Re: Using SSL_accept with non blocking socket
Hopefully you are doing add_ssl_algorithms(..) (and a helpful SSL_load_error_strings(..)) in the beginning. Also, did you try ERR_print_errors_fp(stdout) and see if something appears? I may be restating the obvious here. The usual way I detect errors is to do a SSL_get_error(..) and do a switch-case on all possible values.

Arun.

----- Original Message -----
From: Miha Wang [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 06, 2000 4:15 PM
Subject: Using SSL_accept with non blocking socket

> Hi, all -
>
> I am trying to write both a server and a client that use a non-blocking socket. I am not using BIO-based read/write. Here is what my code looks like. The code is almost the same as serv.cpp and cli.cpp under demos/ssl, except I am setting the non-blocking option (O_NONBLOCK).
>
> SERVER:
>
>     SSL *ssl;
>     SSL_CTX *ctx;
>
>     listen_sd = socket(..);
>     flag = fcntl(listen_sd, F_GETFL);
>     fcntl(listen_sd, F_SETFL, flag | O_NONBLOCK);
>     bind(listen_sd, ...);
>     listen(listen_sd, ...);
>     select(listen_sd + 1, ...);
>     sd = accept(listen_sd, ...);
>     flag = fcntl(sd, F_GETFL);
>     fcntl(sd, F_SETFL, flag | O_NONBLOCK);
>
>     ctx = SSL_CTX_new(...);
>     ssl = SSL_new(ctx);
>     SSL_set_fd(ssl, sd);
>     SSL_accept(ssl);
>     for (;;) {
>         SSL_read(ssl);
>         SSL_write(ssl);
>     }
>
> CLIENT:
>
>     sd = socket(...);
>     flag = fcntl(sd, F_GETFL);
>     fcntl(sd, F_SETFL, flag | O_NONBLOCK);
>     connect(sd, ...);
>
>     ctx = SSL_CTX_new(...);
>     ssl = SSL_new(ctx);
>     SSL_set_fd(ssl, sd);
>     SSL_connect(ssl);
>     SSL_write(ssl);
>     SSL_read(ssl);
>
> The problem is that SSL_accept() failed (return -1). I could not get an error code with ERR_print_errors and I don't know why. Does anyone know what's wrong with this piece of code or if it makes sense? The reason I am not using BIO is that I would like to manage both non-SSL and SSL connections over the socket. Can I do something like that?
>
> Any help is appreciated.
>
> Miha

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: using ssl in http protocol
-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, August 24, 2000 6:53 AM
Subject: using ssl in http protocol

> One question: HTTP is a connectionless protocol (at least 1.0 is, and I don't know if there are some implementations of HTTP 1.1). If we want to use SSL in HTTP to acquire a secure connection, then does it mean we have to take the full handshake for each connection (each request and reply)? If not, how did they implement it then? Are there some little source examples here (both client and server)?
>
> Du Chunyan

[Moved to openssl-users]

If what you mean by a "connectionless" protocol is that there is no mechanism for persistent connections, that is incorrect. HTTP/1.0 does support persistent connections (using the Connection: Keep-Alive header) and HTTP/1.1 does it by default. Hence, if you are communicating with the same HTTPS server, upon a keep-alive request, the server in most cases will oblige that request and keep the connection open. However, that is the prerogative of the server.

Arun.
"If you torture data long enough, it will admit anything you want.."

This message is for the named person(s) use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. SPEEDERA NETWORKS, INC. reserves the right to monitor all e-mail communications through its network.
Re: using ssl in http protocol
-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, August 24, 2000 6:50 PM
Subject: re: using ssl in http protocol

> A question about persistent mode in HTTP: in keep-alive mode, on the server side, how can I recognize that a persistent connection is shut down, and free the preserved resources of it? From the appearance of the HTTP request and response, there seem to be no obvious steps to tell the server that a persistent connection will be terminated. And on the client side, I also can't find any configuration about whether to choose keep-alive mode. Then how does the browser know if I want a persistent mode?
>
> Another question is: now, which web servers and browsers support persistent mode? I wish there were some open source products I could refer to.
>
> So many questions, thanks in advance.

You need to get familiar with the basics of HTTP. RFC 2068 is the ultimate authority in this regard. What happens is that the client submits a request, say:

    GET /index.html HTTP/1.0

This will cause the server to terminate the connection after the request has been satisfied. If the client says:

    GET /index.html HTTP/1.0
    Connection: Keep-Alive

this indicates to the server that the connection needs to be kept alive. It may then respond with a header that says it accepted the request. This header is something like this:

    HTTP/1.1 200 OK
    Connection: Keep-Alive

This indicates that the server has agreed to keep the connection alive. However, the connection may be disconnected after a certain period of time (a "timeout"). Note that a read/write on a closed connection will result in an error message that indicates the connection has been closed.

HTH,
Arun.
"If you torture data long enough, it will admit anything you want.."
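The persistence rules Arun lays out above (HTTP/1.0 closes unless the client sends Connection: Keep-Alive; HTTP/1.1 stays open unless a side sends Connection: close) are easy to get wrong on the server side, and this is also where a server learns when it may free a connection's resources. The following is an added example, not code from any of the list posts: a small request-head parser and keep-alive decision routine, driven over a constructed stream of back-to-back requests the way a server reads a persistent connection. It assumes the server only handles GET requests without bodies, which keeps the parser short; the `serve_stream`, `keep_alive` and `build_response` names are mine.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/1\.[01])$")


def parse_head(head):
    """Split one request head (request line plus headers, no body) into
    (method, target, version, headers). Header names are lower-cased and
    duplicate headers are folded into one comma-separated value."""
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = match.groups()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower()
        value = value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return method, target, version, headers


def connection_tokens(headers):
    """'Connection' carries a comma-separated token list, compared case-insensitively."""
    raw = headers.get("connection", "")
    return {tok.strip().lower() for tok in raw.split(",") if tok.strip()}


def keep_alive(version, headers):
    """True when the server should keep the TCP (and hence TLS) connection
    open after answering this request. HTTP/1.0 defaults to close and needs
    an explicit keep-alive; HTTP/1.1 defaults to persistent."""
    tokens = connection_tokens(headers)
    if version == "HTTP/1.1":
        return "close" not in tokens
    return "keep-alive" in tokens


def build_response(keep, body):
    """Minimal 200 response. Content-Length is mandatory on a persistent
    connection: without a delimited body the client cannot tell where one
    response ends and the next begins."""
    head = ["HTTP/1.1 200 OK", "Content-Length: %d" % len(body)]
    head.append("Connection: Keep-Alive" if keep else "Connection: close")
    return "\r\n".join(head) + "\r\n\r\n" + body


def serve_stream(raw):
    """Process a stream holding one or more back-to-back GET requests, as read
    from a persistent connection. Returns a list of (target, kept_open)
    decisions and stops after the first response that closes the connection,
    i.e. the point at which the server would free the connection's resources.
    An incomplete trailing head is left for the next read (or the idle timeout)."""
    decisions = []
    buf = raw
    while buf:
        head, sep, buf = buf.partition("\r\n\r\n")
        if not sep:
            break
        _method, target, version, headers = parse_head(head)
        keep = keep_alive(version, headers)
        build_response(keep, "<html>%s</html>" % target)  # would be written to the socket
        decisions.append((target, keep))
        if not keep:
            break
    return decisions


if __name__ == "__main__":
    # Constructed sample: a 1.0 client asks for keep-alive, then sends a plain 1.0 request.
    sample = ("GET /a HTTP/1.0\r\nConnection: Keep-Alive\r\n\r\n"
              "GET /b HTTP/1.0\r\n\r\n")
    print(serve_stream(sample))
```

The pattern a server would pair this with is an idle timer per connection: a kept-open connection that carries no further request before the timer fires is closed and its resources released, which is the "timeout" Arun mentions.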
Re: Is there a way to get SSL_Connect to timeout?
-----Original Message-----
From: Walsh, Dan [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: Saturday, July 29, 2000 7:16 AM
Subject: Is there a way to get SSL_Connect to timeout?

> I am writing a program that connects to one hundred different machines. A couple of these machines had network problems where they allowed the programs to connect but then never exchanged any data.

Please understand that SSL relies on the underlying networking API (aka "socket" library) to achieve communication over the network. Therefore, it is here that you need to tweak things.

> The problem is that when I call SSL_Connect on these connections, the connection seems to hang forever. (Or at least a longer time than I am willing to wait.) Is there any way to tell SSL_Connect to timeout?

I suspect you are using blocking sockets (these block the application until the communication is done). One way to achieve a timeout would be to use non-blocking sockets (these do not block the application) and use the select() system call (maybe many invocations) up to some time T before deciding to give up.

Arun.
"The online world is a cool place to visit, but you really don't want to live there."
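Two threads on this page meet at the same loop: the non-blocking SSL_accept question at the top (where the answer is to switch on SSL_get_error()) and the SSL_connect timeout question here (where the answer is non-blocking sockets plus select() up to some time T). The following is an added example, not code from the posts or from the OpenSSL project, written against Python's standard `ssl` module because it wraps the same OpenSSL state machine: `SSLWantReadError` and `SSLWantWriteError` are Python's surfacing of SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE, and a real failure arrives as `SSLError` carrying OpenSSL's error text. The function names (`connect_with_deadline`, `handshake_with_deadline`, `tls_connect`, `drill`) are mine. The `drill` routine is a constructed offline stand-in that uses a socketpair and a fake handshake so the loop can be exercised without a network; the same `handshake_with_deadline` serves a server by passing the `do_handshake` of a socket wrapped with `server_side=True`.

```python
import errno
import os
import select
import socket
import ssl
import time


class HandshakeTimeout(Exception):
    """Connect or handshake did not complete before the caller's deadline."""


def connect_with_deadline(host, port, deadline_s):
    """Non-blocking TCP connect bounded by select(). The outcome of a pending
    connect is read back with SO_ERROR: a socket that becomes writable may
    have failed rather than succeeded."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    rc = sock.connect_ex((host, port))
    if rc not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
        sock.close()
        raise OSError(rc, os.strerror(rc))
    _, writable, _ = select.select([], [sock], [], deadline_s)
    if not writable:
        sock.close()
        raise HandshakeTimeout("TCP connect to %s:%d timed out" % (host, port))
    err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
    if err:
        sock.close()
        raise OSError(err, os.strerror(err))
    return sock


def handshake_with_deadline(sock, do_handshake, deadline_s):
    """Drive a non-blocking handshake to completion or deadline, waiting only
    for the direction OpenSSL asked for (WANT_READ -> readable, WANT_WRITE ->
    writable). A real failure (ssl.SSLError) propagates to the caller.
    Returns how many times do_handshake() was called."""
    deadline = time.monotonic() + deadline_s
    calls = 0
    while True:
        calls += 1
        try:
            do_handshake()
            return calls
        except ssl.SSLWantReadError:
            rlist, wlist = [sock], []
        except ssl.SSLWantWriteError:
            rlist, wlist = [], [sock]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise HandshakeTimeout("handshake stalled: peer never sent data")
        readable, writable, _ = select.select(rlist, wlist, [], remaining)
        if not readable and not writable:
            raise HandshakeTimeout("handshake stalled: peer never sent data")


def tls_connect(host, port, deadline_s, context=None):
    """Client path with one overall budget: bounded TCP connect, then the
    TLS handshake with whatever time is left."""
    context = context or ssl.create_default_context()
    start = time.monotonic()
    raw = connect_with_deadline(host, port, deadline_s)
    tls = context.wrap_socket(raw, server_hostname=host,
                              do_handshake_on_connect=False)
    left = deadline_s - (time.monotonic() - start)
    handshake_with_deadline(tls, tls.do_handshake, max(left, 0.0))
    return tls


def drill(want_read_rounds, peer_answers, deadline_s=0.5):
    """Constructed offline drill (no TLS, no network): a socketpair stands in
    for the link and a fake handshake raises SSLWantReadError the given
    number of times. With peer_answers=True the far end writes a byte each
    round so select() wakes the loop; with False it stays silent, which is
    the "connected but never exchanged any data" case from this thread.
    Returns the number of handshake calls, or -1 on HandshakeTimeout."""
    ours, peer = socket.socketpair()
    ours.setblocking(False)
    pending = [want_read_rounds]

    def fake_handshake():
        try:
            ours.recv(64)  # consume whatever the peer sent last round
        except BlockingIOError:
            pass
        if pending[0] > 0:
            pending[0] -= 1
            if peer_answers:
                peer.send(b"\x16")  # one byte of "handshake" data
            raise ssl.SSLWantReadError()

    try:
        return handshake_with_deadline(ours, fake_handshake, deadline_s)
    except HandshakeTimeout:
        return -1
    finally:
        ours.close()
        peer.close()


if __name__ == "__main__":
    print(drill(2, True), drill(1, False, 0.05))
```

The point of tracking one deadline across both stages is that a peer which completes the TCP handshake and then goes silent (the case described in the question) is caught by the second stage, not just the first; the loop never spins, because each WANT_* result is followed by a select() on exactly the readiness OpenSSL asked for.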
Re: Is it possible to send Binary Data using SSL_write( )
-----Original Message-----
From: Radhakrishna [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Saturday, July 29, 2000 2:44 PM
Subject: Is it possible to send Binary Data using SSL_write( )

> Is it possible to send binary data using SSL_write() from one peer to another peer?

Yes, of course!! Don't you think all browsers do this when displaying https images?

Arun.
"The online world is a cool place to visit, but you really don't want to live there."
Re: install issues
You need the "ar" utility for your platform. If you already have it, make sure it is in your path, or get one for your platform.

Arun.
"The online world is a cool place to visit, but you really don't want to live there."

-----Original Message-----
From: Console, James (CSSI) [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: Wednesday, July 26, 2000 9:16 AM
Subject: install issues

> I am trying to install openSSL, and upon 'make' I get an error 127 as follows...
>
>     make[1]: ar: Command not found
>     make[1]: *** [lib] Error 127
>     make: *** [all] Error 1
>
> ./config seemed to work. Included is a text file of the entire incident. If anyone could help me get this package installed properly, I would appreciate it immensely...
>
> make.txt
>
> Jim Console
> Web Infrastructure Integration
> [EMAIL PROTECTED]
> 817.280.6041
Re: (no subject)
I believe that for SSL_connect() a return value of 0 also indicates an error. In such a case, you should delve deeper and figure out the exact text message of the error (as Lutz suggested). You may see what you have been looking for.

Arun.
"The online world is a cool place to visit, but you really don't want to live there."

-----Original Message-----
From: Paul Faccenda [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, July 18, 2000 12:18 PM
Subject: (no subject)

> Yes, I did do SSL_set_fd() and SSL_connect(). Here is the revised sequence.
>
>     {
>         SSL *ssl = NULL;
>         int ssl_sock;
>         int status;
>         const char *cipher;
>
>         ssl_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
>         connect(ssl_sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
>         ssl = (SSL *)SSL_new(ssl_ctx);     // ssl_ctx is global
>         status = SSL_set_fd(ssl, ssl_sock);
>         SSL_set_connect_state(ssl);
>         status = SSL_connect(ssl);         // returns 0
>         cipher = SSL_get_cipher(ssl);
>     }
>
> The connect works, but the cipher returned after the handshake is "(NONE)", and I can't write on the secure socket. When I put the same code into a standalone C program, it works fine.
Re: (no subject)
That means nothing more to me than it does to you :) Try ERR_error_string(ERR_get_error(), NULL) instead.

Arun.
"The online world is a cool place to visit, but you really don't want to live there."

-----Original Message-----
From: Paul Faccenda [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Tuesday, July 18, 2000 2:40 PM
Subject: (no subject)

> SSL_connect is returning 0 - the error code is 2, "system lib"
>
> > I believe that for SSL_connect() a return value of 0 also indicates an error. In such a case, you should delve deeper and figure out the exact text message of the error (as Lutz suggested). You may see what you have been looking for.
> >
> > Arun.
> > "The online world is a cool place to visit, but you really don't want to live there."
> >
> > -----Original Message-----
> > From: Paul Faccenda [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED] [EMAIL PROTECTED]
> > Date: Tuesday, July 18, 2000 12:18 PM
> > Subject: (no subject)
> >
> > > Yes, I did do SSL_set_fd() and SSL_connect(). Here is the revised sequence.
> > >
> > >     {
> > >         SSL *ssl = NULL;
> > >         int ssl_sock;
> > >         int status;
> > >         const char *cipher;
> > >
> > >         ssl_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
> > >         connect(ssl_sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
> > >         ssl = (SSL *)SSL_new(ssl_ctx);     // ssl_ctx is global
> > >         status = SSL_set_fd(ssl, ssl_sock);
> > >         SSL_set_connect_state(ssl);
> > >         status = SSL_connect(ssl);         // returns 0
> > >         cipher = SSL_get_cipher(ssl);
> > >     }
> > >
> > > The connect works, but the cipher returned after the handshake is "(NONE)", and I can't write on the secure socket. When I put the same code into a standalone C program, it works fine.
>
> The AIMS Group
Re: OpenSSL 0.9.5a make test Failed! bc: 1 is unimplemented
Looks to me like your "bc" program is the culprit here. Check your bc version, try to get the latest for your platform and see if the same problem recurs.

HTH.
Arun.
"The online world is a cool place to visit, but you really don't want to live there."

-----Original Message-----
From: Glen [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, July 17, 2000 4:45 PM
Subject: OpenSSL 0.9.5a "make test" Failed! bc: 1 is unimplemented

> Good afternoon!
>
> As requested in the INSTALL file, I am submitting the following "make report" output. A recent attempt to compile OpenSSL 0.9.5a under SCO OpenServer 5.0.5 using the built-in cc had a successful compile, but a failed test. I am including the output of the make report testlog below. The test also failed, in exactly the same place, using gcc version 2.95.2 19991024 (release). If any workarounds are available, I'd be grateful to hear about them!
>
> Thanks!
> Glen
> [EMAIL PROTECTED]
>
>     OpenSSL self-test report:
>
>     OpenSSL version:  0.9.5a
>     Last change:      Make sure _lrotl and _lrotr are only used with MSVC
>     Options:          --prefix=/u/glen/local
>     OS (uname):       SCO_SV inspiron 3.2 5.0.5 i386
>     OS (config):      whatever-whatever-sco5
>     Target (default): sco5-gcc
>     Target:           sco5-cc
>     Compiler:         Usage: cc [ options ] files ...
>
>     Failure!
>
>     ---------------------------------------------------------------
>     making all in crypto...
>     making all in crypto/md2...
>     making all in crypto/md5...
>     making all in crypto/sha...
>     making all in crypto/mdc2...
>     making all in crypto/hmac...
>     making all in crypto/ripemd...
>     making all in crypto/des...
>     making all in crypto/rc2...
>     making all in crypto/rc4...
>     making all in crypto/rc5...
>     making all in crypto/idea...
>     making all in crypto/bf...
>     making all in crypto/cast...
>     making all in crypto/bn...
>     making all in crypto/rsa...
>     making all in crypto/dsa...
>     making all in crypto/dh...
>     making all in crypto/buffer...
>     making all in crypto/bio...
>     making all in crypto/stack...
>     making all in crypto/lhash...
>     making all in crypto/rand...
>     making all in crypto/err...
>     making all in crypto/objects...
>     making all in crypto/evp...
>     making all in crypto/asn1...
>     making all in crypto/pem...
>     making all in crypto/x509...
>     making all in crypto/x509v3...
>     making all in crypto/conf...
>     making all in crypto/txt_db...
>     making all in crypto/pkcs7...
>     making all in crypto/pkcs12...
>     making all in crypto/comp...
>     making all in ssl...
>     making all in rsaref...
>     making all in apps...
>     making all in test...
>     making all in tools...
>     ---------------------------------------------------------------
>     testing...
>     ./destest
>     Doing cbcm
>     Doing ecb
>     Doing ede ecb
>     Doing cbc
>     Doing desx cbc
>     Doing ede cbc
>     Doing pcbc
>     Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
>     Doing ofb
>     Doing ofb64
>     Doing ede_ofb64
>     Doing cbc_cksum
>     Doing quad_cksum
>     input word alignment test 0 1 2 3
>     output word alignment test 0 1 2 3
>     fast crypt test
>     ./ideatest
>     ecb idea ok
>     cbc idea ok
>     cfb64 idea ok
>     ./shatest
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     ./sha1test
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     ./md5test
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     test 4 ok
>     test 5 ok
>     test 6 ok
>     test 7 ok
>     ./hmactest
>     test 0 ok
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     ./md2test
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     test 4 ok
>     test 5 ok
>     test 6 ok
>     test 7 ok
>     ./mdc2test
>     pad1 - ok
>     pad2 - ok
>     ./rmdtest
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     test 4 ok
>     test 5 ok
>     test 6 ok
>     test 7 ok
>     test 8 ok
>     ./rc2test
>     ecb RC2 ok
>     ./rc4test
>     test 0 ok
>     test 1 ok
>     test 2 ok
>     test 3 ok
>     test 4 ok
>     test 5 ok
>     test end processing done
>     test multi-call done
>     ./rc5test
>     ecb RC5 ok
>     cbc RC5 ok
>     ./bftest
>     testing blowfish in raw ecb mode
>     testing blowfish in ecb mode
>     testing blowfish set_key
>     testing blowfish in cbc mode
>     testing blowfish in cfb64 mode
>     testing blowfish in ofb64
>     ./casttest
>     ecb cast5 ok
>     This test will take some time123456789ABCDEF ok
>     ./randtest
>     test 1 done
>     test 2 done
>     test 3 done
>     test 4 done
>     starting big number library test, could take a while...
>     test BN_add
>     test BN_sub
>     test BN_lshift1
>     test BN_lshift (fixed)
>     test BN_lshift
>     test BN_rshift1
>     test BN_rshift
>     test BN_sqr
>     test BN_mul
>     test BN_div
>     test BN_div_recp
>     test BN_mod
>     test BN_mod_mul
>     test BN_mont
>     test BN_mod_exp
>     test BN_exp
>     running bc ...
Re: Error in handshake: Get client hello B
We have a similar application where we reuse a pool of SSL connections. The only difference between our approach and yours is the following piece of code, which we execute before reusing an already used SSL structure:

    SSL_set_session(ssl, NULL);

Can you try this and see if the problem recurs? We might be turning off session caching with the above line (my understanding of openssl session caching is somewhat hazy). But it's worth a try anyway.

Arun.

-----Original Message-----
From: Amit Chopra [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, June 29, 2000 10:35 PM
Subject: Error in handshake: Get client hello B

> Hi,
>
> Some time back I had posted a mail on the same subject, but had got no response. Now that I am tuning my application for performance this issue has come up again.
>
> When my app comes up I create a pool of SSL structures (using SSL_new) that I intend to reuse for the connections as follows:
>
>     SSL_clear(ssl);
>     SSL_set_accept_state(ssl);
>     SSL_set_fd(ssl, client);
>
> I do this before accepting every client connection. The problem appears when I follow the steps below:
>
> 1. Open browser and establish connection with my app. I can browse other links over SSL as well. (fine)
> 2. Close browser.
> 3. Open browser again and establish connection with my app. My app fails saying "Error in get client hello B".
>
> This also happens when I cancel the certificate message that the browsers show. The problem happens with both IE (5) and Netscape (4.7). Using 0.9.4, SSL_read used to return with SSL_ERROR_WANT_READ. Using 0.9.5a, SSL_read returns ERROR_SSL (Navigator 4.7).
>
> I have also written an OpenSSL-based Linux test client that simply fires hundreds of concurrent connections. It works fine with that. The problem disappears when I do a SSL_new for every connection.
>
> What might I be doing wrong here? I believe that the SSL state machine is not getting reset properly. What can I do to fix this? I wish to avoid allocating memory at run time and I believe doing a SSL_new does allocate memory for a host of structures.
>
> I apologise for the repost, but I'm quite literally stuck.
>
> Thanks,
> Amit.
Re: certificate verify fails
In the future, please do not post such user problems to the developer mailing list. (Should this be a FAQ? :)

I am hazarding a guess here. It seems to me that you are trying to use the sample cert supplied with the demo. Note that this is just a dummy certificate and not signed by a "real" CA. Is that why your client-side verification process is failing? If you have a "real" certificate around, try to use that and see if this recurs.

Arun.

-----Original Message-----
From: Du Xiaojiang [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, June 30, 2000 9:52 AM
Subject: certificate verify fails

> Dear Sir:
>
> I used
>
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
>
> in my code, and it makes the SSL handshake unsuccessful. The following message appears:
>
>     depth=0 error=20 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (1024 bit)
>
> If I use
>
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
>
> the handshake is ok, but the above message also appears. I used apps/server.pem and apps/client.pem (in openssl) as the cert files and key files. Could you tell me what's wrong? Thank you very much.
>
> Sincerely,
> Xiaojiang Du
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
Re: How do I install a Verisign Cert.
If you are using Apache, it's very simple to install the cert. Just put it in the directory pointed to by the appropriate setting in your httpsd.conf file.

Arun.

-----Original Message-----
From: Murthy, Ashok P. [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: Monday, June 19, 2000 9:31 AM
Subject: How do I install a Verisign Cert.

> I received a Verisign Secure Server ID for Apache_1.3.12 with openssl-0.9.5a. Their install talks about a "getca" or "getverisign" utility that does not seem to be present under the "openssl" tree.
>
> Pl. help -- thx,
> ([EMAIL PROTECTED])
Re: FTP SSL
This is an old gripe :( People don't seem to have attempted seriously to use SSL over something other than HTTP. Try ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps for an SSL-ftp client and server on Unix. These may be outdated though. I haven't come across an implementation on Windoze.

Arun.

-----Original Message-----
From: Emili Sanroma - RI [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, June 15, 2000 11:29 PM
Subject: FTP SSL

> I'm interested in offering a secure FTP connection to our user accounts on our file server. Is there any ssl-ftpd (unix; linux, solaris) or ssl-ftp client (win3.xx)?? Where?
>
> Thanks a lot,
> Emili
Re: FTP SSL
-----Original Message-----
From: Michael Sierchio [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Friday, June 16, 2000 10:14 AM
Subject: Re: FTP SSL

> Arun Venkataraman wrote:
>
> > This is an old gripe :( People don't seem to have attempted seriously to use SSL over something other than HTTP.
>
> Huh-wah? You have it backwards (HTTP over SSL).

Oops! You are right.

> And there are plenty of examples of LDAP, POP, SMTP and other protocols over SSL. FTP is inherently problematic (except if restricted to passive mode) because of the way connections are made -- SSL, itself running atop TCP, isn't really suitable for this. IPSec, SKIP, and other attempts to secure information at the packet level, are probably much better.

I wasn't aware of these technical difficulties. When I went over to ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps it seemed like people had successfully patched wu-ftpd, an ftp client and a telnet client to work with SSL. However, all the patches etc. seemed out of date and meant for SSLeay. This made me wonder if it was simply a problem of updating those patches for openssl.

Arun.
Re: how to free up stuff allocated by SSLeay_add_ssl_algorithms() - openSSL
I would like to know also. I have seen a SSL_library_cleanup() in the BSafe API, but nothing comparable in OpenSSL.

Arun.

-----Original Message-----
From: Arora Meenakshi [EMAIL PROTECTED]
To: Openssl-Users (E-mail) [EMAIL PROTECTED]
Cc: 'WINSOCK-2 (E-mail) [EMAIL PROTECTED]
Date: Friday, June 16, 2000 4:13 PM
Subject: how to free up stuff allocated by SSLeay_add_ssl_algorithms() - openSSL

> hello
>
> The SSLeay_add_ssl_algorithms(.) function sets up the global SSL stuff. Which function should I use to free up the stuff allocated by SSLeay_add_ssl_algorithms()??
>
> thanx
> Meenakshi Arora
Re: Make Error
Looks like your Linux installation needs some tuning. I have a symlink in my /usr/include/ directory which points to /usr/src/linux/include/linux/, which contains an errno.h. The make seems to be looking for this file and not finding it on your system. Perhaps you can check to see if an errno.h exists in /usr/src/linux/include/linux/ and then put in a symlink yourself.

Arun.

-----Original Message-----
From: ben [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, June 15, 2000 8:36 AM
Subject: Make Error

> Can someone help? I have tried to make openSSL v0.9.5a but I get the following error. Any ideas welcome. I'm using a Cyrix running Red Hat 6.2. Thanks.
>
>     making all in crypto...
>     make[1]: Entering directory `/home/users/java/openssl-0.9.5a/crypto'
>     gcc -I. -I../include -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -c cryptlib.c -o cryptlib.o
>     In file included from /usr/include/errno.h:36,
>                      from ../include/openssl/err.h:82,
>                      from cryptlib.h:74,
>                      from cryptlib.c:61:
>     /usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
>     make[1]: *** [cryptlib.o] Error 1
>     make[1]: Leaving directory `/home/users/java/openssl-0.9.5a/crypto'
>     make: *** [all] Error 1
Re: FW: multithreaded crypto functions
Electric Fence is one, though I haven't used it myself. I am not sure if it is as good/better/worse than purify. Arun. -Original Message- From: Richard Dykiel [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: Thursday, June 15, 2000 12:45 PM Subject: RE: FW: multithreaded crypto functions Steve, thanks. I'd be interested if someone knows any tool capable of detecting memory leaks on Linux that I could use on an Openssl app; apparently Purify doesn't have a Linux version. Some precisions below: My application calls directly the following functions in OpenSSL: * EVP_CipherInit/Update/Final, etc.. * PEM_read_PrivateKey, PEM_read_X509, etc... In a multithreaded context, do these calls need to be encapsulated by calls to CRYPTO_lock? I happen to have transient failures: * EVP_DecryptFinal: Bad Decrypt * PEM_do_header: Bad Decrypt What do you mean by "in a multithreaded context"? Multithreaded app, each thread calling the openssl functions I mention above. If each thread has its own EVP_CIPHER_CTX structure there are no known issues which could cause problems, that doesn't mean there aren't any though! In the function I wrote and I'm suspecting, the EVP_CIPHER_CTX structure is allocated on the stack. If however you are sharing an EVP_CIPHER_CTX between threads then that may well cause problems, but such a thing isn't likely to be thread safe unless you carefully synchronise operations. Not the case. Hmmm PEM_do_header Nothing obvious in there, unless you are using the old (broken) technique of passing pass phrases via global variables instead of the extra parameter. I'm reading a private key file as follows: if ((pkey = PEM_read_PrivateKey(fpk, NULL, sx_P7PasswordCb, NULL)) == NULL) rc=LMSECPRIVLOAD; break; } sx_P7PasswordCb doesn't use static variables, but uses the EVP_Cipher.. to decrypt a passphrase stored in a file. 
Re: SSL_free
If you are talking about reusing SSL structures, you can do SSL_clear(sslp) and SSL_set_session(sslp, NULL) to try and reuse the old session. This way, you need not free(). It worked for me. Same holds for SSL_accept. The only caveat is that you need to use the same method (SSLv23, SSLv3 etc.) as before.

Arun.

-Original Message-
From: Levy itai [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: Tuesday, June 13, 2000 7:45 AM
Subject: SSL_free

Hi to all,

Do I have to use the SSL_free (SSL *s) routine after every call to SSL_new (SSL *s), which allocates memory for the SSL structure upon every connection? If I use the SSL_free routine it seems to free the session context and I can't do reuse in the next connection. I tried to use s->method->ssl_free(SSL *s) but it seems that there are memory leaks (it doesn't free all the mallocs). Which routine should I use in order to clean up after every SSL connection, and also if SSL_accept fails? Please help since this is a very important issue.

Itai Levy, Algorithmic Research.
Session Cache
Hello,

I am developing a server side SSL application. I know that you can minimise renegotiation of SSL connections by using a session cache, which basically stores info about previously negotiated connections. I also know that the session-cache timeout is a configurable value.

* By default, how many sessions are cached? Is this number configurable?
* What is the approximate memory overhead per session entry in the cache?
* And, how does one identify an incoming handshake request with one already in the cache? Is it identified by an ip-port combination of some sort?

Thanks very much, in advance.

Arun.

"The online world is a cool place to visit, but you really don't want to live there."

This message is for the named person(s) use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. SPEEDERA NETWORKS, INC. reserves the right to monitor all e-mail communications through its network.
Re: Error (Apache+SSL)
> I have the following error:
> [Thu May 25 15:10:26 2000] [crit] unable to set private key
> [Thu May 25 15:10:26 2000] [crit] error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
> [Thu May 25 15:10:26 2000] [error] ApacheSSLSetCertStuff failed

Most likely, the key you used to create the server certificate request (CSR) and the server key pointed to by the appropriate Apache directive are not the same. You should check out the apache-ssl mailing list archives (www.apache-ssl.org)... I am sure you will find that helpful.

Arun.
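The mismatch Arun describes can be confirmed before touching the Apache configuration: the public key inside the certificate must be identical to the public key derived from the private key, which is exactly what X509_check_private_key verifies at startup. The shell function below is an added example, not code from the thread or from Apache-SSL; it assumes only that the openssl command-line tool is installed. The function and helper names (cert_matches_key, make_pair, demo) are my own, and the two self-signed key pairs are constructed on the fly purely as test material. It compares the PEM SubjectPublicKeyInfo of both files, so it works for non-RSA keys too, where the older modulus-comparison trick would not.

```shell
#!/bin/sh
# Added example: verify that a PEM private key belongs to a PEM certificate by
# comparing the public key embedded in each. Assumes the openssl CLI is present.
# Exit status: 0 = match, 1 = mismatch (the X509_check_private_key
# "key values mismatch" case from the Apache log), 2 = could not read a file.
cert_matches_key() {
    cert="$1"
    key="$2"
    # Public key as stored in the certificate
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public key recomputed from the private key
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material: a self-signed certificate plus its own key,
# written as <prefix>.cert.pem / <prefix>.key.pem in the current directory.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-$1" \
        -keyout "$1.key.pem" -out "$1.cert.pem" >/dev/null 2>&1
}

# Walk through the two cases a server operator meets: the right key and a
# stale key left over from an earlier CSR.
demo() {
    workdir=$(mktemp -d) || return 2
    ( cd "$workdir" && make_pair a && make_pair b ) || return 2
    if cert_matches_key "$workdir/a.cert.pem" "$workdir/a.key.pem"; then
        echo "a.cert.pem / a.key.pem: match"
    else
        echo "a.cert.pem / a.key.pem: MISMATCH"
    fi
    # Wrong pairing reproduces the "key values mismatch" condition
    if cert_matches_key "$workdir/a.cert.pem" "$workdir/b.key.pem"; then
        echo "a.cert.pem / b.key.pem: match"
    else
        echo "a.cert.pem / b.key.pem: MISMATCH"
    fi
    rm -rf "$workdir"
}

demo
```

In practice you would point cert_matches_key at the files named by the server's certificate and key directives; a status of 1 means the CSR was generated from a different key than the one the server is loading, and a status of 2 usually means a path or permission problem rather than a key problem.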
Re: Cryptoswift 100 ?
> Does 0.9.5 support the Cryptoswift line of SSL accelerators? Is anyone using one under Solaris 2.6?

AFAIK, it is up to Rainbow Technologies to provide a patch for OpenSSL 0.95. I believe a patch for 0.94 is available but I am not sure about 0.95.

Arun.
Certificate Management
We do SSL webhosting distributed over multiple webservers. Each customer we host gets a domain called customer.speedera.com, so to avoid browser warnings, we need a new certificate per customer distributed out to all the SSL webservers. Is it possible to get a *.speedera.com certificate so we can avoid this? I realise one of the solutions is to get a CA license, but that still doesn't work around the problem of distributing the same certificate to multiple webservers.

Arun.
Re: CSR Help
I think there is an option ("-new", is it?) which causes the CSR generating utility to read the responses from the screen. So, you input all the values instead of the utility looking in sslc.cnf... I haven't tried this on NT though.

Arun.

-Original Message-
From: John Tan [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, May 11, 2000 6:56 PM
Subject: CSR Help

Hi,

I have installed the OpenSA v 0.2.0 package on NT. OpenSSL is part of this package and I am trying to generate a CSR. I was able to use openssl to generate a key file but when I try to generate a CSR file, openssl is looking for /usr/local/ssl/openssl.cnf. The utility is looking in a Unix directory instead of NT and I can't seem to find openssl.cnf. Any ideas?

Thanks
John Tan
Alexa Internet
[EMAIL PROTECTED]
415-561-6940
Re: Compilation Problems
You need to include the libraries in your compilation. Something like: gcc -lcrypto -lssl -ocli cli.cpp.

Arun.

-Original Message-
From: Tewari, Vijay [EMAIL PROTECTED]
To: 'Open-SSL' [EMAIL PROTECTED]
Date: Wednesday, May 10, 2000 9:15 AM
Subject: Compilation Problems

Hi,

I am a newbie at using OpenSSL and am having some problems compiling the code in the demos directory of the code. When I try to compile the code I get a host of undefined references. (Linux RH 6.1, OpenSSL 0.9.5a) The libcrypto.a and libssl.a files are in the /lib directory. I have copied the /usr/local/ssl/include/openssl dir to the /usr/include dir. I am compiling cli.cpp as gcc -o cli cli.cpp. Help would be appreciated.