SSL_write parameters after an SSL_ERROR_WANT_(READ|WRITE)

2002-05-28 Thread Joel Daniels

The openssl documentation says:

WARNING
When an SSL_write() operation has to be repeated because of
SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be repeated with the
same arguments.

Are there any ways to get around this?

Here is an example of where this might be a problem:
Supposing I attempted to write the time of day to an SSL stream, but failed
with the error SSL_ERROR_WANT_WRITE.  Later on I discover that I can write,
but by this time the time of day has changed by one second.  What am I to
do?

   - Joel Daniels

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
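
The pattern the quoted warning implies, shown as an added example that is not from the original post and not OpenSSL's own code: the application snapshots the value into a buffer it owns, and every retry hands that identical buffer and length back to the TLS layer. The live clock may move on while the socket is not writable, but the queued record is never rebuilt, so the arguments stay the same across attempts. No TLS library is linked here; out_rec, flush_rec, sim_write and send_time_with_retries are constructed stand-ins, and sim_write plays the part of a socket that reports "want write" a set number of times while checking that every attempt presented the same pointer, length and bytes.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors the OpenSSL convention in the quoted warning: a negative return
 * with "want write" means nothing was consumed and the identical call must
 * be repeated later. (Simulated here; no TLS library is linked.) */
#define TLS_WANT_WRITE (-1)

/* Pluggable writer so the retry logic can be exercised offline. */
typedef int (*write_fn)(const char *buf, int len, void *ctx);

/* An outgoing record: built once, frozen while a write is outstanding. */
typedef struct {
    char data[64];
    int  len;
    int  pending;   /* 1 while the write of this exact buffer is unfinished */
} out_rec;

/* Snapshot the time-of-day into the record. The snapshot, not the live
 * clock, is what the retries hand back to the TLS layer. */
void queue_timestamp(out_rec *r, long now_seconds) {
    r->len = snprintf(r->data, sizeof r->data, "time=%ld\n", now_seconds);
    r->pending = 1;
}

/* Retry with the same pointer and length until the write completes.
 * Returns 1 when the record is fully written, 0 if it must be retried. */
int flush_rec(out_rec *r, write_fn w, void *ctx) {
    if (!r->pending) return 1;
    int n = w(r->data, r->len, ctx);
    if (n == TLS_WANT_WRITE) return 0;   /* leave r untouched for the retry */
    r->pending = 0;
    return 1;
}

/* Constructed stand-in for a socket that reports "want write" a set number
 * of times. It also checks that every attempt presented the same buffer
 * address, length and bytes, which is the contract the warning describes. */
typedef struct {
    int fails_left;
    int calls;
    const char *last_ptr;
    int last_len;
    char last_bytes[64];
    int consistent;
} sim_ctx;

int sim_write(const char *buf, int len, void *vctx) {
    sim_ctx *c = (sim_ctx *)vctx;
    if (c->calls > 0 &&
        (buf != c->last_ptr || len != c->last_len ||
         memcmp(buf, c->last_bytes, (size_t)len) != 0))
        c->consistent = 0;
    c->last_ptr = buf;
    c->last_len = len;
    memcpy(c->last_bytes, buf, (size_t)len);
    c->calls++;
    if (c->fails_left > 0) { c->fails_left--; return TLS_WANT_WRITE; }
    return len;
}

static char g_last_payload[64];   /* what finally went out, for inspection */

/* Queue one timestamp, then keep flushing while the clock advances one
 * second per failed attempt. Returns the number of write calls needed,
 * or -1 if the retries ever changed the arguments. */
int send_time_with_retries(int want_write_count, long start_seconds) {
    out_rec r;
    sim_ctx c = { want_write_count, 0, NULL, 0, {0}, 1 };
    long now = start_seconds;
    int attempts = 0;

    queue_timestamp(&r, now);
    while (!flush_rec(&r, sim_write, &c)) {
        attempts++;
        now++;   /* time moves on, but the queued record is not rebuilt */
    }
    attempts++;
    snprintf(g_last_payload, sizeof g_last_payload, "%s", r.data);
    return c.consistent ? attempts : -1;
}

/* True if the last payload sent equals s (used by callers and tests). */
int payload_equals(const char *s) {
    return strcmp(g_last_payload, s) == 0;
}

int main(void) {
    int n = send_time_with_retries(2, 1000000000L);
    printf("attempts=%d payload=%s", n, g_last_payload);
    return n == 3 ? 0 : 1;
}
```

The relevant OpenSSL knob is SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER (set with SSL_CTX_set_mode), but it only relaxes the buffer-address part of the rule: the bytes passed on the retry must still be the same, so a snapshot of the kind above is needed either way. Generating a fresh timestamp for the retry would hand SSL_write() different contents mid-record, which is exactly what the documentation forbids.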



Ephemeral RSA Keys

2002-05-24 Thread Joel Daniels

From what I understand, Ephemeral Keys will keep someone who steals my
private key from being able to decrypt my SSL communication.  He can still
use a man-in-the-middle attack of course.

The SSL_CTX_set_options documentation says:

SSL_OP_EPHEMERAL_RSA

Always use ephemeral (temporary) RSA key when doing RSA operations (see
SSL_CTX_set_tmp_rsa_callback(3)). According to the specifications this is
only done, when a RSA key can only be used for signature operations (namely
under export ciphers with restricted RSA keylength). By setting this option,
ephemeral RSA keys are always used. This option breaks compatibility with
the SSL/TLS specifications and may lead to interoperability problems with
clients and should therefore never be used. Ciphers with EDH (ephemeral
Diffie-Hellman) key exchange should be used instead.

I, however, am developing both the client and the server; are there any
reasons why I should use Ephemeral RSA vs. Ephemeral DH?

Also, are there any reasons why I should not use Ephemeral Keys, period?

   - Joel Daniels




SSL_set_fd vs. SSL_set_bio

2002-05-24 Thread Joel Daniels

   Is there any benefit to creating my own BIO and using SSL_set_bio as
opposed to SSL_set_fd, if I am trying to associate the SSL object with a
file descriptor anyway?
   - Joel Daniels




RE: Alt Subject Name : IP Address

2001-10-04 Thread Joel Daniels

   >>Can anyone send me a code snippet showing how I get the subject
   >>alternate name (IP address) in a form useful for IP source verification?

   Don't know what you mean for sure, but here is some MS Visual C++ Client
Code that will verify the Server's Name (IP or DNS Name) based on the subject
line from the Server Certificate.

Note: this uses the CString Class which is part of Microsoft Foundation
Classes.  You can find CString documentation at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/html/_mfc_cstring.asp.

   // Wrapper and includes added so the snippet compiles as one unit (assumed):
   // m_pSSL is the connected SSL* (a member in the original), sAddress the
   // expected server name.
   #include <afx.h>            // CString (MFC)
   #include <openssl/ssl.h>
   #include <openssl/x509.h>

   BOOL VerifyServerName(SSL *m_pSSL)
   {
   CString sAddress = "the server name";
   X509 *ServerCert;
   ServerCert = SSL_get_peer_certificate(m_pSSL); //get the server certificate
   if(ServerCert == NULL)return FALSE; //could not get a certificate

   CString sCertAddress;
   char* szTempChar;
   szTempChar = X509_NAME_oneline(X509_get_subject_name(ServerCert), 0, 0); // get the server subject name (buf is 0, so OpenSSL allocates it and it must be freed below)
   if(szTempChar == NULL)
   {
  X509_free(ServerCert); //free the server cert
  return FALSE; //could not get a subject name
   }

   try{sCertAddress = szTempChar;} //attempt to set the value of sCertAddress to be the server subject name
   catch (...)
   {
  OPENSSL_free(szTempChar); //free the subject line
  X509_free(ServerCert); //free the server cert
  return FALSE; // could not copy the server subject name
   }
   OPENSSL_free(szTempChar); //free the subject line now that it has been copied
   X509_free(ServerCert); //free the server cert
   int iStartStrPos,iEndStrPos;
   iStartStrPos = sCertAddress.Find("/CN"); //Finding the portion of the subject name that relates to the Server Name
   if (iStartStrPos == -1) return FALSE; //Failed to find the server name in the server subject line
   iStartStrPos += 4;  // moving the start string pos from locating "/CN=SERVER_NAME" to SERVER_NAME (skips the four characters "/CN=")
   iEndStrPos = sCertAddress.Find('/',iStartStrPos+1);  //Finding the end of the server name
   if(iEndStrPos == -1)
  iEndStrPos = sCertAddress.GetLength(); //The end must be the end of the line
   try
   {
  sCertAddress = sCertAddress.Mid(iStartStrPos,iEndStrPos-iStartStrPos); //Extract the server name out of the subject line.
   }
   catch (...)
   {
  return FALSE; //There was a memory exception
   }
   if(sCertAddress != sAddress) //If the server name from the server certificate and the server name do not match...
  return FALSE;  //ERROR COULD NOT VALIDATE SERVER
   return TRUE; //server name matched the certificate subject
   }


Joel Daniels (a novice).

P.S. Please let me know if this code does not work.
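
Since the question asked about the subject alternative name rather than the subject line, here is an added example of the comparison step; it is not from the reply above and not OpenSSL's own code. With OpenSSL the entries come from X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL), which returns a GENERAL_NAMES stack; each entry whose type is GEN_IPADD carries the address as raw octets in d.iPAddress->data, with the byte count in d.iPAddress->length (4 for IPv4, 16 for IPv6). The code below takes those octets and compares them in binary against the address the client dialled, using inet_pton rather than string matching, so an IPv4 entry cannot be confused with an IPv6 literal or its IPv4-mapped form, malformed lengths are rejected, and a mismatching entry can be rendered as text for a log line. san_ip_matches, san_ip_to_text, SAMPLE_V4 and SAMPLE_V6 are constructed names; the block links only against the C library, so it runs without OpenSSL.

```c
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>

/* Results of matching one iPAddress SAN entry against the dialled address. */
enum san_ip_result {
    SAN_IP_MATCH      =  1,
    SAN_IP_MISMATCH   =  0,
    SAN_IP_NOT_AN_IP  = -1,   /* dialled a DNS name: check dNSName entries instead */
    SAN_IP_BAD_LENGTH = -2    /* entry is neither 4 nor 16 octets: malformed */
};

/* san_octets/san_len are the raw bytes of a GEN_IPADD entry, the same form
 * OpenSSL exposes as gen->d.iPAddress->data and ->length (4 octets for IPv4,
 * 16 for IPv6, network byte order). dialled is the textual address the
 * client actually connected to. */
int san_ip_matches(const unsigned char *san_octets, int san_len, const char *dialled) {
    unsigned char want[16];
    int want_len;

    if (inet_pton(AF_INET, dialled, want) == 1)       want_len = 4;
    else if (inet_pton(AF_INET6, dialled, want) == 1) want_len = 16;
    else return SAN_IP_NOT_AN_IP;

    if (san_len != 4 && san_len != 16) return SAN_IP_BAD_LENGTH;
    /* Compare binary to binary: an IPv4 entry never matches an IPv6 literal,
     * including the IPv4-mapped form ::ffff:a.b.c.d. */
    if (san_len != want_len) return SAN_IP_MISMATCH;
    return memcmp(san_octets, want, (size_t)san_len) == 0 ? SAN_IP_MATCH : SAN_IP_MISMATCH;
}

/* Render an entry as text for logging a mismatch. Returns 1 on success. */
int san_ip_to_text(const unsigned char *san_octets, int san_len, char *out, size_t outsz) {
    int af = san_len == 4 ? AF_INET : san_len == 16 ? AF_INET6 : -1;
    if (af < 0) return 0;
    return inet_ntop(af, san_octets, out, (socklen_t)outsz) != NULL;
}

/* Constructed sample entries: 10.0.0.1 and ::1 as they would appear in the
 * certificate's octet strings. */
const unsigned char SAMPLE_V4[4]  = { 10, 0, 0, 1 };
const unsigned char SAMPLE_V6[16] = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,1 };

int main(void) {
    char text[INET6_ADDRSTRLEN];
    const char *dialled = "10.0.0.2";   /* constructed: not the certificate's address */
    int r = san_ip_matches(SAMPLE_V4, sizeof SAMPLE_V4, dialled);
    if (r != SAN_IP_MATCH && san_ip_to_text(SAMPLE_V4, sizeof SAMPLE_V4, text, sizeof text))
        printf("dialled %s but certificate names %s (result %d)\n", dialled, text, r);
    return r == SAN_IP_MISMATCH ? 0 : 1;
}
```

Walking every GEN_IPADD entry and accepting the connection only if one returns SAN_IP_MATCH is the address-verification step that substring-matching the CN does not provide; OpenSSL 1.0.2 and later also offer X509_check_ip() and X509_check_ip_asc(), which perform this matching against the whole certificate for you.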