Re: Running SSL on own socket code
Depends exactly what the person wants to do and also if he wants to use existing code and if he is familiar with the bio pairs. My point was not specific to his needs as there was not a lot of detail, only that making changes to the code is better and easier when you override functions -- such as I must do with the error handling (and anyone else writing PCI compliant code BTW -- MUST MUST -- do). In the old days I was stupid and inserted my code in to open source code ... making updates a nightmare. This externalizes changes and makes updates a cinch. Eric At 11:09 AM 6/1/2011, Victor Duchovni wrote: On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote: > The way I do things like this is to slightly modify OpenSSL (and keep track > of the mods!) Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953&id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750&id=1409661701 Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484&id=1409661701 Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827&id=1409661701 (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Compiling openssl-1.0.0.d
I have a SUN V240 running Solaris 10 10/09 SPARC (I added latest patch after discovering the problem to be described) using the ORACLE for Solaris CPU 11/04. I get a successful Configure, but have a problem with 'make'. Here is the output using GNU make from sunfreeware.com latest package: Killed Killed Killed Killed Killed Killed That's it. Any clue of what action to take from here? I uploaded the .zip file from my laptop to my server twice. Do I need to redownload the source code again? This is for the latest openssl-1.0.0.d code. Sent from my Verizon Wireless BlackBerry __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Hi Actually I have install Cent OS5 and Freeradius 2.0 http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5-p3 created certificates using above mentioned link. I am trying to use 802.11x enterprise with iPhone. I have created certificates and imported client_cert.p12 and cacert.pem files to iPhone. But I am facing problem. Here is the some part of the "radiusd -X" out put. [tls] <<< TLS 1.0 Handshake [length 0598], Certificate --> verify error:num=18:self signed certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 16 to 192.168.131.200 port 1029 EAP-Message = 0x04030004 Message-Authenticator = 0x Waking up in 0.3 seconds. Cleaning up request 0 ID 11 with timestamp +14 Cleaning up request 1 ID 12 with timestamp +14 Waking up in 1.9 seconds. Cleaning up request 2 ID 13 with timestamp +16 Cleaning up request 3 ID 14 with timestamp +16 Cleaning up request 4 ID 15 with timestamp +17 Waking up in 1.0 seconds. Cleaning up request 5 ID 16 with timestamp +17 Ready to process requests. * Detail log file is attached with. I have spent some on it but no luck. I need some help. Thanks a lot. debugradiusdJune1_3.log Description: Binary data
Re: [openssl-users] CA
I am having a similar problem here: For some reason I need to renew/extend a intermediate certificate within a chain. Without setting the old serial number, all its descending certs verification will fail when use 'openssl verify'. So the question is: Is there anyway to issuing a new signing certificate with a different serial number but not breaking the original chain? Thanks, Peter On Mon, May 23, 2011 at 8:35 AM, sandeep kiran p wrote: > If this isn't resolved yet, can you post the contents of the old cert, new > cert and the user cert? > > -Sandeep > > > On Fri, May 20, 2011 at 8:33 PM, Alex Bergmann wrote: > >> Hi Erwann! >> >> On 05/19/2011 10:20 AM, Erwann ABALEA wrote: >> >> "old" end-user certificates can only be verified by the "old" CA >>> certificate, of course (in case the CA is "renewed", with its key >>> changed, etc). >>> >> >> I didn't "renew" the CA certificate, I've used the existing private key >> to create thr new one. >> >> >> The only way I found was to give the new Root Certificate the same >> >> serial number as the previous one. >> > >> > That's forbidden by X.509 standard. And the serial number has nothing >> > to do with the SKI/AKI. >> >> I agree, using the same serial number seems to be not valid. >> >> But, according to RFC 3280 the Authority Key Identifier "MAY be based on >> either