SSL with ipopd

2002-02-26 Thread Rick Yagodich

Hi all,
One for any gurus on this list (I know you are out there)

I am attempting to set up a secure pop server (pop3s) on a RH7.2 box. I 
have followed all the instructions (not that they are easy to find), 
creating a self-signed certificate including both private key and 
certificate in the same file, at /usr/share/ssl/certs/imapd.pem

The correct hole is punched in the firewall config: 995

The imapd package, allegedly, comes preconfigured to use a certificate at 
the above-mentioned location in secure mode. So, in theory, that should be 
fine.

On to the testing phase:

[]# openssl s_client -connect localhost:995 -prexit  (*)

gives the following output
CONNECTED(0003)
write:errno=104

* tested both with localhost and the full machine name, with absolutely no 
difference.

So, I tried it with

[]# openssl s_client -connect localhost:995 -prexit

getting a little more info

CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 124 bytes
---
New, (NONE), Cipher is (NONE)
---

It would appear that this is an openssl error, though just where it 
originates from, I am not sure. It could be that ipopd isn't automatically 
compiled with SSL support. It could be that the key file location or name 
is incorrectly documented. It could be something totally different.

Has anyone on the list come across a similar problem, and more to the point 
managed to get it working?

Thanks
  - Rick

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Newbie

2002-02-26 Thread Binu

I am very new to this mailing list, i.e. this is my first mail to this list.

My problem is that I have to develop a client in C (Linux) which
communicates to a server using an HTTPS connection.
Where can I get SSL libraries/documents for the same?

Thanks in advance

Binu.B





Re: ansi error

2002-02-26 Thread Sean O'Riordain

Hi Wally,
Could you give us more details please?
What exact commands did you issue to get the error?
Does the file /etc/apache/ssl.key/server.key actually exist?
Does it contain anything reasonable?

Sean

Auteria Wally Winzer Jr. wrote:

>I get the following error after compiling openssl-0.9.6c on Debian Linux after 
>creating my own CA:
>
>[Tue Feb 26 12:43:32 2002] [error] mod_ssl: Init: Unable to read server certificate 
>from file /etc/apache/ssl.key/server.key
>(OpenSSL library error follows)
>[Tue Feb 26 12:43:32 2002] [error] OpenSSL: error:0D09F007:asn1 encoding 
>routines:d2i_X509:expecting an asn1 sequence
>
>Can someone explain why this is occurring and possibly provide a fix/solution.  Thanks.
>I'm using the mod-ssl-makecert script from libapache-mod-ssl.
>




Re: Using SSL_clear to reuse SSL object

2002-02-26 Thread Bodo Moeller

Lutz Jaenicke <[EMAIL PROTECTED]>:
> On Wed, Feb 20, 2002 at 12:29:03PM +0200, Yoram Zahavi wrote:

>> My server application is using SSL_clear to reuse the SSL object, instead of
>> allocating a new one on every new connection. On first connection the client
>> succeeds to connect the server, and later on to reuse the SSL sessions. As
>> far as I understand connections are closed properly, assigning both
>> SSL_RECEIVED_SHUTDOWN and SSL_SENT_SHUTDOWN masks, and closing the
>> underlying socket as well.
>> 
>> The Server starts facing problems when the Client tries to open a new
>> connection asking not to  reuse the previous session. The SSL object still
>> holds a valid Session (since previous connection was closed in the right
>> way), which is not removed by SSL_clear. As far as I understand, the Server
>> suppose to overcome such case and support the new connection by performing
>> full handshake.
[...]
> Hmm. This brings up the question, what SSL_clear() should actually do.
> I would consider SSL_clear() to be not much different from doing
> SSL_free()/SSL_new(), but obviously it is. Unfortunately EAY did not leave
> documentation about his intentions...

Note that SSL_clear() is called by the {ssl23,ssl2,ssl3}_{connect,accept}
functions, so it should not reset too much.  In particular, it should
not unconditionally remove the session.

Connections to a previously used SSL object with a valid session fail
not because the server insists on that particular session, but
because the server is restricted to the protocol version of that
particular session (and thus cannot handle a backwards-compatible
client hello).  This is intentional: SSL_clear() will reset the
protocol version (method) only if no session is set.  This behaviour
makes a lot of sense for SSL client objects.  It is not particularly
useful for SSL server objects, but it would be bad to give up
consistency.  If you really want to reuse an SSL server object,
use SSL_set_session(s, NULL) before calling SSL_clear(s).


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036



Re: Using SSL_clear to reuse SSL object

2002-02-26 Thread Jeffrey Altman

> Hmm. This brings up the question, what SSL_clear() should actually do.
> I would consider SSL_clear() to be not much different from doing
> SSL_free()/SSL_new(), but obviously it is. Unfortunately EAY did not leave
> documentation about his intentions...
> Does anybody have any more insights? Should we actually deprecate using
> SSL_clear() as we don't know for sure what special side effects it has
> and recommend using SSL_free()/SSL_new() instead???
> 
> Best regards,
>   Lutz
> -- 

My impression has been that if you wanted to reuse a session object as
a new object that you needed to perform

  SSL_clear(ssl);
  SSL_set_session(ssl,NULL);
  SSL_set_accept_state(ssl);

I believe I got this code from some very old ssleay applications.
However, this has not worked with OpenSSL since at least 0.9.5.

 Jeffrey Altman * Sr. Software Designer * The Kermit Project @ Columbia University
 http://www.kermit-project.org/ * [EMAIL PROTECTED]
 C-Kermit 8.0 available now!!! Includes Telnet, FTP and HTTP secured with
 Kerberos, SRP, and OpenSSL. Interfaces with OpenSSH.



ansi error

2002-02-26 Thread Auteria Wally Winzer Jr.

I get the following error after compiling openssl-0.9.6c on Debian Linux after 
creating my own CA:

[Tue Feb 26 12:43:32 2002] [error] mod_ssl: Init: Unable to read server certificate 
from file /etc/apache/ssl.key/server.key
(OpenSSL library error follows)
[Tue Feb 26 12:43:32 2002] [error] OpenSSL: error:0D09F007:asn1 encoding 
routines:d2i_X509:expecting an asn1 sequence

Can someone explain why this is occurring and possibly provide a fix/solution.  Thanks.
I'm using the mod-ssl-makecert script from libapache-mod-ssl.

Wally Winzer Jr.

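Added here as an example, not code from any of the posts above: a stdlib-only Python inspector for the two kinds of file these threads turn on, the combined key-plus-certificate file Rick built for ipopd and the file mod_ssl is told to read Wally's server certificate from. It checks that every PEM block's base64 decodes to one complete ASN.1 SEQUENCE (the condition d2i_X509 reports as "expecting an asn1 sequence" when it is not met) and reports whether a usable CERTIFICATE and PRIVATE KEY block are both present; the sample PEM is constructed filler, not real key material.

```python
import base64
import re
import sys

# Constructed sample, not a real key or cert: each body decodes to a tiny
# well-formed ASN.1 SEQUENCE (30 03 02 01 05), enough to exercise the checks.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der):
    """Encoded length of a top-level SEQUENCE (tag 0x30), or None if the
    bytes do not start with one (d2i_X509's 'expecting an asn1 sequence')."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text):
    """Return a (label, status) pair for every PEM block in text."""
    results = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            results.append((label, "bad base64"))
            continue
        total = der_sequence_length(der)
        if total is None:
            results.append((label, "not an ASN.1 SEQUENCE"))
        elif total != len(der):
            results.append((label, "truncated or trailing bytes"))
        else:
            results.append((label, "ok"))
    return results


def has_cert_and_key(blocks):
    """(certificate present, private key present) among the usable blocks."""
    ok = {label for label, status in blocks if status == "ok"}
    return "CERTIFICATE" in ok, any(l.endswith("PRIVATE KEY") for l in ok)


if __name__ == "__main__":
    blocks = inspect_pem(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM)
    print(blocks, "cert+key:", has_cert_and_key(blocks))
```

Run it against the file named in SSLCertificateFile or the ipopd certificate path; a file that reports a PRIVATE KEY block but no CERTIFICATE block, or a CERTIFICATE block that is not a SEQUENCE, is the kind of input that produces the errors quoted in these threads.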