Re: Auto Reply to your message ...
Please remove [EMAIL PROTECTED] from the list. I've received enough of these alredy... Thanx! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: BN functions and Solaris 7 'bc' disagree
-Original Message- From: Ted Powell [mailto:"Ted Powell ted"@tgivan.com] Sent: Friday, April 28, 2000 5:59 PM When I ran openssl-0.9.5a's "make test", the tmp.bntest file that was written contained (out of 1800+ tests) seven expressions which Solaris 7's 'bc' evaluated to give non-zero results. When I feed the problematic tmp.bntest to GNU bc all the expressions evaluate to zero, as they should. I had similar results on AIX 3.2.5 with SSLeay: the native bc produced errors, Gnu bc passed the files. A little testing revealed a bona fide error in the native bc (fixed in AIX 4.2.1). Unfortunately, it's been a while since I ran across this, and I don't remember what I used to verify that the error existed. Of course, it may not be a bug per se. I don't recall what statements, if any, the AIX or Solaris bc man pages make about precision and scale limits. (Yes, bc is supposed to be "arbitrary precision", but obviously it has finite limits, since the machine it's running on is finite. I suppose a bc implementation could impose limits too strict to pass all the OpenSSL BN tests.) Do Unix95 or any of the other specs require a bc implementation sufficient to pass all the BN tests? I don't know. Michael Wojcik [EMAIL PROTECTED] MERANT Department of English, Miami University __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
patent issues
I am looking into using OpenSSL commercially in the US but I can't find anything about the legal issues other than that there are some. So I know that RSA holds patents on their algorithms in the US until September 2000. Can I just not use their algorithms and still use OpenSSL and if so how would I do that. Is there any helpful up-to-date source of information about this topic? And what other patent issues have to be taken into account in the US in relation with OpenSSL? Thanks. Stefan Schmidt __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ssl3_write_pending error
On Sun, Apr 30, 2000 at 08:01:30PM -0700, Jeff Magnusson wrote: I'm using Net::SSLeay for a non-blocking server and it sets up new client connections fine, but when I write to the client (SSL_write) I get the following error: SSL_write 17655: 1 - error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry Any help would be appreciated, I've looked at the source and I'm not sure why I would be getting this. When SSL_write is called again after SSL_ERROR_WANT_..., it must get exactly the same buffer because parts of the buffer contents may already have been encrypted and wait in interal buffers while others may not yet have been looked at. What's really important is that buffer *contents* stay the same, but as a sanity check to avoid application bugs the OpenSSL library checks whether the buffer *address* is not changed. This check can be disabled by setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER for that SSL object, using SSL_set_mode (or SSL_CTX_set_mode on the SSL_CTX before SSL_new is called). I don't know about Net::SSLeay, but it would not surprise me if the same string can be at a different memory location when SSL_write is called again. If so, look if SSL_set_mode is available; and you might want to ask the Net::SSLeay maintainers to consider always setting SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER if the library default doesn't work for it. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Proxy or Firewall
OK, so how does this differ from a "man-in-the-middle" attack? Since there are two SSL sessions, there must be two session encryption keys and the proxy must be decrypting and re-encrypting everything it sees. If I'm a client, shouldn't I reject such a connection? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of James Dabbs Sent: Saturday, April 29, 2000 6:41 AM To: [EMAIL PROTECTED] Subject: RE: Proxy or Firewall I believe that many enterprises that do not allow an unbroken SSL connection directly from the client throught the proxy/firewall to the remote server. This is because security policy may allows/disallow certain MIME types in the entity of the HTTP response. For this reason, SSL is "broken" at the proxy, and reestablished with a seperate SSL session between the proxy and the remote server. This is not quite as tansparent to the client, but still fairly so. The proxy is much more complicated. It is my understanding that this scheme is becoming the prevailing security strategy in large corporations, gaining favor over transparent SSL pass through. Am I wrong on this? James Dabbs James Dabbs [EMAIL PROTECTED] Director of Engineering TGA Technologies, Inc. Suite 140, 100 Pinnacle Way Norcross, GA 30071 770-441-2100 ext 126 -Original