Peer certificate doesn't survive i2d_SSL_SESSION / d2i_SSL_SESSION
Hi *, After a d2i_SSL_SESSION() session has been successfully resumed SSL_get_peer_certificate() returns NULL. Am I doing something wrong or is that the expected result? Thanks in advance. -- Arno Garrels __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Peer certificate doesn't survive i2d_SSL_SESSION / d2i_SSL_SESSION
Arno Garrels wrote: Hi *, After a d2i_SSL_SESSION() session has been successfully resumed SSL_get_peer_certificate() returns NULL. Am I doing something wrong or is that the expected result? Sorry, wrong test case, it actually works. -- Arno Garrels __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Initialization Vector for EVP_rc4() ?
This is contrary to the specification: The total length of an Enhanced Provider symmetric key and its salt value cannot be greater than 128 bits. So, I think this salt value should not have any influence, as the bits you can set are the trailing bits between the reduced key size and the one the algorithm requires. _ From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bugcollect.com Sent: Sunday, May 08, 2011 12:23 AM To: openssl-users@openssl.org Subject: Re: Initialization Vector for EVP_rc4() ? I forgot to mention: the original application uses the Enhanced Cryptography Provider (http://msdn.microsoft.com/en-us/library/aa386986%28v=vs.85%29.aspx http://msdn.microsoft.com/en-us/library/aa386986(v=vs.85).aspx ) which supports 128 bit RC4 keys. The application sets the RC4 cipher from a full 128 bit key and a 128 bit salt. On May 6, 2011, at 10:41 PM, Bugcollect.com wrote: Hello, I need to exchange encrypted content with an existing application on Windows with an RC4 key that is salted as per http://msdn.microsoft.com/en-us/library/aa387782%28v=vs.85%29.aspx (KP_SALT_EX). Note that this is not a passphrase and salt key derivation, but a cipher initialized with some a known key and known initialization vector, similar to a block cipher. I think technically RC4 does not have an IV, but what is the equivalent operation I can perform in openssl to get the cipher in the desired state? Specifying the salt as the iv param in EVP_EncryptInit does not work. TIA, ~ Remus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Multiple connection from 1 client
Hi, I used the following code to change the socket to non blocking, but its still not successful, now its not even able to complete SSL_Accept. I am changing the socket option for the accepted socket. unsigned long iMode = 1; int nReturn = ioctlsocket(sock, FIONBIO, iMode); if(nReturn != NO_ERROR) { printf((ioctlsocket failed with error: %ld\n, nReturn)); } Also i suspect, that if i change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. // Harshvir On Fri, May 6, 2011 at 10:33 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh., If u have any specific doubts in writing this asynchronous state machine email me privately at suraj...@gmail.com. I am pretty much jobless right now and can spend some time on this. Thanks --Gayathri On Friday, May 6, 2011, Harshvir Sidhu hvssi...@gmail.com wrote: Thanks, I will give this a try. // Harshvir On Fri, May 6, 2011 at 6:44 PM, Eric S. Eberhard fl...@vicsmba.com wrote: Change the sockets. This is what I use: int setblock(fd, mode) int fd; int mode; /* True - blocking, False - non blocking */ { int flags; int prevmode; flags = fcntl(fd, F_GETFL, 0); prevmode = !(flags O_NDELAY); if (mode) flags = ~O_NDELAY; /* turn blocking on */ else flags |= O_NDELAY; /* turn blocking off */ fcntl(fd, F_SETFL, flags); return prevmode; } Since it returns the existing mode you can use as such: prevmode = setblock(fd,0) /* turn of blocking */ /* do your thing */ (void)setblock(fd,prevmode);/* restore to original condition */ At 04:15 PM 5/6/2011, you wrote: Thanks for the reply Gayathri. Do you mean to changing the sockets to non blocking, or when i create bio for ssl to make that as non blocking? Thanks. On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar mailto: suraj...@gmail.comsuraj...@gmail.com wrote: Harsh, Okay from what I can understand, if you make ur underlying fd non blocking then it would work fine. Blocking FDs, unless and until one client is finished with its processing the other client will not be able to communicate with the server as the previous fd is blocked. The server is waiting on the 1st client to finish. When you have 3 ports and 3 clients then ofcourse it will work. thanks --Gayathri On Fri, May 6, 2011 at 5:50 PM, Harshvir Sidhu mailto: hvssi...