ssl renegotiation does not work

2007-09-05 Thread Grzegorz Rusin
Hi,

I've written myself a server application that basically allows people
to connect (it uses non-blocking IO) and echoes the text they send to the
server.

I am testing the server with openssl s_client utility.

Everything works as expected until renegotiation comes (you can force it
with the "R" command in s_client). In most cases it seems to work
correctly, but there is a special case that makes s_client disconnect
with an error message:

RENEGOTIATING
16428:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1207:

That _only_ happens when the renegotiation happened before the server
echoed the sent text.

Example 1: working scenario ("R" is the input, rest is the output)

R
RENEGOTIATING
depth=0 /C=XX/ST=nowhere/O=anonymous organization/OU=server/CN=server/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
[cut]

Example 2: not working scenario ("OOO\nRR" is the input)
OOO
RR
RENEGOTIATING
16520:error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record:s3_pkt.c:1207:

Probably s_client waits here for a renegotiation packet, but all it
gets is an echoed "OO..." string.

Could anyone point me where to look for the solution for this problem?

Thanks!
Grzegorz Rusin
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


Re: server timeout in connection handshake ?

2007-09-05 Thread Grzegorz Rusin
On 9/5/07, Thomas Radke <[EMAIL PROTECTED]> wrote:
>
> During a connection handshake, the server gets stuck forever (or at
> least > 2 hours) in a call to SSL_accept() for the case where it has
> sent its certificate but the client doesn't respond back: because the
> server's certificate is unknown on the client side, the web client (a
> standard browser) will prompt the user to examine the certificate and
> either accept or reject it. While this client/user interaction hasn't
> finished (eg. because the user didn't notice) the server is effectively
> blocked.
>

I've never used SSL with blocking IO, but according to the man pages
you need to call the SSL_do_handshake() function on the server side.

It should do the handshake, and you will be able to do the
read/write operations afterwards.

-- 
Regards
Grzegorz Rusin, skype: mr.pks


Re: Openssl 0.9.8e build fails on HP Itanium

2007-09-10 Thread Grzegorz Rusin
On 9/10/07, Urjit Gokhale <[EMAIL PROTECTED]> wrote:
> ld: Duplicate symbol "__divxf3" in files
> /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/hpux64/libgcc.a[__divxf3.oS]
> and
> /usr/local/lib/gcc/ia64-hp-hpux11.23/3.4.3/hpux64/libgcc.a[__divxf3.oS]

It looks like one object file is being passed two times to the linker.

-- 
Regards.
Grzegorz Rusin, skype: mr.pks


Re: newbie question: sample s_server usage

2007-09-29 Thread Grzegorz Rusin
On 9/28/07, Deep Chand <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I'm a newbie to openssl and the openssl toolkit. I need to add support for TLS
> to one Java client including client authentication, and I've made the
> changes to the client and need to test it with a server, so I'm trying to use
> s_server. I have used the keytool utility supplied with jdk1.4 to generate
> client/server public/private key certificates using the RSA algorithm. How do I use
> these certificates in invoking and testing my client using s_server?

openssl s_server -cert filename -key keyfile

and it should work.

Check out the man page for more information about the available options :)


Re: OpenSSL package for Java

2007-11-13 Thread Grzegorz Rusin
On Nov 8, 2007 9:45 AM,  <[EMAIL PROTECTED]> wrote:
>
>  I need to develop a small Java application to create Certificates and
> Certificate requests. Where can I find the packages to use OpenSSL in Java?
>
Go to http://www.openssl.org/related/apps.html and search for the keyword java

>
>  P.S My English isn't perfect, I'm an Italian student.
>
No one's English is purfect :)

-- 
Regards
Grzegorz Rusin


Re: SHA-1 number of calls

2007-11-25 Thread Grzegorz Rusin
On Nov 23, 2007 5:54 PM, Koza <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I counted the number of calls of SHA-1 Init/Upgrade/Final (sum of these) and
> I see that the number of calls differs even when I download all the time the
> same file in the same environment (I download a file with wget from apache
> server with mod_ssl).
>
> Can someone explain why it works that way? Shouldn't the number always be the
> same? The number of encrypt/decrypt/rsa function calls is always the same.
>

My wild guess is that the SHA1::Upgrade() function is being called each
time mod_ssl sends a packet to the peer. Assuming that you never have
the same network conditions (TCP/IP slow start, packet loss => the
size of packets might differ and some packets can even be sent a few
times), the number of individual packets is different, hence the
number of Upgrade calls is different.

I am not sure if that is the reason, but I am not able to figure out
anything else.

-- 
Regards
Grzegorz Rusin


Re: how to decrypt encrypted PKCS8 with NULL-Byte (0x00) in binary-password

2008-03-02 Thread Grzegorz Rusin
You can make openssl read the password from a file:

-passin file:something.txt

Should do the trick.

Regards,
Grzegorz

On Sat, Mar 1, 2008 at 7:49 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello
>
>  I've got problems decrypting a PKCS8-encrypted private key with the
>  openssl application (not the library), because the password is binary and
>  contains NULL bytes (0x00).
>  The PKCS8-object is valid.
>
>  sample-password:  (hex) '0A 0B 91 00 17 F4 8E 4D FA BD 31 3D 72 43 ED A1'
>
>  sample-cmd:
>   > passwd=`cat 'binary_password_file.bin'`  (cat as example, also used
>  other ways)
>   > export passwd
>   > openssl pkcs8 -in filename.pkcs8 -inform DER -passin env:passwd
>  -outform DER
>
>  (Using '-passin file:passwdfile' or '-passin stdin' causes problems with
>  0x0A, cause these options read only the first line)
>
>  Platforms: Windows and Unix, and I prefer not to write a C program to
>  use the openssl library.
>
>
>  Can anyone help me to decrypt a pkcs8-encrypted rsa-key, using a
>  password, which contains NULL-Bytes ... please :)?
>
>  thx
> Fabian
>
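As an added illustration of the problem discussed in this thread (this is example code written for this page, not code from either poster or from the OpenSSL project), the snippet below emulates how the three passphrase sources behave, based on what the thread states: `-passin file:` and `-passin stdin` read one line and then treat it as a C string, so anything after the first 0x0A or 0x00 is lost; `-passin env:` can carry a newline but not a NUL, because the process environment is a block of NUL-terminated C strings. The sample passphrase is constructed from the hex string quoted in the question; the function names are this example's own, and it never invokes the openssl binary.

```python
"""Emulate which openssl -passin sources can carry a binary passphrase intact.

Added example for the openssl-users thread above; it does not call openssl
itself but models the behaviour the thread describes.
"""
import os

# Constructed sample: the same 16 bytes as the hex string quoted in the thread.
SAMPLE_PASSWORD = bytes.fromhex("0A0B910017F48E4DFABD313D7243EDA1")


def first_line_c_string(data: bytes) -> bytes:
    """Model '-passin file:' and '-passin stdin'.

    openssl reads a single line, strips the line terminator, and hands the
    result on as a NUL-terminated C string, so the usable passphrase ends at
    the first 0x0A or 0x00, whichever comes first.
    """
    line = data.split(b"\n", 1)[0]
    return line.split(b"\x00", 1)[0]


def env_accepts(value: bytes) -> bool:
    """Model '-passin env:NAME'.

    Environment values are C strings: a 0x00 byte cannot be stored at all.
    Python enforces the same rule when assigning to os.environ and raises
    ValueError for an embedded null byte. (The latin-1 round trip only keeps
    every byte representable; how non-ASCII bytes are re-encoded by the OS
    is not the point here, the NUL check is.)
    """
    name = "PASSIN_DEMO_" + str(os.getpid())   # throwaway variable name
    try:
        os.environ[name] = value.decode("latin-1")
    except ValueError:
        return False
    finally:
        os.environ.pop(name, None)
    return True


def survives(password: bytes) -> dict:
    """Report, per -passin source, whether the passphrase would arrive intact."""
    line = first_line_c_string(password)
    return {
        "file:": line == password,
        "stdin": line == password,
        # env: tolerates 0x0A (a value may contain newlines) but not 0x00
        "env:": env_accepts(password) and b"\x00" not in password,
    }


if __name__ == "__main__":
    for pw in (b"correct-horse", b"two\nlines", SAMPLE_PASSWORD):
        print(pw.hex(), survives(pw))
```

Run stand-alone it reports that a plain passphrase works everywhere, one containing only a newline survives through `env:`, and the sample from the thread (which starts with 0x0A and contains 0x00) survives none of the three, which is why the command-line tool alone cannot decrypt that key.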