Message- From: Hansknecht, Deborah A [SMTP:[EMAIL PROTECTED]] Sent: Friday, April 28, 2000 2:57 PM To: '[EMAIL PROTECTED]' Subject: RE: Proxy or Firewall A few comments included within... -Original Message- From: James Dabbs [mailto:[EMAIL PROTECTED]] Sent: April 28, 2000 5:37 AM To: [EMAIL PROTECTED] Subject: RE: Proxy or Firewall ..deleted stuff HTTP over SSL, though, works transparently through almost any proxy. This is because the HTTP client knows that the proxy exists. It sets an SSL session up with the proxy, and tells the proxy to set up a seperate SSL session with the actual server. As long as requests are initiated by the client, everything is OK. Perhaps I missed some context in other messages that makes the above statements correct (and I am probably veering off-topic), but as written this is not true. HTTP works over SSL thru a proxy transparently because the client knows that a proxy exists, (that much is true) but it DOES NOT set up an SSL session. The client sends HTTPS via CONNECT which the proxy just passes on to the end server. Your standard HTTP proxy does not negotiate any SSL session with either client or server. (that is obvious if you remember that you do not need an SSL aware proxy - i.e. Apache with mod-ssl or Apache-SSL - if all you want to do is proxy HTTP or HTTPS requests.) If you are "reverse-proxying" then the proxy DOES negotiate separate SSL sessions with client and server, but that is an entirely different bucket of worms and the client browser doesn't even know that you are using a proxy. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: list and questions
Monday, May 01, 2000, 7:13:49 AM, you wrote: S 1. are there any list about openssl in spanish ? S 2. can somebody send a example of a openssl.cnf ? Here it is: [ req ] default_bits= 1024 default_keyfile = key.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no [ req_distinguished_name ] countryName = two_symbol_country_code countryName_default = two_symbol_country_code stateOrProvinceName = your_province_name localityName= your_city_name localityName_default= your_city_name organizationName= organization_name organizationName_default= organization_name organizationalUnitName = organizational_unit_name commonName = common_name (www.your_server.com in the case of a server cert) emailAddress= your_email S thanks S S Ramon Alvarez Rayo S Contacto tecnico S e-mail: [EMAIL PROTECTED] S --- S __ S OpenSSL Project http://www.openssl.org S User Support Mailing List[EMAIL PROTECTED] S Automated List Manager [EMAIL PROTECTED] -- Best regards, Lenyamailto:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: BN functions and Solaris 7 'bc' disagree
Date: Sat, 29 Apr 2000 20:51:01 +0200
From: [EMAIL PROTECTED] (Bodo Moeller)
To: Ted Powell [EMAIL PROTECTED]
Ted Powell [EMAIL PROTECTED]:
When I ran openssl-0.9.5a's "make test", the tmp.bntest file that was
written contained (out of 1800+ tests) seven expressions which Solaris 7's
'bc' evaluated to give non-zero results.
[...]
When I feed the problematic tmp.bntest to GNU bc (version 1.05a, on Red Hat
Linux 6.2) all the expressions evaluate to zero, as they should.
[...]
GNU bc does not use the BN library, so it would be strange if they had
the same bugs; so this looks like problem of Solaris bc.
Most likely, but it would be reassuring to rule out the possibility of
authors working on the same problem making the same slip.
Why don't
you post the offending lines so that the computations can be verified
with yet other software?
Included below.
Michael Wojcik [EMAIL PROTECTED] commented (in part):
Of course, it may not be a bug per se. I don't recall what statements, if
any, the AIX or Solaris bc man pages make about precision and scale limits.
(Yes, bc is supposed to be "arbitrary precision", but obviously it has
finite limits, since the machine it's running on is finite.
Whatever the limits of the Solaris bc are, I would expect to get something
like the following (actual Solaris output) when they are reached:
$ bc
10^1
exp too big
empty stack
save:args
quit
$
As shown below, the anomalous answers are simply numbers that are non-zero.
Note that although the expressions giving non-zero results appear on
consecutive lines in the file below, they were spread across about fifty
lines in the original test data, with the expressions in between evaluating
to zero.
On the one hand, Solaris bc gives the answers shown every time I run it
on the same test data, so in that sense the problem is perfectly replicatable.
On the other hand, although I ran the OpenSSL "make test" nine more times,
all the "tmp.bntest" files produced (a random number generator is used) gave
clean results.
I suspect that the mailing list doesn't accept messages with attachments,
so I'll attempt to include the files inline. If they don't come through
properly, I can send them as attachments to anyone who asks.
