files size in CVS
It seems that there's a problem in the CVS, the size of the snap is only 16ko today (20030721) ! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Connection pool for HTTPS using OpenSSL
This is pretty standard - if I understand you correctly, you mean that you have a client that keeps a pool of sockets connected to a particular server. You just need to implement some way of storing the session ids from the handshake using say SSL_get1_session (), and then setting these back ito the session when you re-connect using SSL_set_session (). does this help any? Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Harald Ommang Sent: 19 July 2003 10:49 To: [EMAIL PROTECTED] Subject: RE: Connection pool for HTTPS using OpenSSL On Wed, 16 Jul 2003 14:49:41 +0100, steve thornton wrote: Sorry, can't read - you mean server. If you set up a session caching sceme, then maintaining a pool of connections is cheap (ish) and straightforward. I have code snippets if you need them Steve Hehe, well if you can't read, then I can't write :-) Cause I mean creating a *client* that has a pool of connections against the web server I will be communicating with. And yes, snippets would be very welcome, as I am new to OpenSSL. Harald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: verify returns unknown message digest algorithm
On Sun, Jul 20, 2003, Leonard R Smith II wrote: To all, I have a cert that is signed by verisign. Its works find with openssl-0.9.6e that I compiled. The openssl verify command works and tells me that that cert is okay and most of the ssl clients I used recognize it. However I am having trouble with Sun Microsystems openssl distribution. It failes with a certificate signature failure and Sun's openssl verify command returns /opt/SUNWconn/crypto/bin/openssl verify file.crt file.crt: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority error 7 at 1 depth lookup:certificate signature failure 5904:error:0D07908D:asn1 encoding routines:ASN1_verify:unknown message digest algorithm:a_verify.c:86: I've checked the list, searched the web and read the docs and I have not been able to resolve the problem so far. I saw that Colin posted to the list a similar problem back in April but I did not see a response. Can anyone point me towards some other things to try or check, or better yet has anyone seen this and gotten it to work. You don't mention which version of OpenSSL that is. Check this with: openssl version if it says 0.9.7 then try: openssl list-message-digest-commands otherwise you'll have to look in openssl -h for the list of message digests. There should be md2 in there. If not then they've compiled OpenSSL without that digest and that's the problem: md2 is considered obsolete but its still used in some Verisign certificates. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8 with VisualStudio2003
On Fri, Jul 18, 2003, rangeos wrote: Hi, I have made a soft which work fine with openssl-0.9.7-stable-SNAP-20030718, but when I try to compile my soft using VisualStudio2003 with openssl-SNAP-20030718 I get the following message : d:\Mes Documents\Programmation\C++\LibBGT\IncludeWin32\openssl\x509.h(312): fatal error C1001: ERREUR INTERNE DU COMPILATEUR (fichier du compilateur 'msc1.cpp', ligne 2701) Choisissez la commande Support technique du menu ? (Aide) de Visual C++ ou ouvrez le fichier d'aide du Support technique pour plus d'informations It concern the definition of X509_CERT_PAIR, is there any conflict with the definition in wincrypt.h ? In wincrypt.h you have already : #define X509_CERT_PAIR ((LPCSTR) 53) According to the help in VisualStudio, I have diseable all optimisation but I get the same probleme. There are a few clashes with other names in wincrypt.h such as X509_NAME. If you check x509.h and ossl_typ.h you'll see #undefs for some of them. I suggest you try adding another for X509_CERT_PAIR. If that works I'll commit a fix. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE : openssl 0.9.8 with VisualStudio2003
