Build static openssl
Hello All,

Can anyone tell me how to create a statically linked openssl? I have used the no-shared option to the Configure script, but in vain. Please share your suggestions.

Thanks,
Prathima.
Re: how to enable debug mode of openssl
Is this bug (memory leak with mod_ssl and zlib compression, CVE-2008-1678) resolved in openssl 0.9.8h? Please help.

Thanks,
Joshi

On Thu, Oct 9, 2008 at 4:09 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:

You would probably need a FIPS_mode_set(1) somewhere after the openssl library initialization, and it would be a good thing to never keep any keys in the clear. As well, it would need to statically link to openssl 0.9.7m built with the fipscanister module. (If it uses features specific to openssl 0.9.8, you cannot create a FIPS-validated version at this time.)

This is not an openssh support list, and I have not looked at the openssh sources to see what else would need to be changed.

You must ALWAYS follow the FIPS security policy when dealing with anything FIPS. If the security policy says that some constraint must be met, that constraint must be met -- no matter how it impacts the function or even possibility of doing what you want.

-Kyle H

2008/10/9 joshi chandran [EMAIL PROTECTED]:

Hi All, I am trying to make openssh compatible with the FIPS-enabled openssl. Can anybody tell me what changes I have to make in openssh? Please help.

Thanks,
Joshi

The problem was solved by updating openssl to the latest release, 0.9.8i (the one I used was 0.9.8a). But I still don't know the root cause of that aborting. Anyway, it works now.

Thanks,
Elven

Date: Wed, 8 Oct 2008 01:21:08 -0700
Subject: Re: how to enable debug mode of openssl
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi Elven,

I suggest trying ERR_print_errors (http://openssl.org/docs/crypto/ERR_print_errors.html) to get an idea of what error you are getting. You can call it right after your call to PEM_read_bio_X509. It is most likely to be a problem with the certificate data that you are feeding to OpenSSL. Have you tried verifying that the data is valid?

--- Kah

On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote:

I am using openssl on an ARM embedded platform. I want to support https, so it will use openssl. But I have encountered some problem. The application aborted for some unknown reason. I tried to trace the problem and found that it aborted on the call to PEM_read_bio_X509 (ssl_rsa.c). And I can't trace any deeper. So is there any way to enable debug mode of openssl so that I can trace more deeply to find out the problem?

Thanks,
Elven

--
Regards
Joshi Chandran
RE: RE: RE: Issue getting enough entropy on Windows NT 4.0 system
The calls you suggest are already in the rand_win.c file, i.e. we would be double dipping if we added another set of calls.

Basically, the problem is that without Workstation Services running on a WinNT 4.0 box, we lose out on entropy. Which, when it comes time to check for ok, we end up with 28 and are looking for at least 32. Which doesn't fail, but later on we can not set up the pipe.

The other issue is that there is a large block of code that was targeted for WinNT that is #if 0 compiled out due to a potential hang. So, the question becomes: why is the big chunk of code #if 0 out, and should it be put back in or modified for WinNT?

As a side note, I did compile that chunk back in and it ran without an issue on my test system: Windows NT 4.00.1381 (which includes SP6).

Thanks Again,
Ray

Umm, so what's the problem exactly? Did this fail to get entropy from the system?

-----Original Message-----
From: Ray Casterline
Sent: Friday, October 10, 2008 9:37 AM
To: 'openssl-users@openssl.org'
Subject: RE: RE: Issue getting enough entropy on Windows NT 4.0 system

Thanks for the suggestion, but the RAND_poll function already pulls from the system right after the big #if 0 block, as described below in the setup for the calls:

    if (advapi)
        {
        /*
         * If it's available, then it's available in both ANSI
         * and UNICODE flavors even in Win9x, documentation says.
         * We favor Unicode...
         */
        acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi, "CryptAcquireContextW");
        gen = (CRYPTGENRANDOM) GetProcAddress(advapi, "CryptGenRandom");
        release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, "CryptReleaseContext");
        }

So, still looking for other suggestions. I also tried finding an EGD for Win NT 4.0 and the only one that looked promising was EGADS, which is no longer available.

Thanks Again for any suggestions,
Ray

Hello,

Why not grab some entropy from the system entropy provider?

    #include <wincrypt.h>

    bool GetSysEntropy(void *ptr, int len)
    {
        char namebuf[512];
        HCRYPTPROV handle;
        DWORD count = sizeof(namebuf);

        /* Name of the machine's default PROV_RSA_FULL provider. */
        if (!CryptGetDefaultProvider(PROV_RSA_FULL, NULL, CRYPT_MACHINE_DEFAULT, namebuf, &count))
            return false;
        /* CRYPT_VERIFYCONTEXT: no key container is needed, only the RNG. */
        if (!CryptAcquireContext(&handle, NULL, namebuf, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
            return false;
        if (!CryptGenRandom(handle, len, (BYTE *)ptr)) {
            CryptReleaseContext(handle, 0);
            return false;
        }
        CryptReleaseContext(handle, 0);
        return true;
    }

DS

The Windows NT 4.0 system has the workstation service stopped. This causes the following snippet from rand_win.c to return 0:

    if (netstatget(NULL, L"LanmanWorkstation", 0, 0, &outbuf) == 0)
        {
        RAND_add(outbuf, sizeof(STAT_WORKSTATION_0), 45);
        netfree(outbuf);
        }

Add to this that a large section of calls is #if 0 out due to a problem reported by Wolfgang Marczy, and there aren't many places this function gets entropy from. Any suggestions?

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Microsoft Visual C++
Mike,

I believe you also need to add the libraries to your link statement configuration.

Dan

Please respond to openssl-users@openssl.org
Sent by: [EMAIL PROTECTED]
To: openssl-users@openssl.org
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Microsoft Visual C++

Hello,

I'm trying to compile in Microsoft Visual C++ Express and I'm getting linker errors like:

    error LNK2019: unresolved external symbol _BIO_gets referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)

I got the header files all set up, but I can't get the libs working. I followed the help and copied the lib files to C:\Program Files\Microsoft Visual Studio 9.0\VC\lib. Anybody know what I'm missing?

Mike Luich

    1>------ Build started: Project: sr_trillian_plugin, Configuration: Debug Win32 ------
    1>Compiling...
    1>stdafx.cpp
    1>Compiling...
    1>sr_trillian_plugin.cpp
    1>c:\users\mluich\documents\visual studio 2008\projects\sr_trillian_plugin\sr_trillian_plugin\sr_trillian_plugin.cpp(194) : warning C4129: '%' : unrecognized character escape sequence
    1>c:\users\mluich\documents\visual studio 2008\projects\sr_trillian_plugin\sr_trillian_plugin\sr_trillian_plugin.cpp(247) : warning C4129: '%' : unrecognized character escape sequence
    1>Compiling...
    1>dllmain.cpp
    1>Linking...
    1>   Creating library C:\Users\mluich\Documents\Visual Studio 2008\Projects\sr_trillian_plugin\Debug\sr_trillian_plugin.lib and object C:\Users\mluich\Documents\Visual Studio 2008\Projects\sr_trillian_plugin\Debug\sr_trillian_plugin.exp
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_gets referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_ctrl referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_ctrl_pending referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _SMIME_write_PKCS7 referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _PKCS7_encrypt referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _sk_push referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _PEM_read_X509 referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_new referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_s_mem referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _BIO_new_mem_buf referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _RAND_load_file referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_load_crypto_strings referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _OPENSSL_add_all_algorithms_noconf referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _sk_new_null referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _EVP_des_ede3_cbc referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_error_string referenced in function "char * __cdecl sr_decrypt(char *,char *)" (?sr_decrypt@@[EMAIL PROTECTED])
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol _ERR_get_error referenced in function "char * __cdecl sr_decrypt(char *,char *)" (?sr_decrypt@@[EMAIL PROTECTED])
    1>sr_trillian_plugin.obj : error LNK2019: unresolved external symbol
Re: Microsoft Visual C++
On Fri, Oct 10, 2008 at 9:25 PM, Thomas J. Hruska [EMAIL PROTECTED] wrote:

Michael Luich wrote:

Hello, I'm trying to compile in Microsoft Visual C++ Express and I'm getting linker errors like:

    error LNK2019: unresolved external symbol _BIO_gets referenced in function "char * __cdecl sr_encrypt(char *,struct _iobuf *)" (?sr_encrypt@@YAPADPADPAU_iobuf@@@Z)

I got the header files all set up, but I can't get the libs working. I followed the help and copied the lib files to C:\Program Files\Microsoft Visual Studio 9.0\VC\lib. Anybody know what I'm missing?

Mike Luich

You have to add the .lib files to your project's Linker properties.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/

I've tried to do that but it doesn't seem to be working. Any idea on how I do that?

Mike Luich

--
you can't put your finger there - OOH! PUT YOUR FINGER THERE! - Princeton, Avenue Q (http://www.avenueq.com/)
Put certificate on hold
Dear all,

I'm new to openssl and I've got a question about putting a certificate on hold. Maybe someone can please confirm or correct my thoughts?

As far as I understand things, you can either revoke a cert (which is not reversible) or you can put a cert on hold. Holding a cert is a reversible process, meaning you can un-hold the cert and use the SAME cert after it was un-held. Is this true?

Putting a cert on hold is like revoking a cert; you only have to provide the reason code "certificate Hold". Then an entry in the CRL will be generated that looks as follows:

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=DE/ST=by/L=muc/O=--/OU=--/CN=HK/emailAddress=xx
            Last Update: Oct 13 07:40:50 2008 GMT
            Next Update: Oct 13 07:40:50 2009 GMT
    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Oct 13 07:40:50 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Certificate Hold
        Serial Number: 03
            Revocation Date: Oct 10 08:58:24 2008 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Key Compromise
        Signature Algorithm: sha1WithRSAEncryption
            97:68:89:05:c8:58:bd:a6:e4:c8:df:99:0c:25:f4:d6:b7:98:
            3e:56:c0:4d:98:d9:2e:c0:15:85:13:e3:2c:1e:77:a8:52:00:
            ce:00:7d:69:30:b7:87:a1:ae:b4:51:16:e0:5f:c8:c0:[...]

What I do not understand is how to un-hold the cert. What do I have to do? Theoretically, un-holding would mean that you remove the serial number of the held cert from the CRL?

Best regards,
Martin
Re: [openssl-users] Put certificate on hold
Hello Martin,

Today, Oct 13 2008 (III Id. Oct. MMVIII), Martin Schneider wrote:

As far as I understand things, you can either revoke a cert (which is not reversible) or you can put a cert on hold.

Right.

Holding a cert is a reversible process, meaning you can un-hold the cert and use the SAME cert after it was un-held. Is this true? Putting a cert on hold is like revoking a cert; you only have to provide the reason code "certificate Hold". Then an entry in the CRL will be generated that looks as follows:

In fact, the certificate is present in the CRL, but is not considered revoked (as per the X.509 recommendation). It's on hold, as the reason tells. For the majority of applications it's the same; the behaviour won't be different. But if you want to provide signature services that need to be verified far in the future, that's a point to consider.

What I do not understand is how to un-hold the cert. What do I have to do? Theoretically, un-holding would mean that you remove the serial number of the held cert from the CRL?

Reading the X.509 recommendation (downloadable for free from the ITU-T web site) tells us that a certificate can be un-held by 2 means:
- either really revoke it, by changing the reason code while keeping the date
- or completely remove it from the CRL, as you guessed.

If you plan to issue deltaCRLs, you MUST use the removeFromCRL reason code for such certificates, only for the deltaCRLs.

--
Erwann ABALEA [EMAIL PROTECTED]
- When you honestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. Demotivators, 2001 calendar
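The two un-hold paths in the reply above, and the delta-CRL rule that goes with them, as an added example (not code from the thread or from OpenSSL): a small Python model of a CRL's "Revoked Certificates" list. The numeric reason codes are the CRLReason values from X.509 / RFC 5280; the entries, serials and dates are constructed sample data that mirror the CRL dump in the question. Names such as release_hold and delta_crl are this example's own.

```python
# Added example, not from the thread. Models how a CA edits a CRL to hold,
# release or permanently revoke a certificate, and what a verifier concludes.
from dataclasses import dataclass, field
from typing import Dict

# CRLReason values (RFC 5280, section 5.3.1)
UNSPECIFIED = 0
KEY_COMPROMISE = 1
CA_COMPROMISE = 2
AFFILIATION_CHANGED = 3
SUPERSEDED = 4
CESSATION_OF_OPERATION = 5
CERTIFICATE_HOLD = 6
REMOVE_FROM_CRL = 8      # only valid in a delta CRL
PRIVILEGE_WITHDRAWN = 9
AA_COMPROMISE = 10


@dataclass
class CrlEntry:
    serial: int
    revocation_date: str  # kept in the text form shown by 'openssl crl -text'
    reason: int


@dataclass
class Crl:
    """Entries keyed by serial number, as in the 'Revoked Certificates' list."""
    entries: Dict[int, CrlEntry] = field(default_factory=dict)

    def revoke(self, serial: int, date: str, reason: int) -> None:
        self.entries[serial] = CrlEntry(serial, date, reason)

    def hold(self, serial: int, date: str) -> None:
        self.revoke(serial, date, CERTIFICATE_HOLD)

    def release_hold(self, serial: int) -> None:
        """Un-hold by dropping the entry from the CRL (second option in the reply)."""
        e = self.entries.get(serial)
        if e is None or e.reason != CERTIFICATE_HOLD:
            raise ValueError("serial %d is not on hold" % serial)
        del self.entries[serial]

    def hold_to_revoked(self, serial: int, reason: int) -> None:
        """Un-hold into a real revocation: change the reason, keep the date (first option)."""
        e = self.entries.get(serial)
        if e is None or e.reason != CERTIFICATE_HOLD:
            raise ValueError("serial %d is not on hold" % serial)
        if reason in (CERTIFICATE_HOLD, REMOVE_FROM_CRL):
            raise ValueError("not a permanent revocation reason")
        e.reason = reason

    def status(self, serial: int) -> str:
        """What a relying party concludes from this CRL: good, on_hold or revoked."""
        e = self.entries.get(serial)
        if e is None:
            return "good"
        if e.reason == CERTIFICATE_HOLD:
            return "on_hold"
        return "revoked"

    def snapshot(self) -> "Crl":
        """Copy of the CRL as last published, used as the base for a delta CRL."""
        return Crl({s: CrlEntry(e.serial, e.revocation_date, e.reason)
                    for s, e in self.entries.items()})


def delta_crl(base: Crl, current: Crl) -> Dict[int, int]:
    """Reason codes a delta CRL must carry to move a relying party that holds
    `base` to `current`. A certificate that left the list (a released hold) is
    announced with removeFromCRL; silent omission would leave it looking held."""
    delta: Dict[int, int] = {}
    for serial, e in current.entries.items():
        old = base.entries.get(serial)
        if old is None or old.reason != e.reason:
            delta[serial] = e.reason
    for serial in base.entries:
        if serial not in current.entries:
            delta[serial] = REMOVE_FROM_CRL
    return delta
```

The status() split is the point Erwann makes about signature services: most applications collapse on_hold into revoked, but a verifier that will re-check old signatures years later has to record that the certificate was only held at signing time, because the entry may legitimately vanish from a later CRL.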
Getting the peer certificate encoding
Hi All,

I am new to OpenSSL. We have one application which will verify the peer certificate. Problem is our application will verify only DER format certificates. So if I get the peer certificate in PEM format, I will convert that into DER and I will verify the peer certificate. Is there any openSSL API which will tell me about the peer certificate encoding? I want to know whether it is in PEM or DER?

Thanks in advance,
Waiting for your reply,
Aravind.
Re: how to enable debug mode of openssl
Are there any patches to resolve the bug (memory leak with mod_ssl and zlib compression, CVE-2008-1678)? Please help.

Thanks,
Joshi

2008/10/13 joshi chandran [EMAIL PROTECTED]:

Is this bug (memory leak with mod_ssl and zlib compression, CVE-2008-1678) resolved in openssl 0.9.8h? Please help.

Thanks,
Joshi

On Thu, Oct 9, 2008 at 4:09 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:

You would probably need a FIPS_mode_set(1) somewhere after the openssl library initialization, and it would be a good thing to never keep any keys in the clear. As well, it would need to statically link to openssl 0.9.7m built with the fipscanister module. (If it uses features specific to openssl 0.9.8, you cannot create a FIPS-validated version at this time.)

This is not an openssh support list, and I have not looked at the openssh sources to see what else would need to be changed.

You must ALWAYS follow the FIPS security policy when dealing with anything FIPS. If the security policy says that some constraint must be met, that constraint must be met -- no matter how it impacts the function or even possibility of doing what you want.

-Kyle H

2008/10/9 joshi chandran [EMAIL PROTECTED]:

Hi All, I am trying to make openssh compatible with the FIPS-enabled openssl. Can anybody tell me what changes I have to make in openssh? Please help.

Thanks,
Joshi

The problem was solved by updating openssl to the latest release, 0.9.8i (the one I used was 0.9.8a). But I still don't know the root cause of that aborting. Anyway, it works now.

Thanks,
Elven

Date: Wed, 8 Oct 2008 01:21:08 -0700
Subject: Re: how to enable debug mode of openssl
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Hi Elven,

I suggest trying ERR_print_errors (http://openssl.org/docs/crypto/ERR_print_errors.html) to get an idea of what error you are getting. You can call it right after your call to PEM_read_bio_X509. It is most likely to be a problem with the certificate data that you are feeding to OpenSSL. Have you tried verifying that the data is valid?

--- Kah

On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote:

I am using openssl on an ARM embedded platform. I want to support https, so it will use openssl. But I have encountered some problem. The application aborted for some unknown reason. I tried to trace the problem and found that it aborted on the call to PEM_read_bio_X509 (ssl_rsa.c). And I can't trace any deeper. So is there any way to enable debug mode of openssl so that I can trace more deeply to find out the problem?

Thanks,
Elven

--
Regards
Joshi Chandran
Re: Dynamic loading openSSL BIO_ functions - compilation error
Raymond Zhou wrote:

Hi there, I was trying to load a function from openSSL libeay32.dll using LoadLibrary and GetProcAddress. The function is the following: BIO* BIO_new_fp(File*, int).

You'll need to at least change File* to FILE * - C is case sensitive.

Tim.
OpenSSL for Win CE
Hi, I need to use openssl for Windows CE (5.0) on an ARM platform. To save some time, I would be interested if there are also precompiled DLLs available for Windows CE as I couldn't find them anywhere? Regards, Jonas
RE: creating public RSA key and verifying signature
btw, when I try to get the error code by

    printf("Error code: %lu", ERR_get_error());

I get "Error code: 67567722".

Your code says:

    result = RSA_public_decrypt(pValidationData.ulValidationDataLength,
                                pValidationData.rgbValidationData,
                                outputPlaintext, publicKey, RSA_PKCS1_PADDING);

Are you 100% sure the data had PKCS#1 v1.5 padding?

    error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

DS
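Two things this reply, and Kah's earlier advice to call ERR_print_errors after PEM_read_bio_X509, rely on: how the number printed by ERR_get_error() packs library, function and reason (the 0.9.8/1.0.x layout: 8 bits library, 12 bits function, 12 bits reason), and what RSA_padding_check_PKCS1_type_1 actually rejects. The following is an added example, not code from the thread or from OpenSSL; the lib/func/reason names it knows are only those confirmed by the error string quoted above (in a real program ERR_load_crypto_strings and ERR_error_string supply them), and the padding check is a re-implementation of the PKCS#1 v1.5 type 1 block layout, with its own wording for every failure except the one the thread shows.

```python
# Added example, not from the thread. Decodes an ERR_get_error() value and
# reproduces the block-type check behind "block type is not 01".


def unpack_error(code: int):
    """Split an ERR_get_error() value into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


# Assumption: only the names confirmed by the error string in the thread.
LIB_NAMES = {4: "rsa routines"}
FUNC_NAMES = {(4, 0x070): "RSA_padding_check_PKCS1_type_1"}
REASON_NAMES = {(4, 0x06A): "block type is not 01"}


def format_error(code: int) -> str:
    """Render the code the way ERR_error_string does: error:XXXXXXXX:lib:func:reason.
    Unknown parts fall back to lib(n)/func(n)/reason(n), as OpenSSL prints them."""
    lib, func, reason = unpack_error(code)
    return "error:%08X:%s:%s:%s" % (
        code,
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get((lib, func), "func(%d)" % func),
        REASON_NAMES.get((lib, reason), "reason(%d)" % reason),
    )


def pkcs1_type1_pad(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block of k bytes: 00 || 01 || FF..FF (at least 8) || 00 || data.
    This is the layout RSA_private_encrypt writes and RSA_public_decrypt expects."""
    if len(data) > k - 11:
        raise ValueError("data too large for modulus size")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(data)) + b"\x00" + data


def pkcs1_type1_unpad(block: bytes) -> bytes:
    """Check type 1 padding on the full k-byte block and return the payload.
    The 'block type is not 01' message matches OpenSSL; the others are ours."""
    if len(block) < 11 or block[0] != 0x00:
        raise ValueError("bad block leading byte")
    if block[1] != 0x01:
        raise ValueError("block type is not 01")
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i == len(block) or block[i] != 0x00:
        raise ValueError("missing 00 separator after padding string")
    if i - 2 < 8:
        raise ValueError("padding string shorter than 8 bytes")
    return block[i + 1:]


def unpad_error(block: bytes):
    """Return the message pkcs1_type1_unpad would raise for `block`, or None."""
    try:
        pkcs1_type1_unpad(block)
    except ValueError as e:
        return str(e)
    return None
```

A type 2 block (00 02, random non-zero bytes, 00, data; the layout RSA_public_encrypt produces) fails the type 1 check with exactly "block type is not 01", which is why the reply asks whether the data was really a PKCS#1 v1.5 signature block rather than something encrypted to the public key.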
RE: [FWD] DNS Error while doing SSL handshake - bad gethostbyaddr
Thank you Dave and Lutz. Good to know that I can ignore the error message "bad gethostbyaddr".

Real problem is that Client hello B is not coming through. Yes, there is a firewall in between client and server. Since the SSL client was able to send in a few bytes (client hello A?) successfully, the firewall connection in this direction looks ok. It might be that the firewall doesn't allow communication in the opposite direction (from server to client) and hence the client is not receiving the server hello? I will look into the firewall side...

Thanks,
Byju Joy

Dave Thompson-4 wrote:

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: Friday, 10 October, 2008 09:03

----- Forwarded message from "Joy, Byju (GE Healthcare, consultant)" [EMAIL PROTECTED] -----

Subject: DNS Error while doing SSL handshake - bad gethostbyaddr
Date: Fri, 10 Oct 2008 15:00:51 +0200
Thread-Topic: DNS Error while doing SSL handshake - bad gethostbyaddr
thread-index: Ackq2DkNLX4Go5QUSQWx6NJWZ9B4Hw==
From: "Joy, Byju (GE Healthcare, consultant)" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Dear OpenSSL experts,

I am trying to run OpenSSL version "OpenSSL 0.9.8i 15 Sep 2008" on Windows Server 2003 Standard Edition Version 5.2.3790. Could you please help me with the "bad gethostbyaddr" error message while doing SSL handshake? Log is given below:

s_server calls do_server calls do_accept which, after the actual (TCP) accept, calls gethostbyaddr to try to get the client host's name. If your system/network doesn't have DNS set up to do reverse-mapping for that host, you get this printed. (That would include DNS not set up at all, but I don't think Svr03 can do that. It could include using a bad/wrong nameserver, or zone; or an unreachable/down one; or using a good nameserver but the zone admin doesn't do reverse-mapping at all -- some don't; or didn't do it for that host -- particularly if it's a dynamic host e.g. a(nother) PC many admins don't consider it worth the trouble.)

But it causes no harm; it just passes back a nullptr for the hostname string, which the actual logic (sv_body or www_body) never uses. The connection can still be completed and used, at least through 0.9.8g, and I doubt this would be changed.

(If you actually want to fix the revlookup, you need to say more about the type and relative network location of the client machine, and if it's not something simple you'll probably need to go elsewhere to a network-mgt group/list/forum.)

    D:\OpenSSL2\bin>openssl
    OpenSSL> s_server -accept 443 -verify 2 -cert D:\my_crt.pem -key D:\my_key.pem -debug -msg -state -CAfile D:\CAcerts.pem -ssl3
    verify depth is 2
    Enter pass phrase for D:\my_key.pem: my_pass_phrase
    Loading 'screen' into random state - done
    Using default temp DH parameters
    Using default temp ECDH parameters
    ACCEPT
    bad gethostbyaddr
    SSL_accept:before/accept initialization
    read from 0xa533d0 [0xa6fc10] (5 bytes => 0 (0x0))
    SSL_accept:failed in SSLv3 read client hello B

This is your actual problem: you are not receiving the client hello. You appear to be getting a normal TCP shutdown instead, i.e. FIN not RST. This might mean the client deliberately closed; on some system types it also occurs if the client fails e.g. segfault; it might also occur if something between you in the network like a firewall dislikes you.

    ERROR
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT
Runtime error if dynamically loading SSL_library_init()
Hello there,

Need your help again. I am developing an application in which I use openSSL for https support. My application loads openSSL functions dynamically (using LoadLibrary("ssleay32.dll") for example). It calls a lot of functions starting with SSL_ and BIO_. What I noticed is that I can successfully load any other functions and execute them at runtime except the following three:

    SSL_library_init();
    SSLv23_method();
    SSL_ctx_new(meth);

For these three, my application has to statically link with them and then it works for me (even with other openSSL functions dynamically loaded). The code snippet for loading SSL_library_init() is like this (similarly for the others):

    typedef int (*_ssl_library_init)();
    _ssl_library_init _my_SSL_library_init;
    _my_SSL_library_init = (_ssl_library_init)GetProcAddress(ssleay32, "SSL_library_init");
    _my_SSL_library_init();

I am using openSSL 0.9.8g in a Windows XP environment. Any problem with this approach? What is so special with these three functions?

Thanks for your help in advance.
Ray
Re: Runtime error if dynamically loading SSL_library_init()
Just to add to my earlier message, the error message I was getting is "Access violation".

Thanks!

--- On Tue, 10/14/08, Raymond Zhou [EMAIL PROTECTED] wrote:

From: Raymond Zhou [EMAIL PROTECTED]
Subject: Runtime error if dynamically loading SSL_library_init()
To: openssl-users@openssl.org
Date: Tuesday, October 14, 2008, 12:18 AM

Hello there,

Need your help again. I am developing an application in which I use openSSL for https support. My application loads openSSL functions dynamically (using LoadLibrary("ssleay32.dll") for example). It calls a lot of functions starting with SSL_ and BIO_. What I noticed is that I can successfully load any other functions and execute them at runtime except the following three:

    SSL_library_init();
    SSLv23_method();
    SSL_ctx_new(meth);

For these three, my application has to statically link with them and then it works for me (even with other openSSL functions dynamically loaded). The code snippet for loading SSL_library_init() is like this (similarly for the others):

    typedef int (*_ssl_library_init)();
    _ssl_library_init _my_SSL_library_init;
    _my_SSL_library_init = (_ssl_library_init)GetProcAddress(ssleay32, "SSL_library_init");
    _my_SSL_library_init();

I am using openSSL 0.9.8g in a Windows XP environment. Any problem with this approach? What is so special with these three functions?

Thanks for your help in advance.
Ray
RE: Getting the peer certificate encoding
Aravinda Babu wrote:

Problem is our application will verify only DER format certificates. So if I get the peer certificate in PEM format, I will convert that into DER and I will verify the peer certificate. Is there any openSSL API which will tell me about the peer certificate encoding? I want to know whether it is in PEM or DER?

Is the certificate in a memory buffer or a file? Either way, you can just look at the data. If it's PEM, the whole file will be printable text. The first few characters will be perhaps some number of newlines or empty spaces, but the first non-whitespace should be a '-'. If it's DER, there will be many non-printable characters.

However, it's probably just easiest to try it both ways. If either of them works, you have a valid certificate. Just remember to clear the error stack after an expected and normal error. Otherwise, it might confuse you later when you see an "invalid certificate type" error because much earlier it worked on the second attempt.

DS
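The look-at-the-data approach in David's reply, as an added example that is not part of the thread and not OpenSSL code. It uses the standard library only: a PEM file is recognised by its "-----BEGIN" armour after any leading whitespace, and a DER certificate by its outer framing, a SEQUENCE (tag 0x30) whose encoded length covers the whole buffer, which also catches a truncated file. The sample bytes are a constructed stand-in (a minimal DER SEQUENCE holding one INTEGER), not a real X.509 certificate; the framing check is the same for both, but nothing here parses certificate fields. Function names such as detect_encoding and to_der are this example's own.

```python
# Added example, not from the thread. Classifies a certificate buffer as PEM,
# DER or neither, and turns PEM into DER so a DER-only verifier can take it.
import base64
import re

# PEM armour: the label after END must match the one after BEGIN.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length(buf: bytes, pos: int):
    """Parse a DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def looks_like_der(buf: bytes) -> bool:
    """A DER certificate is one SEQUENCE that spans the buffer exactly."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    try:
        length, content = der_length(buf, 1)
    except (ValueError, IndexError):
        return False
    return content + length == len(buf)


def detect_encoding(buf: bytes) -> str:
    """'PEM', 'DER' or 'unknown', by inspection only (no parsing of fields)."""
    if buf.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if looks_like_der(buf):
        return "DER"
    return "unknown"


def pem_to_der(buf: bytes) -> bytes:
    """Strip the armour of the first PEM block and base64-decode its body."""
    m = PEM_RE.search(buf)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def to_der(buf: bytes) -> bytes:
    """Hand back DER whatever the input encoding was; refuse anything else."""
    kind = detect_encoding(buf)
    if kind == "DER":
        return buf
    if kind == "PEM":
        der = pem_to_der(buf)
        if not looks_like_der(der):
            raise ValueError("PEM body is not a single DER SEQUENCE")
        return der
    raise ValueError("neither PEM nor DER")


# Constructed sample: SEQUENCE { INTEGER 5 }. Not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

If you take David's other suggestion instead and simply try d2i_X509 then PEM_read_bio_X509 in C, call ERR_clear_error() after the attempt that fails, so the stale "wrong tag" or "no start line" entry does not surface later as a baffling error on an unrelated call.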
Re: Getting the peer certificate encoding
On Mon, Oct 13, 2008 at 09:35:03PM -0700, David Schwartz wrote:

Aravinda Babu wrote:

Problem is our application will verify only DER format certificates.

What protocol exchange is secured by the certificate (private/public key pair, with the public key encased in a CA certificate)? In many cases the protocol already exchanges the certificate in binary (DER) form. It is appropriate to ask what is happening here and why a certificate needs to be verified out-of-band and in what sense it is verified. Presumably this is somehow tied to use of the associated private key to sign some data, but this is far from clear.

--
Viktor.