The first file is input for bc ("bc foo" where foo is the file) and
second is the output from Solaris bc. (GNU bc simply outputs ten zeros.)
bc input:
obase=16
ibase=16
-6F5829FFAC4B691288C810DDF5CB98F83B9E1D18D575FF69A9C57C7DDD452F586A59F30B8A99AC38BC6523CAC76E9835D67A9147654471C6297D58BD6270AA04572A22F86E64DA55FAC1A1390E18B29A97DF95D59822A9836AB7F7F5B725FCE7DFD5B818C2B9FA04A
*
18EFC3737948677221A603C3701D80178D75B816A8134F2734E901C23207671D29359379CFC64F6E1888C89BB3D82FEFF614071CE00C18F4DD05E63C3C0696F27ADF1479CA161FE81D72CB134BB270AD7F19005399F56B40E6315D1AFADCDBEC4149484421A773
%
DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A83C69209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D3ED0E2017D60A68775B75481449
-
-5AE0D998836E2267E3EAE4705C322761602583251769178E70A0FA4FE0DC144A1A066D433EB237CC1D65DA4E38DAB894C1EE84A296ECE73C536EF1BA393BACA843C57C70ED053AB4088437619F48C636DDD7FB9C4B9CB19022E50A6F89F0A79A00B9F7982E2B419698B86AD0A11B8B737728C1AE68BDA268ABB6D2EB3CBA0E8E
-5CD00DDF814676931E491F57F36E577B2385009B477672A5C1EE07C05E691CD597AF66AE24E1E7ED7FF4224D3B75D75BE7866F369FE883746FC5C38A2B19690B9B39AC477200AC5E7B3DD1EC55F55800F7DEB59777999D02B77A6DAA23B2AC6E82FD7E1EF2C0FD9D5F0182479A0063116EBE29578BCD401318940BD5F708B5B66FC
*
1811C5E0E40079127FFA83E1B97F76A2092DADE78AC5DEE4B540B0FCA718A56ED02B87D09149F095CEFB633C23272D0D5DB57419B0A9AC4D5D4191D7C3B668363D14B1EBF018DB0D52BFBA554A3483DDB72E74A2B16410BC81556F6EE7249F9F035AD79A23831C94A414FBC013973DA4C4859218A7C32EE5D1AC6CD2D06B47FDC738E
%
DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A83C69209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D3ED0E2017D60A68775B75481449
-
-503FA7D4E10455DA04DC5E9D71ED3EF2ED74451DB1FC70B3372A2DC00569FB8A886E52FB3D4CED5499C28CCB557C275651C56583767B6778A27BB0D147F49BBB072F63B555E293277783FA7096501476E7A35B5D9C04F51599DA4233096F5B40C93D580591!
DD!
1162E3794E584AA246587773047EFF8F5736D8AC78FA2C5C79E7
-694C15FD8A6B586C9C1191E0E194259EE329106A82EDC94E07AC79F46430439576FF6D7E4B0A16DAE48A312EE0FDA6545E6ACE3733F4EC31EE4154DC944A2A46CD00D80277B05A34A3DB4B6EFA61B304B60BE8D03E338813B3D24BC643BBB514C757E21EFD4C309C0FB709F9410C89CED5DFA5D8876D33C60C9CB6AA8DE04F44BFA9813AB
*
1C32674B734B94F077A60CBDC44DA99C23DFB6614FE73EB04C9595D730E433E891B13DA70AED04BFF65DA3C99B0587B47D1B57B1C52127C6106DC9BCAB2751E255724FF53D169DC033EB37D6746CDD8C679AEDA094A7F6DA552B9692C64551D0372DD700662AE6940BDB9D36735505F59D642DDB20EE871E9F9CE38277730A5257358843DE38B223
%
Multiple CNs inside a single cert?
Dear readers,
I've just came back to ssl since a long time away with LDAP...
Now, I've just encountered a problem with a DNS CNAME based "multiple
server" configuration.
I know I could generate a cert for cn=*.mydomain.my, and both NS and
latest MS products are supposed to accept that cert for any system with
DNS name anything.mydomain.com, but this would lead to small glitches with
more granular requests: suppose I have a cert for cn=*.mydomain.my, and
then I want to use another one for cn=host.specialgrp.mydomain.com... the
first cert would do as well for the new host, and I wouldn't like this...
