Re: Client Authentication with Openssl - Apache - errror -12227

2004-02-24 Thread Bo Boe
Oops, there we do have some kind of a problem.

the response to:
openssl s_client -connect www.bliek.org:443 -prexit

Looks like:
CONNECTED(0003)
depth=0
/C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL 
PROTECTED]
verify error:num=18:self signed certificate
verify return:1
depth=0
/C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL 
PROTECTED]
verify return:1
9493:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1052:SSL alert number
40
9493:error:140790E5:SSL routines:SSL23_WRITE:ssl
handshake failure:s23_lib.c:226:
...
depth=0
/C=UK/ST=MyTown/L=Mylocation/O=mydomain.com/OU=Security/CN=www.mydomain.com/[EMAIL 
PROTECTED]
...


So alright, something does go wrong, but it's still unclear to me why.
This is how I created the key that resulted in these errors:


Create directories
mkdir /opt/ssl/Server
mkdir /opt/ssl/CA
mkdir /opt/ssl/Client


Create server keys 
cd /opt/ssl/server
openssl req -new > server.cert.csr
openssl rsa -in privkey.pem -out server.cert.key
openssl x509 -in server.cert.csr -out server.cert.cert -req -signkey server.cert.key -days 365

note: I use CN = www.mydomain.com for all keys


Create CA keys 
cd /opt/ssl/CA
openssl req -new > CA.cert.csr
openssl rsa -in privkey.pem -out cA.cert.key
openssl x509 -in CA.cert.csr -out CA.cert.cert -req -signkey CA.cert.key -days 365


Create Client keys 
cd /opt/ssl/client
openssl req -new > client.cert.csr
openssl rsa -in privkey.pem -out client.cert.key
openssl x509 -in client.cert.csr -out client.cert.cert -req -signkey client.cert.key -days 365


Sign the client request with the CA.cert.key
openssl x509 -req -in client.cert.csr -out client.cert.cert -signkey ../CA/CA.cert.key -CA ../CA/CA.cert.cert -CAkey ../CA/CA.cert.key -CAcreateserial -days365


Export cert/keys to server
cp /opt/ssl/server/server.cert.cert /etc/apache/conf/ssl/.
cp /opt/ssl/server/server.cert.key /etc/apache/conf/ssl/.
cp /opt/ssl/CA/CA.cert.cert /etc/apache/conf/ssl/.


Edit apache configuration
nano -w /etc/apache2/conf/modules.d/41_mod_ssl.default-vhost.conf
SSLCertificateFile /path/to/certs/server.cert.cert
SSLCertificateKeyFile /path/to/certs/server.cert.key
SSLCACertificateFile /path/to/certs/CA.cert.cert
SSLVerifyClient require


Restart apache server
/etc/init.d/apache2 restart

note: I do have several vhosts on my machine



Export cert to client
cp /opt/ssl/client/client.cert/cert -> client machine


Import key into browser:
start mozilla -> edit -> preferences -> privacy &
security -> certificates -> manage certificates 
-> authorities -> import


browse to my www.mydomain.org (not to any of the other vhosts)

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Tue, Feb 24, 2004, Bo Boe wrote:
> 
> > My mozilla browser (version 1.6) returns the
> error.
> > When I install the client certificate in iexplorer
> > (version 6.0) I get a pop-up window asking me to
> > select a client certificate from an empty list. 
> > 
> > By the way I just tried to make the certificates
> as
> > explained in the ssl cookbook on
> > http://www.pseudonym.org/ssl/ssl_apache.html
> > It results in the same error.
> > 
> > I created all the certificates on a gentoo server
> > which is fully up to date. This machine is also
> used
> > as the apache2 server and openssl 0.9.7c.
> > 
> 
> http://www.openssl.org/support/faq.html#USER10
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
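Added example, not code from the thread or from the OpenSSL FAQ it points to: a POSIX shell script that sets the certificates up the way a client-authenticating vhost needs them, so that only the CA certificate is self-signed, the server and client certificates are issued with -CA/-CAkey rather than -signkey, and each one is checked with openssl verify -CAfile before it goes anywhere near Apache or a browser. It assumes OpenSSL 1.0.2 or newer and mktemp; all names, subjects and the client names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a small private CA, issue
# CA-signed server and client certificates, and check that each one chains
# to the CA before it is copied to Apache or imported into a browser.
# Assumes OpenSSL 1.0.2 or later and mktemp; all names and subjects are
# constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: an empty [dn] section (subjects come from -subj), an
# extension set for the CA and one for end-entity ("leaf") certificates.
# CA:FALSE on the leaf certificates marks them as end-entity certificates,
# not authorities.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# The CA is the only certificate here that should be self-signed.
make_ca() {
  openssl req -new -x509 -config "$WORK/ca.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=UK/O=example.test/CN=Example Test CA" \
    -keyout "$WORK/CA.key" -out "$WORK/CA.crt" 2>/dev/null
}

# new_csr NAME SUBJECT: fresh private key plus a certificate request.
new_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# ca_sign NAME: the CA issues the certificate. -CA/-CAkey make the CA's
# subject the issuer; -signkey would instead produce a self-signed cert.
ca_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# self_sign NAME: what 'x509 -req -signkey' yields, issuer == subject.
self_sign() {
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/ca.cnf" -extensions leaf_ext -out "$WORK/$1.crt" 2>/dev/null
}

# chains_to_ca NAME: succeeds only if openssl verify accepts NAME.crt with
# CA.crt as the sole trust anchor, the same check an SSLVerifyClient server
# performs against SSLCACertificateFile.
chains_to_ca() {
  openssl verify -CAfile "$WORK/CA.crt" "$WORK/$1.crt" 2>&1 | grep -q ': OK'
}

# issuer_of NAME: print the issuer DN, to see at a glance who signed it.
issuer_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer
}

# export_p12 NAME: certificate, key and CA bundle as PKCS#12 for a
# browser's personal certificate store (not its authorities list).
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -certfile "$WORK/CA.crt" -passout pass:changeit -out "$WORK/$1.p12"
}

build_all() {
  make_ca
  new_csr server "/C=UK/O=example.test/CN=www.example.test"
  ca_sign server
  new_csr client "/C=UK/O=example.test/CN=alice"
  ca_sign client
  new_csr rogue "/C=UK/O=example.test/CN=bob"
  self_sign rogue          # deliberately self-signed, like a -signkey cert
  export_p12 client
}

build_all
for name in server client rogue; do
  if chains_to_ca "$name"; then
    echo "$name.crt: accepted, $(issuer_of "$name")"
  else
    echo "$name.crt: rejected, not issued by the CA ($(issuer_of "$name"))"
  fi
done
```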


Re: Key and Certificat

2004-02-24 Thread Yannick Turgeon
Ng,

Thanks for your reply. From you it's an honor! ;o)

Yes I know, my question wasn't any clearer than my knowledge about SSL. Honestly,
I didn't know what the right question was! Anyway, the answer was in the ZSmime
FAQ, the only one I hadn't read.

Thanks for your time to reply to this message and even more for the time you
spent coding M2Crypto. The combination Zope-ZServer-xmlrpclib-m2xmlrpclib is
really an unbelievable result of Open Source and its programmer community.
For me it's really impressive. Almost a total abstraction of the communication
between server and client using SSL on top of this. It couldn't be better.

Yannick

On 23 February 2004 21:42, Ng Pheng Siong wrote:
> On Mon, Feb 23, 2004 at 06:45:29PM -0500, Yannick Turgeon wrote:
> > I just installed Zope and then ZServerSSL. Then I created a client and
> > everything is going fine using https protocol... and the "temporary" key
> > and certificate provided with ZServerSSL. I tried to generate new ones in
> > two similar but different ways. In both cases, when I execute runzope,
> > it's asking me for my passphrase. It's working when I enter it but it's
> > annoying.
> >
> > Anyone could help?
>
> Yes.
>
> ;-)
>
> Are you asking how to generate a passphrase-less private key? I'm sure that
> is covered in one of my HOWTOs: CA, ZSmime, or ZServerSSL.
>
> Also see here:
>
> http://tinyurl.com/e6m6
>
> HTH.



RE: OpenSSL, socket and Kernel

2004-02-24 Thread David Schwartz


> > There's a lot of different things you could mean by
> >"kernel-socket-network-connection". Can you clarify?
> >
> > If you're talking about using SSL to secure network
> >connections that take
> >place purely in kernel space, yes, you can do this. It's fairly tedious
> >because you still want to do the asymmetric cipher in user space.
> >
> > DS

> oh that's bad, because the complete network connection must be realized
> by the kernel. the user should have to do nothing with it.
> is there another way to realize it without using the user space?

You really should get a security expert who is familiar with your
requirements to comment in more detail. You didn't mention what operating
system you're talking about, but the situation on Windows is totally
different from the situation on UNIXes.

If you really want all the crypto in the kernel, you probably should be
looking at platform-specific solutions.

Linux, for example, has cryptoapi. http://www.kerneli.org/index.phtml

Windows has SSPI.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/sspi_model.asp

Not knowing what your requirements are, and somewhat baffled by why anyone
would want to put something that so obviously belongs in user space into the
kernel, it's hard for me to know what to advise you.

DS




Re: Certificate chain

2004-02-24 Thread Joseph Bruni
There is a really good example of how to do that in O'Reilly's Network 
Security with OpenSSL.

You can also download the source from http://www.opensslbook.com/. 
After downloading the source, check out example 10-7.



On Feb 24, 2004, at 12:07 PM, Manuel Sánchez Cuenca wrote:

Hello all,

Can anybody tell me how I can verify a certificate chain in a C program?

Thanks in advance.


Re: Client Authentication with Openssl - Apache - errror -12227

2004-02-24 Thread Dr. Stephen Henson
On Tue, Feb 24, 2004, Bo Boe wrote:

> My mozilla browser (version 1.6) returns the error.
> When I install the client certificate in iexplorer
> (version 6.0) I get a pop-up window asking me to
> select a client certificate from an empty list. 
> 
> By the way I just tried to make the certificates as
> explained in the ssl cookbook on
> http://www.pseudonym.org/ssl/ssl_apache.html
> It results in the same error.
> 
> I created all the certificates on a gentoo server
> which is fully up to date. This machine is also used
> as the apache2 server and openssl 0.9.7c.
> 

http://www.openssl.org/support/faq.html#USER10

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: OpenSSL, socket and Kernel

2004-02-24 Thread Frank Herchet

There's a lot of different things you could mean by
"kernel-socket-network-connection". Can you clarify?
If you're talking about using SSL to secure network connections that take
place purely in kernel space, yes, you can do this. It's fairly tedious
because you still want to do the asymmetric cipher in user space.
	DS
 

oh that's bad, because the complete network connection must be realized
by the kernel. the user should have to do nothing with it.
is there another way to realize it without using the user space?

thx
Frank


openssl smime -encrypt ... -aes256 planned?

2004-02-24 Thread Ralf Hauser
Hi,

http://www.openssl.org/docs/apps/smime.html# offers 
openssl smime [-encrypt] ... [-des3] ... [-rc2-128]
Are there any plans to also support -aes256 or stronger?

Regards Ralf

P.S.: At least my tomcat-coyote https does AES256 with quite acceptable
performance.



RE: OpenSSL, socket and Kernel

2004-02-24 Thread David Schwartz

> Hi,
>
> is it possible to use openssl in a kernel-socket-network-connection ?
>
> thx

There's a lot of different things you could mean by
"kernel-socket-network-connection". Can you clarify?

If you're talking about using SSL to secure network connections that take
place purely in kernel space, yes, you can do this. It's fairly tedious
because you still want to do the asymmetric cipher in user space.

DS




RE: Non-Blocking Socket Reads and Writes?

2004-02-24 Thread David Schwartz


> Just to get this thread back on track. I am simply trying to find a code
> example that shows using bio pairs instead of the SSL_write and SSL_read
> functions, so that I can use openssl routines in conjunction with native
> WinSock calls. In other words, I would like to be able to encrypt/decrypt
> using openssl and then actually send the encrypted payloads using WSASend,
> WSARecv on an overlapped socket.

Look at ssltest. Specifically, the bio pairs code.

DS




Re: Client Authentication with Openssl - Apache - errror -12227

2004-02-24 Thread Bo Boe
My mozilla browser (version 1.6) returns the error.
When I install the client certificate in iexplorer
(version 6.0) I get a pop-up window asking me to
select a client certificate from an empty list. 

By the way I just tried to make the certificates as
explained in the ssl cookbook on
http://www.pseudonym.org/ssl/ssl_apache.html
It results in the same error.

I created all the certificates on a gentoo server
which is fully up to date. This machine is also used
as the apache2 server and openssl 0.9.7c.



--- Peter Sylvester <[EMAIL PROTECTED]>
wrote:




OpenSSL, socket and Kernel

2004-02-24 Thread Frank Herchet
Hi,

is it possible to use openssl in a kernel-socket-network-connection ?

thx

--
Frank


RE: Non-Blocking Socket Reads and Writes?

2004-02-24 Thread Chris Rowe
Just to get this thread back on track. I am simply trying to find a code
example that shows using bio pairs instead of the SSL_write and SSL_read
functions, so that I can use openssl routines in conjunction with native
WinSock calls. In other words, I would like to be able to encrypt/decrypt
using openssl and then actually send the encrypted payloads using WSASend,
WSARecv on an overlapped socket.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Tuesday, February 24, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: Non-Blocking Socket Reads and Writes?




> For windows programmers, switching an existing
> socket from blocking to non-blocking is
> considered dangerous.  Have a look at the
> "Winsock Programmer's Lame List":

> http://tangentsoft.net/wskfaq/articles/lame-list.html

> -- kov

I looked and couldn't find any such warning. Can you cite the specific
paragraph?

DS




RE: Non-Blocking Socket Reads and Writes?

2004-02-24 Thread David Schwartz



> For windows programmers, switching an existing
> socket from blocking to non-blocking is
> considered dangerous.  Have a look at the
> "Winsock Programmer's Lame List":

> http://tangentsoft.net/wskfaq/articles/lame-list.html

> -- kov

I looked and couldn't find any such warning. Can you cite the specific
paragraph?

DS




Re: OpenSSL session hangs

2004-02-24 Thread Paul L. Allen
Dr. Stephen Henson wrote:

> On Mon, Feb 23, 2004, Paul L. Allen wrote:
>
> > [... tracking my problem partially through the OpenSSL libraries ...]
> > I'm stumped!
>
> I'm not immediately sure what the problem is either. It might be stack
> corruption somewhere or something confusing the malloc library. Have you tried
> it under a debugging malloc library that can detect any out of bounds
> accesses?
>
> Have you tried this under a different OS to see if you get the same behaviour?

I pushed on this a little harder last night and watched the SSL bio
calling out to the system malloc() and hanging there.  It would appear
that my problem is likely not with OpenSSL, although something might
be happening there that's confusing the system malloc().  I do have
a couple different OS's and a debugging malloc library to experiment
with.  I'll post back here if I learn anything relevant to OpenSSL.
Thanks to Dr. Henson and all others who spent think-time on this.
Paul Allen

--
Boeing Phantom Works   \ Paul L. Allen, (425) 865-3297
Math & Computing Technology  \ [EMAIL PROTECTED]
POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group


Certificate chain

2004-02-24 Thread Manuel Sánchez Cuenca
Hello all,

Can anybody tell me how I can verify a certificate chain in a C program?

Thanks in advance.

--
=
Manuel Sanchez Cuenca
Dept. Ingenieria y Tecnologia de Computadores
Universidad de Murcia - Espana
Tlf: +34 968363995 - Fax: 968364151
email: [EMAIL PROTECTED]
www: http://skywalker.dif.um.es/~lolo




RE: Regarding all the spam...

2004-02-24 Thread Ken - Xzone9 Productions
This chain of email regarding SPAM originated with the topic to reduce
the SPAM in this group email...
The only way to moderate a group email list is to formalize the method
of how it is delivered. If interested people are asked to join as a
member, they can be turned off if proved to be malicious. Otherwise,
anyone can keep sending emails with bad intent in any email name from
yahoo, msn, etc. If they are forced to "sign-up" each time, they will
eventually go pick on another email group.
In addition, if enough interest is responding, I can post a Bulletin
Board for topics, and people can choose to go there instead of through
group email listings.
I otherwise agree that non-members need to become members to post.

Best Regards;
Ken Hackenberg

[EMAIL PROTECTED]
www.xzone9.com
AOL IM- khkenberg
(480) 726.8579



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lyngmo Ted
Sent: Tuesday, February 24, 2004 5:41 AM
To: [EMAIL PROTECTED]
Subject: RE: Regarding all the spam...


Richard Levitte wrote:
> Ted Lyngmo wrote:
> >
> > Is it possible to post messages to the mailing list without being a 
> > member? If so, what would we lose by changing that?
> 
> I honestly don't know what we would lose. Maybe a sense of openness.

True, but considering how easy it is to become a member, my suggestion
is that posting to the list is made available for members only.

Kind regards,
Ted Lyngmo


Re: Regarding all the spam...

2004-02-24 Thread Rich Salz
> I think I misunderstood that question.  I honestly don't know what we
> would lose.  Maybe a sense of openness.

In the past -- at least, say, 2-3 years ago -- we had a couple of
anonymous posters who made very worthwhile contributions.  Haven't
seen that recently.  Also, it used to be in the spirit of crypto
open source (cypherpunks, etc) to allow anon posting because
of the whole ethos thing.

Probably not worth supporting any more.

/r$

--
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html



RE: Non-Blocking Socket Reads and Writes?

2004-02-24 Thread Chris Rowe
What are you talking about? When did I ever say I was doing that? Look, I'm
new to openssl, NOT sockets!

From: owner-[EMAIL PROTECTED] [mailto:owner-[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 9:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Non-Blocking Socket Reads and Writes?

For windows programmers, switching an existing socket from blocking to
non-blocking is considered dangerous.  Have a look at the "Winsock
Programmer's Lame List":

http://tangentsoft.net/wskfaq/articles/lame-list.html

-- kov

I am developing for Win2K,XP,2003 and was hoping to use an IO model
equivalent to windows overlapped IO to maximize performance. Is there anyway
to encrypt the socket payloads for the SSL handshake, SSL Reads and Writes,
separately and then call WSARecv, WSASend, etc in order to use native window
IO? I know how to do this using SSPI on windows but I would like to develop
an equivalent using openssl to compare the performance.

-Original Message-
From: owner-[EMAIL PROTECTED] [mailto:owner-[EMAIL PROTECTED]]
On Behalf Of Joseph Bruni
Sent: Saturday, February 21, 2004 2:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Non-Blocking Socket Reads and Writes?

Which OS are you using? It's a bit hard to recommend APIs without
knowing which set you are using.

If you are using a POSIX-compliant OS, you can use the fcntl() function
to switch your socket between blocking and non-blocking:

non-blocking:

flags = fcntl(my_socket, F_GETFL, 0);
fcntl(my_socket, F_SETFL, flags | O_NONBLOCK);

blocking:

flags = fcntl(my_socket, F_GETFL, 0);
fcntl(my_socket, F_SETFL, flags & ~O_NONBLOCK);

--
http://www.badgerbadgerbadger.com/

On Feb 20, 2004, at 9:14 AM, Chris Rowe wrote:

> Do I need to call  ioctlsocket(m_socket, FIONBIO, (u_long FAR*)
> &iMode); to enable non-blocking or can I just #define FIONBIO and
> #define USE_NBIO from within my code?
>
> From: Chris Rowe [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 20, 2004 9:18 AM
> To: '[EMAIL PROTECTED]'
> Subject: Non-Blocking Socket Reads and Writes?
>
> I am having a hard time finding a good example on using non-blocking
> I/O with SSL_Read and SSL_Write?
>
> How do I set the underlying BIO to non-blocking? I am assuming it
> requires the use of SSL_ERROR_WANT_READ or SSL_peek()???
>
> I have been looking in the man pages on openssl but need a little push
> in the right direction please.
>
> Thanks in advance,
>
> Chris Rowe

Re: OpenSSL session hangs

2004-02-24 Thread Pablo J Royo

Hi

Maybe this problem has nothing to do with OpenSSL?

I experienced this problem under a non-SSL, private protocol for sending
files to a server.
The symptoms were VERY similar: a hang after sending a file to a server,
then exchanging little packets between client and server.
I made experiments with the "low watermark" socket option, used by select( )
to detect when a packet has come to a socket.
I remember that lowering that parameter could improve the situation but then
I discovered the same effects in a LAN with fragmented packets incorrectly
handled by broken routers and forgot those tests. I suppose this is not your
problem, unless something very ugly is happening on your OS.

Not sure if this can help, or distract you. Anyway, hope it can help.



- Original Message -
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: "Paul L. Allen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 24, 2004 2:50 PM
Subject: Re: OpenSSL session hangs


> 
>
> On Mon, Feb 23, 2004, Paul L. Allen wrote:
>
> >
> > OK, here's where it took me:
> >
> > The setup is a stack consisting of a buffered BIO, an SSL BIO, and
> > a socket BIO.  In a typical test run, client and server have had a
> > conversation of a hundred or so messages.  The most recent exchange
> > involved a message from the client of about 4500 bytes.  Messages are
> > newline-delimited ASCII lines exchanged via BIO_puts()/BIO_gets(),
> > with a BIO_flush() after each BIO_puts().
> >
> > The client sends a 4-byte message using BIO_puts().
> > buffer_write() stashes the bytes in the buffer and returns.
> > The client calls BIO_flush() on the buffered BIO.
> > In buffer_ctl(), BIO_write() gets called to get the SSL BIO to write the
> > bytes.
> > BIO_write() calls the bwrite method on the SSL BIO, which resolves to
> > ssl_write().
> > ssl_write() calls SSL_write().
> > SSL_write() calls ssl->method->ssl_write, which resolves to ssl3_write().
> > ssl3_write() calls ssl3_write_bytes().
> > ssl3_write_bytes() calls do_ssl3_write().
> > do_ssl3_write() calls s->method->ssl3_enc->mac(), which hangs until a
> > SIGALRM gets delivered in about 60 seconds.
> >
> > On all prior runs down this pathway, s->method->ssl3_enc->mac()
> > returns OK, s->method->ssl3_enc->enc() is called, followed by s2n(),
> > ssl3_write_pending() gets called to ask the socket BIO to write the
> > data, and we return back up the stack to where BIO_flush() returns to
> > my code.  The above experiment is with the 2/19 snapshot of the OpenSSL
> > code, liberally sprinkled with fprintf's.  It's possible that I've
> > missed some links in the chain, although I've tried pretty hard not to.
> >
> > The hang always involves a short message from the client following
> > an interchange involving a long message from the client.  If I move
> > the transaction containing the long line around in the sequence of
> > test transactions, the client sometimes does not hang.  But when it
> > does hang, it is always right after a long transaction.  Interestingly,
> > the "long" transactions consist of a 4500 byte message from the client,
> > a short (100 bytes) message from the server, another short message from
> > the client (which always succeeds), and another short message from the
> > server.  When the hang happens, it is on the next message from the
> > client (the second short client message after a long one).
> >
> > I'm stumped!
> >
>
> I'm not immediately sure what the problem is either. It might be stack
> corruption somewhere or something confusing the malloc library. Have you tried
> it under a debugging malloc library that can detect any out of bounds
> accesses?
>
> Have you tried this under a different OS to see if you get the same behaviour?
>
> I could look into this as part of my commercial consultancy services if you
> can't get anywhere. Maybe with a discount if it turned out to be an OpenSSL
> bug :-)
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk


RE: Non-Blocking Socket Reads and Writes?

2004-02-24 Thread KOverton

For windows programmers, switching an existing socket from blocking to non-blocking is considered dangerous.  Have a look at the "Winsock Programmer's Lame List":

http://tangentsoft.net/wskfaq/articles/lame-list.html

-- kov



I am developing for Win2K,XP,2003 and was hoping to use an IO model
equivalent to windows overlapped IO to maximize performance. Is there anyway
to encrypt the socket payloads for the SSL handshake, SSL Reads and Writes,
separately and then call WSARecv, WSASend, etc in order to use native window
IO? I know how to do this using SSPI on windows but I would like to develop
an equivalent using openssl to compare the performance.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
Sent: Saturday, February 21, 2004 2:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Non-Blocking Socket Reads and Writes?

Which OS are you using? It's a bit hard to recommend APIs without
knowing which set you are using.

If you are using a POSIX-compliant OS, you can use the fcntl() function
to switch your socket between blocking and non-blocking:

non-blocking:

flags = fcntl(my_socket, F_GETFL, 0);
fcntl(my_socket, F_SETFL, flags | O_NONBLOCK);

blocking:

flags = fcntl(my_socket, F_GETFL, 0);
fcntl(my_socket, F_SETFL, flags & ~O_NONBLOCK);


--
http://www.badgerbadgerbadger.com/

On Feb 20, 2004, at 9:14 AM, Chris Rowe wrote:

> Do I need to call  ioctlsocket(m_socket, FIONBIO, (u_long FAR*)
> &iMode); to enable non-blocking or can I just #define FIONBIO and
> #define USE_NBIO from within my code?
>
>
>
>
>
>
> From: Chris Rowe [mailto:[EMAIL PROTECTED]
>  Sent: Friday, February 20, 2004 9:18 AM
> To: '[EMAIL PROTECTED]'
> Subject: Non-Blocking Socket Reads and Writes?
>
>
>
> I am having a hard time finding a good example on using non-blocking
> I/O with SSL_Read and SSL_Write?
>
> How do I set the underlying BIO to non-blocking? I am assuming it
> requires the use of SSL_ERROR_WANT_READ or SSL_peek()???
>
> I have been looking in the man pages on openssl but need a little push
> in the right direction please.
>
>
>
> Thanks in advance,
>
> Chris Rowe
>
>




Re: OpenSSL session hangs

2004-02-24 Thread Dr. Stephen Henson
On Tue, Feb 24, 2004, Dr. Stephen Henson wrote:

> 
> 

Not so private after all: bugger!

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: OpenSSL session hangs

2004-02-24 Thread Dr. Stephen Henson


On Mon, Feb 23, 2004, Paul L. Allen wrote:

> 
> OK, here's where it took me:
> 
> The setup is a stack consisting of a buffered BIO, an SSL BIO, and
> a socket BIO.  In a typical test run, client and server have had a
> conversation of a hundred or so messages.  The most recent exchange
> involved a message from the client of about 4500 bytes.  Messages are
> newline-delimited ASCII lines exchanged via BIO_puts()/BIO_gets(),
> with a BIO_flush() after each BIO_puts().
> 
> The client sends a 4-byte message using BIO_puts().
> buffer_write() stashes the bytes in the buffer and returns.
> The client calls BIO_flush() on the buffered BIO.
> In buffer_ctl(), BIO_write() gets called to get the SSL BIO to write the 
> bytes.
> BIO_write() calls the bwrite method on the SSL BIO, which resolves to 
> ssl_write().
> ssl_write() calls SSL_write().
> SSL_write() calls ssl->method->ssl_write, which resolves to ssl3_write().
> ssl3_write() calls ssl3_write_bytes().
> ssl3_write_bytes() calls do_ssl3_write().
> do_ssl3_write() calls s->method->ssl3_enc->mac(), which hangs until a
> SIGALRM gets delivered in about 60 seconds.
> 
> On all prior runs down this pathway, s->method->ssl3_enc->mac()
> returns OK, s->method->ssl3_enc->enc() is called, followed by s2n(),
> ssl3_write_pending() gets called to ask the socket BIO to write the
> data, and we return back up the stack to where BIO_flush() returns to
> my code.  The above experiment is with the 2/19 snapshot of the OpenSSL
> code, liberally sprinkled with fprintf's.  It's possible that I've
> missed some links in the chain, although I've tried pretty hard not to.
> 
> The hang always involves a short message from the client following
> an interchange involving a long message from the client.  If I move
> the transaction containing the long line around in the sequence of
> test transactions, the client sometimes does not hang.  But when it
> does hang, it is always right after a long transaction.  Interestingly,
> the "long" transactions consist of a 4500 byte message from the client,
> a short (100 bytes) message from the server, another short message from
> the client (which always succeeds), and another short message from the
> server.  When the hang happens, it is on the next message from the
> client (the second short client message after a long one).
> 
> I'm stumped!
> 

I'm not immediately sure what the problem is either. It might be stack
corruption somewhere or something confusing the malloc library. Have you tried
it under a debugging malloc library that can detect any out of bounds
accesses?

Have you tried this under a different OS to see if you get the same behaviour?

I could look into this as part of my commercial consultancy services if you
can't get anywhere. Maybe with a discount if it turned out to be an OpenSSL
bug :-)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Regarding all the spam...

2004-02-24 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 24 Feb 2004 13:54:57 +0100, Mads Toftum <[EMAIL PROTECTED]> said:

mads> On Tue, Feb 24, 2004 at 01:40:03PM +0100, Richard Levitte - VMS Whacker wrote:
mads> > mads> get someone to moderate the list - problem solved.
mads> > 
mads> > *cough* you do know what you're talking about, right?
mads> > 
mads> yes. Allow members to post and only non-members if moderated through -
mads> I wouldn't suggest it if I didn't do the same for other lists already.

Ah, that form.  Sorry, got confused...

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.


Re: Regarding all the spam...

2004-02-24 Thread Mads Toftum
On Tue, Feb 24, 2004 at 01:40:03PM +0100, Richard Levitte - VMS Whacker wrote:
> mads> get someone to moderate the list - problem solved.
> 
> *cough* you do know what you're talking about, right?
> 
yes. Allow members to post and only non-members if moderated through -
I wouldn't suggest it if I didn't do the same for other lists already.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



RE: Regarding all the spam...

2004-02-24 Thread Lyngmo Ted
Richard Levitte wrote:
> Ted Lyngmo wrote:
> >
> > Is it possible to post messages to the mailing list without
> > being a member? If so, what would we lose by changing that?
> 
> I honestly don't know what we would lose. Maybe a sense of
> openness.

True, but considering how easy it is to become a member, my suggestion is that posting 
to the list is made available for members only.

Kind regards,
Ted Lyngmo


Re: Regarding all the spam...

2004-02-24 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 24 Feb 2004 13:32:40 +0100, Mads Toftum <[EMAIL PROTECTED]> said:

mads> On Tue, Feb 24, 2004 at 01:27:05PM +0100, Richard Levitte - VMS Whacker wrote:
mads> > 
mads> > I think I misunderstood that question.  I honestly don't know what we
mads> > would lose.  Maybe a sense of openness.
mads> > 
mads> get someone to moderate the list - problem solved.

*cough* you do know what you're talking about, right?



RE: Client Authentication with Openssl - Apache - errror -12227

2004-02-24 Thread Schoneman, Mark
I’ve only seen this error when in the SSL process the client is attempting to
sign with the private key and errors out.

This was with openssl and non-openssl certificates.

    Mark S

-Original Message-
From: Bo Boe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 6:17 AM
To: [EMAIL PROTECTED]
Subject: Client Authentication with Openssl - Apache - errror -12227

I am trying to set up a web-server which can only be accessed if the client
has a valid & trusted ssl certificate.

When I do this I get the following error message:
www.mydomain.com has received an incorrect and unexpected message. Error code -12227

So far I have found several other people who have run into this problem but so
far none of them have reported the solution. My strong feeling is somehow that
the problem is caused by the certificates generated by openssl but I do not
have a clear proof of it since there are no entries in the log-files around
this error.

I posted this problem also on gentoo forum where I have described in more
detail how I configured my Apache server and how I created the SSL
certificates.

Does anyone know how to resolve this problem?
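Mark's diagnosis (the client fails when it has to sign with its private key) and the poster's suspicion that the generated certificates are at fault can both be checked offline, before Apache is involved at all. The script below is an added example and not code from the thread: it builds a throwaway CA and a CA-signed client certificate with the openssl CLI, then runs the three checks that catch the usual causes of a broken client-certificate handshake, namely a client certificate that is self-signed instead of CA-signed, a private key that does not belong to the certificate, and a certificate that does not chain to the CA file the server trusts. All file names and subject names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a small test PKI with the
# openssl CLI and runs the checks that catch the usual causes of a failed
# client-certificate handshake. File names and subject DNs are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Build: a self-signed CA, a client key/CSR, a CA-signed client certificate,
# plus two deliberately bad artefacts (a self-signed client cert and an
# unrelated key) so the checks below have something to reject.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=UK/O=Example/CN=Example Test CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=UK/O=Example/CN=client1" \
        -keyout client.key -out client.csr >/dev/null 2>&1
    # Sign the CSR with the CA key: -CA/-CAkey, not -signkey. -signkey would
    # produce a self-signed certificate that no CA file will ever verify.
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -out client.crt >/dev/null 2>&1
    openssl x509 -req -in client.csr -signkey client.key \
        -sha256 -days 365 -out client-selfsigned.crt >/dev/null 2>&1
    openssl genrsa -out other.key 2048 >/dev/null 2>&1
}

# True when the certificate's subject equals its issuer (self-signed).
cert_is_self_signed() {
    subj="$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)"
    iss="$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)"
    [ "$subj" = "$iss" ]
}

# True when the private key's public half equals the key in the certificate.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is enough. A mismatch is the "cannot sign" case Mark describes.
key_matches_cert() {
    key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
    cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# True when the certificate verifies against the CA file the server trusts.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Combined check. Arguments: CA file, client private key, client certificate.
client_cert_ok() {
    if cert_is_self_signed "$3"; then
        echo "FAIL: $3 is self-signed, not issued by a CA" >&2; return 1
    fi
    if ! key_matches_cert "$2" "$3"; then
        echo "FAIL: $2 does not match the public key in $3" >&2; return 1
    fi
    if ! cert_chains_to_ca "$1" "$3"; then
        echo "FAIL: $3 does not chain to $1" >&2; return 1
    fi
    echo "OK: $3 is issued by $1 and matches $2"
}

make_pki

# Stand-alone run: the good set passes, each bad artefact is rejected.
client_cert_ok ca.crt client.key client.crt
client_cert_ok ca.crt client.key client-selfsigned.crt || true
client_cert_ok ca.crt other.key client.crt || true
```

On a real deployment the same three functions are run against the real files: the CA certificate that the Apache `SSLCACertificateFile` directive points to (with `SSLVerifyClient require`), and the key and certificate loaded into the browser. If `cert_is_self_signed` is true for the client certificate, it was produced with `-signkey` rather than signed by the CA and the server will reject it no matter what the CA file contains.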








Re: Regarding all the spam...

2004-02-24 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 24 Feb 2004 12:59:37 +0100, "Lyngmo Ted" <[EMAIL PROTECTED]> said:

ted.lyngmo> Is it possible to post messages to the mailing list
ted.lyngmo> without being a member?

Yes, openssl-users is completely open.

ted.lyngmo> If so, what would we lose by changing that?

Some people will have their responses go to
[EMAIL PROTECTED]  You will miss those replies.



Re: Regarding all the spam...

2004-02-24 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Tue, 24 Feb 2004 12:59:37 +0100, "Lyngmo Ted" <[EMAIL PROTECTED]> said:

ted.lyngmo> If so, what would we lose by changing that?

I think I misunderstood that question.  I honestly don't know what we
would lose.  Maybe a sense of openness.



Re: Regarding all the spam...

2004-02-24 Thread Mads Toftum
On Tue, Feb 24, 2004 at 01:27:05PM +0100, Richard Levitte - VMS Whacker wrote:
> 
> I think I misunderstood that question.  I honestly don't know what we
> would lose.  Maybe a sense of openness.
> 
get someone to moderate the list - problem solved.

vh

Mads Toftum