Re: SSL_MODE_AUTO_RETRY and non-blocking sockets
On Jan 16, 2004, at 8:26 PM, David Schwartz wrote:

> > > The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O.
>
> > Now you have me curious: What would be a broken use of select and blocking I/O? I use select before a call to SSL_read in order to facilitate a timeout. Is this wrong (or broken)?
>
> Yes, it's wrong/broken.
>
> > (If I receive one of the "WANT" errors, I just restart the I/O however.) My program makes the assumption that if it hears nothing on the read side of the socket during a period of time, that something is wrong.
>
> But what if SSL_read didn't get enough data to decode anything? Then it will wind up blocking on the socket, which is exactly what you didn't want to happen.
>
> > Currently, I don't like the way my I/O loop is working so I'm probably going to switch to non-blocking anyway.
>
> If you never, ever want to block, just set the socket non-blocking. Otherwise, there can always be corner cases where you can block indefinitely.

Now that I think it through, I can imagine a situation where this would be true. Select would only indicate that there was "something" on the read fd. That data might be protocol related (a re-negotiate, or only part of a record) and there might be NO application-level data. My program would then call SSL_read() and block forever since no application data has arrived, just as you described.

I think the thing that is most lacking in OpenSSL is the use of library-level threads apart from the application's main threads. I understand the need to be cross-platform, but if the library created a couple threads for handling I/O even when the application wasn't, I think it would go a long way to making the application programmer's life easier.

Perhaps this could be done similarly to the way mutexes are set up, by asking the application programmer to register a function that creates new threads. Obviously, those threads would need to be detached by default to avoid memory leaks.

Or maybe, there could be a "heartbeat" function supplied by OpenSSL that an application could call periodically to simulate threads. Basically, the application would call this "heartbeat" function repeatedly in order to give the library CPU time to perform its functions. An application programmer could just wrap this in a platform-specific threaded function. This would be similar to the way a unix process gives up CPU time by making system calls. Any time the heartbeat was called, the library could move data in and out of its various IO objects into buffers. The downside of this would be that the application could be burning a lot of CPU if nothing needs be done.

I vote to move SSL into the kernel! :)

Sigh... I guess the only real way to let OpenSSL do its thing most effectively is to use non-blocking I/O. Which means I'll need to get unlazy and actually design a decent I/O loop.
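The situation described in the message above (select() reports the descriptor readable while only a renegotiation record or part of a record has arrived), as an added C example that is not part of the original thread. It walks the cleartext 5-byte record headers used by SSLv3 through TLS 1.2 and counts complete application-data records; the sample buffers and the names `classify` and `readable_without_appdata` are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outer record content types, SSLv3 through TLS 1.2. */
enum { REC_CCS = 20, REC_ALERT = 21, REC_HANDSHAKE = 22, REC_APPDATA = 23 };

struct readiness {
    size_t socket_bytes;    /* any value > 0 makes select() report "readable" */
    size_t complete_records;
    size_t appdata_records; /* complete application-data records */
    size_t bytes_missing;   /* at least this many more bytes finish the last record */
};

/* Walk the 5-byte record headers: type, version (2 bytes), length (2 bytes). */
static struct readiness classify(const uint8_t *buf, size_t len)
{
    struct readiness r = { len, 0, 0, 0 };
    size_t off = 0;
    while (off < len) {
        size_t avail = len - off;
        if (avail < 5) {                    /* header cut short */
            r.bytes_missing = 5 - avail;
            break;
        }
        size_t body = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (avail - 5 < body) {             /* body cut short */
            r.bytes_missing = body - (avail - 5);
            break;
        }
        r.complete_records++;
        if (buf[off] == REC_APPDATA)
            r.appdata_records++;
        off += 5 + body;
    }
    return r;
}

/* Readable fd, but nothing SSL_read() could hand to the application yet. */
static int readable_without_appdata(const struct readiness *r)
{
    return r->socket_bytes > 0 && r->appdata_records == 0;
}

/* Constructed samples; record bodies are placeholder bytes, not real ciphertext. */
static const uint8_t RENEG_ONLY[] = { 22, 3, 1, 0, 4,  0, 0, 0, 0 };
static const uint8_t PARTIAL_APP[] = { 23, 3, 1, 0, 32,  1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
static const uint8_t FULL_APP[] = { 23, 3, 1, 0, 3,  0xaa, 0xbb, 0xcc };

static void report(const char *name, const uint8_t *buf, size_t len)
{
    struct readiness r = classify(buf, len);
    printf("%-12s bytes=%zu records=%zu appdata=%zu missing=%zu -> %s\n",
           name, r.socket_bytes, r.complete_records, r.appdata_records,
           r.bytes_missing,
           readable_without_appdata(&r) ? "SSL_read would wait" : "data ready");
}
int main(void)
{
    report("reneg-only", RENEG_ONLY, sizeof RENEG_ONLY);
    report("partial-app", PARTIAL_APP, sizeof PARTIAL_APP);
    report("full-app", FULL_APP, sizeof FULL_APP);
    return 0;
}
```

In the first two cases a select() timeout would not fire, yet a blocking SSL_read() has no application data to return. With a non-blocking socket the same call returns at once and SSL_get_error() reports SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, so the timeout stays under the application's control.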
Re: Win32 OpenSSL Updates/Announcements...
At 08:00 AM 1/13/2004 -0500, John S. Wolter writeth:

>Thomas:
>
>Thank you for the Win32 information, I just joined the list and had assumed Win32 announcements would be included but I guess I'll have to join the Win32 list.
>
>Second please add square brackets around [Win32 OpenSSL] to help visually I.D. the announce list messages. I get a couple of hundred spam per day and have my finger on the [DELETE] key. I know I deleted at least one announce message this morning, I think seeing [OpenSSL] will make my spam delete chore efficient.

I only posted here because there have been major changes to the distribution/website/etc. that people here might not have been aware of. I typically lurk in the background, so maybe once in a blue moon you'll see something from me. I'm fairly well-versed in appropriate behavior on lists, I only posted here because I was over a week late in getting OpenSSL up to 0.9.6L and just wanted to make sure people knew I am still alive and paying attention to OpenSSL.

Hope this helps!

Thomas J. Hruska -- [EMAIL PROTECTED]
Shining Light Productions -- "Meeting the needs of fellow programmers"
http://www.slproweb.com/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: SSL_MODE_AUTO_RETRY and non-blocking sockets
> > The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O.

> Now you have me curious: What would be a broken use of select and blocking I/O? I use select before a call to SSL_read in order to facilitate a timeout. Is this wrong (or broken)?

Yes, it's wrong/broken.

> (If I receive one of the "WANT" errors, I just restart the I/O however.) My program makes the assumption that if it hears nothing on the read side of the socket during a period of time, that something is wrong.

But what if SSL_read didn't get enough data to decode anything? Then it will wind up blocking on the socket, which is exactly what you didn't want to happen.

> Currently, I don't like the way my I/O loop is working so I'm probably going to switch to non-blocking anyway.

If you never, ever want to block, just set the socket non-blocking. Otherwise, there can always be corner cases where you can block indefinitely.

DS
Re: SSL_MODE_AUTO_RETRY and non-blocking sockets
On Jan 16, 2004, at 5:57 PM, Dr. Stephen Henson wrote:

> On Fri, Jan 16, 2004, Joseph Bruni wrote:
>
> > After reading the man page for SSL_CTX_set_mode, I have to ask, what happens if you set AUTO_RETRY with a non-blocking socket?
>
> The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O.

Now you have me curious: What would be a broken use of select and blocking I/O? I use select before a call to SSL_read in order to facilitate a timeout. Is this wrong (or broken)? (If I receive one of the "WANT" errors, I just restart the I/O however.) My program makes the assumption that if it hears nothing on the read side of the socket during a period of time, that something is wrong.

Currently, I don't like the way my I/O loop is working so I'm probably going to switch to non-blocking anyway.
Re: SSL_MODE_AUTO_RETRY and non-blocking sockets
On Fri, Jan 16, 2004, Joseph Bruni wrote:

> After reading the man page for SSL_CTX_set_mode, I have to ask, what happens if you set AUTO_RETRY with a non-blocking socket?

The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry even though the underlying transport did not during a session renegotiation. This is there to support some applications which brokenly use select() and blocking I/O. It avoids a possible deadlock in such applications when a session renegotiation occurs.

To avoid breaking such applications this mode is only enabled by setting a flag and it isn't set by default.

This is the only case where the SSL/TLS code could signal a retry when the underlying transport is blocking. So setting this flag means that applications that use blocking I/O will never need to retry calls and so don't need to allow for this case.

The flag otherwise doesn't have any effect: in particular it does not disable normal signalling of retries due to the underlying transport.

So the real answer is: not much.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
SSL_MODE_AUTO_RETRY and non-blocking sockets
After reading the man page for SSL_CTX_set_mode, I have to ask, what happens if you set AUTO_RETRY with a non-blocking socket?
Re: new CA & crlDistributionPoints
On Fri, Jan 16, 2004, Charles Harmon wrote:

> Hello all,
>
> I am desperately trying to get crlDistributionPoints stamped to my (server/client) certificates. For some reason it does not get added to any certificate I generate. I have read through the openssl.txt file and it just says to add the following to the x509_extensions section:
>
> crlDistributionPoints = URI:http://hostname.domain.com/mycrl.crl
>
> Well, no luck. I have been searching through the archives for this list and basically it says the same thing. In a last ditch I went and bought the O'Reilly openSSL book today which proved to be just as helpful. I don't even see a reference to crlDistributionPoints in the book! As this is my first attempt in setting up a CA I'm sure I am missing something stupid. If anyone has a free moment to help me out it would be greatly appreciated. I have included my openssl.cnf file for review. Since this is my first attempt any advice or recommendations would be useful.
>
> [config file]

What command are you using to make the server/client certificates?

What does:

openssl x509 -in some_cert.pem -text

(where some_cert.pem is one you created) say?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: new CA & crlDistributionPoints
It is set to /usr/local/ssl/openssl.cnf

I even tried to use the -extensions usr_cert to specify the section to pull the crlDistributionPoints parameter.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bommareddy, Satish (Satish)
Sent: Friday, January 16, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: new CA & crlDistributionPoints

what is the env variable OPENSSL_CONF pointing to? if not defined then is the change you made in the "/usr/local/ssl/openssl.cnf"???
RE: new CA & crlDistributionPoints
what is the env variable OPENSSL_CONF pointing to? if not defined then is the change you made in the "/usr/local/ssl/openssl.cnf"???
new CA & crlDistributionPoints
Hello all,

I am desperately trying to get crlDistributionPoints stamped to my (server/client) certificates. For some reason it does not get added to any certificate I generate. I have read through the openssl.txt file and it just says to add the following to the x509_extensions section:

crlDistributionPoints = URI:http://hostname.domain.com/mycrl.crl

Well, no luck. I have been searching through the archives for this list and basically it says the same thing. In a last ditch I went and bought the O'Reilly openSSL book today which proved to be just as helpful. I don't even see a reference to crlDistributionPoints in the book! As this is my first attempt in setting up a CA I'm sure I am missing something stupid. If anyone has a free moment to help me out it would be greatly appreciated. I have included my openssl.cnf file for review. Since this is my first attempt any advice or recommendations would be useful.

Thanks!
Charles

# openssl.cnf

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]

###
[ ca ]
default_ca = myCA # The default ca section

###
[ myCA ]
dir = /usr/local/ssl/myCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/private/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match

###
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

###
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

###
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr

###
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

###
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

###
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints = critical, CA:false
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier
Handshake returns error
Hi all,

I have a problem with my handshake. When the server does not require the client certificate, all works fine. But when it requires the client certificate, it stops in the handshake and returns me that error:

1:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1993:

and the client returns:

CONNECTED(0003)
depth=1 /C=US/O=RTFM, Inc./OU=Widgets Division/CN=Test CA20010517
verify error:num=19:self signed certificate in certificate chain
verify return:0
16433:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
16433:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

I have compiled OpenSSL-0.9.7c for an arm7tdmi, and I use RTEMS "operating system". I really don't know why that happens whereas the same program works fine on my PC!

Please help!