Re: Question on OpenSSL encryption
On Sat, Jan 7, 2012 at 4:12 PM, Manish Jain invalid.poin...@gmail.com wrote: Hello Michael/Anyone Else, Can you be kind enough to please point me to some place/URL where I can get a bit more information about how the key is negotiated upon ? I have gone through a a couple of write-ups on OpenSSL which throw light upon everything else except for this vital piece of information. http://en.wikipedia.org/wiki/Transport_Layer_Security Thanks Regards Manish Jain On 07-Jan-12 19:23, Michael S. Zick wrote: On Sat January 7 2012, Manish Jain wrote: Hi, I am new to OpenSSL and am trying to prepare some illustrative documentation on how it works. AFAIK, OpenSSL uses the concept of a pair of keys per host : one is a private key which is never communicated to any other host, and the other is a public key which is transmitted to the peer (the other party). The client uses the public key of the server (contained in the server's certificate) to encrypt its communication, which can only be decrypted with the server's private key. Please correct me if I am wrong. That is the essence of what happens and by that the client knows that it is communicating with the server it intended to reach (authentication). Now the question is : when the server sends data to the client, what key does it use for encryption ? The general answer is: The client and server establish a shared key for that propose early in the protocol. Does the client communicate its public key to the server (at some initial stage) which the server uses for encryption ? If the communications set up between the two requires client authentication. In many cases the client remains a stranger to the server (un-authenticated). If yes, what if the client does not have a pair of public/private keys ? The usual case for public web browsing using https and some other protocols. The client remains a stranger to the server. The question arises because it does not seem logical that the server would its private key for encrypting data to be sent to the client. Else, snoopers who might have picked the public key could decrypt the data too. There is an early stage in nearly all protocols, called: key agreement where the client and server agree on a key without exchanging any of the 'private' information that it is based on. Any help on clearing up the above points would be greatly appreciated. My comments above are at a very general level. If the process was as simple as my answers, OpenSSL would not be as large a body of code as it is. ;-) Mike Thank you Regards Manish Jain invalid.poin...@gmail.com __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: socket functions on fds
Pay special attention to the fact that sometimes an OpenSSL call to send or recv will ask you to wait (select) for it's own direction to be ready, sometimes for the other direction to be ready, depending on internal OpenSSL states. Selects before the SSL_read/writes? Any chance of a link to an example, or even some specific search terms? Thanks!! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: socket functions on fds
Or perhaps, more specifically, any examples to address the following. As I seem to be getting deadlocks :( Per the OpenSSL FAQ: http://www.openssl.org/support/faq.html#PROG10 A pitfall to avoid: Don't assume that SSL_read() will just read from the underlying transport or that SSL_write() will just write to it -- it is also possible that SSL_write() cannot do any useful work until there is data to read, or that SSL_read() cannot do anything until it is possible to send data. One reason for this is that the peer may request a new TLS/SSL handshake at any time during the protocol, requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. Thanks! - Original Message - From: Nathan Smyth naf...@ymail.com To: openssl-users@openssl.org openssl-users@openssl.org Cc: Sent: Sunday, 8 January 2012, 22:45 Subject: Re: socket functions on fds Pay special attention to the fact that sometimes an OpenSSL call to send or recv will ask you to wait (select) for it's own direction to be ready, sometimes for the other direction to be ready, depending on internal OpenSSL states. Selects before the SSL_read/writes? Any chance of a link to an example, or even some specific search terms? Thanks!! __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: socket functions on fds
Sorry, I actually haven't been using that part of OpenSSL myself, so I don't know the details, but Michael Smith has offered to help you, could you ask him? What I have read elsewhere seems to be something like: When using non-blocking sockets mode, SSL_read(), SSL_write() etc. may return either of two special error codes (by returning a negative number and causing the next call to SSL_get_error() to return that code): SSL_ERROR_WANT_READ: pass the socket in the fd_read argument to select, then try again when select() says it is ready. SSL_ERROR_WANT_WRITE: pass the socket in the fd_write argument to select, then try again when select() says it is ready. There are other similar return values to wait for the connect/accept socket operation, see the documentation for SSL_get_error() for details. On 1/9/2012 1:53 AM, Nathan Smyth wrote: Or perhaps, more specifically, any examples to address the following. As I seem to be getting deadlocks :( Per the OpenSSL FAQ: http://www.openssl.org/support/faq.html#PROG10 A pitfall to avoid: Don't assume that SSL_read() will just read from the underlying transport or that SSL_write() will just write to it -- it is also possible that SSL_write() cannot do any useful work until there is data to read, or that SSL_read() cannot do anything until it is possible to send data. One reason for this is that the peer may request a new TLS/SSL handshake at any time during the protocol, requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. Thanks! - Original Message - From: Nathan Smythnaf...@ymail.com To: openssl-users@openssl.orgopenssl-users@openssl.org Cc: Sent: Sunday, 8 January 2012, 22:45 Subject: Re: socket functions on fds Pay special attention to the fact that sometimes an OpenSSL call to send or recv will ask you to wait (select) for it's own direction to be ready, sometimes for the other direction to be ready, depending on internal OpenSSL states. Selects before the SSL_read/writes? Any chance of a link to an example, or even some specific search terms? Thanks!! __ OpenSSL Projecthttp://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
