starting new ssl session on existing ssl socket
Hi, I have to start a new ssl session on previous ssl socket. Can this be done? Are there any problems I may get into? Here is what I need to do: 1. start a session 2. send/receive some data 3. close the session but keep the connection open. 4. start a new session 5. send/receive some data 6. close the connection. Pl. help me. Regards, Nagarama. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
EAGAIN error in SSL_read
Hi, I am searching the openssl source code now but I thought I should also post a question here. I use SSL_read() on nonblocking socket. SSL_read () will uses the TCP system call read() to read the data from the socket. My question is when read() returns EAGAIN, will the control returned to the caller of SSL_read(). I checked the bss_sock.c file and it looks like on Solaris system, EAGAIN will be handled as no retry. But my SSL client is reported a lot of consecutive EAGAIN errors when I use truss to trace the system calls invoked. I want to find out if SSL_read() retries the read() internally if the read returns EAGAIN Thanks, Patrick __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Decryption wrong when seeking into a file.
1) Never reuse keys; use a new key for each file. This is true whether you use a stream or block cipher. Never use a block cipher in ECB mode for encrypting files. etc. etc. 2) There are numerous schemes that support random file access while encrypting. With block ciphers in CBC mode it is common practice to begin every n-size block with a new IV. You'll have to deal with the size-changing aspects here, since block ciphers require IVs and padding. 3) Length-increasing random functions such as SEAL 3.0 (under an IBM patent) have the advantage of absolute speed (they are the fastest software encryption algorithms) and the ability to move independently to any block of k bits in the keystream. This supports random file access quite well. Despite some of the comments you've read here, secure encryption with random access is feasible. Alternately, you could use RC4 and you'll need to manually wind the keystream to the place in the file you're seeking to. 4) Do a Google search on Cryptfs and fistgen. 5) File encryption is problematic -- programs can only operate on plaintext versions, anyway, which means writing plaintext bits to disk. Ack. Ppppt. 6) Most file reads are sequential -- most file writes are appends. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Help !!!
Help!!! I successfully make OpenSSL DLL's under Borland Free C++ Compiler 5.5. After that I try to compile example sign.c program dynamically linked to libeay32.dll. I must mention that this little program works good when linked with static library, but not with dynamic (crash) I recognized that problem is with such macros like PEM_load_PrivateKey or EVP_SignFinal. For example another functions like ERR_load_crypto_strings or ERR_error, ERR_error_string working well. Is that a problem of compiler or not (I know that silly Borland syntax need __import to import function but noone function in OpenSSL have this, besides import library have all info about how to resolve function names, right so maybe __import is not neccessary) ? I try with DLL compiled under VC++ : I convert *.lib files with coff2omf and linked to sign.c - the same problem. Please help me !! Boguslaw Brandys -- Okresl Swoje potrzeby - my znajdziemy oferte za Ciebie! [ http://oferty.onet.pl ] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problems with installing Open SSL.
Hello, I am not able to install openssl. I am getting following errors. Can any one tell me where I am wrong? Error: -- ho12fe:edcstat> ./Configure sunos-gcc --prefix=/home/ho12fe/apachefe --openssldir=/home/ho12fe/apachefe/openssl Configuring for sunos-gcc IsWindows=0 CC=gcc CFLAG =-O3 -mv8 -Dssize_t=int EX_LIBS = BN_ASM=bn_asm.o DES_ENC =des_enc.o fcrypt_b.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= PROCESSOR = RANLIB=/usr/ccs/bin/ranlib PERL =/usr/local/bin/perl5 THIRTY_TWO_BIT mode DES_PTR used DES_RISC1 used DES_UNROLL used BN_LLONG mode RC4 uses uchar RC4_CHUNK is unsigned long Makefile => Makefile.ssl e_os.h => include/openssl/e_os.h [File exists] e_os2.h => include/openssl/e_os2.h [File exists] making links in crypto... /tools/gnu/set4/bin/make.wrapped: invalid option -- 8 /tools/gnu/set4/bin/make.wrapped: invalid option -- D /tools/gnu/set4/bin/make.wrapped: invalid option -- z /tools/gnu/set4/bin/make.wrapped: invalid option -- _ /tools/gnu/set4/bin/make.wrapped: invalid option -- = GNU Make version 3.74, by Richard Stallman and Roland McGrath. Copyright (C) 1988, 89, 90, 91, 92, 93, 94, 95 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Usage: make.wrapped [options] [target] ... Options: -b, -m Ignored for compatibility. -C DIRECTORY, --directory=DIRECTORY Change to DIRECTORY before doing anything. -d, --debug Print lots of debugging information. -e, --environment-overrides Environment variables override makefiles. -f FILE, --file=FILE, --makefile=FILE Read FILE as a makefile. -h, --help Print this message and exit. -i, --ignore-errors Ignore errors from commands. -I DIRECTORY, --include-dir=DIRECTORY Search DIRECTORY for included makefiles. -j [N], --jobs[=N] Allow N jobs at once; infinite jobs with no arg. -k, --keep-goingKeep going when some targets can't be made. -l [N], --load-average[=N], --max-load[=N] Don't start multiple jobs unless load is below N. -n, --just-print, --dry-run, --recon Don't actually run any commands; just print them. -o FILE, --old-file=FILE, --assume-old=FILE Consider FILE to be very old and don't remake it. -p, --print-data-base Print make's internal database. -q, --question Run no commands; exit status says if up to date. -r, --no-builtin-rules Disable the built-in implicit rules. -s, --silent, --quiet Don't echo commands. -S, --no-keep-going, --stop Turns off -k. -t, --touch Touch targets instead of remaking them. -v, --version Print the version number of make and exit. -w, --print-directory Print the current directory. --no-print-directoryTurn off -w, even if it was turned on implicitly. -W FILE, --what-if=FILE, --new-file=FILE, --assume-new=FILE Consider FILE to be infinitely new. --warn-undefined-variables Warn when an undefined variable is referenced. make.wrapped: *** [links] Error 1 With best regards, holla. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Longterm verify_callback in single threaded app
On Mon, Mar 11, 2002 at 09:18:08AM +0100, Joerg Bartholdt wrote:
> Dr S N Henson wrote:
>
> >Joerg Bartholdt wrote:
> >
> >>Hi *,
> >>
> >>During the SSL Handshake, OpenSSL can call a verify_callback
> >>that can manipulate the outcome of the certificate verification
> >>process.