-Message d'origine- De : [EMAIL PROTECTED] [mailto:owner-openssl-[EMAIL PROTECTED] De la part de Dr. Stephen Henson Envoyé : lundi 21 juillet 2003 13:29 À : [EMAIL PROTECTED] Objet : Re: openssl 0.9.8 with VisualStudio2003 On Fri, Jul 18, 2003, rangeos wrote: Hi, I have made a soft which work fine with openssl-0.9.7-stable-SNAP-20030718, but when I try to compile my soft using VisualStudio2003 with openssl-SNAP-20030718 I get the following message : d:\Mes Documents\Programmation\C++\LibBGT\IncludeWin32\openssl\x509.h(312): fatal error C1001: ERREUR INTERNE DU COMPILATEUR (fichier du compilateur 'msc1.cpp', ligne 2701) Choisissez la commande Support technique du menu ? (Aide) de Visual C++ ou ouvrez le fichier d'aide du Support technique pour plus d'informations It concern the definition of X509_CERT_PAIR, is there any conflict with the definition in wincrypt.h ? In wincrypt.h you have already : #define X509_CERT_PAIR ((LPCSTR) 53) According to the help in VisualStudio, I have diseable all optimisation but I get the same probleme. There are a few clashes with other names in wincrypt.h such as X509_NAME. If you check x509.h and ossl_typ.h you'll see #undefs for some of them. I suggest you try adding another for X509_CERT_PAIR. If that works I'll commit a fix. I have added : #ifdef OPENSSL_SYS_WIN32 #undef X509_CERT_PAIR #endif just before : typedef struct x509_cert_pair_st { X509 *forward; X509 *reverse; } X509_CERT_PAIR; and it compiles without any problem Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
weird corruption on return from SSL_write
Guys, I am using openssl-0.9.7b on Windoze with the Visual Studio v6 compiler and have found a strange problem. Maybe someone has some idea what is going wrong. It looks like my program gets some sort of corruption on returning from SSL_write coz VS says that a C++ exception has been thrown. Clearly this is impossible so I figure some sort of corruption has occurred. The thing I am doing that is probably different to most users of openSSL is that I am using on-the-fly ZLIB compression. If I turn off the compression then the problem disappears. Has anyone else tried using ZLIB compression with openSSL? I think there may be some strange sort of interaction between the two dynamic libraries on Windoze. I get no problem on Solaris. Regards, Andrew Marlow There is an emerald here the size of a plover's egg! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: weird corruption on return from SSL_write
On Mon, Jul 21, 2003, Andrew Marlow wrote: Guys, I am using openssl-0.9.7b on Windoze with the Visual Studio v6 compiler and have found a strange problem. Maybe someone has some idea what is going wrong. It looks like my program gets some sort of corruption on returning from SSL_write coz VS says that a C++ exception has been thrown. Clearly this is impossible so I figure some sort of corruption has occurred. The thing I am doing that is probably different to most users of openSSL is that I am using on-the-fly ZLIB compression. If I turn off the compression then the problem disappears. Has anyone else tried using ZLIB compression with openSSL? I think there may be some strange sort of interaction between the two dynamic libraries on Windoze. I get no problem on Solaris. Only thing I can immediately think of is that ZLIB might not be compiled to use the same multithreaded DLL runtime library. The infamous /MD issue. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ASN.1 database
Hi I would like to try and reduce the size of the ASN.1 database, but am not sure how the various files work together - I see that there is a perl script to generate the necessary files, but I'm not too clear how this works. Can anybody help me out on how to edit and regenerate this? Many thanks in advance Steve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: weird corruption on return from SSL_write
[EMAIL PROTECTED] writes: On Mon, Jul 21, 2003, Andrew Marlow wrote: I am using openssl-0.9.7b on Windoze with the Visual Studio v6 compiler and have found a strange problem. [ strange problem snipped ] Only thing I can immediately think of is that ZLIB might not be compiled to use the same multithreaded DLL runtime library. The infamous /MD issue. Steve. Hmm, this could be it, er, I think, maybe. What exactly *IS* the infamous /MD issue? Regards, Andrew Marlow There is an emerald here the size of a plover's egg! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: weird corruption on return from SSL_write
http://www.openssl.org/support/faq.html#PROG2 On Mon, Jul 21, 2003 at 03:36:07PM +0100, Andrew Marlow wrote: [EMAIL PROTECTED] writes: On Mon, Jul 21, 2003, Andrew Marlow wrote: I am using openssl-0.9.7b on Windoze with the Visual Studio v6 compiler and have found a strange problem. [ strange problem snipped ] Only thing I can immediately think of is that ZLIB might not be compiled to use the same multithreaded DLL runtime library. The infamous /MD issue. Steve. Hmm, this could be it, er, I think, maybe. What exactly *IS* the infamous /MD issue? Regards, Andrew Marlow There is an emerald here the size of a plover's egg! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: d2i_X509 function definition - where?