@gmail.comhvssi...@gmail.com wrote: Gayatri, My server code is single threaded and i am using blocking sockets, i am using fd_set and select to wait for event on socket, and then performing operation based on the event that acts on a socket. I have an array of sockets to listen. So if i start listening on 3 different ports and from my client machien, i try to connect on them at different ports then it works fine, but when i use 1 listen port then it dont work properly. What i mean to say by work properly is that the connection is established, but when i am waiting for select to return event, then it dont show any activity when i send data from client, only 1 of them works, 2 dont work. In addition to that, when i use WireShark to see packets, then it shows that machine has received the packet from client. But server dont show that alert. Thats why i think it could be some socket option which is affecting it. // Harshvir On Fri, May 6, 2011 at 5:37 PM, Gayathri Sundar mailto: suraj...@gmail.comsuraj...@gmail.com wrote: Harshvir, SO_REUSEADDR sock option has noting to do with ur problem, please go thro the socket ops man page to get a better understanding. First find out if ur server code is a blocking i/o or non blocking I/O..if former then connections will be handled sequentially..only after the 1st client is finished will the server be able to respond to the 2nd connect request. If non blocking then there should be no problem. Check the code if you see and O_NONBLOCK flag set in some fcntl call or check for FIONBIO flag. Thanks --Gayathri On Fri, May 6, 2011 at 5:29 PM, Harshvir Sidhu mailto: hvssi...@gmail.comhvssi...@gmail.com wrote: Well i think this link is for my question. I have already done 1-5 from the Before you ask list. Number 6, i dont know anyone who use openssl. Number 7, it will take a lot of time to go through all the code, i was just trying to save some time. I thought user discussion forums are for this only. I apologize for my understanding. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org
Re: Multiple connection from 1 client
Hi., Yes, once you make the socket noblocking, your current ssl API,s will not work. that is why I asked you to write the asynchronous state machine. Go thro the man pages for ssl accept, ssl read, ssl write for non blocking cases. You need to handle special cases called want read and write errors. I will send a detailed email a little later. Thanks --Gayathri On Monday, May 9, 2011, Harshvir Sidhu hvssi...@gmail.com wrote: Hi, I used the following code to change the socket to non blocking, but its still not successful, now its not even able to complete SSL_Accept. I am changing the socket option for the accepted socket. unsigned long iMode = 1; int nReturn = ioctlsocket(sock, FIONBIO, iMode); if(nReturn != NO_ERROR) { printf((ioctlsocket failed with error: %ld\n, nReturn)); } Also i suspect, that if i change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. // Harshvir On Fri, May 6, 2011 at 10:33 PM, Gayathri Sundar suraj...@gmail.com wrote: Harsh., If u have any specific doubts in writing this asynchronous state machine email me privately at suraj...@gmail.com. I am pretty much jobless right now and can spend some time on this. Thanks --Gayathri On Friday, May 6, 2011, Harshvir Sidhu hvssi...@gmail.com wrote: Thanks, I will give this a try. // Harshvir On Fri, May 6, 2011 at 6:44 PM, Eric S. Eberhard fl...@vicsmba.com wrote: Change the sockets. This is what I use: int setblock(fd, mode) int fd; int mode; /* True - blocking, False - non blocking */ { int flags; int prevmode; flags = fcntl(fd, F_GETFL, 0); prevmode = !(flags O_NDELAY); if (mode) flags = ~O_NDELAY; /* turn blocking on */ else flags |= O_NDELAY; /* turn blocking off */ fcntl(fd, F_SETFL, flags); return prevmode; } Since it returns the existing mode you can use as such: prevmode = setblock(fd,0) /* turn of blocking */ /* do your thing */ (void)setblock(fd,prevmode); /* restore to original condition */ At 04:15 PM 5/6/2011, you wrote: Thanks for the reply Gayathri. Do you mean to changing the sockets to non blocking, or when i create bio for ssl to make that as non blocking? Thanks. On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar mailto:suraj...@gmail.comsuraj...