openssl 0.9.8 for wince

2006-02-10 Thread Cesc
Hi,

It may sound strange ... but could someone do either:
- send me the compiled static (.dll.a) and shared (.dll) of libeay32
and ssleay32, for a wince machine?
- or tell me how to cross-compile for wince from a linux debian
machine (I have the pocketpc tools).

Tks in advance!

Cesc
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: OpenSSL for Mingw

2006-02-10 Thread Cesc
Hi,

Yesterday I managed to compile openssl-0.9.8a, provided a patch
(credit to Mikael Magnusson). I attach the patch.
Cross-compilation from a debian etch (testing), using mingw32.
As for the configure line:

./Configure --prefix=$CROSS_COMPILE_FOLDER threads shared mingwx

I don't know exactly the story of the patch, nor have I tried
building any other version of openssl with mingw than 0.9.8a. But if
it is possible, I think this patch may be good to be merged into the
code.

Regards,

Cesc

On 2/9/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Thu, Feb 09, 2006, Kiefer, Sascha wrote:
>
> > Looked better (now ./config copied the .h files and so on) but still
> > errors:
> >
> > $ make
> > making all in crypto...
> > make[1]: Entering directory `/d/Eigene
> > Dateien/Downloads/openssl-0.9.8a/crypto'
> > ( echo "#ifndef MK1MF_BUILD"; \
> > echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
> > echo '  #define CFLAGS "gcc -DOPENSSL_THREADS  -DDSO_WIN32 -mno-cygwin
> > -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333
> > -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM
> > -DRMD160_ASM -DAES_ASM"'; \
> > echo '  #define PLATFORM "mingw"'; \
> > echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
> > echo '#endif' ) >buildinf.h
> > make[1]: *** No rule to make target `../include/openssl/crypto.h', needed by
> > `cryptlib.o'.  Stop.
> > make[1]: Leaving directory `/d/Eigene
> > Dateien/Downloads/openssl-0.9.8a/crypto'
> > make: *** [build_crypto] Error 1
> >
> > Why is it '../include/openssl/crypto.h' . It should be './include/',
> > right ?
> >
>
> Try tomorrow's snapshot. That worked fine for me from MSYS with that one
> changed to Configure.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>
diff -ur openssl-0.9.8a.orig/Configure openssl-0.9.8a/Configure
--- openssl-0.9.8a.orig/Configure   2005-08-02 12:59:42.0 +0200
+++ openssl-0.9.8a/Configure2005-12-04 20:40:04.0 +0100
@@ -469,6 +469,7 @@
 
 # MinGW
 "mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 
-Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL 
-DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a",
+"mingwx", "i586-mingw32msvc-cc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 
-march=i486 -Wall -D_WIN32_WINNT=0x333 -DOPENSSL_NO_HW:::MINGW32:-lwsock32 
-lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} 
EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:mingw-shared:-D_WINDLL:-mno-cygwin 
-shared:.dll:i586-mingw32msvc-ranlib",
 
 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} 
${x86_gcc_opts}:${no_asm}:win32",
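Review bot: the new "mingwx" entry hard-codes the toolchain triplet in two places (i586-mingw32msvc-cc as the compiler and i586-mingw32msvc-ranlib as the last field), so the target only works where those exact Debian tool names are on PATH; taking the prefix from the environment or a Configure argument would let other cross toolchains reuse the entry. It also adds -DOPENSSL_NO_HW and drops -DOPENSSL_USE_APPLINK relative to "mingw" with no comment; a line next to "# MinGW" should record why, since the first compiles hardware engine support out of the resulting DLLs.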
@@ -909,7 +910,7 @@
 
 $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin");
 
-$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq 
"mingw");
+$exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq 
"mingw" || $target eq "mingwx");
 $exe_ext=".pm"  if ($target =~ /vos/);
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
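Review bot: the $exe_ext condition now names "mingw" and "mingwx" as separate string comparisons, while the $IsMK1MF line just above it still tests only "mingw", so every later MinGW-specific branch has to remember the second name. For the $exe_ext test, matching the family once (for example $target =~ /^mingw/) and adding a comment on why mingwx must not set $IsMK1MF would keep the two targets from drifting apart.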
@@ -1562,7 +1563,7 @@
 }
 
 # create the ms/version32.rc file if needed
-if ($IsMK1MF) {
+if($IsMK1MF || $target eq "mingwx") {
my ($v1, $v2, $v3, $v4);
if ($version_num =~ 
/(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) {
$v1=hex $1;
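Review bot: the condition if($IsMK1MF || $target eq "mingwx") is another hard-coded "mingwx" comparison; a single flag set once where the target is resolved (say $IsMingwCross, a hypothetical name) would make it easier to audit which MK1MF-only steps the cross target opts into. Style: the replaced line had a space after "if", the new one does not.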
@@ -1623,6 +1624,11 @@
close(OUT);
   }
   
+# ugly hack to disable engines
+if($target eq "mingwx") {
+   system("sed -e s/^LIB/XLIB/g -i engines/Makefile");
+}
+  
 print < /dev/null && WLIB="libeay" ; \
+   expr $(LIBNAME) : 'crypto' > /dev/null && WLIB32="libeay32" ; \
+   perl util/mkdef.pl 32 $$WLIB > ms/$$WLIB32.def &&  \
+   i586-mi
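Review bot: the system("sed -e s/^LIB/XLIB/g -i engines/Makefile") call rewrites a source-tree file in place and ignores the exit status, so a missing sed, or one without the -i extension, leaves engines enabled with no diagnostic, and a tree configured once for mingwx keeps the edited engines/Makefile when it is later configured for another target. Check the return value and die on failure, or better, have Configure write a variable into the generated Makefile that the engines build is gated on, rather than renaming every line that starts with LIB.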

Re: A Few General OpenSSL Questions...

2005-11-30 Thread Cesc
On 11/30/05, Usman Riaz <[EMAIL PROTECTED]> wrote:
> b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for
> client to connect. When the client connects (client is a FireFox browser,
> with SSLv2,3 & TLSv1 enabled), on the server side when I try to read from
> the bio (after writing the initial handshake data to the BIO) the read fails
> and BIO_should_retry also fails with the error being incorrect version
> number. Now if I change the SSL method on my server to "SSLv2_method" then I
> don't have any problems and I can connect fine. But since I have enabled all
> available versions on my client (SSLv2,3 TLS v1), the BIO should not return
> an error. Can someone tell what do I need to do to make the server connect
> with SSL v3, or TLS ver 1

Have you tried the SSLv23_method? It starts with a v2 Hello, then it
upgrades to v3 or tlsv1 ...

Regards,

Cesc


Re: Certificate Hierarchy

2005-10-31 Thread Cesc

On 10/31/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 31, 2005, Cesc wrote:
> > But, will this user.p7c be accepted on the setup of the web server (apache)?
> > i tried using it with s_server ... no luck.
>
> For those cases you can include the certificates in the trusted store (e.g.
> concatenate them and use the -CAfile option) or include the intermediate CA in
> the extra certificates option for Apache.
>
> You can use s_client to check they are all sent out when you connect.
 
Ok ... i think the Apache stuff is clear ... you mean something like ... 


 .
SSLCertificateKeyFile user.privatekey.pem
SSLCertificateFile user.pem
SSLCACertificate intermediate.pem

 
 
Now, the thing is that I have some server and client code (a sip server and user agent) that deal with TLS ... I would like them to understand this kind of settings, I mean, a multiple level hierarchy. The current code is pretty much straightforward client or server connection, as in most examples. What extra calls need to be done to reach this goal?

 
Tks!!
 
Cesc
 


Re: Certificate Hierarchy

2005-10-31 Thread Cesc

On 10/31/05, Rajeshwar Singh Jenwar <[EMAIL PROTECTED]> wrote:
> Hi Steve,
> I just want to expand this thread.
> Can u help me ?
> I want to create root CA using openssl(0.9.8) on linux box(kernel 2.6.10). Then I want to create intermediate CAs signed by the root CA using openssl. Can you suggest me how this is possible ??

This is peanuts ;)
You need to create two databases ... the RA and the CA.
The RA has a self-signed cert ...
Then the CA requests to the RA to sign a cert for him ... in the RA.conf file, it must sign the certs with basicConstraints = CA:true
In the CA database, configure the CA.conf to use the ca cert and private key the RA just signed ... Also, the certs signed by the CA should have basicConstraints = CA:false (for end-users). From then on, the RA basically can only emit certs for other CAs ... and these CA can emit certs for end-users ...

I hope this is what you wanted ....

Cesc

> Thanks in advance.
>
> Rajeshwar Singh
>
> On 10/31/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> > On Mon, Oct 31, 2005, Cesc wrote:
> > > For the sake of completion in this thread, this is what I did ...
> > > openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile
> > > root.pem -outform DER -out user.p7c
> > > Actually, the root.pem cert needs not be included ... as long as it is in
> > > the trusted certs repository it all works fine.
> > >
> > > I got this to work in windows (add root.pem as trusted, then double click on
> > > user.p7c and it says trusted).
> >
> > Ah, the PKCS#7 stuff was when you were installing the certificate
> > corresponding to a private key.
> >
> > If you just want a browser to trust anything signed by the root CA you just
> > need to install the root CA as trusted.
> >
> > It is the peer's responsibility to send out intermediate certificates (at
> > least for SSL and normally for S/MIME too).
> >
> > > But, will this user.p7c be accepted on the setup of the web server (apache)?
> > > I tried using it with s_server ... no luck.
> >
> > For those cases you can include the certificates in the trusted store (e.g.
> > concatenate them and use the -CAfile option) or include the intermediate CA in
> > the extra certificates option for Apache.
> >
> > You can use s_client to check they are all sent out when you connect.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> > OpenSSL project core developer and freelance consultant.
> > Funding needed! Details on homepage.
> > Homepage: http://www.drh-consultancy.demon.co.uk



Re: Certificate Hierarchy

2005-10-30 Thread Cesc
It kinda worked ... but I have a few more doubts :) Tks a lot!
See below

On 10/30/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sun, Oct 30, 2005, Cesc wrote:
> > See below ...
> >
> > Used this way, it gives an OK.
>
> So OpenSSL thinks all is fine.
>
> > > If you get an error include the -issuer_checks debugging option.
> >
> > Adding this debug option, I thought it may be interesting to show the
> > output ... here it is:
> > error 29 at 0 depth lookup:subject issuer mismatch
>
> That's normal, the "OK" is the important thing.
>
> > Any way, does all this have to do with the usercert.pem cert not being
> > recognized as valid by browsers? I want to distribute the root.pem cert ...
> > then provide to users the cert chain file (first usercert.pem and second in
> > file, intermediate.pem cert). Is this correct?
>
> Depends on how they are being installed. If it's Mozilla you can use various
> forms. Probably the easiest is PKCS#7 (use crl2pkcs7) with the user cert
> first.

For the sake of completion in this thread, this is what I did ...
openssl crl2pkcs7 -nocrl -certfile user.pem -certfile intermediate.pem -certfile root.pem -outform DER -out user.p7c
Actually, the root.pem cert needs not be included ... as long as it is in the trusted certs repository it all works fine.

I got this to work in windows (add root.pem as trusted, then double click on user.p7c and it says trusted).
But, will this user.p7c be accepted on the setup of the web server (apache)? I tried using it with s_server ... no luck.
I am a little bit puzzled by all the formats and so ... It is very
clear if you just want a 1 level structure (user-certs directly signed
by root authority), but the moment you try to go further in the levels
... it is not so easy ... any document where this whole thing is
explained clearly?

> What you need to ensure is that the browser trusts the root CA *and* it sends
> the intermediate CA with the chain. If it doesn't send the intermediate CA
> you'll get unknown CA errors.
>
> Steve.

How do I make it so the browser sends the user cert + intermediate CA chain
all at once? Setting up the web server to use the .p7c file? Just
appending the two certs in the same file (PEM or DER?) ...

Tks again for your answers!

Cesc



Re: Certificate Hierarchy

2005-10-30 Thread Cesc
See below ...

On 10/29/05, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Sat, Oct 29, 2005, Cesc wrote:
> > Hi,
> >
> > I am facing a problem it seems this guy from the email above also had, I
> > just wonder what is the answer.
> >
> > My problem is that I want to create a multiple level CA ...
> > RootAuthority RA
> > CertAuthority CAx ...
> > Users
> >
> > Thus, RA signs certs for CAx
> > CAx issue certs for users, hostname, etc.
> >
> > I add the RA (root) cert to the browser, or provide it to the openssl verify
> > function.
> > The user cert (for bob) contains: bob's cert and CAx cert, thus creating a
> > chain.
> > * The verify function (For user cert Bob), will fail with:
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> > * And the browser (firefox, for example), will not be able to follow up the
> > chain and tell that bob's cert is trusted.
> >
> > The RA cert is issued with CA:true, pathlen:1
> > The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user
> > certs).
> >
> > How can I fix this? What is wrong?
> > What am I missing?
>
> See what you get from this command:
>
> openssl verify -CAfile root.pem -untrusted intermediate.pem -purpose smimesign
> usercert.pem

Used this way, it gives an OK.

> If you get an error include the -issuer_checks debugging option.

Adding this debug option, I thought it may be interesting to show the output ... here it is:
error 29 at 0 depth lookup:subject issuer mismatch

I checked, and the issuer at the usercert.pem and subject at the
intermediate.pem cert are exactly the same ... I include the section
from the .conf file for intermediate CA (the V3 extensions added to
usercert.pem).

[ rootca_extensions_user_cert ]
basicConstraints    = CA:false
nsComment     = "Comment ..."
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid,issuer:always
issuerAltName         = issuer:copy
nsBaseUrl    = http://www.mywebpage1234.com

Any way, does all this have to do with the usercert.pem cert not being
recognized as valid by browsers? I want to distribute the root.pem cert
... then provide to users the cert chain file (first usercert.pem and
second in file, intermediate.pem cert). Is this correct?

Should the root.pem or intermediate.pem certs contain some kind of key
usage value? If so, which? root.pem is only to be used to sign
intermediate CA certs; intermediate CA certs are to sign certs for
users and hostnames (acting either as clients or servers, or both at
the same time).

Regards,

Cesc
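
The hierarchy and the verify command discussed in this thread, as an added example that is not part of the original posts: it builds a throwaway root (RA), intermediate (CAx) and user certificate with the basicConstraints values quoted above, then runs openssl verify with and without -untrusted intermediate.pem. Subject names, key size, validity and the helper names build_chain, verify_user and chain_status are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: RA (root) -> CAx (intermediate) -> user certificate, built in a
# scratch directory. Subject names, key size and validity are constructed.

# build_chain DIR: write root.pem, intermediate.pem and usercert.pem into DIR.
build_chain() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = CA:true,pathlen:1
[v3_inter]
basicConstraints = CA:true,pathlen:0
[v3_user]
basicConstraints = CA:false
EOF
    # One RSA key and CSR per level; -subj overrides the placeholder DN.
    for who in root inter user; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
            -subj "/CN=Constructed $who" \
            -keyout "$dir/$who.key" -out "$dir/$who.csr" 2>/dev/null || return 1
    done
    # RA: self-signed, allows one CA level below it (pathlen:1).
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.cnf" -extensions v3_root \
        -out "$dir/root.pem" 2>/dev/null || return 1
    # CAx: signed by the RA, may only sign end-entity certs (pathlen:0).
    openssl x509 -req -in "$dir/inter.csr" -days 2 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_inter \
        -out "$dir/intermediate.pem" 2>/dev/null || return 1
    # User certificate: signed by CAx, CA:false.
    openssl x509 -req -in "$dir/user.csr" -days 2 \
        -CA "$dir/intermediate.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_user \
        -out "$dir/usercert.pem" 2>/dev/null || return 1
}

# verify_user DIR [UNTRUSTED]: run the verify command from the thread and print
# everything it reports. The exit status is not used; callers read the text.
verify_user() {
    dir=$1
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/$2" \
            -purpose smimesign "$dir/usercert.pem" 2>&1
    else
        openssl verify -CAfile "$dir/root.pem" \
            -purpose smimesign "$dir/usercert.pem" 2>&1
    fi
    return 0
}

# chain_status DIR [UNTRUSTED]: print "OK", or the first "error N" reported.
chain_status() {
    verify_user "$@" |
        sed -n -e 's/.*: OK$/OK/p' \
               -e 's/.*\(error [0-9][0-9]*\) at .*/\1/p' |
        head -n 1
}

# Demo: the trust store holds only the root, so the intermediate has to be
# supplied by the peer (here: -untrusted) for the path to build.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d) && build_chain "$demo" && {
        echo "root only:          $(chain_status "$demo")"
        echo "with intermediate:  $(chain_status "$demo" intermediate.pem)"
    }
    rm -rf "$demo"
fi
```

The chain file a server would present is the user certificate followed by intermediate.pem in one PEM file; the root stays out of it because the verifying side already trusts it.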





Certificate Hierarchy

2005-10-29 Thread Cesc
Hi,

I am facing a problem it seems this guy from the email above also had, I just wonder what is the answer.

My problem is that i want to create a multiple level CA ... 
RootAuthority RA   
CertAuthority CAx ...
Users

Thus, RA signs certs for CAx
CAx issue certs for users, hostname, etc.

I add the RA (root) cert to the browser, or provide it to the openssl verify function.
The user cert (for bob) contains: bob's cert and CAx cert, thus creating a chain.
* The verify function (For user cert Bob), will fail with:
error 20 at 0 depth lookup:unable to get local issuer certificate

* And the browser (firefox, for example), will not be able to follow up the chain and tell that bob's cert is trusted.

The RA cert is issued with CA:true, pathlen:1
The CAx certs are issued with CA:true, pathlen:0 (only able to sign end user certs).
How can I fix this? What is wrong?
What am I missing?

Tks in advance,

Cesc

On 6/20/05, David Busby <[EMAIL PROTECTED]> wrote:
> Gurus,
>   Two questions (perhaps I should have split this)
> #1  When I look at Thawte or VeriSign certs that a server has there is a hierarchy, Thawte then Me or VeriSign then Me.
> Well I made my own CA and signed some certs but they don't have the hierarchy
> like the commercial ones.  What gives?  Do I need to make a root CA, then another CA signed by root then sign the certs with the second one?
>
> /djb


Re: Adding custom data to SSL certificates

2005-10-19 Thread Cesc
I hit the wall some time ago trying the same ... adding my custom data to the certs.
Certainly this email back then would have come in handy. 
 
Anyway, just a remark ... the pain in the ass, when you generate the certificate and add your V3 extension (as explained in one of the links), is having to manually encode the value as DER ... it is easy for a small number ... even for a short string ... but beyond that, it is just too much. Does anybody know of some software that does that automatically? I mean ... provide a string/int/bool ... return the hex DER encoded version.

 
Regards,
 
Cesc 

On 10/19/05, Katie Lucas <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 18, 2005 at 04:04:57PM +0200, Jernej Kos wrote:
> > Hi,
> > is there a way to add custom data (fields?) to SSL certificates ? If
> > so, where can I find more documentation about it ?
>
> There's not a huge amount of documentation about this. Several things
> I've found;
>
> You need an ASN.1 OID to add your data under. We ended up using the
> service at http://www.itu.int/ITU-T/asn1/ to generate and register an
> oid under {joint-iso-itu-t(2) uuid(25)} under which we can then
> generate our own oids.
>
> You then get a huge long code which you can use in a call to
>
>    OBJ_create(YOUR_OID, SHORTNAME, LONGNAME)
>
> which gets you a "nid". The "nid" is the thing that you use to create
> & read X509V3 extensions in the certificates.
>
> You need to explain to openssl what format the extension field is. The
> easiest way to do this is to call
>
>    X509V3_EXT_add_alias(YOUR_NID,SOME_EXISTING_NID)
>
> passing in some field which is the same sort of style as yours.
>
> There's an example in the O'Reilly openssl book (the source is
> available as a download at http://www.opensslbook.com/code.html) about
> how to sign certificates, and along the way add extensions, and you
> can add your own in at that point.
>
> You make a stack of extensions, put your extensions into the stack, add
> the stack to the request, sign the request.
>
> Reading them is fairly easy once you've got a nid. You go;
>
>    X509_get_ext_by_NID(CERTIFICATE,NID,START_FROM);
>
> Probably with START_FROM= -1, unless you're trying to find the second
> occurrence of a field. This gives you -1 for not found, or a position.
>
> You then go
>
>    X509_get_ext(CERTIFICATE,POSITION);
>
> And it'll get you the extension. There's then things to read the data
> out of it, and get its name and so on, which are all
> X509_EXTENSION_xxx type functions.
>
> Once you know the function calls to be looking for, it all gets a bit
> easier!
>
> There's info at http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt
>
> Also worth reading
> http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
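
One way to get the hex DER for a custom extension value, as an added example that is not from the thread: openssl asn1parse -genstr encodes a TYPE:VALUE string, and the result is placed in a certificate under a private OID and read back. The OID 2.25.12345, the subject name and the helper names der_hex, make_cert_with_ext and read_ext are constructed placeholders.

```shell
#!/bin/sh
# Added example: produce the "DER:xx:xx:..." value for a custom X509v3
# extension without encoding it by hand. OID and subject are constructed.

# der_hex TYPE:VALUE: print the DER encoding as colon-separated hex,
# e.g. der_hex 'UTF8:hello' or der_hex 'INTEGER:5'.
der_hex() {
    tmp=$(mktemp) || return 1
    if ! openssl asn1parse -genstr "$1" -noout -out "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        return 1
    fi
    od -An -v -tx1 "$tmp" | tr -d ' \t\n' | sed 's/../&:/g; s/:$//'
    rm -f "$tmp"
}

# make_cert_with_ext DIR OID TYPE:VALUE: self-signed test certificate in
# DIR/cert.pem that carries the encoded value under OID.
make_cert_with_ext() {
    dir=$1
    value=$(der_hex "$3") || return 1
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed.example
[custom]
$2 = DER:$value
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -config "$dir/ext.cnf" -extensions custom \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# read_ext CERT OID: print the extension's value bytes as lower-case hex.
# Relies on asn1parse showing the OCTET STRING that follows the OID as a hex
# dump, which it does when the bytes are not all printable text.
read_ext() {
    openssl asn1parse -in "$1" 2>/dev/null |
        awk -v oid="$2" '
            /OBJECT/ && index($0, ":" oid) { hit = 1; next }
            hit && /OCTET STRING/ {
                sub(/.*\[HEX DUMP\]:/, "")
                print tolower($0)
                exit
            }'
}

# Demo: encode three value types, then round-trip one through a certificate.
if command -v openssl >/dev/null 2>&1; then
    for v in 'UTF8:hello' 'INTEGER:5' 'BOOLEAN:TRUE'; do
        echo "$v -> DER:$(der_hex "$v")"
    done
    demo=$(mktemp -d) && make_cert_with_ext "$demo" 2.25.12345 'UTF8:hello' &&
        echo "read back: $(read_ext "$demo/cert.pem" 2.25.12345)"
    rm -rf "$demo"
fi
```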


TLS Extension support - Server Name Indication

2005-10-12 Thread Cesc
Hi,
 
While discussing the proper implementation for TLS support for (open)ser SIP proxy (currently using OpenSSL), we came up with somehow a showstopper: when the server serves multiple domains, we'd like to present a different certificate depending on which domain the incoming message is directed to. The option of using a different port per domain is an option, but not the best one. 

So, my question is, does openssl implement TLS extensions, as defined in RFC 3546, specially section "3.1 - server name identification"? This way, the tls client establishing the tls connection could announce the proxy it is connecting to, thus solving all the multi-domain problems. 

We heard that it is there in gnutls, what about openssl?
 
And, now that I started, what TLS Extensions does openssl support?
 
Regards,
 
Cesc


Re: Threading OpenSSL

2005-08-29 Thread Cesc
Hi,

I would say openssl is not thread-safe per se, but you can deal with it. 
Write wrappers around the malloc/free functions to use shared memory,
to share objects among threads. Write thread-safe functions around the
ssl functions you need to access from multiple threads ...
For example code, openser.org comes to mind. In this sip proxy, tls
connections are used among various threads to send data ... take a
look, it may help.

Regards,

Cesc

On 8/28/05, Dusty Hendrickson <[EMAIL PROTECTED]> wrote:
> I am currently working on a project making use of SSL
> connections via OpenSSL.  We need a stable thread-safe
> SSL setup.  I currently know 3 things about OpenSSL
> thread-safety:
> 
> 1. Cannot share SSL connection amongst threads
> 2. Provide locking_function()
> 3. Provide id_function()
> 
> I am interested in hearing about any scenarios where
> SSL cannot be threaded, or any further steps to take
> to make it thread-safe.  Any feedback would be
> appreciated.  Thanks
> 
> Dusty


Re: Investigating a leak

2005-07-19 Thread Cesc
Why don't you move the ssl handshake to the thread code? 
Let the main loop accept tcp sockets, then create the thread with the
tcp socket as the argument you pass to the thread run method ...
perform then the ssl_accept loop (blocking or non-blocking, up to you)
in the thread ...

Just a suggestion.

Cesc

On 7/19/05, Simon Edwards <[EMAIL PROTECTED]> wrote:
> That'd do it. But if you're doing the loop in that sequence, and if you have
> set non-blocking on the sockets, then instead of polling for the connection
> you can use select or poll (depending on your platform) to wait for incoming
> connection activity, then enter ssl_accept in blocking mode which would
> probably cut down on those fake errors. Wouldn't this be a better sequence?
> 
> If you are worried about inserting another call in the sequence... Being in
> blocking mode at this stage shouldn't adversely affect performance as the
> connection thread would only be in a polling loop during this period anyway
> in this code example. Being in a time-limited wait during select only aids
> performance as it allows the client serving threads access to the time-slice
> for the process which would otherwise be tied up in the polling loop. The
> new select() call could adversely impact performance if you have to service
> a continual stream of new client connections that  prevent the select() from
> blocking at all, but that is unlikely in the real world.
> 
> Regards,
> 
>Simon
> 
> - --
> Simon Edwards
> 
> 
> 
> -Original Message-
> From: Cesc [mailto:[EMAIL PROTECTED]
> Sent: 19 July 2005 09:58
> To: openssl-users@openssl.org
> Subject: Re: Investigating a leak
> 
> 
> On 7/19/05, Rich Salz <[EMAIL PROTECTED]> wrote:
> > > Doing this now, but since my app is a server, it never really reaches
> > > the end, and the leaks build up during its lifetime, which I'd rather
> > > hoped could be more than a day or so. As it is now, the process'
> > > virtual memory size quickly reaches 3.5 GB, and then malloc() starts
> > > failing.
> >
> > Something wrong is happening.  Lots of folks are running apache/openssl
> > servers for days, weeks, etc., at a time.
> >
> > If you're seeing memory leaks like you describe, then it is far more
> > likely that the leak is either in your code, or there's a bug in the way
> > you're calling OpenSSL.  Do you get the same growth when openssl isn't
> > used?  Make sure you "xxx_free" every object you "xxx_new".
> >
> > /r$
> >
> 
> Hi,
> 
> I was looking at the code ... could it be that the memory leak is in
> the main server loop?
> Sometimes, the ssl_accept may return 0, but with an error code like
> SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, which just means that
> it could not complete the handshake, but not really an error (just call
> ssl_accept again ... ).
> But in your main server thread, you just do a continue, thus looping
> again ... and creating a brand new ssl structure and socket ... you
> should
> loop() {
>   create the tcp socket
>   loop () {
>     ssl_accept from the tcp socket till non-zero
>   }
> }
> 
> Take a look at the examples that come with openssl.
> 
> Regards,
> 
> Cesc


Re: Investigating a leak

2005-07-19 Thread Cesc
On 7/19/05, Rich Salz <[EMAIL PROTECTED]> wrote:
> > Doing this now, but since my app is a server, it never really reaches
> > the end, and the leaks build up during its lifetime, which I'd rather
> > hoped could be more than a day or so. As it is now, the process'
> > virtual memory size quickly reaches 3.5 GB, and then malloc() starts
> > failing.
> 
> Something wrong is happening.  Lots of folks are running apache/openssl
> servers for days, weeks, etc., at a time.
> 
> If you're seeing memory leaks like you describe, then it is far more
> likely that the leak is either in your code, or there's a bug in the way
> you're calling OpenSSL.  Do you get the same growth when openssl isn't
> used?  Make sure you "xxx_free" every object you "xxx_new".
> 
> /r$
> 

Hi,

I was looking at the code ... could it be that the memory leak is in
the main server loop?
Sometimes, the ssl_accept may return 0, but with an error code like
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, which just means that
it could not complete the handshake, but not really an error (just call
ssl_accept again ... ).
But in your main server thread, you just do a continue, thus looping
again ... and creating a brand new ssl structure and socket ... you
should
loop() {
  create the tcp socket
  loop () {
    ssl_accept from the tcp socket till non-zero
  }
}
  
Take a look at the examples that come with openssl.

Regards,

Cesc


Re: Supporting both TLSv1 and SSLv3

2005-06-29 Thread Cesc
Why don't you try SSLv23_client_method()?
You can also use the set_options (for the SSL structure or the
SSL_CTX) to prohibit the use of SSLv2. This way, you got an SSLv3 and
TLSv1 client.

Cesc

On 6/29/05, david kine <[EMAIL PROTECTED]> wrote:
> Hello,
> 
> How should I program my client application to support
> both TLSv1 and SSLv3?
> 
> According to RFC2246 appendix E, the client sends a
> single SSLv3 record format HELLO message with the
> version field set to {3, 1}.
> 
> Is this possible with OpenSSL?
> 
> If not, do I connect with the TLSv1_client_method()
> first, and if that fails then try
> SSLv3_client_method()?  Can these be done over the
> same socket connection or will the server disconnect
> if TLSv1 is not supported?
> 
> Thanks,
> 
> -David
> 
> 
> 


SSL_CTX_use_PrivateKey_file ... noisy output

2005-05-30 Thread Cesc
Hi,

When I load the private key, using SSL_CTX_use_PrivateKey_file
function, and I fail to enter the correct one, I get the following
output (actually, I loop three times to ask the user to reenter the
password).

How can I make these error lines not appear?

I use the password_cb function to output an UI, where the password is
requested (UI_new, UI_construct_prompt, UI_process, ... )

32539:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:evp_enc.c:450:
32539:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423:
32539:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM
lib:ssl_rsa.c:709:
Enter passphrase for /usr/local/etc/private/prik.pem:


Thanks in advance,

C.


SSL_VERIFY_PEER with SSL_VERIFY_CLIENT_ONCE

2005-05-27 Thread Cesc
Hi,

I am trying to build an application server which requests a client
certificate, but that if this is not provided, it will not fail, just
generate a warning.

To request the client cert, I set the SSL_VERIFY_PEER.
To make it not fail if client does not provide cert, I use
SSL_VERIFY_CLIENT_ONCE (xored with the previous, of course). Is it
correct?

Can I do it just with these flags, or better go implementing the
verify_callback function to do this?

Another question ... where can I find a good verify_callback function?
The one in s_server.c does the verify_depth checking thing, which I
don't quite understand.

Regards,

C.


Certificate verify failed on big-endian (Intel IXP425)

2005-05-25 Thread Cesc
Hi,

A few days ago I posted to openssl.users the message I attach below.

I have done some more research and after seeing that the ssl code works
on a little endian pc with 0.9.6, the problem is:
- with the big-endian Intel IXP425 ARM running 0.9.6
- the code of the application (SER, voip proxy, with TLS).

I have seen a few discussions about endianness, about some test failing
...
The next thing I would like to try is to cross-compile OpenSSL 0.9.7
for the IXP425 and install the new libraries.
What is the safest way to avoid all conflicts, even at a
big performance penalty?

Thanks!

Cesc

===
Certificate verify failed ... incompatible versions 0.9.6m-engine and
0.9.7d?

Hi,

I am testing an application, which is a server and a client at the same
time, connecting or receiving connections from the same application
running on other machines.
It all worked fine as long as:
- All used v.0.9.7d
- All of them were running on a i386 pc on debian linux (kernel 2.6.x).

Now ... I managed to get the application to run on an ARM embedded
system (intel ixp425, but different host byte order), which for now
only has openssl version 0.9.6m installed.

As said, it all would work fine ... till this ARM with openssl 0.9.6
came into play. Now, I cannot connect or accept connections from/to the
ARM platform.
If I do an ssl_connect (to a pc-based host), I get:
* error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed  ... on the ARM-host

If I do an ssl_accept (incoming connect from a pc-based host to the
arm-host), I get:
* error: 140890B2: SSL routines: SSL3_GET_SERVER_CERTIFICATE: no
certificate returned  ... on the ARM-host

I have set VERIFY_PEER and VERIFY_PEER_ONCE, with no verification
callback (pointer set to NULL).

The certificates and configurations work (root CA is self-signed;
server certificates, also used as client certs, are directly signed by
root CA, and contain some private X509v3 extensions).
On the ARM host I cannot do "openssl verify" ... I only have the
libraries, not the binaries for the platform.

Things I thought about: I am missing something which 0.9.7 does
automatically and 0.9.6 doesn't; a question of byte-order on the hosts;
the x509v3 private extensions; the self-signed root ca cert in 0.9.6;
...

Any other ideas or solutions?

Thanks in advance!

Cesc.S