Problem after removing memory leak

2008-04-02 Thread Wockenfuß , Frank
Hi all,

I have written a class in C++ to easily access functions from OpenSSL from our 
products.
In the constructor of my class I do the following lines of code:

threadSetup();

OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_algorithms();

ERR_load_PKCS7_strings();
ERR_load_X509_strings();
ERR_load_crypto_strings();
ERR_load_ERR_strings();

RAND_seed( rnd_seed, sizeof(rnd_seed) );

ENGINE_load_builtin_engines();

In the destructor I do the following:

ENGINE_cleanup();
RAND_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
threadCleanUp();

This leads to a memory leak, because of the OpenSSL_add_all_...-functions in 
the constructor. In the online manual I've read that I need to call 

EVP_cleanup();

in the destructor too. So if I do this all memory leaks are gone, but the 
function

X509_verify_cert()

fails with the error 'certificate signature failure '.
If I remove the EVP_cleanup() from the destructor the function works as fine as 
it should work.

Could please anyone give me a hint what could be wrong?
The destructor is called at least once before the constructor is called again 
and X509_verify_cert is called.

Thanks in advance.

Frank Wockenfuß
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: What scenario will cause openssl can't send client hello request?

2008-04-02 Thread Javen Cao
Dears,

I am using libcurl to perform http and https request. We have traced the
log from libcurl. It also  an debug callback function to openssl.
-
== Info: About to connect() to 10.64.12.55 port 443
== Info:   Trying 10.64.12.55... == Info: connected
== Info: Connected to 10.64.12.55 (10.64.12.55) port 443
== Info: successfully set certificate verify locations:
== Info:   CAfile: D:\Source\CA.cer
  CApath: none
== Info: SSLv3, TLS handshake, Client hello (1):
= Send SSL data, zd bytes (0xzx)
zx: ...]..G..Z)4U_9s.._..WBz ..~6.9.8.5...3.2./...f.
zx: c.b.a...e.d.`
== Info: Unknown SSL protocol error in connection to 10.64.12.55:443
== Info: Closing connection #0

It seems that the client has sent the 'client' hello message. So at first we thought
maybe there is something between our client and server that cuts the connection
off. So we used Ethereal to capture the network traffic on port 443. But the
result surprised all of us. Ethereal can't catch anything
but TCP's handshake.
BTW: There is another https server, which also uses openssl, on this
computer. It works in the LAN environment with its client. Its secure channel
works fine. Our server is outside the LAN.

The Unknown SSL protocol error was printed by libcurl; it uses SSL_connect
to set up the secure channel, but SSL_connect returns an error and libcurl
gets nothing when it tries to retrieve a detailed error message from openssl, so it
prints unknown ssl protocol error.


2008/4/2, David Schwartz [EMAIL PROTECTED]:


  Our program that uses openssl can't work normally with
  the 'https' protocol. Then we used ethereal to sniff data on
  port 443 and found that the client doesn't send the client hello
  message to the server after it finishes the tcp handshake. Does anyone
  know about this? BTW: the openssl lib is fine under another
  environment. Does anyone have any idea? Any suggestion and help
  are welcome and greatly appreciated. Thanks.

 You're asking us to find the bug in a program we can't see. All we can do is
 guess.

 FWIW, I once had this exact same problem when I was writing my very first
 piece of code to implement OpenSSL and BIO pairs. The problem was that
 nothing triggered by code to send data on the socket. No data had been
 received on the socket, no data had been sent by the application, so there
 seemed to be no reason to do anything at all.

 Your problem may be a deadlock issue where you are waiting for something to
 happen (on the socket or the application I/O side) and everything else is
 waiting for you to call some OpenSSL function that will trigger the sending
 of the client hello.

 Are you calling into the OpenSSL library? If not, how is the client hello
 going to get sent?! (Some code has to run in order to send any data.) If so,
 what function and what is it returning?