@gmail.com wrote: Harsh, Okay from what I can understand, if you make ur underlying fd non blocking then it would work fine. Blocking FDs, unless and until one client is finished with its processing the other client will not be able to communicate with the server as the previous fd is blocked. The server is waiting on the 1st client to finish. When you have 3 ports and 3 clients then ofcourse it will work. thanks --Gayathri On Fri, May 6, 2011 at 5:50 PM, Harshvir Sidhu mailto:hvssi...@gmail.comhvssi...@gmail.com wrote: Gayatri, My server code is single threaded and i am using blocking sockets, i am using fd_set and select to wait for event on socket, and then performing operation based on the event that acts on a socket. I have an array of sockets to listen. So if i start listening on 3 different ports and from my client machien, i try to connect on them at different ports then it works fine, but when i use 1 listen port then it dont work properly. What i mean to say by work properly is that the connection is established, but when i am waiting for select to return event, then it dont show any activity when i send data from client, only 1 of them works, 2 dont work. In addition to that, when i use WireShark to see packets, then it shows that machine has received the packet from client. But server dont show that alert. Thats why i think it could be some socket option which is affecting it. // Harshvir On Fri, May 6, 2011 at 5:37 PM, Gayathri Sundar mailto:suraj...@gmail.comsuraj...@gmail.com wrote: Harshvir, SO_REUSEADDR sock option has noting to do with ur problem, please go thro the socket ops man page to get a better understanding. First find out if ur server code is a blocking i/o or non blocking I/O..if former then connections will be handled sequentially..only after the 1st client is finished will the server be able to respond to the 2nd connect request. If non blocking then there should be no problem. Check the code if you see and O_NONBLOCK flag set in some fcntl call or check for FIONBIO flag. Thanks --Gayathri On Fri, May 6, 2011 at 5:29 PM, Harshvir Sidhu mailto:hvssi...@gmail.comhvssi...@gmail.com wrote: Well i think this link is for my question. I have already done 1-5 from the Before you ask list. Number 6, i dont know anyone who use openssl. Number 7,
Re: Multiple connection from 1 client
On 5/9/2011 6:27 AM, Harshvir Sidhu wrote: Also i suspect, that if i change the socket to non blocking, then my current read write code will not work. i mean the one in which i use FD_SET and select to perform operations. Thanks. It's very easy to get things wrong and it won't work unless you get everything right. The most common mistake is refusing to call one of the SSL_* functions until you get a 'select' hit. You should only do that if OpenSSL specifically tells you to do that. The second most common mistake is assuming that an SSL connection has separate read and write readiness, like a TCP connection does. An SSL connection is a single state machine and so has only a single state. (So if SSL_Read returns WANT_READ and then you call SSL_Write, regardless of what return value you get, the WANT_READ from SSL_Read is invalidated because SSL_Write can change the state of the SSL connection.) DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: command line to c++ code
On 04/13/2011 07:16 PM, luis hernandez wrote: Hi I do not know if you have talk about this here, but I can not find the answer. How to translate a command line commandt to a c++ code? For instance if at commandd prompt i do this: openssl x509 -inform DER -in cert.cer There is no single openssl main. In this case, look into the source, the file is apps/x509.c If you were issuing a command like openssl smime ..., then look into apps/smime.c, etc. The core code for each OpenSSL command is in the file that I have indicated, common code to apps mostly does stuff like reading the configuration file, initializing OpenSSL (read the FAQ), etc. -noout -enddate What code will generate the same result? Is there howto already written? I have bought the book Network security with Openssl by O'reilly. But I can not figure it out. TIA for your help. Luis Hernandez
Re: Multiple connection from 1 client
