RE: Converting RSA to EVP_pkey
Hello,

> is this the best way to do it ?
>
> EVP_PKEY *pkey = EVP_PKEY_new();
> EVP_PKEY_assign_RSA(pkey, rsa);
>
> thanks !

I think this is one of the most "proper" ways :-)

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: Converting RSA to EVP_pkey
is this the best way to do it ?

    EVP_PKEY *pkey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pkey, rsa);

thanks !

> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Subject: RE: Converting RSA to EVP_pkey
> Date: Thu, 26 Jul 2007 16:16:36 -0700
>
> Thanks Marek, so then how do I convert RSA to EVP_pkey ?
>
> > Subject: Re: Converting RSA to EVP_pkey
> > From: [EMAIL PROTECTED]
> > To: openssl-users@openssl.org
> > Date: Fri, 27 Jul 2007 01:09:59 +0200
> >
> > Hello,
> >
> > > 2) I was looking and found this d2i_RSAPrivateKey. From what it looks
> > > like, this doesn't seem to be what I want. and I was wondering when
> > > what does this convert to and from.
> >
> > This function converts from DER format to INTERNAL format (RSA).
> >
> > Best regards.
> > --
> > Marek Marcola
RE: Converting RSA to EVP_pkey
Thanks Marek, so then how do I convert RSA to EVP_pkey ?

> Subject: Re: Converting RSA to EVP_pkey
> From: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Date: Fri, 27 Jul 2007 01:09:59 +0200
>
> Hello,
>
> > 2) I was looking and found this d2i_RSAPrivateKey. From what it looks
> > like, this doesn't seem to be what I want. and I was wondering when
> > what does this convert to and from.
>
> This function converts from DER format to INTERNAL format (RSA).
>
> Best regards.
> --
> Marek Marcola <[EMAIL PROTECTED]>
Re: Converting RSA to EVP_pkey
Hello,

> 2) I was looking and found this d2i_RSAPrivateKey. From what it looks
> like, this doesn't seem to be what I want. and I was wondering when
> what does this convert to and from.

This function converts from DER format to INTERNAL format (RSA).

Best regards.
--
Marek Marcola <[EMAIL PROTECTED]>
Converting RSA to EVP_pkey
Hi,

I have a RSA * to a private key and want to convert it to an EVP_pkey.

1) Is there a way to convert from RSA to EVP_pkey? Would the following function be the right candidate to do the job?

    EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);

Also, what if there's no password? Do I still need the calls to be registered, in case I don't want to be prompted for a password?

2) I was looking and found this d2i_RSAPrivateKey. From what it looks like, this doesn't seem to be what I want. and I was wondering when what does this convert to and from.

thanks !
Re: Puzzling 50ms delay between SSL_write and poll response
50 ms is a common standalone ACK timer, so if one had a second or Nth small send, it might have been waiting (via Nagle) for the remote's standalone ACK before being transmitted.

Some folks like to simply switch off Nagle, I prefer to try to get folks to send logically associated data to the transport in one send call.

rick jones
Re: Puzzling 50ms delay between SSL_write and poll response
David Lobron wrote:

> 2007-07-26 20:18:04.375 [3317] GS: Got response from sendDataPending
> 2007-07-26 20:18:04.376 [3317] GS: Calling poll with timeout 6
> 2007-07-26 20:18:04.376 [3317] GS: Checking poll results
> 2007-07-26 20:18:04.376 [3317] GS: calling SSL_write on buffer of length 1281
> 2007-07-26 20:18:04.376 [3317] GS: done with SSL_write
> 2007-07-26 20:18:04.376 [3317] Called advanceSendBuffer:len
> 2007-07-26 20:18:04.377 [3317] GS: Calling poll with timeout 6
> 2007-07-26 20:18:04.426 [3317] GS: Checking poll results <- 50ms delay occurs here
> 2007-07-26 20:18:04.426 [3317] GS: calling SSL_read
> 2007-07-26 20:18:04.427 [3317] GS: done with SSL_read, len = 142, text = GET

And if you run tcpdump on the TCP packets, does it also agree there is a 50ms delay ? which end is causing the delay ?

If I understand correctly the delay seems to be just after you wrote your HTTP headers and content body, so this would include network propagation delay and processing at the far end.

Darryl
Re: Puzzling 50ms delay between SSL_write and poll response
Thank you for the quick reply, and apologies for my less-than-clear message: let me give more details. I am poll-ing with a timeout of 60 seconds, and SSL_write is returning a positive number of bytes read each time through (we always find data well before the timeout). The server logs for the part of the session with the 50ms delay look like this:

    2007-07-26 20:18:04.375 [3317] GS: Got response from sendDataPending
    2007-07-26 20:18:04.376 [3317] GS: Calling poll with timeout 6
    2007-07-26 20:18:04.376 [3317] GS: Checking poll results
    2007-07-26 20:18:04.376 [3317] GS: calling SSL_write on buffer of length 1281
    2007-07-26 20:18:04.376 [3317] GS: done with SSL_write
    2007-07-26 20:18:04.376 [3317] Called advanceSendBuffer:len
    2007-07-26 20:18:04.377 [3317] GS: Calling poll with timeout 6
    2007-07-26 20:18:04.426 [3317] GS: Checking poll results <- 50ms delay occurs here
    2007-07-26 20:18:04.426 [3317] GS: calling SSL_read
    2007-07-26 20:18:04.427 [3317] GS: done with SSL_read, len = 142, text = GET

The sendDataPending function tells us that we have more data to send. In the first "calling poll" iteration above, we're calling poll for both read and write. In the second call to poll, we're only polling for readability, having sent our entire data buffer, so this is the point where we are awaiting more data.

The client code (Objective-C) is:

    NSLog(@"DEBUG: 2");
    if( curl_easy_perform(myhandle) == 0 ) {
        NSLog(@"DEBUG: 3");

I enabled libcurl's verbose mode in the client, and it recorded this transaction as follows (timestamps should match, since it's the same machine):

    2007-07-26 20:18:04.363 fpbridge[21199] DEBUG: 2
    * Re-using existing connection! (#0) with host 127.0.0.1
    * Connected to 127.0.0.1 (127.0.0.1) port 8443
    > GET /filename HTTP/1.1
    Host: 127.0.0.1:8443
    Pragma: no-cache
    Accept: */*
    < HTTP/1.1 200 OK
    < Content-type: application/x-troff; charset=utf-8
    < Content-length: 1281
    * Connection #0 to host 127.0.0.1 left intact
    2007-07-26 20:18:04.413 fpbridge[21199] DEBUG: 3

In other words, the server's final SSL_write happens at 20:18:04.376, but the client does not return from curl_easy_perform until 20:18:04.413. My question is: why would it take so long to transfer that 1281 bytes of data between two processes on the same machine, even when I'm reusing the same SSL connection? What happens between the call to SSL_write and the point where the client receives the 200 OK message? The error may of course be on the client side, but I just wanted to see if there is any debugging I could do on my SSL_write call.

Thank you!

On Jul 26, 2007, at 3:38 PM, David Schwartz wrote:

> > I have a Linux server application that calls SSL_write in a loop, and
> > polls the underlying socket using the poll(2) system call. In the
> > loop, the first few calls to poll return immediately with data on the
> > socket, but I'm finding that the last call to poll always takes about
> > 50ms before poll returns. I am setting O_NONBLOCK on the socket
> > using fcntl when I first initialize it, so I know it's in
> > non-blocking mode. Is there anything else that could cause a poll not to
> > immediately find readable data on a socket to which I've written
> > using SSL_write? Note that I confirmed via log message that the
> > SSL_write operation completes before I call poll.
>
> It's hard to understand your issue. You don't tell us if you're 'poll'ing just for readability and what response you got from SSL_write. You don't tell us what timeout you pass to 'poll'. So this response includes a lot of guessing.
>
> Presumably, 'poll' is not returning because there is no data. Presumably there is no data because the other side hasn't sent any. This could be because the other side isn't supposed to (for example, it may be waiting for the other side to send protocol data) or it could be because there's a problem with the other side.
>
> DS
Re: double free or corruption (!prev) in CRYPTO_free()?
Prabhu S wrote:

> Hi David,
>
> I enabled the debug flags in the OpenSSL makefiles and recompiled for the libraries.
> The stack trace obtained is as follows:
>
> #0 0x4402 in __kernel_vsyscall ()
> #1 0x001fc1f8 in raise () from /lib/libc.so.6
> #2 0x001fd948 in abort () from /lib/libc.so.6
> #3 0x0023152a in __libc_message () from /lib/libc.so.6
> #4 0x00237424 in _int_free () from /lib/libc.so.6
> #5 0x0023795f in free () from /lib/libc.so.6
> #6 0x4057b602 in CRYPTO_free (str=0x640f9c38) at mem.c:378
> #7 0x405e64f5 in ERR_clear_error () at err.c:722
> #8 0x403999ad in ssl3_connect (s=0x63e384c8) at s3_clnt.c:169
> #9 0x403b06ac in SSL_connect (s=0x63e384c8) at ssl_lib.c:850
>
> Does it indicate an OpenSSL problem? I have dug through the application code and so far it appears to be clean.

It only indicates that OpenSSL was the user freeing the memory at the time glibc detected a problem.

Glibc's detection of these problems is not foolproof, maybe you should look at valgrind (but don't forget to compile OpenSSL with -DPURIFY) before using the package.

Darryl
RE: Puzzling 50ms delay between SSL_write and poll response
> I have a Linux server application that calls SSL_write in a loop, and
> polls the underlying socket using the poll(2) system call. In the
> loop, the first few calls to poll return immediately with data on the
> socket, but I'm finding that the last call to poll always takes about
> 50ms before poll returns. I am setting O_NONBLOCK on the socket
> using fcntl when I first initialize it, so I know it's in
> non-blocking mode. Is there anything else that could cause a poll not to
> immediately find readable data on a socket to which I've written
> using SSL_write? Note that I confirmed via log message that the
> SSL_write operation completes before I call poll.

It's hard to understand your issue. You don't tell us if you're 'poll'ing just for readability and what response you got from SSL_write. You don't tell us what timeout you pass to 'poll'. So this response includes a lot of guessing.

Presumably, 'poll' is not returning because there is no data. Presumably there is no data because the other side hasn't sent any. This could be because the other side isn't supposed to (for example, it may be waiting for the other side to send protocol data) or it could be because there's a problem with the other side.

DS
TLS: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable ssl/t1_enc.c:461 on Solaris 11
TLS: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable ../../../../common/openssl/ssl/t1_enc.c:461

A little history:

I have compiled openssl version 0.9.8e on Sun v420 system running opensolaris (version 11). I used the gcc 3.4.3 compiler loaded in /usr/sfw/bin.

I then compiled openldap, the latest stable edition from openldap.org, using --L/usr/local/ssl/lib -R/usr/local/ssl/lib to link in the openssl libraries.

I created a CA and self signed server certificates for TLS, using

    /usr/local/ssl/bin/openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3652 -config openssl.cnf
    /usr/local/ssl/bin/openssl req -new -x509 -nodes -keyout newreq.pem -out newreq.pem -days 3652 -config openssl.cnf
    /usr/local/ssl/bin/openssl -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.req
    /usr/local/ssl/bin/openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

All works fine.

I set up openldap properly with the certs by copying into the correct directory and with the correct permissions, and set up slapd.conf with the following entries:

    TLSCipherSuite HIGH:MEDIUM:+TLSv1:+SSLv2:+SSLv3
    TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
    TLSCertificateFile /usr/local/etc/openldap/server_cert.pem
    TLSCertificateKeyFile /usr/local/etc/openldap/server_key.pem

Slapd starts up successfully using

    /usr/local/libexec/slapd -d10 -u ldap -h "ldap:/// ldaps:///"

Now the openssl questions:

I run

    /usr/local/ssl/bin/openssl s_client -connect localhost:636 -showcerts

and get the error above: TLS1_SETUP_KEY_BLOCK cipher or hash unavailable

BUT ... if I use the openssl that came with Solaris 11

    /usr/sfw/bin/openssl -connect localhost:636

this works properly without error...

Question 1: is this a known issue with 0.9.8e ???
Question 2: Is there an official patch available that fixes this problem ???
Question 3: If not, is there a known workaround to the problem ???

Any help would be appreciated.

As an aside, someone did mention that there was an unofficial patch: Victor Duchovni posted a patch on 01/31/07 to this list.

Thanks

james
Constraints on the length of certificate subject DN
Hello,

Does OpenSSL put length constraints on the length of subject DN of X.509 certificate? If not, what is the maximum length of the subject DN string?

Thanks in advance,
Arsen.
Puzzling 50ms delay between SSL_write and poll response
Hello All-

I have a Linux server application that calls SSL_write in a loop, and polls the underlying socket using the poll(2) system call. In the loop, the first few calls to poll return immediately with data on the socket, but I'm finding that the last call to poll always takes about 50ms before poll returns. I am setting O_NONBLOCK on the socket using fcntl when I first initialize it, so I know it's in non-blocking mode. Is there anything else that could cause a poll not to immediately find readable data on a socket to which I've written using SSL_write? Note that I confirmed via log message that the SSL_write operation completes before I call poll.

Thank you,
David
Re: decoding ASN1 OCTET STRING
Please look at the code I released a few weeks ago that will show you how to decode just such a thing. I sent it out on the openssl-users mailing list.

Peace,
Chuck Wegrzyn

On 7/26/07, edkulus <[EMAIL PROTECTED]> wrote:

> Hi All,
>
> I have the following piece of code, that I use for reading the contents of X.509 extensions:
>
>     X509 *cert = NULL;
>     X509_EXTENSION *extension;
>     ASN1_OCTET_STRING *extdata;
>     char *extname;
>     int i;
>
>     for (i = 0; i < X509_get_ext_count(cert); i++) {
>         extension = X509_get_ext(cert, i);
>         extdata = X509_EXTENSION_get_data(extension);
>         extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
>         ...
>     }
>
> In the above example, the ASN1_OCTET_STRING *extdata is used for storing the extension data. The structure for extdata is the same as for ASN1_STRING (OpenSSL uses the same structure for all ASN.1 strings I believe) so I can access the X.509 extension data through the extdata->data (knowing the data size from extdata->length and the type of the data from extdata->type).
>
> In each parsed extension (generally), in extdata->data I get an encoded string of type (extdata->type) 4, which is V_ASN1_OCTET_STRING. For the purpose of string manipulation, comparison or print-out, this is really useless in its encoded form and needs to be further decoded to a human readable format string (for example) so that I can pass the string to another application or print it out properly.
>
> I looked for BER decoding functions in OpenSSL but really I was able to find only the encoding ones. Even the OpenSSL asn1parse, when I run it, gives only a hexadecimal dump of the OCTET STRING content of each extension.
>
> Is there a way in OpenSSL so that I can decode (unpack) the ASN1_OCTET_STRING string and present it in plain text? Perhaps there are some other libraries, that you are aware of, that could be used for this purpose.
>
> Thanks in advance for your help.
>
> edkulus
decoding ASN1 OCTET STRING
Hi All,

I have the following piece of code, that I use for reading the contents of X.509 extensions:

    X509 *cert = NULL;
    X509_EXTENSION *extension;
    ASN1_OCTET_STRING *extdata;
    char *extname;
    int i;

    for (i = 0; i < X509_get_ext_count(cert); i++) {
        extension = X509_get_ext(cert, i);
        extdata = X509_EXTENSION_get_data(extension);
        extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
        ...
    }

In the above example, the ASN1_OCTET_STRING *extdata is used for storing the extension data. The structure for extdata is the same as for ASN1_STRING (OpenSSL uses the same structure for all ASN.1 strings I believe) so I can access the X.509 extension data through the extdata->data (knowing the data size from extdata->length and the type of the data from extdata->type).

In each parsed extension (generally), in extdata->data I get an encoded string of type (extdata->type) 4, which is V_ASN1_OCTET_STRING. For the purpose of string manipulation, comparison or print-out, this is really useless in its encoded form and needs to be further decoded to a human readable format string (for example) so that I can pass the string to another application or print it out properly.

I looked for BER decoding functions in OpenSSL but really I was able to find only the encoding ones. Even the OpenSSL asn1parse, when I run it, gives only a hexadecimal dump of the OCTET STRING content of each extension.

Is there a way in OpenSSL so that I can decode (unpack) the ASN1_OCTET_STRING string and present it in plain text? Perhaps there are some other libraries, that you are aware of, that could be used for this purpose.

Thanks in advance for your help.

edkulus
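
Added example, not part of the original post and not OpenSSL code: the bytes in extdata->data are themselves a DER encoding of the extension's own ASN.1 type, so making them readable means walking that inner TLV structure with every length checked against the buffer. The helper names (der_read_tlv, put, der_render) and the sample subjectAltName bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct der_tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Parse one TLV at p (n bytes available). Returns header+content size, or 0
 * if the input is truncated, non-minimal, or not definite-length DER. */
static size_t der_read_tlv(const unsigned char *p, size_t n, struct der_tlv *t)
{
    size_t hdr = 2, len, k, i;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;    /* multi-byte tags unsupported */
    len = p[1];
    if (len & 0x80) {                       /* long form: k length bytes follow */
        k = len & 0x7f;                     /* k == 0 would be BER indefinite length */
        if (k == 0 || k > sizeof(size_t) || n - 2 < k) return 0;
        for (len = 0, i = 0; i < k; i++)
            len = (len << 8) | p[2 + i];
        if (p[2] == 0 || len < 0x80) return 0;       /* DER needs the shortest form */
        hdr += k;
    }
    if (len > n - hdr) return 0;            /* content must lie inside the buffer */
    t->tag = p[0]; t->val = p + hdr; t->len = len;
    return hdr + len;
}

/* Bounded append to the NUL-terminated string in out (capacity cap). */
static int put(char *out, size_t cap, const char *s)
{
    size_t used = strlen(out), k = strlen(s);
    if (k >= cap - used) return -1;
    memcpy(out + used, s, k + 1);
    return 0;
}

/* Render each element of p[0..n): constructed types recurse, string-like
 * types print as text when printable ASCII, everything else as hex. */
static int der_render(const unsigned char *p, size_t n, int depth, char *out, size_t cap)
{
    const unsigned char *start = p;
    struct der_tlv t;
    size_t used, i;
    char tmp[16];
    for (; n > 0; p += used, n -= used) {
        int ctx = (p[0] & 0xc0) == 0x80;    /* context class, e.g. GeneralName [2] */
        int text = ctx || p[0] == 0x0c || p[0] == 0x13 || p[0] == 0x16;
        if (depth > 16 || (used = der_read_tlv(p, n, &t)) == 0) return -1;
        snprintf(tmp, sizeof tmp, ctx ? "[%u]" : "%02x", ctx ? t.tag & 0x1fu : t.tag);
        if ((p != start && put(out, cap, ",")) || put(out, cap, tmp)) return -1;
        if (t.tag & 0x20) {                 /* constructed: contents are more TLVs */
            if (put(out, cap, "{") || der_render(t.val, t.len, depth + 1, out, cap)
                || put(out, cap, "}")) return -1;
            continue;
        }
        for (i = 0; i < t.len; i++)
            if (t.val[i] < 0x20 || t.val[i] > 0x7e || t.val[i] == '"') text = 0;
        if (put(out, cap, text ? "\"" : ":")) return -1;
        for (i = 0; i < t.len; i++) {
            snprintf(tmp, sizeof tmp, text ? "%c" : "%02x", t.val[i]);
            if (put(out, cap, tmp)) return -1;
        }
        if (text && put(out, cap, "\"")) return -1;
    }
    return 0;
}

/* Constructed sample: a subjectAltName value holding two dNSName entries,
 * i.e. what extdata->data / extdata->length would hold for that extension. */
static const unsigned char SAN_SAMPLE[] =
    "\x30\x1e\x82\x0b" "example.com" "\x82\x0f" "www.example.com";

int main(void)
{
    char out[128] = "";
    if (der_render(SAN_SAMPLE, sizeof SAN_SAMPLE - 1, 0, out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

Pass extdata->data and extdata->length as p and n with an empty, NUL-terminated output buffer; a return of -1 means the value was malformed, nested too deeply, or did not fit in the buffer.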
OpenSSL Timestamping
Hi all!

In the openssl documentation I found the command "ts" for timestamping actions. Trying this command with my openssl 0.9.8e I was told that this is an unknown command. Now I am wondering if the documentation may be some kind of too up to date - what is normally not the case with docs - or if it is just a joke.

Who can tell me more about openssl and timestamping?

Best regards
Thomas
Re: double free or corruption (!prev) in CRYPTO_free()?
On Thu, Jul 26, 2007, Prabhu S wrote:

> Hi David,
>
> I enabled the debug flags in the OpenSSL makefiles and recompiled for the
> libraries.
> The stack trace obtained is as follows:
>
> #0 0x4402 in __kernel_vsyscall ()
> #1 0x001fc1f8 in raise () from /lib/libc.so.6
> #2 0x001fd948 in abort () from /lib/libc.so.6
> #3 0x0023152a in __libc_message () from /lib/libc.so.6
> #4 0x00237424 in _int_free () from /lib/libc.so.6
> #5 0x0023795f in free () from /lib/libc.so.6
> #6 0x4057b602 in CRYPTO_free (str=0x640f9c38) at mem.c:378
> #7 0x405e64f5 in ERR_clear_error () at err.c:722
> #8 0x403999ad in ssl3_connect (s=0x63e384c8) at s3_clnt.c:169
> #9 0x403b06ac in SSL_connect (s=0x63e384c8) at ssl_lib.c:850
>
> Does it indicate an OpenSSL problem? I have dug through the application code
> and so far it appears to be clean.
>

It isn't immediately clear if that is an OpenSSL problem or not.

The error code makes extensive use of locks and thread IDs. If there is a problem with either the locking callbacks or the thread ID callback then that could cause this problem.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: double free or corruption (!prev) in CRYPTO_free()?
Hi David,

I enabled the debug flags in the OpenSSL makefiles and recompiled for the libraries.
The stack trace obtained is as follows:

    #0 0x4402 in __kernel_vsyscall ()
    #1 0x001fc1f8 in raise () from /lib/libc.so.6
    #2 0x001fd948 in abort () from /lib/libc.so.6
    #3 0x0023152a in __libc_message () from /lib/libc.so.6
    #4 0x00237424 in _int_free () from /lib/libc.so.6
    #5 0x0023795f in free () from /lib/libc.so.6
    #6 0x4057b602 in CRYPTO_free (str=0x640f9c38) at mem.c:378
    #7 0x405e64f5 in ERR_clear_error () at err.c:722
    #8 0x403999ad in ssl3_connect (s=0x63e384c8) at s3_clnt.c:169
    #9 0x403b06ac in SSL_connect (s=0x63e384c8) at ssl_lib.c:850

Does it indicate an OpenSSL problem? I have dug through the application code and so far it appears to be clean.

Thanks,
Prabhu. S

On 7/25/07, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:

> On Wed, Jul 25, 2007, Prabhu S wrote:
>
> > Hi,
> >
> > I have a SSL enabled client application.
> > The client connects to the server with which it shares no common ciphers.
> > When 200 or more simultaneous connections are made the application crashes.
> > The backtrace indicates double free or corruption (!prev) in CRYPTO_free().
> > However when there are common shared ciphers between the client and server
> > there are no issues.
> >
> > #0 0x4402 in __kernel_vsyscall ()
> > #1 0x001fc1f8 in raise () from /lib/libc.so.6
> > #2 0x001fd948 in abort () from /lib/libc.so.6
> > #3 0x0023152a in __libc_message () from /lib/libc.so.6
> > #4 0x00237424 in _int_free () from /lib/libc.so.6
> > #5 0x0023795f in free () from /lib/libc.so.6
> > #6 0x4056e6fa in CRYPTO_free () from ../lib/libcrypto.so.0.9.8
> >
> > The client uses libcrypto.so.0.9.8.
> >
> > Are there any known issues in libcrypto.so.0.9.8?
> > What's baffling me is there are no issues in successful handshakes but
> > the application quite immediately crashes with failed handshakes.
> >
> > The way the client handles cleanup is the same for both the cases.
> > Simultaneous connections are achieved by creating threads, one thread for
> > every connection.
> > But the CTX and SSL objects are all different for each thread.
> >
>
> That isn't necessarily a problem with OpenSSL. Application error could have a similar effect.
>
> Does the stack trace go any further than that? Debugging symbols would help then we'd know which function had called CRYPTO_free() though it might be the first one that is the culprit.
>
> Steve.