Understanding openssl s_time results (ssl session reuse)
Hello, SSL session reuse should improve SSL server performance. It seems that using openssl s_time without triggering http request ( meaning - do only 'ssl connect') - results are OK and reasonable: [root@### ~]# openssl s_time -connect 172.22.22.181:443 -time 1 No CIPHER specified Collecting connection statistics for 1 seconds 476 connections in 0.18s; 2644.44 connections/user sec, bytes read 0 476 connections in 2 real seconds, 0 bytes read per connection Now timing with session id reuse. starting r 2517 connections in 0.37s; 6802.70 connections/user sec, bytes read 0 2517 connections in 2 real seconds, 0 bytes read per connection HOWEVER - when using s_time with http get - it seems that ssl session reuse does not improve server performance: [root@loadqa-server ~]# openssl s_time -connect 172.22.22.181:443 -time 1 -www /test No CIPHER specified Collecting connection statistics for 1 seconds 636 connections in 0.22s; 2890.91 connections/user sec, bytes read 174900 636 connections in 2 real seconds, 275 bytes read per connection Now timing with session id reuse. starting r 49 connections in 0.00s; 4900.00 connections/user sec, bytes read 13475 49 connections in 2 real seconds, 275 bytes read per connection What am I missing? In total - when triggering http get request in
Understanding openssl s_time results (ssl session reuse)
Hello, SSL session reuse should improve SSL server performance. It seems that using openssl s_time without triggering http request ( meaning - do only 'ssl connect') - results are OK and reasonable: [root@### ~]# openssl s_time -connect 172.22.22.181:443 -time 1 No CIPHER specified Collecting connection statistics for 1 seconds 476 connections in 0.18s; 2644.44 connections/user sec, bytes read 0 476 connections in 2 real seconds, 0 bytes read per connection Now timing with session id reuse. starting r 2517 connections in 0.37s; 6802.70 connections/user sec, bytes read 0 2517 connections in 2 real seconds, 0 bytes read per connection HOWEVER - when using s_time with http get - it seems that ssl session reuse does not improve server performance: [root@loadqa-server ~]# openssl s_time -connect 172.22.22.181:443 -time 1 -www /test No CIPHER specified Collecting connection statistics for 1 seconds 636 connections in 0.22s; 2890.91 connections/user sec, bytes read 174900 636 connections in 2 real seconds, 275 bytes read per connection Now timing with session id reuse. starting r 49 connections in 0.00s; 4900.00 connections/user sec, bytes read 13475 49 connections in 2 real seconds, 275 bytes read per connection What am I missing? In total - when triggering http get request in
Re: understanding fipsld usage
Thanks Steve, I have a follow-up below - just checking I have it straight. On Mon, Nov 21, 2011 at 10:11 AM, Dr. Stephen Henson st...@openssl.org wrote: On Fri, Nov 18, 2011, Kevin Fowler wrote: Let me first say I have read the User Guide and Security Policy repeatedly, as well as the Incore Tutorial, looked through this users group, and read anything else I could find - so I'm not being lazy, although my questions may be pedestrian... Please correct any misunderstandings along the way. I understand that when fipscanister.o is built, its SHA1 digest is calculated and saved. Then when an application links to fipscanister.o, fipsld is used, which checks that the SHA1 is correct, and then calculates the digest for the application and rebuilds it with that digest embedded. Then, when the application is run and calls FIPS_mode_set(), the digest is calculated and checked against the embedded value. I think that openssl itself is an example of an application built with the fipscanister.o, is that correct? It depends on what you mean by openssl and the build options. If you are performing a shared library build then fipscanister.o is embedded in the libcrypto shared library. For a static build every application including the openssl utility statically includes fipscanister.o Ok, so: - if I do a shared build of OpenSSL (./config fips shared), then the libcrypto.so that is produced contains the FIPS Object Module, and fipsld will have embedded the digest in that library. - if I do a static build of OpenSSL (.config tips), then the libcrypto.a that is produced does not contain the FIPS Object Module. Later linking to an application will require fipscanister.o, -L lcrypto, and the use of fipsld to embed the digest in the application. An example of this is the hello application in the Incore Tutorial document. When OpenSSL is built, it produces, among other things, the libcrypto.a static library, which contains what was sequestered in fipscanister.o.Is that correct? Now I have a big application to build, and it will have the FIPS-capable OpenSSL in it. When I do the build, I think the instructions say that the SHA1 digest has to be re-calculated on this application, and that value embedded where the previous standalone value was. Is that correct? Is my application pulling in the FIPS stuff by linking in the libcrypto.a? If my application is just too large and complex, do I pretty much need to go with the shared library, and avoid the part where the digest is recalculated/re-embedded in the application itself? If you're library links against the OpenSSL shared library you don't need to bother with any of this as the fingerprint is embedded in that shared library by the build process. If you want to statically link against OpenSSL you do need to address this. If you're using a Unix like system then making some minor adjustments to the final linking to use fipsld and set a few environement variables is sufficient. If you want to integrate this with some IDE or you are using Windows with an IDE then this is a bit trickier and you might need to develop your own procedure following the security policy requirements. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Certificate chain in memory buffer