On Mon, Jul 21, 2003, Markus Lorch wrote: Hi, I frequently have trouble finding function definitions in the crypt library e.g. this time I need to take a look at d2i_X509 (e.g. as used by PEM_read_X509 to reference the conversion function) I've done a grep -r d2i_X509 * on the whole crypt source but can't seem to find the function definition. Is is a macro or something? Shouldn't I be able to find it somewhere (how does the linker do it?) How do I find out what code is actually executed when it is called. (I guess it will eventuall be d2i_X509_BIO but I can't make the connection) If you have any tips, hints on how to locate it please let me know In OpenSSL 0.9.7 and later just about every ASN1 module is handled by static constant ASN1_ITEM structure. For X509 its X509_it, though that is hidden from applications. The various functions and definitions are all identical apart from the item it refers to. These functions and definitions are now declared in macros of the form: IMPLEMENT_ASN1_FUNCTIONS(X509) DECLARE_ASN1_FUNCTIONS(X509) in x_x509.c in crypto/asn1 d2i_X509_bio() is similar except its not defined via a macro, it calls ASN1_item_d2i_bio() with the X509 item. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
FQDN
hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
There is no functino in OpenSSL I beleive that does such a thing. What you need to do is get the sockaddr sin_addr data from the accept() function. At that point you have a IP Address. Use gethostbyaddr() to convert that IP into a FQDN. You can then verify that the FQDN of the host matches that in the certificate. On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote: hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote: hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky this makes sense for a client connecting to some server. The client use some FQDN (user input? configuration file?) to pass it to DNS and do connect() to the host. So the client could check whether the host respond with that FQDN as the common name of server certificate. hope this helps, Vadim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
On Mon, Jul 21, 2003 at 12:20:05PM -0400, Christopher Fowler wrote: There is no functino in OpenSSL I beleive that does such a thing. What you need to do is get the sockaddr sin_addr data from the accept() function. At that point you have a IP Address. Use gethostbyaddr() to convert that IP into a FQDN. You can then verify that the FQDN of the host matches that in the certificate. I doubt this. Yes, DNS is used for lookup from reverse zone. However, FQDN was intended to check whether client manage to connect to the server he originally intended. This verifies forward DNS lookup. Regards, Vadim On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote: hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
In reading his orignal email, I made the assumption that he just wanted to get the hostname + domain of the peer that conencted. To mae the logical choice was to get the peers IP address from the socket data and then do a lookup on that IP Address. Maybe another method will work? On Mon, Jul 21, 2003 at 07:28:51PM +0300, Vadim Fedukovich wrote: On Mon, Jul 21, 2003 at 12:20:05PM -0400, Christopher Fowler wrote: There is no functino in OpenSSL I beleive that does such a thing. What you need to do is get the sockaddr sin_addr data from the accept() function. At that point you have a IP Address. Use gethostbyaddr() to convert that IP into a FQDN. You can then verify that the FQDN of the host matches that in the certificate. I doubt this. Yes, DNS is used for lookup from reverse zone. However, FQDN was intended to check whether client manage to connect to the server he originally intended. This verifies forward DNS lookup. Regards, Vadim On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote: hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Connection pool for HTTPS using OpenSSL
On Mon, 21 Jul 2003 11:58:43 +0100, steve thornton wrote: This is pretty standard - if I understand you correctly, you mean that you have a client that keeps a pool of sockets connected to a particular server. You just need to implement some way of storing the session ids from the handshake using say SSL_get1_session (), and then setting these back ito the session when you re-connect using SSL_set_session (). does this help any? Steve Sounds good! Sounds like what I intended to do anyway, unless someone out there already had some code that did this with OpenSSL. I'll look into it. Harald __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Thank you, Chris. Yes, that's what I want to do. But I have to use