SSL with ipopd
Hi all,

One for any gurus on this list (I know you are out there).

I am attempting to set up a secure pop server (pop3s) on a RH7.2 box. I have followed all the instructions (not that they are easy to find), creating a self-signed certificate including both private key and certificate in the same file, at /usr/share/ssl/certs/imapd.pem

The correct hole is punched in the firewall config: 995

The imapd package, allegedly, comes preconfigured to use a certificate at the above-mentioned location in secure mode. So, in theory, that should be fine.

On to the testing phase:

[]# openssl s_client -connect localhost:995 -prexit (*)

gives the following output

CONNECTED(0003)
write:errno=104

* tested both with localhost and the full machine name, with absolutely no difference.

So, I tried it with

[]# openssl s_client -connect localhost:995 -prexit

getting a little more info

CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 124 bytes
---
New, (NONE), Cipher is (NONE)
---

It would appear that this is an openssl error, though just where it originates from, I am not sure. It could be that ipopd isn't automatically compiled with SSL support. It could be that the key file location or name is incorrectly documented. It could be something totally different.

Has anyone on the list come across a similar problem, and more to the point managed to get it working?

Thanks

- Rick

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Newbie
I am very new to this mailing list, i.e. this is my first mail to this list.

My problem is that I have to develop a client in C (Linux) which communicates with a server using an HTTPS connection. Where can I get SSL libraries/documents for the same?

Thanks in advance

Binu.B
Re: ansi error
Hi Wally,

Could you give us more details please? What exact commands did you issue to get the error? Does the file /etc/apache/ssl.key/server.key actually exist? Does it contain anything reasonable?

Sean Auteria

Wally Winzer Jr. wrote:

>I get the following error after compiling openssl-0.9.6c on Debian Linux after
>creating my own CA:
>
>[Tue Feb 26 12:43:32 2002] [error] mod_ssl: Init: Unable to read server certificate
>from file /etc/apache/ssl.key/server.key
>(OpenSSL library error follows)
>[Tue Feb 26 12:43:32 2002] [error] OpenSSL: error:0D09F007:asn1 encoding
>routines:d2i_X509:expecting an asn1 sequence
>
>Can someone explain why this is occurring, and possibly a fix/solution? Thanks.
>I'm using the mod-ssl-makecert script from libapache-mod-ssl.
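One way to answer "does it contain anything reasonable?" for the file named in the error is to list the PEM blocks in it and check whether any is a CERTIFICATE whose body decodes to DER starting with an ASN.1 SEQUENCE tag, which is what d2i_X509 expects. This is an added example, not part of the thread; the function names and the sample data are constructed for illustration. The same check applies to a combined key-plus-certificate file such as the imapd.pem in the first message.

```python
import base64
import re

# One PEM block: -----BEGIN <label>----- body -----END <label>-----
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_pem(text):
    """Return [(label, der_ok), ...] for every PEM block found in text.

    der_ok is True when the body is valid base64 and its first decoded byte
    is 0x30, the DER tag of an ASN.1 SEQUENCE (the outermost type of an
    X.509 certificate). Passphrase-encrypted keys report False because
    their body is ciphertext, not DER.
    """
    found = []
    for label, body in PEM_RE.findall(text):
        # Skip "Proc-Type:" / "DEK-Info:" headers of encrypted keys;
        # base64 text never contains a colon.
        b64 = "".join(ln.strip() for ln in body.splitlines()
                      if ln.strip() and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError
            der = b""
        found.append((label, der[:1] == b"\x30"))
    return found


def usable_as_certificate(text):
    """True if text holds at least one well-formed CERTIFICATE block."""
    return any(label == "CERTIFICATE" and ok
               for label, ok in inspect_pem(text))


def make_pem(label, der):
    """Wrap DER bytes in PEM armor (helper for the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed stand-ins: a 5-byte DER SEQUENCE, not real key material.
TOY_DER = bytes.fromhex("3003020100")
KEY_ONLY = make_pem("RSA PRIVATE KEY", TOY_DER)        # key file only
COMBINED = KEY_ONLY + make_pem("CERTIFICATE", TOY_DER)  # key + certificate

if __name__ == "__main__":
    for name, sample in (("key only", KEY_ONLY), ("combined", COMBINED)):
        print(name, inspect_pem(sample), usable_as_certificate(sample))
```

To check a real file, pass its contents, for example `inspect_pem(open(path).read())`; a file that yields no CERTIFICATE entry cannot be loaded as a server certificate.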
Re: Using SSL_clear to reuse SSL object
Lutz Jaenicke <[EMAIL PROTECTED]>:
> On Wed, Feb 20, 2002 at 12:29:03PM +0200, Yoram Zahavi wrote:

>> My server application is using SSL_clear to reuse the SSL object, instead of
>> allocating a new one on every new connection. On first connection the client
>> succeeds in connecting to the server, and later on in reusing the SSL sessions. As
>> far as I understand connections are closed properly, assigning both
>> SSL_RECEIVED_SHUTDOWN and SSL_SENT_SHUTDOWN masks, and closing the
>> underlying socket as well.
>>
>> The Server starts facing problems when the Client tries to open a new
>> connection asking not to reuse the previous session. The SSL object still
>> holds a valid Session (since previous connection was closed in the right
>> way), which is not removed by SSL_clear. As far as I understand, the Server
>> is supposed to overcome such a case and support the new connection by performing
>> a full handshake.
[...]
> Hmm. This brings up the question, what SSL_clear() should actually do.
> I would consider SSL_clear() to be not much different from doing
> SSL_free()/SSL_new(), but obviously it is. Unfortunately EAY did not leave
> documentation about his intentions...

Note that SSL_clear() is called by the {ssl23,ssl2,ssl3}_{connect,accept} functions, so it should not reset too much. In particular, it should not unconditionally remove the session.

Connections to a previously used SSL object with a valid session fail not because the server insists on that particular session, but because the server is restricted to the protocol version of that particular session (and thus cannot handle a backwards-compatible client hello). This is intentional: SSL_clear() will reset the protocol version (method) only if no session is set. This behaviour makes a lot of sense for SSL client objects. It is not particularly useful for SSL server objects, but it would be bad to give up consistency.

If you really want to reuse an SSL server object, use SSL_set_session(s, NULL) before calling SSL_clear(s).

--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
Re: Using SSL_clear to reuse SSL object
> Hmm. This brings up the question, what SSL_clear() should actually do.
> I would consider SSL_clear() to be not much different from doing
> SSL_free()/SSL_new(), but obviously it is. Unfortunately EAY did not leave
> documentation about his intentions...
> Does anybody have any more insights? Should we actually deprecate using
> SSL_clear() as we don't know for sure what special side effects it has
> and recommend using SSL_free()/SSL_new() instead???
>
> Best regards,
> Lutz
> --

My impression has been that if you wanted to reuse a session object as a new object that you needed to perform

  SSL_clear(ssl);
  SSL_set_session(ssl,NULL);
  SSL_set_accept_state(ssl);

I believe I got this code from some very old ssleay applications. However, this has not worked with OpenSSL since at least 0.9.5.

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
[EMAIL PROTECTED]

C-Kermit 8.0 available now!!! includes Telnet, FTP and HTTP secured with Kerberos, SRP, and OpenSSL. Interfaces with OpenSSH
ansi error
I get the following error after compiling openssl-0.9.6c on Debian Linux after creating my own CA:

[Tue Feb 26 12:43:32 2002] [error] mod_ssl: Init: Unable to read server certificate from file /etc/apache/ssl.key/server.key (OpenSSL library error follows)
[Tue Feb 26 12:43:32 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Can someone explain why this is occurring, and possibly a fix/solution? Thanks.

I'm using the mod-ssl-makecert script from libapache-mod-ssl.

Wally Winzer Jr.