OpenSSL SMIME -sign command - file size limits?
I am using the OpenSSL SMIME command to sign files with -outform DER and -nodetach. However, for files larger than 1MBytes, the output file does not contain all the data.

Does anyone know how I can sign large files? Need signed data in ASN.1 format.

Thanks
Joe Fedak
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

Can't free BIO after ssl handshake fails
Hello.

I have got a big problem in my application: My application is connecting to webservers over ssl. Therefore, I use a bio chain bufferBIO - sslBIO - socketBIO. I use certificate verification, but when a cert verification fails, I have a problem with freeing the ssl BIO. My thread is hanging at BIO_free(serverTlsBIO) with full CPU load. But if I don't free the ssl BIO, I have a big memory leak. The interesting thing is that this doesn't happen always, but always with the same websites/certificates.

    if (BIO_do_handshake(serverTlsBIO) <= 0) {
        /* handshake failed: detach the ssl BIO from the chain and free it */
        BIO_pop(serverTlsBIO);
        BIO_free(serverTlsBIO);
        return TLS_SERVER_HANDSHAKE_ERR;
    }

Has anyone a solution or is anything wrong in my consideration?

Thanks in advance,
Roman

Re: OpenSSL SMIME -sign command - file size limits?
On Thu, May 15, 2008, Fedak, Joe wrote:

> I am using the OpenSSL SMIME command to sign files with -outform DER and
> -nodetach. However, for files larger than 1MBytes, the output file does
> not contain all the data. Does anyone know how I can sign large files?
> Need signed data in ASN.1 format.

I've just tested this on 0.9.8 and it seems to work OK. What OS and version of OpenSSL are you using?

For anything other than the development version of OpenSSL (which will be 0.9.9 ultimately) all the signed data needs to be held in memory at once. However 1MB should be easily handleable.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk

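
A round-trip check for the symptom in this thread, as an added example that is not part of either post and not OpenSSL project code: it signs a constructed file with -nodetach and -outform DER, extracts the embedded content again and compares it byte for byte with the input. The function name, file names and throwaway signer are assumptions; the optional -stream flag exists in OpenSSL 1.0.0 and later and avoids holding the whole content in memory.

```shell
#!/bin/sh
# Sign a constructed file with "openssl smime" and confirm that the DER output
# carries every byte of the input. Names and paths here are illustrative.

# sign_roundtrip SIZE_BYTES [EXTRA_SIGN_FLAG]
# Returns 0 if the content extracted from the signed file equals the input.
sign_roundtrip() {
    size=$1
    extra=${2:-}
    work=$(mktemp -d) || return 2

    # Constructed throwaway signer: self-signed certificate valid for one day.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null || return 2

    # Constructed input: SIZE_BYTES of random data.
    head -c "$size" /dev/urandom > "$work/in.bin"

    # -binary stops S/MIME canonicalisation from rewriting line endings, which
    # would otherwise make the embedded content differ from the input file.
    openssl smime -sign -binary -nodetach -outform DER $extra \
        -signer "$work/cert.pem" -inkey "$work/key.pem" \
        -in "$work/in.bin" -out "$work/signed.der" || return 2

    # -noverify skips chain validation of the throwaway certificate only;
    # the signature over the content is still checked.
    rc=0
    openssl smime -verify -binary -noverify -inform DER \
        -in "$work/signed.der" -out "$work/out.bin" 2>/dev/null || rc=1
    cmp -s "$work/in.bin" "$work/out.bin" || rc=1

    rm -rf "$work"
    return $rc
}

# Usage: 2 MiB input, first held in memory, then with streaming output.
# sign_roundtrip 2097152 && sign_roundtrip 2097152 -stream
```

A non-zero return on a given build and platform reproduces the truncation as a concrete test case that can be attached to a bug report.
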
qcStatements extension support in OpenSSL
Hi there,

I was wondering whether there are any news on the support of qcStatements X.509 v3 certificate private extension in OpenSSL. The ASN.1 syntax for this extension is quite straightforward so perhaps someone has already implemented this or at least it is pending somewhere in the queue for new release?

The easiest solution to work with would be to allow the configuration of the extension from the OpenSSL configuration file, something perhaps similar to the following:

    qcStatements = critical,qcCompliance,qcSyntaxVersion1

or

    qcStatements = critical,1.3.6.1.5.5.7.11.1,0.4.0.1862.1.1

whereby the qcCompliance would represent the ETSI statement of compliance object identifier [id-etsi-qcs-QcCompliance: 0.4.0.1862.1.1] and qcSyntaxVersion1 [id-qcs-pkixQCSyntax-v1: 1.3.6.1.5.5.7.11.1] - the object identifier for compliance with RFC 3039 Qualified Certificates Profile syntax.

Obviously the above represents the simplified scenario, without extending the qcStatements sequence to optional statementInfo and also without consideration of the version 2 of the profile (as defined in RFC 3739) but nonetheless it would be very useful and helpful for the community I believe.

Does anyone have any thoughts on this or perhaps a ready to go implementation? I have searched mailing lists and groups but had no luck in finding any useful information other than the fact that many people asked similar questions in the past years - but there was no response...

Thanks,
E.

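
One way to get the two statements named in this post into a certificate without dedicated qcStatements support, as an added example that is not from the poster or the OpenSSL project: the configuration file's generic `ASN1:` value syntax builds the DER for the extension, which is addressed by its raw OID. The OID 1.3.6.1.5.5.7.1.3 (id-pe-qcStatements in RFC 3739), the section names, file names and the throwaway subject are assumptions of this example.

```shell
#!/bin/sh
# make_qc_cert DIR: write a config and issue a constructed self-signed
# certificate whose qcStatements extension holds the two statement OIDs.
make_qc_cert() {
    dir=$1
    cat > "$dir/qc.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_qc
prompt             = no

[ dn ]
CN = constructed-qc-subject

[ v3_qc ]
# id-pe-qcStatements, marked critical as in the post's proposal
1.3.6.1.5.5.7.1.3 = critical,ASN1:SEQUENCE:qc_statements

[ qc_statements ]
# QCStatements ::= SEQUENCE OF QCStatement (statementInfo omitted)
compliance = SEQUENCE:qc_compliance
syntax_v1  = SEQUENCE:qc_syntax_v1

[ qc_compliance ]
statementId = OID:0.4.0.1862.1.1

[ qc_syntax_v1 ]
statementId = OID:1.3.6.1.5.5.7.11.1
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/qc.cnf" \
        -keyout "$dir/qc.key" -out "$dir/qc.pem" 2>/dev/null
}

# qc_statement_present CERT HEX: succeed if the hex-encoded OID body HEX
# appears in the certificate's ASN.1 dump (extension values are hex-dumped).
#   04008E460101     = 0.4.0.1862.1.1
#   2B06010505070B01 = 1.3.6.1.5.5.7.11.1
qc_statement_present() {
    openssl asn1parse -in "$1" | grep -qi "$2"
}
```
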
unsolved memory leak
Hello,

I'm working on a client - multithreaded-server application, both sides authenticating each other with auto-signed certs. After lots of adventures, I finally end up with a memory leak problem which is detected using valgrind (and crazy self-test with tons of clients connecting to the server).

When the server is asked to leave, then valgrind complains about unallocated memory (allocated in server's threads, one per connection from clients):

    c_ssl = SSL_new(c_ctx);
    c_ssl_client = BIO_new_socket(c_peer_sock, BIO_NOCLOSE);
    SSL_set_bio(c_ssl, c_ssl_client, c_ssl_client);
    c_buf_io = BIO_new(BIO_f_buffer());        /* create a buffer BIO */
    c_ssl_bio = BIO_new(BIO_f_ssl());          /* create an ssl BIO (<-- reported as leaking) */
    BIO_set_ssl(c_ssl_bio, c_ssl, BIO_CLOSE);  /* assign the ssl BIO to SSL */
    BIO_push(c_buf_io, c_ssl_bio);             /* add c_ssl_bio to c_buf_io */

This BIO_new(BIO_f_ssl()) is leaking and apparently I do not know how to release it. What I do when a server's thread has finished working is:

    if (c_buf_io)
        BIO_free(c_buf_io);
    if (c_ssl_client)
        BIO_free_all(c_ssl_client);
    if (c_ssl)
        SSL_free(c_ssl);

    // memory leak !! (this BIO_free() segfaults)
    //if (c_ssl_bio)
    //    BIO_free(c_ssl_bio);

    // from http://readlist.com/lists/openssl.org/openssl-users/0/1352.html
    // (no effect)
    ERR_remove_state(0);
    ERR_free_strings(); // might be useless

Surely I'm doing something wrong, and I'd be glad if some experts from you could enlighten me :-)

Best regards,
David Gauchard

Valgrind logs :

    ==5410== 1,597,904 (699,608 direct, 898,296 indirect) bytes in 10,931 blocks are definitely lost in loss record 15 of 15
    ==5410==    at 0x401D38B: malloc (vg_replace_malloc.c:149)
    ==5410==    by 0x430556D: default_malloc_ex (mem.c:79)
    ==5410==    by 0x4305BD8: CRYPTO_malloc (mem.c:304)
    ==5410==    by 0x4364225: BIO_new (bio_lib.c:70)
    ==5410==    by 0x8055B4E: (c_ssl_bio = BIO_new(BIO_f_ssl());)