RE: Openssl loading

2008-04-19 Thread David Schwartz

> You have lots of good points. Thank you again.

You're welcome.

> I work for AOL, developing cross platform SDK for instant messaging that
> supports plugins. Plugins can be malicious. And AOL is responsible for
> protecting users' identity and privacy. Considering our user base, a
> trojan is more likely to target our users than to protect them.

So you need a "security" scheme for plugins that covers more than just
OpenSSL. Any mechanism that could subvert OpenSSL could subvert other
plugins.

> What do the majority of applications do on Unix if static linking with
> openssl isn't suitable?
>
> Thanks.
>
> Yvonne

You have a very tricky problem. In general, an attacker needs to do three
things:

1) Get malicious code to run on your machine.

2) Get access to sensitive information in his malicious code.

3) Pass that information to himself from the malicious code.

You can attack any of these three points. It sounds like plugins to an
instant messaging platform make attacking 2 or 3 impossible, so you're back
to 1.

Couldn't anyone who could do 1 also put his code in front of your SDK? (Or
trace your SDK as it talks to client applications.) It seems like if you have to
attack 1, you have to do it at the system level. (Or you have to come up
with a way for applications to validate their own context and then validate
the SDK before they start talking to it.)

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Openssl loading

2008-04-18 Thread David Schwartz

> Thanks for your response. Shipping my own version of openssl is ruled
> out. So I have to trust the system installed one. Think at least on some
> Unix systems, LD_LIBRARY_PATH is searched first.

Right, this is because:

1) A library cannot do any harm the user could not do directly. So there's
no point in preventing him from replacing system libraries.

2) The user may need to replace a system library for a given application for
various reasons, including if the system library has a bug that other
programs rely on.

> I worry about Trojan horses
> hidden there. I am advised to zero out this env variable before
> loading openssl.

I would not advise this. At least as likely as a trojan is that the
system-installed one has a problem and the user has installed a fixed
OpenSSL build. The trojan can just as easily intercept your programs file
operations to redirect the attempt to link to the system-installed OpenSSL
to be to a user-provided one.

> What else can I do?

Consider very carefully whether protecting the user from himself is worth
preventing him from protecting himself.

It's very hard to give you advice without having any understanding of what
your threat model is. For example, if your program is designed to protect
banking transactions, that's a very different threat model from if your
program is designed to protect its own licensing.

DS




RE: Openssl loading

2008-04-18 Thread David Schwartz

> I have an application that is dynamically linked with openssl.
> I'd like to load system installed openssl at runtime.

1) "I'd like to use the system installed openssl rather than one I know is
secure."

> My application can only be as secure as the openssl loaded into
> the process. What steps should I take to ensure my application doesn't
> load a compromised openssl library that happens to be in front of the
> system installed one in library search path?

2) "I'd like to use an openssl I know is secure rather than the system
installed one."

This seems inconsistent. If you have some heuristical way to know which is
secure and which isn't, use them. For example, if you know that one
installed in the system directory is secure, then open a library from the
system directory directly.

I would argue that in the vast majority of cases, option 2 is the correct
one. If someone wants to compromise their own system, why stop them? And
it's impossible in principle for application software to ensure secure
operation on a compromised machine.

Which of the following cases are you in?

A) I trust some system things but not others. For example, I trust DLLs
that are signed or that are stored in known-safe directories. But I don't
trust my search path? (In which case, the solution is obvious: check the
DLLs and open them by full path.)

B) I trust the machine. If it's compromised, oh well, I can't operate safely
on a well-compromised machine anyway. (In which case, just open the DLLs.)

C) I don't trust the machine and my interests may be averse to the machine
owner's interests (for example, a licensing application). (In which case,
use only your own DLLs, checksum or sign them, probe for debuggers, and so
on.)

D) I have to meet explicit regulatory or project requirements, such as FIPS.
(In which case, follow them. You will likely have to do most of what I said
in case C.)

E) Something else. (In which case, more details are needed before you will
get useful advice.)

DS
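One way to implement the "check the DLLs and open them by full path" option of case A, as an added example that is not code from the thread: the library is named by absolute path, the opened file (not the path) is checked for ownership, permissions and a pinned SHA-256, and it is then loaded through that same descriptor so the bytes verified are the bytes mapped. The trusted directories, trusted uid list and digests are placeholders for your own policy, and the /proc/self/fd load is Linux-specific. One caveat the thread does not spell out: a name containing a slash is never searched for in LD_LIBRARY_PATH, but the library's own dependencies (libcrypto for libssl) still are, so every library in the chain needs pinning, or the chain needs to be linked statically.

```python
import ctypes
import hashlib
import os
import stat

# Added example, not code from the thread. Policy values are placeholders.
TRUSTED_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")   # assumption: system dirs
TRUSTED_UIDS = (0,)                                          # assumption: root-owned only
CHUNK = 1 << 16


def sha256_of_fd(fd):
    """Hash the bytes behind an already-open descriptor (not a path)."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        block = os.read(fd, CHUNK)
        if not block:
            break
        h.update(block)
    return h.hexdigest()


def check_library_fd(fd, expected_sha256, trusted_uids=TRUSTED_UIDS):
    """Return the list of policy violations for an open library fd (empty list = accept)."""
    problems = []
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid not in trusted_uids:
        problems.append("owner uid %d is not trusted" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if sha256_of_fd(fd) != expected_sha256.lower():
        problems.append("sha256 does not match the pinned digest")
    return problems


def open_pinned_library(path, expected_sha256, trusted_dirs=TRUSTED_DIRS,
                        trusted_uids=TRUSTED_UIDS):
    """Open a library by absolute path and verify the *opened file*, not the path.

    Checking the descriptor after open() and loading through that same descriptor
    avoids the check-then-load race where the file is swapped between the two.
    Raises ValueError on any policy failure; returns the verified fd otherwise.
    """
    if not os.path.isabs(path):
        raise ValueError("library must be named by absolute path: %r" % (path,))
    real = os.path.realpath(path)
    if not any(real.startswith(d.rstrip("/") + "/") for d in trusted_dirs):
        raise ValueError("%s resolves to %s, outside the trusted directories" % (path, real))
    fd = os.open(real, os.O_RDONLY | getattr(os, "O_CLOEXEC", 0))
    problems = check_library_fd(fd, expected_sha256, trusted_uids)
    if problems:
        os.close(fd)
        raise ValueError("refusing %s: %s" % (path, "; ".join(problems)))
    return fd


def load_pinned_library(path, expected_sha256, **policy):
    """Verify, then dlopen through /proc/self/fd so the mapped inode is the verified one.

    Assumption: Linux. A name containing a slash is never searched for in
    LD_LIBRARY_PATH, but the library's own DT_NEEDED dependencies still are.
    """
    fd = open_pinned_library(path, expected_sha256, **policy)
    try:
        return ctypes.CDLL("/proc/self/fd/%d" % fd)
    finally:
        os.close(fd)   # the mapping stays valid after the descriptor is closed
```

Whether this is worth doing at all is exactly the question the post raises: it protects a machine whose system directories are intact from a hostile search path, and nothing more.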




RE: SSL overhead

2008-04-16 Thread David Schwartz

> One more question: I'm working on an asynchronous framework, and
> there's a "poll" method that gets called in each iteration. In our
> sockets, this method's supposed to do whatever needs doing, and return
> how many bytes are waiting to be read from the socket, so the return
> value should be the value of SSL_pending, if I want SSL to be
> transparent. The problem is that SSL_pending might return 0 if there's
> stuff on the socket, but isn't enough to decode a full record. And as
> long as poll() returns 0, no calls to read() which triggers a call to
> SSL_read() will be made, so I need to call SSL_read() in the calls to
> poll(), or to find some other way to force SSL to process a little bit
> of data. Should I call SSL_read() with a num value of 0? will that
> work? or is there something else I'm missing here?

This seems like a strange and inefficient architecture. Why receive the data
twice, once in some kind of 'poll' operation and then again in a 'read'
operation? Either the 'poll' operation should just say "do something" or the
'poll' operation should provide the data.

Why not just call SSL_read in the 'poll' operation and if the return value
is non-zero, stash the data in a buffer and return the number of bytes you
read? That way you won't need to call into the SSL engine again to get the
data you knew you needed anyway.

If the purpose of the 'poll' operation is just to say "yes, there's
something to do", then you should not be calling the 'poll' operation unless
directed to by the SSL framework. If the SSL framework returns 'WANT_READ',
then you know that no further progress will be possible until either you can
read more data from the socket or something else happens. In that case, your
'poll' can check the real socket. Otherwise, it is a mistake to wait since
the data may already be there.

In sum:

1) Check the socket for readability only if the SSL engine last gave you a
WANT_READ and you've made no further progress since then. Otherwise, just
call SSL_read.

2) Don't try to figure out how many bytes there are, just get them, and then
not only will you know how many there are, but you'll know what they are
too. You'll definitely need that later, so don't force the SSL engine to do
the work of processing them twice.

DS




RE: Public key from a x509v3 certificate

2008-04-16 Thread David Schwartz

> Thanks for the answer, but I still got a little problem,
> when i run this code :

> EVP_PKEY *key2 = X509_get_pubkey(certif.getX509Certificate());
> cout << BN_bn2hex(key2->pkey.rsa->n);

> I miss the first 00 of the public key...
> How can i get them ?

The leading '00' is part of the DER encoding of the data portion, it is not
part of the number. It is required when the number would otherwise be
considered negative (because its high bit would be set) and prohibited
elsewhere. The command you issued outputs the numerical value.

I think you are asking for something that is not sensible. If you're going
to compare it to something else, you should be comparing the full DER
encoding. If you want it for any other purpose, you shouldn't want the
leading 0, since it's an artifact of DER encoding.

If you want to compare the DER encodings, you need to get the DER encoding,
not the number. If you want to compare the numbers, '03' should compare
equal to '3' anyway. What are you trying to do?

DS
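The encoding rule described above, as an added example that is not code from the thread: a minimal DER INTEGER encoder and parser in Python showing when the leading 00 appears (only when the top bit of the magnitude is set), a parser that rejects the non-minimal encodings DER forbids, and a comparison helper that treats a modulus as a number, which is the comparison the reply recommends. The BN_bn2hex-style helper mimics OpenSSL's byte-wise hex output as described in the thread; it is not OpenSSL's code.

```python
# Added example, not code from the thread.

def der_integer_content(n):
    """Minimal two's-complement content octets of a non-negative INTEGER (no tag/length)."""
    if n < 0:
        raise ValueError("only non-negative integers handled here")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    # DER: prepend 00 if and only if the high bit is set, otherwise the value
    # would be read back as negative. Anywhere else a leading 00 is forbidden.
    if body[0] & 0x80:
        body = b"\x00" + body
    return body


def der_length(length):
    """DER length octets: short form below 128, otherwise minimal long form."""
    if length < 0x80:
        return bytes([length])
    octets = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_integer(n):
    """Full TLV encoding of a non-negative INTEGER."""
    content = der_integer_content(n)
    return b"\x02" + der_length(len(content)) + content


def parse_der_integer(data):
    """Parse one DER INTEGER at the start of data; return (value, bytes_consumed).

    Rejects the encodings DER forbids: non-minimal lengths and a redundant
    leading 00 or FF octet. Length octets beyond 4 are not handled here.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("expected INTEGER tag")
    first = data[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
        if length < 0x80 or data[2] == 0:
            raise ValueError("non-minimal length encoding")
    content = data[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    if length > 1 and content[0] == 0x00 and not (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER: redundant leading 00")
    if length > 1 and content[0] == 0xFF and (content[1] & 0x80):
        raise ValueError("non-minimal INTEGER: redundant leading FF")
    return int.from_bytes(content, "big", signed=True), pos + length


def bn_style_hex(n):
    """Upper-case, byte-wise hex of the magnitude, the way BN_bn2hex prints it
    (so 3 becomes '03', and 0x80 becomes '80' with no leading 00)."""
    return "0" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big").hex().upper()


def modulus_matches(n, reference_hex):
    """Compare as numbers: '00:80', '0080' and '80' all denote the same modulus."""
    return n == int(reference_hex.replace(":", "").replace(" ", ""), 16)
```

To compare the DER bytes instead, encode the reference value with der_integer() and compare the full TLV; comparing a DER hex dump against bn_style_hex() output will always disagree on the leading 00 for any modulus whose top bit is set, which is every RSA modulus of the usual sizes.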




RE: SSL overhead

2008-04-14 Thread David Schwartz

> The documentation's poor at best, and I don't completely get the
> general concepts. From reading examples I figure that only the
> BIO_f_ssl does encryption-decryption when written into? so what should
> I do if I want to provide an api that has functions b_encrypt and
> encrypt_flush?

I think you have a wrong notion in your head that's leading you astray. You
are thinking about an SSL connection as a module that you put some plaintext
into, some encrypted data comes out, and then you send that on a socket, you
get some encrypted data back, you feed that into the SSL connection, and you
get some plaintext back.

While that certainly *sometimes* happens, other times it doesn't happen.
Sometimes you want to hand plaintext to the SSL engine, but it can't encrypt
it yet because it hasn't negotiated the key. Sometimes data comes in from the
socket that's protocol data and doesn't correspond to application data.

Your whole concept of "how big does my buffer have to be" is based on the
mistaken notion that it's useful to try to track what goes in to its
corresponding output. It's not. That's the SSL engine's job.

It is better to think of the SSL engine as a box that has four 'links'. One
is the one you feed plaintext into so that it can be encrypted and sent. One
is the one encrypted data comes out of. One is the one that you get
decrypted plaintext from. One is the one that data that comes in from the
wire is fed into. The relationship between these four links is 100% the SSL
engine's business, and you shouldn't make any assumptions about it.

If you hand plaintext to the SSL engine, at some point it might hand
encrypted data to you to send over the Link. Or it might not. That's not
your business. If you get encrypted data from the other end, give it to the
SSL engine. It might output some plaintext for you to treat as received, or
it might not. That's not your business.

You have two general approaches to choose from. You can implement a BIO and
OpenSSL will call into your BIO whenever it needs to send or receive data to
or from the other end. This will result in your calls to SSL_read/SSL_write
making calls into your own send/receive functions when the SSL engine needs
to interact with the link to the other end. This is probably the simpler
approach and it makes deadlocks easier to avoid.

The other way is to use BIO pairs. With a BIO pair, you actually
independently manage all four links independently. When you get data from
the other end of the SSL link, you will actually 'write' it onto the
appropriate link. When you make forward progress, you will actually call a
'read' function to get data from OpenSSL that you send to the other end.
This is a bit trickier to do as it is easy to inadvertently cause deadlock,
especially in non-blocking implementations.

DS




error when trying to use Net::SSLeay perl module under IIS6

2008-04-13 Thread DAVID NEILL
This list was given as a place to ask general questions regarding the 
Net::SSLeay module for perl.  I'm having success using the module in a perl 
command-line script to perform an authenticated login to my mail server to send 
E-mail.  When I try to adapt the same code to work from a CGI script from an 
IIS6 server (2003 server), I get the error listed at the bottom of this message.

I've re-installed the Net::SSLeay module with the --force option to re-install 
the SSLeay.dll
(ppm install --force http://theoryx5.uwinnipeg.ca/ppms/Net-SSLeay.ppd) 
and confirmed and accepted the dll file install in D:\Perl\bin
How do I go about fixing this?  I've changed the permissions on all the files 
involved to give 
IUSR_computername (the account IIS runs under) full control over all the files, 
modules, directories, dlls involved.  I also added permissions for 'everyone' 
to the same
effect.  I am still getting the below error message.  Thanks for your time.


Can't load 'D:/Perl/site/lib/auto/Net/SSLeay/SSLeay.dll' for module 
Net::SSLeay: load_file:Access is denied at D:/Perl/lib/DynaLoader.pm line 230.
 at D:/Perl/site/lib/IO/Socket/SSL.pm line 18
Compilation failed in require at D:/Perl/site/lib/IO/Socket/SSL.pm line 18.
BEGIN failed--compilation aborted at D:/Perl/site/lib/IO/Socket/SSL.pm line 18.
Compilation failed in require at D:/Perl/site/lib/Net/SMTP/SSL.pm line 8.
BEGIN failed--compilation aborted at D:/Perl/site/lib/Net/SMTP/SSL.pm line 8.
Compilation failed in require at D:\Inetpub\wwwroot\upload\filechucker.pl line 
8467.
BEGIN failed--compilation aborted at D:\Inetpub\wwwroot\upload\filechucker.pl 
line 8467.

For help, please send mail to this site's webmaster, giving this error message 
and the time and date of the error. 

"ERROR:name does not match"

2008-04-10 Thread David Miller
This is not a question but a solution to a problem that I and many others it
seems have run into and no solution seems to be on the internet.  So I found
a solution at least in my case and wanted it to be archived in this list so
that it can help others who run into this problem in the future.

The Problem:
  After moving the CA files from one server to another you get an error
message similar to the following when trying to revoke a certificate.
 ERROR:name does not match
/C=xx/ST=xx/O=xxx/CN=user1/[EMAIL PROTECTED]

The Solution:
  The problem in my case was that the index.txt file was opened and
apparently saved on a windows computer before it found its way to the new
server.  Opening up the index.txt file in VIM showed that the file had ^M
control characters at the end of each line.  As a result the Subject in the
certificate and the index.txt were failing to match resulting in the error
and preventing me from being able to revoke certificates.  Simply removing
the ^M's from the index.txt file resolved the problem.  As always use
caution when editing important files and make a backup of your index.txt
before attempting to do any edits.

I hope this helps someone.
--
David Miller
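As an added example (not part of the post above), a small Python checker for the CA's index.txt that exposes the problem described: it parses the tab-separated records, lists the lines that end in a carriage return (what vim shows as ^M), shows that an exact subject lookup fails while the CR is there, and rewrites the file with a backup. The index lines and subjects it uses are constructed, not taken from any real CA.

```python
import shutil

# Added example, not from the post. Sample records below are constructed.
INDEX_FIELDS = ("status", "expiry", "revocation", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt into one dict per line. Line endings are kept on purpose,
    so a line saved with CRLF shows up as a subject that ends in '\\r'."""
    records = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue
        fields = line.split("\t")
        if len(fields) != len(INDEX_FIELDS):
            raise ValueError("line %d: expected %d tab-separated fields, got %d"
                             % (lineno, len(INDEX_FIELDS), len(fields)))
        rec = dict(zip(INDEX_FIELDS, fields))
        rec["lineno"] = lineno
        records.append(rec)
    return records


def crlf_lines(text):
    """Line numbers whose ending is CRLF."""
    return [n for n, line in enumerate(text.split("\n"), 1) if line.endswith("\r")]


def normalize_line_endings(text):
    return text.replace("\r\n", "\n").replace("\r", "\n")


def find_record(records, subject, serial=None):
    """Exact match on subject (and serial if given): a trailing CR never matches."""
    for rec in records:
        if rec["subject"] == subject and (serial is None or rec["serial"] == serial):
            return rec
    return None


def fix_index_file(path):
    """Copy index.txt to index.txt.bak, then rewrite it with LF endings.
    Returns the number of lines that were changed (0 means nothing written)."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", "surrogateescape")
    changed = len(crlf_lines(text))
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "wb") as f:
            f.write(normalize_line_endings(text).encode("utf-8", "surrogateescape"))
    return changed


# Constructed sample: two valid entries as they look after a CRLF round trip.
SAMPLE_SUBJECT = "/C=xx/ST=xx/O=xxx/CN=user1/emailAddress=user1@example.test"
SAMPLE_INDEX_CRLF = (
    "V\t090410120000Z\t\t01\tunknown\t" + SAMPLE_SUBJECT + "\r\n"
    "V\t090410120000Z\t\t02\tunknown\t/C=xx/ST=xx/O=xxx/CN=user2\r\n"
)
```

Run fix_index_file() on a copy first; the CA also keeps index.txt.attr and the serial file next to it, and those can pick up the same line endings from the same transfer.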


RE: Create public/private key pair from trusted moduli?

2008-04-10 Thread David Schwartz

Kyle Hamilton wrote:

> You can have B contact the server and obtain a signed "authorization
> certificate" for its key that uses custom extensions to specify 'is
> authorized to connect to A' for a given timeframe, and have that be
> the certificate that B presents when connecting to A.  Then, A looks
> for the 'authorized to connect to' list, finds itself in there, checks
> validity time, and makes the decision based on that.  No need to share
> the public keys, nor is there a need to tell both sides about it if
> the signature can be verified.
> 
> If you want the server to mediate access between peers without having
> to have your clients constantly connected to the server, that's a way
> to do it.

Maybe I'm missing something, but it doesn't seem to me like that would work. 
How does B know it is talking to A? If you expect the "is authorized to connect 
to" certificate to contain both public keys, then how can you say "no need to 
share the public keys"? And if not, how does B know it is talking to A and A to 
B?

I'm probably misunderstanding you. But if I can misunderstand it, the OP 
probably can too.

And with respect to the other thread, I agree with you. The level of security 
should be the highest that doesn't require sacrificing things that are more 
important than security. Sometimes all you need is to keep out your kid sister, 
sometimes you have to keep out professional spies financed by a major 
government. The solutions appropriate to those two extremes are very different. 
Don't let the fact that you can't feasibly implement a perfect solution keep 
you from implementing one that is more than good enough.

DS




RE: Create public/private key pair from trusted moduli?

2008-04-09 Thread David Schwartz

> Right, Gotcha!
>
> There is one flaw in this design however.
>
> Peers:
> A, B, E
>
> By this scenario all three peers would be able to communicate, not
> just A and B, but also E.

Do you want the server to have to approve A to talk specifically to B? Or do
you just want A and B to be able to identify each other and make the
decision of whether or not to speak?

The scheme, as I described it, will allow A, B, and E, to confirm who they
are speaking to. Someone with no identity will be rejected, and E cannot
impersonate A or B.

Is the idea that the server must specifically approve the A<->B link? In
other words, it's not enough for A to know that it's talking to B and vice
versa but each must specifically know that the server has approved its
communication with the other?

In that case, the server should give either peer a signed object that
contains both parties' public keys. Whichever peer has that object can then
send it to the other. Each peer can validate the other peer's public key and
the object from the server, see a match to both its own key and the other
party's key, and approve the connection.

This may be needlessly complex. If the server is actually in communication
with both A and B at the time, it can simply send each side the other side's
IP address, port, and the other side's public key. No need for any special
certificates or the like since there's already a secure channel to both
peers. In that case, each side simply confirms that the other side knows the
secret key corresponding to the public key the server gave it.

DS




RE: Create public/private key pair from trusted moduli?

2008-04-09 Thread David Schwartz

> Thanks Kyle,
>
> Here is my situation:
>
> I have a server which can sign certificates over tls(implemented in
> both client and peer).
>
> I generate a public/private key pair for each peer now.
>
> I need a way so Peer A Trusts Peer B because.
>
> So, I am trying to figure out the best way to do this, can server sign
> each peers certs and them trust each other?

Yes. The usual way to do this is:

1) Peer connects to server.
2) Peer and server exchange whatever information is needed for server to
confirm peer's identity.
3) Server issues peer a signed certificate that vouches for its identity.
4) Peer disconnects from server.
5) Peer connects to peer.
6) Peer presents certificate it got from server.
7) Other peer validates certificate and knows peer's identity as established
with the server. (It must also determine that the peer *owns* the
certificate as opposed to just having a copy of it!)

This requires the peers to be able to recognize that a certificate was
signed by the server and is properly owned by the peer they're talking to.

DS




RE: CA generation/certificate serial number

2008-04-03 Thread David Schwartz


smime.p7m
Description: S/MIME encrypted message


RE: FIPS compliant shared object

2008-04-03 Thread David Schwartz

> Can someone point me to instructions on how to create a shared object
> that contains the fipscanister.o and passes the FIPS_mode_set() test?
> I can create executables using the ldfips script that pass the test, but
> when I attempt to create a fips compliant shared library (the FIPS User
> Guide states this is possible) I get the following errors when calling
> FIPS_mode_set():

> 21086:error:2A07806E:FIPS routines:FIPS_check_dso:fingerprint does not
> match:fips.c:212:

Can you clarify what it is you are doing? Are you using "ldfips" to link the
shared library? Are you using "ldfips" to link the executable? What platform
is this? (And, if applicable, 32-bit or 64-bit?)

DS




RE: openssl performance

2008-04-02 Thread David Schwartz

On Tue, Apr 1, 2008 at 11:56 PM, raj H <[EMAIL PROTECTED]> wrote:

> Anybody any comments?

It's really hard to help you because your question is so vague. What
platform are you using? What performance are you seeing? What performance
did you expect? Is the problem with session setup rate or connection
throughput or what?

DS




RE: What scenario will cause openssl can't send "client hello" request?

2008-04-01 Thread David Schwartz

> Our program that uses openssl can't work normally with
> the 'https' protocol. Then we used ethereal to sniff data on
> port 443 and found that the client doesn't send a "client hello"
> message to the server after it finishes the tcp handshake. Does anyone
> know about this? BTW: the openssl lib is fine under another
> environment. Does anyone have any idea? Any suggestion and help
> are welcome and greatly appreciated. Thanks.

You're asking us to find the bug in a program we can't see. All we can do is
guess.

FWIW, I once had this exact same problem when I was writing my very first
piece of code to implement OpenSSL and BIO pairs. The problem was that
nothing triggered my code to send data on the socket. No data had been
received on the socket, no data had been sent by the application, so there
seemed to be no reason to do anything at all.

Your problem may be a deadlock issue where you are waiting for something to
happen (on the socket or the application I/O side) and everything else is
waiting for you to call some OpenSSL function that will trigger the sending
of the client hello.

Are you calling into the OpenSSL library? If not, how is the client hello
going to get sent?! (Some code has to run in order to send any data.) If so,
what function and what is it returning?

DS
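An added example, not code from the thread, that ties together the three replies above: the "only wait on the socket after WANT_READ" rule from the SSL overhead thread, the four-links picture of an engine driven through a BIO pair, and the missing ClientHello described here. It uses Python's ssl.MemoryBIO pair, which is the same arrangement as an OpenSSL BIO pair: nothing reaches the outgoing BIO until something calls into the engine, plaintext handed over before the handshake is finished is held back rather than encrypted, and a fatal alert arriving from the wire produces an error, never plaintext. The host name is a placeholder and the alert record in the test is constructed.

```python
import ssl

# Added example, not code from the thread. The host name is a placeholder.
TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


class TlsEngine:
    """An OpenSSL client engine with its four links exposed explicitly:

      link 1  step(plaintext_out=...)   plaintext handed in, to be encrypted
      link 2  result["to_send"]         bytes the engine wants put on the wire
      link 3  result["plaintext"]       decrypted application data
      link 4  step(received=...)        bytes that arrived from the wire
    """

    def __init__(self, server_hostname="example.test"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # offline demo: there is no real peer to verify
        ctx.verify_mode = ssl.CERT_NONE
        self.from_wire = ssl.MemoryBIO()
        self.to_wire = ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.from_wire, self.to_wire,
                                server_side=False, server_hostname=server_hostname)
        self.handshake_done = False
        self.closed = False
        self.pending_plaintext = b""    # link 1 data the engine cannot encrypt yet

    def step(self, received=b"", plaintext_out=b""):
        """Feed wire bytes (possibly none), queue plaintext (possibly none), and
        make whatever progress is possible right now.

        want_read is True only when the engine cannot go further without more
        wire bytes; that is the only time the caller should wait on the socket.
        """
        if received:
            self.from_wire.write(received)
        self.pending_plaintext += plaintext_out
        want_read, plaintext, error = False, b"", None
        try:
            if not self.handshake_done:
                self.tls.do_handshake()
                self.handshake_done = True
            if self.pending_plaintext:
                self.tls.write(self.pending_plaintext)   # only once keys exist
                self.pending_plaintext = b""
            while True:
                chunk = self.tls.read(16384)   # SSLWantReadError when nothing is decodable
                if not chunk:
                    self.closed = True
                    break
                plaintext += chunk
        except ssl.SSLWantReadError:
            want_read = True
        except ssl.SSLWantWriteError:
            pass                           # satisfied once to_send is flushed
        except ssl.SSLZeroReturnError:
            self.closed = True             # clean close_notify from the peer
        except ssl.SSLError as exc:
            error = str(exc)               # protocol data that is not application data
        return {"want_read": want_read, "to_send": self.to_wire.read(),
                "plaintext": plaintext, "error": error}


def first_record_is_client_hello(wire):
    """True if wire holds exactly one TLS record and it carries a ClientHello."""
    if len(wire) < 6 or wire[0] != TLS_RECORD_HANDSHAKE:
        return False
    length = int.from_bytes(wire[3:5], "big")
    return length == len(wire) - 5 and wire[5] == HANDSHAKE_CLIENT_HELLO
```

The driving loop is then: call step() whenever anything happened (socket readable, socket writable, application has data), write to_send to the socket, deliver plaintext, and select() on readability only when the last result said want_read and nothing has changed since. A step() on a fresh engine with no input at all is what puts the ClientHello into to_send; an application that never calls in never sends one.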




Weird behavior of salt in 64 bits machine.

2008-04-01 Thread David Erosa García
Hello all.

This is my first mail to the list as I'm not any kind of advanced user
of openssl.

I'm doing my "homework" about openssl, but this question has nothing to
do with it. It's just a doubt that arose while doing it.

There is one exercise with the following text:


Using the command "openssl enc" and the following AES key:
188458A6D15034DFE386F23B61D43774, certain information can be decrypted.
Could you say what?

So I started playing with "openssl enc" and thought the only thing I
could "guess" was the salt (Surely I'm wrong). 

So I ran the command with a random IV:
openssl enc -aes128 -K 188458A6D15034DFE386F23B61D43774 -iv 1 -P

I found that the salt varies as it should on two machines with 32 bit
CPU (not my main one):

Office's computer (openssl 0.9.8g-4ubuntu2):
salt=4075DFB76496F2B7
salt=4045D8B76466EBB7
salt=40C5DAB764E6EDB7
salt=4015DEB76436F1B7
salt=4025DFB76446F2B7

A server I have somewhere else (openssl 0.9.8c-4etch1):
salt=50D882BF0C00
salt=B05DD9BF0C00
salt=A0CCC7BF0C00
salt=E0C88BBF0C00
salt=204190BF0C00

But when I run it on my main computer, it always outputs the same salt!
This machine is a 64bit CPU, running a 64bits linux distribution
(openssl 0.9.8g-4ubuntu2):

salt=0004
salt=0004
salt=0004
salt=0004

I've been searching the openssl lists and found nothing about this behavior.

What can be happening? Is it about the 64 bit version of openssl?

Thanks a lot for your attention.

Regards.


RE: Upgrade shows wrong version

2008-03-24 Thread David Schwartz

> Maybe I need some more coffee before I google...
>
> I just upgraded to openssl-0.9.8g, but when I type openssl version it
> still shows me the old one.

That just means that you are running the executable from the old version.

> Am I missing some steps here and is there a web page where I can
> find them?

Where did you install the 'openssl' executable and libraries? And when you
type 'openssl', what executable are you running?

This is basic system troubleshooting and applies the same to pretty much
every package you might install.

DS




RE: SSL_accept hangs

2008-03-20 Thread David Schwartz

To Md Lazreg:

I think I found it.

    ready_sockets = ::select(m_max_socket + 1, rfds, 0, 0, &tv);
    if (ready_sockets > 0)
    {
        if (FD_ISSET(s->get_sock(), p->get_rfds()))
        {
            new_s->set_non_blocking(true); /* GAK */
            if (s->accept(new_s))
            { /* HERE */
                /* call the code above which will call SSL_accept */
            }
            else
            {
                /* error handling */
            }
        }
    }


The line marked with the 'GAK' should be:

s->set_non_blocking(true);

You don't want the listening socket to block when you call 'accept' on it.
You can't make the newly-accepted socket non-blocking until after it exists.

At the 'HERE' tag, you should probably have a:
new_s->set_non_blocking(true);

Because you don't want the newly-accepted connection to block either.
(Though you may already cover that by setting the BIO non-blocking.)

DS




RE: SSL_accept hangs

2008-03-20 Thread David Schwartz


> Well, that is not true and I am sorry I did not give
> you the full code as it is quite complicated, but the
> snippet you see above is called after a new connection
> is already accepted. So I have an outer loop that does
> a select and once a new connection is detected and accepted
> without errors, I go ahead establishing the ssl part... Something like:

    ready_sockets = ::select(m_max_socket + 1, rfds, 0, 0, &tv);
    if (ready_sockets > 0)
    {
        if (FD_ISSET(s->get_sock(), p->get_rfds()))
        {
            new_s->set_non_blocking(true);
            if (s->accept(new_s))
            {
                /* call the code above which will call SSL_accept */
            }
            else
            {
                /* error handling */
            }
        }
    }

Where is the call to 'accept' (the system's 'accept')? Did you cut out a
line before 'new_s->set_non_blocking'? Is 's->accept(new_s)' a wrapper
around 'accept'? Can you paste the code to this wrapper?

> I am setting the socket as non blocking by simply calling:

int flags = fcntl(m_sock_fd, F_GETFL, 0);   /* keep whatever flags are already set */
if (flags == -1 || fcntl(m_sock_fd, F_SETFL, flags | O_NONBLOCK) == -1)
{
    return false;
}

This does not make the BIO non-blocking. That may or may not matter, but to
tell I need to see where the actual call to the system's 'accept' function
is taking place. And you still haven't pasted that code.

> I am confused when you say if my BIO is non-blocking too.
> I thought that it is non blocking since the underlying socket
> is non blocking. Is this a wrong assumption? if so how can I make
> the BIO non blocking [BIO_set_nbio?]

Right. A blocking BIO with a non-blocking socket can cause serious problems.

Where is the actual call to 'accept' to accept the connection? What happens
if 'accept' returns EMFILE or ENFILE?

DS




RE: SSL_accept hangs

2008-03-20 Thread David Schwartz

> Hi David,

> My code looks like this:

1  while(1)
2  {
3r = SSL_accept(m_ssl);
4if (r > 0)
5{
6 break;
7}
8r = ssl_retry(r);
9if ( r <= 0)
10 {
11  break;
12}
13}

Well, that's obviously badly broken. It's probably not precisely your issue,
but it's related. Since the socket is non blocking, there is no place for
this code to block waiting for the connection!

> The issue is not that it is going into an infinite while loop.

That's just pure luck.

> The issue is that SSL_accept on line 3 never returns!.
> My socket is a non blocking one so as far as I know
> SSL_accept should return.

How did you make it non blocking exactly? And is the BIO non-blocking too?

> A backtrace shows that when this happen the server gets stuck in:

> SSL_accept
> after calling SSL_accept.

Sounds like you're lucky. The BIO is actually blocking and that's saving
your code from looping. At least you're not burning the CPU. ;)

What is your design intention if 'accept' returns EMFILE or ENFILE? If your
answer is "I have no idea" or "I never really thought about it", then it's
no surprise your code mishandles this case.

DS




RE: SSL_accept hangs

2008-03-20 Thread David Schwartz

> Hi,

> I have setup an SSL server that works fine up to
> 400 connected clients.

> When I try to have more than 400 clients, then my server hangs in the
> SSL_accept call. This happens very randomly, sometimes beyond 1000
> connected clients...

> The server is dead once this happen and no other client can connect.

> Please note that I am using non blocking sockets so SSL_accept _should_
> return... but for whatever reason it does not.

What is your code *supposed* to do if SSL_accept bails out of accept
immediately with EMFILE? If you keep looping and calling SSL_accept forever,
then your code is going to loop forever.

ret = accept(sock, (struct sockaddr *)&from, (void *)&len);
if (ret == INVALID_SOCKET)
{
    if (BIO_sock_should_retry(ret)) return -2;
    SYSerr(SYS_F_ACCEPT, get_last_socket_error());
    BIOerr(BIO_F_BIO_ACCEPT, BIO_R_ACCEPT_ERROR);
    goto end;
}

DS
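The accept-side discipline from the four SSL_accept replies above, as an added example that is not code from the thread: the listening socket is made non-blocking before accept() is ever called, the accepted socket is made non-blocking only after it exists, and EMFILE/ENFILE are handled rather than looped on. It is written in Python on an AF_UNIX listener so it runs offline; the spare-descriptor recovery is the usual trick of reserving one fd so that a queued connection can still be accepted and closed instead of leaving a level-triggered select() reporting the listener readable forever. What the thread calls the BIO side is covered by Python's ssl module on top of such a socket and is not shown here.

```python
import errno
import os
import socket

# Added example, not code from the thread.


class SpareFd:
    """One reserved descriptor, given up only to recover from EMFILE/ENFILE."""

    def __init__(self):
        self.fd = os.open(os.devnull, os.O_RDONLY)

    def release(self):
        if self.fd is not None:
            os.close(self.fd)
            self.fd = None

    def reacquire(self):
        if self.fd is None:
            try:
                self.fd = os.open(os.devnull, os.O_RDONLY)
            except OSError:
                pass   # still exhausted; the next EMFILE will report "exhausted"


def make_listener(path, backlog=16):
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.listen(backlog)
    s.setblocking(False)   # before accept(): a select() wakeup must never end in a blocking accept
    return s


def accept_one(listener, spare):
    """Accept at most one connection after select() reported the listener readable.

    Returns (status, conn):
      ("ok", conn)         conn is non-blocking and ready for the TLS handshake
      ("again", None)      queue was empty (another process took it, or a spurious wakeup)
      ("shed", None)       we were out of descriptors; accepted and dropped the client
      ("exhausted", None)  out of descriptors and no spare left: stop polling the listener
    """
    try:
        conn, _ = listener.accept()
    except BlockingIOError:
        return "again", None
    except OSError as exc:
        if exc.errno not in (errno.EMFILE, errno.ENFILE):
            raise
        # The connection stays queued in the backlog, so a level-triggered select()
        # keeps reporting the listener readable; retrying accept() here just spins.
        # Give up the spare descriptor, accept the client, and close it at once.
        if spare.fd is None:
            return "exhausted", None
        spare.release()
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass
        finally:
            spare.reacquire()
        return "shed", None
    conn.setblocking(False)   # after accept(): the socket did not exist before this point
    return "ok", conn
```

The same status codes map onto the original C loop: "again" means go back to select(), "ok" means create the SSL object on a non-blocking BIO and start SSL_accept, and "shed"/"exhausted" are the cases the original code had no branch for.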




RE: Accessing encrypted messages after cert expires

2008-03-19 Thread David Schwartz

Michael Sierchio wrote:

> I'm not suggesting that this isn't useful, just that it is not
> a defect that it isn't part of the key format itself.

That may or may not be true, but none of your arguments support this point.

I'm leaning towards a belief that it is a defect, but I am not thoroughly 
convinced and in any event, am not enough of an expert that anyone should act 
on my views.
 
> For compliance purposes, how do you prove generation time?

For compliance purposes, how do you prove you didn't publish the private key in 
an ad in the New York Times or that the private key generator didn't generate a 
private key an adversary programmed it to generate? How do you prove it didn't 
generate the same private key before? If you don't trust the system that 
generates and stores your private key, you're screwed anyway. (With or without 
a timestamp.)

You simply have to trust any system that sees your private key. That doesn't 
mean you have to extend it unlimited trust, of course. But trusting it to 
properly generate and store the timestamp is substantially the same type of 
trust for a lesser purpose.

> I claim
> that the relevant time is that of the first CSR.  Operationally,
> a timestamp and a nonce as part of a challenge created by the CA,
> included in the CSR which is signed by the subject privkey, makes
> sense.  And hygiene dictates that the only use of the private
> key permissible before issuance of the certificate is in signing
> the CSR.
> 
> If the timestamp isn't generated by a trusted third party, I don't
> think it's of much value.

The only real threat model would be that the key was available earlier than the 
timestamp, and trusting that the stamp was generated at the time it claims 
won't help with that.

I think I would go further and argue that not only should a generation 
timestamp be included in private keys but that a key validity interval (signed 
by the corresponding private key) should be a standardized option for 
certificates.

If your argument is "the key generator's clock could be broken", I would 
respond, "the key generator's RNG could be broken too".

DS




RE: Accessing encrypted messages after cert expires

2008-03-18 Thread David Schwartz

> David Schwartz wrote:

> > Michael Sierchio:

> >> If it's your policy not to reuse keys, or allow their use beyond
> >> the lifespan of the certificate, then the enforcement mechanism
> >> for this MUST be in the CA.
 
> I completely disagree. If this were true, CA's would generate 
> the private key as part of the certificate issuing process.
 
> That doesn't follow.  In any case, the only place where 
> certificate issuing
> policy can be enforced is the RA and/or CA.

Sure, the CA makes the decision whether or not to issue a certificate. However, 
it can't make me use that certificate for anything. If I don't like the 
certificate, for any reason, I can refuse to use it.

The issue was whether the CA is the only place key policy can be enforced. It 
isn't -- I choose what key to use in the CSR, and can enforce any policy I want 
to decide what key to send. The CA can refuse to issue a certificate based on 
the CSR or could, at least in theory, issue a certificate with a completely 
different key in it. But I can also evaluate the key in the certificate when I 
make the decision whether to use the certificate or not.

So there are at least two other places key policy for certificates can be 
enforced other than at the CA's decision to issue the certificate.

If the only place *key* policy could be enforced was the CA, we're in trouble. 
There must be a policy that the private key not be publicly disclosed, and the 
CA has (in typical applications such as the Internet's TLS PKI) no ability to 
enforce this.

> The rest of your argument is
> just as specious, and I could make a career out of correcting your errors,
> but you're determined not to learn.

I agree that all of my arguments are equally specious.

DS




RE: Accessing encrypted messages after cert expires

2008-03-18 Thread David Schwartz

Michael Sierchio:

> If it's your policy not to reuse keys, or allow their use beyond
> the lifespan of the certificate, then the enforcement mechanism
> for this MUST be in the CA.

I completely disagree. If this were true, CAs would generate the private key 
as part of the certificate issuing process.

However, in the typical case, it is the certificate's subject who generates the 
private key, passes the corresponding public key to the CA, and takes 
responsibility for ensuring the safety of the private key.

It is certainly true that the CA could enforce certain security rules with 
respect to the key. But this would be somewhat unusual (beyond perhaps just not 
reusing the same key) and would not relieve the subject of any of his 
responsibility.
 
> I don't understand your "hit-or-miss aspect" - a CA must keep track
> of all the issued certificates back to the beginning of time.  It is
> trivial to know whether a key has been used before.

Whether it's been used for another certificate from that same CA, sure. But in 
what context does another certificate from the same CA with the same key 
present a problem while certificates from other CAs with the same key do not?

> And my objection remains to your notion that the private key format
> should be extended to include generation date.  Even if you are
> to reissue/resign a cert with the same subject pubkey, you still
> have a record of when the key was first placed into use.

I'm not sure who the "you" is here. In practice, nobody has any record of when 
a key was first placed into use. If you think anyone does, please tell me where 
you think that record is.

The CA has no way to know they are the first to see a key. So no CA can know 
this. Whoever or whatever generated the key knows this, but they currently have 
no place to store it. They could store it separately, but then it's quite 
likely to become separated from the key. (And, in practice, that it's not 
embedded in the private key has meant that it's almost never stored and it 
certainly doesn't travel with the private key in a portable format.)
 
> I also don't understand why you think it would be appropriate to
> use the same key in different certs.  It is much more common to
> have different certs with different keys for different purposes.
> For example, if you wish to claim non-repudiation, then the CA
> may require that the private key is embedded in a token device
> where the keypair was generated, and is not otherwise accessible.
> Such a key would be used for signing only, presumably, for a
> number of very good reasons.  The same entity may have an SSL
> client cert, an encryption cert, etc.

PKI is not TLS. Consider a case where a third party needs to vouch that a 
particular identity is entitled to a particular resource. It can only use a key 
it already has for that third party.

For example, suppose I have a public key for a particular warm body. I want to 
grant him access to eight different things by certificate, each of those eight 
things are managed by different systems. Each of those eight systems is part of 
its own zone with its own master key, and I have all eight master keys. So I 
generate eight certificates and pass each one to each of those eight different 
things.

It is not unusual (especially in military systems) for one certificate to bind 
a keypair to a particular person, unit, system, or basically 'thing'. Then 
other systems can grant the entity bound to the keypair access to a resource by 
generating a certificate binding that thing's keypair to that resource.

If I know Jack's keypair (by certificate) and I control access to a particular 
system, I can grant Jack access to that system by creating a certificate 
associating Jack's keypair with that access. I can do this even without 
communicating with Jack directly, without Jack having to request it, and I can 
pass that certificate either to Jack or to the system that will use it.

> The OP was asking about the mechanics of signature verification
> beyond the expiration date of the signing cert.  I think we've
> answered that.

Yes, but there is an important tie-in between that question and the one I'm 
discussing above. How can you know you can trust a timestamp if you don't know 
whether or not today's date is inside the validity interval for the key that 
signs the timestamp?

Obviously, you can check if the timestamp is inside the validity interval for 
the certificate that signed the object, solving the OP's question. But what if 
today's date is outside the validity interval for the *key* that was used to 
timestamp? (In which case, the timestamp could have been forged yesterday to 
make the signature seem like it was within the validity interval of the 
certificate.)

Suppose I have a key that I trust for 50 years, and therefore will allow to be 
used to make timestamps for 20 years (and they can still be securely verified 
up to 30 years after the last one is made). Where do I put the 20 years

RE: What are the proper flags for Endianness and 32Bit

2008-03-18 Thread David Schwartz

> Wow, is it possible one can't get help on this simple question??

It's entirely possible that the person who had the answer to your question
saw it and had no idea they knew the answer. Your question contains *no*
details. It would require someone to go hunting to figure out what your
problem is.

> Can't say I'm impressed with this list and the package as a whole when it
> comes to the portability or documentation regarding flags and settings. If
> the settings aren't handled by the config script then you're on your own.

You are welcome to purchase support from anyone who will sell it to you.

> > I'm compiling for a 32Bit embedded environment and am working modifying
> > the Makefile to successfully compile.

You don't state the platform! That should be in the subject line. As a
result, anyone with experience with that platform will likely ignore your
message. If you put the name of the platform in the subject, someone who
knows that platform will likely see it.

> > I've run into a couple of errors regarding endianness and 64bit types.

And you don't give the errors. So anyone who has seen those errors and fixed
them won't pay attention.

> > 1. I'm using -DL_ENDIAN as a CFLAG but run into an error when including
> > ieeefp.h. Can someone explain the proper flag (it could be
> > overridden using
> > __IEEE_LITTLE_ENDIAN but not clear if this is proper).

And you don't specify the error again.

> > 2. sha.h has @ line 161...
> >
> > #if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
> > #define SHA_LONG64 unsigned __int64
> > #define U64(C) C##UI64
> > #elif defined(__arch64__)
> > #define SHA_LONG64 unsigned long
> > #define U64(C) C##UL
> > #else
> > #define SHA_LONG64 unsigned long long
> > #define U64(C) C##ULL
> > #endif
> >
> > How do I declare a 32bit environment? My target is not windows but an
> > embedded OS.

And you don't state your target or what CPU it uses.

> > Does someone have insight into this?

It's quite likely someone does, but they have no idea that they have the
answer to your question.

DS




RE: How to transfer a socket with SSL already initialized

2008-03-17 Thread David Schwartz

> The vague idea I've gotten so far is that I need to somehow
> transfer the SSL_SESSION to the new process. Examining the
> output of SSL_SESSION_print_fp() I see that the session ID
> and master key change every time SSL is initialized, so
> simply reinitializing the SSL library in the new process
> won't do.

> What do I have to do to let the child process use the host
> application's secure socket? Is there some way I can dump
> the session to a file -- or perhaps even fwrite SSL_SESSION
> itself -- and load it up in the new process, or do I
> need to do something else?

The short answer is no, there is no good/easy way to do this. You have three
choices:

1) Extend OpenSSL to provide this support. This is a complex and tricky
thing to do for a variety of reasons.

2) Use another SSL library that offers this feature instead of OpenSSL.

3) Use a proxy, with whatever listens to the SSL socket proxying data to and
from a pipe or socket that you can hand off.

I think it would be a good thing to extend OpenSSL so that it can output
everything that's necessary to support a given SSL session as a DER object
and to allow an SSL session to be initialized from a socket and a DER
object, but that's not currently possible. As I understand it, there are
quite a few thorny obstacles involved.

DS




Re: Use of certificates

2008-03-17 Thread David Hostetter


Do you want to do it inline or not? If not, I can send the commands.

EL HACHIMI Driss wrote:

Hello,

I have to setup an SSL communication between a client and a server. I 
have bought the OpenSSL book and I have downloaded the last OpenSSL 
release version.
I think the first thing to do is to set up my certification authority 
following these steps:


   1. Create an environment for my CA
   2. Build an OpenSSL configuration file
   3. Create a self signed root certificate
   4. Issue a certificate

Within the book, I don't find the OpenSSL commands to perform these 
operations. Could you help me?


Thank you
Best Regards
Driss El Hachimi



RE: Accessing encrypted messages after cert expires

2008-03-17 Thread David Schwartz

Steffen Dettmer wrote:

> > > You may argue, and get me to agree, that cert
> > > reissue/resigning with the same SubjectPubkeyData is a bad
> > > idea.  Make 'em generate keypairs.  Keep a list forever of
> > > pubkeys seen in certs and reject any that appear in CSRs.

> (CSR? Is this like a CRL or something logically equivalent meant?)

> > > Your storage requirements won't rival that of Youporn, or
> > > Wikipedia.

> I think this is wrong. A CRL entry revokes a certificate, not the
> key. Maybe the certificate was revoked because of formal reasons
> (forgotten critical extension CA:FALSE or omitted key usage
>  information or whatever). Maybe other valid certificates exist
> for this valid key.

A certificate may be revoked because the key was compromised. But it could
also be revoked simply because the identity is no longer associated with the
key. In this case, the key is still perfectly good. It would create a
*massive* security loophole for a CA to be able to revoke a *key* just by
revoking a certificate that certified that key.

What I think Michael Sierchio was saying, though, was something different.
He's not saying to treat a certificate as revoked, he's saying not to issue
a certificate. Basically, he's saying a CA could refuse to issue a
certificate for any key that it had ever seen before in any other context. I
think this would be a mistake for a lot of reasons, not the least being the
hit-or-miss aspect of having previously seen the key.

The only scenario I can imagine where this might help is a case where a
person accidentally generates the CSR with the wrong key, and by luck the CA
happens to have seen this key before. And, of course, there are so many
other ways to screw up generating a CSR that this seems like a pretty small
help. (Failing to secure the private key, for example.)

I also think there are perfectly legitimate reasons for using the same key
in many certificates. An obvious one is if you have a large number of
certificates that establish different external identities for the same
logical entity. This isn't a common way to use a PKI, but X.509 and PKI
exist for much more than just TLS and the Internet. (Although presumably
Michael wasn't suggesting you should impose this rule where it was obviously
inappropriate.)

DS




RE: Accessing encrypted messages after cert expires

2008-03-17 Thread David Schwartz

Michael Sierchio wrote:

> Anyway, in the case of RSA keypairs we don't manufacture them, we
> discover them.  They're already there, we just search for our p's and q's
> in the appropriate range and rely on chance starting conditions to find
> some not in use.  I suggested, but not entirely in jest, giving them all
> a timestamp of 0.  Creation date is a useless concept.  Not valid before
> and Not valid after attributes make enormous sense, and are where they
> ought to be.

Nonsense. An attacker can start trying to break your key as soon as he has your 
public key. You can put an earliest-possible bound on this -- he cannot have 
started before you generated the key. A creation timestamp on the private key 
that's placed by whatever generated the private key would serve as an earliest 
bound for when an attempt may have been made to break the key.

The not valid before and not valid after attributes specify the outer bounds by 
which the certificate can be used to bind the private key to a name. This must 
be the lesser of the validity interval for the key itself and the validity 
interval for the binding. Often the binding is less, so this does not tell you 
a safe validity interval for the key (other than that it's valid at least as 
long as the certificate is).

The certificate validity period tells you something different from the validity 
interval for the key. Plus, a single key may be associated with any number of 
certificates all of which have different validity intervals. A key may be 
associated with no certificate at all, if it doesn't need to be bound to an 
identity in that way.

In all these cases, a creation timestamp in the public key would serve to 
inform of the expected validity interval of the key. An alternative way to 
accomplish the same thing (that some might like better) is to store public keys 
with self-signed (by the corresponding private key) certificates, with the 
validity of that certificate being the key's validity. I've done this, but it 
feels kind of like a hack.
 
> The trust conferred on a signature derives from signature validation,
> which requires certificate validation.  One part of the validation is
> that the message in question was signed during the validity period
> as defined by certificate policy.

Sure. But another part should (at least in some cases) be that the validation 
is performed during the key's validity interval. After all, you would be 
foolish to trust a 512-bit RSA key signature from five years ago in twenty 
years. (But that's another issue entirely, I suppose.)
 
> You may argue, and get me to agree, that cert reissue/resigning with
> the same SubjectPubkeyData is a bad idea.  Make 'em generate keypairs.
> Keep a list forever of pubkeys seen in certs and reject any that appear
> in CSRs.  Your storage requirements won't rival that of Youporn, or
> Wikipedia.

It's sometimes a bad idea and sometimes a good idea. Sometimes it even makes 
sense to issue multiple certificates for the same keypair. X.500 is not just 
for TLS.

DS




RE: Accessing encrypted messages after cert expires

2008-03-16 Thread David Schwartz

> David's apparent statement is "the person trusting the time is the
> person generating the key."
> Michael's apparent idea is "if you're generating it and including it
> in the key format, then you're making an assertion which must be
> trustable by people other than the person generating the key."
> 
> -Kyle H

You have to have absolute trust in any entity that will generate or store your 
private key. Thus you can trust any information in it -- anyone who could put 
in bogus information could give away your key to strangers. (By absolute trust, 
I mean with respect to anything you would use that private key for.)

DS




RE: Accessing encrypted messages after cert expires

2008-03-16 Thread David Schwartz

> > I have argued many times that not including the creation date 
> in every private key data format was a *huge* mistake.
 
> Furthermore --
 
> How do you know what time it is?  How do I know you know what time
> it is?  Do I trust you to put the correct time, or even a monotonically
> increasing sequence, into such a structure?  See?  It's utterly
> useless, even as a thought experiment.  As soon as you need reliance
> on the truth value of an assertion (validity of a timestamp), you're
> already in TRUST territory.
> 
> Might as well let the CA decide not to reissue/resign a cert with an
> existing pubkey.

If you can't trust the system that generates and stores your private key, 
you're screwed anyway. So I don't see that this argument has any validity.

DS




RE: Accessing encrypted messages after cert expires

2008-03-16 Thread David Schwartz

> Arguably, you shouldn't do it even once, because it's extremely easy
> to fall into the pattern of "one key and one key only" in the systems
> design or implementation.  I can't remember who coined the phrase, but
> it's not "good crypto hygiene".

I have argued many times that not including the creation date in every private 
key data format was a *huge* mistake.

DS




RE: Accessing encrypted messages after cert expires

2008-03-16 Thread David Schwartz

> Doesn't what you suggest create a headache?  Every time I want to
> decrypt an old message I sent or I received, or a file, I will need to
> change the mail client configuration and point it to another private key.

One would hope your mail client will allow you to keep any number of key pairs 
for decryption use, with one selected as 'active' to be the default for 
encryption.

> Keeping the same key overcomes this problem.  Have I got this right?
> Why is it not feasible to retain the same private key?

You can retain the same private and public key but generate a new certificate 
if you wish. The problem is that this reduces the security by extending the 
lifespan of the key. This may be entirely reasonable if the lifespan of the 
certificate is based on other concerns than the lifespan of the key.

For example, suppose I create a public/private keypair that I don't think 
anyone can break for 50 years. If I make the certificate valid for 30 years 
because of this, it would obviously be a bad idea to keep the same key for a 
new certificate. On the other hand, if I make the certificate valid for two 
years because I can only assure that the identity in the certificate will 
belong to the key owner for that long, there's no harm in re-using the same key 
in the next certificate if I know the identity is good for another two years. 
(The key being safe for 48 years rather than 50 is a negligible difference, but 
don't renew the certificate for the same key forever.)

DS




RE: cipher algorithms

2008-03-05 Thread David Schwartz

> Thanks Marek!
>
> One last question, can an algorithm or cipher suite be enabled or
> disabled on OpenSSL by a user (I mean, without needing to
> recompile and redistribute OpenSSL binaries)?

You can definitively disable an algorithm by not including it in the
libraries. Most programs that use OpenSSL, including the built-in 'openssl'
executable, permit you to change the algorithms used one way or another. I do
not believe that OpenSSL provides a generic way to do this for other
applications that use OpenSSL.

DS




RE: valgrind complaints about my network data received through ssl

2008-02-29 Thread David Schwartz

Let's start with the obvious, just to make 100% sure we're really having an
issue here.

> Here is one code example where I'm reading a 10-byte block of data
> (always 10-bytes, not less):
>
>  bufptr = (u_char *)&wh;
>  for (nread = 0; nread < sizeof(wh); nread += ret) {
>      ret = SSL_read(ssl,bufptr+nread,sizeof(wh)-nread);
>      if (ret <= 0)
>          break;
>  }

You are 100% sure sizeof(wh)==10? Do you check to be sure nread==10 after
this block? If it isn't, and you move on to the next chunk, you'll cause
exactly this problem. Is SSL_MODE_AUTO_RETRY set? (I'm assuming the
intention is for SSL_read to block until the session can be established
right?)

>  strncpy(msgLenStr,wh.msgLenStr,10);
>  msgLenStr[10] = 0;
>  msgLen = atoi(msgLenStr);

This looks fine, though it's terribly inefficient. (I hope you don't
particularly care about performance.)

DS




Re: Verisign CA Self-Signed Cert Error?

2008-02-29 Thread David Hostetter


I am using s_client and s_server right now and it is working for me.

I specify the -certs file and the CAfile for the root.

Josh wrote:


Hello,

We are getting an odd self-signed cert error when using openssl s_client
to test the connection for a web service on an internal server.  This
service is protected by a Verisign certificate.  Hitting the service
with a web browser indicates a completely secure chain.

How do we present the root and intermediate CA certs to openssl to
validate the chain?  I have attempted to concatenate the needed certs 
in a file and present that with the -CAfile option, to no avail.  More 
details are presented below.


Thanks,

-Josh


CONNECTED(0003)
---
Certificate chain
 0 s:/C=US/ST=Ohio/L=Columbus/O=Some Big Company, Inc./CN=test.bigco.com
   i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
-BEGIN CERTIFICATE-
-END CERTIFICATE-
 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-BEGIN CERTIFICATE-
-END CERTIFICATE-
 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-BEGIN CERTIFICATE-
-END CERTIFICATE-
---
Server certificate
subject=/C=US/ST=Ohio/L=Columbus/O=Some Big Company, Inc./CN=test.bigco.com
issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
---
No client certificate CA names sent
---
SSL handshake has read 3095 bytes and written 344 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 47C816A30006
    Session-ID-ctx:
    Master-Key: {DELETED}
    Key-Arg   : None
    Start Time: 1204298976
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
HTTP/1.0 400 Bad request
Cache-Control:no-cache
Date:Fri Feb 29 10:30:01 EST 2008
Allow:GET,POST
Host:test.bigco.com
Content-Length:69
Content-Type:text/html

The HTTP request method should have three elements
(POST,URI,Version)closed



RE: valgrind complaints about my network data received through ssl

2008-02-28 Thread David Schwartz

> > Consider:
> > 
> > char buf[1024];
> > int i, j;
> > 
> > buf[1024]=0; // to make sure we don't run off the end
> >
> 
> Does not C number the indices: 0..1023?

Yeah, that's what I get for hastily constructing an example.

DS




RE: valgrind complaints about my network data received through ssl

2008-02-28 Thread David Schwartz

> I've written a network app using pthreads, ssl, and xml.
>
> I use xml over tcp over ssl and all of that is working fine.
>
> Whilest chasing down what I thought was a bug, I started using
> valgrind on my app.
>
> I'm receiving thousands of "uninitialized value and conditional jump"
> errors triggered by the data that I receive via SSL_read.
>
> [I'm not worried about the alleged valgrind errors within SSL itself
> due to randomizing, etc.]
>
> I've run test programs using pthreads and xml parsing (extracted out
> of my code) and they do not trigger the errors when used w/o SSL.
>
> So, I'm struggling to understand why the data received via sockets
> from the network and through SSL would trigger these kinds of
> warnings.  Literally, every packet/pdu I receive and parse triggers
> these errors.  The data is valid and the PDUs are correct thus my
> confusion.
>
> Has anyone ever seen this and know how to fix/correct?

Look at any code that you use with SSL but not without. One common thing
that can trigger this is if you run 'strlen', 'strchr', or something like
that on the received data.

Consider:

char buf[1024];
int i, j;

buf[1024]=0; // to make sure we don't run off the end
j=SSL_read(ssl, buf, 1000);
if(j<=0) return;
i=strlen(buf);
if(i
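Both valgrind posts above come down to the same two habits: loop until the full record has arrived and check the count afterwards, and never hand bytes that came off the wire to strlen()/atoi() before terminating and validating them. The following is an added example, not code from either post; it assumes the poster's framing (a 10-byte ASCII decimal length field, not NUL-terminated on the wire, followed by the body), and the in-memory transport that returns deliberately short reads is a constructed stand-in for SSL_read.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define LEN_FIELD 10          /* width of the ASCII length header, as in the post */
#define MAX_MSG   (1u << 20)  /* upper bound we are willing to allocate for a body */

/* SSL_read-shaped reader: >0 bytes read, 0 on clean close, <0 on error. */
typedef int (*read_fn)(void *ctx, void *buf, int len);

/* Read exactly len bytes, looping over short reads.
   Returns 1 on success, 0 on EOF before len bytes, -1 on error.
   On anything but 1 the buffer is partially filled and must not be used. */
int read_exact(read_fn rd, void *ctx, unsigned char *buf, size_t len)
{
    size_t nread = 0;
    while (nread < len) {
        int ret = rd(ctx, buf + nread, (int)(len - nread));
        if (ret > 0) { nread += (size_t)ret; continue; }
        return ret == 0 ? 0 : -1;
    }
    return 1;
}

/* Parse the fixed-width length field. Left padding with spaces is tolerated;
   anything else that is not a digit, or a value above MAX_MSG, is rejected.
   The copy is NUL-terminated before any str* call touches it. */
long parse_len_field(const unsigned char *field)
{
    char tmp[LEN_FIELD + 1];
    int i = 0;
    memcpy(tmp, field, LEN_FIELD);
    tmp[LEN_FIELD] = '\0';
    while (i < LEN_FIELD && tmp[i] == ' ') i++;
    if (i == LEN_FIELD) return -1;                 /* no digits at all */
    for (int k = i; k < LEN_FIELD; k++)
        if (tmp[k] < '0' || tmp[k] > '9') return -1;
    unsigned long v = strtoul(tmp + i, NULL, 10);
    return v > MAX_MSG ? -1 : (long)v;
}

/* Receive one framed message into body[]. Returns body length or -1. */
long recv_framed(read_fn rd, void *ctx, unsigned char *body, size_t body_cap)
{
    unsigned char hdr[LEN_FIELD];
    if (read_exact(rd, ctx, hdr, LEN_FIELD) != 1) return -1;
    long n = parse_len_field(hdr);
    if (n < 0 || (size_t)n > body_cap) return -1;
    if (read_exact(rd, ctx, body, (size_t)n) != 1) return -1;
    return n;
}

/* Constructed in-memory transport: hands out at most 3 bytes per call,
   which is the short-read behaviour SSL_read can exhibit. */
struct mem_src { const unsigned char *data; size_t len, pos; };

static int mem_read(void *ctx, void *buf, int len)
{
    struct mem_src *s = ctx;
    size_t avail = s->len - s->pos;
    size_t n = (size_t)len;
    if (avail == 0) return 0;                      /* peer closed */
    if (n > 3) n = 3;
    if (n > avail) n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Constructed wire bytes: header "0000000005" then a 5-byte body. */
long demo_recv_ok(void)
{
    static const unsigned char wire[] = "0000000005hello";
    struct mem_src src = { wire, sizeof wire - 1, 0 };
    unsigned char body[64];
    long n = recv_framed(mem_read, &src, body, sizeof body);
    if (n != 5 || memcmp(body, "hello", 5) != 0) return -1;
    return n;
}

/* Same header, but the peer closes after three body bytes: must fail rather
   than return a half-filled buffer for the parser to walk off the end of. */
long demo_recv_truncated(void)
{
    static const unsigned char wire[] = "0000000005hel";
    struct mem_src src = { wire, sizeof wire - 1, 0 };
    unsigned char body[64];
    return recv_framed(mem_read, &src, body, sizeof body);
}
```

With a real connection, `mem_read` is replaced by a two-line wrapper around SSL_read; the rest is unchanged. The truncated case is exactly the situation the first post asks about: if the loop exits early and the code moves on to strncpy/atoi regardless, the uninitialised tail of the struct is what valgrind is complaining about.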


Getting error running s_client program

2008-02-28 Thread David Hostetter
I am using the s_client() program in openssl to test my certificates. 
Anyone ever see this error?



subject=/C=US/ST=Colorado/L=Louisville/O=SUN/OU=Storage Group/CN=topeka
issuer=/C=US/ST=Colorado/L=Louisville/O=SUN/OU=Storage Group/CN=RootCA
---
No client certificate CA names sent
---
SSL handshake has read 1023 bytes and written 234 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
   Protocol  : TLSv1
   Cipher: DHE-RSA-AES256-SHA
   Session-ID: 
92859FFDCE5BD09AB9F4113D954B48334B7AE74FB967263C75C6DDC00100A6B3

   Session-ID-ctx:
   Master-Key: 
EB9D0CBB22861BB66E57D2BFD19551E87456FE4563E1E434A19ACB21657A8FEDEA73EC5B3D0EA03043107CDE406B521B

   Key-Arg   : None
   Start Time: 1204216989
   Timeout   : 7200 (sec)
   Verify return code: 21 (unable to verify the first certificate)



RE: OpenSSL client through proxy

2008-02-27 Thread David Schwartz

> 26.02.08, 23:23, [EMAIL PROTECTED]:
>
> > Hello,
> > > I have to connect to my OpenSSL server through proxy server.
> How can I
> > establish this connection?
> > Establish tcp connection through proxy (connect, socks5, transparent,
> > reverse or any other)
> > and next run SSL on this tcp connection.
> > Best regards,
> > --
> > Marek Marcola <[EMAIL PROTECTED]>
>
> Thanks for the answer. I'm a newbie in TCP/SSL programming. Would
> you suggest any library or function names to use "connect" or
> "transparent". May be it is supported by OpenSSL?.. or another
> C/C++ library.

Could you give us some kind of idea what it is you are trying to do so that
we can give you more precise instructions? Is the proxy being used by the
server or the client? What kind of proxy? Do you have a proxy or need a
proxy? If you have a proxy, what kind of proxy? If you need a proxy, why?

You are straining everyone's ESP here.

DS




RE: Problem with SSL_WRITE

2008-02-27 Thread David Schwartz

> We are using OPEN SSL library in our client server application. We are
> using SSL_WRITE and SSL_READ api used to read and
> write operations between them. Connection is broken when server sends very
> large message (more than 56K) using SSL_WRITE api.

That's probably due to a bug in your code. You should find it and fix it.

> We fixed problem with set partial mode api like,

> SSL_CTX_set_mode(ctx,SSL_MODE_AUTO_RETRY | SSL_MODE_ENABLE_PARTIAL_WRITE |
> SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

These are all safe and sane options and they really should be the defaults.
I believe they aren't for historical reasons. However, this may have hidden
a bug in your code rather than fixed it, and you should still try to track
down why you were having problems before.

Did you check return values from SSL_* functions? Did you handle non-fatal
errors correctly? Did you handle partial writes correctly?

DS
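The three checks in the reply (return values, non-fatal errors, partial writes) as one write loop. This is an added example, not code from the thread; it uses a plain non-blocking socketpair instead of OpenSSL so it runs without certificates. The loop shape is the one an SSL_write caller needs as well: SSL_get_error() reporting SSL_ERROR_WANT_READ/WANT_WRITE plays the role BlockingIOError plays here, and with SSL_MODE_ENABLE_PARTIAL_WRITE set, SSL_write returns a short count exactly as send() does. The message size and payload are constructed for the demonstration.

```python
import select
import socket
import threading

# Added example, not code from the original thread. Plain sockets stand in
# for SSL_write/SSL_read; see the lead-in for the mapping to SSL_get_error().


def send_all(sock, data, timeout=5.0):
    """Write all of `data` to a non-blocking socket.

    Covers the three checks asked about above: the return value (a short
    write is normal, zero or an exception is not), the non-fatal
    would-block condition (waited out with select() rather than treated as
    an error or retried in a busy loop) and resuming a partial write from
    the right offset. Returns (bytes_sent, send_calls).
    """
    view = memoryview(data)
    sent = 0
    calls = 0
    while sent < len(view):
        try:
            calls += 1
            n = sock.send(view[sent:])
        except BlockingIOError:
            # EAGAIN: kernel buffer full; wait until the peer drains it.
            _, writable, _ = select.select([], [sock], [], timeout)
            if not writable:
                raise TimeoutError("peer stopped reading")
            continue
        if n <= 0:
            raise ConnectionError("send returned %d" % n)
        sent += n  # short write: next call starts where this one stopped
    return sent, calls


def recv_all(sock, expected, timeout=5.0):
    """Read exactly `expected` bytes from a blocking socket or fail."""
    sock.settimeout(timeout)
    buf = bytearray()
    while len(buf) < expected:
        chunk = sock.recv(min(65536, expected - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed after %d bytes" % len(buf))
        buf.extend(chunk)
    return bytes(buf)


def exchange(size=1_000_000):
    """Push a message far larger than 56K through a socketpair while a
    second thread drains it. Returns (bytes_sent, send_calls, intact)."""
    writer, reader = socket.socketpair()
    writer.setblocking(False)
    payload = (bytes(range(256)) * (size // 256 + 1))[:size]  # constructed
    result = {}

    def drain():
        result["data"] = recv_all(reader, len(payload))

    t = threading.Thread(target=drain)
    t.start()
    try:
        sent, calls = send_all(writer, payload)
    finally:
        t.join(10)
        writer.close()
        reader.close()
    return sent, calls, result.get("data") == payload


if __name__ == "__main__":
    print("sent %d bytes in %d send() calls, intact=%s" % exchange())
```

Without the `except BlockingIOError` branch the loop dies on the first full buffer; without `sent += n` it resends from offset zero and corrupts the stream, which is the kind of bug the mode flags above can mask rather than fix.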



RE: Help regarding error

2008-02-27 Thread David Schwartz

> when i compile the program p192.c  i get following error

> [EMAIL PROTECTED] ~]# gcc p192.c

This is not the command to compile. This is the command to compile and link.
"gcc -c p192.c" is the command to compile, and you will likely get no
errors.

> /tmp/ccicrxZV.o: In function `main':
> p192.c:(.text+0x12): undefined reference to `DH_new'
> p192.c:(.text+0x31): undefined reference to `BN_bin2bn'
> p192.c:(.text+0x3e): undefined reference to `BN_new'
> p192.c:(.text+0x5c): undefined reference to `BN_set_word'
> p192.c:(.text+0x71): undefined reference to `PEM_write_DHparams'

These are all linker errors. They result from the fact that you didn't tell
gcc to link to OpenSSL. How you link to OpenSSL depends upon how OpenSSL was
installed, but it may be '-lssl -lcrypto'.

DS



RE: SSL Error and Info messages

2008-02-25 Thread David Schwartz


> My application calls some library functions, which uses
> OpenSSL. When my appliction runs, I believe OpenSSL emitted
> some messages described below.

Nope. Your application emitted them. OpenSSL detected them and reported
them, you chose to print them out.

> Does anyone know what caused those error messages?

They are normal errors. They can safely be ignored.

> Though it seems not affecting the functionality, those infom
> messages are kind of annoying. Does anyone know how to turn
> them off ?

Find the code in your application that generates them and comment it out or
suppress messages that are known to be harmless. You can try grep'ing your
code for "ERR_". If you have 'egrep', using "[^A-Z_]ERR_[a-z]" as the
regular expression will probably reduce the number of false positives.

DS



RE: Problems with RSA_public_decrypt

2008-02-22 Thread David Schwartz

> I'm encrypt a file using RSA_private_encrypt, this work fine.

Actually, you've *signed* the file, not encrypted it. And you've done so
incredibly badly at that.

DS



RE: SSL connections in persistent TCP connection.

2008-02-22 Thread David Schwartz

> ..I mentioned overhead not in terms of data bytes, but the time.
> Considering that in the system each session should not last not
> more than 3-4 seconds, and client wanting to make multiple SSL
> session with server, persistence can offer performance improvement.

You're just making that up, because you haven't measured. In fact, common
sense would suggest the reverse. Persistence requires each SSL session to
completely shut down before the next session can even begin building up.
Using a new TCP connection can allow the next SSL session to start setting
up as soon as the decision is made to end the previous one without having to
wait until the shutdown completes.

> Also each client that the application simulates would pick up a unique IP
> address, [ virtual address are configured in the system]. Each thread would
> have a unique socket connection with server. These threads would be working
> parallel in communicating the server.
> Would there still be issues of TCP stream getting mixed up across threads?

It's possible to make a mistake like this and also possible that you didn't
make a mistake like that. There's no way to know without looking at your
design. You do know that dedicated threads for connections is one of the
worst design patterns out there, giving you almost all of the disadvantages
of threads (overhead of synchronization, for example) with almost none of
the advantages (work can still get done even if a thread blocks for an
unexpected reason, fewer context switches, and so on).

DS



RE: SSL connections in persistent TCP connection.

2008-02-21 Thread David Schwartz

>> This is nearly impossible to do. It's possible that you did it correctly,
>> but very unlikely. The basic problem is this -- when you call 'read' to get
>> the last message of the first session, how do you make sure you also don't
>> get all or part of the first message of the second session?

> I do not think it is very difficult. The application initiates SSL
> sessions sequentially in an established socket connection. One cycle of
> SSL_connect - DataExchange - SSL_shutdown is followed by another cycle of
> SSL_connect - DataExchange - SSL_shutdown. As such there shouldn't be issue
> of session mix up. At least that is what is observed with say 400-500
> clients connecting to server simultaneously.

It is either designed properly or it's not. You can't validate a design by
testing.

What makes sure that the last 'read' for the first session doesn't get some
of the data for the second session? Either something makes absolutely sure
this can't happen, or it can happen, and your design is broken.

> Multiple sessions are tried in a single TCP connect to reduce the
> overhead of TCP handshake and termination if the client wishes to
> do multiple 'new' SSL connects to server.

Right, but they serve a vital purpose. They make absolutely sure that the
end of the first session can't be confused with the beginning of the second.
If you remove this "overhead", you have to provide this same assurance with
some other mechanism. It sounds like you don't.

Do you understand the issue I'm talking about? TCP is a byte-stream that
doesn't preserve message boundaries. Nothing stops a call to 'read' made by
OpenSSL from getting the last bits of data from the first session and the
first bits of data from the second. Then OpenSSL has no place to put the
'leftover' data that is vital to establishing the second session. As a
result, the next session can't properly establish.

This is most likely to show up under load and is a classic race condition.

> So successful SSL handshakes in persistent connection  should be possible
> 'every time'. I do not think it can happen by accident.

You say this, but your design does not make sure. You get lucky a lot and it
happens by accident. But you provide no guaranteed separation between the
last bits of the first session and the first bits of the second.

> And I do agree with you on significance of improvement. I haven't
> quantified yet the gain in doing connection in persistent TCP.

So you made a premature optimization that has risks you don't understand.

> But server as persistent TCP feature. Some client may wish to communicate
> like that.

Then you need a precise specification that explains in detail how the
sessions are separated at the TCP level, and you need to make sure both the
client and the server follow that specification. You are doing this
completely wrong, and it is unfortunate that it worked by accident
misleading you into thinking what you were doing made some kind of sense. It
does not.

By the way, did you do any kind of analysis to make sure this doesn't have
security risks? Offhand, I can't think of any way that it would, but I
wouldn't trust it without a full evaluation. If both SSL sessions have the
same security parameters, tearing down the old one and building up a new one
is a pure waste. If they have different security parameters, the possibility
that the boundary between the two could be compromised in some way seems to
be a threat that needs proper evaluation.

DS
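The "precise specification of how the sessions are separated at the TCP level" that this reply (and the 2008-02-20 replies below it) says must exist, sketched as an added example that is not part of the thread. It consumes the byte stream record by record using the TLS record header (1-byte content type, 2-byte version, 2-byte length) and stops exactly at the close_notify alert, so the first byte of the next session is never swallowed; a naive "read whatever is there" call is shown beside it for contrast. The records are constructed stand-ins with dummy bodies, not real handshake messages, and OpenSSL is not used. One caveat for readers: whether OpenSSL itself reads past a record boundary is governed by its read-ahead setting (SSL_CTX_set_read_ahead, off by default), which is a property of the library's configuration, not a guarantee the application's protocol provides.

```python
import io
import struct

# Added example, not code from the original thread. Models record-framed
# reading of two back-to-back TLS sessions on one byte stream.

CT_CCS, CT_ALERT, CT_HANDSHAKE, CT_APPDATA = 20, 21, 22, 23
CLOSE_NOTIFY = b"\x01\x00"      # alert level warning(1), description close_notify(0)
MAX_RECORD = 16384 + 2048       # TLSPlaintext limit plus room for expansion


def record(content_type, body, version=0x0303):
    """Build one TLS record: type, version, length, body."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


def read_exact(stream, n):
    """Read exactly n bytes; a short read here means a truncated stream."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError("stream ended inside a record")
        buf.extend(chunk)
    return bytes(buf)


def read_record(stream):
    """Read one record and nothing more, so the stream stays on a boundary."""
    ctype, _version, length = struct.unpack("!BHH", read_exact(stream, 5))
    if ctype not in (CT_CCS, CT_ALERT, CT_HANDSHAKE, CT_APPDATA):
        raise ValueError("not a TLS record: content type %d" % ctype)
    if length > MAX_RECORD:
        raise ValueError("record too long: %d" % length)
    return ctype, read_exact(stream, length)


def read_session(stream):
    """Consume one session's records up to and including close_notify.
    Returns the (type, body) list; the stream is left positioned at the
    first byte of whatever follows."""
    records = []
    while True:
        ctype, body = read_record(stream)
        records.append((ctype, body))
        if ctype == CT_ALERT and body == CLOSE_NOTIFY:
            return records


def build_stream():
    """Two 'sessions' back to back on one wire (constructed sample)."""
    session1 = (record(CT_HANDSHAKE, b"\x01" + b"S1-hello" * 4) +
                record(CT_APPDATA, b"S1 application data") +
                record(CT_ALERT, CLOSE_NOTIFY))
    session2 = record(CT_HANDSHAKE, b"\x01" + b"S2-hello" * 4)
    return session1, session2


def compare():
    session1, session2 = build_stream()
    wire = session1 + session2

    # Naive reader: one big read() returns the tail of session 1 together
    # with the ClientHello of session 2, and the extra bytes have no home.
    naive = io.BytesIO(wire).read(4096)
    overread = len(naive) - len(session1)

    # Framed reader: stops on the record boundary that ends session 1.
    framed = io.BytesIO(wire)
    records = read_session(framed)
    boundary = framed.tell()
    leftover = framed.read()
    return {
        "overread": overread,
        "records_in_session1": len(records),
        "boundary_exact": boundary == len(session1),
        "session2_intact": leftover == session2,
    }


if __name__ == "__main__":
    print(compare())
```

The shutdown side has the same requirement in reverse: the close_notify from the peer has to be read and recognized before the next ClientHello is sent, otherwise the peer's final alert lands in the new session's handshake.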



RE: SSL connections in persistent TCP connection.

2008-02-20 Thread David Schwartz

> But, the application code tries to clear out/shutdown existing
> SSL session with orderly bi-directional alerts. Once shutdown it
> creates a new SSL object 'ssl' [ssl = SSL_new (ctx)]
> for the next session in persistent connection..

This is nearly impossible to do. It's possible that you did it correctly,
but very unlikely. The basic problem is this -- when you call 'read' to get
the last message of the first session, how do you make sure you also don't
get all or part of the first message of the second session?

> When the app simulates limited clients, say, 100, each client makes
> hundreds of unique SSL sessions successfully in persistent connection.
> It is under stress of ~800 clients that I run into issues.
> Also, the bi-directional alerts do not happen always under
> high stress..could this be the reason? a possible session data mix up?

Either your code properly separates the sessions or it doesn't. My bet is
that it doesn't because this is very hard to do right.

Why do you do things this way? It's just plain wrong. Either layer on top of
SSL or don't, but splitting the difference and "sort of" layering between
SSL and TCP is just plain crazy.

DS



RE: SSL connections in persistent TCP connection.

2008-02-20 Thread David Schwartz

> I have a SSL client and a server application.The client connects to a
> SSL server in a TCP socket persistence mode, i.e, it does a data
> exchange with the server through a SSL connection , tears down the SSL
> connection but again sends out a client_hello in the same TCP socket
> connection it had earlier established with the server to perform another
> cycle of data exchange.

You are trying to do this without having any protocol that would assure that
it works. As far as I know, there is no reason this should work, and you
haven't coded any.

How do you determine, unambiguously, whether a particular chunk of data is
part of the first SSL session or the second? How do you make sure final data
from the first connection isn't seen as starting data for the second?

If you want to multiplex two SSL connections over a single TCP connection,
you need to make sure that both ends agree unambiguously on what data is
part of the first SSL connection and what data is part of the second. Unless
you wrote code to do that, you are basically expecting it to happen by
accident.

There is simply no way to prevent the code that receives the last bytes from
the first SSL connection from receiving some of the first bytes for the new
one, and it has no place to "put them back" since all the code just reads
directly from the socket.

Theoretically, SSL could have been designed to allow this, but as far as I
know, it wasn't. Do you have any reason to believe otherwise?

DS



Creating certificates inline

2008-02-19 Thread David Hostetter


Can someone point me to some documentation on how to create certificates 
during runtime in the code?


I can use the openssl command from solaris at the terminal but how do I 
do it in the code?


Thanx.

Dave

RE: CA verify fails but certificates seem to be installed correctly - ???

2008-02-18 Thread David Schwartz

> When I connect to our printer server, the certificate is never verified
> correctly. When I specify the CA certificate file manually on the command
> line, it works though. The root certificate in question is installed, and
> everything looks correct to me. -> ???

Where is the root certificate installed? Is it somewhere you told OpenSSL to 
look?

DS



RE: RAND_load_file question

2008-02-18 Thread David Schwartz

> Please give me some feedback.

Why don't you just call RAND_add? This seems like a complicated way to
accomplish nothing.

DS



RE: Emptying the buffer

2008-02-15 Thread David Schwartz
Joel Christner wrote:

> dataRead=recvfrom(connfd,readBuffer,sizeof(readBuffer),0,NULL,NULL);
> for (i=0;i<dataRead;i++) {
> readBufferClear=decrypt(&context,readBuffer+i,1);

You are passing characters one-at-a-time to your decryption function.
Depending on exactly what this function does, this may indicate that you are
not getting the security you expected.

> if (readBufferClear!=0) strncat(readBufferFinal,readBufferClear,strlen
> (readBufferClear));
> }

Your 'decrypt' function takes as input a single character and returns a
C-style string?

Either your code is *truly* weird, or you have some basic misunderstandings
about C-style strings.

DS



Re: How use the puzzle of CRL in ssl connection

2008-02-15 Thread David Hostetter


After the accept do the following...  BTW...are you using the pkcs11 
engine? I am trying to find out the patch for 9.8g version.


#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* ctx: SSL_CTX already loaded with certificate, key, verify mode and
 * CRL/CA settings.  socketFd: the accepted TCP socket. */
SSL *ssl;
BIO *sbio;
int retCode;

/* Wrap the socket in a BIO; BIO_NOCLOSE leaves closing the fd to the caller */
sbio = BIO_new_socket(socketFd, BIO_NOCLOSE);

// Create a new SSL structure
ssl = SSL_new(ctx);

// Connect the read and write BIOs
SSL_set_bio(ssl, sbio, sbio);

/* Wait for the client to initiate the TLS/SSL handshake.  A
** return code of 1 indicates that the connection was successfully
** established; anything else must be classified with SSL_get_error()
** before deciding whether to retry (WANT_READ/WANT_WRITE on a
** non-blocking socket) or give up.
*/
printf("Wait for Client to initiate the handshake\n");
retCode = SSL_accept(ssl);
if (retCode != 1) {
    fprintf(stderr, "SSL_accept failed: %d\n", SSL_get_error(ssl, retCode));
    ERR_print_errors_fp(stderr);
    SSL_free(ssl);   /* also frees sbio */
}

/* SSL_accept runs the whole handshake, including peer certificate
 * verification against the context's settings; no separate
 * SSL_do_handshake() call is needed.  SSL_get_verify_result(ssl)
 * reports the verification outcome. */


Anri Lau wrote:

Hello guys,

I am setting the CRL path for SSL via the SSL context, but it is not useful.

In the manual page SSL_connect and SSL_accept are used to initiate a
handshake and SSL_do_handshake() performs a handshake.


Should SSL_do_handshake be called explicitly after
SSL_accept/SSL_connect is called?


Does SSL_connect/SSL_accept do the work of validating the
certificate of client or server?



Thank you very much!



pkcs11 engine

2008-02-15 Thread David Hostetter
I am using the latest 9.8g openssl on Solaris 10 update 3. The ssl 
handshake is working fine. I want to use the Niagara 2 chip to do my 
encrypting but I need the pkcs11 engine. The 9.8g 
ENGINE_load_builtin_engines() does not have pkcs11.


How do I get it and if there is a way then how do I install it?

Any help would be great.

Thanx.

Dave

RE: possible SSL_write bug

2008-02-13 Thread David Schwartz

> Program received signal SIGPIPE, Broken pipe.

You need to either catch or ignore SIGPIPE.

> There is also the output of the program. I think the focus should
> not be on the call the caused the crash, but on the call before,
> which returned 7 even if the connection was closed.

There's nothing unusual about that.

DS



RE: possible SSL_write bug

2008-02-13 Thread David Schwartz

> Sorry for my bad english, it crashes, it doesn't hang.

Then compile with '-g' and run 'gdb' on the core dump. Post the output of
the 'where' command.

DS



RE: OpenSSL wants to read on connection?

2008-02-12 Thread David Schwartz

> ret = SSL_write( m_ssl, buf, buf_lef );
>
> which returns -1, as you'd expect. But (and here's the odd part) when I
> call:
>
> SSL_get_error( m_ssl, ret )
>
> it returns SSL_ERROR_WANT_READ, not SSL_ERROR_WANT_WRITE. How can this
> be!? The OpenSSL library is setup in client mode, so shouldn't it want to
> write a "client hello" to the server first?

It probably did write a "client hello" to the server and is now waiting for
a reply.

DS



RE: possible SSL_write bug

2008-02-12 Thread David Schwartz

> I found out that if I keep calling SSL_write, if the connection
> is closed remotely (killing stunnel), my application hangs.

I thought your problem was crashing. Now I see that it's hanging. These are
two totally different problems.

> I made some tests, and saw that the error happens only if I keep
> calling SSL_write. The first SSL_write after closing the connection
> returns a positive value, as if the closing wasn't seen. The second
> causes the hanging.

Your read handler doesn't handle SSL_WANT_WRITE. Your write handler doesn't
handle any of the SSL_WANT errors. It doesn't surprise me that your code
spins in non-blocking mode.

DS
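What both replies describe (the 2008-02-12 "OpenSSL wants to read on connection?" answer and this one), shown as an added example that is not part of the thread: a TLS client engine driven over in-memory BIOs, so the ClientHello is emitted and the engine then asks for READ; a second turn with nothing received yields WANT_READ again and no retransmission, which is where a loop that ignores the WANT_* results spins; and a non-TLS reply is a fatal error, distinct from the non-fatal WANT_* conditions. No network or certificates are involved; the hostname and the garbage reply are constructed. Python's SSLWantReadError/SSLWantWriteError correspond to SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.

```python
import ssl

# Added example, not code from the original thread. Runs the client side of
# a TLS handshake over memory BIOs to observe the WANT_READ/WANT_WRITE
# results that a non-blocking read/write handler has to act on.


def new_client(hostname="example.test"):
    """Return (sslobj, incoming, outgoing): `incoming` holds what the
    network delivered to us, `outgoing` what we still owe the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    obj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=hostname)   # hostname is constructed
    return obj, incoming, outgoing


def step(obj, incoming, outgoing, received=b""):
    """One turn of a non-blocking handshake driver.

    Feed whatever the socket delivered, try to make progress, then report
    what the engine needs next as (state, bytes_to_send), where state is
    "done", "want_read", "want_write" or "fatal". A WANT_* state is not an
    error: send `bytes_to_send`, wait for the socket to become readable
    (want_read) or writable (want_write), then call step() again.
    """
    if received:
        incoming.write(received)
    try:
        obj.do_handshake()
        state = "done"
    except ssl.SSLWantReadError:
        state = "want_read"
    except ssl.SSLWantWriteError:
        state = "want_write"
    except ssl.SSLError:
        state = "fatal"        # protocol error: tear the connection down
    return state, outgoing.read()


def demo():
    obj, incoming, outgoing = new_client()

    # Turn 1: nothing received yet. The engine emits the ClientHello and
    # asks for READ, because the next thing it needs is the ServerHello.
    state1, out1 = step(obj, incoming, outgoing)

    # Turn 2: still nothing from the server. No retransmission, still
    # want_read; calling again without waiting on select() is a busy loop.
    state2, out2 = step(obj, incoming, outgoing)

    # Turn 3: a non-TLS reply (constructed) is a fatal protocol error.
    state3, _ = step(obj, incoming, outgoing,
                     b"HTTP/1.1 400 Bad Request\r\n\r\n")

    return {
        "turn1": state1, "hello_len": len(out1), "hello_type": out1[:1],
        "turn2": state2, "turn2_out": len(out2),
        "turn3": state3,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same dispatch applies to reads and writes after the handshake: a write can legitimately come back WANT_READ (renegotiation, or a handshake still in progress) and a read can come back WANT_WRITE, so each handler has to cover both, not just the one matching its own direction.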



RE: possible SSL_write bug

2008-02-11 Thread David Schwartz

> If I close stunnel, the next SSL_write will return a positive value,
> as if everything is ok, the second causes sudden application termination.

Make a build with debugging symbols, get a core dump, and analyze it with
'gdb' or similar. Alternatively, post the smallest complete, compilable
example of code that demonstrates the problem.

DS



RE: Compiling on a Mac

2008-02-06 Thread David Schwartz

> Hi David,

> Yes indeed I do.  I have seen that link before,
> but it doesn't contain the contents of incremental_send
> (this data is left hanging in limbo with nothing to do).

That is the contents of incremental_send.

> My goal is to integrate this into a sockets application
> I'm using where there will indeed be a continuous stream
> of data.  

It won't link until you do that.

DS



RE: possible SSL_write bug

2008-02-06 Thread David Schwartz

> I made a program that connects to a stunnel server.
> I am able to connect to the server, read, write, with no problems.

Good.

> The problem is that if I close the stunnel, I can handle the error
> correctly if I make an SSL_read, but not if I make an SSL_write.
> The SSL_write returns a positive value even if the stunnel is closed,
> and on next SSL_write the application closes suddenly.

The first part is typical. Depending on exactly how the tunnel was closed, a
write may not detect it immediately.

As for your application closing suddenly on the next SSL_write, this is
abnormal. Most likely, it's a bug in your program. It could be a bad OpenSSL
build or a bug in OpenSSL, but that's unlikely.

> So if I close the stunnel, and make two writes in a row in my
> application, my application dies.

Figure out why. Get a core dump or attach a debugger and see why and where
it's dying.

DS



RE: Problem porting SSL on VDK OS

2008-02-06 Thread David Schwartz

> Hi All;
>  Thanks to you for your suggestions. I followed your suggestion
> and removed "ssl/ssl_task.c" and compiled it but I got one
> problem which is as follows:

> "crypto\sha\sha1s.cpp", line 72: cc0020:  error: identifier "GetTSC" is
>   undefined
>   GetTSC(s1);

You have no TSC, so this code is of no use to you. Eliminate this file from
those you are compiling.

Arguably, someone should add the following to this file:
---
@@ -28,6 +28,8 @@ void GetTSC(unsigned long& tsc)
   __asm mov a, eax;
   tsc=a;
 }
+#else
+#error This code requires an instruction cycle counter
 #endif

 #include 
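Review bot: the new #else/#error branch only turns the late, confusing "identifier GetTSC is undefined" failure into an early, explicit one; it does not make sha1s.cpp build on a target without a cycle counter, which is exactly the case the reply says should be dropped from the build. If the intent is to stop people compiling this file on such targets, say so in the message, for example `#error sha1s.cpp is a TSC-based benchmark; exclude it from the build`, so the remedy is obvious from the diagnostic. Also confirm the #else is attached to the outermost compiler/platform #if that selects the `__asm mov a, eax` implementation shown in the context, not to an inner conditional, or the error fires on platforms that define GetTSC through another branch.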
---

DS



RE: Compiling on a Mac

2008-02-06 Thread David Schwartz

> Can you share the code that you found, a link to it, or at
> least a hint as to which search engine you found it on?

>> http://www.cs.odu.edu/~cs772/sourcecode/NSwO/compiled/encdec.c

There you go.

I'm curious -- do you understand what the code you are compiling is supposed
to actually *do*? Because if my understanding is correct, it only makes
sense if you have a source of a stream of bytes and a sink for the stream of
bytes and are trying to interpose an encryption/decryption step in the
middle. If you don't have these two things, the code will not work because
it will have no idea where to get its input from and where to send its
output to.

At least, that's my understanding. If your understanding is different, share
it. If you don't understand what the code is supposed to do, stop trying to
make it work. You will have no way to know when you've succeeded. ;)

DS



RE: Compiling on a Mac

2008-02-05 Thread David Schwartz


> The source for incremental_send isn't in the book anywhere
> that I've seen.

Well then that explains the problem. You are calling a function that does
not exist.

> I'm using the first edition (June 2002).
> My code does call incremental_send,
> and the code I'm trying to compile is the example code provided in the
> book itself (in chapter 6 - see example 6-4).

I don't have your book, but I found similar example code online that calls
"incremental_send" and it always includes the actual code for
"incremental_send".

> The book provides the code for incremental_encrypt as well as
> incremental_finish, so my assumption is that it is a method
> included in the bowels of the libraries provided.

If that were true, it would show that you are going the wrong way. You
should be using OpenSSL's documented interface, not functions deep in its
bowels.

> Are you saying that this is a method that I must construct myself?

Yes.

> The book doesn't say that, so my assumption is that it is provided.

I don't have the book you have, but every example I was able to find online
that called "incremental_send" included an implementation of it. This is one
example:

http://www.cs.odu.edu/~cs772/sourcecode/NSwO/compiled/encdec.c

I think the correct assumption is that the example *assumes* you have coded
an "incremental_send" function and is intended to demonstrate the plumbing
between OpenSSL's encryption/decryption engine and an incremental transmit
function.

This is strongly implied by the excerpt of the book I was able to find on
Amazon. This is intended to demonstrate an encryption/decryption
implementation as a stream filter. It assumes the data comes from someplace,
gets encrypted or decrypted, and then goes someplace else. The
"incremental_send" function is intended to be the "goes someplace else"
function.

DS



RE: Compiling on a Mac

2008-02-05 Thread David Schwartz


> Ummm, I realize that.  I've tried hunting down where the
> incremental_send method is and I can't find it anywhere.

It's in your book.

> Can you give some suggestions on the "rational troubleshooting"
> you recommend?

Check your source code for references to "incremental_send". You can use
"grep" for this purpose.

> I have no idea what the cc4DdydW.o file is, I'm assuming this
> is being produced by the compiler.

It could be, but there's really no way to tell. One good way to figure out
what it is would be to compile your code and then separately link it. This
will allow you to easily check what symbols each file defines and which
symbols it needs.

> Where is the symbol table and how do I examine it?

The "nm" command will do this.

> Pardon my ignorance.  I've also googled for "incremental_send", which
> per the OpenSSL book I'm using is supposed to be contained in one of the
> OpenSSL files that 'm including, and google doesn't provide me anything
> useful on it.

I think you are misunderstanding the book. I think it provides
"incremental_send" as an example function. You call this function without
providing the code for it, hence the reason it shows up as undefined.

Does your code call "incremental_send"?

DS



RE: Compiling on a Mac

2008-02-05 Thread David Schwartz

> Hi David,

> I'm down to symbol not defined for one item - incremental_send
> (and I can't find what file this is supposed to be in).

Well, you need to do that.

> I re-installed to /usr/include/openssl and used --prefix=/usr/include
> and --openssldir=/usr/include/openssl

> I'm trying to compile now with -lssl -lcrypto -L/usr/include/openssl

Did you verify that "-lssl -lcrypto" goes to the newly installed version of
OpenSSL?

> I believe -lssl tried linking to a legacy version of openssl
> (I saw a thread on this on the openssl website FAQ section).

You need to engage in some kind of rational troubleshooting. You have a
theory -- -lssl is linking to the wrong library version -- and you haven't
either confirmed that or ruled it out. That should be the very first thing
you do.

One easy way to do that is to replace '-lssl -lcrypto' with the full path of
the libraries you just compiled.

> Here's what I'm getting now when I try and compile - this
> appears to be the only error.

> Undefined symbols:
>   "_incremental_send", referenced from:
>   _incremental_encrypt in cc4DdydW.o
>   _incremental_finish in cc4DdydW.o
> ld: symbol(s) not found
> collect2: ld returned 1 exit status

It sounds like you call a function called 'incremental_send' that doesn't
exist. What is "cc4DdydW.o"?

Did you check your own source code for the string "incremental"? Did you
check the symbol table of libraries you are linking to to figure out where
that's coming from? Did you check all available libraries on your system to
see if any of them contain an "incremental_send" function?

You need to follow some kind of troubleshooting process.

DS



RE: Compiling on a Mac

2008-02-04 Thread David Schwartz

> Sorry I didn't update the list, but I tried with
> -lssl and -lcrypto, as well as -I/usr/include/openssl.

And what happened? Did you get the same error messages or different ones?

> I've reinstalled openssl to no avail.

What directories did you install to? And did you tell your compiler/linker
to look in the right place?

> Any other thoughts?

Typical include lines look like this:

#include <openssl/opensslconf.h>

So adding "/usr/include/openssl" to the includes will only help if you
installed the opensslconf.h file as
"/usr/include/openssl/openssl/opensslconf.h" which doesn't seem to make much
sense.

Also, what file did '-lssl' actually wind up linking to? Was it the file you
installed or some other file, perhaps one that came with your system?

DS



RE: Compiling on a Mac

2008-02-04 Thread David Schwartz

>> On Feb 3, 2008 10:51 AM, David Schwartz <[EMAIL PROTECTED]> wrote:
>>> mac# gcc blowfish.c -o blowfish

>> Where did you get this command from and what
>> was it supposed to accomplish?

> blowfish.c is a program I wrote which contained a series of methods for
> initializing, encrypting, and decrypting.
> Joel

Okay, and you issued a command to compile and link your program in a single
step. The compilation succeeded, as you have no compiler errors. The linking
failed. You'll notice that you have an undefined symbol error for every
single symbol in the OpenSSL library that you tried to use. This means no
attempt was made to link to the OpenSSL library. That shouldn't be
surprising, since you didn't tell the compiler to link to the OpenSSL
library.

DS



RE: Compiling on a Mac

2008-02-03 Thread David Schwartz


> mac# gcc blowfish.c -o blowfish
 
Where did you get this command from and what was it supposed to accomplish?

DS



RE: site encryption

2008-01-28 Thread David Schwartz

> Hi there

> I am trying to integrate a paypal shopping cart into my site and paypal
> recommend getting a security certificate from your website.
> Their site tells users to find the WIN32 section of your site to get
> the source for the certificate but I can't find that section anywhere.

I googled "openssl win32" and the first hit was the answer to your question.

>  Eg: If you are using Windows, make sure to download the Win32 version of
> OpenSSL.

Again, googling "download win32 openssl" gives the answer.

> Once you have downloaded OpenSSL and added it to your PATH.
> Also I am confused about the line "adding it your PATH".
> Can anyone advise me about all this please ?

Does it really make sense that you would ask the OpenSSL folks to explain
what PayPal means by something when you don't even tell us what PayPal
instructions you were following?

I can't find the exact PayPal page you're following, but I don't see
anything that resembles what you are talking about. Googling "adding it to
your path" and "paypal" produced nothing. Ditto for "site:paypal.org openssl
path". But that sounds like the kind of explanations experts give to each
other for things that are not meant to be done by people who don't know what
they're doing. (Otherwise they would have explained exactly how to do it.)

I'm sorry that this falls on you, but PayPal is being really stupid here.
They are creating a web page for people with no security knowledge and
telling them to go find a gun, find some bullets, and see if they can get
the contraption to work.

The approach you are attempting is only needed with scripts which would
require much more knowledge than you seem to have. (Again, no offense.) If
you just need a button, follow PayPal's directions to use their own web site
to create and encrypt the button. There is no reason you need to do it
yourself.

DS



RE: How to use OpenSSL on system without conventional file system?

2008-01-24 Thread David Schwartz

> Thanks, but as I said, I cannot simply provide my own linkable versions
> of fopen, fread, etc. These functions are reserved by the system for
> other uses.
>
> Is there no way to cleanly override IO in OpenSSL?
>
> Thanks.

Just never ask OpenSSL to operate on a file. If you want to read a key in
from a file, you read the key into a memory buffer and then ask OpenSSL to
operate on the buffer.

DS




RE: SSL_read reads 0 bytes after SSL_write/SSL_read/SSL_write

2008-01-17 Thread David Schwartz

> > Because that's what HTTP version 1.0 says to do, and you asked
> > for HTTP 1.0
> > behavior. If it didn't, how would the client know when it got the entire
> > request?

> (You mean the entire response, and in particular response body
> aka entity.)

Right.

> Content-length is allowed in 1.0, and if supplied the client can use it.
> It just isn't required and so can't be relied on.

It isn't required in 1.1 either. If the server can't supply a Content-length
header, it can either refuse to permit a persistent connection or it can use
chunked encoding. A 1.1 client must support chunked encoding.

Turning on persistent connections just asks the server to use them where
possible. In the instant case, it was impossible, so the server still
couldn't use them.

DS




RE: non-blocking BIO_do_connect problems with select

2008-01-17 Thread David Schwartz


> Now the problem is before the connection is established.
> Select is based on the file descriptor. Looks like I can't get
> the file descriptor before the connect.
> FD_SET(BIO_get_fd(conn, &c), &rfds) BIO_get_fd
> returns null. what did I do wrong?

You should not be calling 'select' until told to. That is, *after* the
connect.

Until you start the connection process, there is nothing to wait for.

DS



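An added example, not from this thread and not OpenSSL code, of the ordering DS describes: start the non-blocking connect first, and only then hand the descriptor to select(). Plain Python sockets stand in for the connect BIO here; with OpenSSL the same point is that BIO_get_fd() has nothing to return until BIO_do_connect() has actually created the socket. The loopback listener and the closed-port probe are constructed for the demo.

```python
import errno
import os
import select
import socket


def nonblocking_connect(addr, timeout=5.0):
    """Begin a non-blocking TCP connect, then wait for it with select().
    Before connect_ex() there is no connection state to wait on; only after it
    does writability (and then SO_ERROR) tell us how the connect went."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    err = sock.connect_ex(addr)
    if err not in (0, errno.EINPROGRESS, errno.EWOULDBLOCK):
        sock.close()
        raise OSError(err, os.strerror(err))
    if err != 0:
        # Now the connect is in flight, so there is something to select() on.
        _, writable, _ = select.select([], [sock], [], timeout)
        if not writable:
            sock.close()
            raise TimeoutError("connect timed out")
        # Writable means "finished", not "succeeded": ask for the real result.
        err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err != 0:
            sock.close()
            raise OSError(err, os.strerror(err))
    return sock


def connect_and_exchange():
    """Constructed demo: listen on loopback, connect to it, read one greeting."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        client = nonblocking_connect(listener.getsockname(), timeout=5.0)
        server_side, _ = listener.accept()
        try:
            server_side.sendall(b"hello")
            select.select([client], [], [], 5.0)  # readable once data arrived
            return client.recv(16)
        finally:
            server_side.close()
            client.close()
    finally:
        listener.close()


def connect_refused():
    """Constructed demo: connect to a loopback port nobody listens on. The
    refusal surfaces either from connect_ex() itself or from SO_ERROR after
    select(); both paths raise OSError. Returns True if that is ECONNREFUSED."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    addr = probe.getsockname()
    probe.close()
    try:
        nonblocking_connect(addr, timeout=5.0).close()
    except OSError as exc:
        return exc.errno == errno.ECONNREFUSED
    return False


if __name__ == "__main__":
    print(connect_and_exchange(), connect_refused())
```

The same shape applies to the handshake that follows: SSL_connect on a non-blocking socket returns WANT_READ or WANT_WRITE, and that return value, not a guess made before the connect, is what tells you which readiness to select for.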

RE: SSL_read reads 0 bytes after SSL_write/SSL_read/SSL_write

2008-01-14 Thread David Schwartz

> Hi
> Thanks for reply.
>
> In fact, I'm not sure why apache closes connection even if I set KeepAlive
> to On in httpd.conf.

Because that's what HTTP version 1.0 says to do, and you asked for HTTP 1.0
behavior. If it didn't, how would the client know when it got the entire
request?

> If I send "HTTP/1.1" request
> will it also close the socket after reply?

It may or may not. Read the HTTP 1.1 specification and it will explain that
to you. Note that HTTP 1.1 compliant clients must accept chunked encoding.

Fundamentally, you are making a very serious and painful mistake. Your
client claims HTTP 1.0 compliance, but it is not HTTP 1.0 compliant. This
will make things break.

You can fix it one of two ways:

1) Make the client HTTP 1.0 compliant, or

2) Stop claiming HTTP 1.0 compliance.

However, claiming HTTP 1.1 compliance while not being HTTP 1.1 compliant is
really not a good fix. You'll just break the first time you encounter a
server that enforces some other rule. (For example, a 'Host' header is
mandatory and you aren't sending one.)

DS




RE: SSL_read reads 0 bytes after SSL_write/SSL_read/SSL_write

2008-01-14 Thread David Schwartz

> Hello!
>
> I use openssl to work with apache server via https.
> But I see a strange situation when the second and the third calls
> to send()
> in my test-case read 0 bytes from socket.
> Can you provide here any help?

Why is that surprising? That's exactly what I would expect to happen. When
the connection has been normally closed, SSL_read returns zero. You
specifically asked for HTTP/1.0 behavior, which calls for the connection to
be closed after a reply is completed.

DS



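An added example (mine, not from the thread and not OpenSSL code) of the framing rules the three messages above turn on: a client can only know a response body is complete from a Content-Length, from chunked encoding, or from the server closing the connection, and only the first two allow the connection to be reused. The close-delimited case is exactly where SSL_read (here, a read that returns no bytes) legitimately returns zero. The responses fed in are constructed inline.

```python
import io


def _read_line(stream):
    """One CRLF-terminated line; an empty read means the peer closed,
    the equivalent of SSL_read returning 0."""
    line = stream.readline()
    if not line:
        raise EOFError("connection closed before the message was complete")
    return line.rstrip(b"\r\n")


def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise EOFError("connection closed inside the body")
    return data


def _read_chunked(stream):
    """Transfer-Encoding: chunked, which every HTTP/1.1 client must accept."""
    out = bytearray()
    while True:
        size = int(_read_line(stream).split(b";", 1)[0], 16)  # drop extensions
        if size == 0:
            while _read_line(stream):  # optional trailers end with a blank line
                pass
            return bytes(out)
        out += _read_exact(stream, size)
        _read_line(stream)  # the CRLF that follows each chunk's data


def read_response(stream):
    """Parse one response. Returns (status, headers, body, reusable), where
    'reusable' says whether another request may go over this connection."""
    parts = _read_line(stream).split(b" ", 2)
    version, status = parts[0], int(parts[1])
    headers = {}
    while True:
        line = _read_line(stream)
        if not line:
            break
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    conn = headers.get(b"connection", b"").lower()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body, framed = _read_chunked(stream), True
    elif b"content-length" in headers:
        body, framed = _read_exact(stream, int(headers[b"content-length"])), True
    else:
        body, framed = stream.read(), False  # only the close ends the body
    # HTTP/1.1 connections persist unless told otherwise; HTTP/1.0 ones close
    # unless keep-alive was explicitly agreed. Unframed bodies never persist.
    if version == b"HTTP/1.1":
        reusable = framed and conn != b"close"
    else:
        reusable = framed and conn == b"keep-alive"
    return status, headers, body, reusable


def build_request(host, path, version="HTTP/1.1"):
    """A request that complies with the version it claims: HTTP/1.1 requires
    a Host header; an HTTP/1.0 client has to ask for keep-alive explicitly."""
    lines = [f"GET {path} {version}"]
    if version == "HTTP/1.1":
        lines.append(f"Host: {host}")
    else:
        lines.append("Connection: keep-alive")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse(raw):
    """Convenience wrapper over an in-memory byte string."""
    return read_response(io.BytesIO(raw))


if __name__ == "__main__":
    print(parse(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhello"))
```

Run it over the close-delimited HTTP/1.0 response and the body is everything up to the close with reusable False, which is the behaviour the original poster saw from Apache; give it a chunked or Content-Length HTTP/1.1 response and reusable becomes True unless the server said Connection: close.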

RE: Regarding the obj_mac.h

2008-01-09 Thread David Schwartz

> The problem is if I give the name of the extension given as in the
> certificate,

What is the "name of the extension given as in the certificate"?
Certificates don't contain extension names.

> the OBJ_sn2nid function is throwing NULL value that
> means it is
> unable to find the extension.

Probably because it is unable to map the extension name to an extension
object identifier.

> If I write the same extension name which is given in the
> obj_mac.h then the
> function is returning the value.

Because that's the table that OBJ_sn2nid uses to map extension names to
extension identifier.

> For example if I am trying to retrieve the value of the
> subjectalternativename from the certificate. In the certificate this
> extension name is written as "SubjectAlternativeName"

How did you determine that? Certificates don't contain extension names. Most
likely the program you used to view the certificate mapped the OID
2.5.29.17 to the string "SubjectAlternativeName", but it just did this for
your convenience in viewing the extension.

> where as in the
> obj_mac.h it is there as "subjectAltName". If I pass this value then I am
> getting the correct result.

Because that is the name this tool uses for OID 2.5.29.17.

> At the sametime all the extensions in the certificate are not
> present in the
> obj_mac.h.

The certificate is meant to be machine-readable, not human-readable. It will
contain whatever extensions the issuer wants to put in it, whether or not
OpenSSL knows what they are or how to best display them.

> What is the link between this function and obj_mac.h?

The obj_mac.h file contains #define's for the internal names that OpenSSL
uses to refer to those extensions it knows about.

> Can I add any extensions to this file obj_mac.h?

Yes, but that won't do anything. That won't map them to the OID.

> If yes How to give the number of the NID?

OBJ_txt2nid can take the numerical representation of an extension. In fact,
OBJ_txt2nid can take the long name, short name, or the numerical
representation.

I would suggest not trying to teach OpenSSL to understand new extensions
unless you need those extensions supported by OpenSSL tools. For example, if
you want 'openssl x509 -text ...' to output the extension nicely, you have
no choice. Otherwise, just create a header file that #define's a tag for
your extension that expands to its numeric identifier. Pass that to
OBJ_txt2nid.

DS



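An added example, not from the thread and not OpenSSL code, of what actually sits in a certificate for an extension: the DER encoding of its OID (for subjectAltName, the bytes 06 03 55 1D 11), with the name supplied by whatever displays it. The encoder and decoder are mine; the short-name table repeats the OpenSSL short names for a few common extensions, which is the table OBJ_sn2nid consults and the reason "SubjectAlternativeName" finds nothing while "subjectAltName" does.

```python
# OpenSSL short names (the SN_* strings in obj_mac.h) for some common extensions.
SHORT_NAMES = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "crlDistributionPoints",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extendedKeyUsage",
}


def encode_oid(dotted):
    """Dotted string -> DER OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted}")
    body = bytearray()
    # The first two arcs share one sub-identifier; each sub-identifier is
    # base-128 with the high bit set on every byte except the last.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        body += bytes(reversed(groups))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der):
    """DER OBJECT IDENTIFIER -> dotted string, rejecting malformed input."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length == 0 or length > 127 or len(der) != 2 + length:
        raise ValueError("bad length")
    if der[-1] & 0x80:
        raise ValueError("truncated sub-identifier")
    values, acc = [], 0
    for b in der[2:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(acc)
            acc = 0
    first = values[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + values[1:])


def display_name(der):
    """What a certificate viewer does: show a friendly name if it knows one,
    otherwise the dotted OID. The name is the viewer's, not the certificate's."""
    dotted = decode_oid(der)
    return SHORT_NAMES.get(dotted, dotted)


if __name__ == "__main__":
    print(encode_oid("2.5.29.17").hex(), display_name(bytes.fromhex("0603551d11")))
```

A private extension under your own arc (say 1.3.6.1.4.1.99999.1, a made-up value) decodes fine but has no entry in the table, so it displays as its dotted form; that is the situation the poster hit, and passing that dotted string to OBJ_txt2nid is the way to refer to it without teaching OpenSSL a name.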

RE: unable to write 'Random State' e is 65537

2008-01-08 Thread David Schwartz

> Sorry for not being clear.
> I was following the link you have provided below. First I was trying to
> generate a private key by
> type "openssl genrsa -out my-prvkey.pem 1024" to the windows Vista CMD
> and the result was:

>C:\OpenSSL>openssl genrsa -out my-prvkey.pem 1024
>   Loading 'screen' into random state - done
>   Generating RSA private key, 1024 bit long modulus
>..++
>
>++
>unable to write 'random state'
>e is 65537 (0x10001)

> I don't know if this is an error or not, but I assume its
> an error and I don't what the result of the above command line
> should said after you enter it in the cmd.

As I said, it's an error that you can safely ignore.

> If it's an error then the file shouldn't be created right ?

If that was true, you couldn't ignore the error. Since you can ignore the
error, that cannot be true.

> but when I went through the OpenSSL folder I saw the
> my-prvkey.pem was create.

Great.

>  So I used the next command "openssl req -new -key my-prvkey.pem
> -x509 -days 365 -out my-pubcert.pem" which is to get the public
> certificate from the private key that I've just created.

Right.

> Now, I need to use those informations to encrypted to the buttons
> that was generated by paypal and I'm stucked on how to get those
> buttons encrypted

Continue following the directions. You've completed step 1, so now you
should move onto step 2.

DS




RE: unable to write 'Random State' e is 65537

2008-01-08 Thread David Schwartz

> I just found out that the files i have been creating are in the
> OpenSSL folder, not in the Bin folder. Are those files that I have created
> working ? how do i test it ?

I have no idea what files you are talking about. You could be talking about
keys, certificates, configuration files, encrypted data, the random state,
or anything else.

As for how you test it, try to do whatever it is you want to do with those
files and see if it works.

If you're trying to create encrypted payloads for paypal buttons, presumably
you're following some explanation of how to do that. Keep following it.

As I understand it, your problem is that you are getting the message in the
subject. I believe I resolved that problem -- you can ignore that message.

If you have some other problem, tell us about it. Tell us what directions
you are following, if any. Tell us what you have done so far. Tell us what
worked and where you got into trouble. Tell us what output you got and what
you expected.

Is this the page you're following?
https://www.paypal.com/IntegrationCenter/ic_button-encryption.html
If so, keep following it.

DS




RE: unable to write 'Random State' e is 65537

2008-01-08 Thread David Schwartz

> By the way, this detailed explanation was my first hit Googling
> 'openssl "not seeded"'.

This comment, while true, is not useful. I meant to point out that it was my
first hit when Googling 'openssl "unable to write"'.

DS




RE: unable to write 'Random State' e is 65537

2008-01-08 Thread David Schwartz

> Can you elaborate a little bit more cause I'm totally new to
> this openssl. I'm doing this to create encryptions for my
> paypal buttons

You want me to elaborate on, "I think it should be safe to ignore"?

If you want more details, read this question and answer. It doesn't directly
apply, but it will give you the background you need:
http://www.openssl.org/support/faq.html#USER1

Then you can understand this:
http://www.openssl.org/support/faq.html#USER2

By the way, this detailed explanation was my first hit Googling 'openssl
"not seeded"'.

DS




RE: unable to write 'Random State' e is 65537

2008-01-08 Thread David Schwartz

> 3. I installed OpenSSL and run it in the Windows Vista  cmd and
> the command
> is
>openssl genrsa -out my-pkey.pem 1024
>
>I got the following:
>
>   C:\OpenSSL>openssl genrsa -out my-prvkey.pem 1024
> Loading 'screen' into random state - done
> Generating RSA private key, 1024 bit long modulus
>  ..++
>  ++
>  unable to write 'random state'
>  e is 65537 (0x10001)
>
>Anyone know why?

My bet would be it's Vista file protection. It probably tried to write its
random state out to a default location that was not writable by the current
user. One simple workaround would be to set an environment variable
"RANDFILE" with a name of a file you can create and write to.

I think it should be safe to ignore. The relative loss in security should be
negligible. But you probably shouldn't take my word for it.

DS




RE: What is an OpenSSL issue (was Re[2]: Vista 64 bit)

2008-01-03 Thread David Schwartz


smime.p7m
Description: S/MIME encrypted message


RE: What is an OpenSSL issue (was Re[2]: Vista 64 bit)

2008-01-02 Thread David Schwartz

> > OpenSSL is *NOT* intended to be 'used' by people who use
> > programs that use
> > it. It is intended to be used by programs and by people who make them.

> I'll stick my 0.01 euro cent in here and state i disagree with this
> hypothesis.  whether you are a user via a 3rd party program (as almost
> all users of openssl are!) or are directly using openssl as a developer
> both camps and parties should be catered for - especially
> as a lot of apps that use openssl really only look for the DLL
> or shared library - or, if built from source, the required dev libraries
> and link libraries.

However, they generally require particular versions of OpenSSL or particular
build environments. They impose their own requirements. If you can state and
explain these requirements and reduce your question to one that is actually
about OpenSSL, then I agree with you.

OpenSSL explicitly is *not* a stable library such that you can make library
upgrades without considering application details -- other than within the
same minor version to fix specific security issues. If a post is about a
specific known OpenSSL security issue, and the issue is how to fix that
issue within the minor version required by the application, that would be an
OpenSSL issue.

Even then, it may be dangerous to do that if the application contains its
own workaround to that same issue. Or the application may not even use the
part of OpenSSL that has the vulnerability, making the exercise pointless.
This should still, in most cases, be treated as an application issue first.
If it is handled as an OpenSSL issue, that should be by one of the
application's developers, not a mere user.

> either type of user may be intersted in such things as keeping an
> up-to-date version for security - or ways of configuring it for
> better speed, performance or security settings.

That's true. I agree, my position as stated is a bit too harsh. I disagree
about security settings though, those are application issues, not library
issues. It's dangerous to treat them as library issues.

A security issue should not be fixed without the presence of *someone* with
detailed understanding of how the application uses OpenSSL. An actual user
(in the sense of application developer) of the library needs to do this to
be sure it's done properly. Even OpenSSL experts would either have to
familiarize themselves with the application or do a lot of guessing.
Guessing in the security field is bad.

DS




RE: [!! SPAM] RE: Re[2]: Vista 64 bit

2008-01-02 Thread David Schwartz

> I am newly looking into the openSSL code part and trying to understand.
> I have a few silly doubts regarding the usage and implementation of
> openSSL along with Heimdal Kerberos. Could you please let me know whom
> can I contact?

Ask your question in this newsgroup. It is for users of OpenSSL. It's
perfectly suitable for general questions regarding whether OpenSSL is what
you want, how to use it, or where to look for answers.

Note that OpenSSL requires a surprising amount of cryptographic knowledge to
use safely. If you're looking for a tool that's designed to be secure when
used by people who are not security experts, you are likely looking for
something other than OpenSSL.

Of course, if you don't need real security, messing around with OpenSSL is a
great way to learn more about security.

DS




RE: [!! SPAM] RE: Re[2]: Vista 64 bit

2008-01-02 Thread David Schwartz

> Hello David,

> > Then why are you downloading OpenSSL? It's a library, a toolkit.
> > It has no enduser application.

> Are you really sure?
> I subscribed, while at the openssl.org site for this list
> the description was given:
> "openssl-users open anybody Application Development, OpenSSL Usage,
>  Installation Problems, etc."

> I downloaded and installed Win32 OpenSSL v0.9.8g Light, on an
> XP computer, that would mean, I'm a user, isn't it? :-)

Not of OpenSSL, no.

> Of course, for the reasons I told, I did not subscribe to:
> "openssl-dev open subscribers Discussions on development of the
> OpenSSL library.

Note that this is for development *of* *OpenSSL*. Just like the OpenSSL
users list is for users *of* *OpenSSL*.

> > If you are installing some other application that asked you
> > to install OpenSSL, you have to follow that other application's
> > instructions.

> I did. Using Total Commander also as FTP client on XP, it told me
> to install OpenSSL first, before checking the option in the settings
> there.

Ah, so your issue is with getting Total Commander's OpenSSL support to work.
You need to install OpenSSL exactly how Total Commander wants it and not any
other way.

OpenSSL is *NOT* intended to be 'used' by people who use programs that use
it. It is intended to be used by programs and by people who make them.

> > If you had an issue, it would be with that application or its
> > OpenSSL support, not with OpenSSL.

> Not really. I got a new computer with Vista 64 bit and I didn't
> find a 64 bit version of OpenSSL. That is, what I asked here.
> And it seemed, I asked it on the right place. ;-)

How would that help you if it wasn't the version Total Commander was built
to use?

> > These are not the droids you are looking for.
>
> Who and where else should I have asked for it?

If you want to know whether Total Commander works with a 64-bit SSL library
and how to get/make one for it, you should be asking the Total Commander
folks. (Unless you already did and got the answer that it would, in which
case what are you asking exactly?)

DS




RE: Re[2]: Vista 64 bit

2008-01-01 Thread David Schwartz

> ???
> I'm sorry, I never did any programming, never any compiling,
> I'm just an enduser, using payware, shareware and freeware
> programs, that are already prepared for use. ;-)

Then why are you downloading OpenSSL? It's a library, a toolkit. It has no
enduser application.

If you are installing some other application that asked you to install
OpenSSL, you have to follow that other application's instructions. If you
had an issue, it would be with that application or its OpenSSL support, not
with OpenSSL.

These are not the droids you are looking for.

DS




RE: License for contributed Mac OS code?

2007-12-22 Thread David Schwartz

> The entire body of source code which makes up OpenSSL and is
> distributed as OpenSSL, btw, might fall under the "compilation
> copyright" rules.  My understanding of those rules (which govern
> things like phone books, dictionaries, databases, and anything else
> that sources from multiple places and publishes as a conglomerate) is
> that you cannot take something from a compilation and use it under any
> license except that which you obtained from the compilation.  (If you
> receive it independently from the original author, you can use it
> under the license terms you negotiate with the original author.  But,
> OpenSSL cannot claim anything other than "it is distributed with and
> by virtue of the license that OpenSSL was granted by the contributor"
> -- and without permission of the original contributor cannot change
> that license.)

No, that is not correct. Relicensing can only take place with the written 
consent of the original author. So how you receive the work doesn't matter 
unless the person you received it from had a written relicensing agreement with 
the author.

The GPL states this explicitly in section 6. Other licenses must work the same 
way by law, absent written agreements with the original author to the contrary.

Regardless of how you receive a work, you receive whatever license the original 
author offers. Nobody else is entitled to offer the work under any other terms, 
absent a written agreement.
 
> This license has a clause which requires advertising any portion of
> code's presence.

I don't think the license can compel you to make a demonstrably false 
statement. I think such a clause would be considered unconscionable. However, 
if the clauses are true under any reasonable interpretation at all, then it's 
probably not unconscionable to compel them. They would likely have to be
unambiguously false, clearly demonstrable.

In any event, it's still incompatible with the GPL. Being forced to retain 
terms and conditions is the same as an advertising clause. The GPL prohibits 
any compulsion to retain content -- other than the GPL itself.

"You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program."

Notice it says notices that refer to *this* license and the absence of any 
warranty. You cannot compel the retention of anything else. But the OpenSSL 
license required you to retain notices about use of the "OpenSSL" name and a 
note from the OpenSSL license that conditions must be kept. These cannot 
reasonably be considered notices that refer to the GPL or the absence of 
warranty, so the GPL prohibits you from compelling their retention, which the 
OpenSSL license does.

The OpenSSL license is incompatible with the GPL, and not just because of the
advertising clauses.

DS




RE: License for contributed Mac OS code?

2007-12-21 Thread David Schwartz

> Barring any objections from the copyright holder(s), I will in good
> faith construe Randomizer.cpp's license as being the same as
> OpenSSL's license except with the false advertising clauses removed,
> and consequently, compatible with the GNU GPL.
>
> Josh

The OpenSSL license says:

 * 1. Redistributions of source code must retain the above copyright
 *notice, this list of conditions and the following disclaimer.

But the GPL says:

"2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:"

None of the conditions listed say anything about retaining some other list
of conditions from some other license. The GPL then says:

"You may not impose any further restrictions on the recipients' exercise of
the rights granted herein."

Sorry, the license is not GPL-compatible. The GPL permits distribution of
modified versions without any requirement to keep some other list of
conditions and disclaimer intact, but the OpenSSL license imposes that
requirement.

It's the same as if the OpenSSL license prohibited any other kind of
modification that the GPL allowed. For example, you cannot place something
under the GPL that outputs "David Schwartz is the best, all must kneel
before him" to your system log every time you run it and add a license
clause that you must leave that intact. The OpenSSL conditions and
disclaimers are equally foreign to the GPL.

DS




Perl & SSL Certificates

2007-12-19 Thread David M. Funk
Folks,

I wrote a "webbot" Perl script that goes through an entire checkout process
and tests for validation.
It works great. It has been in production for a while now.

Now to make changes, I had to copy into our test environment and work with
our test web server. (Change control go figure...)
Supposed to be the same right? Nope.

I noticed when I go from http to https on the test server it complains about
a Certification Error.

I manually went through with IE to see what's going on..
Here is what the error is from IE: 

There is a problem with this website's security certificate. 

The security certificate presented by this website was issued for a
different website's address. 

Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server. 
We recommend that you close this webpage and do not continue to this
website.

Click here to close this webpage.
Continue to this website (not recommended). 
More information 

If you arrived at this page by clicking a link, check the website address in
the address bar to be sure that it is the address you were expecting. 
When going to a website with an address such as https://example.com, try
adding the 'www' to the address, https://www.example.com. If you choose to
ignore this error and continue, do not enter private information into the
website. For more information, see "Certificate Errors" in Internet Explorer
Help. 

Is there a way in Perl to ignore this error or just accept and continue? 

TIA,

Mark



RE: FIPS Module on Mac OS X (Intel)

2007-12-19 Thread David Schwartz

> No you can't change anything at all in the validate source so you are SOL.

What if you made your own compiler that was identical to 'gcc' except that
when asked to define 'B_ENDIAN' it defines 'L_ENDIAN'? I realize this may
violate the spirit of the rule, but I believe it conforms to the letter.

DS




RE: asynchronous read/write with multithread

2007-12-18 Thread David Schwartz

> > Writing:
> >
> > 1) Acquire the mutex.
> >
> > 2) Call SSL_write. If we have sent all of the data, release the lock and
> > return.
> >
> > 3) If we sent any data, re-adjust to only send the data that remains and
> > go
> > to step 2.
> >
> > 4) If we got a zero, release the lock and return the number of bytes
> > successfully sent.
> >
> > 5) If we got an error, pass the return value to SSL_get_error.
> >
> > 6) If the error is fatal error, release the lock and return.
> >
> > 7) Obey the WANT_READ or WANT_WRITE by releasing the lock, calling
> > 'select',
> > and re-acquiring the lock. Go back to step 2.

> I have looked into s_client example, and thought over your advice, but I
> have one more doubt yet.
> I think, the meaning of "ready for write" at select() is only
> "there is some
> space to write on TCP stack". Actually, the result of select() is almost
> always "ready for write".

Correct.

> So, the meanings of WANT_READ and WANT_WRITE are really same as
> buffer full
> on TCP stack?

WANT_READ means the SSL engine cannot make further progress until it can
read some data from the socket. WANT_WRITE means the SSL engine cannot make
further progress until it can write some data to the socket.

> If not so, I think there is a possibility to cause non-wait
> loop at step 2-7.

There is one ugly situation, and I don't know a good way to stop it.
Consider:

1) The receive buffer is empty, SSL_read returns WANT_READ. You release the
lock and prepare to call 'select'.

2) Another thread acquires the lock and calls SSL_write. SSL_write calls
'read' and reads the data. SSL_pending would now return greater than zero.

3) You switch back to the first thread which blocks on 'select'.
Unfortunately, the data it is waiting for has already arrived and been
consumed.

The only workarounds I know for this are horribly ugly. For example, you can
call SSL_pending after every call to SSL_write, and if it's non-zero, you
can write a byte to a pipe that the read thread also selects on.

Maybe someone else knows a better way. I always use BIO pairs because I
think OpenSSL's I/O code is not well thought out.

DS




RE: asynchronous read/write with multithread

2007-12-17 Thread David Schwartz

> Yes, the protocol is asynchronous exactly, not "query/response" sequence,
> and could not re-design it now.

Many protocols are that way and should be that way. I wouldn't redesign the
protocol unless it was badly designed in the first place.

> I could not find sufficient documents or examples about
> non-blocking I/O for
> newbie like me. By way of experiment, I tried to re-write the code again
> with BIO and non-blocking I/O.
> The read() wrapping function I made newly is below;

> --- snip ---
> BIO_set_nbio( cbio, 1 ) ;
> BIO_do_connect( cbio ) ;
> BIO_do_handshake( cbio ) ;
>
> int read_ssl( ... ) {
> while ( 1 ) {
> pthread_mutex_lock( &rw_lock ) ;
> int ret = BIO_read( cbio ... ) ;
> pthread_mutex_unlock( &rw_lock ) ;
> if ( ret > 0 ) {
> break ;
> } else if ( ! BIO_should_retry( cbio ) ) {
> do_something_ERROR() ;
> break ;
> }
> usleep( a_little ) ; // to prevent wasting CPU
> }
> }
> --- snip ---
>
> Will this work correctly with multithreaded asynchronous I/O?
> But I think, this way is not better than simple blocking I/O like the
> original code. It wastes CPU by the loop and gets poor response
> time by the
> sleep. Is there any way better than it?

That's correct, but very poor for precisely the reasons you explain. You
should take a look at the included s_client example. The basic idea is this:

Reading:

1) Acquire the mutex.

2) Call SSL_pending. If any bytes are already available, call SSL_read,
release the lock, and return. (Note that calls to SSL_write might wind up
reading from the socket, so data might already be waiting.)

3) Call SSL_read. If it returns a positive number, release the lock and
return the data. If zero, release the lock and return EOF.

4) Pass the return value of SSL_read to SSL_get_error.

5) If the error was not WANT_READ or WANT_WRITE, handle it as appropriate.
You can assume it's fatal.

6) If the error was WANT_READ or WANT_WRITE, release the lock, select for
read or write as asked, re-acquire the lock, and go back to step 2.

Writing:

1) Acquire the mutex.

2) Call SSL_write. If we have sent all of the data, release the lock and
return.

3) If we sent any data, re-adjust to only send the data that remains and go
to step 2.

4) If we got a zero, release the lock and return the number of bytes
successfully sent.

5) If we got an error, pass the return value to SSL_get_error.

6) If the error is fatal error, release the lock and return.

7) Obey the WANT_READ or WANT_WRITE by releasing the lock, calling 'select',
and re-acquiring the lock. Go back to step 2.

Note that SSL_read can return WANT_WRITE and SSL_write can return WANT_READ.

DS



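An added example, not from the thread and not OpenSSL: the lock-around-the-SSL-object pattern from the two messages above, with the lock released around select(), plus the wake-up pipe workaround for the race DS describes, where a write consumes the very data the reader is about to wait for. FakeEngine is a constructed stand-in for the SSL object with an SSL_pending-style buffer; it is not OpenSSL, and the interleaving is replayed step by step rather than relying on thread timing, so the stall reproduces every time.

```python
import os, select, socket, threading


class WantRead(Exception):
    pass  # stands in for SSL_ERROR_WANT_READ


class FakeEngine:
    """Constructed stand-in for an SSL object (NOT OpenSSL): a non-blocking
    socket plus a buffer of received-but-unread data, i.e. SSL_pending()."""
    def __init__(self, sock):
        self.sock = sock
        sock.setblocking(False)
        self._buf = bytearray()
    def _pull(self):
        try:
            self._buf += self.sock.recv(4096)
        except BlockingIOError:
            pass
    def pending(self):
        return len(self._buf)
    def read(self, n):
        if not self._buf:
            self._pull()
        if not self._buf:
            raise WantRead  # nothing until the socket becomes readable
        data = bytes(self._buf[:n])
        del self._buf[:n]
        return data
    def write(self, data):
        # SSL_write may consume inbound records as a side effect; modelled as
        # always draining the socket, the worst case for a waiting reader.
        self._pull()
        return self.sock.send(data)


class Connection:
    """One lock around the engine, released while waiting in select()."""
    def __init__(self, sock, use_wakeup):
        self.engine = FakeEngine(sock)
        self.lock = threading.Lock()
        self.use_wakeup = use_wakeup
        self.wake_r, self.wake_w = os.pipe()
    def wait_readable(self, timeout):
        fds = [self.engine.sock] + ([self.wake_r] if self.use_wakeup else [])
        ready, _, _ = select.select(fds, [], [], timeout)
        if self.wake_r in ready:
            os.read(self.wake_r, 4096)  # drain the notification
        return bool(ready)
    def recv(self, n, timeout=None):
        while True:
            with self.lock:
                try:
                    return self.engine.read(n)
                except WantRead:
                    pass
            if not self.wait_readable(timeout):
                return None  # timed out; a real reader would wait forever
    def send(self, data):
        while data:
            with self.lock:
                try:
                    sent = self.engine.write(data)
                except BlockingIOError:  # WANT_WRITE
                    sent = 0
                if self.engine.pending() and self.use_wakeup:
                    os.write(self.wake_w, b"\0")  # the workaround: poke the reader
            data = data[sent:]
            if data:
                select.select([], [self.engine.sock], [])  # lock not held here
    def close(self):
        self.engine.sock.close()
        os.close(self.wake_r)
        os.close(self.wake_w)


def demo_race(use_wakeup, timeout=0.2):
    """Replay the interleaving step by step (no threads needed to show it).
    Returns what the reader got, or None if it stalled in select()."""
    ours, peer = socket.socketpair()
    conn = Connection(ours, use_wakeup)
    try:
        # 1. Reader: engine says WANT_READ; lock released, about to select().
        with conn.lock:
            try:
                conn.engine.read(16)
            except WantRead:
                pass
        # 2. The peer's data arrives on the socket.
        peer.sendall(b"hello")
        select.select([ours], [], [], 1.0)
        # 3. Writer runs first; its write consumes that data into the engine.
        conn.send(b"ping")
        # 4. Reader finally selects: the socket is no longer readable, so only
        #    the wake-up byte can get it out of select().
        if not conn.wait_readable(timeout):
            return None
        return conn.recv(16, timeout=0)
    finally:
        conn.close()
        peer.close()
```

demo_race(False) stalls and returns None after the timeout; demo_race(True) returns b"hello" because the writer noticed pending() was non-zero and poked the pipe. The alternative DS prefers, a BIO pair, avoids the problem differently: all socket I/O stays in one thread, and the other threads only touch the memory BIOs.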

RE: asynchronous read/write with multithread

2007-12-17 Thread David Schwartz

> So, at first, I made two simple wrapper functions to replace plain
> read/write functions.
>
> -- snip --
> int read_ssl( .. ) {
> pthread_mutex_lock( &rw_lock ) ;
> SSL_read( ... ) ;
> pthread_mutex_unlock( &rw_lock ) ;
> }
>
> int write_ssl( .. ) {
> pthread_mutex_lock( &rw_lock ) ;
> SSL_write( ... ) ;
> pthread_mutex_unlock( &rw_lock ) ;
> }
> -- snip --
>
> Of course, it did not work. The mutex was locked while waiting for
> messages at SSL_read, so it could not send any messages.

You really only have two choices:

1) Use non-blocking I/O. You can move the I/O to a service thread if you
like, so 'SSL_write' becomes 'push a message on the send queue and alert the
service thread' and 'SSL_read' becomes 'block on the receive queue'.

2) Restructure your design so that you do all the writing you need to do
before you call read again. (This may or may not be possible depending upon
the protocol you are implementing. It is possible for a pure query/response
protocol but not possible if the protocol is fundamentally asynchronous.)

DS


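The numbered reading and writing procedure from the reply above and the non-blocking option (choice 1) recommended here, worked through as an added example; this is not code from the list or from OpenSSL. It uses Python's ssl module, whose SSLSocket.recv()/send() sit on SSL_read/SSL_write and whose SSLWantReadError/SSLWantWriteError correspond to SSL_get_error returning WANT_READ/WANT_WRITE. LockedTLSChannel, ScriptedTLS and demo are names of this example only; ScriptedTLS is a constructed stand-in for a real non-blocking SSLSocket so the block runs offline, and the `wait` hook exists so the test can observe which readiness the channel asked for.

```python
import select
import ssl
import threading


class LockedTLSChannel:
    """Reader and writer threads sharing one non-blocking ssl.SSLSocket.

    The rule that removes the deadlock of the naive wrappers: the mutex is
    held only while inside the TLS library and is released before every wait.
    """

    def __init__(self, tls_sock, wait=None):
        self._sock = tls_sock                     # must be non-blocking
        self._lock = threading.Lock()
        self._wait = wait or self._select_wait    # pluggable, see ScriptedTLS

    def _select_wait(self, want_read):
        # Reading step 6 / writing step 7, entered with the lock released.
        if want_read:
            select.select([self._sock], [], [])
        else:
            select.select([], [self._sock], [])

    def read(self, maxlen=16384):
        """Return plaintext, or b'' at EOF (SSL_read returned 0)."""
        want_read = True
        while True:
            with self._lock:                      # step 1
                try:
                    # Steps 2 and 3 in one call: SSL_read first hands back a
                    # record the library already holds (what SSL_pending
                    # reports, e.g. pulled in by a concurrent write), so it is
                    # always attempted before select(); selecting first could
                    # block on a quiet socket while plaintext waits inside.
                    return self._sock.recv(maxlen)
                except ssl.SSLWantReadError:
                    want_read = True              # SSL_read may want a read...
                except ssl.SSLWantWriteError:
                    want_read = False             # ...or a write (renegotiation)
                # any other ssl.SSLError is fatal (step 5) and propagates;
                # the 'with' statement releases the lock on the way out
            self._wait(want_read)                 # step 6, lock not held

    def write(self, data):
        """Send all of data; returns len(data), or fewer only if the peer
        closed the connection (SSL_write returned 0, step 4)."""
        view, sent, want_read = memoryview(data), 0, False
        while sent < len(view):
            with self._lock:                      # step 1
                try:
                    n = self._sock.send(view[sent:])   # step 2: SSL_write
                except ssl.SSLWantReadError:
                    want_read = True              # SSL_write may want a read
                except ssl.SSLWantWriteError:
                    want_read = False
                except ssl.SSLZeroReturnError:
                    return sent                   # step 4
                else:
                    if n == 0:
                        return sent               # step 4
                    sent += n                     # step 3: resend the remainder
                    continue
            self._wait(want_read)                 # step 7, lock not held
        return sent


class ScriptedTLS:
    """Constructed stand-in for an ssl.SSLSocket: recv() replays a script of
    byte strings / exceptions; send() raises WANT_WRITE once, then accepts
    at most send_limit bytes per call (a partial write)."""

    def __init__(self, recv_script, send_limit=4):
        self._recv_script = list(recv_script)
        self._send_limit = send_limit
        self._send_calls = 0
        self.sent = bytearray()                   # what reached the "socket"

    def recv(self, maxlen):
        item = self._recv_script.pop(0)
        if isinstance(item, BaseException):
            raise item
        return item[:maxlen]

    def send(self, data):
        self._send_calls += 1
        if self._send_calls == 1:
            raise ssl.SSLWantWriteError()
        chunk = bytes(data[:self._send_limit])
        self.sent += chunk
        return len(chunk)                         # partial write, forces step 3


def demo():
    """Returns (bytes read, bytes sent, waits performed as 'R'/'W')."""
    waits = []
    sock = ScriptedTLS([ssl.SSLWantReadError(), ssl.SSLWantWriteError(), b"pong"])
    chan = LockedTLSChannel(
        sock, wait=lambda want_read: waits.append("R" if want_read else "W"))
    got = chan.read()
    n = chan.write(b"ping-ping!")
    return got, n, bytes(sock.sent), waits
```

With a real connection, call `setblocking(False)` on the wrapped socket, hand it to LockedTLSChannel without a `wait` argument, and let one thread loop on `read()` while another calls `write()`; the default wait uses select() on the socket's file descriptor, exactly the "release the lock, select, re-acquire" step of the procedure. The one thing the channel does not do is retry on a fatal SSLError: as the reply says, treat that as the end of the connection.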


RE: Expired certificates out from revocation list

2007-12-17 Thread David Schwartz

> How can I get rid of the expired certificates in the revocation
> list? When I
> do openssl ca -gencrl -out revocationlist.crl -config myconfig.cfg the
> revoked certificates that are also expired are added into the
> list. It is no
> use to store them there because the revocation list grows bigger
> and bigger
> that way.

Make sure this is correct for the type of certificate you are using. For
email, code signing, and other stored communication certificates, this is
the wrong thing to do.

Suppose I receive a program signed with a key. Even though that key expired
two years ago, I still care whether it was revoked. If it was revoked --
especially if it was revoked before it signed the program -- then I don't
want to run the program. If it just expired normally, there is no reason not
to trust the program.

Similarly, you may look at an email you received last year and it may matter
whether the key that signed it was revoked or not.

DS




RE: AES CBC mode problem

2007-12-17 Thread David Schwartz

> If I call like this, I get 32-byte return(The first 16 byte string equal to
> Ciphertext in the test case)
> ret = EVP_EncryptUpdate(&ctx, out, outl, in, inl);
> if(!ret) abort();
> len += *outl;
> ret = EVP_EncryptFinal_ex(&ctx, out+len, outl);
> if(!ret) abort();
> len += *outl;

You added the output twice. You did it the first time, when you did "len += 
*outl;" but then you did it again when you called EVP_EncryptFinal_ex with 
'*outl' equal to 16.

You need to do one or the other, but not both. You can either take the output 
as it comes (which is what 'len += *outl;' before EVP_EncryptFinal_ex does) or 
let it accumulate (which is what calling EVP_EncryptFinal_ex with a nonzero 
value of *outl does), but you cannot do both.

DS




RE: Doubt about the use and initialization of DH struct

2007-12-16 Thread David Schwartz

> Thank you for your reply!!!
> I have another question about this topic. I need to generate a shared
> secret whose size is 16 bytes, using the DH_compute_key() function. How can
> I manage that size?

Produce a much larger shared secret and then reduce it securely to 16
bytes.

> Should I use a 16 byte dh->p

Absolutely not! DH requires a much larger key size to provide equivalent
security. If you get DH to produce a 16 byte shared secret directly, it will
provide much less than the 16 bytes of security you expect in the shared
secret.

DS

PS: You're jogging in a minefield. You shouldn't be working at this low a
level unless you already have a solid understanding of DH and how it relates
to whatever you're going to do with the shared secret.


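"Produce a much larger shared secret and then reduce it securely to 16 bytes", as an added example that is not code from the list or from OpenSSL: the reduction is HKDF (RFC 5869) over SHA-256, implemented here with the Python standard library's hmac and hashlib. The DH exchange itself is not repeated; derive_session_key takes the shared secret as an integer, which is what DH_compute_key's output represents, plus the bit length of the group prime. The function names and the `context` argument are this example's own choices, and the fixed-width encoding step is the detail most often missed: DH_compute_key writes the secret as a minimal big-endian BIGNUM (leading zero bytes dropped), so the same secret can arrive with different lengths unless it is re-padded before hashing.

```python
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand (RFC 5869): stretch PRK into `length` bytes bound to `info`."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length exceeds the HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def dh_secret_to_bytes(shared_secret_int, prime_bits):
    """Fixed-width big-endian encoding of the DH shared secret.

    The KDF input must have the same width every time; encoding without the
    leading zeros (as a minimal BIGNUM does) makes equal secrets with a
    different number of leading zero bytes derive different keys.
    """
    return shared_secret_int.to_bytes((prime_bits + 7) // 8, "big")


def derive_session_key(shared_secret_int, prime_bits, context, length=16):
    """Reduce a large DH shared secret to `length` bytes via HKDF-SHA256.

    `context` is application-supplied binding data (protocol name, role,
    transcript hash); keys for different purposes get different contexts.
    """
    z = dh_secret_to_bytes(shared_secret_int, prime_bits)
    prk = hkdf_extract(b"", z)            # no salt: all-zero salt per RFC 5869
    return hkdf_expand(prk, context, length)
```

A 16-byte output from a 2048-bit group carries the strength of the group, capped at the 128 bits the key can hold; truncating the raw secret instead, or shrinking the group to 16 bytes as the poster proposed, throws that away. The test checks the HKDF primitives against RFC 5869 test case 1.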


RE: Problem in handling SSL_connect failures

2007-12-14 Thread David Schwartz

> To begin with, when the client calls SSL_connect(), it is guaranteed that
> the server is waiting / looping in SSL_accept(). So I believe there is no
> chance that SSL_connect() will read any plaintext data.

Do you have any rational basis for this belief? Consider:

1) The client calls SSL_connect. A TCP connection forms.

2) The client sends negotiation data.

3) The server reads the negotiation data, doesn't like it and sends an SSL
abort to the other side. SSL_accept returns an error.

4) The server sends a plaintext error message.

5) The client calls 'read' from SSL_connect, reading both the negotiation
data and the plaintext error.

> In my scenario, the ERR_reason_error_string(ERR_get_error()) tells me that
> there was a problem in server certificate verification. Also on the server
> side, SSL_accept reports 'SSL alert number 42'. In this case the
> SSL_connect() failed because it knew what was wrong, not because it didn't
> understand what the server had sent. Now as this failure is a
> result of SSL handshake, and as the reason of the failure is known to the
> client, SSL_connect should have cleaned all the data sent by the server as
> part of SSL handshake. The tcp channel should have been cleaned before
> SSL_connect() returned.

Nonsense. SSL_connect calls 'read' for an arbitrarily large number of bytes.
It accepts the possibility that it might read past a single SSL record or
protocol data unit.

> Now when the SSL_connect() fails (and it would imply that corresponding
> SSL_accept would have also failed), the client knows that the server is
> going to send the error message back to the client in plain text. So the
> client reads next packet in plain text.

Except that the server has already sent the error message. The client has
already called 'read' (from SSL_connect).

> Allow me to explain what I see on the client-server communication (The
> server is using non blocking sockets)
> The first call of SSL_accept() returns WANT_READ
> The client initiates SSL_connect()
> As we detect readability, we call SSL_accept(), which now returns
> WANT_WRITE
> (I guess this is the data that reached me after SSL_connect returned).
> By this time, the client SSL_connect() has already returned with -1.
> The client assumes that the next data that would come would be plain text
> error message sent by the server. And this is where it fails.

Since it shouldn't work, it's hardly surprising that it doesn't work.

> I will be glad if you could give me a sample code snippet that
> will show how
> one can handle SSL_connect / SSL_accept failures correctly and gracefully.

I explained the necessary logic. After the server detects failure, it must
send the error message several times, with a uniquely identifiable separator
around the error message. The client must scan the data stream until it
finds the separators and extracts the error message from therein.

You may need to wait a bit to make sure the client has gotten a chance to
call 'read', otherwise all your transmissions of the error message may
coalesce into a single 'read' that's done by SSL_connect. If you know
how big the SSL_connect buffer is, you can send twice that many zero bytes
before the error to ensure SSL_connect can't eat them.

DS




RE: Problem in handling SSL_connect failures

2007-12-14 Thread David Schwartz


> I have a client that attempts to open a secured session with the server.
> After calling SSL_connect(), on failure, the client would free the SSL
> object, and read the response on normal tcp socket.

> On the other hand, the server calls SSL_accept(), and on failure, would
> free the SSL object, and return the error message to the client on normal
> tcp socket.

> But what I see is, the client receives some 9 bytes of data after
> SSL_connect fails.
> This data seems to be SSL control data, as it reaches the client even
> before the server actually sends out the error message. The 9 bytes are
> (16 03 00 00 04 0e 00 00 00).

How could you ensure that both the server and the client fail at precisely
the same point? That would seem to be nearly impossible.

> Here is the code snippet from the client code that is in trouble,
> and receives these 9 bytes. the value returned in beresp is the first
> byte of these 9.
> Am I missing something while handling SSL_connect failures?
> ===
> if ( SSL_connect(sock->ssl) != 1 ) {
> printf("\t%s'", ERR_reason_error_string(ERR_get_error()));
> SSL_free(sock->ssl);
> ssl = NULL;
> }
> else
> secured = 1;
> }
> beresp = get_char(sock);

This is complete nonsense. Since SSL_connect returned an error, that means
it read something it didn't like. Since it didn't understand what the other
side sent, how can it ensure it read all of it?

> Please let me know if I can provide any more information that might be of
> help to understand the scenario

The scenario seems to require the impossible in several regards. First,
SSL_connect must somehow be careful not to read the plaintext failure
message. But how can it do this? Second, SSL_connect must be sure to read
all the non-plaintext when it fails to understand what's going on. But how
can it do this?

Your scheme doesn't seem to make any sense at all. You can't ensure a
failure will be perfect.

You can probably make this work 99% of the time with extreme ugliness if
it's an absolute requirement. Have the server send the message, sleep a
second or two, send it again, and so on. Use unique byte codes to mark the
beginning and the end of the message. The client must carefully scan the
stream paying attention only to the data in-between the start and end
markers.

This should ensure the other end fails eventually, and when it does, it
won't matter if there's leftover SSL stuff or some of the message was eaten.
Eventually, it will find the beginning and end of the error message.

DS


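The framing scheme both replies above describe (the server sends the plaintext error several times between unique start and end markers; the client scans the raw stream for a complete frame, ignoring leftover handshake bytes and any copy SSL_connect partly consumed), as an added example that is not code from the list. The marker byte strings, the function and class names and the three-repeat count are this example's assumptions; the nine leftover bytes are the ones the poster reported. ScriptedStream is replaced by plain byte slicing here: scan_stream feeds the bytes to the scanner in fixed-size pieces, standing in for successive read() calls on the socket.

```python
START = b"\x00\x00ERR>"    # constructed markers (assumption): unlikely to
END = b"<ERR\x00\x00"      # occur inside a TLS record or the error text


def frame_error(message):
    """Server side: wrap one copy of the plaintext error in the markers."""
    if START in message or END in message:
        raise ValueError("message must not contain the markers")
    return START + message + END


def error_burst(message, repeats=3):
    """The server's repeated transmissions (sent with a pause between them in
    the reply; concatenated here for the offline demonstration)."""
    return frame_error(message) * repeats


class FramedErrorScanner:
    """Client side: feed() whatever comes off the raw socket after SSL_connect
    failed and get the error back once one complete START..END frame arrived."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        i = self._buf.find(START)
        if i < 0:
            # Discard junk but keep a tail that could be a split START marker.
            del self._buf[: max(0, len(self._buf) - (len(START) - 1))]
            return None
        j = self._buf.find(END, i + len(START))
        if j < 0:
            del self._buf[:i]          # drop junk before the marker, wait for END
            return None
        message = bytes(self._buf[i + len(START): j])
        del self._buf[: j + len(END)]
        return message


def scan_stream(stream, chunk_size):
    """Deliver `stream` chunk_size bytes at a time, as successive read() calls
    would; returns the first recovered error or None if none completed."""
    scanner = FramedErrorScanner()
    for off in range(0, len(stream), chunk_size):
        msg = scanner.feed(stream[off: off + chunk_size])
        if msg is not None:
            return msg
    return None


# The nine bytes the poster saw after SSL_connect failed: a TLS record header
# (content type 0x16 = handshake, version 3.0, length 4) carrying a 4-byte
# ServerHelloDone (handshake type 0x0e). Values taken from the thread.
LEFTOVER_TLS = bytes.fromhex("16030000040e000000")


def demo():
    """Client view: leftover handshake bytes, then the first copy of the error
    with its START marker already eaten by SSL_connect, then intact copies."""
    burst = error_burst(b"certificate verify failed")
    stream = LEFTOVER_TLS + burst[7:]     # 7 bytes swallowed: first START gone
    return scan_stream(stream, chunk_size=5)
```

The scanner never trusts its alignment: junk before a marker is dropped, a marker split across two reads still matches, and a copy whose START was eaten is skipped in favour of the next intact one. As the reply says, this makes the scheme work "eventually", not reliably; the test runs the same stream through every chunk size from 1 to 12 to check that read boundaries do not change the outcome.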


RE: Doubt about the use and initialization of DH struct

2007-12-14 Thread David Schwartz


> dh_struct = DH_new();
> dh_struct->p = BN_new();
> dh_struct->g = BN_new();
> dh_struct->priv_key = BN_new();
> dh_struct->pub_key = BN_new();

> num_byte = BN_dec2bn(dh_struct->p,str_p);  // Here it seems that not
> execute anything about

Something is very wrong in your code. BN_new returns a 'BIGNUM *', so
dh_struct->p contains a 'BIGNUM *'. But then you pass dh_struct->p as the
first parameter to BN_dec2bn, which takes a 'BIGNUM **'.

int BN_dec2bn(BIGNUM **a, const char *str);
BIGNUM *BN_new(void);

dh_struct->p can't be both a 'BIGNUM *' and a 'BIGNUM **'. In fact, it's a
'BIGNUM *'. So at a minimum, the BN_dec2bn call must be:

num_byte = BN_dec2bn(&dh_struct->p, str_p);

There could be other mistakes too. This was the most obvious.

DS




RE: AES CBC mode problem

2007-12-14 Thread David Schwartz

> The decrypt program:
>
> unsigned char *DecryptTest(unsigned char *in, int inl, unsigned
> char *key, unsigned char *iv, int * outl)
> {
> int ret;
> EVP_CIPHER_CTX ctx;
> EVP_CIPHER_CTX_init(&ctx);
>
> ret = EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), 0, key, iv);
> if(!ret) abort();
> cout<<"EVP_CIPHER_CTX_block_size:
> "< cout<<"EVP_CIPHER_CTX_key_length:
> "< cout<<"EVP_CIPHER_CTX_iv_length:
> "< char Plaintext[]="Single block msg";

This is a 17-byte string.


> out = EncryptTest((unsigned char*)Plaintext,
> sizeof(Plaintext), key,iv, &outl);

sizeof(Plaintext) == 17

DS


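The length accounting behind both "AES CBC mode problem" replies, as an added example that is not code from the list or from OpenSSL. CBC with the PKCS#7 padding that the EVP_Encrypt* routines apply by default always appends between 1 and 16 bytes, so a 16-byte plaintext and the 17-byte `sizeof(Plaintext)` (the literal plus its NUL terminator) both encrypt to 32 bytes; the difference only shows up after decryption, as the trailing NUL. The pad/unpad functions below are this example's own (the NUL-counting helper is just the C rule written out), and the unpad check mirrors what EVP_DecryptFinal_ex rejects: a length that is not a whole number of blocks, a pad byte of 0 or above 16, or pad bytes that do not all agree.

```python
BLOCK = 16  # AES block size in bytes


def pkcs7_pad(data, block=BLOCK):
    """PKCS#7 padding: always adds 1..block bytes, each equal to the count, so
    a plaintext that already fills its blocks still grows by a whole block."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block=BLOCK):
    """Strip PKCS#7 padding, rejecting anything malformed."""
    if not data or len(data) % block:
        raise ValueError("ciphertext length is not a whole number of blocks")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_ciphertext_len(plaintext_len, block=BLOCK):
    """Bytes EVP_EncryptUpdate and EVP_EncryptFinal_ex write in total."""
    return (plaintext_len // block + 1) * block


def c_sizeof_literal(s):
    """Size of a C char[] initialised from a string literal: the characters
    plus the terminating NUL, which is what sizeof(Plaintext) counts."""
    return len(s.encode()) + 1


def demo():
    """The thread's message both ways: 16 bytes via strlen, 17 via sizeof."""
    msg = "Single block msg"
    return {
        "strlen": len(msg),
        "sizeof": c_sizeof_literal(msg),
        "ciphertext_from_strlen": cbc_ciphertext_len(len(msg)),
        "ciphertext_from_sizeof": cbc_ciphertext_len(c_sizeof_literal(msg)),
    }
```

The practical consequence for the decrypt side: after EVP_DecryptFinal_ex the plaintext length is whatever the padding says it is, so a caller that passed `sizeof` on encryption gets 17 bytes back and must not assume the result matches `strlen` of the original.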