Harsh, I would take up his offer of help. Socket control over multiple sockets is tricky code and very specific to what you are trying to do. My environment is single threaded and does similar things to yours -- but as Gayathri said, there are many details and exceptions and although with some online help or books I am sure with enough time you could do it (took me forever the first time) I suspect that this offer is as good as they get. I am not jobless (lucky me) so I can't put in the time he can. Gayathri -- would you be interested in pure C coding on a contract basis (intermittent, not really a job, more like occasional tasks) -- the code we write runs on AIX, Linux, OS/X, SCO, HP/UX, Centos, etc. so it is a little tricky to make work. If you have interest let me know your rates and real email and so forth. Thanks, Eric At 08:33 PM 5/6/2011, you wrote: Harsh., If u have any specific doubts in writing this asynchronous state machine email me privately at suraj...@gmail.com. I am pretty much jobless right now and can spend some time on this. Thanks --Gayathri On Friday, May 6, 2011, Harshvir Sidhu hvssi...@gmail.com wrote: Thanks, I will give this a try. // Harshvir On Fri, May 6, 2011 at 6:44 PM, Eric S. Eberhard fl...@vicsmba.com wrote: Change the sockets. This is what I use: int setblock(fd, mode) int fd; int mode; /* True - blocking, False - non blocking */ { int flags; int prevmode; flags = fcntl(fd, F_GETFL, 0); prevmode = !(flags O_NDELAY); if (mode) flags = ~O_NDELAY; /* turn blocking on */ else flags |= O_NDELAY; /* turn blocking off */ fcntl(fd, F_SETFL, flags); return prevmode; } Since it returns the existing mode you can use as such: prevmode = setblock(fd,0) /* turn of blocking */ /* do your thing */ (void)setblock(fd,prevmode);/* restore to original condition */ At 04:15 PM 5/6/2011, you wrote: Thanks for the reply Gayathri. Do you mean to changing the sockets to non blocking, or when i create bio for ssl to make that as non blocking? Thanks. On Fri, May 6, 2011 at 6:03 PM, Gayathri Sundar mailto:suraj...@gmail.comsuraj...@gmail.com wrote: Harsh, Okay from what I can understand, if you make ur underlying fd non blocking then it would work fine. Blocking FDs, unless and until one client is finished with its processing the other client will not be able to communicate with the server as the previous fd is blocked. The server is waiting on the 1st client to finish. When you have 3 ports and 3 clients then ofcourse it will work. thanks --Gayathri On Fri, May 6, 2011 at 5:50 PM, Harshvir Sidhu mailto:hvssi...@gmail.comhvssi...@gmail.com wrote: Gayatri, My server code is single threaded and i am using blocking sockets, i am using fd_set and select to wait for event on socket, and then performing operation based on the event that acts on a socket. I have an array of sockets to listen. So if i start listening on 3 different ports and from my client machien, i try to connect on them at different ports then it works fine, but when i use 1 listen port then it dont work properly. What i mean to say by work properly is that the connection is established, but when i am waiting for select to return event, then it dont show any activity when i send data from client, only 1 of them works, 2 dont work. In addition to that, when i use WireShark to see packets, then it shows that machine has received the packet from client. But server dont show that alert. Thats why i think it could be some socket option which is affecting it. // Harshvir On Fri, May 6, 2011 at 5:37 PM, Gayathri Sundar mailto:suraj...@gmail.comsuraj...@gmail.com wrote: Harshvir, SO_REUSEADDR sock option has noting to do with ur problem, please go thro the socket ops man page to get a better understanding. First find out if ur server code is a blocking i/o or non blocking I/O..if former then connections will be handled sequentially..only after the 1st client is finished will the server be able to respond to the 2nd connect request. If non blocking then there should be no problem. Check the code if you see and O_NONBLOCK flag set in some fcntl call or check for FIONBIO flag. Thanks --Gayathri On Fri, May 6, 2011 at 5:29 PM, Harshvir Sidhu mailto:hvssi...@gmail.comhvssi...@gmail.com wrote: Well i think this link is for my question. I have already done 1-5 from the Before you ask list. Number 6, i dont know anyone who use openssl. Number 7, it will take a lot of time to go through all the code, i was just trying to save some time. I thought user discussion forums are for this only. I apologize for my understanding. __ OpenSSL Project
RE: Create cert with SHA1: now unexplained window-full and RST?
