[Fwd: Memory leak in TLS client side app]

2002-04-25 Thread Krishnaswamy R.

Hi all, 

This is a resend of a previous message. Any pointers
or tips will be very much appreciated.

thanks,
Krishna

-------- Original Message --------
Hi all,

I have written a TLS client using the OpenSSL library. It uses memory
BIOs as the input/output BIOs to the SSL connection.

The code flow of the client is as follows:

* SSL_CTX_new(...)
* SSL_CTX_use_certificate_ASN1(...)
* SSL_CTX_use_RSAPrivateKey_ASN1(...)
* X509_STORE_add_cert() // To add CA cert
* other init actions

* for ever
    * SSL_new(...)
    * create read & write BIOs
    * SSL_connect(...)
    * ...
    * SSL_free(...)
    * wait for reconnect event
* endfor

As the above code flow shows, the client has to periodically (based
on time or event) perform a TLS handshake with a TLS server for
authentication (EAP-TLS).

When this client is run for many iterations, it leaks memory. After
tracking OpenSSL mallocs, I have found that it leaks ~9K. This
9K leak does not happen on every iteration, but it happens on
every nth iteration (sometimes n is 1 or 3; it is variable). Soon
this leads to a lack of memory because the app will be running forever.

Any ideas on what could be causing the memory leak, or tips on
how to trace back this memory leak, are highly appreciated.

thanks,
Krishna
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]



Using 3DES algorithm in SSL with only 2 keys

2002-04-15 Thread Krishnaswamy R.

Hello,

In OpenSSL, is it possible to use the 3DES algorithm in an SSL
connection so that only 2 keys are used (so that the first and third
keys are the same)?

If so, could you please tell me how to do it? The need for this is to
use only a 112-bit key length because of the 128-bit key export
restriction.

Choosing "DES-CBC3-SHA" chooses 3DES with CBC using 3 keys. I am
not sure which cipher to choose if we want 3DES with CBC using 2 keys
only.

[There seems to be an init function (des_ede_init_key()) in
~/crypto/evp/e_des3.c which sets the third and the first key to be the
same. But it is not clear when it gets invoked.]

Thanks,
Krishna







Memory leak in TLS client side app

2002-04-15 Thread Krishnaswamy R.

Hi all,

I have written a TLS client using the OpenSSL library. It uses memory
BIOs as the input/output BIOs to the SSL connection.

The code flow of the client is as follows:

* SSL_CTX_new(...)
* SSL_CTX_use_certificate_ASN1(...)
* SSL_CTX_use_RSAPrivateKey_ASN1(...)
* X509_STORE_add_cert() // To add CA cert
* other init actions

* for ever
    * SSL_new(...)
    * create read & write BIOs
    * SSL_connect(...)
    * ...
    * SSL_free(...)
    * wait for reconnect event
* endfor

As the above code flow shows, the client has to periodically (based
on time or event) perform a TLS handshake with a TLS server for
authentication (EAP-TLS).

When this client is run for many iterations, it leaks memory. After
tracking OpenSSL mallocs, I have found that it leaks ~9K. This
9K leak does not happen on every iteration, but it happens on
every nth iteration (sometimes n is 1 or 3; it is variable). Soon
this leads to a lack of memory because the app will be running forever.

Any ideas on what could be causing the memory leak, or tips on
how to trace back this memory leak, are highly appreciated.

thanks,
Krishna




Re: Maximum size of server certificate

2002-01-24 Thread Krishnaswamy R.

Thanks a lot for the information. I checked out www.openssl.org.
It mentions OpenSSL 0.9.6c (21-Dec-2001) as the latest release.
Any idea when OpenSSL 0.9.7 is scheduled to be released?

thanks and regards,
Krishna
Lutz Jaenicke wrote:

> On Wed, Jan 23, 2002 at 05:42:58PM +0530, Krishnaswamy R. wrote:
> > I am interested in knowing how OpenSSL handles large certificates
> > in an SSL connection. My understanding is that OpenSSL would
> > dynamically allocate memory buffers for the certificate and process
> > them.
> >
> > We are running OpenSSL in a device where memory is at a premium.
> > The concern is that if the cert (rogue cert) is too large, then
> > OpenSSL may malloc all available system memory, which may cause our
> > device to hang or crash. This would make the device subject to Denial
> > of Service attacks.
> >
> > Is there any way in OpenSSL to specify a max limit to the size of
> > the certificates it handles in an SSL connection and reject
> > certificates bigger than that size?
>
> OpenSSL 0.9.7 has the new SSL_CTX_set_max_cert_list() family of
> functions, allowing one to limit the maximum size to be handled.
> The default is 1024*100 on all platforms except DOS.
>
> Best regards,
> Lutz




Re: Maximum size of server certificate

2001-12-20 Thread Krishnaswamy R.