What I'd like to know is if it is possible to put in multiple CNs inside
a cert, like in
0.CommonName = sthg.mydomain.my
1.CommonName = sthgelse.mydomain.my
and so on; if it is possible, how do I do to generate such a cert, and,
last but not least, if client software is supposed to accept the same
cert, both if connecting to sthg.mydomain.my and to sthgelse.mydomain.my,
if I have configured sthgelse.mydomain.my as a DNS alias for
sthg.mydomain.my ("sthgelse.mydomain.my CNAME sthg.mydomain.my")
Thank you very much,
Yours,
lorenzo
PS Please CC: me any replies you send to the list. Thank you
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Proxy or Firewall
PMFJI... How does one utilize something like a Cisco PIX firewall in an SSL environment? On option the firewall seems to offer is translation of network addresses, so a message that might be routed to vvv.xxx.yyy.zzz (a web-registered address) could rerouted to a private network address by the firewall. But wouldn't that cause some grief at the SSL server when it's fielding a message destined for some private network address, but it's certificate is registered for vvv.xxx.yyy.zzz and an associated domain name? Or is it only the client that is concerned with this match? TIA Harry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Nelson Sent: Monday, May 01, 2000 9:35 AM To: [EMAIL PROTECTED] Subject: Re: Proxy or Firewall On Mon, May 01, 2000 at 08:44:17AM -0600, Mike Nigbor wrote: OK, so how does this differ from a "man-in-the-middle" attack? Since there are two SSL sessions, there must be two session encryption keys and the proxy must be decrypting and re-encrypting everything it sees. If I'm a client, shouldn't I reject such a connection? It doesn't .. it actually is a man-in-the-middle attack.. however, the "attack" is being done by the corporation that writes your paycheck.. and there are very valid reasons for a company to be doing such things.. as a client, (or server) you really have no way of detecting that this is happening.. Basically, you end up w/ this picutre.. --- -- | user | --- session 1 --- | f/w | --- session 2 --- | server | --- -- Hope this helps, Tony Nelson TIS Worldwide, Firewall Admin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of James Dabbs Sent: Saturday, April 29, 2000 6:41 AM To: [EMAIL PROTECTED] Subject: RE: Proxy or Firewall I believe that many enterprises that do not allow an unbroken SSL connection directly from the client throught the proxy/firewall to the remote server. This is because security policy may allows/disallow certain MIME types in the entity of the HTTP response. For this reason, SSL is "broken" at the proxy, and reestablished with a seperate SSL session between the proxy and the remote server. This is not quite as tansparent to the client, but still fairly so. The proxy is much more complicated. It is my understanding that this scheme is becoming the prevailing security strategy in large corporations, gaining favor over transparent SSL pass through. Am I wrong on this? James Dabbs James Dabbs [EMAIL PROTECTED] Director of Engineering TGA Technologies, Inc. Suite 140, 100 Pinnacle Way Norcross, GA 30071 770-441-2100 ext 126 -Original Message- From: Hansknecht, Deborah A [SMTP:[EMAIL PROTECTED]] Sent: Friday, April 28, 2000 2:57 PM To: '[EMAIL PROTECTED]' Subject:RE: Proxy or Firewall A few comments included within... -Original Message- From: James Dabbs [mailto:[EMAIL PROTECTED]] Sent: April 28, 2000 5:37 AM To: [EMAIL PROTECTED] Subject: RE: Proxy or Firewall ..deleted stuff HTTP over SSL, though, works transparently through almost any proxy. This is because the HTTP client knows that the proxy exists. It sets an SSL session up with the proxy, and tells the proxy to set up a seperate SSL session with the actual server. As long as requests are initiated by the client, everything is OK. Perhaps I missed some context in other messages that makes the above statements correct (and I am probably veering off-topic), but as written this is not true. HTTP works over SSL thru a proxy transparently because the client knows that a proxy exists, (that much is true) but it DOES NOT set up an SSL session. The client sends HTTPS via CONNECT which the proxy just passes on to the end server. Your standard HTTP proxy does not negotiate any SSL session with either client or server. (that is obvious if you remember that you do not need an SSL aware proxy - i.e. Apache with mod-ssl or Apache-SSL - if all you want to do is proxy HTTP or HTTPS requests.) If you are "reverse-proxying" then the proxy DOES negotiate separate SSL sessions with client and server, but that is an entirely different bucket of worms and the client browser doesn't even know that you are using a proxy. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List
Decrypting a key
