OpenSSL on IBMi
Could somebody point me to the latest patch available (with instructions) for compiling openssl on IBMi (OS/400).

Pankaj

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: OpenSSL on IBMi
http://rt.openssl.org/Ticket/Display.html?id=1565&user=guest&pass=guest

Only for 0.9.8e, though.

G.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 04 April 2010 10:05
To: openssl-users@openssl.org
Subject: OpenSSL on IBMi

Could somebody point me to the latest patch available (with instructions) for compiling openssl on IBMi (OS/400).

Pankaj
Re: OpenSSL on IBMi
I used the patch on openssl 0.9.8e. On firing ./Configure OS400-icc I am getting the following error:

qsh: 001-0014 Command /home/qsecofr/openssl/QAPTL/GMAKE not found.
GMAKE: *** [links] Error 1
$

I have set the PATH environment variable as follows:

/qibm/ProdData/DeveloperTools/qsh/bin/:/usr/bin:.:/QOpenSys/usr/bin

I am using the old perl binaries for OS400 from the CPAN site. Any idea where the problem is?

On Sun, Apr 4, 2010 at 3:08 PM, Shaw Graham George <gs...@axway.com> wrote:
> http://rt.openssl.org/Ticket/Display.html?id=1565&user=guest&pass=guest
>
> Only for 0.9.8e, though.
>
> G.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
> Sent: 04 April 2010 10:05
> To: openssl-users@openssl.org
> Subject: OpenSSL on IBMi
>
> Could somebody point me to the latest patch available (with instructions) for compiling openssl on IBMi (OS/400).
>
> Pankaj
RE: OpenSSL on IBMi
You should read the detail of the readme files for this and maybe previous ports at rt.openssl.org.

Firstly, for this port to work, you need to install the IBM AS/400 GNU utilities - it doesn't look like you have. I'm not sure of their current status, but at the time these were unsupported utilities only obtainable from IBM. They are delivered as CCSID 37 binaries, so you need to know what CCSID you wish to support. I had to get the source from IBM (by special request) and re-compile gmake to run as CCSID 500. AFAIK (but I am a little out of date), any gmake delivered with the AS/400 is a PASE binary.

Regarding perl, I can't remember if perl (for CCSID 37) from CPAN worked. I certainly failed to port CPAN perl to CCSID 500 (and ran out of time to investigate further). But this made no difference to me as I was building OpenSSL for about 13 platforms, so I could run the configure option (that uses perl) on UNIX. If I was looking again now, and looking for AS/400-independence, I'd investigate if I could run a PASE version of perl for the configure.

G.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 04 April 2010 12:46
To: openssl-users@openssl.org
Subject: Re: OpenSSL on IBMi

I used the patch on openssl 0.9.8e. On firing ./Configure OS400-icc I am getting the following error:

qsh: 001-0014 Command /home/qsecofr/openssl/QAPTL/GMAKE not found.
GMAKE: *** [links] Error 1
$

I have set the PATH environment variable as follows:

/qibm/ProdData/DeveloperTools/qsh/bin/:/usr/bin:.:/QOpenSys/usr/bin

I am using the old perl binaries for OS400 from the CPAN site. Any idea where the problem is?

On Sun, Apr 4, 2010 at 3:08 PM, Shaw Graham George <gs...@axway.com> wrote:
> http://rt.openssl.org/Ticket/Display.html?id=1565&user=guest&pass=guest
>
> Only for 0.9.8e, though.
>
> G.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
> Sent: 04 April 2010 10:05
> To: openssl-users@openssl.org
> Subject: OpenSSL on IBMi
>
> Could somebody point me to the latest patch available (with instructions) for compiling openssl on IBMi (OS/400).
>
> Pankaj
Re: handshake failure / SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr
On 01.04.10 23:09, Victor Duchovni wrote:
> On Thu, Apr 01, 2010 at 10:48:56PM +0200, Götz Reinicke - IT Koordinator wrote:
>> Hi, how do I check this? On both servers I do have installed the same client and server software and performing a secured connection from both systems to the master server works; from both systems to the slave server fails.
>
> If the slave has no certificate with a mutually agreeable public key algorithm, it will not offer any of the associated cipher-suites. Thus either the slave has a mis-configured cipher-list, is missing required certificates, or missing the associated private keys.

Hi Viktor,

thanks for your response. I don't know what went wrong and the error messages aren't of any help to me. You too mention a lot of different possible sources of error.

So I set up two new ldap servers (master and slave) and a third just for fun for a CA. Then I worked step by step through my previously used tutorial and voila: the connections from clients (local linux ldapsearch, remote Mac OS X Apache Directory Studio) to the servers are encrypted. Even the replication from the master to the slave. Strike.

Now I'm faced with some other questions regarding the CA, but this will be another posting.

Happy Easter!

- Götz

--
Götz Reinicke
IT-Koordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reini...@filmakademie.de
Filmakademie Baden-Württemberg GmbH
Akademiehof 10
71638 Ludwigsburg
www.filmakademie.de
Registered at Amtsgericht Stuttgart, HRB 205016
Chair of the Supervisory Board: Prof. Dr. Claudia Hübner, State Councillor for Demographic Change and Senior Citizens in the State Ministry
Managing Director: Prof. Thomas Schadt
setting an SSL_accept(...) timeout
hello,

is there a way I can set a timeout for an SSL_accept, either if the handshake does not complete within X seconds (preferred), or even if it is waiting on a blocking socket and no data comes in for X seconds. I know I can use alarms, but I was wondering (hoping) there was a mechanism already built into the OpenSSL APIs.

thank you,

-=- adam grossman
Re: setting an SSL_accept(...) timeout
On Sun, Apr 04, 2010, Adam Grossman wrote:
> hello,
>
> is there a way I can set a timeout for an SSL_accept, either if the handshake does not complete within X seconds (preferred), or even if it is waiting on a blocking socket and no data comes in for X seconds. I know I can use alarms, but I was wondering (hoping) there was a mechanism already built into the OpenSSL APIs.

The only way to reliably do this is with non-blocking I/O at the application level.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: setting an SSL_accept(...) timeout
Peter-Michael,

thanks for the info, but this is on linux.

-=- adam grossman

On Sun, 2010-04-04 at 19:40 +0200, PMHager wrote:
> Adam Grossman wrote:
>> is there a way I can set a timeout for an SSL_accept, either if the handshake does not complete within X seconds (preferred), or even if it is waiting on a blocking socket and no data comes in for X seconds. I know I can use alarms, but I was wondering (hoping) there was a mechanism already built into the OpenSSL APIs.
>
> This is part of the Winsock functions. If you need different timeouts in the different states, just call setsockopt() appropriately.
>
> #include <winsock2.h>
>
> SOCKET hSocket;
> DWORD dwTimeout = 1000; // milliseconds
> setsockopt(hSocket, SOL_SOCKET, SO_RCVTIMEO, (char*)&dwTimeout, sizeof dwTimeout);
> setsockopt(hSocket, SOL_SOCKET, SO_SNDTIMEO, (char*)&dwTimeout, sizeof dwTimeout);
>
> Peter-Michael
>
> --
> Peter-Michael Hager - acm senior - HAGER-ELECTRONICS GmbH - Germany
How to passively obtain the server certificate from a TLS connection
Hello all!

(I'm a new member of this mailing list, so if the answer to my question is already somewhere in the archives please point me there.) (I've done some searching and couldn't find anything useful.)

In the context of the Perspectives project ( http://www.cs.cmu.edu/~perspectives ) (the Perspectives developers mailing list is also put in CC, so please keep them there) I want to implement an HTTPS proxy server that does the following:

* when it receives the CONNECT request it connects to the designated target, but,
* it monitors the connection (thus sniffing the connection) in order to obtain the SSL certificate that the server uses;
* it compares the SSL certificate fingerprint to those reported by the notary servers (part of the Perspectives project infrastructure), and
* if the fingerprints match I stop sniffing the connection and just continue proxying;
* if the fingerprints don't match I just drop the connection;

So my problem is the following: how can I extract the SSL certificate from the connection without reimplementing the TLS protocol? For example I assume that there is a method (which I'm not aware of and want to find), in which I just feed the data that comes from the server to the client (ignoring the other channel of the connection) into a parser, which at the end will spit out the certificate (or at least decode the TLS packets as they fly by). (I bet that there are functions in the openssl library, but it's hard to spot them in the reference documentation.)

And a second question (related to security): I guess that there is no way to trick my proxy by switching to another certificate once the first one was already sent? For example I guess there is no way in which the server can re-initiate the TLS handshake (reusing the same connection) by using another certificate than the one previously sent.

Thanks for your support,
Ciprian.
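A passive extractor of the kind described above, as an added example (it is not part of the original post and not Perspectives project code): it consumes the server-to-client byte stream at the TLS record layer, reassembles handshake messages that the record layer may split across records or pack several to a record, and returns the certificate chain from the first Certificate message, which is what the proxy would fingerprint against the notary answers. Python's standard library is used rather than the OpenSSL C API because OpenSSL has no public "parse this record without a connection" entry point; the sample server flight, including its certificate bytes, is constructed inline and contains no real certificate. Two caveats a practitioner wants: in a TLS 1.0-1.2 abbreviated (resumed) handshake the server sends no Certificate message at all, and in TLS 1.3 the Certificate message is encrypted, so in both cases the extractor sees a ChangeCipherSpec or encrypted records without ever seeing a certificate and the proxy has to decide what to do (for example, remember the fingerprint per session ID, or refuse resumption by terminating TLS itself). On the second question: a server can renegotiate in TLS 1.0-1.2, but the renegotiation handshake travels under the existing record encryption, so a certificate presented during renegotiation is invisible to a passive observer; policing that also requires terminating TLS in the proxy.

```python
import hashlib
import struct

# TLS record content types and handshake message types (RFC 5246)
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23
HS_SERVER_HELLO, HS_CERTIFICATE = 2, 11
RECORD_HEADER_LEN = 5


class ServerCertificateSniffer:
    """Feed it server->client bytes in any TCP segmentation; `chain` becomes the
    list of DER blobs (leaf first) from the first Certificate message, or
    `encrypted` becomes True once the stream stops being readable passively."""

    def __init__(self):
        self._records = b""      # unconsumed record-layer bytes
        self._handshake = b""    # reassembled handshake-layer bytes
        self.chain = None
        self.encrypted = False

    def feed(self, data):
        self._records += data
        while self.chain is None and not self.encrypted:
            if len(self._records) < RECORD_HEADER_LEN:
                break
            ctype, major, minor, length = struct.unpack("!BBBH", self._records[:RECORD_HEADER_LEN])
            if major != 3 or ctype not in (CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA):
                raise ValueError("not a TLS record: type %d, version %d.%d" % (ctype, major, minor))
            end = RECORD_HEADER_LEN + length
            if len(self._records) < end:
                break                                   # record not fully received yet
            body, self._records = self._records[RECORD_HEADER_LEN:end], self._records[end:]
            if ctype in (CT_CHANGE_CIPHER_SPEC, CT_APPLICATION_DATA):
                # resumed session (no Certificate at all) or TLS 1.3 (Certificate is
                # encrypted): nothing after this point is readable without the keys
                self.encrypted = True
            elif ctype == CT_HANDSHAKE:
                self._handshake += body
                self._drain_handshake()
        return self.chain

    def _drain_handshake(self):
        # one record may carry several handshake messages, or only a fragment of one
        while len(self._handshake) >= 4:
            hs_type = self._handshake[0]
            hs_len = int.from_bytes(self._handshake[1:4], "big")
            if len(self._handshake) < 4 + hs_len:
                return                                  # wait for the next record
            body, self._handshake = self._handshake[4:4 + hs_len], self._handshake[4 + hs_len:]
            if hs_type == HS_CERTIFICATE:
                self.chain = parse_certificate_list(body)
                return


def parse_certificate_list(body):
    """Body of a TLS 1.0-1.2 Certificate message: uint24 total length, then a
    sequence of uint24-length-prefixed DER certificates, leaf first."""
    total = int.from_bytes(body[:3], "big")
    if len(body) != 3 + total:
        raise ValueError("certificate_list length does not match message length")
    chain, pos = [], 3
    while pos < len(body):
        clen = int.from_bytes(body[pos:pos + 3], "big")
        cert = body[pos + 3:pos + 3 + clen]
        if len(cert) != clen:
            raise ValueError("truncated certificate entry")
        chain.append(cert)
        pos += 3 + clen
    return chain


def fingerprint(der, algo="sha256"):
    """Hex digest of the DER bytes, the form in which notaries report certificates."""
    return hashlib.new(algo, der).hexdigest()


# --- constructed sample traffic (not a capture) -----------------------------

def _handshake_msg(hs_type, body):
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def _record(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 3, len(body)) + body      # 3.3 = TLS 1.2


def build_sample_stream(chain, resumed=False):
    """Server flight: ServerHello, then either the Certificate message split across
    two records, or (resumed=True) a ChangeCipherSpec with no certificate at all."""
    server_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"  # version, random, empty session id, cipher, no compression
    flight = _handshake_msg(HS_SERVER_HELLO, server_hello)
    if resumed:
        return _record(CT_HANDSHAKE, flight) + _record(CT_CHANGE_CIPHER_SPEC, b"\x01")
    cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    flight += _handshake_msg(HS_CERTIFICATE, len(cert_list).to_bytes(3, "big") + cert_list)
    cut = len(flight) // 2
    return _record(CT_HANDSHAKE, flight[:cut]) + _record(CT_HANDSHAKE, flight[cut:])


def sniff(stream, chunk=7):
    """Push the stream through the sniffer in `chunk`-byte pieces, as TCP might deliver it."""
    sniffer = ServerCertificateSniffer()
    for i in range(0, len(stream), chunk):
        sniffer.feed(stream[i:i + chunk])
    return sniffer


if __name__ == "__main__":
    leaf = b"\x30\x82\x01\x00" + bytes(range(256))   # stand-in bytes, not a real DER certificate
    issuer = b"\x30\x10" + b"\xab" * 16
    seen = sniff(build_sample_stream([leaf, issuer]))
    print("leaf sha256:", fingerprint(seen.chain[0]), "chain length:", len(seen.chain))
    print("resumed session exposes a certificate:", sniff(build_sample_stream([leaf], resumed=True)).chain is not None)
```

In the proxy, `feed` is called on every buffer read from the upstream socket before it is forwarded; once `chain` is set, compare `fingerprint(chain[0])` with the notary results and either stop parsing or close both sockets. Treat `encrypted` without a chain as a policy decision, not a success.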
RE: setting an SSL_accept(...) timeout
Adam Grossman wrote:
> thanks for the info, but this is on linux.

The socket interface is almost the same on linux:

#include <sys/socket.h>
#include <sys/time.h>

int hSocket;
struct timeval tv = { 1, 0 }; // 1 second; on Linux SO_RCVTIMEO/SO_SNDTIMEO take a struct timeval, not an integer of milliseconds
setsockopt(hSocket, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
setsockopt(hSocket, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);

[http://linux.die.net/man/3/setsockopt]

Peter-Michael

--
Peter-Michael Hager - acm senior - HAGER-ELECTRONICS GmbH - Germany
RE: setting an SSL_accept(...) timeout
I have done networking programming for a while, and I have never run across that before. Thank you so much, you have just saved me a lot of development time!

-=- adam grossman

On Sun, 2010-04-04 at 22:34 +0200, PMHager wrote:
> Adam Grossman wrote:
>> thanks for the info, but this is on linux.
>
> The socket interface is almost the same on linux:
>
> #include <sys/socket.h>
> #include <sys/time.h>
>
> int hSocket;
> struct timeval tv = { 1, 0 }; // 1 second; on Linux SO_RCVTIMEO/SO_SNDTIMEO take a struct timeval, not an integer of milliseconds
> setsockopt(hSocket, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
> setsockopt(hSocket, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
>
> [http://linux.die.net/man/3/setsockopt]
>
> Peter-Michael
>
> --
> Peter-Michael Hager - acm senior - HAGER-ELECTRONICS GmbH - Germany
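The two approaches from this thread side by side, as an added example written against Python's ssl module (a thin wrapper over OpenSSL: `SSLSocket.do_handshake()` is `SSL_do_handshake`, and `SSLWantReadError`/`SSLWantWriteError` are `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE`); it is not code from the thread. `handshake_with_deadline` is what Steve recommends: a non-blocking socket, a `select()` loop driven by the WANT_READ/WANT_WRITE results, and one deadline for the whole handshake however many round trips it takes. `handshake_with_socket_timeout` is the per-operation alternative Peter-Michael describes; Python's `settimeout()` is implemented with a select inside the interpreter rather than with SO_RCVTIMEO, but it has the same semantics and the same caveat: it bounds each blocking read or write, not the handshake, so a peer that sends one byte just before each timeout expires can hold SSL_accept (and the thread behind it) open indefinitely. The demo pairs a listening socket with a client that connects and then sends nothing, which is exactly the case the question asks about; no certificate is loaded because the handshake never gets far enough to need one, and everything (addresses, timeouts) is constructed for the demo.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(tls_sock, seconds):
    """Complete a non-blocking TLS handshake (SSL_accept or SSL_connect) within
    `seconds` regardless of how many round trips it needs. True on success,
    False if the deadline passes first; other SSL errors propagate."""
    deadline = time.monotonic() + seconds
    while True:
        try:
            tls_sock.do_handshake()            # SSL_do_handshake on a non-blocking fd
            return True
        except ssl.SSLWantReadError:           # SSL_ERROR_WANT_READ
            readers, writers = [tls_sock], []
        except ssl.SSLWantWriteError:          # SSL_ERROR_WANT_WRITE
            readers, writers = [], [tls_sock]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        ready_r, ready_w, _ = select.select(readers, writers, [], remaining)
        if not ready_r and not ready_w:
            return False                       # select() timed out: deadline reached


def handshake_with_socket_timeout(tls_sock, seconds):
    """Per-operation timeout on a blocking socket: each read/write inside the
    handshake is bounded, the handshake as a whole is not."""
    tls_sock.settimeout(seconds)
    try:
        tls_sock.do_handshake()
        return True
    except socket.timeout:
        return False


def _silent_client_pair():
    """A listener, the accepted server-side connection, and a client that
    connects but never sends a ClientHello (constructed for the demo)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_conn, _ = listener.accept()
    return listener, client, server_conn


def demo(seconds=0.25, nonblocking=True):
    """Run SSL_accept against the silent client; returns (handshake_ok, elapsed_seconds)."""
    listener, client, server_conn = _silent_client_pair()
    tls = server_conn
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        # no certificate loaded: the silent client never lets SSL_accept get past reading the ClientHello
        if nonblocking:
            server_conn.setblocking(False)
        tls = ctx.wrap_socket(server_conn, server_side=True, do_handshake_on_connect=False)
        started = time.monotonic()
        if nonblocking:
            ok = handshake_with_deadline(tls, seconds)
        else:
            ok = handshake_with_socket_timeout(tls, seconds)
        return ok, time.monotonic() - started
    finally:
        for s in (tls, client, listener):
            s.close()


if __name__ == "__main__":
    for mode in (True, False):
        ok, elapsed = demo(0.25, nonblocking=mode)
        print("nonblocking=%s handshake_ok=%s gave up after %.2fs" % (mode, ok, elapsed))
```

The C shape of the first function is the same loop: call `SSL_accept`, on a negative return consult `SSL_get_error`, and on `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` wait with `select` or `poll` for the time left until the deadline, giving up (and closing the socket) when it runs out.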
Decrypting with key and initialization vector don't decrypt the first 8 bytes?
Hello everybody and thank you all for reading.

I'm doing some experiments with blowfish and triple DES ciphers. I'm encrypting some text files, using a password to generate the key and the IV, while using the -p option to let openssl show me the salt, the key and the IV on screen.

As far as I've understood I could decrypt the output encrypted file just supplying the key and the IV. And actually if I do that, that is ALMOST what I get. But the first eight characters of the source file didn't get decrypted, or at least they don't apparently get decoded correctly: I get a bunch of unreadable binary bytes instead.

Here's what I did:

$ openssl enc -bf -in source.txt -out encrypted -p
enter bf-cbc encryption password:
Verifying - enter bf-cbc encryption password:
salt=FF01D744C268C056
key=22153E114FB3C2873BAE05873AFBD19C
iv =F68A9A229A516752

Then if I try to decode the encrypted file with:

openssl enc -d -bf -in encrypted -K 22153E114FB3C2873BAE05873AFBD19C -iv F68A9A229A516752

then the output *of the first eight bytes* isn't even ASCII so I can't paste it here! The rest of the file is perfectly decrypted though. I tried with files of various lengths and they are all decrypted perfectly but the first chars. I tried with versions 0.9.8g (19 Oct 2007) and 0.9.8k (25 Mar 2009) with the same results. Using des3 in place of bf doesn't change that behaviour either.

Please kindly help me to understand what I'm missing. Thank you SO much!

--
Alfredo Belmonti
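What the two commands above do on the wire, as an added example that is not part of the original post: when given a password (and not `-nosalt`), `openssl enc` in 0.9.8 writes a 16-byte header, the ASCII magic `Salted__` followed by the 8-byte salt, in front of the CBC ciphertext, and derives key and IV from password and salt with EVP_BytesToKey (MD5, one iteration in that release); the values printed by `-p` are exactly that derivation. Decrypting with `-K`/`-iv` supplies no password, so `enc` never looks for the header and decrypts it as if it were ciphertext. The block reimplements the header and the KDF on the standard library and runs the decryption through CBC with a toy 8-byte XOR "block cipher" standing in for Blowfish, so the numbers are not those of the real ciphertext but the structure is, which is enough to show how far the damage reaches: CBC resynchronises two blocks after the unexpected bytes, so the header and the first real block come out as garbage and everything after that decrypts correctly. Password and plaintext are constructed; the salt is the one printed in the post.

```python
import hashlib

MAGIC = b"Salted__"
BLOCK = 8                        # Blowfish and DES block size
PLAINTEXT = b"The first block.The second blockThe third block."   # 48 bytes = 6 blocks, constructed


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """OpenSSL's EVP_BytesToKey: D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes exist (H applied `count` times per step).
    `openssl enc -p` prints the key and iv this produces; with 0.9.8 defaults H is MD5, count 1."""
    if salt is not None and len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        d = prev + password + (salt or b"")
        for _ in range(count):
            d = hashlib.new(md, d).digest()
        material += d
        prev = d
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted_header(blob):
    """(salt, ciphertext) from an `openssl enc` output that was written with a password."""
    if blob[:8] != MAGIC:
        raise ValueError("no Salted__ header: written with -nosalt, or not from openssl enc")
    return blob[8:16], blob[16:]


def _toy_block(block, key):
    # Stand-in for Blowfish: XOR with the first 8 key bytes. NOT a cipher, only an
    # invertible block function so the CBC bookkeeping below is the real thing.
    return bytes(b ^ k for b, k in zip(block, key[:BLOCK]))


def cbc_encrypt(plaintext, key, iv):
    assert len(plaintext) % BLOCK == 0, "real enc applies PKCS#7 padding; omitted here"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_block(bytes(p ^ c for p, c in zip(plaintext[i:i + BLOCK], prev)), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext, key, iv):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(bytes(d ^ c for d, c in zip(_toy_block(block, key), prev)))
        prev = block                                   # CBC: each block only depends on the one before it
    return b"".join(out)


def demo():
    """Returns (naive, proper): decryption with the header left in place, and with it stripped."""
    password = b"correct horse"                        # constructed
    salt = bytes.fromhex("FF01D744C268C056")           # the salt printed in the post
    key, iv = evp_bytes_to_key(password, salt, key_len=16, iv_len=8)   # bf-cbc: 16-byte key, 8-byte IV

    on_disk = MAGIC + salt + cbc_encrypt(PLAINTEXT, key, iv)   # what `openssl enc -bf -p` writes
    # `openssl enc -d -K ... -iv ...`: no password, so the 16-byte header is decrypted as data.
    naive = cbc_decrypt(on_disk, key, iv)
    # Correct: strip the header first (or give enc the password and let it do so).
    salt_from_file, body = split_salted_header(on_disk)
    key2, iv2 = evp_bytes_to_key(password, salt_from_file, key_len=16, iv_len=8)
    proper = cbc_decrypt(body, key2, iv2)
    return naive, proper


if __name__ == "__main__":
    naive, proper = demo()
    print("header left in place, first 24 bytes:", naive[:24])
    print("header left in place, rest:          ", naive[24:])
    print("header stripped:                     ", proper)
```

With the real tool the equivalent fix is to skip the 16 header bytes before handing the file to `-K`/`-iv`, for example `tail -c +17 encrypted | openssl enc -d -bf -K <key> -iv <iv>`, or to decrypt with the password (optionally pinning the salt with `-S FF01D744C268C056`) so that `enc` strips the header itself. Encrypting with `-nosalt` also makes the two commands symmetric, at the cost that the same password then always yields the same key and IV. Note that EVP_BytesToKey with one MD5 iteration is a very weak password-to-key function; recent OpenSSL releases offer `-pbkdf2` for `enc`.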