Hi,

I am interested in knowing how OpenSSL handles large certificates
in an SSL connection. My understanding is that OpenSSL would
dynamically allocate memory buffers for the certificate and process
them.

We are running OpenSSL in a device where memory is at a premium.
The concern is that if the cert (rogue cert) is too large, then OpenSSL
may malloc all available system memory, which may cause our device
to hang or crash. This would make the device subject to Denial of Service
attacks.

Is there any way in OpenSSL to specify a max limit to the size of the
certificates it handles in an SSL connection and reject certificates bigger
than that size?

thanks,
Krishna

Eric Rescorla wrote:

> Oops. Hit send too early. Here's the complete response.
>
> "Krishnaswamy R." <[EMAIL PROTECTED]> writes:
> > Is there is any maximum size defined in TLS for a server's
> > certificate sent to the client?
> Yes, but it's ridiculously large.
>
> Officially, both any single certificate and the server's cert
> chain as a whole are limited to 2^24-1 bytes. In practice
> the limit is 5-10 bytes longer because no handshake message can
> be longer than 2^24-1 bytes and so when you factor in the
> size of various length bytes and such you get a little shrinkage.
>
> -Ekr
>
> --
> [Eric Rescorla   [EMAIL PROTECTED]]
> http://www.rtfm.com/
>




Maximum size of server certificate

2001-12-18 Thread Krishnaswamy R.

Hi all,

Is there any maximum size defined in TLS for a server's
certificate sent to the client?

Or is there any practical implementation size limit defined
in OpenSSL for the size of a server's certificate?

thanks,
Krishna




Identifying peer cert in verify_callback

2001-11-21 Thread Krishnaswamy R.

Hi all,

I am using a certificate verification callback function as follows:

SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cert_verify_cb);

In the callback function, in addition to the standard certificate
verification done by OpenSSL, I need to check the subject name
of the peer certificate.
Since the callback function is called for every certificate in the
certificate chain, from the parameter X509_STORE_CTX *,
how do I know if the current certificate is the peer certificate?

Any inputs/pointers will be greatly appreciated.

thanks,
Krishna





Setting CA cert for verification.

2001-11-21 Thread Krishnaswamy R.

Hi all,

I am working on a TLS client using OpenSSL on VxWorks.
I need to do server authentication. The OpenSSL function
SSL_CTX_load_verify_locations() takes a file as a
parameter for the CA certificate. In my application, there is
no standard file system and I have the CA cert (DER form)
in memory. Is there a way to set the CA cert memory buffer
as a trusted cert for an SSL context?

Any pointers will be very much appreciated.

thanks,
Krishna





Re: Multi-threading support in OpenSSL

2001-10-21 Thread Krishnaswamy R.

Hi all,

I didn't receive any replies on this. Any inputs or pointers
will be very much appreciated.

thanks,
Krishna

> Hi,
>
> I have a question regarding enabling multi-thread support in OpenSSL.
> We have ported the OpenSSL library to VxWorks. We have two
> applications (one server and one client). These two applications will
> run as separate tasks, each having its own SSL context. These tasks
> can concurrently do SSL operations.
> Since these two tasks have their own SSL contexts, do they need
> multi-thread protection? Does OpenSSL have some shared global
> data outside the SSL context? In VxWorks, since global data is global
> to all tasks, does this mean that we have to build OpenSSL with
> multi-thread support and provide locking callbacks?
>
> Any help on this will be very much appreciated.
>
> thanks,
> Krishna




Multi-threading support in OpenSSL

2001-10-17 Thread Krishnaswamy R.

Hi,

I have a question regarding enabling multi-thread support in OpenSSL.
We have ported the OpenSSL library to VxWorks. We have two
applications (one server and one client). These two applications will
run as separate tasks, each having its own SSL context. These tasks
can concurrently do SSL operations.
Since these two tasks have their own SSL contexts, do they need
multi-thread protection? Does OpenSSL have some shared global
data outside the SSL context? In VxWorks, since global data is global
to all tasks, does this mean that we have to build OpenSSL with
multi-thread support and provide locking callbacks?

Any help on this will be very much appreciated.

thanks,
Krishna
