Re: Is there XOR, OR and AND operation on BN?
On 2009.05.22 at 20:31:44 +0800, sofian sindhi wrote:

> By your suggestion, if I have BN a, 1024 bits, and b, 2048 bits, the only way I can do OR is using char *BN_bn2hex(const BIGNUM *a) to transform each one as 2 char*. Then do the OR byte by byte?

No, you completely misunderstood me. I rather had in mind that you have to access the internal representation of the bignum (which is defined in the public header bn.h) and then OR per BN_ULONG (which is typically 32-bit). Of course, if your BNs can be different in size, you should study the internal representation a bit more, to find out how to find bits with the same significance inside these representations.

Or, if you want to be absolutely sure that future changes in the internal representation (however unlikely) wouldn't affect your code, use BN_bn2bin, not BN_bn2hex.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
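The alignment step the reply describes, as an added example that is not from the thread and uses no libcrypto calls: the big-endian byte strings that BN_bn2bin() writes are right-aligned so that bytes of equal significance are combined, whatever the two lengths are. The trailing comment shows the assumed glue to BN_bn2bin()/BN_bin2bn(), which is not compiled here.

```c
#include <stddef.h>
#include <string.h>

/* Bitwise combination of two unsigned big-endian magnitudes of different
 * lengths, in the byte layout BN_bn2bin() produces (most significant byte
 * first, no leading zero bytes).  Because the arrays can differ in length,
 * they are walked from the LEAST significant (last) byte backwards; a byte
 * the shorter operand lacks is treated as 0x00. */

typedef enum { BITOP_OR, BITOP_AND, BITOP_XOR } bitop_t;

/* out must have room for max(alen, blen) bytes; returns bytes written. */
size_t bn_bytes_bitop(bitop_t op,
                      const unsigned char *a, size_t alen,
                      const unsigned char *b, size_t blen,
                      unsigned char *out)
{
    size_t outlen = alen > blen ? alen : blen;
    size_t i;

    for (i = 0; i < outlen; i++) {
        /* i counts up from the least significant byte of each operand. */
        unsigned char ab = (i < alen) ? a[alen - 1 - i] : 0x00;
        unsigned char bb = (i < blen) ? b[blen - 1 - i] : 0x00;
        unsigned char r;

        switch (op) {
        case BITOP_OR:  r = (unsigned char)(ab | bb); break;
        case BITOP_AND: r = (unsigned char)(ab & bb); break;
        default:        r = (unsigned char)(ab ^ bb); break;
        }
        out[outlen - 1 - i] = r;
    }
    return outlen;
}

/* Number of significant bytes once leading zeros are dropped; this is the
 * length BN_num_bytes() reports after BN_bin2bn() re-imports out[]. */
size_t bn_bytes_significant(const unsigned char *buf, size_t len)
{
    size_t lead = 0;
    while (lead < len && buf[lead] == 0x00)
        lead++;
    return len - lead;
}

/* Constructed sample operands (not from the thread): a 3-byte value and a
 * 2-byte value, so that the alignment actually matters. */
const unsigned char SAMPLE_A[3] = { 0x12, 0x34, 0x56 };
const unsigned char SAMPLE_B[2] = { 0xF0, 0x0F };

/* Assumed glue for real BIGNUMs (needs -lcrypto, so not compiled here):
 *
 *   unsigned char abuf[256], bbuf[256], out[256];
 *   int alen = BN_bn2bin(a, abuf);          // requires BN_num_bytes(a) <= 256
 *   int blen = BN_bn2bin(b, bbuf);
 *   size_t n = bn_bytes_bitop(BITOP_OR, abuf, (size_t)alen,
 *                             bbuf, (size_t)blen, out);
 *   BIGNUM *r = BN_bin2bn(out, (int)n, NULL);
 */
```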
building for Arm in wince
Hi All,

Has anyone built OpenSSL for ARM in WinCE? I am using the platform builder of WinCE 6. I have been getting the following error:

tmp32dll_ARMV4I\cryptlib.obj : fatal error LNK1112: module machine type 'X86' conflicts with target machine type 'THUMB'

It looks like the crypto is being compiled for X86 and so it fails with the cross-platform error. I am using version 0.9.8k of OpenSSL. I have taken a look at the makefile of crypto; they seem to be configured for x86. Has anyone got something for ARM? Also the Configure file for OpenSSL is configured for CE x86:

# Visual C targets
VC-CE,clWINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32,

Can someone help me change the Configure and make files to compile for ARM?

Thanks in advance
Satish kumar Raju
Re: On the fly certificate generation to send to the client
* Scott Gifford wrote on Wed, May 20, 2009 at 21:52 -0400:
> AngelWarrior srikanth.bemin...@gmail.com writes:
>> but this still requires a CA kind of certificate right. I don't know if the client will have a CA certificate to authenticate it. If I am wrong please explain me how it can be done.
>
> Regular SSL only requires a certificate on the server. Encrypted Web browsing with https, for example, doesn't require a client certificate.

I think this is just a matter of configuration. Someone may run SSL without any certificate and even without encryption - for whatever this should be good for :-)

(If only the server has a certificate, often additionally some other authentication and authorisation is needed, for instance some PIN or TAN.)

oki,
Steffen
Re: On the fly certificate generation to send to the client
* AngelWarrior wrote on Wed, May 20, 2009 at 15:18 -0500:
> I don't need to know with whom I am contacting but after contact my messages should be private.

If you sent your message to just anybody, how can it be private?

oki,
Steffen
Re: Question about x509
* loody wrote on Fri, May 22, 2009 at 21:51 +0800:
> 2009/5/22 David Schwartz dav...@webmaster.com:
>>> Dear all:
>>> at the end of letter, I append the public key I excerpted from my certificate by openssl x509. Since the key is 2048 bits, 256 bytes, I find the length of 00:af:..14:f7 is 257 bytes.
>>
>> Right. In BER/DER form, without the leading 00 byte, the high bit is set and the number is negative.
>
> Is it possible for RSA public key to be negative? As far as I know, the numbers used in RSA should be positive, right? so my certificate may be wrong?

Your value starts with 00, so it is not negative, which was the initial question I think :)

oki,
Steffen
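The point of the two replies, as an added example that is not from the thread and needs no libcrypto: a DER INTEGER is two's complement, so a 256-byte modulus whose first byte is 0xAF gets a single 0x00 prepended, which is where the 257 bytes come from. sample_modulus() is a constructed stand-in for the poster's key, not a real modulus.

```c
#include <stddef.h>
#include <string.h>

/* Contents octets of a DER INTEGER for an unsigned magnitude given
 * big-endian (the layout BN_bn2bin() produces).  Returns the number of
 * bytes written, 0 if out cannot hold them. */
size_t der_uint_contents(const unsigned char *mag, size_t len,
                         unsigned char *out, size_t outcap)
{
    size_t n = 0;

    /* DER forbids redundant leading zero octets in the magnitude itself. */
    while (len > 0 && mag[0] == 0x00) {
        mag++;
        len--;
    }
    if (len == 0) {                      /* the value zero is a single 0x00 */
        if (outcap < 1) return 0;
        out[0] = 0x00;
        return 1;
    }
    if (mag[0] & 0x80) {
        /* INTEGER is two's complement: a set top bit would read as negative,
         * so one 0x00 octet is prepended.  This is the 257th byte of a
         * 2048-bit modulus whose first byte is 0xAF. */
        if (outcap < len + 1) return 0;
        out[n++] = 0x00;
    } else if (outcap < len) {
        return 0;
    }
    memcpy(out + n, mag, len);
    return n + len;
}

/* Full TLV (tag 0x02, DER length, contents).  Long-form lengths up to
 * 0xFFFF are supported, enough for any RSA key size in practice.
 * Returns bytes written, 0 on overflow. */
size_t der_uint_tlv(const unsigned char *mag, size_t len,
                    unsigned char *out, size_t outcap)
{
    unsigned char contents[4097];        /* 4096-byte magnitude + sign pad */
    size_t clen = der_uint_contents(mag, len, contents, sizeof contents);
    size_t hdr, n = 0;

    if (clen == 0 || clen > 0xFFFF) return 0;
    hdr = (clen < 0x80) ? 2 : (clen < 0x100) ? 3 : 4;
    if (outcap < hdr + clen) return 0;

    out[n++] = 0x02;                                  /* INTEGER tag */
    if (clen < 0x80) {
        out[n++] = (unsigned char)clen;               /* short form */
    } else if (clen < 0x100) {
        out[n++] = 0x81;                              /* long form, 1 byte */
        out[n++] = (unsigned char)clen;
    } else {
        out[n++] = 0x82;                              /* long form, 2 bytes */
        out[n++] = (unsigned char)(clen >> 8);
        out[n++] = (unsigned char)(clen & 0xFF);
    }
    memcpy(out + n, contents, clen);
    return n + clen;
}

/* How a DER decoder reads the sign: top bit of the first contents octet. */
int der_int_is_negative(const unsigned char *contents, size_t len)
{
    return len > 0 && (contents[0] & 0x80) != 0;
}

/* Constructed 256-byte (2048-bit) sample magnitude: first byte 0xAF like
 * the poster's dump, the rest a fixed pattern.  Not a real modulus. */
void sample_modulus(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(0x11 * (i % 15) + 1);
    if (len > 0)
        buf[0] = 0xAF;
}
```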
error: Unable to link with SSL
Hi there,

I'm installing Globus Toolkit from source in a Sun Blade 100 and when it starts building openssl I get this error but I can't find what it is:

**
Dependencies Complete
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking OpenSSL CFLAGS... using ' '
checking OpenSSL INCLUDES... using ' '
checking for style of include used by make... GNU
checking for gcc... /usr/bin/gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether /usr/bin/gcc accepts -g... yes
checking for /usr/bin/gcc option to accept ANSI C... none needed
checking dependency style of /usr/bin/gcc... none
checking OpenSSL LDFLAGS... using '-lssl -lcrypto '
checking OpenSSL LIBS... using '-lssl -lcrypto '
configure: error: Unable to link with SSL
make: *** [globus_system_openssl-thr] Error 1
**

And here is what the config.log says:

**
configure:1280: result: no
configure:1600: checking for a BSD-compatible install
configure:1655: result: /usr/bin/install -c
configure:1666: checking whether build environment is sane
configure:1709: result: yes
configure:1774: checking for gawk
configure:1790: found /usr/bin/gawk
configure:1800: result: gawk
configure:1810: checking whether make sets $(MAKE)
configure:1830: result: yes
configure:2010: checking OpenSSL CFLAGS
configure:2017: result: using ' '
configure:2021: checking OpenSSL INCLUDES
configure:2030: result: using ' '
configure:2045: checking for style of include used by make
configure:2073: result: GNU
configure:2144: checking for gcc
configure:2170: result: /usr/bin/gcc
configure:2414: checking for C compiler version
configure:2417: /usr/bin/gcc --version >&5
gcc (Debian 4.3.2-1.1) 4.3.2
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
configure:2420: $? = 0
configure:2422: /usr/bin/gcc -v >&5
Using built-in specs.
Target: sparc-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.3.2-1.1' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --with-cpu=v8 --with-long-double-128 --enable-checking=release --build=sparc-linux-gnu --host=sparc-linux-gnu --target=sparc-linux-gnu
Thread model: posix
gcc version 4.3.2 (Debian 4.3.2-1.1)
configure:2425: $? = 0
configure:2427: /usr/bin/gcc -V >&5
gcc: '-V' option must have argument
configure:2430: $? = 1
configure:2453: checking for C compiler default output file name
configure:2456: /usr/bin/gcc -g -m64 -Wall -I/usr/local/globus-4.2.1/include -I/usr/local/globus-4.2.1/include/gcc64dbgpthr -L/usr/local/globus-4.2.1/lib -m64 conftest.c -lpthread >&5
configure:2459: $? = 0
configure:2505: result: a.out
configure:2510: checking whether the C compiler works
configure:2516: ./a.out
configure:2519: $? = 0
configure:2536: result: yes
configure:2543: checking whether we are cross compiling
configure:2545: result: no
configure:2548: checking for suffix of executables
configure:2550: /usr/bin/gcc -o conftest -g -m64 -Wall -I/usr/local/globus-4.2.1/include -I/usr/local/globus-4.2.1/include/gcc64dbgpthr -L/usr/local/globus-4.2.1/lib -m64 conftest.c -lpthread >&5
configure:2553: $? = 0
configure:2578: result:
configure:2584: checking for suffix of object files
configure:2605: /usr/bin/gcc -c -g -m64 -Wall -I/usr/local/globus-4.2.1/include -I/usr/local/globus-4.2.1/include/gcc64dbgpthr conftest.c >&5
configure:2608: $? = 0
configure:2630: result: o
configure:2634: checking whether we are using the GNU C compiler
configure:2658: /usr/bin/gcc -c -g -m64 -Wall -I/usr/local/globus-4.2.1/include -I/usr/local/globus-4.2.1/include/gcc64dbgpthr conftest.c >&5
configure:2664: $? = 0
configure:2668: test -z || test ! -s conftest.err
configure:2671: $? = 0
configure:2674: test -s conftest.o
configure:2677: $? = 0
configure:2690: result: yes
configure:2696: checking whether /usr/bin/gcc accepts -g
configure:2717: /usr/bin/gcc -c -g -I/usr/local/globus-4.2.1/include -I/usr/local/globus-4.2.1/include/gcc64dbgpthr conftest.c >&5
configure:2723: $? = 0
configure:2727: test -z || test ! -s conftest.err
configure:2730: $? = 0
configure:2733: test -s conftest.o
configure:2736: $? = 0
Openssl : disable sslv2
Hello,

I cannot disable sslv2 :

Openssl s_server -no_ssl2
Loading 'screen into random stat - done
Usign default temp DH Parameters
ACCEPT

After i'm block = Ctrl + C

accept error 10004

Information : Openssl version : 0.9.6g 9 Aug 2002

Can you help me please,

Regards,
Gaël REGUER
OpenSSL and kernel __read_nocancel() blocking under heavy network congestion
Greetings OpenSSL Users list,

In the TR-069 WAN management space, the plethora of user devices in the home have to support SSL-based communications with the server (over the WAN). Recently, one of our integration customers has been subjecting their client to WAN congestion simulation using WANem (wanem.sourceforge.net) on request of an operator for testing. What has been found is that under high packet loss (approximately 50%) and worse, non-SSL operation works fine, but SSL communications will randomly end up stuck on a blocked call, regardless of using select() first, socket timeouts, etc. The usual suspect call that is at the top of most of the stack backtraces is __read_nocancel(). The bad blocking behavior has been experienced using OpenSSL 0.9.7f through 0.9.8k.

The question to the list is how to stop the blocked call behavior so device communication threads don't get stuck? Said differently, if non-SSL isn't blocking, why is SSL getting stuck? Thanks for any suggestions (besides a watchdog timer/observer) that can help correct the problem.

Background: the TR-069 client uses the gSoap system that in turn calls OpenSSL. The communications to the server are HTTP/SOAP based using SSL or non-SSL. The problems are being experienced in Linux 2.6.x systems 32-bit and 64-bit, on MIPS and AMD processors; i.e. both embedded Linux systems and normal development systems. WANem is configured for T1 link, 100ms delay, 10ms jitter, and 40% to 50% packet loss. gSoap uses a select() call with timeout prior to calling SSL_read. In addition, I added code to set SO_RCVTIMEO and SO_SNDTIMEO to 60 seconds on the socket.

Various stack backtraces from entry into gSoap are presented below; each one was captured from a core file produced from kill -3'ing the hung up client. They are just representative of the problem happening from several different entry points into OpenSSL.

(gdb) bt 1
#0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
#1 0x003b91499091 in BIO_new_socket () from /lib64/libcrypto.so.6
#2 0x003b9149766f in BIO_read () from /lib64/libcrypto.so.6
#3 0x003f9642047d in ssl3_read_n () from /lib64/libssl.so.6
#4 0x003f964209dd in ssl3_read_bytes () from /lib64/libssl.so.6
#5 0x003f9641de64 in ssl3_shutdown () from /lib64/libssl.so.6
#6 0x00455961 in tcp_disconnect (soap=0x596960) at gsoap/stdsoap2.c:4013
#7 0x00455c9c in soap_closesock (soap=0x596960) at gsoap/stdsoap2.c:4069

(gdb) bt 2
#0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
#1 0x003b91499091 in BIO_new_socket () from /lib64/libcrypto.so.6
#2 0x003b9149766f in BIO_read () from /lib64/libcrypto.so.6
#3 0x003f9642047d in ssl3_read_n () from /lib64/libssl.so.6
#4 0x003f96420a7f in ssl3_read_bytes () from /lib64/libssl.so.6
#5 0x003f964216c6 in ssl3_get_message () from /lib64/libssl.so.6
#6 0x003f9641c5f6 in ssl3_get_server_hello () from /lib64/libssl.so.6
#7 0x003f9641d1b6 in ssl3_connect () from /lib64/libssl.so.6
#8 0x003f9642334f in ssl23_connect () from /lib64/libssl.so.6
#9 0x00453bbc in tcp_connect (soap=0x596960, endpoint=0x595de0 https://10.2.2.22:8443/dps/TR069;, host=0x5997f0 10.2.2.22, port=8443) at gsoap/stdsoap2.c:3459
#10 0x0046d8e8 in soap_connect_command (soap=0x596960, http_command=2000, endpoint=0x595de0 https://10.2.2.22:8443/dps/TR069;, action=0x476f2f ) at gsoap/stdsoap2.c:12234
#11 0x0046d689 in soap_connect (soap=0x596960, endpoint=0x595de0 https://10.2.2.22:8443/dps/TR069;, action=0x476f2f ) at gsoap/stdsoap2.c:12195

(gdb) bt 3
#0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
#1 0x004a8beb in sock_read ()
#2 0x004a7d6b in BIO_read ()
#3 0x00476fce in ssl23_read_bytes ()
#4 0x00476344 in ssl23_connect ()
#5 0x004528bc in tcp_connect (soap=0x6a8b40, endpoint=0x68dc40 https://10.2.2.22:8443/dps/TR069;, host=0x6ab9d0 10.2.2.22, port=8443) at gsoap/stdsoap2.c:3459
#6 0x0046c5e8 in soap_connect_command (soap=0x6a8b40, http_command=2000, endpoint=0x68dc40 https://10.2.2.22:8443/dps/TR069;, action=0x52432f ) at gsoap/stdsoap2.c:12234
#7 0x0046c389 in soap_connect (soap=0x6a8b40, endpoint=0x68dc40 https://10.2.2.22:8443/dps/TR069;, action=0x52432f ) at gsoap/stdsoap2.c:12195

(gdb) bt 4
#0 0x00496332 in CRYPTO_lock ()
#1 0x004eec8f in ssleay_rand_add ()
#2 0x004907ec in ssl3_connect ()
#3 0x004945da in ssl3_write_bytes ()
#4 0x0044918a in fsend (soap=0x6a8b60, s=0x6a8f40 POST /dps/TR069 HTTP/1.1\r\nHost: 10.2.2.22:8443\r\nUser-Agent: gSOAP/2.7\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: \ 2393\r\nConnection: keep-alive\r\nSOAPAction: \\\r\n\r\n\ xmlns:xsi=\http://www.w3;..., n=174) at gsoap/stdsoap2.c:468
#5 0x0044984f in soap_flush_raw (soap=0x6a8b60, s=0x6a8f40 POST /dps/TR069 HTTP/1.1\r\nHost:
unresolved symbols when linking with vs2005
Hello,

I have built openssl 098k with visual studio 2005 using the following script (batch file):

perl.exe Configure VC-WIN32 --prefix=C:\tmpopenssl no-idea no-mdc2 no-rc5 no-asm no-shared
ms\do_ms
nmake -f ms\nt.mak
nmake -f ms\nt.mak install

openssl builds with no problem reporting:

Configuring for VC-WIN32
no-asm [option] OPENSSL_NO_ASM
no-camellia [default] OPENSSL_NO_CAMELLIA (skip dir)
no-capieng [default] OPENSSL_NO_CAPIENG (skip dir)
no-cms [default] OPENSSL_NO_CMS (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-idea [option] OPENSSL_NO_IDEA (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-mdc2 [option] OPENSSL_NO_MDC2 (skip dir)
no-montasm [default]
no-rc5 [option] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-seed [default] OPENSSL_NO_SEED (skip dir)
no-shared [option]
no-zlib [default]
no-zlib-dynamic [default]
IsMK1MF=1
CC =cl
CFLAG =-DOPENSSL_THREADS -DDSO_WIN32
EX_LIBS =
CPUID_OBJ =
BN_ASM =bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
AES_ASM_OBJ =aes_core.o aes_cbc.o
BF_ENC =bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o rc4_skey.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB =true
ARFLAGS =
PERL =perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Configured for VC-WIN32.

openssl-0.9.8k>rem ms\do_masm
openssl-0.9.8k>ms\do_ms
openssl-0.9.8k>perl util\mkfiles.pl 1>MINFO
openssl-0.9.8k>perl util\mk1mf.pl no-asm VC-WIN32 1>ms\nt.mak
openssl-0.9.8k>perl util\mk1mf.pl dll no-asm VC-WIN32 1>ms\ntdll.mak
openssl-0.9.8k>perl util\mk1mf.pl no-asm VC-CE 1>ms\ce.mak
%OSVERSION% is not defined at util/pl/VC-32.pl line 57.
Compilation failed in require at util\mk1mf.pl line 151.
openssl-0.9.8k>perl util\mk1mf.pl dll no-asm VC-CE 1>ms\cedll.mak
%OSVERSION% is not defined at util/pl/VC-32.pl line 57.
Compilation failed in require at util\mk1mf.pl line 151.
openssl-0.9.8k>perl util\mkdef.pl 32 libeay 1>ms\libeay32.def
openssl-0.9.8k>perl util\mkdef.pl 32 ssleay 1>ms\ssleay32.def

Building OpenSSL
perl util/copy.pl .\crypto\buildinf.h tmp32\buildinf.h
Copying: ./crypto/buildinf.h to tmp32/buildinf.h
perl util/copy.pl .\crypto\opensslconf.h inc32\openssl\opensslconf.h
Copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h
cl /Fotmp32\cryptlib.obj -Iinc32 -Itmp32 /MT /Ox /O2 /Ob2 /W3 /WX /Gs0 /GF /Gy /nologo ...
cl ...
...
... openssl.c
link /nologo /subsystem:console /opt:ref /out:out32\openssl.exe @C:\DOCUME~1\dax\LOCALS~1\Temp\nm451.tmp
IF EXIST out32\openssl.exe.manifest mt -nologo -manifest out32\openssl.exe.manifest -outputresource:out32\openssl.exe;1
perl util/mkdir-p.pl C:\tmpopenssl
perl util/mkdir-p.pl C:\tmpopenssl\bin
created directory `C:/tmpopenssl/bin'
perl util/mkdir-p.pl C:\tmpopenssl\include
created directory `C:/tmpopenssl/include'
perl util/mkdir-p.pl C:\tmpopenssl\include\openssl
created directory `C:/tmpopenssl/include/openssl'
perl util/mkdir-p.pl C:\tmpopenssl\lib
created directory `C:/tmpopenssl/lib'
perl util/copy.pl inc32\openssl\*.[ch] C:\tmpopenssl\include\openssl
Copying: inc32/openssl/aes.h to C:/tmpopenssl/include/openssl/aes.h
Copying: ...
...
Copying: inc32/openssl/x509v3.h to C:/tmpopenssl/include/openssl/x509v3.h
perl util/copy.pl out32\openssl.exe C:\tmpopenssl\bin
Copying: out32/openssl.exe to C:/tmpopenssl/bin/openssl.exe
perl util/copy.pl apps\openssl.cnf C:\tmpopenssl
Copying: apps/openssl.cnf to C:/tmpopenssl/openssl.cnf
perl util/copy.pl out32\ssleay32.lib C:\tmpopenssl\lib
Copying: out32/ssleay32.lib to C:/tmpopenssl/lib/ssleay32.lib
perl util/copy.pl out32\libeay32.lib C:\tmpopenssl\lib
Copying: out32/libeay32.lib to C:/tmpopenssl/lib/libeay32.lib

So far so good, however, when I link my project I get the following unresolved symbols:

connect.obj : error LNK2019: unresolved external symbol _RC4_set_key referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _HMAC_CTX_cleanup referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _HMAC_Final referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _HMAC_Update referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _HMAC_Init_ex referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _EVP_sha256 referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _HMAC_CTX_init referenced in function void __cdecl InitializeEncryption()
connect.obj : error LNK2019: unresolved external symbol _RC4 referenced in function protected: bool __thiscall Connect()

The connect.obj functions are mine. The code is trying to build a console application. Am I leaving something out that I get these unresolved? Thank you, I will greatly appreciate any help.
Re: unresolved symbols when linking with vs2005
Answer below...

On Mon, May 25, 2009 at 10:38 PM, gary marlow garytmar...@hotmail.com wrote:
> perl util/copy.pl out32\ssleay32.lib C:\tmpopenssl\lib
> Copying: out32/ssleay32.lib to C:/tmpopenssl/lib/ssleay32.lib
> perl util/copy.pl out32\libeay32.lib C:\tmpopenssl\lib
> Copying: out32/libeay32.lib to C:/tmpopenssl/lib/libeay32.lib
>
> So far so good, however, when I link my project I get the following unresolved symbols:
>
> connect.obj : error LNK2019: unresolved external symbol _RC4_set_key referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _HMAC_CTX_cleanup referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _HMAC_Final referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _HMAC_Update referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _HMAC_Init_ex referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _EVP_sha256 referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _HMAC_CTX_init referenced in function void __cdecl InitializeEncryption()
> connect.obj : error LNK2019: unresolved external symbol _RC4 referenced in function protected: bool __thiscall Connect()
>
> The connect.obj functions are mine. The code is trying to build a console application. Am I leaving something out that I get these unresolved? Thank you, I will greatly appreciate any help.

Might be you didn't specify that libeay32.lib file as part of the includes of the linker (see linker section in MSVC project: Linker > Input > Additional Dependencies).

Note that SSL delivers two(2) libraries/DLLs: ssleay32 for the SSL stuff and libeay32 for the crypto stuff, such as MD4, AES, etc...

(Disclaimer ;-)) : I use a completely different MSVC rig myself, so cannot validate this, but it's my first hunch, given the way openSSL produces its libraries and the caveats regarding msvc and external library usage.)

--
Met vriendelijke groeten / Best regards,
Ger Hobbelt
--
web: http://www.hobbelt.com/
     http://www.hebbut.net/
mail: g...@hobbelt.com
mobile: +31-6-11 120 978
--
Re: Openssl : disable sslv2
Use a MUCH more recent version of OpenSSL.

However, accept error 10004 is (on Windows) a "system call interrupted" error, if I am given to understand properly, which means that you ctrl+c'd: you interrupted the system call (accept()) which was waiting for a connection. Not sure what port it was waiting for, though, my documentation doesn't go that far back.

-Kyle H

On Mon, May 25, 2009 at 7:34 AM, Gaël REGUER g.reg...@sgfgas.fr wrote:
> Hello,
> I cannot disable sslv2 :
> Openssl s_server –no_ssl2
> Loading ‘screen into random stat – done
> Usign default temp DH Parameters
> ACCEPT
> After i’m block = Ctrl + C
> accept error 10004
> Information : Openssl version : 0.9.6g 9 Aug 2002
> Can you help me please,
> Regards,
> Gaël REGUER
RE: Openssl : disable sslv2
> From: owner-openssl-us...@openssl.org On Behalf Of Gaël REGUER
> Sent: Monday, 25 May, 2009 10:35
>
> I cannot disable sslv2 :

What makes you think that?

> Openssl s_server no_ssl2
> Loading screen into random stat done
> Usign default temp DH Parameters
> ACCEPT

You either mistyped that or damaged it in copying: screen should have FORWARD quote before and after, and state and Using should be spelled correctly. And I don't have 096g to check, but by 097d you need -nocert to avoid an error for no readable keycert.

> After im block = Ctrl + C
> accept error 10004

It's normal for s_server to block until a client connects; that's what a server DOES. What did you do to cause a client connection, and if it failed in what way did it do so? If client got a 'physical' TCP connection, but failed in SSL negotiation, add -msg and maybe -debug to s_server to get (quite a bit) more detailed output about what it's doing.
RE: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
> From: owner-openssl-us...@openssl.org On Behalf Of David Woodhouse
> Sent: Friday, 22 May, 2009 05:49
> To: openssl-users@openssl.org
> Subject: Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
>
> On Thu, 2009-05-21 at 22:44 +0100, David Woodhouse wrote:
>> I'm trying to connect to an HTTPS server, and my connection is being rejected when I use a client certificate:
>>
>> [dw...@macbook ~]$ openssl s_client -cert $CERT -connect $SERVER:443 -crlf -tls1
>> CONNECTED(0003)
>> depth=1 /C=US/O=Foo Corporation/CN=Foo Intranet Basic Issuing CA 2A
>> verify error:num=20:unable to get local issuer certificate
>> verify return:0
>> 24620:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Those errors are run together; there should be different line breaks.

> I've discovered that it works if I also use the '-CAfile' option and give it the appropriate certificate chain. If I use an empty CAfile or one with the wrong certificates in it, the server still hates me.

I don't understand why you got verify return 0 above. In at least all 098* that I've used, s_client logs verify errors on the server cert (like no-issuer or self-signed) but ignores them and continues. However, since s3_pkt:530 is a failure on our end of the handshake, maybe it is indeed failing for verification. Or maybe something else, since according to your wireshark it certainly does seem the client sends the rest of the sequence (cert, keyxch, verify, change, finished?).

I suggest running the client with -state and -msg or probably better -debug to get (much) more detailed information about what it's doing. And check (or ask) if the server logs any helpful error messages.

I assume your $CERT file actually contains cert AND KEY, otherwise you should have gotten quite different errors.

> But NSS can connect without having to have the certificate chain in place locally. Is there a way to make OpenSSL behave similarly, so that it doesn't upset the server?

Presumably it's not verifying the server, then. That's a local choice and doesn't bother the protocol. It's usually not good security practice; whether it's acceptable in your application is up to you.
RE: OpenSSL and kernel __read_nocancel() blocking under heavy network congestion
> Background: the TR-069 client uses the gSoap system that in turn calls OpenSSL. The communications to the server are HTTP/SOAP based using SSL or non-SSL. The problems are being experienced in Linux 2.6.x systems 32-bit and 64-bit, on MIPS and AMD processors; i.e. both embedded Linux systems and normal development systems. WANem is configured for T1 link, 100ms delay, 10ms jitter, and 40% to 50% packet loss. gSoap uses a select() call with timeout prior to calling SSL_read.

Why? You can't 'select' on the decrypted data stream. The SSL_read function reads *decrypted* data from the OpenSSL output stream, not encrypted data from the socket (unless that happens to be necessary). It is a serious mistake to call 'select' prior to calling SSL_read. For example, suppose the data has already been read from the socket (SSL_write can result in data being read from the socket), and an SSL_read would complete immediately. You will be calling 'select' to wait for data that has already been read.

> In addition, I added code to set SO_RCVTIMEO and SO_SNDTIMEO to 60 seconds on the socket.

Why? You're using non-blocking operations. Fortunately, this will do nothing because these timeouts only affect blocking operations, but if they did take effect, they would destroy the integrity of the connection. (They are timeouts for the operations themselves, not just for the calls that initiate them.)

> Various stack backtraces from entry into gSoap are presented below; each one was captured from a core file produced from kill -3'ing the hung up client. They are just representative of the problem happening from several different entry points into OpenSSL.
>
> (gdb) bt 1
> #0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
> #1 0x003b91499091 in BIO_new_socket () from /lib64/libcrypto.so.6
> #2 0x003b9149766f in BIO_read () from /lib64/libcrypto.so.6
> #3 0x003f9642047d in ssl3_read_n () from /lib64/libssl.so.6
> #4 0x003f964209dd in ssl3_read_bytes () from /lib64/libssl.so.6
> #5 0x003f9641de64 in ssl3_shutdown () from /lib64/libssl.so.6
> #6 0x00455961 in tcp_disconnect (soap=0x596960) at gsoap/stdsoap2.c:4013
> #7 0x00455c9c in soap_closesock (soap=0x596960) at gsoap/stdsoap2.c:4069

How is the connection made non-blocking exactly?

> #0 0x003b8d40bf7b in __read_nocancel () from /lib64/libpthread.so.0
> #1 0x004a8e0b in sock_read ()
> #2 0x004a7f8b in BIO_read ()
> #3 0x0049411d in ssl3_read_n ()
> #4 0x00494c60 in ssl3_read_bytes ()
> #5 0x00495b44 in ssl3_get_message ()
> #6 0x0048fea1 in ssl3_get_server_hello ()
> #7 0x00490a66 in ssl3_connect ()
> #8 0x004947da in ssl3_write_bytes ()
> #9 0x00449194 in fsend (soap=0x6a8de0, s=0x6a91c0 POST /dps/TR069 HTTP/1.1\r\nHost: 10.2.2.22:8443\r\nUser-Agent: gSOAP/2.7\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: \ 2393\r\nConnection: keep-alive\r\nSOAPAction: \\\r\n\r\n\ xmlns:xsi=\http://www.w3;..., n=174) at gsoap/stdsoap2.c:470
> #10 0x00449859 in soap_flush_raw (soap=0x6a8de0, s=0x6a91c0 POST /dps/TR069 HTTP/1.1\r\nHost: 10.2.2.22:8443\r\nUser-Agent: gSOAP/2.7\r\nContent-Type: text/xml; charset=utf-8\r\nContent-Length: \ 2393\r\nConnection: keep-alive\r\nSOAPAction: \\\r\n\r\n\ xmlns:xsi=\http://www.w3;..., n=174) at gsoap/stdsoap2.c:671
> #11 0x00449589 in soap_flush (soap=0x6a8de0) at gsoap/stdsoap2.c:637
> #12 0x00458e8c in soap_end_send (soap=0x6a8de0) at gsoap/stdsoap2.c:5399

Are you sure the connection is non-blocking? Are you absolutely 100% sure? It looks like you simply have forgotten to set the connection non-blocking. As a result, you may block in one direction forever even though you could make forward progress in the other direction.

DS