RE: Have query about certificates on-disk size on encoded size of x509 certificate mismatch.
From: owner-openssl-us...@openssl.org On Behalf Of baban devkate
Sent: Thursday, 08 August, 2013 00:54

Have query about certificates on-disk size on encoded size of x509 certificate mismatch.

snip: DER is smaller than PEM

why on-disk size of certificate is 0x3C9 bytes and 'PkCertLen ' is 0x2A2??
Is this size difference is due to encoding?

Yes. PEM is base64 = 4 chars for each 3 bytes rounded up, plus line breaks 1 or 2 chars (depending on some systems how you read it) for each chunk of usually 48 or 54 bytes), plus BEGIN and END lines (usually 28 and 26 chars).

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Have query about certificates on-disk size on encoded size of x509 certificate mismatch.
Thanks for confirmation Dave.

On Thu, Aug 8, 2013 at 12:35 PM, Dave Thompson dthomp...@prinpay.com wrote:

From: owner-openssl-us...@openssl.org On Behalf Of baban devkate
Sent: Thursday, 08 August, 2013 00:54

Have query about certificates on-disk size on encoded size of x509 certificate mismatch.

snip: DER is smaller than PEM

why on-disk size of certificate is 0x3C9 bytes and 'PkCertLen ' is 0x2A2??
Is this size difference is due to encoding?

Yes. PEM is base64 = 4 chars for each 3 bytes rounded up, plus line breaks 1 or 2 chars (depending on some systems how you read it) for each chunk of usually 48 or 54 bytes), plus BEGIN and END lines (usually 28 and 26 chars).
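The size relationship described in this thread, worked through for the two figures in the question (DER length 0x2A2, file size 0x3C9); this is an added example, not code from the thread or from OpenSSL. The function names are hypothetical and the input is constructed filler bytes rather than a real certificate; the line length must be a multiple of 3 bytes.

```c
#include <stdio.h>
#include <string.h>

/* Predicted PEM size: base64 body + one line break per body line
 * + BEGIN and END lines, each with its own line break. */
size_t pem_size(size_t der_len, size_t bytes_per_line, size_t eol_len,
                const char *label)
{
    size_t b64 = (der_len + 2) / 3 * 4;            /* 4 chars per 3 bytes, rounded up */
    size_t chars_per_line = bytes_per_line / 3 * 4;
    size_t lines = (b64 + chars_per_line - 1) / chars_per_line;
    size_t begin = strlen("-----BEGIN ") + strlen(label) + strlen("-----") + eol_len;
    size_t end = strlen("-----END ") + strlen(label) + strlen("-----") + eol_len;
    return begin + b64 + lines * eol_len + end;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Actually produce the PEM text, to cross-check the prediction.
 * Returns the number of characters written to out. */
size_t pem_encode(const unsigned char *der, size_t n, const char *label,
                  size_t bytes_per_line, const char *eol, char *out)
{
    char *p = out;
    p += sprintf(p, "-----BEGIN %s-----%s", label, eol);
    for (size_t i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)der[i] << 16;
        if (i + 1 < n) v |= (unsigned long)der[i + 1] << 8;
        if (i + 2 < n) v |= der[i + 2];
        *p++ = B64[v >> 18 & 63];
        *p++ = B64[v >> 12 & 63];
        *p++ = i + 1 < n ? B64[v >> 6 & 63] : '=';
        *p++ = i + 2 < n ? B64[v & 63] : '=';
        /* break after every full line and after the final, shorter one */
        if ((i + 3) % bytes_per_line == 0 || i + 3 >= n)
            p += sprintf(p, "%s", eol);
    }
    p += sprintf(p, "-----END %s-----%s", label, eol);
    return (size_t)(p - out);
}

/* Encode der_len bytes of constructed filler and return the PEM length. */
size_t encoded_size(size_t der_len, size_t bytes_per_line, const char *eol)
{
    static unsigned char der[4096];
    static char out[8192];
    if (der_len > sizeof der)
        return 0;
    memset(der, 0xA5, der_len);   /* constructed sample, not a certificate */
    return pem_encode(der, der_len, "CERTIFICATE", bytes_per_line, eol, out);
}
```

With 48-byte lines and a 1-char line break, 0x2A2 DER bytes come to exactly 0x3C9 PEM bytes, the two figures in the question; 54-byte lines or 2-char line breaks give a different total.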
[winlinke...@gmail.com: update openssl error]
Forwarded to openssl-users for discussion.

- Forwarded message from gate Bill winlinke...@gmail.com -

Date: Tue, 6 Aug 2013 17:22:54 +0800
From: gate Bill winlinke...@gmail.com
To: openssl-b...@openssl.org
Subject: update openssl error

hello

my linux env:
centos 6.4 x64
gcc 4.8.1
2.6.32-358.6.2.el6.x86_64

compile step:

    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
    tar zxf openssl-1.0.1e.tar.gz
    cd openssl-1.0.1e
    ./config zlib shared threads --prefix=/usr --openssldir=/etc/pki/tls
    make
    make test
    make install
    ldconfig
    cd ../
    echo 'OK!'

the command openssl version -a display is right

but when i exec this /etc/init.d/ssh restart, display this error:

OpenSSL version mismatch. Built against

so i think maybe need to upgrade the openssh, so i do like this

    echo Updateting Openssh
    yum -y install libedit libedit-devel libbsd libbsd-devel pam pam-devel krb5-devel audit-libs audit-libs-devel
    cd openssh-6.2p2
    ./configure --sysconfdir=/etc/ssh --prefix=/usr --with-cflags --with-cppflags --with-ldflags --with-libs --with-Werror --with-solaris-contracts --with-solaris-projects --with-osfsia --with-zlib=/usr --with-tcp-wrappers=/usr --with-libedit=/usr --with-audit=linux --with-ssl-dir=/etc/pki/tls --with-ssl-engine --with-pam --with-selinux --with-kerberos5=/usr --with-md5-passwords --with-bsd-auth --with-ipaddr-display --with-4in6

but the still the same problem, so, what should i do?

i'm waiting your answer??? thank u

- End forwarded message -
Re: OpenSSH 6.2 with OpenSSL 1.0.1e hang at SERVICE_ACCEPT [was: openssl 6.2 hangs]
On 07-08-2013 02:47, Marlon Davis wrote:

To the openssl community;

I have installed openssl 6.2 on my mac book pro and tried to ssh to a server and the ssh session hangs. The host server shows that a connection was established but I cannot return a prompt to indicate that I am connected to the server. Can someone advise?

Thanks in advance

Your problem looks a lot like an OpenSSH or Sun SSH problem, not an OpenSSL problem, try asking on a mailing list for SSH problems, please refer to http://www.openssh.org/list.html for instructions. Be sure to use plain text mails with their lists.

The details you gave below are likely to help an SSH expert find the issue, so please keep them when contacting the SSH people.

==HOST SERVER

[ALLOC133 /export/home/tinker] netstat -a |grep msp9022.XX.XXX.COM.ssh
msp9022.XX.XXX.COM.ssh dhcp-uk-vpn-adc-anyconnect-10-154-141-30.XX.XXX.COM.49808 131024 0 128544 0 ESTABLISHED
[ALLOC133 /export/home/tinker] netstat -a |grep msp9022.XX.XXX.COM.ssh
msp9022.XX.XXX.COM.ssh dhcp-uk-vpn-adc-anyconnect-10-154-141-30.XX.XXX.COM.49808 131024 0 128544 0 ESTABLISHED
[ALLOC133 /export/home/tinker]

=== CLIENT MACHINE

bash-3.2$ ssh -v
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
bash-3.2$ ssh -l tinker -vvv msp9022
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to msp9022 [10.141.10.31] port 22.
debug1: Connection established.
Re: SSL_shutdown question
YUN GAO wrote:

Hi there:

SSL_shutdown used to have a problem that in some instances it always returns 0 no matter how many times it is called before 0.9.8l. To solve the issue, I have to call SSL_shutdown() twice and check the error number and return code at the second time: if the return code is 0 and the error number from SSL_get_error() is not SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, SSL_shutdown() is confirmed.

I found this has been solved in 1.0.1b, SSL_shutdown() always return -1 if the SSL connection has been closed already, and the error number now becomes SSL_ERROR_SYSCALL and the second time calling SSL_shutdown().

I looked at the ChangeLog, and found a SSL_shutdown() fix in 0.9.8m, I wonder if this is the one that contributes to the different behavior as I described above.

Sorry for late reply to old post. I just did a search on topic to notice your unreplied posting.

Yes indeed it does. Please search mailing list for full information. Some small code was provided on mailing-list that could be cut and pasted to provide same compatibility of previous behaviour but using new API, also this code is backwards compatible meaning it could be added to your application today and it would not matter if you were using OpenSSL version at runtime from before the change (such as 0.9.7) or after the change (such as 1.0.0).

Think of the new behaviour as providing/exposing additional information that was previously hidden. Previously it was not possible to detect with certainty flow control and lack of data issues during SSL shutdown.

Before 0.9.8m (or whatever version it was changed, I take your word for it) the return value of 0 could mean any of the 3 new states:

-1/WANT_WRITE
0 (this has same meaning as -1/WANT_READ and it return for compatibility with API, but the 0 is only visible once to provide that compatibility)
-1/WANT_READ

The return value of 1 has the same meaning in the previous behaviour and current behaviour of the SSL_shutdown() API.

When you refer to version 1.0.1b are you talking about a patch in that version, or is this the version you happened to be testing with ?

All versions since 0.9.8m (if that is the correct version) should detect a close of lower level transport (i.e. socket) with the usual -1/SSL_ERROR_SYSCALL or -1/SSL_ZERO_RETURN as you would also expect to see from SSL_read() usage.

Darryl
Re: how to do SSL_shutdown()
Priyaranjan Nayak wrote:

I am using openssl-1.0.1c in our project. When SSL_shutdown(ssl) get executed it returns 0. If I get return value zero then calling the same SSL_shutdown(ssl) again. In 2nd time it return -1. Can any one tell me how to shutdown ssl context ? How can I execute SSL_shutdown(ssl) , so that it will return 0 .

SSL_shutdown() will only return 1 when it has completed a 2 stream (send stream and receive stream) cryptographically secure shutdown.

When you call it you are only able to shutdown the 'send stream' that you control, you can not influence if or when the remote end will provide you indication of the receive stream shutdown; that is completely a software/programming matter of the implementation of the far end, not one enforced by SSL protocol specification. It has to willingly decide to perform an SSL shutdown on its sending stream (your receiving stream), it could if it wanted keep the socket open forever, and still continue to send data (your received data) and this would not violate SSL protocol specification.

The fact that you have observed a 0 return value from SSL_shutdown() means that your end (the local end) has done everything it can and you wait for network and remote end to comply with your decision to shutdown.

If you are seeing a 0 return value, then a -1, then you have -1/WANT_READ condition see below. If you treat the -1 return value you see like other OpenSSL API calls that operate on (SSL *) type, by using SSL_get_error(ssl) and confirm what value or error code is provided.

-1/SSL_ERROR_WANT_WRITE means the 'SSL close notify' packet has not been committed to the kernel. To resolve this you must ensure your BIO layer and below flush their data downwards when they can. You might not be able to flush data down if there is flow control in force blocking this scenario. For example write() system call returns -1/EAGAIN because the network socket write buffer is full.

If you see -1/SSL_ERROR_WANT_WRITE then your local end still has work to do, to wait for flow control to clear to allow you to commit data to the kernel and then flush your outstanding data (this data is buffered internally in OpenSSL) to kernel.

If you see SSL_shutdown(ssl) == 0, then you can call shutdown(fd, SHUT_WR) on the socket if you wish. Because the SSL protocol stack never needs to write(fd, ...) any data in the future with that socket. NOTE: this comment presumes you are using a direct socket BIO layer.

-1/SSL_ERROR_WANT_READ means that the SSL_shutdown() API is waiting for the remote end to send its 'SSL close notify' packet. As stated above you have no control over when or if the remote end does this. The -1/SSL_ERROR_WANT_READ is the generic 'waiting for more data' error code you get from non-blocking SSL_read() API and it has exactly the same meaning in respect of SSL shutdown, since we are waiting for data from the remote end to complete the shutdown of both streams (send and receive).

The other end does not have to send the 'SSL shutdown notify' packet and a lot of 'other ends' simply disconnect/close socket on receiving the 'SSL close notify' you sent.

If you care about a cryptographically secure shutdown you need to fix the software at the 'other end' to ensure it:

* notices it receives a secure shutdown from the remote end
* finishes up whatever it may be in the middle of doing, like sending data
* makes a decision to comply with the shutdown scenario
* sends its 'SSL close notify' packet,
* ensure it flushed the packet to the kernel and over the network, and
* keeps the socket open waiting for you to be the first mover in closing the socket. However SO_LINGER may help and maybe you need an application level timer for really bad software that fails to close().
* as a short-circuit the 'other end' can close() if it can ask the kernel if all pending data has been ACKed on the wire. Such as the value of the TCP SendQ in the kernel is now at a 0 value.

In reality the above never happens, unless you have some kind of high security environment since doing all that requires understanding, additional work and lowers performances (a host will have more sockets open longer). In reality implementations are more a best-effort to be correct, rather than assured of being correct.

If you can not control or fix the other software and your application may choose not to consider this an error condition, but more a 'we did our best to be correct here, but the ignorant other end software was not such a good SSL citizen as we are, since it did not provide us with the SSL close notify packet we expected before it abruptly cause a TCP disconnection of the stream'.

Many applications do not require a cryptographic secure end-of-stream indication due to the way the application protocol works. For example HTTP/1.1 which is a request/response protocol where the client is in charge of what the responses the
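The return-value handling described in the reply above, written as a driver loop; this is an added example, not code from the thread or from OpenSSL. The sd_ops hooks, result names and scripted peers are hypothetical: in a real program step would call SSL_shutdown() and SSL_get_error(), and wait_io would poll() the socket with a timeout.

```c
#include <stddef.h>

/* Values of SSL_ERROR_WANT_READ / _WANT_WRITE / _SYSCALL in <openssl/ssl.h>,
 * repeated here so the block builds without the library. */
enum { E_WANT_READ = 2, E_WANT_WRITE = 3, E_SYSCALL = 5 };

typedef enum {
    SD_BOTH_CLOSED,        /* SSL_shutdown() returned 1 */
    SD_SENT_PEER_SILENT,   /* our close notify went out, peer never answered */
    SD_SENT_PEER_HUNG_UP,  /* peer dropped the transport instead of answering */
    SD_NOT_SENT            /* our close notify never reached the kernel */
} sd_result;

/* One SSL_shutdown() call: return value and, if negative, the error code. */
struct sd_step { int ret, err; };

/* Hypothetical hooks standing in for the OpenSSL and socket calls. */
struct sd_ops {
    struct sd_step (*step)(void *ctx);
    int (*wait_io)(void *ctx, int for_write);   /* 0 = timed out */
};

sd_result tls_shutdown(const struct sd_ops *ops, void *ctx, int max_calls)
{
    int sent = 0;                          /* send stream fully shut down */
    for (int i = 0; i < max_calls; i++) {
        struct sd_step s = ops->step(ctx);
        if (s.ret == 1)
            return SD_BOTH_CLOSED;
        if (s.ret == 0) {                  /* seen once; shutdown(fd, SHUT_WR) */
            sent = 1;                      /* would be allowed from here on */
            continue;
        }
        if (s.err == E_WANT_WRITE) {       /* close notify still buffered */
            if (!ops->wait_io(ctx, 1))
                return SD_NOT_SENT;
        } else if (s.err == E_WANT_READ) { /* waiting for the peer's notify */
            sent = 1;
            if (!ops->wait_io(ctx, 0))
                return SD_SENT_PEER_SILENT;
        } else {                           /* E_SYSCALL and others: socket gone */
            return sent ? SD_SENT_PEER_HUNG_UP : SD_NOT_SENT;
        }
    }
    return sent ? SD_SENT_PEER_SILENT : SD_NOT_SENT;
}

/* Constructed scripted peers (n >= 1); the last step repeats forever. */
struct script { const struct sd_step *steps; size_t n, pos; int io_ok; };

static struct sd_step script_step(void *ctx)
{
    struct script *s = ctx;
    return s->steps[s->pos < s->n - 1 ? s->pos++ : s->pos];
}
static int script_wait(void *ctx, int for_write)
{
    (void)for_write;
    return ((struct script *)ctx)->io_ok;
}
sd_result run_script(const struct sd_step *steps, size_t n, int io_ok)
{
    struct script s = { steps, n, 0, io_ok };
    struct sd_ops ops = { script_step, script_wait };
    return tls_shutdown(&ops, &s, 8);
}

const struct sd_step POLITE[] = {{-1, E_WANT_WRITE}, {0, 0}, {-1, E_WANT_READ}, {1, 0}};
const struct sd_step RUDE[]   = {{0, 0}, {-1, E_SYSCALL}};
const struct sd_step SILENT[] = {{0, 0}, {-1, E_WANT_READ}};
```

The 0-then--1 sequence from the question is the SILENT script: the local side has done its part and the outcome depends only on whether the peer ever answers.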
How do I mount a NAS device?
I obtained a NAS, with a view toward running MySQL on a server running MS Small Business Server 2003 (yes, I know, it is old, but I don't have authority to upgrade it or wipe it and install Linux on it). Anyway, the latest version of MySQL will not run on that machine. Therefore, I intend to run MySQL on the latest Suse (12.3) on a much newer server that I have almost fixed (this machine will have a 256 GB SSD).

So, unless I can mount the NAS in such a way that MySQL on Suse can find it, the 4 TB NAS goes to waste (even though all machines on my LAN can see it and browse to it, which is fine if I only want to use Windows Explorer, or its Linux equivalents, to copy files to it - but even on Windows, MySQL doesn't seem to see it unless I have mapped a specific NAS folder to a local drive letter, so I assume something similar is true on Linux). Hence my question.

NB: I am a programmer, not a system administrator, so I am at a loss as to how to do this.

NB: I did a Google search, which resulted in a very poor signal to noise ratio, but ended up confused by the different instructions given for the different distributions. And, worse, a lot of the pages I found were as old as that ancient SBS machine I can't use for this purpose. Obviously, things have changed a lot since then.

So, then, how do I do this on the latest Suse releases (12.x)?

Thanks

Ted
RE: How do I mount a NAS device?
I guess you sent this to the wrong list ...

Regards,
jjf

-Original Message-
From: Ted Byers [mailto:r.ted.by...@gmail.com]
Sent: Thursday, August 08, 2013 7:29 PM
To: openssl-users@openssl.org
Subject: How do I mount a NAS device?

I obtained a NAS, with a view toward running MySQL on a server running MS Small Business Server 2003 (yes, I know, it is old, but I don't have authority to upgrade it or wipe it and install Linux on it). Anyway, the latest version of MySQL will not run on that machine. Therefore, I intend to run MySQL on the latest Suse (12.3) on a much newer server that I have almost fixed (this machine will have a 256 GB SSD).

So, unless I can mount the NAS in such a way that MySQL on Suse can find it, the 4 TB NAS goes to waste (even though all machines on my LAN can see it and browse to it, which is fine if I only want to use Windows Explorer, or its Linux equivalents, to copy files to it - but even on Windows, MySQL doesn't seem to see it unless I have mapped a specific NAS folder to a local drive letter, so I assume something similar is true on Linux). Hence my question.

NB: I am a programmer, not a system administrator, so I am at a loss as to how to do this.

NB: I did a Google search, which resulted in a very poor signal to noise ratio, but ended up confused by the different instructions given for the different distributions. And, worse, a lot of the pages I found were as old as that ancient SBS machine I can't use for this purpose. Obviously, things have changed a lot since then.

So, then, how do I do this on the latest Suse releases (12.x)?

Thanks

Ted
Re: How do I mount a NAS device?
hehehe i think it's not related to openssl

maybe you should look at smbfs, cifs, samba, nfs, and other filesystems over network
Re: How do I mount a NAS device?
On Aug 8, 2013, at 2:45 PM, Ted Byers r.ted.by...@gmail.com wrote:

I obtained a NAS, with a view toward running MySQL on a server running MS Small Business Server 2003 (yes, I know, it is old, but I don't have authority to upgrade it or wipe it and install Linux on it). Anyway, the latest version of MySQL will not run on that machine. Therefore, I intend to run MySQL on the latest Suse (12.3) on a much newer server that I have almost fixed (this machine will have a 256 GB SSD).

So, unless I can mount the NAS in such a way that MySQL on Suse can find it, the 4 TB NAS goes to waste (even though all machines on my LAN can see it and browse to it, which is fine if I only want to use Windows Explorer, or its Linux equivalents, to copy files to it - but even on Windows, MySQL doesn't seem to see it unless I have mapped a specific NAS folder to a local drive letter, so I assume something similar is true on Linux). Hence my question.

NB: I am a programmer, not a system administrator, so I am at a loss as to how to do this.

NB: I did a Google search, which resulted in a very poor signal to noise ratio, but ended up confused by the different instructions given for the different distributions. And, worse, a lot of the pages I found were as old as that ancient SBS machine I can't use for this purpose. Obviously, things have changed a lot since then.

So, then, how do I do this on the latest Suse releases (12.x)?

The two ways that come to my mind are:

1) if the NAS has iSCSI support, config it on the NAS and then config iSCSI initiator on Suse.
2) mount -t /dev/devid /mnt

Btw, not sure how you think this is ssl mailing list material.