I found the answer to this once in the list archives, but neglected to write it down. I have a key that I need to decrypt so that I can run multiple keys on my server without have to type in the PEM phrase. Can someone help me with this? Thanks. -- John Banghart (mailto:[EMAIL PROTECTED], 717-735-7061x118) Director of Web Services, SuperNet (http://www.supernet.com) A OneMain.com Company (http://www.onemain.com) "your hometown Internet" (877-873-7638) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Proxy or Firewall
From: Tony Nelson [EMAIL PROTECTED] tnelson On Mon, May 01, 2000 at 08:44:17AM -0600, Mike Nigbor wrote: tnelson OK, so how does this differ from a "man-in-the-middle" attack? tnelson tnelson Since there are two SSL sessions, there must be two session tnelson encryption keys and the proxy must be decrypting and tnelson re-encrypting everything it sees. tnelson tnelson If I'm a client, shouldn't I reject such a connection? tnelson tnelson tnelson It doesn't .. it actually is a man-in-the-middle tnelson attack.. however, the "attack" is being done by the tnelson corporation that writes your paycheck.. and there are very tnelson valid reasons for a company to be doing such things.. as a tnelson client, (or server) you really have no way of detecting that tnelson this is happening.. I understand that some corporations choose to do that, although I do not agree with that kind of practice. What I can't understand is how it would go undetected, at least of the client or server does certificate verification (and I'm especially thinking of servers that might have a very strict check on the client certificate)... tnelson Basically, you end up w/ this picutre.. tnelson tnelson --- -- tnelson | user | --- session 1 --- | f/w | --- session 2 --- | server | tnelson --- -- -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED] Member of the OpenSSL development team Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: patent issues
OpenSSL so far is patent free and probably will remain generally so unless some hotshot chooses to try to patent something which has already been done - but they don't know about. This has happened - I have examples. RSA's stuff is patented in the US only and it expires as you say in Sept. Thus - if you simply exclude it then you are fine (Use blowfish or DSA) - or if you use it outside of the USA then you are fine and finally - just wait until September. Good luck. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Proxy or Firewall
On Mon, May 01, 2000 at 10:16:28PM +0200, Richard Levitte - VMS Whacker wrote: From: Tony Nelson [EMAIL PROTECTED] I understand that some corporations choose to do that, although I do not agree with that kind of practice. Basically, companies do it to protect themselves.. for the very technical folks it is a pain, and they don't like it.. but we have many users that we need to protect from themselves. We also need to keep detailed logs of network traffic for legal reasons. What I can't understand is how it would go undetected, at least of the client or server does certificate verification (and I'm especially thinking of servers that might have a very strict check on the client certificate)... All that the 'man-in-the-middle' is doing is creating a dummy session.. when the server requests a client cert, the firewall will pass the request along, and the client will get it, just as the server sent it.. when the server sends the replied cert back it will forward it just as the client sent it.. Having the client or server verify remote ip's is simply impractical as most corporations hide all of their internal machines behind non-routeable ip's and masquerade at their firewall. Anything that requires ip handshaking will fail at most firewalls. By definition, 'man-in-the-middle' attacks are so deadly because they are so difficult to detect. In the case of a firewall, they are implemented as 'man-in-the-middle' on purpose. They act as a single point of control for defining network policies and logging network usage. Hope this helps. Tony -- Tony Nelson www.gnupg.org keyid 136C5B87 - Standard Disclaimers Apply - Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html PGP signature
Re: Memory leaks when PEM_read_bio_PrivateKey fails
Amit Chopra [EMAIL PROTECTED]: I had reported some leaks some time back, but got no response from the mailing list. OpenSSL 0.9.4 leaks 332 bytes for ERR_STATE struct allocated while doing SSL_read. ERR_get_state [err.c:561] = ret=(ERR_STATE *)Malloc(sizeof(ERR_STATE)); It also leaks 12 bytes allocated for an LHASH_NODE in SSL_read . lh_insert [lhash.c:196] ((nn=(LHASH_NODE*)Malloc(sizeof(LHASH_NODE))) Are these the leaks in question ? I still havent found a way to fix them. Please try the latest snapshost. If your program calls ERR_remove_state(0) before exiting, there should be no such leaks now. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SIGBUS on solaris w/ C++ wrapper class.... any ideas???