 DS





Re: Problem after removing memory leak

2008-04-02 Thread jimmy bahuleyan

Wockenfuß wrote:

Hi all,

I have written a class in C++ to easily access functions from OpenSSL from our 
products.
In the constructor of my class I do the following lines of code:

threadSetup();

OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_algorithms();

ERR_load_PKCS7_strings();
ERR_load_X509_strings();
ERR_load_crypto_strings();
ERR_load_ERR_strings();

RAND_seed( rnd_seed, sizeof(rnd_seed) );

ENGINE_load_builtin_engines();

In the destructor I do the following:

ENGINE_cleanup();
RAND_cleanup();
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
threadCleanUp();

This leads to a memory leak, because of the OpenSSL_add_all_...-functions in the constructor. In the online manual I've read that I need to call 


EVP_cleanup();

in the destructor too. So if I do this all memory leaks are gone, but the 
function

X509_verify_cert()

fails with the error 'certificate signature failure '.
If I remove the EVP_cleanup() from the destructor the function works as fine as 
it should work.

Could please anyone give me a hint what could be wrong?
The destructor is called at least once before the constructor is called again 
and X509_verify_cert is called.



Ideally these steps should be done once per program life-time; 
constructor steps at start-up, destructor steps at program exit (say in 
an environment where the OS doesn't clean up the program's memory).


Doing it per-object creation is unnecessary and error prone (as maybe 
the case here). I believe it should be possible to do it once per 
program lifetime without changing your C++ class too much.


-jb
--
Real computer scientists don't comment their code.  The identifiers are
so long they can't afford the disk space.


openssl performance

2008-04-02 Thread raj H
Hi Experts,

  OpenSSL 9.8b. We are facing some performance issues with it. I
heard that doing session reuse or using some other ciphers can help improve
the performance significantly.
I would like to know -

1. Is using session reuse with the SSL handshake advisable? I read
somewhere that session reuse with openssl is controversial with memory
usage. It might have some memory leaks. Is that true? What are other issues
with ssl session reuse? Does anyone have any numbers on performance gain with
session reuse?

2. Does changing the cipher used improve performance? We use the default one. Are
there any numbers on this too? I plan to use one of -

SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Thanks for your help!

Raj


Openssl compilation on X86_64 for 32bit

2008-04-02 Thread rajagopal.varadharajan
Hi,
How can I compile openssl for 32-bit on X86_64 Redhat AS4?

I set the CFLAGS=-m32 but this is not updated in the Makefile, if I
modify the Makefile to change -m64 to -m32, then the following libraries
are not compiled and throws error 

#CPUID_OBJ= x86_64cpuid.o
#BN_ASM= x86_64-gcc.o
#RC4_ENC= rc4-x86_64.o
#MD5_ASM_OBJ= md5-x86_64.o

Even if I comment them, make doesn't succeed.

Can any one help?

Cheers
Rajan


Questions about the openssl req option

2008-04-02 Thread Frank Wendel
Hello,

I am developing a program which uses openssl.

It batches the generation of Certificates/Private Key-Pairs.

Here is an example of a (simple) console call:

openssl.exe req -days 3650 -new -keyout example.key -out example.csr -config config.tmp

First question:

When using the option req, is it possible to change the cipher which is used
to encrypt the private key? - The signing digest is changeable (option
-sha1,-md5,.).

(A command-line argument or an entry for the config file would be fine)

My second question:

Is it possible to encrypt a Certificate Request by a password, so that a
Certificate can only be created from that Request with knowing the password?

My third (last) question:

If I omit the option -nodes, the private key file will be encrypted. The
password is asked during the creation progress by openssl. It says Enter
PEM-Passphrase:

Is there a way to deliver the Passphrase via a command-line argument,
instead of entering it during the generation process? I don't want to save the
passphrase on disc in a file (i.e. in the openssl config-file with the
entries

input_password = mysecret

output_password = mysecret

), to increase the security level.

Thank you for your patience and for your very good work!

Kind regards,

Frank Wendel



Re: openssl/crypto/cms/

2008-04-02 Thread Ger Hobbelt
On Wed, Apr 2, 2008 at 5:26 AM, shankar ks [EMAIL PROTECTED] wrote:
 Hi all,

 When i refer to the Openssl CVS, I did not find the file related to
 openssl/crypto/cms/ ,
 All files in this folder are showing the difference , but not the exact
 files... where can i get the cms files. and one more thing is i downloaded
 the OpenSSl kit of 0.9.8f version, but i did not find any files or folders
 with the specified names in the kit, means there is no folder available with
 the name openssl/crypto/cms/...

