RE: Open SSL 1.1.1 and Vxworks 5.4.2 - Query on Entropy source
Users, An update here: See that we have OPENSSL_RAND_SEED_OS defined on our VxWorks based system. Would it be a trusted entropy source ? The default for VxWorks seems to be OPENSSL_RAND_SEED_NONE. Thanks, Prithvi From: Prithvi Raj R (Nokia) Sent: Tuesday, April 30, 2024 12:47 AM To: openssl-users@openssl.org Subject: Open SSL 1.1.1 and Vxworks 5.4.2 - Query on Entropy source Hi Users, A beginner on cryptography and Open SSL here. First query - On our VxWorks 5.4.2 based system with Open SSL 1.1.1, I would like to know what entropy source would be used by RAND_priv_bytes() to generate random numbers. Does Vxworks not use an OS based entropy source ? I see so in the openssl link: https://mta.openssl.org/pipermail/openssl-users/2020-March/012087.html. In our implementation, we have the OPENSSL_RAND_SEED_NONE macro definition commented in the opensslconf.h file. What would be the default entropy source then if OS based sources are not used ? Which Open SSL config file/compile parameter can help me zero in on the correct entropy source being used ? Wanted to know if the source is a trusted one or not. See that rand_drbg_get_entropy is being used (no parent drbg ;_rand_pool_acquire_entropy is used with entropy factor 2 being set) and entropy available is greater than 0. Second query - Please confirm if the following are valid: 1. Understand the Entropy size by default is 256 bits. 2. Understand that RAND_priv_bytes() is cryptographically secure (depends on the entropy source again ?) Thanks, Prithvi
Re: How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?
In openssl 1.1.1, I see that this bn_mod_exp function is called from "rsa_ossl_public_decrypt" : 566 if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, 567rsa->_method_mod_n)) { 568 goto err; 569 } so we are doing "f^(rsa->e)mod(rsa->n)" , this result is being filled in ret (a BIGNUM* type). This 'ret' variable is not a part of the RSA structure . So I think we need look for any bignum "BN" set functions(if available) to modify the BIGNUM structure attributes like 'd' array,top & dmax values , ..as this ret variable isn't the part of RSA structure (yet) when the bn_mod_exp is called. Checkout this function "rsa_ossl_public_decrypt" for more details. Hope that clarifies the scenario . Please let me know if you have any questions. Thanks, Prudvi. On Tue, Dec 22, 2020 at 3:45 AM prudvi raj wrote: > > > > Hello all, > > > > We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( > bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code > snippet of custom bn_mod_exp function: > > -- > > if(rr->d) > > { > > OPENSSL_free(rr->d); > > } > > rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > > rr->top = m->top; > > rr->dmax = m->top; > > rr->neg = 0; > > > > publicKeyData.operandALength = a->top * sizeof(BN_ULONG); > > publicKeyData.operandA = ( System::BYTE * )( a->d ); > > publicKeyData.operandBLength = p->top * sizeof(BN_ULONG); > > publicKeyData.operandB = ( System::BYTE * )( p->d ); > > publicKeyData.modulusLength = m->top * sizeof(BN_ULONG); > > publicKeyData.modulus = ( System::BYTE * )( m->d ); > > > > publicKeyData.resultLength = m->top * sizeof(BN_ULONG); > > publicKeyData.result = ( System::BYTE * )( rr->d ); > > > > calculate ( publicKeyData );< Bytes in "rr->d" buffer. > > -- > > I found a few 'get' functions (no set functions though) like -- > bn_get_top , bn_get_dmax. These are in "bn_intern.c" , not in "bn_lib.c" > (or BN API). > >OPENSSL_free(rr->d) > >rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); > > rr->top = m->top; > > rr->dmax = m->top; > > rr->neg = 0 > > > > As forward declarations are no longer allowed in openssl 1.1.1 , how to > replicate above operations in openssl 1.1.1 ? > > Are there any Set functions for set, dmax , d values (allocate memory > for rr->d) . ?! > > Please help me on this!! > > > > Thanks, > > Prudvi. > > > > IIUC, this is just a side effect of not being able to access the RSA > structure directly like in openssl 1.0.2 days. > The function RSA_set0_key() will allow you to set D, and there are > routines for other portions of the struct as well. > When the structure went opaque, getter and setters we're added for > your use, see: > - https://www.openssl.org/docs/man1.1.1/man3/RSA_set0_key.html > > If you need to keep backwards compat with 1.0.2, you can define those > getter/setter functions when building with 1.0.2 in your source > code. However, it's strongly recommended to not be using 1.0.2. > > Bill >
How to Manually allocate BIGNUM ->d and set dmax, top values to create a Result Buffer in openssl 1.1.1 ?