Hi all,
I am writing a C++ wrapper class as an interface into certain openSSL
commands, and when I call SSL_write, I get a SIGBUS. I traced through with
gdb and where this call takes place, I tried to 'print ssl' I get:
$5 = (SSL*) 0x656e7449,
then I do 'print *ssl' I get:
Cannot access memory at address 0x656e7449
This is obviously the cause for the SIGBUS as SSL_write(ssl...) tries to
make use of this structure.
Here are my machine stats:
~ 73 uname -a
SunOS candlestick 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
~ 74 g++ --version
2.95.2
~ 76 gdb --version
GNU gdb 4.17
Here is my class definition, constructor, and write function... if it will
help, Ill post all my code. I get no return codes that would alert me to
any problems up until the SIGBUS.
Ive never seen anything like this before, anyone have any advise...
#ifndef __SSLWRAPPERH__
#define __SSLWRAPPERH__
#include stdio.h
#include stdlib.h
extern "C"
{
#include openssl/ssl.h
}
#include OsTypes.h
class SSLhandler
{
private:
char hostName[80];
char request[200];
int port;
SSL *ssl;
SSL_CTX *ssl_ctx;
int sock;
static bool initialized;
public:
SSLhandler(char *HostName,int Port=4433);
~SSLhandler();
void getEventKey(ulong eventID,char *key,uint16_t maxLen);
private:
SSLhandler(); //hide
SSLhandler(SSLhandler);//hide
int prngSeed();
void openSocket(char *host,int port);
inline int writeSSL(char *request,int length);
int readSSL(char *response,int maxLen);
};
#endif //__SSLWRAPPERH__
int SSLhandler::writeSSL(char *request,int length)
{
=uint16_t ret = SSL_write(ssl,request,length);
#ifdef __DEBUG
cout "Bytes Written:" ret endl;
cout "Chars Written:" request endl;
#endif
return ret;
}
//This can throw a couple different string errors, be prepared!
SSLhandler::SSLhandler(char *HostName,int Port)
: ssl(NULL),ssl_ctx(NULL),port(Port)
{
if (initialized == false)
{ //One time per program execution
if (prngSeed()==false) //Seed the random number generator!
throw "PRNG Error";
//Load all necessary support routines as definied by openSLL
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
initialized = true;
}
strcpy(hostName,HostName);
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
ssl = SSL_new(ssl_ctx);
//openSocket could throw an error, otherwise sets up sock
openSocket(hostName,port);
SSL_set_fd(ssl, sock);
int result = SSL_connect(ssl);
if (SSL_get_error(ssl,result) != SSL_ERROR_NONE)
{
printf ("SSL Connect Errors!\n");
while (ERR_peek_error()!=0)
printf("%s\n",ERR_error_string(ERR_get_error(),NULL));
throw "SSL Error";
}
}
Brian Snyder.vcf
FW: SIGBUS on solaris w/ C++ wrapper class.... any ideas???... IGNORE!!
Sorry all I figured it out, I had my own memory leak that was screwing me
up.
Apologizes to all for the interruption,
brian
-Original Message-
From: Brian Snyder
Sent: Monday, May 01, 2000 5:37 PM
To: Ssl (E-mail)
Subject: SIGBUS on solaris w/ C++ wrapper class any ideas???
Hi all,
I am writing a C++ wrapper class as an interface into certain openSSL
commands, and when I call SSL_write, I get a SIGBUS. I traced through with
gdb and where this call takes place, I tried to 'print ssl' I get:
$5 = (SSL*) 0x656e7449,
then I do 'print *ssl' I get:
Cannot access memory at address 0x656e7449
This is obviously the cause for the SIGBUS as SSL_write(ssl...) tries to
make use of this structure.
Here are my machine stats:
~ 73 uname -a
SunOS candlestick 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
~ 74 g++ --version
2.95.2
~ 76 gdb --version
GNU gdb 4.17
Here is my class definition, constructor, and write function... if it will
help, Ill post all my code. I get no return codes that would alert me to
any problems up until the SIGBUS.
Ive never seen anything like this before, anyone have any advise...