> >>If I use some longterm evaluation like an OCSP-Request, my single
> >>threaded application is blocked during this time. I cannot return
> >>a value like "I don't know yet, ask later" - I have to have the
> >>decision before I return from the callback.
> >>So, there is no change for handling other connections (I usually use
> >>select() and async IO to handle multiple connection which OpenSSL
> >>can do pretty well in all other states...) during that time.
> >>
> >I'm not sure this has ever been tested but it looks like you can handle
> >this by returning -1 from the verify callback instead of the normal
> >1=success or 0=failure. There's some code in place that handles this in
> >a manner analagous to other non-blocking operations using a special
> >condition SSL_ERROR_WANT_X509_LOOKUP.
> >
> Hm, I just tried it, but "-1" accepts the certificate. Maybe I have to
> set something in the X509_STORE which is given as a parameter to the
> verify_callback? I'll have a look into the code, maybe I find something.
The verify_callback() is called inside the X509 verification routines.
At least in the SSL code, the method described must fail, as all certificate
verifications are performed using ssl_cert.c:ssl_verify_cert_chain().
The functions calling it are not prepared to handle return values beyond
"pass" and "fail", see e.g. s3_srvr.c:ssl3_get_client_certificate():
...
i=ssl_verify_cert_chain(s,sk);
if (!i)
{
al=ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
goto f_err;
}
}
...
As you can see the program logic can only distinguish to cases: return
value 0 for failure, 0 for pass. The case "temporary failure" is not
handled, thus the method proposed cannot work. The logic would have
to be extended.
(*) As the check only takes "0" for failure, the "-1" returned must be
understood as "success".
(**) I only checked out the SSL_* routines, but I am also not convinced that
the internal logic in the X509_* verification routines is prepared to
handle temporary failures gracefully.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Decryption wrong when seeking into a file.
Lorenzo wrote: > I have a quick question to ask. I'm using the EVP_EncryptInit and > EVP_DecryptInit functions to stream data to a file. Basically, I > encrypt data , one byte at a time, which is in the put area of my > filebuf object and send it out. I When I get data from the file, I > decrypt each byte I receive one byte at a time. The problem is when i > use 'seekg(x)' to seek to a point in the file , when I try to decrypt > the buffer I get back, the results are wrong. However, when I start > from the beginning, every thing is fine. When I seek, it does seek to > the right byte in the file. Does any one know why this may be the case? > Ecryption does (usually) not encrypt each byte independently from all the others. The encryption of a byte in the stream depends on what was done before. So, seeking to a different position in the file gets the encryption routines out of sync and you get garbage. You have to read all data If you want your applicatoin to use a seek command, have a look at the BIOs in OpenSSL (an abstraction of I/O-Operations). BIOs can be layered and perform some kind of filtering (e.g. RC4 encryption/decryption). And they provide a BIO_seek() command. I havn't tried it myself, but I assume it does the right stuff. Jörg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Longterm verify_callback in single threaded app
Dr S N Henson wrote: >Joerg Bartholdt wrote: > >>Hi *, >> >>During the SSL Handshake, OpenSSL can call a verify_callback >>that can manipulate the outcome of the certificate verification >>process. >>If I use some longterm evaluation like an OCSP-Request, my single >>threaded application is blocked during this time. I cannot return >>a value like "I don't know yet, ask later" - I have to have the >>decision before I return from the callback. >>So, there is no change for handling other connections (I usually use >>select() and async IO to handle multiple connection which OpenSSL >>can do pretty well in all other states...) during that time. >> >I'm not sure this has ever been tested but it looks like you can handle >this by returning -1 from the verify callback instead of the normal >1=success or 0=failure. There's some code in place that handles this in >a manner analagous to other non-blocking operations using a special >condition SSL_ERROR_WANT_X509_LOOKUP. > Hm, I just tried it, but "-1" accepts the certificate. Maybe I have to set something in the X509_STORE which is given as a parameter to the verify_callback? I'll have a look into the code, maybe I find something. Thanks so far. Jörg __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