the key identifier ... or on the issuer name and serial number". >> >> My Root CA Certificate and user certificates shows exactly this >> information: >> >> Root CA Certificate: >> >> X509v3 Subject Key Identifier: >> A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E >> X509v3 Authority Key Identifier: >> keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E >> DirName: >> serial:1C:26:30:4D:53:64:7A:83 >> >> User Certificate: >> - >> X509v3 Subject Key Identifier: >> 7C:F7:66:B5:A4:83:42:1A:FF:AA:CB:0D:07:37:8A:81:E7:48:B8:1D >> X509v3 Authority Key Identifier: >> keyid:A8:C3:14:22:3A:48:50:66:78:89:97:02:A8:B0:CE:D3:EE:FC:0F:1E >> DirName: >> serial:1C:26:30:4D:53:64:7A:83 >> >> So the Root CA Certificate serial number is part of my X509v3 Authority >> Key Identifier. >> >> > Did you change the private key of the CA? If not, then: >> > - the SKI of the new CA certificate will be the same as the old >> > certificate (it's a *Key* identifier, and is generally constructed >> > from the public key) >> >> I didn't change the private key, so the X509v3 Subject Key Identifier is >> always the same, right. >> >> > - you don't need to have the same serial number (remember, it's >> > forbidden by X.509 standard) >> >> Right, I've check that with RFC 2459. >> >> - you will be able to verify old end-user certificates with the new >>>CA certificate (since the CA key didn't change), if the rest of the >>>CA certificate permits it (validity dates, extensions). >>> >> >> This seems to be a problem if you're using openssl to verify the >> certificate. I've generated a new CA certificate with the same CA key as >> before. But only the verification with the "old" CA certificate was working. >> >> #> openssl verify -CAfile newca.pem user_cert.pem >> user_cert.pem: >> error 20 at 0 depth lookup:unable to get local issuer certificate >> >> According to old threads on this list this message has something to do >> with the AKID/SKID. >> >> > If you were in this situation, and only were able to verify end-user >> > certificates if the new CA certificate had the same serial number as >> > the old one, then I'm sure you made a mistake in your tests. >> >> I agree, maybe I did something wrong here. What steps would I have to do >> to recertify my CA with openssl? >> >> >> Cheers, >> Alex >> __ >> OpenSSL Project http://www.openssl.org >> User Support Mailing Listopenssl-users@openssl.org >> Automated List Manager majord...@openssl.org >> > >
Issue with 1.0.0d of OpenSSL on Windows.
Hi, It has been a while I dived into the OpenSSL product. Please forgive me for posting this issue and if it has already resolved please send me a pointer. I compiled and built OpenSSL 1.0.0d on Windows using Visual Studio C++ without any compiler problems. The test all passed fine. I was using 0.9.8d version before and it works fine except once in a while it is in a loop in accept and doesn't come out of it. So I decided to give 1.0.0d a try. My code compiles and runs through all the setup (cert extra) without any problems. But I can't make connections to the server (server is the one that has OpenSSL 1.0.0d.) Please let me know what I am missing? Thanks, Best Wishes, Allen
About client certification verification
Hi, I would like to clarify if SSL server request client to send certification, and does not do the verification in OpenSSL (verification error is ignored, and certificate is verified somewhere else), will the client certificate still participate in the negotiation of keys? Thanks -- qun-ying __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Running SSL on own socket code
On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote: > The way I do things like this is to slightly modify OpenSSL (and keep track > of the mods!) Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Running SSL on own socket code
