RE: Using libcrypto in a shared library
Maybe creating the library with ld rather than gcc might work better?

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Boris
Sent: Wednesday, February 02, 2005 2:58 PM
To: openssl-users@openssl.org
Subject: Using libcrypto in a shared library

Hi,

I'm having trouble using libcrypto in a shared library. Here is what I did:

1. I'm on RedHat 7.2.
2. I installed OpenSSL by "./config shared" and got /usr/local/ssl/lib/libcrypto.so.
3. I wrote a sample library calling EVP functions (the library source is attached below - decrypt.c).
4. I compiled decrypt.c as follows:

      gcc -fpic -c decrypt.c -o decrypt.o -I/usr/local/ssl/include
      gcc -shared decrypt.o -o libdecrypt.so -L/usr/local/ssl/lib -lcrypto

5. I added the current and the OpenSSL directories to the library path:

      LD_LIBRARY_PATH=$(pwd):/usr/local/ssl/lib

When I try to run the testlib program (source attached below) the program fails on dlopen().

Could someone please advise what am I doing wrong?

Thanks in advance

   // decrypt.c
   #include "testlib.h"
   #include <stdio.h>
   #include <string.h>
   #include <unistd.h>
   #include <fcntl.h>
   #include <openssl/evp.h>

   int test_decrypt()
   {
       int encfd;
       /* room for the final block plus a NUL so the plaintext can be printed as a string */
       unsigned char outbuf[1032 + EVP_MAX_BLOCK_LENGTH + 1];
       int olen, tlen, n;
       unsigned char inbuff[1032];
       EVP_CIPHER_CTX ctx;            /* stack-allocated context: OpenSSL 0.9.x/1.0.x API */
       unsigned char key[16];
       unsigned char iv[8];
       char *encfile = "blowfish_enc";

       /* 16-byte Blowfish key and 8-byte CBC IV (test values). memcpy rather than
          strcpy: strcpy would write the terminating NUL one byte past each buffer. */
       memset(key, 0, sizeof(key));
       memset(iv, 0, sizeof(iv));
       memcpy(key, "1234567890123456", sizeof(key));
       memcpy(iv, "12345678", sizeof(iv));

       if ((encfd = open(encfile, O_RDONLY)) == -1) {
           return onerr;              /* onerr: assumed to be defined in testlib.h (not shown) */
       }
       memset(inbuff, 0, sizeof(inbuff));
       if ((n = read(encfd, inbuff, sizeof(inbuff))) == -1) {
           close(encfd);
           return onerr;
       }
       close(encfd);

       EVP_CIPHER_CTX_init(&ctx);
       EVP_DecryptInit(&ctx, EVP_bf_cbc(), key, iv);
       memset(outbuf, 0, sizeof(outbuf));
       if (EVP_DecryptUpdate(&ctx, outbuf, &olen, inbuff, n) != 1) {
           EVP_CIPHER_CTX_cleanup(&ctx);
           return onerr;
       }
       /* DecryptFinal fails on bad padding, i.e. wrong key/IV or altered ciphertext */
       if (EVP_DecryptFinal(&ctx, outbuf + olen, &tlen) != 1) {
           EVP_CIPHER_CTX_cleanup(&ctx);
           return onerr;
       }
       olen += tlen;
       EVP_CIPHER_CTX_cleanup(&ctx);
       outbuf[olen] = '\0';           /* EVP does not NUL-terminate the plaintext */
       printf("Output: %s", outbuf);
       return 0;
   }

   // testlib.c
   #include <stdio.h>
   #include <stdlib.h>
   #include <unistd.h>
   #include <dlfcn.h>

   int main(int argc, char **argv)
   {
       void *handle;
       int (*test_decrypt)(void);
       char *c;

       handle = dlopen("libdecrypt.so", RTLD_LAZY);   /* the original passed the literal 1, which is RTLD_LAZY */
       c = dlerror();
       if (c) {
           /* dlerror() names the library the loader could not find */
           fprintf(stderr, "couldn't open library: %s\n", c);
           abort();
       }
       test_decrypt = dlsym(handle, "test_decrypt");
       c = dlerror();
       if (c) {
           fprintf(stderr, "couldn't get function symbol: %s\n", c);
           abort();
       }
       test_decrypt();
       dlclose(handle);
       return 0;
   }
How to set ON OUN and CN?
Hi,

I am trying to generate a server's certificate signed by a self-signed Root CA. The commands I am using are the following ones:

   /usr/share/ssl/misc/CA -newca
   openssl req -new -nodes -keyout newreq.pem -out newreq.pem
   /usr/share/ssl/misc/CA -sign
   cat newcert.pem newreq.pem > server.pem

server.pem is then the server's certificate.

For both certificates, I don't know how to set:
- organization name
- organization unit name
- common name

Are they the same for both the root CA and the server's certificate? Should they be different?

Thanks a lot.

Anne-Sophie.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: How to set ON OUN and CN?
Hi Anne-Sophie,

This script looks for these values in a configuration file (openssl.cnf by default, I think). Edit this file and you will find these fields :-)

I think that the common name should be different for both certificates. For the other fields, they can be the same, but the organization unit is often different.

Hope this helps,

Frédéric.

Harnois Anne-Sophie wrote:
> [...]
Re: Using libcrypto in a shared library
Maybe "export" will help you.

   export LD_LIBRARY_PATH=$(pwd):/usr/local/ssl/lib
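What Zerg's one-liner changes, shown as an added example that is not part of any post in the thread: the dynamic loader reads LD_LIBRARY_PATH from the environment of the program it is starting, and a bare assignment in the shell only creates a shell variable, which child processes never see. The script uses a made-up variable name (DEMO_LIB_PATH) so it can be run without altering the real loader path.

```shell
#!/bin/sh
# Added example, not from the thread: why `LD_LIBRARY_PATH=...` on its own does
# not reach dlopen(). A bare assignment creates a shell variable; only exported
# variables are copied into the environment of child processes, and ld.so reads
# LD_LIBRARY_PATH from the environment of the program it starts. A made-up
# variable name is used so this can be run without touching the real loader path.

# Print "yes" if a freshly started child process inherits the variable named in
# $1, otherwise "no". The child lists its own environment, which is exactly what
# the dynamic loader would see for that process.
child_sees_var() {
    sh -c 'if env | grep -q "^$1="; then echo yes; else echo no; fi' sh "$1"
}

# The mistake in the original post: assigned in the shell, never exported.
assign_only() {
    DEMO_LIB_PATH="$(pwd):/usr/local/ssl/lib"
    child_sees_var DEMO_LIB_PATH
}

# Zerg's fix: export it, so every command started afterwards inherits it.
assign_and_export() {
    export DEMO_LIB_PATH="$(pwd):/usr/local/ssl/lib"
    child_sees_var DEMO_LIB_PATH
}

# Equivalent for a single command: a prefix assignment is exported to that one
# command only, and nothing else in the shell changes.
one_shot() {
    DEMO_LIB_PATH="$(pwd):/usr/local/ssl/lib" \
        sh -c 'if env | grep -q "^DEMO_LIB_PATH="; then echo yes; else echo no; fi'
}

echo "assignment only:   $(assign_only)"
echo "assign and export: $(assign_and_export)"
echo "prefix assignment: $(one_shot)"
```

Once the variable is exported, `ldd libdecrypt.so` shows which libcrypto the loader resolves, or `not found` if it still cannot. LD_LIBRARY_PATH is a debugging convenience rather than a deployment mechanism: the loader ignores it for set-user-ID programs, and a writable directory on it lets anyone plant a fake libcrypto.so that the program will happily load. For a permanent install, link with -Wl,-rpath,/usr/local/ssl/lib or register the directory with ldconfig.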
CA destroys long serial files
Hello!

If the serial number in the serial file is longer than 70, openssl ca works correctly, but writes the next number as:

   342389523...423\
   34234344

The next time openssl needs the serial file, the error occurs:

   unable to load number from /path/longserialCa
   error while loading serial number

A fix could be done on the writing or the reading of the serial file, but I think writing without the \ is the better solution.

greetings
Wolfgang

--
The From: and Reply-To: addresses are internal news2mail gateway addresses. Reply to the list or to Wolfgang Aigner [EMAIL PROTECTED]
Re: Using libcrypto in a shared library
Thanks, I will check the ld.

----- Original Message -----
From: Ted Mittelstaedt
To: openssl-users@openssl.org
Sent: Thursday, February 03, 2005 10:59 AM
Subject: RE: Using libcrypto in a shared library

> Maybe creating the library with ld rather than gcc might work better?
>
> Ted
>
> [...]
Re: Using libcrypto in a shared library
Thanks a lot. That was it.

That's what happens when you try to do complex stuff without practicing the basics. Unfortunately we (I) don't always have the time to attend courses - we just need to get the job done.

----- Original Message -----
From: Zerg
To: openssl-users@openssl.org
Sent: Thursday, February 03, 2005 12:48 PM
Subject: Re: Using libcrypto in a shared library

> Maybe "export" will help you.
>
> export LD_LIBRARY_PATH=$(pwd):/usr/local/ssl/lib
Self signed certificates
Hello all,

I was having a play with Eric Rescorla's programs implementing simple openssl client/server comms; the ones from his "An Introduction to OpenSSL Programming" articles. He supplies some self-signed certificates for testing along with the source accompanying the articles.

Now, I compile his software with openssl version 0.9.7e and the function SSL_get_verify_result (ssl) throws the error 19, which translates to:

   X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN

I presume openssl now defaults to refusing to deal with self-signed certificates due to the well known problems associated with them.

Is there a function I can call that will allow self-signed certificates in my program for the purposes of testing?

regards,

Seb

--
Sebastian James - Embedded Systems.
Hypercube Systems Ltd 'Embedded Linux Solutions'
35 Walkley Crescent Road, Sheffield, S6 5BA
Tel: 0845 4580277
Web: www.hypercubesystems.co.uk
Re: Self signed certificates
Hi,

You can use the function SSL_CTX_set_verify to declare a callback function which will be called by the OpenSSL framework if an error occurred during the default certificate verification. In your callback function, return 1 when the error is equal to X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.

See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html# for an example.

Hope this helps,

Frédéric.

Seb James wrote:
> [...]
Re: Self signed certificates
On Thu, Feb 03, 2005, Seb James wrote:

> Hello all,
>
> I was having a play with Eric Rescorla's programs implementing simple openssl client/server comms; the ones from his "An Introduction to OpenSSL Programming" articles. He supplies some self-signed certificates for testing along with the source accompanying the articles.
>
> Now, I compile his software with openssl version 0.9.7e and the function SSL_get_verify_result (ssl) throws the error 19, which translates to:
>
>    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
>
> I presume openssl now defaults to refusing to deal with self-signed certificates due to the well known problems associated with them.

No, it will accept a self signed certificate. It just won't accept an untrusted chain.

> Is there a function I can call that will allow self-signed certificates in my program for the purposes of testing?

You need to add the root CA (in this case the self signed certificate) to the set of trusted certificates.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
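Both the earlier question about O, OU and CN for a root CA versus a server certificate and Steve's answer here can be worked through end to end with the openssl command line. The script below is an added example, not code from any of the posters; it assumes a reasonably current openssl binary in PATH (the `x509 -req` / `-signkey` / `-extfile` forms have been stable since 1.0), and every organization name, CN, and file name in it is made up. It builds the two certificates with distinct subjects, then verifies the server certificate three ways to show exactly when error 19 appears.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a self-signed root CA and a server
# certificate signed by it, with distinct subjects, then verifies the server
# certificate three ways to show what "error 19" means. Assumes a current
# openssl in PATH; all names and paths below are made up.

make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA request: O can match the server's, but CN names the CA, not a host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/OU=Security Engineering/CN=Example Corp Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    # Self-sign it; CA:TRUE and keyCertSign are what make it usable as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/root.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null
    # Server request: same O, a different OU, and CN set to the server's DNS name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/OU=Web Services/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign it with the root. Clients match the host name against the SAN, not
    # the CN, so add one; CA:FALSE stops the leaf from issuing certificates.
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Print the CN of a certificate (RFC 2253 ordering puts CN first).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Run `openssl verify` with the given options on a certificate and print the
# X509_V_ERR_* number it reports, or 0 when the chain verifies. The output text
# is parsed rather than the exit status because old releases always exit 0.
verify_code() {
    cert="$1"; shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

main() {
    dir=$(mktemp -d)
    make_pki "$dir"
    echo "root CN:   $(cert_cn "$dir/root.pem")"
    echo "server CN: $(cert_cn "$dir/server.pem")"
    # No issuer available at all: 20, unable to get local issuer certificate.
    echo "no root given:          error $(verify_code "$dir/server.pem")"
    # Root supplied only as an untrusted chain certificate: 19, the error from
    # the thread, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
    echo "root as untrusted:      error $(verify_code "$dir/server.pem" -untrusted "$dir/root.pem")"
    # Root in the trusted set: 0. In a program this is SSL_CTX_load_verify_locations().
    echo "root as trusted CAfile: error $(verify_code "$dir/server.pem" -CAfile "$dir/root.pem")"
    rm -rf "$dir"
}

main
```

The three verify calls map directly onto Steve's explanation: without the root the verifier cannot build a chain (error 20); with the root supplied only as an untrusted chain certificate it builds the chain but refuses the self-signed top (error 19); with the root in the trusted set it verifies. The -subj options stand in for the openssl.cnf prompts the CA script uses, and they show the usual convention: the root's CN names the CA, the server's CN (and SAN) is its host name, O may be shared, OU usually differs. Making the verify callback return 1 on error 19, as the other reply suggests, makes the program accept any self-signed root whatsoever, so keep that to test builds and add the root to the trust store in anything that ships.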
SSL_read SSL_write and retry
Hi there,

I've been trying to figure out the correct way to use SSL_read and SSL_write with retry and auto retry mode, etc. I'm a little confused.

I've got a program that uses blocking sockets, and select (I only use select to check for readability of sockets). When select wakes up indicating there is data to be read, I pull a thread from a thread pool and call SSL_read.

Am I correct in assuming that each time SSL_read succeeds (return value > 0), then the data read is application data? And if SSL_read returns <= 0, it is an error? And if <= 0, check if SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE is the error, in which case I need to retry the read? And if I do get one of these errors, should I immediately reissue the SSL_read, or should I do a select again and wait until there is actual data to be read? I'm guessing the latter since the former may result in the call blocking, and the thread would be tied up which could eventually lead to all my threads in the pool being blocked. Does this sound right?

If I get SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE after a call to SSL_write(), can I simply reissue the SSL_write() immediately? Is there any harm in this? It wouldn't block like SSL_read() might, would it?

Also, I've set the SSL_MODE_AUTO_RETRY flag on the SSL_CTX, but when I call SSL_write(), I still seem to get the SSL_ERROR_WANT_WRITE error. I thought that if I used this flag, I wouldn't have to worry about retrying? And if I use this flag, I would still be susceptible to blocking indefinitely in SSL_read(), wouldn't I?

Sorry for all the questions. I hope I was clear in explaining what I'm unclear of. Thanks for any info or help you can provide me.

Regards,
Ed