SSL_accept instead of accept, and peer's ip address is dynamic. Can I get peer's ip address from SSL connection? Thank you again. Jacky Quoting Christopher Fowler [EMAIL PROTECTED]: In reading his orignal email, I made the assumption that he just wanted to get the hostname + domain of the peer that conencted. To mae the logical choice was to get the peers IP address from the socket data and then do a lookup on that IP Address. Maybe another method will work? On Mon, Jul 21, 2003 at 07:28:51PM +0300, Vadim Fedukovich wrote: On Mon, Jul 21, 2003 at 12:20:05PM -0400, Christopher Fowler wrote: There is no functino in OpenSSL I beleive that does such a thing. What you need to do is get the sockaddr sin_addr data from the accept() function. At that point you have a IP Address. Use gethostbyaddr() to convert that IP into a FQDN. You can then verify that the FQDN of the host matches that in the certificate. I doubt this. Yes, DNS is used for lookup from reverse zone. However, FQDN was intended to check whether client manage to connect to the server he originally intended. This verifies forward DNS lookup. Regards, Vadim On Mon, Jul 21, 2003 at 12:12:49PM -0400, Jue (Jacky) Shu wrote: hi all, maybe it is not a SSL question. I want to make post-connection assertion to prevent man-in-the-middle attack. But I don't know how to get FQDN of the peer side(Not from peer's certificate, it must be other side's real address). Is there any socket fucntion to get peer's FQDN? thank you in advance. Jacky __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Jue (Jacky) Shu wrote: Yes, that's what I want to do. But I have to use SSL_accept instead of accept, and peer's ip address is dynamic. Can I get peer's ip address from SSL connection? Normally one makes first an accept and then an SSL_accept. After the accept you can proceed as described by Christopher. Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
On Mon, Jul 21, 2003, Jue (Jacky) Shu wrote: Thank you, Chris. Yes, that's what I want to do. But I have to use SSL_accept instead of accept, and peer's ip address is dynamic. Can I get peer's ip address from SSL connection? You can get the underlying socket fd from the relevant socket BIOs using the appropriate calls, see BIO_s_socket() docs for more info. Which side (client, server) do you want the FQDN for BTW? One thing to be careful of is that DNS spoofing can't be used to fool any checks you make. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Question on Record Layer.
Hi, I don't know how to exactly describe my problem, but I will try my best with the help of a packet trace. Below is a trace of an SSL session. As seen from this, when the handshake is complete, and i send an applicaion data of 128 bytes, why do i get two record layer packet, instead of just one. In other wiords, I know how the 152 bytes packet comes, but I have no idea as to why the client sends an additional 24 byte record layer packet. Any help is appreciated. Shashank New TCP connection #1: mia.ece.uic.edu(59608) - zidler.ece.uic.edu(7171) 1 1 0.0034 (0.0034) CSV3.0(95) Handshake ClientHello Version 3.0 random[32]= 3f 1c 24 26 69 11 f3 d7 be d8 7d 9b 50 67 ac e5 40 3e ad 32 45 52 51 af 65 6c a5 f6 c1 25 77 9e cipher suites Unknown value 0x39 Unknown value 0x38 Unknown value 0x35 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA --SNIP-- 1 2 0.0076 (0.0042) SCV3.0(74) Handshake ServerHello Version 3.0 random[32]= 3f 1c 24 38 00 f8 4b 91 02 b3 73 c3 b6 90 3e cf session_id[32]= 8a 16 72 c3 14 80 0b 89 6d 7e bc a7 be 67 8d a9 ... cipherSuite SSL_RSA_WITH_3DES_EDE_CBC_SHA compressionMethod NULL 1 3 0.0077 (0.) SCV3.0(1821) Handshake Certificate 1 4 0.0077 (0.) SCV3.0(13) Handshake CertificateRequest certificate_types rsa_sign certificate_types dss_sign ServerHelloDone 1 5 0.0242 (0.0164) CSV3.0(1818) Handshake Certificate 1 6 0.0242 (0.) CSV3.0(132) Handshake ClientKeyExchange EncryptedPreMasterSecret[128]= 65 c7 82 a3 73 c0 a0 a4 9a 42 f3 a3 97 f6 d7 ef ... 1 7 0.0242 (0.) CSV3.0(134) Handshake CertificateVerify Signature[128]= 32 70 d4 70 0b c6 da 40 04 2b 58 a8 43 23 18 57.. 4a 1 8 0.0242 (0.) CSV3.0(1) ChangeCipherSpec 1 9 0.0242 (0.) CSV3.0(64) Handshake 1 10 0.0598 (0.0355) SCV3.0(1) ChangeCipherSpec 1 11 0.0598 (0.) SCV3.0(64) Handshake --SNIP-- 1 12 24.8474 (24.7875) CSV3.0(24) application_data 1 13 24.8474 (0.) CSV3.0(152) application_data 1 14 25.8489 (1.0014) CSV3.0(24) application_data 1 15 25.8489 (0.) CSV3.0(152) application_data 1 16 26.8589 (1.0100) CSV3.0(24) application_data 1 17 26.8589 (0.) CSV3.0(152) application_data __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question on Record Layer.
