, 16) = 0) || (RAND_bytes(ret-tlsext_tick_hmac_key, 16) = 0) || (RAND_bytes(ret-tlsext_tick_aes_key, 16) = 0)) ret-options |= SSL_OP_NO_TICKET; followed by: /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ ret-options = SSL_OP_LEGACY_SERVER_CONNECT; So even if SSL_OP_NO_TICKET is set, it should be unset again due to a SSL_OP_LEGACY_SERVER_CONNECT default. Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once SSL_OP_LEGACY_SERVER_CONNECT is no longer default? -- Tomas Hoger __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
when does RAND_pseudo_bytes() return 0?
According to http://www.openssl.org/docs/crypto/RAND_bytes.html, RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically strong, 0 otherwise. Both functions return -1 if they are not supported by the current RAND method. From http://cvs.openssl.org/fileview?f=openssl/crypto/rand/ rand_lib.cv=1.20: int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); if (meth meth-pseudorand) return meth-pseudorand(buf,num); return(-1); } Where is pseudorand defined? I figured maybe each of the rand_win.c, rand_unix.c, etc, would define it, but the string pseudorand doesn't appear to occur in any of those files. Any ideas? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option
I think that line should be ret-options |= SSL_OP_LEGACY_SERVER_CONNECT;, not simply an =. -Kyle H On Wed, Feb 17, 2010 at 10:03 AM, Tomas Hoger via RT r...@openssl.org wrote: Hi! SSL_CTX_new currently contains: /* Setup RFC4507 ticket keys */ if ((RAND_pseudo_bytes(ret-tlsext_tick_key_name, 16) = 0) || (RAND_bytes(ret-tlsext_tick_hmac_key, 16) = 0) || (RAND_bytes(ret-tlsext_tick_aes_key, 16) = 0)) ret-options |= SSL_OP_NO_TICKET; followed by: /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ ret-options = SSL_OP_LEGACY_SERVER_CONNECT; So even if SSL_OP_NO_TICKET is set, it should be unset again due to a SSL_OP_LEGACY_SERVER_CONNECT default. Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once SSL_OP_LEGACY_SERVER_CONNECT is no longer default? -- Tomas Hoger __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2174] SSL_CTX_new SSL_OP_LEGACY_SERVER_CONNECT may clear previously set option
[tho...@redhat.com - Wed Feb 17 19:03:12 2010]: Hi! SSL_CTX_new currently contains: /* Setup RFC4507 ticket keys */ if ((RAND_pseudo_bytes(ret-tlsext_tick_key_name, 16) = 0) || (RAND_bytes(ret-tlsext_tick_hmac_key, 16) = 0) || (RAND_bytes(ret-tlsext_tick_aes_key, 16) = 0)) ret-options |= SSL_OP_NO_TICKET; followed by: /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ ret-options = SSL_OP_LEGACY_SERVER_CONNECT; Fixed to |= now. Will SSL_OP_LEGACY_SERVER_CONNECT remain part of SSL_OP_ALL once SSL_OP_LEGACY_SERVER_CONNECT is no longer default? Well I'd say yes but that does have the problem that unless existing software is recompiled it will still use the old value (since it is a #define). Ideally it should be an option outside SSL_OP_ALL but 1.0.0 has run out of new option bits and final beta isn't the time to completely reorganise the way they are handled. For 1.1.0 (and possibly a backport to 1.0.1) the options will be reorganised. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: when does RAND_pseudo_bytes() return 0?
Hi, If you are not using an engine, then pseudorand is implemented in md_rand.c : function ssleay_rand_pseudo_bytes (line 524). Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/17/2010 8:10 PM, Thomas Anderson wrote: According tohttp://www.openssl.org/docs/crypto/RAND_bytes.html, RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically strong, 0 otherwise. Both functions return -1 if they are not supported by the current RAND method. Fromhttp://cvs.openssl.org/fileview?f=openssl/crypto/rand/ rand_lib.cv=1.20: int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); if (meth meth-pseudorand) return meth-pseudorand(buf,num); return(-1); } Where is pseudorand defined? I figured maybe each of the rand_win.c, rand_unix.c, etc, would define it, but the string pseudorand doesn't appear to occur in any of those files. Any ideas? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -- -- Mounir IDRASSI IDRIX http://www.idrix.fr __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: when does RAND_pseudo_bytes() return 0?
ssleay_rand_pseudo_bytes(): /* pseudo-random bytes that are guaranteed to be unique but not unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { int ret; unsigned long err; ret = RAND_bytes(buf, num); if (ret == 0) { err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) ERR_clear_error(); } return (ret); } RAND_bytes(): int RAND_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); if (meth meth-bytes) return meth-bytes(buf,num); return(-1); } So, basically, if no engine is being used, then RAND_pseudo_bytes() will only ever return cryptographically strong random bytes or no bytes at all? If that's correct then are there any engines that behave differently? That can return random bytes that aren't cryptographically strong? On Wed, Feb 17, 2010 at 5:20 PM, Mounir IDRASSI mounir.idra...@idrix.net wrote: Hi, If you are not using an engine, then pseudorand is implemented in md_rand.c : function ssleay_rand_pseudo_bytes (line 524). Cheers, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 2/17/2010 8:10 PM, Thomas Anderson wrote: According tohttp://www.openssl.org/docs/crypto/RAND_bytes.html, RAND_bytes() returns 1 on success, 0 otherwise. The error code can be obtained by ERR_get_error(3). RAND_pseudo_bytes() returns 1 if the bytes generated are cryptographically strong, 0 otherwise. Both functions return -1 if they are not supported by the current RAND method. Fromhttp://cvs.openssl.org/fileview?f=openssl/crypto/rand/ rand_lib.cv=1.20: int RAND_pseudo_bytes(unsigned char *buf, int num) { const RAND_METHOD *meth = RAND_get_rand_method(); if (meth meth-pseudorand) return meth-pseudorand(buf,num); return(-1); } Where is pseudorand defined? I figured maybe each of the rand_win.c, rand_unix.c, etc, would define it, but the string pseudorand doesn't appear to occur in any of those files. Any ideas? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org -- -- Mounir IDRASSI IDRIX http://www.idrix.fr __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org