#ifndef __SSLWRAPPERH__
#define __SSLWRAPPERH__
#include stdio.h
#include stdlib.h
extern "C"
{
#include openssl/ssl.h
}
#include OsTypes.h
class SSLhandler
{
private:
char hostName[80];
char request[200];
int port;
SSL *ssl;
SSL_CTX *ssl_ctx;
int sock;
static bool initialized;
public:
SSLhandler(char *HostName,int Port=4433);
~SSLhandler();
void getEventKey(ulong eventID,char *key,uint16_t maxLen);
private:
SSLhandler(); //hide
SSLhandler(SSLhandler);//hide
int prngSeed();
void openSocket(char *host,int port);
inline int writeSSL(char *request,int length);
int readSSL(char *response,int maxLen);
};
#endif //__SSLWRAPPERH__
int SSLhandler::writeSSL(char *request,int length)
{
=uint16_t ret = SSL_write(ssl,request,length);
#ifdef __DEBUG
cout "Bytes Written:" ret endl;
cout "Chars Written:" request endl;
#endif
return ret;
}
//This can throw a couple different string errors, be prepared!
SSLhandler::SSLhandler(char *HostName,int Port)
: ssl(NULL),ssl_ctx(NULL),port(Port)
{
if (initialized == false)
{ //One time per program execution
if (prngSeed()==false) //Seed the random number generator!
throw "PRNG Error";
//Load all necessary support routines as definied by openSLL
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
initialized = true;
}
strcpy(hostName,HostName);
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
ssl = SSL_new(ssl_ctx);
//openSocket could throw an error, otherwise sets up sock
openSocket(hostName,port);
SSL_set_fd(ssl, sock);
int result = SSL_connect(ssl);
if (SSL_get_error(ssl,result) != SSL_ERROR_NONE)
{
printf ("SSL Connect Errors!\n");
while (ERR_peek_error()!=0)
printf("%s\n",ERR_error_string(ERR_get_error(),NULL));
throw "SSL Error";
}
}
Brian Snyder.vcf
BF_cbc_encrypt()
I'm fooling around trying to figure out how to use the OpenSSL C API. I've read the docs and some things are clear some are not. In the functions BF_cbc_encrypt() what is the ivec variable. What does it do and what is it for and what is it supposed to do? Thanx for any help. Paul __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Memory leaks when PEM_read_bio_PrivateKey fails
Odpowiedz automatyczna: Do 5 maja przebywam na zasluzonym urlopie. W pilnych sprawach prosze o kontakt z Kamilem Kilinskim. Z powazaniem, Michal Trojnara "[EMAIL PROTECTED]" 05/01/00 21:51 Amit Chopra [EMAIL PROTECTED]: I had reported some leaks some time back, but got no response from the mailing list. OpenSSL 0.9.4 leaks 332 bytes for ERR_STATE struct allocated while doing SSL_read. ERR_get_state [err.c:561] = ret=(ERR_STATE *)Malloc(sizeof(ERR_STATE)); It also leaks 12 bytes allocated for an LHASH_NODE in SSL_read . lh_insert [lhash.c:196] ((nn=(LHASH_NODE*)Malloc(sizeof(LHASH_NODE))) Are these the leaks in question ? I still havent found a way to fix them. Please try the latest snapshost. If your program calls ERR_remove_state(0) before exiting, there should be no such leaks now. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Decrypting a key
I found the answer to this once in the list archives, but neglected to write it down. I have a key that I need to decrypt so that I can run multiple keys on my server without have to type in the PEM phrase. Can someone help me with this? These are the old directions, just replace the command ssleay with openssl Step two - remove the passphrase from the key (optional): ssleay rsa -in privkey.pem -out new.cert.key __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: patent issues
From: Stefan Schmidt [EMAIL PROTECTED] snip I am looking into using OpenSSL commercially in the US but I can't find anything about the legal issues other than that there are some. So I know that RSA holds patents on their algorithms in the US until September 2000. Can I just not use their algorithms and still use OpenSSL and if so how would I do that. Is there any helpful up-to-date source of information about this topic? And what other patent issues have to be taken into account in the US in relation with OpenSSL? Thanks. One approach is to substitute the RSA BSAFE SSL-C library for the OpenSSL crypto and ssl libraries. This is the only way I know of licensing the RSA encryption algorithms at a reasonable cost. This might be the the sole remaining option, as RSA Security seems to have stopped issuing commercial licenses for RSAREF. Depending on which version of OpenSSL you are porting from, there is not a lot of tweaking necessary. The RSA libraries provide API's that are almost identical to those in the OpenSSL code. (It's not surprising, since Eric Young's code is the basis for both.) Al Allan Borr, Scriptics Corp. Mountain View, California email: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