Like I said, it's in the latest CVS; 0.9.8 is the latest stable
release IIRC, while the CVS I referred to was the development tree
(0.9.9).

Run this to grab it all; there _will_ be a complete crypto/cms/
directory in there plus a cms.c tool sourcecode in apps/ :

   cvs -z3 -d [EMAIL PROTECTED]:/openssl-cvs co -R .



-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--


reg: custom encryption methods

2008-04-02 Thread rama krishna


 Hi all,
 
 I am new to the community. I have a query regarding
 encryption methods in SSL. 
 Is it possible to use some custom-built encryption
 algorithm (apart from those it supports) with SSL?
 If possible, how can we do it?
 
 Thanks
 Ramakrishna.
 
 


  



AW: Problem after removing memory leak

2008-04-02 Thread Wockenfuß , Frank
Thank you for that hint.
I will try to rebuild the class as singleton. This could help, but isn't really 
nice.

Best regards

Frank

 Wockenfuß wrote:
  Hi all,
  
  I have written a class in C++ to easily access functions 
 from OpenSSL from our products.
  In the constructor of my class I do the following lines of code:
  
  threadSetup();
  
  OpenSSL_add_all_digests();
  OpenSSL_add_all_ciphers();
  OpenSSL_add_all_algorithms();
  
  ERR_load_PKCS7_strings();
  ERR_load_X509_strings();
  ERR_load_crypto_strings();
  ERR_load_ERR_strings();
  
  RAND_seed( rnd_seed, sizeof(rnd_seed) );
  
  ENGINE_load_builtin_engines();
  
  In the destructor I do the following:
  
  ENGINE_cleanup();
  RAND_cleanup();
  CRYPTO_cleanup_all_ex_data();
  ERR_free_strings();
  threadCleanUp();
  
  This leads to a memory leak, because of the 
  OpenSSL_add_all_...-functions in the constructor. In the 
 online manual 
  I've read that I need to call
  
  EVP_cleanup();
  
  in the destructor too. So if I do this all memory leaks are 
 gone, but 
  the function
  
  X509_verify_cert()
  
  fails with the error 'certificate signature failure '.
  If I remove the EVP_cleanup() from the destructor the 
 function works as fine as it should work.
  
  Could please anyone give me a hint what could be wrong?
  The destructor is called at least once before the 
 constructor is called again and X509_verify_cert is called.
  
 
 Ideally these steps should be done once per program 
 life-time; constructor steps at start-up, destructor steps at 
 program exit (say in an environment where the OS doesn't 
 clean up the program's memory).
 
 Doing it per-object creation is unnecessary and error prone 
 (as maybe the case here). I believe it should be possible to 
 do it once per program lifetime without changing your C++ 
 class too much.
 
 -jb
 --
 Real computer scientists don't comment their code.  The 
 identifiers are so long they can't afford the disk space.


Re: CMS usage with OpenSSl

2008-04-02 Thread Harald Latzko
Hello Shankar,

as a member of the official OFTP2 working group and also a user of openSSL
I can tell you that the PKCS#7 support is sufficient for file based
operations in this context. If you need any further assistance for OFTP2
specific support I suggest you join the working group, whose head is Joerg
Walter ([EMAIL PROTECTED]) or contact me ([EMAIL PROTECTED]) for openSSL
specific topics.

Regards,
Harald Latzko
c-works GmbH

 Hi Stephen,

 We are developing a secure communication on OFTP(RFC-5024), as per the RFC
 we need to sign the file, compress the file , encrypt the file.
 that can be done with the OpenSSl .. ok,
 Next the concern is :
 1) Files that are to be signed are enveloped according to the file
 enveloping format i.e as a CMS package.
 2) Files that are to be compressed are enveloped according to the file
 enveloping format i.e as a CMS package.
 3) Files that are to be encrypted are enveloped according to the file
 enveloping format i.e as a CMS package.

 here we do not understand how to implement the CMS package and are stuck...