The way I do things like this is to slightly modify OpenSSL (and keep track of the mods!) 1) Hunt down the socket code 2) Set a new variable, a pointer to a function (for each function you replace) (fptr in my example) 3) rename the routine to "release_function" 4) make a new function() which has the exact same args and a few lines of code int function() { If (!fptr) fptr = (int(*)())(&release_function); return(*ftpr()); } In my code I put in the initialization routine: extern int (*fptr)(); fptr = (int(*)())(&my_function); Note that is pseudo code and needs fleshing out. This is because often these functions are VERY tightly coupled including handshaking and things I don't really understand -- so I replace a low-level routine I do understand. And with new releases it only takes moments to re-do the 3-4 functions I do this with. It means that the OpenSSL code will still work as intended in all cases except where you chose to override. Using function pointers does have weird/odd/goofy syntax but works well. I primarily use this to override error logging as I have my own logging functions and I need to use syslog() for the version 1.2 PCI/PA-DSS compliance. I have also replaced low-level TCP code on occasion. In fact I would argue that all the logging functions should be released with this capability built in as that is one area I think a lot of people would like to customize, and if there is any interest I will modify the code and send it through channels to be included. Error handling is tightly coupled -- everywhere -- in the code, so my system makes using my own logging very easy. Eric At 07:22 AM 6/1/2011, Victor Duchovni wrote: On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote: > I'd like to know the feasibility or complexity around using my own > socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of > BIOs to read and write would that be sufficient? How tightly integrated > the code is with bio_connect and bio_socket? thanks > jeff man BIO_new_bio_pair Look at the example. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com Pictures of Snake in Spring http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49 Pictures of Camp Verde http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf Pictures of Land Cruiser in Sedona http://www.facebook.com/album.php?aid=50953&id=1409661701 Pictures of Flagstaff area near our cabin http://www.facebook.com/album.php?aid=12750&id=1409661701 Pictures of Cheryl in a Horse Show http://www.facebook.com/album.php?aid=32484&id=1409661701 Pictures of the AZ Desert http://www.facebook.com/album.php?aid=58827&id=1409661701 (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Running SSL on own socket code
On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote: > I'd like to know the feasibility or complexity around using my own > socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of > BIOs to read and write would that be sufficient? How tightly integrated > the code is with bio_connect and bio_socket? thanks > jeff man BIO_new_bio_pair Look at the example. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Errors with certificate signing x509v1 when making test. Test failed
On Wed June 1 2011, Dr. Stephen Henson wrote: > On Tue, May 31, 2011, gvfb wrote: > > > > > >Thanks, I've got the package for shared libraries libssl0.9.8 as well as > > >the -dev packages which I need to compile IMAP toolkit, I'll probably use > > >those, unless I manage to install from source and then I will enable > > >mod_ssl on apache, with a simple a2enmod. I did config without changing > > >anything on Configure, I simply did config and apparently succesfully, it > > >only informed it was configured for linux - elf. The warnings I got had to > > >do with the pem signatures, I believe, they were sort of: > > > > pem_all.c: In function ???PEM_read_bio_X509_REQ???:pem_all.c:141:1: > > warning: function called through a non-compatible typepem_all.c:141:1: > > note: if this code is reached, the program will abort > > > > (...compiling)pem_all.c:147:1: warning: function called through a > > non-compatible typepem_all.c:147:1: note: if this code is reached, the > > program will abort > > > > (...compiling)pem_x509.c: In function > > ???PEM_read_bio_X509???:pem_x509.c:68:1: warning: function called through a > > non-compatible typepem_x509.c:68:1: note: if this code is reached, the > > program will abortpem_x509.c: In function ???PEM_read_X509???: (same > > result) // this was certainly not the output of the machine, its a comment > > of mine :) > > > > (...compiling)pem_x509.c: In function > > ???PEM_read_bio_X509???:pem_x509.c:68:1: warning: function called through a > > non-compatible typepem_x509.c:68:1: note: if this