Shashank Khanvilkar wrote: Hi, I don't know how to exactly describe my problem, but I will try my best with the help of a packet trace. Below is a trace of an SSL session. As seen from this, when the handshake is complete, and i send an applicaion data of 128 bytes, why do i get two record layer packet, instead of just one. In other wiords, I know how the 152 bytes packet comes, but I have no idea as to why the client sends an additional 24 byte record layer packet. If you have access to the private RSA key, than you can get ssldump to decrypt the application data, see the ssldump man page for more information. Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
malloc SEGV during ssl3_shutdown processing
Application: OpenLDAP 2.1.22 System: Solaris 8 Library: OpenSSL 0.9.7b During the shutdown of a TLS|SSL connection to an OpenLDAP 2.1.22 a SEGV fault occurs in the standard Sun malloc(3C) library's realfree() internal function. This looks like general memory corruption and I'm looking in all directions for a cause of that. However, on the remote chance that this is a problem specific to the use of OpenSSL 0.9.7b, I'm posting this query. The entire function trace in ascending order is: OpenLDAP 2.1.22 sb_tls_close OpenSSL 0.9.7b: ssl3_shutdown ssl3_send_alert tls1_mac HMAC_Init_ex EVP_DigestInit)ex CRYPTO_malloc Solaris 8 libc: malloc _malloc_unlocked cleanfree realfree If this sounds familiar to anyone, please let me know. Vic Abell __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question on Record Layer.
If you have access to the private RSA key, than you can get ssldump to decrypt the application data, see the ssldump man page for more information. Ciao, Yes.. i did use SSLdump, with the private RSA key to capture the trace. Below is the command that i used. /usr/local/sbin/ssldump -i eth0 -A -d -X -k $HOME/certificates/client.pem port I think ssldump has no option to dump the application data in hex.. but I will check. Thanks Shashank Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question on Record Layer.
Shashank Khanvilkar wrote: Yes.. i did use SSLdump, with the private RSA key to capture the trace. Below is the command that i used. /usr/local/sbin/ssldump -i eth0 -A -d -X -k $HOME/certificates/client.pem port I think ssldump has no option to dump the application data in hex.. but I will check. The option -X should be the right option for printing the data in hex, but i have the impression, that the value for the -k option is wrong: the file specified here must contain the *private* key of the *server*, not the client certificate. Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question on Record Layer.
Shashank Khanvilkar wrote: Yes.. i did use SSLdump, with the private RSA key to capture the trace. Below is the command that i used. /usr/local/sbin/ssldump -i eth0 -A -d -X -k $HOME/certificates/client.pem port I think ssldump has no option to dump the application data in hex.. but I will check. The option -X should be the right option for printing the data in hex, but i have the impression, that the value for the -k option is wrong: the file specified here must contain the *private* key of the *server*, not the client certificate. Well, it does not really matter .. I ran ssldump at both the client and server... Using their respective *private* keys, capturing the same session... However, I did not get any hex optput for the 24 byte packet.. Thanks Shashank Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]