Documentation source for using Engines
Hi All, Please provide the links/docs/papers/tutorials about how things can be done with OpenSSL. Though API's docs are there but I am not able to find a learning tutorial. Thanks in advance, Navin
Why no PRNG not seeded error
I'm using ssl (openssl-0.9.7m) as part of AXIS C++. I just spent a week trying
to figure out why I couldn't use https (via openssl) to connect on only some of
our systems. After rebuilding our copy of OpenSSL for debug and trapping
through it, I found that ssleay_rand_bytes() was setting the
RAND_R_PRNG_NOT_SEEDED error, then ssleay_rand_pseudo_bytes() (who called
ssleay_rand_bytes was clearing it off the error stack and all I was getting on
my SSL_Connect() was a return code of -1, and an error string of
:lib(0):func(0):reason(0). It would really be nice if we could get
the right error.
What am I missing here?
The code basically does:
int ret = SSL_connect( m_sslHandle);
// 1 is fine
// 0 is not successful but was shut down controlled
// 0 is handshake was not successful, because a fatal error occurred
if( ret = 0)
{
...
switch( ret)
{
case SSL_ERROR_NONE:// this is not an error
case SSL_ERROR_ZERO_RETURN:// no more data
return;
...
case SSL_ERROR_SSL:
// A failure in the SSL library occurred, usually a protocol error. The
// OpenSSL error queue contains more information on the error.
default:
// openssl/ssl.h says look at error stack/return value/errno
{
// A failure in the SSL library occurred, usually a protocol error.
The
// OpenSSL error queue contains more information on the error.
m_Last Error = OpenSSL error is + std::string(ret) + Error
stack:\n;
while ((sslerror = ERR_get_error()) != 0)
{
ERR_error_string(sslerror , error_buffer);
m_Last Error += std::string(error_buffer) + \n;
}
}
}
Thanks for the help.
Wayne Johnson
Senior Software Engineer
MQSoftware, Inc.
1660 S Highway 100
Minneapolis, MN 55416
(952) 345-8628
test
this is only a test to see if I can post. please ignore this. This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
newbie installation problem - Makefile.org not found
I've downloaded openssl-0.9.8e and tried to run ./config, but got this error message: unable to read Makefile.org:A file or directory in the path name does not exist. I searched the directory and did not find Makefile.org. Is it missing from my download? I downloaded some earlier versions and still have the same problem. Please help! This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
RSA and DH
Hi, I am a newbie to SSL as well as RSA security etc. However read quite a bit of books and on the net. But one thing flew over my head. Pl. see if any can help me understand the following. Suppose server and client used RSA based private/public key pairs. I understood that these would be used to authenticate each other. Leaving DSA totally aside, considering only RSA alone, I did not fully understand what DH params are being used for in such communication. There is some explanation about DH params need in terms of key exchange etc, but did not follow. Looked around quite a bit, but not found a clear/direct answer. The article at http://support.microsoft.com/kb/257591 tries to explain somewhat but is at very high level and does not even mention DH params by name at all. My vague understanding is that, though RSA based private/public key pair is useful for authentication, but there still appears to be a need to generate (symmetric ones ?) some keys for encryption on a session by session basis. It appears that either temporary RSA keys (not used it seems to due to some security violations. OK , fine) and DH params can be used. This is thing went over my head. I did not understand - why is there a need for generating session to session keys
OpenSSL/DH params
Sorry, prematurely sent earlier. Sending it again ... Hi, I am a newbie to SSL as well as RSA security etc. However read quite a bit of books and on the net. But one thing flew over my head. Pl. see if anyone can help me understand the following. Suppose server and client used RSA based private/public key pairs. I understood that these would be used to authenticate each other. Leaving DSA totally aside, considering only RSA alone, I did not fully understand what DH params are being used for in such communication. There is some explanation about DH params need in terms of key exchange etc, but did not follow what this key exchange does or means. Looked around quite a bit, but not found a clear/direct answer. The article at http://support.microsoft.com/kb/257591 tries to explain somewhat but is at very high level and does not even mention DH params by name at all. My vague understanding is that, though RSA based private/public key pair is useful for authentication, but there still appears to be a need to generate (symmetric ones ?) some keys for encryption on a session by session basis. It appears that either temporary RSA keys (not used it seems to due to some security violations. OK , fine) or DH params can be used. This is the thing went over my head. I did not understand - why is there a need for generating session to session keys ? Guess, session needs to be encrypted. Why cann't we use the key pair we already have? Guess, to provide what I read as forward secrecy. Fine - But how is DH params helping to create these session keys? Is this what is pre-master, master key thing referred in the http://support.microsoft.com/kb/257591 article. Any explanation on how/what DH params doing in RSA based private/public key based SSL connection would be greatly appreciated. regards jackie PS: BTW, did not know how to look for responses. Is there a mail group I go to check emails or do I get a email directly (hopefully :)
RE: OpenSSL/DH params
DH is used for the Key Agreement or Key Exchange. Here is another article - by cisco - that is more detailed. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.h tml From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jackie jackie Sent: Friday, June 22, 2007 3:28 PM To: openssl-users@openssl.org Subject: OpenSSL/DH params Sorry, prematurely sent earlier. Sending it again ... Hi, I am a newbie to SSL as well as RSA security etc. However read quite a bit of books and on the net. But one thing flew over my head. Pl. see if anyone can help me understand the following. Suppose server and client used RSA based private/public key pairs. I understood that these would be used to authenticate each other. Leaving DSA totally aside, considering only RSA alone, I did not fully understand what DH params are being used for in such communication. There is some explanation about DH params need in terms of key exchange etc, but did not follow what this key exchange does or means. Looked around quite a bit, but not found a clear/direct answer. The article at http://support.microsoft.com/kb/257591 tries to explain somewhat but is at very high level and does not even mention DH params by name at all. My vague understanding is that, though RSA based private/public key pair is useful for authentication, but there still appears to be a need to generate (symmetric ones ?) some keys for encryption on a session by session basis. It appears that either temporary RSA keys (not used it seems to due to some security violations. OK , fine) or DH params can be used. This is the thing went over my head. I did not understand - why is there a need for generating session to session keys ? Guess, session needs to be encrypted. Why cann't we use the key pair we already have? Guess, to provide what I read as forward secrecy. Fine - But how is DH params helping to create these session keys? Is this what is pre-master, master key thing referred in the http://support.microsoft.com/kb/257591 article. Any explanation on how/what DH params doing in RSA based private/public key based SSL connection would be greatly appreciated. regards jackie PS: BTW, did not know how to look for responses. Is there a mail group I go to check emails or do I get a email directly (hopefully :)
Server not getting client's certificate...