code is reached, the > > program will abortpem_x509.c: In function ???PEM_read_X509???: (same result) > > > > pem_xaux.c: In function ???PEM_read_bio_X509_AUX???:pem_xaux.c:68:1: > > warning: function called through a non-compatible typepem_xaux.c:68:1: > > note: if this code is reached, the program will abort > > > > (...compiling)pem_pk8.c: In function > > ???PEM_read_bio_PKCS8???:pem_pk8.c:240:1: warning: function called through > > a non-compatible typepem_pk8.c:240:1: note: if this code is reached, the > > program will abort > > > > (...compiling)x_all.c: In function ???d2i_RSA_PUBKEY_bio???:x_all.c:266:9: > > warning: function called through a non-compatible typex_all.c:266:9: note: > > if this code is reached, the program will abort > > > > (Those are not the first 10, but a collection of the warnings of which I > > made a text grouping them by order of appearance and by what I could > > understand they meant, I obviously didn't do a good work there :) > > > > As for the output test (should I do the commands inside those directories > > or is it supposed to be a sort of bash script) Anyway, I'm sorry to say I > > have deleted the directory that I used to build, so I would have to run the > > config and making again. I will let you know if I can manage to do the > > test. > > > > Those relate to the old way OpenSSL (ab)used function pointers which more > recent versions of gcc object to. Although they are "warnings" they will cause > OpenSSL to abort in many places rendering it unusable. You must use a newer > version of OpenSSL sources where this was addressed. > If for some reason you must stay with the older version of OpenSSL - Your Debian/Ubuntu system supports multiple versions of gcc - You can select v-3.4.? as the default and compile the older OpenSSL with the older version of gcc. Mike > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Errors with certificate signing x509v1 when making test. Test failed
On Tue, May 31, 2011, gvfb wrote: > > >Thanks, I've got the package for shared libraries libssl0.9.8 as well as the > >-dev packages which I need to compile IMAP toolkit, I'll probably use those, > >unless I manage to install from source and then I will enable mod_ssl on > >apache, with a simple a2enmod. I did config without changing anything on > >Configure, I simply did config and apparently succesfully, it only informed > >it was configured for linux - elf. The warnings I got had to do with the pem > >signatures, I believe, they were sort of: > > pem_all.c: In function ???PEM_read_bio_X509_REQ???:pem_all.c:141:1: warning: > function called through a non-compatible typepem_all.c:141:1: note: if this > code is reached, the program will abort > > (...compiling)pem_all.c:147:1: warning: function called through a > non-compatible typepem_all.c:147:1: note: if this code is reached, the > program will abort > > (...compiling)pem_x509.c: In function > ???PEM_read_bio_X509???:pem_x509.c:68:1: warning: function called through a > non-compatible typepem_x509.c:68:1: note: if this code is reached, the > program will abortpem_x509.c: In function ???PEM_read_X509???: (same result) > // this was certainly not the output of the machine, its a comment of mine :) > > (...compiling)pem_x509.c: In function > ???PEM_read_bio_X509???:pem_x509.c:68:1: warning: function called through a > non-compatible typepem_x509.c:68:1: note: if this code is reached, the > program will abortpem_x509.c: In function ???PEM_read_X509???: (same result) > > pem_xaux.c: In function ???PEM_read_bio_X509_AUX???:pem_xaux.c:68:1: warning: > function called through a non-compatible typepem_xaux.c:68:1: note: if this > code is reached, the program will abort > > (...compiling)pem_pk8.c: In function > ???PEM_read_bio_PKCS8???:pem_pk8.c:240:1: warning: function called through a > non-compatible typepem_pk8.c:240:1: note: if this code is reached, the > program will abort > > (...compiling)x_all.c: In function ???d2i_RSA_PUBKEY_bio???:x_all.c:266:9: > warning: function called through a non-compatible typex_all.c:266:9: note: if > this code is reached, the program will abort > > (Those are not the first 10, but a collection of the warnings of which I made > a text grouping them by order of appearance and by what I could understand > they meant, I obviously didn't do a good work there :) > > As for the output test (should I do the commands inside those directories or > is it supposed to be a sort of bash script) Anyway, I'm sorry to say I have > deleted the directory that I used to build, so I would have to run the config > and making again. I will let you know if I can manage to do the test. > Those relate to the old way OpenSSL (ab)used function pointers which more recent versions of gcc object to. Although they are "warnings" they will cause OpenSSL to abort in many places rendering it unusable. You must use a newer version of OpenSSL sources where this was addressed. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Running SSL on own socket code
I'd like to know the feasibility or complexity around using my own socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of BIOs to read and write would that be sufficient? How tightly integrated the code is with bio_connect and bio_socket? thanks jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Errors with certificate signing x509v1 when making test. Test failed
On Tue May 31 2011, gvfb wrote: > > De: owner-openssl-us...@openssl.org > Para: openssl-users@openssl.org > Cc: > Fecha: Tue, 31 May 2011 23:08:18 -0400 > Asunto: RE: Errors with certificate signing x509v1 when making test. Test > failed > > > > From: owner-openssl-us...@openssl.org On Behalf Of gvfb > > > Sent: Tuesday, 31 May, 2011 18:17 > > > > > > > > Now I'm trying to walk the steps over again, so I will reinstall OpenSSL, > > > which is needed for the IMAP toolkit. However, when making OpenSSL > > > > Aside: the people here probably can't help with the IMAP and PHP > > parts. But we can try to help you get OpenSSL right. > > > > > it did not pass the tests, and throws an error when trying to test > > > the x509v1 signing utility. > > > > For info: the x509 utility, which covers v1 and v3 and > > multiple functions not just signing. The first test cases > > are of *reformatting* v1 certificate files. > > > > > I have some hints that point to the problem being with the > > > certificates, since the make of the OpenSSL throwed numerous warnings > > > about pem_all.c, pem_xaux.c and pem_x509.c being called through a > > > non-compatible type, and the making of PHP and OpenSSL throwing the errors > > > > > I mentioned make me think the matter are the certificates. > > > > See below. > > > > > The error that make test of OpenSSL throws is: > > > echo test normal x509v1 certificate > > > test normal x509v1 certificate > > > sh ./tx509 2>/dev/null > > > testing x509 conversions > > > p -> d > > > make [1]: > > > > > > ***[test_x509] Error 1 > > > make[1] : se sale del directorio > > /home/gerardo/Descargas/openssl-0.9.8e/test > > > make:***[tests] Error > > > > 1. OpenSSL 0.9.8e is over 4 years old. I don't know about Ubuntu > > schedule, but I would hope they would have a newer version. > > Poking around a little, I find packages.ubuntu.com/natty > > has openssl-0.9.8o listed. But in case it matters, there was > > a visible change in 0.9.8j Jan2009 in use of extensions, and > > 0.9.8m Feb2010 and later specifically the renegotiation extension -- > > which was added partly to fix a serious Apache vulnerability! > > > > 2. Is the source you are building from a Ubuntu/Debian package > > (copied to your homedir?) or base release from www.openssl.org? > > If the former, are there any indications that it has been changed > > from base, and if so how, for example a patches list? > > > > 3. Did you do 'config' and with what result, or 'Configure' and with > > what option(s)? What do you have in the first noncomment block of the > > toplevel Makefile (and is it recent)? > > > > 4. Exactly what warnings did you get on 'make'? If they're too many, > > maybe the first 10 or so? For comparison, when I did 0.9.8e in 2007 > > on RedHat (config'ed as plain linux-elf with shared) with gcc 3.4.4, > > I got no such warnings on the sourcefiles you name, and all tests worked. > > > > 5. Try running a single simple test with output visible: > > cd $BUILDDIR/test > > ../util/shlib_wrap.sh ../apps/openssl x509 -in testx509.pem -text > > Do you get better error message(s)? Or even normal output? > > > >Thanks, I've got the package for shared libraries libssl0.9.8 as well as the > >-dev packages which I need to compile IMAP toolkit, I'll probably use those, > >unless I manage to install from source and then I will enable mod_ssl on > >apache, with a simple a2enmod. I did config without changing anything on > >Configure, I simply did config and apparently succesfully, it only informed > >it was configured for linux - elf. The warnings I got had to do with the pem > >signatures, I believe, they were sort of: > > pem_all.c: In function ‘PEM_read_bio_X509_REQ’:pem_all.c:141:1: warning: > function called through a non-compatible typepem_all.c:141:1: note: if this > code is reached, the program will abort > What compiler and compiler version are you using? If gcc, gcc has changed a lot in the past 4 years. Mike > (...compiling)pem_all.c:147:1: warning: function called through a > non-compatible typepem_all.c:147:1: note: if this code is reached, the > program will abort > > (...compiling)pem_x509.c: In function ‘PEM_read_bio_X509’:pem_x509.c:68:1: > warning: function called through a non-compatible typepem_x509.c:68:1: note: > if this code is reached, the program will abortpem_x509.c: In function > ‘PEM_read_X509’: (same result) // this was certainly not the output of the > machine, its a comment of mine :) > > (...compiling)pem_x509.c: In function ‘PEM_read_bio_X509’:pem_x509.c:68:1: > warning: function called through a non-compatible typepem_x509.c:68:1: note: > if this code is reached, the program will abortpem_x509.c: In function > ‘PEM_read_X509’: (same result) > > pem_xaux.c: In function ‘PEM_read_bio_X509_AUX’:pem_xaux.c:68:1: warning: > function called through a non-compatible typepem_xaux.c:68:1: note: if thi
Re: How to derive EAP-TLS key material from TLS?
On Wed, Jun 1, 2011 at 5:49 PM, Robin Seggelmann wrote: > > _key, but how can I find the PRF api used to calculate: > as Michael stated, the function SSL_tls1_key_exporter() is exactly what > you're looking for. The TLS Key Exporter is described in RFC 5705. The > patch #1830, which Michael also mentioned, is available for the current > OpenSSL 1.0.0 release on http://sctp.fh-muenster.de/dtls-patches.html and > already included in the development version of OpenSSL 1.0.1 in the CVS, > which can be checked out with: > > cvs -d anonym...@cvs.openssl.org:/openssl-cvs co -rOpenSSL_1_0_1-stable > openssl > > I see. This is added recently and it was not provided in 1.0.0d, and due to the version used in my system I must implement this function myself. The content of the patch is sufficient for me to implement the function. Thanks. > Best regards > Robin > > > > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: How to derive EAP-TLS key material from TLS?
Hi Neo, On Jun 1, 2011, at 4:02 AM, Neo Liu wrote: > On Tue, May 31, 2011 at 6:41 PM, Michael Tüxen > wrote: > > What about using SSL_tls1_key_extractor()? > > I didn't this function in OpenSSL source. > I can get master secret from SSL_SESSION->master_key, but how can I find the > PRF api used to calculate: > > RPF(master_secret, "client EAP encryption", client_random || > server_random) as Michael stated, the function SSL_tls1_key_exporter() is exactly what you're looking for. The TLS Key Exporter is described in RFC 5705. The patch #1830, which Michael also mentioned, is available for the current OpenSSL 1.0.0 release on http://sctp.fh-muenster.de/dtls-patches.html and already included in the development version of OpenSSL 1.0.1 in the CVS, which can be checked out with: cvs -d anonym...@cvs.openssl.org:/openssl-cvs co -rOpenSSL_1_0_1-stable openssl Best regards Robin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to derive EAP-TLS key material from TLS?
On Jun 1, 2011, at 4:02 AM, Neo Liu wrote: > > > On Tue, May 31, 2011 at 6:41 PM, Michael Tüxen > wrote: > > What about using SSL_tls1_key_extractor()? > > I didn't this function in OpenSSL source. I don't understand what you are saying... > I can get master secret from SSL_SESSION->master_key, but how can I find the > PRF api used to calculate: > > RPF(master_secret, "client EAP encryption", client_random || > server_random) Have a look at the patch: http://sctp.fh-muenster.de/dtls/tls-exporter.patch Best regards Michael > > Best regards > Michael > > > > Thanks > > > > Neo LIu > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org