Re: Rainbow Cryptoswift cards

2001-01-19 Thread Louis LeBlanc

[EMAIL PROTECTED] wrote:
> 
> > -Original Message-
> > From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
> > Sent: 19 January 2001 12:39
> > To: [EMAIL PROTECTED]
> > Subject: Re: Rainbow Cryptoswift cards
> >
> >
> > One quick question, just so I know how to answer when this kind of
> > project comes up:
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many
> > transactions per
> > second.  What happens if your traffic load exceeds the card's ability?
> > Can you easily 'spill' that extra work over to the system if you have
> > any room there?
> 
> I don't think so. All you can do is add extra cards, or run multiple servers
> (NetAID used 28 servers with a Rainbow card in each one).
> 
> You will need to have a rough idea how much traffic you'll have, in order to
> estimate how many cards you'll need. Bear in mind that some of these other
> solutions like the Intel accelerator are based on a Rainbow card anyway.
> 
> I'm hoping we can get away with one per machine. First though, I have to
> recompile openssl!
> 

Thanks.
I guess we will have to validate the various options with our system and
code base before even guessing at which option to go for.
We are using our own streamlined implementation to serve content, so it
is possible we will get a better cost/performance ratio without any
peripherals.
The backend system could wind up being overkill if we can get 500
objects/sec served without an accelerator at around $6K (give or take)
and the accelerator only handling 300 effectively, we would need 2 cards
to get by the 500 cps limit, but since the system is no longer
performing the SSL arithmetic, it could very well be better than 60%
idle.  We would need to add a couple more cards to get the most out of
it, but by then we could be saturating our network, and don't even get
me started on the cost/performance hit with the added cost of all those
cards.

The specific numbers are strictly conjecture, but something to think
about.

Sorry to take the discussion so far off topic.

L

-- 
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Question about crypto toolkits that are used in OpenSSL

2001-01-19 Thread Johan Adolfsson

Isn't there a trademark issue with the name "RC4" and that's why it's
called ARC4 or C4 in some implementations?

(I might be totally wrong here though...)
/Johan

-Original Message-
From: Rodney Thayer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, January 18, 2001 22:18
Subject: Re: Question about crypto toolkits that are used in OpenSSL


>the patent on RSA expired last september.  rc-4 'seems to be'
>ok to use.  I don't think you need a license.
>
>(of course, have your lawyers check your logic, I'm not a lawyer
>and I don't play one on the Internet.)
>
>At 01:02 PM 1/18/01 -0800, Gordon Fritsch wrote:
>
>>I am trying to legally use OpenSSL with OpenSSH. Does anyone know which
>>toolkits are used in OpenSSL to handle the RSA public key algorithms?
>>
>>We want to avoid any licensing issues from RSA. Can anyone recommend a good
>>toolkit that will allow use of the RSA public key algorithm? I understand
>>that there are a number of them, such as BSafe SSL-C, etc.
>>
>>This is for a commercial application.
>




Re: Rainbow Cryptoswift cards

2001-01-19 Thread Louis LeBlanc

adrien mistretta wrote:
> 
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many transactions per
> > second.  What happens if your traffic load exceeds the card's ability?
> > Can you easily 'spill' that extra work over to the system if you have
> > any room there?
> 
> The only thing done with the cryptoswift is the RSA key calculation. All
> others things are done by your CPU(s)

So what about the actual data encryption/decryption?  If the system
handles this, the potential gains are pretty high for a powerful
system.  How much of the actual handshake has to be done on the card?

> 
> > I know this can be done with a separate appliance, like the Intel 7115
> > (which takes the fun of actually implementing a solution away), but
> > these are overly expensive, and make relational performance measurements
> > pretty complicated in many configurations.
> 
> There many other appliance
> CiberIQ, Alteon ...
> cryptoswift is very expensive , The sonicwall card seems to be nice (RSA,
> 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> to make some tests

I've heard of the CyberIQ.  I've also heard that their numbers were
cooked a little more than most of the providers.  I'm sure we will wind
up validating a number of options.

> 
> > Enough rambling about this though.  Now you have a context for my
> > original question:  can the OpenSSL engine spill extra SSL sessions over
> > to the system cpu?
> 
> When I run some test with heavy load of ssl transaction with the cryptoswift
> 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> calculation has been done by the cpus

Interesting.  Was your system responsible for anything else (ie, a ftp
server, etc.)?  Were you using Apache in the back end?
Our system is pretty streamlined, we have left out a lot of the 'bells
and whistles' found in Apache, so we can handle a lot more throughput. 
We can serve 500+ objects on a clear connection from a Netra 440, where
our experience shows Apache at less than half this for the same system. 
Purely CPU bound on the server side.  Client side (separate system) is
I/O bound until you start fetching on a secure connection.  Maybe we
want to see how one of these cards performs there?

Thanks for your feedback.

Lou


> 
> Adrien

-- 
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net



Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Kenneth R. Robinette

Problem:

A Unix Apache/mod-ssl server .crt/.key pair generated from a .csr/.key
signed by a self generated CA Cert on 32 bit Windows will not work with
the Netscape 4.72 client running on Linux Redhat 6.2.

However the same .csr/.key signed by the same self generated CA Cert on
Redhat 6.2 Linux will work.  It will also work with the Microsoft
Explorer 5.50.4522.1800 running on Windows 98, regardless of where the
.crt/.key pair was signed.

The Netscape client fails with the message "OpenSSL: error:14094412: SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate" in the apache log
file.

It would appear that the Windows based OpenSSL ca program is not
consistent with the Unix based OpenSSL ca program.

Conditions:

Apache WWW server with mod-ssl (mod_ssl-2.7.1-1.3.14) running on Linux Redhat 6.2.
Latest OpenSSL SNAP (same results with 0.9.6)
Netscape client 4.72 running on Linux Redhat 6.2
Microsoft Windows Explorer 5.50.4522.1800 on Windows 98
In all cases the .crt/.key pair is a 1024 bit RSA key.
The openssl.cnf file is identical on the Windows/Linux systems.

Has anyone else seen this behavior and found a solution?

Ken

__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com



Size of signature from EVP_SignFinal

2001-01-19 Thread Dave R

I'd like to be able to work out the size of the signature that would be
returned by a call to EVP_SignFinal() so that I can dynamically allocate
the memory for the signature before actually calling the function.

Any info on how to do this?   If I pass in a NULL pointer and 0 length,
I get a SEGV.  I'm using this with both RSA & DSA keys.

Thanks

-- 
Dave



RE: Rainbow Cryptoswift cards

2001-01-19 Thread Jennifer Arden

I do not know anything about the Rainbow Cryptoswift card.  However, I do
know how to set it up with the nCipher card.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, January 19, 2001 5:51 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Rainbow Cryptoswift cards


I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa,
although you are a bit late).

Does anyone have experience of setting this up with mod-ssl? If so, can you
let me know how I do it. I understand I need to use shm rather than dbm, but
how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I
don't seem to have it. I'm using the pre-compiled rpms which I realise may
not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence
my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

-
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]




No Subject

2001-01-19 Thread Stephen . Sait

 Hi,
 
 Just a quick question.
 Is there anywhere I can find some examples of the code in use. 
 The code in the 'demos' directory doesn't include any of the new 
 calls, 'SSL_set_fd', 'SSL_connect' etc.
 
 Any info gratefully appreciated.
 
 Thanks
 
 Steve Sait


Visit our website at http://www.ubswarburg.com




Re: Rainbow Cryptoswift cards

2001-01-19 Thread Rodney Thayer

is there somewhere one can get a list of the supported engine cards?
I mean, there are vendors out there, other than Rainbow, who'd like
to put their two milli-euro's worth into this conversation but
that would be impolite and a commercial advertisement

(yeah, yeah, read the source.  I mean a real list of the cards
and how you buy them/etc.)

At 08:52 AM 1/19/01 -0500, you wrote:
>adrien mistretta wrote:
> >
> > > The cryptoswift card provides 'onboard' acceleration of SSL based
> > > processing, but the card itself can only handle so many transactions per
> > > second.  What happens if your traffic load exceeds the card's ability?
> > > Can you easily 'spill' that extra work over to the system if you have
> > > any room there?
> >
> > The only thing done with the cryptoswift is the RSA key calculation. All
> > others things are done by your CPU(s)
>
>So what about the actual data encryption/decryption?  If the system
>handles this, the potential gains are pretty high for a powerful
>system.  How much of the actual handshake has to be done on the card?
>
> >
> > > I know this can be done with a separate appliance, like the Intel 7115
> > > (which takes the fun of actually implementing a solution away), but
> > > these are overly expensive, and make relational performance measurements
> > > pretty complicated in many configurations.
> >
> > There many other appliance
> > CiberIQ, Alteon ...
> > cryptoswift is very expensive , The sonicwall card seems to be nice (RSA,
> > 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> > to make some tests
>
>I've heard of the CyberIQ.  I've also heard that their numbers were
>cooked a little more than most of the providers.  I'm sure we will wind
>up validating a number of options.
>
> >
> > > Enough rambling about this though.  Now you have a context for my
> > > original question:  can the OpenSSL engine spill extra SSL sessions over
> > > to the system cpu?
> >
> > When I run some test with heavy load of ssl transaction with the cryptoswift
> > 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> > calculation has been done by the cpus
>
>Interesting.  Was your system responsible for anything else (ie, a ftp
>server, etc.)?  Were you using Apache in the back end?
>Our system is pretty streamlined, we have left out a lot of the 'bells
>and whistles' found in Apache, so we can handle a lot more throughput.
>We can serve 500+ objects on a clear connection from a Netra 440, where
>our experience shows Apache at less than half this for the same system.
>Purely CPU bound on the server side.  Client side (separate system) is
>I/O bound until you start fetching on a secure connection.  Maybe we
>want to see how one of these cards performs there?
>
>Thanks for your feedback.
>
>Lou
>
>
> >
> > Adrien
>
>--
>Louis LeBlanc
>Fully Funded Hobbyist, KeySlapper Extrordinaire :)
>[EMAIL PROTECTED]
>http://acadia.ne.mediaone.net




RE: Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

> -Original Message-
> From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
> Sent: 19 January 2001 14:52
> To: [EMAIL PROTECTED]
> Subject: Re: Rainbow Cryptoswift cards
> 
> 
> is there somewhere one can get a list of the supported engine cards?
> I mean, there are vendors out there, other than Rainbow, who'd like
> to put their two milli-euro's worth into this conversation but
> that would be impolite and a commercial advertisement
> 
> (yeah, yeah, read the source.  I mean a real list of the cards
> and how you buy them/etc.)
> 
> 
There's a list of supported cards in the openssl changelog at
http://www.openssl.org/news/changelog.html

Don't know anything else though.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



Re: Size of signature from EVP_SignFinal

2001-01-19 Thread Greg Stark

Dave,

See

http://www.openssl.org/docs/crypto/EVP_SignInit.html#

You should allocate the amount of storage indicated by the EVP_PKEY_size()
function. It may be a little too much; the actual size used is returned by
EVP_SignFinal.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: "Dave R" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 19, 2001 9:27 AM
Subject: Size of signature from EVP_SignFinal


> I'd like to be able to work out the size of the signature that would be
> returned by a call to EVP_SignFinal() so that I can dynamically allocate
> the memory for the signature before actually calling the function.
>
> Any info on how to do this?   If I pass in a NULL pointer and 0 length,
> I get a SEGV.  I'm using this with both RSA & DSA keys.
>
> Thanks
>
> --
> Dave





Re: Rainbow Cryptoswift cards

2001-01-19 Thread adrien mistretta

> is there somewhere one can get a list of the supported engine cards?
> I mean, there are vendors out there, other than Rainbow, who'd like
> to put their two milli-euro's worth into this conversation but
> that would be impolite and a commercial advertisement

The supported Crypto cards are in the Openssl-engine README.ENGINE

There's currently built-in support for the following crypto devices:

  o CryptoSwift
  o Compaq Atalla
  o nCipher CHIL

For the cryptoswift, the French sales told me 31000FF for the cryptoswift 200
or 94000FF for the cryptoswift 600



RE: Rainbow Cryptoswift cards

2001-01-19 Thread Jennifer Arden

Have you heard of the nCipher card?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Rodney Thayer
Sent: Friday, January 19, 2001 9:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Rainbow Cryptoswift cards


is there somewhere one can get a list of the supported engine cards?
I mean, there are vendors out there, other than Rainbow, who'd like
to put their two milli-euro's worth into this conversation but
that would be impolite and a commercial advertisement

(yeah, yeah, read the source.  I mean a real list of the cards
and how you buy them/etc.)

At 08:52 AM 1/19/01 -0500, you wrote:
>adrien mistretta wrote:
> >
> > > The cryptoswift card provides 'onboard' acceleration of SSL based
> > > processing, but the card itself can only handle so many transactions per
> > > second.  What happens if your traffic load exceeds the card's ability?
> > > Can you easily 'spill' that extra work over to the system if you have
> > > any room there?
> >
> > The only thing done with the cryptoswift is the RSA key calculation. All
> > others things are done by your CPU(s)
>
>So what about the actual data encryption/decryption?  If the system
>handles this, the potential gains are pretty high for a powerful
>system.  How much of the actual handshake has to be done on the card?
>
> >
> > > I know this can be done with a separate appliance, like the Intel 7115
> > > (which takes the fun of actually implementing a solution away), but
> > > these are overly expensive, and make relational performance measurements
> > > pretty complicated in many configurations.
> >
> > There many other appliance
> > CiberIQ, Alteon ...
> > cryptoswift is very expensive , The sonicwall card seems to be nice (RSA,
> > 3DES, DES, ARC[24], SHA1, MD5) and cheap, but i didn't have the opportunity
> > to make some tests
>
>I've heard of the CyberIQ.  I've also heard that their numbers were
>cooked a little more than most of the providers.  I'm sure we will wind
>up validating a number of options.
>
> >
> > > Enough rambling about this though.  Now you have a context for my
> > > original question:  can the OpenSSL engine spill extra SSL sessions over
> > > to the system cpu?
> >
> > When I run some test with heavy load of ssl transaction with the cryptoswift
> > 200, the 2 cpus (p3-700) was 0% idle. But i don't know if some keys
> > calculation has been done by the cpus
>
>Interesting.  Was your system responsible for anything else (ie, a ftp
>server, etc.)?  Were you using Apache in the back end?
>Our system is pretty streamlined, we have left out a lot of the 'bells
>and whistles' found in Apache, so we can handle a lot more throughput.
>We can serve 500+ objects on a clear connection from a Netra 440, where
>our experience shows Apache at less than half this for the same system.
>Purely CPU bound on the server side.  Client side (separate system) is
>I/O bound until you start fetching on a secure connection.  Maybe we
>want to see how one of these cards performs there?
>
>Thanks for your feedback.
>
>Lou
>
>
> >
> > Adrien
>
>--
>Louis LeBlanc
>Fully Funded Hobbyist, KeySlapper Extrordinaire :)
>[EMAIL PROTECTED]
>http://acadia.ne.mediaone.net




RE: Rainbow Cryptoswift cards

2001-01-19 Thread David Lang

when I was evaluating similar products a couple years ago I found that it
really didn't help to try and worry about spilling the load over to the
main CPU.

benchmarks from the time were

pentium 200 linux 19 connections/sec 100% CPU
RS/6000 233 (RISC) 29 connections/sec 100% CPU
install SSL accelerator 300 connections/sec 10-20% CPU

nowadays the raw machines will be faster, but you also need to have CPU
time to run CGIs etc. I think it's unlikely that you will gain much by
using your main CPUs (assuming you get an appropriately sized SSL
accelerator)

David Lang


 On Fri, 19 Jan 2001 [EMAIL PROTECTED] wrote:

> Date: Fri, 19 Jan 2001 12:47:02 -
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: Rainbow Cryptoswift cards
>
> > -Original Message-
> > From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
> > Sent: 19 January 2001 12:39
> > To: [EMAIL PROTECTED]
> > Subject: Re: Rainbow Cryptoswift cards
> >
> >
> > One quick question, just so I know how to answer when this kind of
> > project comes up:
> > The cryptoswift card provides 'onboard' acceleration of SSL based
> > processing, but the card itself can only handle so many
> > transactions per
> > second.  What happens if your traffic load exceeds the card's ability?
> > Can you easily 'spill' that extra work over to the system if you have
> > any room there?
>
> I don't think so. All you can do is add extra cards, or run multiple servers
> (NetAID used 28 servers with a Rainbow card in each one).
>
> You will need to have a rough idea how much traffic you'll have, in order to
> estimate how many cards you'll need. Bear in mind that some of these other
> solutions like the Intel accelerator are based on a Rainbow card anyway.
>
> I'm hoping we can get away with one per machine. First though, I have to
> recompile openssl!
>
> -
> Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
>



Rainbow Cryptoswift cards

2001-01-19 Thread John . Airey

I'm getting a Rainbow Cryptoswift card in the post today (thank you Santa,
although you are a bit late). 

Does anyone have experience of setting this up with mod-ssl? If so, can you
let me know how I do it. I understand I need to use shm rather than dbm, but
how do I get openssl to recognise the card?

I've the openssl change list, and it alleges support for these cards, but I
don't seem to have it. I'm using the pre-compiled rpms which I realise may
not have compiled this support in.

(I can't find anything else in the openssl or modssl docs to help me, hence
my post. The documentation available on the Rainbow site is scant as well)

Thank you. If no-one can help, I'll battle on and post my results later.

- 
Happy new Millennium - http://www.rog.nmm.ac.uk/mill/index.htm
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




Re: Question about PKCS7_encrypt()

2001-01-19 Thread Greg Stark

These are normal if you have compiled the openssl crypto libraries for Win32
with the debugging options enabled.

__
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
__

- Original Message -
From: "Hellan,Kim KHE" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 19, 2001 5:41 AM
Subject: Question about PKCS7_encrypt()


> Whenever I use PKCS7_encrypt(), OpenSSL writes the following to stdout:
>
> randomness from PROV_RSA_FULL
> Exiting RAND_poll
>
> Before I use PKCS7_encrypt() I call RAND_seed() with 256 bit of random data.
>
> Am I doing something wrong or are these messages from OpenSSL just "normal"
> behaviour?
>





Re: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Dr S N Henson

"Kenneth R. Robinette" wrote:
> 
> Problem:
> 
> A Unix Apache/mod-ssl server .crt/.key pair
> generated from a .csr/.key signed by a self
> generated CA Cert on 32 bit Windows will not work
> with the Netscape 4.72 client running on Linux
> Redhat 6.2.
> 
> However the same .csr/.key signed by the same
> self generated CA Cert on Redhat 6.2 Linux will
> work.  It will also work with the Microsoft
> Explorer 5.50.4522.1800 running on Windows 98,
> regardless of where the .crt/.key pair was signed.
> 
> The Netscape client fails with the message
> "OpenSSL: error:14094412: SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate" in the apache log file.
> 
> It would appear that the Windows based OpenSSL ca
> program is not consistent with the Unix based
> OpenSSL ca program.
> 

The two cases should be identical with respect to the generated
certificates.

How are you generating the certificates (i.e. what precise command) and
how are you importing them into Netscape, presumably a PKCS#12 file?

You mention the "same self generated CA certificate". What do you mean
by "same"? Is this the same private key or the same DN? If it is the
same DN but different keys have you installed both CA certificates as
trusted in Apache? It's possible if the DNs are the same but the keys are
different that it is attempting to verify one certificate against the
other CA and causing a verify error as a result.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
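
The case raised in the reply above (two self generated CA certificates with the same DN but different keys), reproduced as an added example that is not part of the original thread. The directory names, DNs and helper functions are constructed for illustration, and `openssl x509 -req` stands in for the `openssl ca` command used in the thread to keep the setup short.

```shell
#!/bin/sh
# Added example, not from the thread. Names and DNs are constructed.
# Two CAs share one DN but were generated separately, so their keys differ.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on a system-wide openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

CA_DN="/O=Example Org/CN=Example Test CA"   # same DN typed in on both machines

# make_ca DIR: self-signed CA certificate with CA_DN and a freshly generated key
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/req.cnf" -extensions v3_ca -subj "$CA_DN" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# sign_csr CADIR CSR OUT: issue a certificate for CSR from the CA in CADIR
sign_csr() {
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 30 -sha256 -out "$3" >/dev/null 2>&1
}

# name_hash subject|issuer CERT: hash of that DN, i.e. what a lookup by name sees
name_hash() { openssl x509 -noout "-${1}_hash" -in "$2"; }

# key_fp CERT: SHA-256 over the certificate's public key, i.e. the key identity
key_fp() {
    openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# verifies CAFILE CERT: succeeds only if CERT chains to the CA in CAFILE
verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# diagnose CERT CAFILE: separate "wrong CA name" from "right name, no valid chain"
diagnose() {
    if verifies "$2" "$1"; then
        echo "ok"
    elif [ "$(name_hash issuer "$1")" = "$(name_hash subject "$2")" ]; then
        echo "issuer-dn-matches-but-verify-fails"
    else
        echo "different-issuer-dn"
    fi
}

make_ca "$WORK/win32"    # CA generated on the Windows machine
make_ca "$WORK/unix"     # CA generated again on the Unix machine, same DN
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
sign_csr "$WORK/win32" "$WORK/server.csr" "$WORK/server.crt"

echo "win32 CA: name $(name_hash subject "$WORK/win32/ca.crt") key $(key_fp "$WORK/win32/ca.crt")"
echo "unix  CA: name $(name_hash subject "$WORK/unix/ca.crt") key $(key_fp "$WORK/unix/ca.crt")"
echo "server.crt against win32 CA: $(diagnose "$WORK/server.crt" "$WORK/win32/ca.crt")"
echo "server.crt against unix  CA: $(diagnose "$WORK/server.crt" "$WORK/unix/ca.crt")"
```

Equal name hashes with different key fingerprints are the signature of this mix-up; comparing the two CA files this way answers the "same private key or the same DN?" question directly.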




Strange problem with MSIE + SSL

2001-01-19 Thread Oliver Fromme


Hi,

I have set up an Apache 1.3.14 + mod_ssl 2.7.1 on a box
which acts as an https-to-http proxy (i.e. it proxies https
connections from the outside world to a http server in the
intranet which is not capable of doing https itself).

It works very well, except when accessed via MS Internet
Explorer (we're using version 5.5) from a LAN.  I am not
a Windows expert at all, so I have no clue about this.

   Netscape via dial-up:  no problem
   Netscape via LAN:  no problem
   Explorer via dial-up:  no problem
   Explorer via LAN:  *problem*

where "problem" means that it takes 15 - 20 minutes (!!!)
to receive a single page.  At the same time, the following
appears in the ssl_engine log (line wrapped for clarity):

   [19/Jan/2001 18:20:19 08196] [info] \
  Spurious SSL handshake interrupt\
  [Hint: Usually just one of those OpenSSL confusions!?]

We have no idea what might be causing the problem.
Interestingly it works fine when accessing from a dial-up
line (ISDN or whatever), and with Netscape it works either
way.  Also, "normal surfing" works fine in all cases.  All
of the clients (Netscape and Explorer) are running on
Windows. 

Does anyone have an idea?

Regards
   Oliver

PS:  The Apache SSL server is running on a BSD/OS 4.0.1
machine, if that matters.

PPS:  Please Cc: me, I'm not on the list.  (Yes, I know, I
_should_ be on the list.)

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"All that we see or seem is just a dream within a dream" (E. A. Poe)



Re: Strange problem with MSIE + SSL

2001-01-19 Thread Jeffrey Burgoyne


I have noted a server problem with IE 5 and keep alives. I've actually
turned off all keep alives for IE on SSL connections. That might help.

Jeff

On Fri, 19 Jan 2001, Oliver Fromme wrote:

> 
> Hi,
> 
> I have set up an Apache 1.3.14 + mod_ssl 2.7.1 on a box
> which acts as an https-to-http proxy (i.e. it proxies https
> connections from the outside world to a http server in the
> intranet which is not capable of doing https itself).
> 
> It works very well, except when accessed via MS Internet
> Explorer (we're using version 5.5) from a LAN.  I am not
> a Windows expert at all, so I have no clue about this.
> 
>    Netscape via dial-up:  no problem
>    Netscape via LAN:  no problem
>    Explorer via dial-up:  no problem
>    Explorer via LAN:  *problem*
> 
> where "problem" means that it takes 15 - 20 minutes (!!!)
> to receive a single page.  At the same time, the following
> appears in the ssl_engine log (line wrapped for clarity):
> 
>    [19/Jan/2001 18:20:19 08196] [info] \
>   Spurious SSL handshake interrupt\
>   [Hint: Usually just one of those OpenSSL confusions!?]
> 
> We have no idea what might be causing the problem.
> Interestingly it works fine when accessing from a dial-up
> line (ISDN or whatever), and with Netscape it works either
> way.  Also, "normal surfing" works fine in all cases.  All
> of the clients (Netscape and Explorer) are running on
> Windows. 
> 
> Does anyone have an idea?
> 
> Regards
>    Oliver
> 
> PS:  The Apache SSL server is running on a BSD/OS 4.0.1
> machine, if that matters.
> 
> PPS:  Please Cc: me, I'm not on the list.  (Yes, I know, I
> _should_ be on the list.)
> 
> -- 
> Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
> 
> "All that we see or seem is just a dream within a dream" (E. A. Poe)



ca -startdate

2001-01-19 Thread Min Sheng Lu

I am trying to sign certificates with a future start date (using OpenSSL
0.95a).

The documentation says to use -startdate date (which is in YYMMDDhhmmssZ
format), but the ca command seems to ignore dates in the form 010601010101Z and
sets the startdate to the default current time.

Just wondering:
1. Does ca -startdate actually work? Some old threads have mentioned that it
does not.

2. If it does work (since the functionality is documented), what do I need to
do?

Thanks
Min




Re: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Kenneth R. Robinette

Date sent:  Fri, 19 Jan 2001 17:24:55 +
From:   Dr S N Henson <[EMAIL PROTECTED]>
Organization:   S N Henson
To: [EMAIL PROTECTED]
Subject:Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Send reply to:  [EMAIL PROTECTED]

The .csr/.key is generated using the following commands:

openssl genrsa -out server.key 1024
openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr

I then sign it with the openssl ca program with a self generated/self 
signed ca crt and key.  I then transfer the resulting server.key and 
server.csr to the Unix workstation and place in:

/usr/local/apache/ssl.crt/server.crt
/usr/local/apache/ssl.key/server.key

I start up the Apache server, then use the Microsoft Internet 
Explorer on Windows 98 to connect to the Apache server.  
Everything goes well, the Microsoft Explorer knows that the cert is 
signed by a CA that is in its list of CA certs, gives the proper 
warning, etc. and it displays a dialog box asking if I wish to proceed. 
I accept the yes button and the https page is displayed correctly.

I then login to the Redhat Linux system and start the Netscape client.
It states that it has received an improperly formatted cert and does 
nothing more. 

I then take the .csr and .key file mentioned above, transfer both to the 
Linux workstation and use the same openssl ca command to sign the 
cert.  I then transfer the resulting .crt and .key to the locations 
shown above.  I restart Apache, and try Netscape again.  This time 
it is happy and does much like the Microsoft Explorer, it displays a 
dialog stating it does not know about the ca and asks if I would like 
to add it.

Note that the .csr and .key are identical in both cases.  In both 
cases they have been created on the Windows workstation.  Note 
that the ca .crt and .key are identical in both cases.  The only 
difference is where the .csr and .key file for the server.crt is signed, 
but the openssl ca program is provided the identical input and .cnf 
file in both cases.

Note that in both cases, I have not imported anything into the 
Explorer or Netscape.  I am simply trying to connect to the www site 
using a https:  url to test the installation of the Apache/mod-ssl .crt 
and .key file.

I have taken note that mod_ssl and a package called ssl.ca-0.1 
make some nasty remarks about using the openssl.cnf as supplied 
by OpenSSL and both in fact generate their own temporary 
openssl.cnf files in the script used to call the openssl ca program.  I 
have tried the same on both Linux and Windows.  It does not help 
the Windows problem.

For the record, the ca cert and key were generated on the UNIX 
system.  They were then transferred to the Windows workstation.

So again, it appears that there is some subtle difference in 
OpenSSL when used on a UNIX platform versus one used on a 
Windows platform.

The important thing to note (I think) is only the Netscape client does 
not like the cert received from the Apache/mod-ssl server.  The 
Microsoft Explorer thinks it is ok, and other programs that I use with 
the "problem" server cert like it.

Ken
 





"Kenneth R. Robinette" wrote:
> 
> Problem:
> 
> A Unix Apache/mod-ssl server .crt/.key pair
> generated from a .csr/.key signed by a self
> generated CA Cert on 32 bit Windows will not work
> with the Netscape 4.72 client running on Linux
> Redhat 6.2.
> 
> However the same .csr/.key signed by the same
> self generated CA Cert on Redhat 6.2 Linux will
> work.  It will also work with the Microsoft
> Explorer 5.50.4522.1800 running on Windows 98,
> regardless of where the .crt/.key pair was signed.
> 
> The Netscape client fails with the message
> "OpenSSL: error:14094412: SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate" in the apache log file.
> 
> It would appear that the Windows based OpenSSL ca
> program is not consistent with the Unix based
> OpenSSL ca program.
> 

The two cases should be identical with respect to the generated
certificates.

How are you generating the certificates (i.e. what precise command) and
how are you importing them into Netscape, presumably a PKCS#12 file?

You mention the "same self generated CA certificate". What do you mean
by "same"? Is this the same private key or the same DN? If it is the
same DN but different keys have you installed both CA certificates as
trusted in Apache? It's possible if the DNs are the same but the keys are
different that it is attempting to verify one certificate against the
other CA and causing a verify error as a result.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
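
The question raised above (same CA private key, or only the same DN?) can be settled from the files themselves. The script below is an added example, not part of the thread: it builds two constructed CAs that share one DN but hold different keys and classifies a server certificate against each. The DN, file names, helper names and the temporary config are assumptions, and `openssl x509 -req` stands in for `openssl ca` so that no CA directory is needed.

```shell
#!/bin/sh
# Added example. DN, file names and config are constructed for this demo;
# "openssl x509 -req" is used in place of the thread's "openssl ca".

CA_DN="/C=US/O=Example Org/CN=Example Test CA"

# SHA-256 fingerprint of the public key inside a certificate, CSR or private key.
pubkey_fp() {   # usage: pubkey_fp cert|req|key FILE
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        req)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject or issuer DN of a certificate, in RFC 2253 form.
cert_dn() {     # usage: cert_dn subject|issuer CERT
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Succeeds only if CERT verifies against the CA certificate in CAFILE.
verifies() {    # usage: verifies CAFILE CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Classify how CERT relates to a CA certificate and the CA private key on disk.
diagnose() {    # usage: diagnose CA_CERT CA_KEY CERT
    ca_fp=$(pubkey_fp cert "$1") && key_fp=$(pubkey_fp key "$2") ||
        { echo "unreadable-input"; return 1; }
    [ "$ca_fp" = "$key_fp" ] || { echo "ca-cert-key-mismatch"; return 0; }
    if verifies "$1" "$3"; then
        echo "ok"
    elif [ "$(cert_dn issuer "$3")" = "$(cert_dn subject "$1")" ]; then
        # Issuer name matches this CA, but the signature was made by another key.
        echo "same-dn-different-key"
    else
        echo "different-issuer"
    fi
}

# Build caA and caB (same DN, different keys) and a server cert signed by caA.
build_demo() {  # usage: build_demo DIR
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for ca in caA caB; do
        openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca \
            -newkey rsa:2048 -nodes -sha256 -days 30 -subj "$CA_DN" \
            -keyout "$d/$ca.key" -out "$d/$ca.crt" 2>/dev/null || return 1
    done
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/caA.crt" -CAkey "$d/caA.key" \
        -set_serial 1 -days 30 -sha256 -out "$d/server.crt" 2>/dev/null
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    build_demo "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "CA A subject: $(cert_dn subject "$tmp/caA.crt")"
    echo "CA B subject: $(cert_dn subject "$tmp/caB.crt")"
    echo "server.crt vs CA A: $(diagnose "$tmp/caA.crt" "$tmp/caA.key" "$tmp/server.crt")"
    echo "server.crt vs CA B: $(diagnose "$tmp/caB.crt" "$tmp/caB.key" "$tmp/server.crt")"
    rm -rf "$tmp"
}

run_demo
```

Run against real files, `diagnose ca.crt ca.key server.crt` on each workstation, together with `pubkey_fp cert` on both CA copies, shows whether the two machines really sign with the same CA key.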


RE: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Jennifer Arden

I think with Apache server, the cert must have the extension .pem.

I hope this helps.


RE: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Kenneth R. Robinette

From:   "Jennifer Arden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject:RE: Win32 CA signed Apache Server-Netscape .CRT Problem
Date sent:  Fri, 19 Jan 2001 13:21:20 -0500
Send reply to:  [EMAIL PROTECTED]

No, as I stated in BOTH cases the name is .crt and .key.  It works in 
the Linux signed case but not the Windows signed case.  Both 
cases use the same apache/mod-ssl setup on the same Linux 
Redhat 6.0 system.

Ken



Re: Rainbow Cryptoswift cards

2001-01-19 Thread Louis LeBlanc

David Lang wrote:
> 
> when I was evaluating similar products a couple years ago I found that it
> really didn't help to try and worry about spilling the load over to the
> main CPU.
> 
> benchmarks from the time were
> 
> pentium 200 linux 19 connections/sec 100% CPU
> RS/6000 233 (RISC) 29 connections/sec 100% CPU
> install SSL accelerator 300 connections/sec 10-20% CPU
> 
> nowadays the raw machines will be faster, but you also need to have CPU
> time to run CGIs etc. I think it's unlikely that you will gain much by
> using your main CPUs (assuming you get an appropriately sized SSL
> accelerator


We will be aiming toward a dual 880-1000Mhz system with a Gig of Ram,
and using a Gigabit fiber ethernet interface.

No CGI will be supported (not in the business model, we just serve
cacheable content as FAST as possible).  The only other overhead will be
static backend database connections (possibly > 100) and a few (<5)
other network connections.

I don't think one card is going to peg those CPUs.  Right now, a 440Mhz
machine with 512MB of Ram is able to maintain 500+ objects
served/second.  The new systems will (presumably, barring any unforeseen
bottlenecks) be able to maintain over 1800 objects/second.

We are guessing (meaning we based these numbers on 'similar but scaled'
environment performance numbers), that we will need to maintain at least
600 real world new connections per second.  My experience suggests that
this means 2 or 3 cards that claim a 600cps ability.  If these cards
cost more than the system they are intended to sit on, we could just buy
more of those systems (maybe even 1/card) and possibly get a better
cost/performance benefit.

Lots to think about.

Regards
Lou

-- 
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net



RE: Would the open ssl libraries work on an SCO unix platform?

2001-01-19 Thread Deji Akinyemi

Hi Grant! Thanks for your reply.

Is your apache web server installed on a SCO unix platform? If so, did you encounter 
any problems compiling openssl onto it? If you did, what were those?

I actually have the sources compiling. But for some reason the object files never get 
linked to the libraries. I am looking over the makefile, but am not sure that is the 
problem.

Thanks!

Deji.

>From: "Grant Walters" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: RE: Would the open ssl libraries work on an SCO unix platform?
>Date: Wed, 17 Jan 2001 11:11:19 +1300
>Reply-To: [EMAIL PROTECTED]
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Deji Akinyemi
>> Sent: Tuesday, 16 January 2001 14:16
>> To: [EMAIL PROTECTED]
>> Subject: Would the open ssl libraries work on an SCO unix platform?
>>
>>
>> Hi! I have an application that is being targeted towards the SCO
>> unix platform. A major issue that would determine what SSL API to
>> use is its compliancy with SCO unix.
>>
>> Do the OPENSSL libs support SCO? If not what changes may be made
>> to them or my code to ensure conformancy?
>>
>
>I am using openssl-0.9.5a as part of an Apache Web Server and it works fine
>if that is any help?
>
>Regards
>
>Grant Walters
>Walters & Associates, P O Box 13-043 Johnsonville, Wellington, NEW ZEALAND
>Telephone: +64 4 4765175, CellPhone 025488265, ICQ# 23511989
>



RE: crypto cards

2001-01-19 Thread Rodney Thayer

I don't see a list.  Broadcom is there, but nCipher and Rainbow are not.

At 03:09 PM 1/19/01 +, you wrote:

>There's a list of supported cards in the openssl changelog at
>http://www.openssl.org/news/changelog.html




Re: Rainbow Cryptoswift cards

2001-01-19 Thread Rodney Thayer

well... sort of.  the 7 January snapshot, which includes working
Broadcom engine support, has CryptoSwift, Compaq Atalla, nCipher CHIL and Nuron
listed.  I thought there was Hifn support too?

So... I guess the list is, approximately, in alphabetical order:

   Broadcom 5805
   Compaq Atalla
   nCipher CHIL
   Nuron
   Rainbow CryptoSwift


At 04:34 PM 1/19/01 +0100, someone wrote:
>The supported Crypto cards are in the Openssl-engine README.ENGINE
>
>There's currently built-in support for the following crypto devices:
>
>   o CryptoSwift
>   o Compaq Atalla
>   o nCipher CHIL




Re: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Dr S N Henson

"Kenneth R. Robinette" wrote:
> 
> 
> The .csr/.key is generated using the following commands:
> 
> openssl genrsa -out server.key 1024
> openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr
> 
> I then sign it with the openssl ca program with a self generated/self
> signed ca crt and key.  I then transfer the resulting server.key and
> server.csr to the Unix workstation and place in:
> 
> /usr/local/apache/ssl.crt/server.crt
> /usr/local/apache/ssl.key/server.key
> 
> I start up the Apache server, then use the Microsoft Internet
> Explorer on Windows 98 to connect to the Apache server.
> Everything goes well, the Microsoft Explorer knows that the cert is
> signed by a CA that is in its list of CA certs, gives the proper
> warning, etc. and it displays a dialog box asking if I wish to proceed.
> I accept the yes button and the https page is displayed correctly.
> 
> I then login to the Redhat Linux system and start the Netscape client.
> It states that it has received an improperly formatted cert and does
> nothing more.
> 
> I then take the .csr and .key file mentioned above, transfer both to the
> Linux workstation and use the same openssl ca command to sign the
> cert.  I then transfer the resulting .crt and .key to the locations
> shown above.  I restart Apache, and try Netscape again.  This time
> it is happy and does much like the Microsoft Explorer, it displays a
> dialog stating it does not know about the ca and asks if I would like
> to add it.
> 
> Note that the .csr and .key are identical in both cases.  In both
> cases they have been created on the Windows workstation.  Note
> that the ca .crt and .key are identical in both cases.  The only
> difference is where the .csr and .key file for the server.crt is signed,
> but the openssl ca program is provided the identical input and .cnf
> file in both cases.
> 
> Note that in both cases, I have not imported anything into the
> Explorer or Netscape.  I am simply trying to connect to the www site
> using a https:  url to test the installation of the Apache/mod-ssl .crt
> and .key file.
> 

Strange problem. When you accept the certificate on Netscape do you
click to accept it for the session or until it expires? Also if the two
certificates are virtually identical Netscape may have problems
distinguishing the two if one is already in its database.

See what happens if you wipe the Netscape database between the two
tests. You can do this by renaming the key3.db and cert7.db files
usually found under ~/.netscape .

Also see if you get similar results with the s_server utility.

If none of that helps send me the various certificate files and I'll see
if I can see anything that might cause this.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



SunOS 5.6 probs?

2001-01-19 Thread Jason Scharlach

  Has anyone else had any issues with SunOS and openSSL?

  I'm running OpenSSL 0.9.6 and I've written an extremely simple program
that just tries to connect to the secure port of a webserver.  On my
Linux box it appears to work fine but when I run it on my SunOS box the
connect always fails.  Not only does the connect fail, but if I add an
ERR_print_errors() call after the SSL_connect call the program seg
faults.

  Any help/advice would be greatly appreciated!

  I've attached the code to this message as it is so short (I've excluded
the headers).  The output from this program on the Sun box is:
> ./ssltest
SSL_connect: -1
Segmentation Fault(coredump)
>


  Jason


--- ssltest.c

int main( void )
{
    int sock;
    struct sockaddr_in sSockAddr;
    struct hostent *spHostEnt;

    SSL_CTX *ctx = NULL;
    SSL_METHOD *meth = NULL;
    SSL *ssl = NULL;

    sSockAddr.sin_family = AF_INET;
    sSockAddr.sin_port = htons( 443 );

    /* Resolve the server name; the result is not checked for NULL. */
    spHostEnt = gethostbyname( "www.csi.ca" );
    memcpy( &(sSockAddr.sin_addr.s_addr),
            spHostEnt->h_addr_list[0],
            spHostEnt->h_length );

    /* Plain TCP connection; the return values are not checked. */
    sock = socket( AF_INET, SOCK_STREAM, 0 );
    connect( sock, (struct sockaddr *)&sSockAddr, sizeof( sSockAddr ));

    /* Library initialisation and an SSLv2-only client context. */
    SSLeay_add_ssl_algorithms();
    meth = SSLv2_client_method();
    SSL_load_error_strings();
    ctx = SSL_CTX_new(meth);

    ssl = SSL_new( ctx );

    SSL_set_fd( ssl, sock );
    /* ERR_print_errors() is declared as taking a BIO *; it is called
       here with no argument, as in the post. */
    ERR_print_errors();

    printf( "SSL_connect: %d\n", SSL_connect( ssl ) );
    ERR_print_errors();
}



Re: Win32 CA signed Apache Server-Netscape .CRT Problem

2001-01-19 Thread Kenneth R. Robinette

Date sent:  Fri, 19 Jan 2001 20:01:53 +
From:   Dr S N Henson <[EMAIL PROTECTED]>
Organization:   S N Henson
To: [EMAIL PROTECTED]
Subject:Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Send reply to:  [EMAIL PROTECTED]

Dr. Henson

As I stated before, Netscape never gets to the point of asking if I am 
willing to accept the bad cert.  It just displays the message about the 
fact it cannot read the cert and stops.  If I use the "good" cert that 
was signed on Linux, then it will accept the cert and will ask if I want 
to enter it into the database.  At first I said yes, just to make sure 
that would work and it did.  I then did as you recommended and 
deleted it from the database.  Do you need the ca cert and key as 
well?

I will put together a zip file and send all of them to you as soon as I 
resolve a production problem we are currently having.  Thanks for 
the offer for assistance.

Ken
__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com





RE: crypto card performance

2001-01-19 Thread Rodney Thayer

the hardware vendors claim speeds of 300-2000 RSA operations
per second.  One would like to think that, with that sort of
hardware, one can productively offload even an 800 MHZ CPU.

At 07:59 AM 1/19/01 -0800, David Lang wrote:
>when I was evaluating similar products a couple years ago I found that it
>really didn't help to try and worry about spilling the load over to the
>main CPU.
>
>benchmarks from the time were
>
>pentium 200 linux 19 connections/sec 100% CPU
>RS/6000 233 (RISC) 29 connections/sec 100% CPU
>install SSL accelerator 300 connections/sec 10-20% CPU
>
>nowadays the raw machines will be faster, but you also need to have CPU
>time to run CGIs etc. I think it's unlikely that you will gain much by
>using your main CPUs (assuming you get an appropriately sized SSL
>accelerator)
>
>David Lang
>
>
>  On Fri, 19 Jan 2001 [EMAIL PROTECTED] wrote:
>
> > Date: Fri, 19 Jan 2001 12:47:02 -
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: RE: Rainbow Cryptoswift cards
> >
> > > -Original Message-
> > > From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
> > > Sent: 19 January 2001 12:39
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Rainbow Cryptoswift cards
> > >
> > >
> > > One quick question, just so I know how to answer when this kind of
> > > project comes up:
> > > The cryptoswift card provides 'onboard' acceleration of SSL based
> > > processing, but the card itself can only handle so many
> > > transactions per
> > > second.  What happens if your traffic load exceeds the cards ability?
> > > can you easily 'spill' that extra work over to the system if you have
> > > any room there?




Re: SunOS 5.6 probs?

2001-01-19 Thread Lutz Jaenicke

On Fri, Jan 19, 2001 at 04:05:19PM -0500, Jason Scharlach wrote:
>   Has anyone else had any issues with SunOS and openSSL?

I don't have SunOS, but I also do not remember having seen reports about
special problems with SunOS...
Does the openssl application work? You can use "openssl s_client ..."
to perform the connection test.

>   Any help/advice would be greatly appriciated!
Compile with "-g", call your favorite debugger and check out why the
segmentation fault occurred.

Let's discuss your code:

> int main( void )
> {
> int sock;
> struct sockaddr_in sSockAddr;
> struct hostent *spHostEnt;
> 
> SSL_CTX *ctx = NULL;
> SSL_METHOD *meth = NULL;
> SSL *ssl = NULL;
> 
> 
> sSockAddr.sin_family = AF_INET;
> sSockAddr.sin_port = htons( 443 );
> 
> spHostEnt = gethostbyname( "www.csi.ca" );

Here you do not check the return value. gethostbyname might return NULL
because of a failure.

> memcpy( &(sSockAddr.sin_addr.s_addr),
> spHostEnt->h_addr_list[0],
> spHostEnt->h_length );
> 
> sock = socket( AF_INET, SOCK_STREAM, 0 );
> connect( sock, (struct sockaddr *)&sSockAddr, sizeof( sSockAddr ));

Here you do not check sock [socket() might fail] and you do not check the
return value of connect() for failure.

> SSLeay_add_ssl_algorithms();
> meth = SSLv2_client_method();
> SSL_load_error_strings();
> ctx = SSL_CTX_new(meth);
> 
> ssl = SSL_new( ctx );
> 
> SSL_set_fd( ssl, sock );
> ERR_print_errors();

Of course, you did not check whether ctx and ssl have been successfully
created. You do not check whether SSL_set_fd() was successful.
(I don't know whether this applies here, but at least some of the
OpenSSL functions are "NULL proof": they simply return 0 for failure
but do not set an error message because they suppose "nothing to be done".)

> printf( "SSL_connect: %d\n", SSL_connect( ssl ) );
> ERR_print_errors();

Aha, and here we go: ERR_print_errors() is actually called as:
  void ERR_print_errors(BIO *bp);
with bp being the BIO to which the errors shall be reported. You do not
specify bp, so of course ERR_print_errors() will try to put the error message
to an undefined location.
Any good compiler should have warned you, that you did violate the function
prototype by not supplying "one argument of type BIO *".
(Actually the other ERR_print_errors() call only did not segfault because
nothing was to be reported.)

You probably want to use ERR_print_errors_fp(stderr) (or set up the BIO
for the error messages).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: SunOS 5.6 probs?

2001-01-19 Thread Jason Scharlach

Lutz

  The openssl application does work just fine.  I figured I would ask
here before I went and recompiled the debug on.
  As for the not checking of return codes, I actually do have checks in
my code but I removed them to simplify what I was posting.  Thanks for
the catch on ERR_print_errors!  I've recompiled and I'm actually getting
a somewhat useful error now.  

18686:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html

It's a problem with the random number generator.  SunOS doesn't come with
any easy way of generating random numbers (that I know of) and this has
caused me issues in the past.  I'm going to send out another post asking
about this issue.  Thanks!

  Jason





RE: SunOS 5.6 probs?

2001-01-19 Thread Ian Cain

about random numbers. 

I use sun 5.6 and there are ports of the linux /dev/urandom to sun 5.6

OR you can also use... cpu info to get a fairly random number.
This method will allow your code to port to other sun boxes without
having to install the /dev/urandom


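#include <sys/types.h>
#include <sys/procfs.h>   /* prusage_t, prstatus_t, prpsinfo_t, PIOC* requests */
#include <unistd.h>       /* ioctl() */

prusage_t prusage;
prstatus_t prstatus;
prpsinfo_t prpsinfo;
int _fd;   /* must be an open descriptor for the process's /proc entry */

// Process status
ioctl(_fd, PIOCSTATUS, &prstatus);

// Process info (includes argument and environment pointers)
ioctl(_fd, PIOCPSINFO, &prpsinfo);
char **ap = prpsinfo.pr_argv;
char **ep = prpsinfo.pr_envp;

// Process resource usage
ioctl(_fd, PIOCUSAGE, &prusage);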

I'm no mathematician and if this method is subpar or if there is a better
way I'm all ears.

--ian
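
The "PRNG not seeded" error in this thread means OpenSSL was never handed seed material before its first use. As an added example (not code from any poster or from the OpenSSL project), the C routine below collects seed bytes from a random device such as the /dev/urandom port mentioned above and fails closed when the device is missing, the path is not a character device, or the read comes up short. The names gather_seed, probe_seed_source and the SEED_* status codes are assumptions made for this example; the caller would hand the buffer to OpenSSL's RAND_seed().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical status codes for this example. */
enum {
    SEED_OK          =  0,
    SEED_OPEN_FAILED = -1,  /* device missing or unreadable */
    SEED_NOT_CHARDEV = -2,  /* path exists but is not a character device */
    SEED_SHORT_READ  = -3   /* device delivered fewer bytes than requested */
};

/* Fill buf with exactly `want` bytes from the random device at `path`. */
int gather_seed(const char *path, unsigned char *buf, size_t want)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY | O_NOCTTY);

    if (fd == -1)
        return SEED_OPEN_FAILED;

    /* Check the open descriptor, not the path, so the check and the
     * read refer to the same object. */
    if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return SEED_NOT_CHARDEV;
    }

    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == -1 && errno == EINTR)
            continue;          /* interrupted by a signal: retry */
        else
            break;             /* EOF or hard error */
    }
    close(fd);

    if (got != want) {
        memset(buf, 0, want);  /* never hand back a partly filled seed */
        return SEED_SHORT_READ;
    }
    return SEED_OK;
}

/* Convenience wrapper: try to collect 32 bytes and report only the status. */
int probe_seed_source(const char *path)
{
    unsigned char seed[32];
    return gather_seed(path, seed, sizeof seed);
}

int main(void)
{
    unsigned char seed[32];
    int rc = gather_seed("/dev/urandom", seed, sizeof seed);

    if (rc != SEED_OK) {
        fprintf(stderr, "no usable entropy source (status %d); not starting TLS\n", rc);
        return 1;
    }
    /* With OpenSSL linked in, the next step would be RAND_seed(seed, sizeof seed). */
    printf("collected %zu seed bytes\n", sizeof seed);
    return 0;
}
```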




Re: crypto card performance

2001-01-19 Thread Michael Sierchio

Rodney Thayer wrote:
> 
> the hardware vendors claim speeds of 300-2000 RSA operations
> per second.  One would like to think that, with that sort of
> hardware, one can productively offload even an 800 MHZ CPU.

Kinda depends on what kind of "operations" I would think -- verifying
signatures with the common exponent of F4?  Or signing, which is much
slower?
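
Why the kind of operation matters when reading an operations-per-second figure, as an added example that is not from the thread or from OpenSSL: the C program below counts the modular squarings and multiplications needed for a verify with e = F4 (65537) and for a sign with the full-size private exponent. The 63-bit key is constructed for illustration, plain square-and-multiply without CRT is assumed, and the gap widens as the modulus grows to real sizes.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { unsigned squarings, multiplies; } op_count;
typedef struct { uint64_t recovered; op_count sign, verify; } demo_result;

/* (a * b) mod n without overflow; unsigned __int128 is a GCC/Clang extension. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((unsigned __int128)a * b) % n);
}

/* Left-to-right square-and-multiply, counting each modular operation. */
static uint64_t modexp(uint64_t base, uint64_t exp, uint64_t n, op_count *ops)
{
    uint64_t r = 1 % n;
    int started = 0;

    for (int i = 63; i >= 0; i--) {
        if (started) { r = mulmod(r, r, n); ops->squarings++; }
        if ((exp >> i) & 1) {
            if (started) { r = mulmod(r, base, n); ops->multiplies++; }
            else         { r = base % n; started = 1; }
        }
    }
    return r;
}

/* Modular inverse of a mod m by the extended Euclidean algorithm; 0 if none. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    __int128 t = 0, newt = 1, r = m, newr = a;

    while (newr != 0) {
        __int128 q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + m : t);
}

/* Sign then verify msg with a constructed toy key (far too small for real use). */
demo_result run_demo(uint64_t msg)
{
    const uint64_t p = 2147483647ULL;     /* 2^31 - 1, prime */
    const uint64_t q = 4294967291ULL;     /* 2^32 - 5, prime */
    const uint64_t n = p * q, e = 65537;  /* e = F4 */
    const uint64_t d = modinv(e, (p - 1) * (q - 1));
    demo_result res = { 0, {0, 0}, {0, 0} };

    uint64_t sig = modexp(msg, d, n, &res.sign);     /* private-key operation */
    res.recovered = modexp(sig, e, n, &res.verify);  /* public-key operation */
    return res;
}

int main(void)
{
    demo_result r = run_demo(123456789ULL);

    printf("sign:   %u squarings + %u multiplies\n", r.sign.squarings, r.sign.multiplies);
    printf("verify: %u squarings + %u multiplies\n", r.verify.squarings, r.verify.multiplies);
    printf("round trip %s\n", r.recovered == 123456789ULL ? "ok" : "FAILED");
    return 0;
}
```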



SSL handshake fails - 51 bytes unread

2001-01-19 Thread Quickling

Hi,


The problem happens most obviously when connecting large numbers
of sockets at once, and it happens on the accepting (server) side.
In the example where I have a test client application opening 500
sockets at maximum speed to a test server, almost every single
connection will get set up properly and begin communicating
quite well.  But there's a few that end badly, not because of an
SSL error but because I seem to get out of sync with what SSL
needs.  Every time, things break down because there's data
waiting on the socket that SSL doesn't read.  In every case
this fails, FIONREAD tells me 51 bytes before read, 51 after.
This can happen during the setup phase, where I am calling
SSL_accept; in these cases SSL_accept() never returns 1, tells
me SSL_ERROR_WANT_READ, yet stops reading from the socket.
The other case, which happens less often, is that immediately
after SSL_accept() returns 1 and I mark the connection as
being ready for business, I will get 51 bytes on the socket
- yet my test client has not yet started sending data; the
51 bytes are apparently left over from negotiation, sent by
SSL on the client side, even though SSL_accept() on my side
thought the negotiation was successful.

MY CODE:
I'm using OpenSSL on non-blocking sockets, using a few threads to
handle select loops and event handling.  All critical sections
are threadsafe, including calls to SSL; no overlapping calls
are possible.  I need to handle well over 1000 active SSL
connections, so things are performance tuned.  I use a per-
connection status indicator to know what SSL action is
pending each time I get a network event.  These are the states
I handle (probably overkill but I wasn't sure of all the
possible cases so covered all indicated, OnReceive and OnSend
are my FD_READ/FD_WRITE select event handlers):

* setup:    + an OnReceive SSL_accept() or SSL_connect() is pending
  setup:    + an OnSend SSL_accept() or SSL_connect() is pending
  shutdown: + an OnReceive SSL_shutdown() is pending
  shutdown: + an OnSend SSL_shutdown() is pending
  writing:  + an OnReceive SSL_write() is pending
* writing:  + an OnSend SSL_write() is pending
* reading:  + an OnReceive SSL_read() is pending
  reading:  + an OnSend SSL_read() is pending

The stars indicate states I know for sure happen.

I'm using the 0.9.6 release of SSL on the Win32 platform with
tests running on Win2K Pro.  All my code is C++.


Any thoughts are appreciated - cheers.

Jesse




No Subject

2001-01-19 Thread Jack Lumber

I am using:
OpenSSL 0.9.5a  1 Apr 2000
OpenSSH_2.3.1p1
OS: NetBSD 1.4.2

I get ssh-keygen errors at runtime.
Here is output of two instances:

% gdb ./ssh-keygen
(gdb) r
Starting program: ./ssh-keygen

Program received signal SIGSEGV, Segmentation fault.

0x2ddce in expand (lh=0xd3080) at openssl/crypto/lhash/lhash.c:321
321 np->next= *n2;
(gdb) where
#0  0x2ddce in expand (lh=0xd3080) at openssl/crypto/lhash/lhash.c:321
#1  0x2dff4 in lh_insert (lh=0xd3080, data=0xd8800)
    at openssl/crypto/lhash/lhash.c:187
#2  0x2efec in OBJ_NAME_add (name=0x3054a "RC4", type=2, data=0xbc0c0 "\005")
    at openssl/crypto/objects/o_names.c:171
#3  0x4c23a in EVP_add_cipher (c=0xbc0c0)
    at openssl/crypto/evp/names.c:69
#4  0x2ceca in OpenSSL_add_all_ciphers ()
    at openssl/crypto/evp/c_allc.c:94
#5  0x2ccf8 in OpenSSL_add_all_algorithms ()
    at openssl/crypto/evp/c_all.c:65
#6  0x29a4 in main (ac=1, av=0xefbfd628) at openssh/ssh-keygen.c:649
(gdb)

(gdb) p n2
$1 = (LHASH_NODE **) 0xd9040
(gdb) p *n2
$2 = (LHASH_NODE *) 0x0
(gdb) p np
$3 = (LHASH_NODE *) 0x8d7ca
(gdb) p np->next
$4 = (struct lhash_node_st *) 0xe8510c4d



Nth time when I run above, I see it breaking at
same source file location, but this time on different
cipher:

(gdb) where
#0  0x2ddce in expand (lh=0xd3080) at openssl/crypto/lhash/lhash.c:321
#1  0x2dff4 in lh_insert (lh=0xd3080, data=0xd8780)
    at openssl/crypto/lhash/lhash.c:187
#2  0x2efec in OBJ_NAME_add (name=0x30365 "DES-EDE3", type=2, data=0xbc098 "!")
    at openssl/crypto/objects/o_names.c:171
#3  0x4c23a in EVP_add_cipher (c=0xbc098)
    at openssl/crypto/evp/names.c:69
#4  0x2cebf in OpenSSL_add_all_ciphers ()
    at openssl/crypto/evp/c_allc.c:90
#5  0x2ccf8 in OpenSSL_add_all_algorithms ()
    at openssl/crypto/evp/c_all.c:65
#6  0x29a4 in main (ac=1, av=0xefbfd628) at openssh/ssh-keygen.c:649

Any suggestions on cause and remedy ?

Thank you.