From: owner-openssl-us...@openssl.org On Behalf Of Moisés Barba Pérez Sent: Thursday, 05 May, 2011 14:52 Firstly I apologize for my insistence about this topic but it is very important to me. I cleared my head a little and I'm exposing my issue again: There is a client machine integrated in LDAP server (389 DS). (Language nit: connected to, maybe integrated with, not integrated in.) To my knowledge ldap(plain) is 389 and ldaps(SSL) is 636. Your trace excerpts definitely are 636 (except one oddity below). in this client machine I tried to run getent group, sudo -l or id and usually fail. I have tried to run these commands without ssl and everything is ok. The problem appears with ssl enabled. Do you know what code actually does ldap or ldap+SSL client here? I.e. Are those utilities modified to do or invoke ldap themselves, or do they go through some kernel hook that comes back out to some other thing, maybe a helper process? This could make a difference in where errors get reported or recorded. On Unix they probably should be in some syslog, but which? And *might* be somewhere else. I have captured traffic with wireshark and ... attached ... plain txt with 6 packages ... wireshark says that the transmission window is full and the client closes the connection. (Language nit: packet(s) not package(s).) This clearly doesn't have the MAC error you reported before; did you fix/change something or did it just vanish? Aside: this list seems to support binary attachments, so you could probably provide the whole .pcap file if (1) it's not too big and (2) it doesn't contain any sensitive data like passwords. What you have here does not look like an SSL protocol problem, and may or may not be an OpenSSL problem. Do you know if the ldap client code uses OpenSSL's default blocking I/O, or if it does something 'advanced' like nonblocking, BIO_pair, or custom BIO? Does it (in your cases) do more than one request/response, and if so are those sequential or do they (try to) pipeline or overlap? #268 svr-39950 analyzes as window full but you omitted (filtered?) the preceding packets which would show how big the window was, what was in it, and for how long (although you're 2sec from 'reference' so it's not very long). I assume it's encrypted; did or can you try eNULL so it's (still SSL but) readable? Is at least the amount of data (about 251k) appropriate? If you capture a nonSSL case, does it send and receive the same ldap data (modulo timestamps and nonces and such) or at least the same amount of data in the same pattern? Is *some* of the received data acknowledged? I'd expect so, since 251k is large for an early window (though not impossible), unless a lot of this is handshake and maybe previous responses. Could the wire acknowledgement (of the current response only) be just in the stack (RCVBUF) or is there evidence that OpenSSL has actually recv-ed, or the client code has recv-ed and (we hope!) given to OpenSSL, some of it? #269 39950-svr client immediately sends FIN and then RST. That's odd; for (Open)SSL shutdown it should send an alert first (although possibly you omitted/filtered that) and even if the client went directly to the socket level, perhaps because there has been an error (or it thinks so), I would expect to see normal FIN,FIN *xor* abort RST. But on a quick test it appears (at least some?) Linux does FIN then immediate RST for linger 0. Yuck. Is the client on Linux? sudo certainly implies some Unix. Does the client display or log anything at this point in time? Is there indication of a timeout happening, or any timeout that should apply here, that you can increase at least for test? Hmm- maybe in the omitted packets client called SSL_shutdown and sent close_notify against a server flow which client didn't SSL_read; will OpenSSL (discard and) recv from stack in that case? I don't have time to read through source or set up a test now. But if client did that because it thinks there's something wrong with the data it's receiving, it really ought to say so. #271,272 39951-svr send SYN recv SYNACK normally. This is presumably the same client, or maybe a reincarnated one, if it got an error just above, trying a new connection. #287 svr8807-39950 rcvd RST -- I assume you omitted/filtered here. Did client#39950 really send to server#8807 (soon) before this? If so, re-using a port like that is very unusual, though legal. If it didn't, it makes no sense at all for server to respond with an unrelated port, unless either it is mangling packets or something in between is doing so, and your addresses are very close which *usually* implies same link and nothing in between. #438 after ~40 sec 39951-svr send FIN. Clearly you've omitted or filtered plenty here because this shows about 13k sent 26k rcvd, and noticeable time passing. #440 immediately send RST, like above except one packet in