Socket left in CLOSE_WAIT state...
Hi,

My code leaves sockets in the CLOSE_WAIT state after I free the SSL connection (running on Windows XP with OpenSSL 0.9.8e). After I'm done with the connection I call SSL_shutdown and SSL_free, but that doesn't close the socket on the client side. My code's probably wrong, so tell me what I should change?

    #include <stdio.h>        /* printf */
    #include <stdlib.h>
    #include <string.h>       /* strlen */
    #include <windows.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>  /* ERR_load_BIO_strings */

    char Hostname[] = "imap.gmail.com";
    int Port = 993;

    int main(int args, char **arg)
    {
        printf("OpenSSL Test\n");

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_BIO_strings();
        OpenSSL_add_all_algorithms();

        SSL_CTX *Ctx = SSL_CTX_new(SSLv23_client_method());
        if (Ctx)
        {
            SSL *Ssl = 0;
            BIO *Bio = BIO_new_ssl_connect(Ctx);
            if (Bio)
            {
                BIO_get_ssl(Bio, &Ssl);
                if (Ssl)
                {
                    SSL_set_mode(Ssl, SSL_MODE_AUTO_RETRY);
                    BIO_set_conn_hostname(Bio, Hostname);
                    BIO_set_conn_int_port(Bio, &Port);

                    if (BIO_do_connect(Bio) > 0)
                    {
                        printf("Connected to '%s' using SSL\n", Hostname);

                        char Data[256];
                        char *Cmd = "A0001 CAPABILITY\r\n";
                        int w = SSL_write(Ssl, Cmd, strlen(Cmd));
                        if (w > 0)
                        {
                            printf("Wrote %i bytes.\n", w);
                            int r = SSL_read(Ssl, Data, sizeof(Data));
                            if (r > 0)
                            {
                                printf("Got %i bytes.\n", r);
                            }
                            else printf("SSL_read failed.\n");
                        }
                        else printf("SSL_write failed.\n");
                    }
                    else printf("BIO_do_connect failed.\n");
                }
                else printf("BIO_get_ssl failed.\n");
            }
            else printf("BIO_new_ssl_connect failed.\n");

            if (Ssl)
            {
                SSL_shutdown(Ssl);
                SSL_free(Ssl);
            }

            /* At this point I expect the socket should have disappeared,
               but it's still there hanging around in CLOSE_WAIT... why? */

            SSL_CTX_free(Ctx);
        }

        return 0;
    }

Thanks
--
Matthew Allen

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Socket left in CLOSE_WAIT state...
Looks like it needs a BIO_free_all(bio) or something similar.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matthew Allen
Sent: Wednesday, April 21, 2010 5:18 AM
To: openssl-users@openssl.org
Subject: Socket left in CLOSE_WAIT state...
Re: Socket left in CLOSE_WAIT state...
Matthew Allen wrote:
> if (Ssl)
> {
>     SSL_shutdown(Ssl);
>     SSL_free(Ssl);
> }

Yes, as the other writer says, you may need to close out the BIO (which is the thing holding the socket descriptor/handle). So you may need to clean up the Bio object you created (in and around the SSL_free()).

Alternatively, if you still get issues with CLOSE_WAIT:

    if (SSL_shutdown(Ssl) >= 0)
        shutdown(SSL_get_fd(Ssl), SHUT_WR);

Research into using the shutdown() system call to half-close a socket; this has been used in the past, usually with servers, to improve efficiency during disconnection.

Darryl
How to handle Engine Cleanup
Hello -

I am using M2Crypto, which wraps OpenSSL, but have translated my M2Crypto commands into OpenSSL methods. I do a set of commands to get the certificate and key off the USB eToken. I am unsure how to clean up my engines. Do I need to do all three of the following commands: ENGINE_finish(), ENGINE_cleanup() and ENGINE_free? Is there a specific order they need to occur in?

Thanks!

    ENGINE_load_dynamic()
    dynamic = ENGINE_by_id("dynamic")
    ENGINE_ctrl_cmd_string("SO_PATH", "/usr/local/ssl/lib/engines/engine_pkcs11.so")
    ENGINE_ctrl_cmd_string("ID", "pkcs11")
    ENGINE_ctrl_cmd_string("LIST_ADD", 1)
    ENGINE_ctrl_cmd_string("LOAD", None)
    pkcs = ENGINE_by_id("pkcs11")
    ENGINE_ctrl_cmd_string("MODULE_PATH", "/usr/lib/libeTPksc11.so")
    ENGINE_init(pkcs)
    # Get the certificate and key off the eToken
    ENGINE_ctrl_cmd_string("PIN", password)
    cert = ENGINE_ctrl_cmd("LOAD_CERT_CTRL")
    key = ENGINE_load_private_key
    ENGINE_finish(dynamic)
    ENGINE_finish(pkcs)
    ENGINE_free(pkcs)
how to interpret the speed result using openssl command line
Dear all,

I input the command speed rc4 under the prompt openssl. The result is as follows:

    Doing rc4 for 3s on 16 size blocks: 778800 rc4's in 1.53s
    Doing rc4 for 3s on 64 size blocks: 219433 rc4's in 1.55s
    Doing rc4 for 3s on 256 size blocks: 52962 rc4's in 1.45s
    Doing rc4 for 3s on 1024 size blocks: 13924 rc4's in 1.52s
    Doing rc4 for 3s on 8192 size blocks: 1734 rc4's in 1.51s
    OpenSSL 0.9.8l 5 Nov 2009
    built on: Tue Jan 12 17:29:19 EST 2010
    options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx)
    compiler: arm-unknown-linux-gnu-gcc -O
    available timing options: TIMES TIMEB HZ=100 [sysconf value]
    timing function used: times
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    rc4               8144.31k     9060.46k     9350.53k     9380.38k     9407.24k

How can I interpret the first five lines? Thank you so much.

Best Regards,
Xiang
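How the five "Doing" lines relate to the summary row, as an added example (not part of the post or of OpenSSL): each table figure is calls × block size ÷ reported seconds ÷ 1000. The struct and function names are made up for this sketch; it assumes single-word algorithm names and the CPU-time measurement that the output reports as "timing function used: times".

```c
#include <stdio.h>
#include <string.h>

/* One "Doing ..." line from `openssl speed` (field names are illustrative). */
struct speed_line {
    char   alg[16];    /* algorithm name, e.g. "rc4" */
    int    wall_secs;  /* requested run time per block size ("for 3s") */
    long   block;      /* bytes handed to the cipher per call */
    long   calls;      /* calls completed before the timer fired */
    double cpu_secs;   /* time reported by the timing function ("in 1.53s") */
};

/* The five lines quoted in the post above, copied from the page. */
static const char *POSTED_LINES[] = {
    "Doing rc4 for 3s on 16 size blocks: 778800 rc4's in 1.53s",
    "Doing rc4 for 3s on 64 size blocks: 219433 rc4's in 1.55s",
    "Doing rc4 for 3s on 256 size blocks: 52962 rc4's in 1.45s",
    "Doing rc4 for 3s on 1024 size blocks: 13924 rc4's in 1.52s",
    "Doing rc4 for 3s on 8192 size blocks: 1734 rc4's in 1.51s",
};
#define N_POSTED (sizeof(POSTED_LINES) / sizeof(POSTED_LINES[0]))

/* Returns 0 on success, -1 if the line is not in the expected format. */
int parse_speed_line(const char *line, struct speed_line *s)
{
    char alg2[16];
    int n = sscanf(line, "Doing %15s for %ds on %ld size blocks: %ld %15[^']'s in %lfs",
                   s->alg, &s->wall_secs, &s->block, &s->calls, alg2, &s->cpu_secs);
    if (n != 6 || strcmp(s->alg, alg2) != 0)
        return -1;
    if (s->wall_secs <= 0 || s->block <= 0 || s->calls < 0 || s->cpu_secs <= 0.0)
        return -1;   /* reject values that would make the division meaningless */
    return 0;
}

/* Summary-table figure: thousands of bytes processed per reported second. */
double kbytes_per_sec(const struct speed_line *s)
{
    return (double)s->calls * (double)s->block / s->cpu_secs / 1000.0;
}

/* Share of the requested run time that was measured as CPU time. */
double cpu_share(const struct speed_line *s)
{
    return s->cpu_secs / (double)s->wall_secs;
}

int main(void)
{
    struct speed_line s;
    for (size_t i = 0; i < N_POSTED; i++) {
        if (parse_speed_line(POSTED_LINES[i], &s) != 0)
            return 1;
        printf("%-4s %5ld bytes: %9.2fk  (%.0f%% of %ds measured)\n",
               s.alg, s.block, kbytes_per_sec(&s), 100.0 * cpu_share(&s), s.wall_secs);
    }
    return 0;
}
```

The recomputed figures match the posted rc4 row, and the measured time is only about half of each 3-second run on this machine.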
FW: Help! Encryption Absorted
From: luxiang...@hotmail.com
To: openssl-users@openssl.org
Subject: Help! Encryption Absorted
Date: Wed, 21 Apr 2010 17:52:04 +

Dear all,

I would like to encrypt my data before they are emitted. I use the following function: EVP_CIPHER_CTX_ex(ctx, EVP_des_ede_cbc(), NULL, key, iv). Unfortunately, when it comes to this function, my program jumps to the end, omitting all the following encryption operations. The whole program is as shown in the last thread, called Encryption using Openssl. The due day is coming. I really appreciate your help. Thank you so much.

Best Regards,
Xiang
Re: Socket left in CLOSE_WAIT state...
Shutdown disables the ability to read, write (or both) on a socket. However, shutdown() does not close the socket. To release the socket descriptor back to the OS you also need to call closesocket();

----- Original Message ----
From: Matthew Allen l...@sydneyband.com.au
To: openssl-users@openssl.org
Sent: Wed, April 21, 2010 2:18:27 AM
Subject: Socket left in CLOSE_WAIT state...
Verifying the certificate in PEM format
Dear Users, My application generated security certificates, which will be in the PEM format. Can anyone help me on using the OpenSSL tool to verify the PEM certificate format? Appreciate Your help, Thank you, Krishna
Help! Encryption Absorted
Dear all,

I would like to encrypt my data before they are emitted. I use the following function: EVP_CIPHER_CTX_ex(ctx, EVP_des_ede_cbc(), NULL, key, iv). Unfortunately, when it comes to this function, my program jumps to the end, omitting all the following encryption operations. The whole program is as shown in the last thread, called Encryption using Openssl. The due day is coming. I really appreciate your help. Thank you so much.

Best Regards,
Xiang
Re: Socket left in CLOSE_WAIT state...
-- Original Message --
To: (openssl-users@openssl.org)
From: Stuart Weatherby (stuart_weathe...@yahoo.ca)
Subject: Re: Socket left in CLOSE_WAIT state...
Date: 22/4/2010 5:18:48a

> Shutdown disables the ability to read, write (or both) on a socket. However, shutdown() does not close the socket. to release the socket descriptor back to the OS you also need to call closesocket();

This code does what I want:

    int r = 0;
    if ((r = SSL_shutdown(Ssl)) >= 0)
    {
        closesocket(SSL_get_fd(Ssl));
    }

But it seems like an ugly hack. It _should_ close the socket by itself. I'm worried that this leaks some BIO object(s), because clearly if the BIO objects were freed they'd close their SOCKET. And since that ISN'T happening, maybe the BIO object is not being freed [correctly].

Saju Paul wrote:
> Looks like it needs a BIO_free_all(bio) or something similair.

I tried that before and after the SSL_shutdown call and it just crashes; clearly that's not the proper way. Maybe there is a way to disassociate the BIO from the SSL, but it seems like a hack rather than a solution.

Thanks for the responses.

PS: in investigating these issues I did try to download and build OpenSSL 1.0.0 for myself, hoping to step into the code and see where things went, but after following the instructions to build with Visual C++ I got stuck running a command that never finished. The perl do_ms thing would run for hours using up 100% of the core it was running on and just never seem to finish. Ended up killing it and posting on the mailing list instead. Just FYI.

--
Matthew Allen
http://www.memecode.com
OpenSSL and Python
Hello,

I am porting my code to a new server. I have installed Python 2.5.2 working on a linux box. The problem is I need to know what version of pyOpenSSL and OpenSSL libs are compatible with this version of linux. I'm seeing the below:

    python
    Python 2.5.2 (r252:60911, Sep 30 2008, 15:41:38)
    [GCC 4.3.2 20080917 (Red Hat 4.3.2-4)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import OpenSSL
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/lib/python2.5/site-packages/OpenSSL/__init__.py", line 11, in <module>
        import rand, crypto, SSL, tsafe
    ImportError: /usr/local/lib/python2.5/site-packages/OpenSSL/crypto.so: undefined symbol: PyUnicodeUCS2_Decode

Anybody know what the workaround is here?

Thanks,
Garyc
Re: OpenSSL and Python
On Wednesday 21 April 2010 at 16:06 -0700, gary clark wrote:
> ImportError: /usr/local/lib/python2.5/site-packages/OpenSSL/crypto.so: undefined symbol: PyUnicodeUCS2_Decode

This is a Python problem, not a unicode one. I suggest posting on comp.lang.python. Basically, you should use the pyOpenSSL package provided by your Linux distribution, or compile it from the source; but not install a standalone binary package.
Re: OpenSSL and Python
Appreciated.

Garyc

--- On Wed, 4/21/10, Antoine Pitrou solip...@pitrou.net wrote:
From: Antoine Pitrou solip...@pitrou.net
Subject: Re: OpenSSL and Python
To: openssl-users@openssl.org
Date: Wednesday, April 21, 2010, 6:39 PM
Re: Socket left in CLOSE_WAIT state...
According to the doc:
0 indicates the ssl_shutdown function needs to be called again.
1 indicates success
-1 indicates failure

    int r = SSL_shutdown(Ssl);
    if (r == -1) {
        /* failure */
    }
    if (r == 0)
        r = SSL_shutdown(Ssl);   /* needs to be called again */
    if (r == 1) {
        /* success */
    } else {
        /* failure */
    }

Stuart

----- Original Message ----
From: Matthew Allen l...@sydneyband.com.au
To: openssl-users@openssl.org
Sent: Wed, April 21, 2010 4:00:10 PM
Subject: Re: Socket left in CLOSE_WAIT state...
RE: Socket left in CLOSE_WAIT state...
Since BIO is creating the SSL object somewhere in the call to BIO_new_ssl_connect(Ctx); the cleanup of the SSL object (SSL_shutdown SSL_free) may be handled by BIO_free_all()

begin

            else printf("BIO_new_ssl_connect failed.\n");

            BIO_free_all(Bio);
            /*
            if (Ssl)
            {
                SSL_shutdown(Ssl);
                SSL_free(Ssl);
            }
            */

end

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matthew Allen
Sent: Wednesday, April 21, 2010 7:00 PM
To: openssl-users@openssl.org
Subject: Re: Socket left in CLOSE_WAIT state...
Re: Win32 OPENSSL_USE_APPLINK usage
Andy Polyakov wrote:
> I actually ended up solving it by removing all uses of BIO_new_fp() in favor of my own custom BIO that I just finished writing earlier this week.
>
> Why not BIO_new_file?
>
> Yeah, I discovered while analyzing the code that using BIO_new_file() rather than BIO_new_fp() would disengage applink, however that was not an option for me because BIO_new_file() can't open a file whose name contains non-ANSI Unicode characters on Windows. I have to open the file myself using _wfopen().
>
> There was suggestion to fall back to wfopen from a vmware engineer a while ago, but he couldn't provide patch (not that it would be very complex) and it was not followed up. Idea must have been something similar to just committed http://cvs.openssl.org/chngview?cn=19610.

Why not add the following to BIO_new_file()?

- BIO interface still uses char * (meaning latin ASCII 0x20..0x7F)
- BIO implementation calls UTF8_to_UCS16() on all platforms supporting wfopen or _wfopen
- BIO implementation then calls wfopen / _wfopen with this UCS16 value (sometimes known as WCHAR*)
- For Win32 and Win32_WinCE the conversion can be done with FormatMessage() API. It's always available.

... just my 5 cents.

The Modem Man