RE: apache and that whole bugbear thing
First off, you might be better posting this on the apache list (http://httpd.apache.org/userslist.html) since I think this is primarily a server issue (or maybe mod_ssl) - not really OpenSSL... Having said that, I can perhaps offer some hints as to what's going on:

- 400 is a Bad Request... this occurs when the request doesn't follow the HTTP spec (e.g. not GET or POST or HEAD or whatever).

- 408 is a timeout, usually in response to a request for a CGI program. The duration of the timeout is controlled by your TimeOut directive in httpd.conf. If you don't have one, the default is 300 sec - which is 5 minutes :-) Note that the report in the log occurs *after* the timeout has expired, so it is not that the attacker is sending something which generates a 400, then waiting 5 minutes, then sending something else which generates a 408. What is happening is that the two requests are arriving simultaneously, but the response to the 408 request takes 5 minutes to be logged.

This all means that the second request (leading to the 408) must be requesting a real CGI program on your server. Furthermore, the request is framed such that it causes the program to get stuck, or in a loop, or otherwise take longer than 5 minutes to respond. The fact that this causes apache to hang is very bad.

- what is the program?
- what does it do?
- what is the request like?

PS the GET_CLIENT_MASTER_KEY:key arg too long message looks like the trap against the buffer-overflow exploit in 0.9.6g. But this is being trapped and so I think you are safe against it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 6 October 2002 02:51
To: [EMAIL PROTECTED]
Subject: apache and that whole bugbear thing

Is this the right place to ask questions about the bugbear worm? On a Sun box, we upgraded openssl to 0.9.6g because of the potential for the whole bugbear attack... I realize it's apparently targeted at linux, but better safe than sorry...

Well, we've started getting hit with what we think may be attacks... they're not getting through, but they cause apache to lock up... it's very strange... the situation seems to happen as follows:

We get a couple of http requests that return a 400 status... then the server stops serving requests... then EXACTLY (every time) 5 minutes later, to the second, we get a request that gives a 408 error from the same IP, then apache needs to be restarted before it accepts any further requests... Until this morning, there has not been much information in the logs... but this morning, there were some entries in the ssl_engine_log that looked like this:

[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info] Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info] Seeding PRNG with 1160 bytes of entropy

66.46.213.130 was the IP address that gave the 400's and 408 this time around (different IP each time)... If this is not the best place to ask about this, please point me in the right direction... I'm starting to sweat with my boss breathing down my neck... this is a 24/7 production server, running critical web applications that internal and external customers access constantly... so any help towards an answer would be greatly appreciated...

Thanks.
Dan.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
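A defender-side way to read the ssl_engine_log excerpt quoted above, as an added example that is not part of this thread: it pairs each "SSL handshake failed ... (OpenSSL library error follows)" entry with the OpenSSL reason logged on the following line (which carries no client IP) and counts failed handshakes per client. The log text is constructed from the quoted lines plus two made-up entries from a second httpd child; the threshold and the flag names are this example's own.

```python
import re
from collections import defaultdict
# Constructed sample: the first six lines mirror the post's ssl_engine_log excerpt, the last two are made up.
SAMPLE_LOG = """\
[05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
[05/Oct/2002 02:55:42 00969] [info] Seeding PRNG with 1160 bytes of entropy
[05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
[05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[05/Oct/2002 02:55:42 00969] [info] Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
[05/Oct/2002 02:56:10 00970] [error] SSL handshake failed (server XXX.XXX.com:443, client 10.0.0.7) (OpenSSL library error follows)
[05/Oct/2002 02:56:10 00970] [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+) (?P<pid>\d+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
CLIENT_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
OPENSSL_RE = re.compile(r"^OpenSSL: error:[0-9A-Fa-f]+:[^:]+:(?P<func>[^:]+):(?P<reason>.*)$")

def handshake_failures(log_text):
    """Map client IP -> failure reasons. The 'handshake failed ... (OpenSSL library
    error follows)' entry names the client, but the reason is on the *next* [error]
    entry, which has no IP; pair them via the child pid so interleaved children don't mix."""
    failures = defaultdict(list)
    pending = {}  # pid -> client IP still waiting for its OpenSSL reason line
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m["level"] != "error":
            continue
        pid, msg = m["pid"], m["msg"]
        e = OPENSSL_RE.match(msg)
        if e:
            if pid in pending:  # attribute the reason to the client recorded just before
                failures[pending.pop(pid)].append(e["func"] + ":" + e["reason"])
            continue
        c = CLIENT_RE.search(msg)
        if not c or "handshake" not in msg:
            continue
        if msg.endswith("(OpenSSL library error follows)"):
            pending[pid] = c["ip"]
        else:  # 'SSL handshake timed out' is complete on its own
            failures[c["ip"]].append(msg.split(" (")[0])
    return dict(failures)

def suspicious_clients(log_text, threshold=2):
    """Clients with >= threshold failed handshakes, flagging the 'key arg too long' reason the post quotes."""
    report = {}
    for ip, reasons in handshake_failures(log_text).items():
        if len(reasons) >= threshold:
            report[ip] = {"failures": len(reasons), "key_arg_too_long": any("key arg too long" in r for r in reasons)}
    return report
```

Run over the real ssl_engine_log, the report gives the per-client picture the reply above asks for: which IPs repeatedly fail the handshake, and whether the 0.9.6g length check is what is rejecting them.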
Normal operation?
Hello. We're operating the network by using the functions of OpenSSL. If the Windows Task Manager is watched during the network communication, the amount of memory used increases gradually. Is this normal operation? In addition, I checked by using "Purify" that the increase in memory is not a memory leak.

The environment of operation is as follows:
Openssl Version: Openssl-0.9.6g
Operation System: Windows2000 sp3

Please give me a reply. The results of an investigation of the memory quantity needed and the sample program are indicated below.

+--------------+------------------------------+
| Windows 2000 |        DES:@STRENGTH         |
|              +--------+--------+------------+
|              | Before | After  | Difference |
+--------------+--------+--------+------------+
| 100 times    |   1032 |   2444 |       1412 |
| 1000 times   |   1028 |   2780 |       1752 |
| 2000 times   |   1032 |   3044 |       2012 |
| 3000 times   |   1028 |   3096 |       2068 |
+--------------+--------+--------+------------+

#include <stdio.h>
#include <memory.h>
#include <string.h>
#ifdef WIN32
#include <winsock2.h>
#include <io.h>
#else
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

/* #define CIPHER_LIST_STR "ALL:@STRENGTH" */
#define CIPHER_LIST_STR "DES:@STRENGTH"
#define SERVER_IP "255.255.255.255"
#define _SERVER_PORT 5963
#define HELLO_MESSAGE "Hello, World!"
#define QUIT_REQUEST "Shut you down."
#define SEND_FILE_1000KB "./SKDDL.cpp" /* about 100kb */

int main(int argc, char **argv)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    SSL_SESSION *session = NULL;
    struct sockaddr_in sa;
    int sd = -1;
    int ret;
    int err;
    int len;
    char buf[4096];
    int exit_count = 1;
    FILE *fp = NULL;
    char *server_ip = SERVER_IP;
    int server_port = _SERVER_PORT;

    /* optional command line: server IP and port */
    if (argc > 1) {
        server_ip = *(argv + 1);
        if (argc > 2) {
            sscanf(*(argv + 2), "%d", &server_port);
        }
    }
    fprintf(stdout, "Ready...\n");
    getchar(); /* 0 */

    /* library setup */
    SSL_library_init();
    fprintf(stdout, "SSL_library_init\n");
    SSL_load_error_strings();
    fprintf(stdout, "SSL_load_error_strings\n");

    /* seed the PRNG until OpenSSL is satisfied; rand() is a weak entropy
     * source and only serves this test program */
    while (RAND_status() == 0) {
        int rnd = rand();
        RAND_seed(&rnd, sizeof(rnd));
    }
    fprintf(stdout, "RAND_status\n");

    /* one context and one SSL object, reused for every connection below */
    ctx = SSL_CTX_new(TLSv1_client_method());
    fprintf(stdout, "SSL_CTX_new");
    if (ctx == NULL) {
        fprintf(stderr, "SSL_CTX_new() failed\n");
        goto cleanup;
    }
    SSL_CTX_set_cipher_list(ctx, CIPHER_LIST_STR);
    fprintf(stdout, "SSL_CTX_set_cipher_list");
    ssl = SSL_new(ctx);
    fprintf(stdout, "SSL_new");
    if (ssl == NULL) {
        fprintf(stderr, "SSL_new() failed\n");
        goto cleanup;
    }

#ifdef WIN32
    /* Winsock initialisation */
    {
        WORD wVersionRequested;
        WSADATA wsaData;
        wVersionRequested = MAKEWORD(2, 2);
        if (WSAStartup(wVersionRequested, &wsaData) != 0) {
            fprintf(stderr, "WSAStartup failed\n");
            goto cleanup;
        }
    }
#endif
    fprintf(stdout, "WSAStartup");

start_connect:
    fprintf(stdout, "\n** %d **\n", exit_count);

    /* drop the previous socket before opening a new one */
    if (sd != -1) {
#ifdef WIN32
        closesocket(sd); /* sockets are not CRT file descriptors on Windows */
#else
        close(sd);
#endif
    }
    fprintf(stdout, "close\n");
    sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd == -1) {
        fprintf(stderr, "socket() failed\n");
        goto cleanup;
    }
    fprintf(stdout, "socket\n");

    /* TCP connect to the server */
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(server_ip);
    sa.sin_port = htons(server_port);
    ret = connect(sd, (struct sockaddr *)&sa, sizeof(sa));
    fprintf(stdout, "connect\n");
    if (ret != 0) {
        fprintf(stderr, "connect() failed\n");
        goto cleanup;
    }

    /* SSL handshake on the connected socket */
    SSL_set_fd(ssl, sd);
    fprintf(stdout, "SSL_set_fd\n");
    ret = SSL_connect(ssl);
    fprintf(stdout, "SSL_connect\n");
    if (ret != 1) {
        err = SSL_get_error(ssl, ret); /* SSL_ERROR_* classification of the failure */
        /* ERR_error_string() expects a code from the error queue, not the
         * SSL_get_error() value that was passed in here originally */
        ERR_error_string_n(ERR_get_error(), buf, sizeof(buf));
        fprintf(stderr, "SSL_connect() failed (%d): %s\n", err, buf);
        goto cleanup;
    }
    printf("SSL connection established.\n");

    if (session != NULL) {
    [the rest of the program is missing from the post]
SUN Crypto Accelerator + OpenSSL
Hi everybody,

is someone using OpenSSL with the SUN Crypto Accelerator 1000? The openssl binary that comes on the driver CD *always* uses the hardware crypto. It does not need the -engine switch, and I cannot switch it off.

With the openssl-engine binaries I compiled myself, I do need that -engine id, but what is that id? How can I determine that id?

The reasons for me to get this thing working with the binaries compiled myself are
- the openssl from the driver CD also has disabled IDEA, RC5, etc.
- I'd like to use 0.9.7-beta3

Any suggestions?

Thanks,
Joerg
Re: SUN Crypto Accelerator + OpenSSL
In message [EMAIL PROTECTED] on Mon, 7 Oct 2002 16:54:09 +0200, Joerg Bartholdt [EMAIL PROTECTED] said:

panther Hi everybody,
panther
panther is someone using OpenSSL with the SUN Crypto Accelerator 1000? The openssl
panther binary that comes on the driver CD *always* uses the hardware crypto. It does
panther not need the -engine switch, and I cannot switch it off.
panther
panther With the openssl-engine binaries, I compiled myself, I do need that
panther -engine id, but what is that id? How can I determine that id?
panther
panther The reason for me to get this thing working with the binaries compiled
panther myself are
panther - the openssl from the driver CD also has disabled IDEA, RC5, etc.
panther - I'd like to use 0.9.7-beta3

Unfortunately, there is no support for that card built in to OpenSSL, as far as I know. If I had the developers manual for it, I could possibly write something and test it with you. If I had access to a machine with that accelerator, even better. Do you have the possibility to provide that?

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
BIO_write BIO_should_retry issue - URGENT - HELP
Hi ALL,
Please read the mail below. Need help ASAP.
thanks,
Vignesh

From: [EMAIL PROTECTED]
Sent by: owner-openssl-users@openssl.org
10/01/02 10:25 AM
Please respond to openssl-users
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: BIO_write BIO_should_retry issue

Hi All,

I have a problem with the use of BIO_write and BIO_should_retry. I have an SSL_Session which is in SSL_NONBLOCKING_IO mode. To this, I am making a call to the write function. For some strange reason, the write is returning a <=0 condition. To determine the cause of the problem, I tried using the BIO_should_retry() function immediately after getting the error condition. This also seems to return a false condition and hence I am throwing an exception. I was going through the documentation about write and should_retry and found a few things there. What I would like to know is:
[1] If the IO is in non-blocking mode, then calling should_retry might not be the right thing. What else could be done?
[2] Why would BIO_write fail?

thanks,
Vignesh
newbie Openssl questions
Hey all,

I have some newbie questions about how to use certificates properly, so I've compiled a few questions for anyone out there willing to offer a few minutes of their time to help me out.

RedHat 7.3
apache-devel-1.3.23-14
apache-manual-1.3.23-14
apacheconf-0.8.2-2
apache-1.3.23-14
openssl-0.9.6b-28
openssl-perl-0.9.6b-28
openssl095a-0.9.5a-18
openssl096-0.9.6-13
openssl-devel-0.9.6b-28

1. When I use the Makefile in /etc/httpd/conf/ I can generate the .crt and .key files, no problem, add them to httpd.conf, piece of cake. But when I try to view the site I'm securing, it says the certificate comes from localhost.localhost, and not mydomain.com. How do I get around this? I plan to eventually get Thawte to sign my certs, just curious if they're all going to say they came from localhost.localhost?

2. From a very basic, high-level view, if I make a certificate for mydomain.com, will it, by default, work without complaining to the user about the host name if I try to use it for https://www.mydomain.com and https://myprefix1.mydomain.com and https://myprefix2.mydomain.com - or is it absolutely tied to the hostname? That is, if I make a certificate for mydomain.com will it ONLY work as https://mydomain.com/ or can I add whatever prefix I want (www., myprefix1. etc)?

Thanks for any info,
-id
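The second question above (whether a certificate for mydomain.com is accepted for www.mydomain.com) illustrated by an added example that is not part of this thread: a small matcher implementing the hostname comparison rules browsers apply (RFC 2818 / RFC 6125), with the names from the question as constructed cases. The function and list names are this example's own.

```python
def cert_name_matches(cert_name, hostname):
    """Compare one certificate name with the hostname the browser connected to.

    Rules as in RFC 2818 / RFC 6125: case-insensitive exact match; a wildcard
    is honoured only as the entire left-most label and stands for exactly one
    label, so '*.mydomain.com' covers www.mydomain.com but neither
    mydomain.com itself nor a.b.mydomain.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[1:] or len(c_labels) < 3:
        return False  # only a leading '*' on a name with at least two more labels
    return len(c_labels) == len(h_labels) and c_labels[1:] == h_labels[1:]


def certificate_covers(cert_names, hostname):
    """True if any name the certificate carries (subjectAltName dNSName entries,
    or the subject CN when there are none) matches the hostname."""
    return any(cert_name_matches(name, hostname) for name in cert_names)


# Constructed cases mirroring the question: the name the poster saw in the
# generated cert, a cert for the bare domain, and a wildcard for the prefixed hosts.
EXAMPLES = [
    (["localhost.localhost"], "mydomain.com", False),
    (["mydomain.com"], "mydomain.com", True),
    (["mydomain.com"], "www.mydomain.com", False),
    (["*.mydomain.com"], "myprefix1.mydomain.com", True),
    (["*.mydomain.com"], "mydomain.com", False),
    (["mydomain.com", "*.mydomain.com"], "www.mydomain.com", True),
]


def check_examples():
    """Run the constructed cases; returns those that disagree (empty means all pass)."""
    return [(names, host) for names, host, expected in EXAMPLES
            if certificate_covers(names, host) != expected]
```

The practical consequence is the one the cases encode: a certificate naming only mydomain.com is tied to that exact name, and covering www. and other prefixes needs those names (or a *.mydomain.com wildcard) in the certificate itself.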
Re: SUN Crypto Accelerator + OpenSSL
> Unfortunately, there is no support for that card built in to OpenSSL,
> as far as I know. If I had the developers manual for it, I could
> possibly write something and test it with you. If I had access to a
> machine with that accelerator, even better. Do you have the
> possibility to provide that?

IIRC the Sun card is a rebadging of something else that *is* supported in OpenSSL - but I can't remember which one of the engines supports it off-hand (and anyway, again, IIRC there are subtle issues about making sure certain libraries are in the LD_LIBRARY_PATH etc). Search the archives for openssl-users and openssl-dev and I've no doubt you'll drag up what you're looking for.

Cheers,
Geoff
Re: SUN Crypto Accelerator + OpenSSL
Geoff Thorpe wrote:
> IIRC the Sun card is a rebadging of something else that *is* supported
> in OpenSSL - but I can't remember which one of the engines supports it

Without knowing which one is supported by the engine, I'm pretty sure that the Sun board is a Rainbow CryptoSwift.

Michael
Re: SUN Crypto Accelerator + OpenSSL
On Mon, 7 Oct 2002, Geoff Thorpe wrote:

:Subject: Re: SUN Crypto Accelerator + OpenSSL
:
: Unfortunately, there is no support for that card built in to OpenSSL,
: as far as I know. If I had the developers manual for it, I could
: possibly write something and test it with you. If I had access to a
: machine with that accelerator, even better. Do you have the
: possibility to provide that?
:
:IIRC the Sun card is a rebadging of something else that *is* supported
:in OpenSSL - but I can't remember which one of the engines supports it
:off-hand (and anyway, again, IIRC there are subtle issues about making
:sure certain libraries are in the LD_LIBRARY_PATH etc). Search the
:archives for openssl-users and openssl-dev and I've no doubt you'll
:drag up what you're looking for.

This is just from memory, but isn't the Sun card a repackaged Rainbow Cryptoswift? (which is engine cswift?)

Thanks,
Arin

--
Arin Komins [EMAIL PROTECTED]
Manager of Web Systems Architecture
University of Chicago/NSIT tel: (773)834-4087
1155 E. 60th St. #302B
Chicago, IL 60637 fax: (773)702-0559
--
using OCSP client in a dll
Hi!

I am creating a dll that uses the openssl ocsp client function calls (version openssl-0.9.7-beta3) to send an ocsp req and receive the returned response. The dll compiles fine, but on executing, the application that calls the dll hangs on the "OCSP_sendreq_bio(cbio, path, req)" call. After digging thru the code in .../crypto/ocsp/ocsp_ht.c that implements the above call, I found that the app hangs on the call "i2d_OCSP_REQUEST_bio(b, req)" inside the above call, which is implemented in the openssl library.

I have tested the ocsp client feature of the 'openssl.exe' binary against my OCSP server and that works fine. Is the OCSP_sendreq_bio function implementation in this version of openssl not complete yet? What else could be going wrong? My platform is Win2K.

Please help!
Thanks
Tirthankar