 Best Regards
 --Shankar


 On 4/1/08, Dr. Stephen Henson [EMAIL PROTECTED] wrote:

 On Tue, Apr 01, 2008, shankar ks wrote:

  Hi Stephen,
 
  ThanQ for your information. let me confirm your information as : CMS is
  still under development and there is no document or material is available
  for CMS in OpenSSl .
 
  if that is the case is there any thing available right now for using
  CMS along with openssl. and what you can suggest me to do what explained in
  my earlier mail...
 

 It can be used with the command line utility cms. The API is similar to the
 documented PKCS7 API in many respects. It however isn't at all clear from your
 description what you precisely want to do.

  Does the TLS will support the CMS ?
 

 CMS and TLS are two different things entirely.

 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: Problem after removing memory leak

2008-04-02 Thread Steffen DETTMER
* Wockenfuß, Frank wrote on Wed, Apr 02, 2008 at 09:07 +0200:
 Thank you for that hint.
 I will try to rebuild the class as singleton. This could help,
 but isn't really nice.

I think you'd need multiple classes. For things done once a
program life time, a C++ class (singleton) may not be suited, a
simple ordinary init function may be sufficient. However, such an
instance could make sense for instance if used on stack around
main in something like this:

int main()
{
    OpenSSLAllEverything allocation;
    return main_();
}

to ensure that it is released exactly once even in case of
exceptions. Maybe the class assert()s that it is constructed only
once to help application developers to find usage problems
quickly.

I think it is essential and required to call RAND_seed once and
only once. Functions like X509_verify_cert may be desired as
X509Certificat::verify().

  Doing it per-object creation is unnecessary and error prone 
  (as maybe the case here). I believe it should be possible to 
  do it once per program lifetime without changing your C++ 
  class too much.

Maybe having a static instance counter, so resources could be
freed if the last instance is destroyed? But too much automagic
handling may not be good; imagine, this would be linked with a
similar class that also has its own instance counter...

oki,

Steffen
 


AW: Problem after removing memory leak

2008-04-02 Thread Wockenfuß , Frank
Steffen,

you're right and I did it always like you wrote. I made a static 
initialisation class.
This way I don't get the problems anymore.
If I had done a singleton with reference counting it could be possible that 
someone decrements the count to zero and all things for deinitialisation are 
called and afterwards someone constructs and initialises again and gets the 
error.

So now everything works fine.

Thanks to all for the help.

Frank

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Steffen DETTMER
 Sent: Wednesday, 2 April 2008 10:47
 To: openssl-users@openssl.org
 Subject: Re: Problem after removing memory leak
 
 * Wockenfuß, Frank wrote on Wed, Apr 02, 2008 at 09:07 +0200:
  Thank you for that hint.
  I will try to rebuild the class as singleton. This could help, but 
  isn't really nice.
 
 I think you'd need multiple classes. For things done once a 
 program life time, a C++ class (singleton) may not be suited, 
 a simple ordinary init function may be sufficient. However, 
 such an instance could make sense for instance if used on 
 stack around main in something like this:
 
 int main()
 {
 OpenSSLAllEverything allocation;
 return main_();
 }
 
 to ensure that it is released exactly once even in case of 
 exceptions. Maybe the class assert()s that it is constructed 
 only once to help application developers to find usage 
 problems quickly.
 
 I think it is essential and required to call RAND_seed once 
 and only once. Functions like X509_verify_cert may be desired 
 as X509Certificat::verify().
 
   Doing it per-object creation is unnecessary and error prone (as 
   maybe the case here). I believe it should be possible to 
 do it once 
   per program lifetime without changing your C++ class too much.
 
 Maybe having a static instance counter, so resources could be 
 freed if the last instance is destroyed? But too much 
 automagic handling may not be good; imagine, this would be 
 linked with a similar class that also has its own instance counter...
 
 oki,
 
 Steffen
  


3DES encryption how to

2008-04-02 Thread vaibhav bindroo
Hi all ,
I am a newbie to OpenSSL. I have written a client and server program using
OpenSSL that works properly doing certificate verification, authentication
et al.
Now I want to encrypt my data on the client side using the 3DES algorithm ... I am
confused which is the way to go ... using cipher EVP APIs like
EVP_des_ede3_cbc() or built-in custom functions like
DES_ede3_cbc_encrypt()

Please guide me on this ..