Hello all, We use a hardware accelerator to calculate BIGNUM rr = a^p mod m .( bn_mod_exp). I am trying to rewrite that logic for openssl 1.1.1. Code snippet of custom bn_mod_exp function: -- if(rr->d) { OPENSSL_free(rr->d); } rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); rr->top = m->top; rr->dmax = m->top; rr->neg = 0; publicKeyData.operandALength = a->top * sizeof(BN_ULONG); publicKeyData.operandA = ( System::BYTE * )( a->d ); publicKeyData.operandBLength = p->top * sizeof(BN_ULONG); publicKeyData.operandB = ( System::BYTE * )( p->d ); publicKeyData.modulusLength = m->top * sizeof(BN_ULONG); publicKeyData.modulus = ( System::BYTE * )( m->d ); publicKeyData.resultLength = m->top * sizeof(BN_ULONG); publicKeyData.result = ( System::BYTE * )( rr->d ); calculate ( publicKeyData );d) rr->d = ( BN_ULONG * )( malloc( m->top * sizeof(BN_ULONG) ) ); rr->top = m->top; rr->dmax = m->top; rr->neg = 0 As forward declarations are no longer allowed in openssl 1.1.1 , how to replicate above operations in openssl 1.1.1 ? Are there any Set functions for set, dmax , d values (allocate memory for rr->d) . ?! Please help me on this!! Thanks, Prudvi.
Re: Set custom bn_mod_exp functions in openssl 1.1.1
Thanks for the Reply!!. I have a doubt , is it necessary to create a duplicate method ?? , Actually in my case this custom "set" function would be called only once during system initialization & we need to use those hardware accelerator functions for all the crypto operations to be done later. So here's what i did : -- new code : static DH_METHOD *Intoto_DH_Method; static RSA_METHOD *Intoto_RSA_Method; static DSA_METHOD *Intoto_DSA_Method; void updatePublicKeyMethods() { Intoto_DH_Method = (DH_METHOD *)DH_get_default_method(); DH_meth_set_bn_mod_exp(Intoto_DH_Method, Intoto_DH_mod_exp); DH_set_default_method(Intoto_DH_Method); << I guess, there's no need to set the same as default again ?? Intoto_RSA_Method = (RSA_METHOD *)RSA_get_default_method(); RSA_meth_set_bn_mod_exp(Intoto_RSA_Method, Intoto_RSA_mod_exp); RSA_set_default_method(Intoto_RSA_Method); Intoto_DSA_Method = (DSA_METHOD *)DSA_get_default_method(); DSA_meth_set_bn_mod_exp(Intoto_DSA_Method, Intoto_DSA_mod_exp); DSA_set_default_method(Intoto_DSA_Method); return; } -- old code : static DH_METHOD Intoto_DH_Method; static RSA_METHOD Intoto_RSA_Method; static DSA_METHOD Intoto_DSA_Method; void updatePublicKeyMethods() { Intoto_DH_Method = *(DH_get_default_method()); Intoto_DH_Method.bn_mod_exp = Intoto_DH_mod_exp; DH_set_default_method(&Intoto_DH_Method); Intoto_RSA_Method = *(RSA_get_default_method()); Intoto_RSA_Method.bn_mod_exp = Intoto_RSA_mod_exp; RSA_set_default_method(&Intoto_RSA_Method); Intoto_DSA_Method = *(DSA_get_default_method()); Intoto_DSA_Method.bn_mod_exp = Intoto_DSA_mod_exp; DSA_set_default_method(&Intoto_DSA_Method); return; } -- Do you suggest any modifications, If any ?? Thanks, Prudvi. On Thu, Dec 17, 2020 at 4:07 PM Tomas Mraz wrote: > On Thu, 2020-12-17 at 15:16 +0530, prudvi raj wrote: > > Hi, > > > > I need to set custom accelerated functions for bn_mod_exp methods in > > openssl 1.1.1, while upgrading for openssl 1.0.2. Here's the code > > snippet () : > > -- > > static DH_METHOD Intoto_DH_Method; > > static RSA_METHOD Intoto_RSA_Method; > > static DSA_METHOD Intoto_DSA_Method; > > > > void updatePublicKeyMethods() > > { > > Intoto_DH_Method = *(DH_get_default_method()); > > Intoto_DH_Method.bn_mod_exp = Intoto_DH_mod_exp; > > DH_set_default_method(&Intoto_DH_Method); > > > > Intoto_RSA_Method = *(RSA_get_default_method()); > > Intoto_RSA_Method.bn_mod_exp = Intoto_RSA_mod_exp; > > RSA_set_default_method(&Intoto_RSA_Method); > > > > Intoto_DSA_Method = *(DSA_get_default_method()); > > Intoto_DSA_Method.bn_mod_exp = Intoto_DSA_mod_exp; > > DSA_set_default_method(&Intoto_DSA_Method); > > > > return; > > } > > -- > > As RSA_METHOD,DSA_METHOD & DH_METHOD objects are Opaque now , Can > > anyone help me with what would be the replacement for above code ?? > > There is RSA_meth_set_bn_mod_exp() function and the respective > equivalents for DH and DSA. Of course you'll also have to use > RSA_meth_dup() to duplicate the default method before you can > manipulate it. And you'll need to free it once you stop using the > OpenSSL functions. > > -- > Tomáš Mráz > No matter how far down the wrong road you've gone, turn back. > Turkish proverb > [You'll know whether the road is wrong if you carefully listen to your > conscience.] > > >
Set custom bn_mod_exp functions in openssl 1.1.1
Hi, I need to set custom accelerated functions for bn_mod_exp methods in openssl 1.1.1, while upgrading for openssl 1.0.2. Here's the code snippet () : -- static DH_METHOD Intoto_DH_Method; static RSA_METHOD Intoto_RSA_Method; static DSA_METHOD Intoto_DSA_Method; void updatePublicKeyMethods() { Intoto_DH_Method = *(DH_get_default_method()); Intoto_DH_Method.bn_mod_exp = Intoto_DH_mod_exp; DH_set_default_method(&Intoto_DH_Method); Intoto_RSA_Method = *(RSA_get_default_method()); Intoto_RSA_Method.bn_mod_exp = Intoto_RSA_mod_exp; RSA_set_default_method(&Intoto_RSA_Method); Intoto_DSA_Method = *(DSA_get_default_method()); Intoto_DSA_Method.bn_mod_exp = Intoto_DSA_mod_exp; DSA_set_default_method(&Intoto_DSA_Method); return; } -- As RSA_METHOD,DSA_METHOD & DH_METHOD objects are Opaque now , Can anyone help me with what would be the replacement for above code ?? Thanks, Prudvi
i2d & ASN1_SEQUENCE related query in openssl 1.1.1.
Hi, I am trying to write replacement ASN1 macros for i2d/d2i functions in openssl 1.1.1 Previously: typedef struct pkcs7_issuer_and_subject_st { X509_NAME *issuer; /* Certificate Issuer's name */ X509_NAME *subject; /* Certificate's subject name */ } PKCS7_ISSUER_AND_SUBJECT; i2d function: int i2d_PKCS7_ISSUER_AND_SUBJECT (PKCS7_ISSUER_AND_SUBJECT * a, unsigned char **pp) { M_ASN1_I2D_vars (a); M_ASN1_I2D_len (a->issuer, i2d_X509_NAME); M_ASN1_I2D_len (a->subject, i2d_X509_NAME); M_ASN1_I2D_seq_total (); M_ASN1_I2D_put (a->issuer, i2d_X509_NAME); M_ASN1_I2D_put (a->subject, i2d_X509_NAME); M_ASN1_I2D_finish (); } == New : DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT) ASN1_SEQUENCE(PKCS7_ISSUER_AND_SUBJECT) = { ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, issuer, X509_NAME), ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, subject, X509_NAME) } ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SUBJECT) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT) Finally , we can call the function : ulLen = i2d_PKCS7_ISSUER_AND_SUBJECT (&pkcs7IssuerAndSub, &ptr); Is this the correct way , or am I missing anything ?? ( does it need DECLARE_ASN1_ALLOC_FUNCTIONS & DECLARE_ASN1_ITEM .. ...etc.,.) Can anyone help me out in this regard !! Thanks, Prudvi.