Hi All, I use BIO_new_mem_buf and PEM_read_bio_X509 to convert the certificate in memory buffer to X509 certificate format. Finally the certificate is then added to the CA store. If the buffer contains certificate chain like -BEGIN CERTIFICATE- ... (CA certificate 1) ... -END CERTIFICATE- -BEGIN CERTIFICATE- ... (CA certificate 2) ... -END CERTIFICATE- -BEGIN CERTIFICATE- ... (CA certificate 3) ... -END CERTIFICATE- Only the first certificate is then read. Is there a way to handle the appended CA's? I cannot use SSL_CTX_load_verify_locations as my program does not have access to the file system or the files directly.Regards Aravind GJ
Re: SSL_Connect call gives SSL_ERROR_WANT_READ for non blocking sockets
Ohh .. ok. But I just want the SSL_connect to succeed because I want to fetch the certificate of an HTTPS website. So after the success of SSL_connect() function, I would call SSL_get_peer_certificate(). Since I wait until the SSL_connect() function succeeds I wanted to know if there is a better approach. Hope I am able to convey my understandings for these functions. If you feel that I dont, please help in understanding the same. ~Arjun On Mon, Nov 21, 2011 at 8:10 PM, Michael S. Zick open...@morethan.orgwrote: On Mon November 21 2011, Arjun SM wrote: Well yes, these are not errors. My bad for naming the variable as 'error'. Not my point - Your logic shows that you think the connection has failed when it has simple not yet finished with its protocol. Not finished because you didn't respond to the want-write and/or want-read. Something which your code must do when using non-blocking sockets. Mike ~Arjun On Thu, Nov 17, 2011 at 11:50 PM, Michael S. Zick open...@morethan.org wrote: On Thu November 17 2011, Arjun SM wrote: Hi, Thanks for the reply. I have called the ssl_connect() function again after checking for SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE. But I wanted to know if I can optimize my code. Below is my code int counter = 6; while (status 0 --counter 0 ) { if(status 0) { error=SSL_get_error(ssl,status); if(error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) { MessageLog.Write(SSL 1st Connect error , error); But these two cases are __not__ errors, you just need to 'read' or 'write' as indicated so the protocol can advance. Mike usleep(200); status = SSL_connect(ssl); error=SSL_get_error(ssl,status); MessageLog.Write(SSL 2nd Connect error , error); } else { break; } } } // end of while I would try for some time and break out saying unable to connect. I am sure I can optimize this code by using select() but I am unable to make it work. If there is a better approach please do share. ~Arjun On Tue, Nov 15, 2011 at 9:04 PM, Huaqing Wang whuaq...@gmail.com wrote: Hi, Arjun, For non-blocking case, you have to handle SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE In that case you need to redo *SSL_connect.* * * Huaqing On Tue, Nov 15, 2011 at 5:51 AM, Arjun SM arjun...@gmail.com wrote: Hi all, I am newbie to openssl any help is greatly appreciated. I have a requirement of fetching the Common name (domin name ) from the certificate that I request from any HTTPS websites. I followed the regular method of 1. establish a connection with the ip address using *connect() *system call. 2. Use *SSL_connect()* system call to perform handshake. 3. Use *SSL_get_peer_certificate()* to get the certificate. The problem I faced was that, the connect() call would at times return a errno 4 (EINTR) error . So i changed code from blocking to non-blocking sockets and used select() call to have a valid connection and return an appropriate file descriptor. Now the ssl_connect() call returns SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE error. I am unable to make my code work by adding a select() even on ssl_connect() call. If any one can please help as to how I need to use the ssl_connect() by polling that would be of great help. preferred language would be C/C++ thanks, ~Arjun -- Thank you. Best Regards, Michael(Huaqing) Wang __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.
Hi, We are implementing multi-layer support for our openssl-based PKI solution and had the following query: Currently our PKI solution supports only single layer CA support and we use SSL_CTX_load_verify_locations API with the CAFile option, meaning that the service loads the CA certificate from a PEM file. When testing multi-layer support between a client-server model with *SSL_VERIFY_PEER *set to true, we observed that using the CAFile(with all CA certificates- root + intermediate concatenated into a single PEM file) does not work anymore. But using CAPath option (storing each CA in separate file, creating hashes for them in a directory and providing that directory in CAPath) seems to work fine. Is this a known bug with openSSL or is it something that we are doing wrong.* * Also, from the openSSL community perspective, is it advisable to use CAFile option or CAPath option when providing multi-layer support? Regds, Ashok