I am having a problem with my program. I have a client - server
application where both sides need to see the other sides certificate. On
the server, when I do a SSL_get_peer_certificate(ssl) I get nothing
returned.
From a trace of the client I see this happening:
LOOP: SSL connect: before/connect initialization
LOOP: SSL connect: SSLv2/v3 write client hello A
LOOP: SSL connect: SSLv3 read server hello A
LOOP: SSL connect: SSLv3 read server certificate A
LOOP: SSL connect: SSLv3 read server done A
LOOP: SSL connect: SSLv3 write client key exchange A
LOOP: SSL connect: SSLv3 write change cipher spec A
LOOP: SSL connect: SSLv3 write finished A
LOOP: SSL connect: SSLv3 flush data
LOOP: SSL connect: SSLv3 read finished A
INFO: SSL connect: SSL negotiation finished successfully
Which looks like the client sent it over. On the server side I see this:
LOOP: SSL accept: before/accept initialization
LOOP: SSL accept: SSLv3 read client hello A
LOOP: SSL accept: SSLv3 write server hello A
LOOP: SSL accept: SSLv3 write certificate A
LOOP: SSL accept: SSLv3 write server done A
LOOP: SSL accept: SSLv3 flush data
INFO: SSL accept: SSLv3 read client certificate A
INFO: SSL accept: SSLv3 read client certificate A
LOOP: SSL accept: SSLv3 read client key exchange A
LOOP: SSL accept: SSLv3 read finished A
LOOP: SSL accept: SSLv3 write change cipher spec A
LOOP: SSL accept: SSLv3 write finished A
LOOP: SSL accept: SSLv3 flush data
INFO: SSL accept: SSL negotiation finished successfully
Which seems to indicate the server got it.
One other thing that is strange, if I set SSL.VERIFY_PEER |
SSL.VERIFY_FAIL_IF_NO_PEER_CERT I get this error thrown back in the server:
BIO.BIOError: (19, 'no certificate returned')
On the client side of the equation I setup my SSL context and do a
SSL_CTX_use_certificate and SSL_CTX_use_privkey. The calls return
success (I follow it up with a SSL_CTX_check_privkey just to make sure
the private key and the cert are matched up).
Here is the client side code (in Python)
ctx = SSL.Context()
if ctx.load_verify_locations('cacert.pem') != 1:
raise Exception('CA certificates not loaded')
ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 9)
ctx.load_cert('client.pem',keyfile='client-key.pem',callback=zzz)
The server side code (also in python) is:
ctx = SSL.Context()
getCertListAsX509Store(ctx.get_cert_store())
ctx.set_allow_unknown_ca(False)
ctx.set_verify(SSL.verify_peer+SSL.verify_fail_if_no_peer_cert,9)
ssl_ctx_use_x509(ctx.ctx,CA.TSRootCertificate._ptr())
ssl_ctx_use_pkey_privkey(ctx.ctx,CA.TSRootPKey._ptr())
I was wondering if any one can see anything obvious that I am doing wrong.
Thanks in advance,
Chaz
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
How to change mode from Blocking to Non-blocking
Hi, I am working on an application which currently uses Blocking I/O. At SSL_connect, my client waits for a long time till the SSL connection is established. I would like to change my I/O to non-blocking mode. Can you tell me the steps to follow for the same ? Thanks, Rahul Rahul Malegaonkar College Intern Product Development [EMAIL PROTECTED] Phone :1-4089023770 Mobile :1-2152751701 771 Alder Drive MILPITAS CA - 95035 United States www.cisco.com http://www.cisco.com/ This e-mail may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply e-mail and delete all copies of this message. spacer.giffooterHead.giffooter.gif