-Vaibhav


Re: 3DES encryption how to

2008-04-02 Thread Marek . Marcola
Hello,

[EMAIL PROTECTED] wrote on 04/02/2008 02:16:19 PM:

 Hi all,
 I am a newbie to OpenSSL. I have written a client and server program using OpenSSL that
 works properly doing certificate verification, authentication et al.
 Now I want to encrypt my data on the client side using the 3DES algorithm ... I am confused
 which is the way to go ... using cipher EVP APIs like EVP_des_ede3_cbc() or built-in
 custom functions like DES_ede3_cbc_encrypt()

Use EVP with EVP_des_ede3_cbc() - high level API.
DES_ede3_cbc_encrypt() is low level API

Best regards,
--
Marek Marcola [EMAIL PROTECTED]



How to load a root(CA) certificate from memory?

2008-04-02 Thread geragray

Hi,

My server application now reads server and root certificates from
files, like that:
SSL_CTX_use_certificate_chain_file(ctx, ser_cert);
SSL_CTX_use_PrivateKey_file(ctx, ser_key, SSL_FILETYPE_PEM);
SSL_CTX_load_verify_locations(ctx, rootcert, NULL);

But for security reasons it has been decided that certificates should not
be stored in the file system but kept in memory. I found a
replacement for the 1st and 2nd function (where buf is a char array
with certificates):
SSL_CTX_use_certificate_ASN1(ctx, len, buf);
SSL_CTX_use_PrivateKey_ASN1(ctx, len, buf);

but I can't find anything similar for loading the root certificate. Does
anybody know a way to load a root certificate from memory?

Thanks in advance.
--
Sergey


Re: CMS usage with OpenSSl

2008-04-02 Thread shankar ks
HI Harald,
ThanQ for your information. So implementing of PKCS#7 Api's will serve my
purpose .. Ok,
at last , a small doubt : I have implemented signing, encryption using
RSA_sign
EVP_EncryptUpdate
RSA_public_encrypt
, so where these will differ from the PKCS#7 API's as these PKCS#7 api's
also do the same things as by the above functions.
I did not find any difference of usage of those two.
can you please tell me what is difference in b/w usage of those two.

-- Shankar

On 4/2/08, Harald Latzko [EMAIL PROTECTED] wrote:

 Hello Shankar,

 as a member of the official OFTP2 working group and also a user of openSSL
 I can tell you that the PKCS#7 support is sufficient for file based
 operations in this context. If you need any further assistance for OFTP2
 specific support I suggest you join the working group, whose head is Joerg
 Walter ([EMAIL PROTECTED]) or contact me ([EMAIL PROTECTED]) for openSSL
 specific topics.

 Regards,
 Harald Latzko
 c-works GmbH

  Hi Stephen,
 
  We are developing a secure communication on OFTP(RFC-5024), as per the RFC
  we need to sign the file, compress the file , encrypt the file.
  that can be done with the OpenSSl .. ok,
  Next the concern is :
  1) Files that are to be signed are enveloped according to the file
  enveloping format i.e as a CMS package.
  2) Files that are to be compressed are enveloped according to the file
  enveloping format i.e as a CMS package.
  3) Files that are to be encrypted are enveloped according to the file
  enveloping format i.e as a CMS package.
 
  here we do not understand how to implement the CMS package and are stuck...
 
  Best Regards
  --Shankar
 
 
  On 4/1/08, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
 
  On Tue, Apr 01, 2008, shankar ks wrote:
 
   Hi Stephen,
  
   ThanQ for your information. let me confirm your information as : CMS is
   still under development and there is no document or material is available
   for CMS in OpenSSl .
  
   if that is the case is there any thing available right now for using
   CMS along with openssl. and what you can suggest me to do what explained in
   my earlier mail...
  
 
  It can be used with the command line utility cms. The API is similar to the
  documented PKCS7 API in many respects. It however isn't at all clear from your
  description what you precisely want to do.
 
   Does the TLS will support the CMS ?
  
 
  CMS and TLS are two different things entirely.
 
  Steve.
  --
  Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
  OpenSSL project core developer and freelance consultant.
  Homepage: http://www.drh-consultancy.demon.co.uk




-- 
--Best Regards
Shankar


How to load a root(CA) certificate from memory?

2008-04-02 Thread GeraGray
Hi,

My server application now reads server and root certificates from
files, like that:
SSL_CTX_use_certificate_chain_file(ctx, ser_cert);
SSL_CTX_use_PrivateKey_file(ctx, ser_key, SSL_FILETYPE_PEM);
SSL_CTX_load_verify_locations(ctx, rootcert, NULL);

But for security reasons it has been decided that certificates should not
be stored in the file system but kept in memory. I found a
replacement for the 1st and 2nd function (where buf is a char array
with certificates):
SSL_CTX_use_certificate_ASN1(ctx, len, buf);
SSL_CTX_use_PrivateKey_ASN1(ctx, len, buf);

but I can't find anything similar for loading the root certificate. Does
anybody know a way to load a root certificate from memory?

Thanks in advance.
--
Sergey


Looking for Implementors

2008-04-02 Thread Charles Malek
Hi all,

I would like to know if there are interested people who can do implementations with
OpenSSL. I have to run a secure application using SSL; interested people are
kindly invited to contact me off-line.

Sincerely,
Malek


Re: How to load a root(CA) certificate from memory?

2008-04-02 Thread Dr. Stephen Henson
On Wed, Apr 02, 2008, GeraGray wrote:

 Hi,
 
 My server application now reads server and root certificates from
 files, like that:
 SSL_CTX_use_certificate_chain_file(ctx, ser_cert);
 SSL_CTX_use_PrivateKey_file(ctx, ser_key, SSL_FILETYPE_PEM);
 SSL_CTX_load_verify_locations(ctx, rootcert, NULL);
 
 But for security reasons it has been decided that certificates should not
 be stored in the file system but kept in memory. I found a
 replacement for the 1st and 2nd function (where buf is a char array
 with certificates):
 SSL_CTX_use_certificate_ASN1(ctx, len, buf);
 SSL_CTX_use_PrivateKey_ASN1(ctx, len, buf);
 
 but I can't find anything similar for loading the root certificate. Does
 anybody know a way to load a root certificate from memory?
 

You convert the certificate into an X509 structure using d2i_X509() then
retrieve the SSL_CTX store using SSL_CTX_get_store. Add the cert
using X509_STORE_add_cert(). Finally free up the X509 structure with
X509_free(). 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: openssl performance

2008-04-02 Thread raj H
Anybody any comments?

On Tue, Apr 1, 2008 at 11:56 PM, raj H [EMAIL PROTECTED] wrote:

 Hi Experts,

   OpenSSL 9.8b. We are facing some performance issues with it. I
 heard that doing session reuse or using some other ciphers can help improve
 the performance significantly.
 I would like to know -

 1. Is using session reuse with the SSL handshake advisable? I read
 somewhere that session reuse with openssl is controversial with memory
 usage. It might have some memory leaks. Is that true? What are other issues
 with ssl session reuse? Does anyone have any numbers on performance gain with
 session reuse?

 2. Does changing the cipher used improve performance? We use the default one.
 Are there any numbers on this too? I plan to use one of -

 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA
 TLS_DH_RSA_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA
 TLS_DH_RSA_WITH_AES_256_CBC_SHA
 TLS_DHE_RSA_WITH_AES_256_CBC_SHA

 Thanks for your help!

 Raj



RE: openssl performance

2008-04-02 Thread David Schwartz

On Tue, Apr 1, 2008 at 11:56 PM, raj H [EMAIL PROTECTED] wrote:

 Anybody any comments?

It's really hard to help you because your question is so vague. What
platform are you using? What performance are you seeing? What performance
did you expect? Is the problem with session setup rate or connection
throughput or what?

DS