Does Openssl 1.1.1 Supports GHS Platforms ??
Hi, We are upgrading openssl library of our Embedded systems(Networking) codebase which runs on multiple platforms(Linux, Qnx & GHS) , to version 1.1.1g . (currently using 1.0.2.k) With Openssl 1.1.1g ,the CHANGES doc specifies that "QNX support has been removed" , but nowhere there's a mention of GHS .. I couldn't find a list which specifies all the supported platforms by openssl 1.1.1g ,(wiki shows something of Linux, Android, ios , Windows etc.) , So, can Openssl 1.1.1 be integrated into ghs platforms ? (is it still supported ??) Thanks, Prudvi.
Failure of ..new() for CTX objects in openssl 1.1.1g
Hi, we are upgrading our codebase to openssl 1.1.1g from openssl 1.0.2k Previously, all the ctx objects are allocated memory using "calloc" typedef struct CryptWrapMDContext_t { #ifdef OPENSSL EVP_MD_CTX evpMDCtx; .. struct CryptWrapMDContext_t *pNext; } Allocation : return ((CryptWrapMDContext_t *) calloc (1, sizeof (CryptWrapMDContext_t))); Now that in openssl 1.1.1 , as objects are opaque , we have to use pointers (*) & new() . typedef struct CryptWrapMDContext_t { #ifdef OPENSSL EVP_MD_CTX *evpMDCtx; .. struct CryptWrapMDContext_t *pNext; } CryptWrapMDContext_t; So Allocation becomes : CryptWrapMDContext_t *pTemp; pTemp = ((CryptWrapMDContext_t *) calloc (1, sizeof (CryptWrapMDContext_t))); pTemp-> evpMDCtx = EVP_MD_CTX_new(); return pTemp; But , we are seeing crash upon the call of EVP_MD_CTX_new(); (new is returning null) So, are there any probable reasons why the new() has failed ?? Regards, prud.
'OPENSSLDIR' undeclared in openssl 1.1.1g
Hi, I couldn't find where this macro is #defined , previously in 1.0.2 it was defined in opensslconf.h . So , i am getting this error during compilation : openssl/crypto/x509/x509_def.c:17:12: error: 'OPENSSLDIR' undeclared (first use in this function) . This error is resolved if OPENSSLDIR is #defined in opensslconf.h as /usr/local/ssl (default btw). Can someone help me out with this? , why the OPENSSLDIR isn't #defined in any .h files or was i missing something? Used : ./Configure no-threads no-dso no-shared no-zlib no-asm no-engine no-bf no-camellia no-cast no-md2 no-md4 no-mdc2 no-ocsp no-rc2 no-rc5 no-hw no-idea no-srp gcc --with-rand-seed=none Thanks, Prud.
Re: 'in_addr_t' in openssl 1.1.1g ??
"aes_core.o aes_cbc.o", apps_aux_src => "", apps_init_src => "", apps_obj => "", bf_asm_src => "bf_enc.c", bf_obj => "bf_enc.o", bn_asm_src => "bn_asm.c", bn_obj => "bn_asm.o", bn_ops => "BN_LLONG", build_file => "Makefile", build_scheme => [ "unified", "unix" ], cast_asm_src => "c_enc.c", cast_obj => "c_enc.o", cflags => "", chacha_asm_src => "chacha_enc.c", chacha_obj => "chacha_enc.o", cmll_asm_src => "camellia.c cmll_misc.c cmll_cbc.c", cmll_obj => "camellia.o cmll_misc.o cmll_cbc.o", cppflags => "", cpuid_asm_src => "mem_clr.c", cpuid_obj => "mem_clr.o", defines => [ ], des_asm_src => "des_enc.c fcrypt_b.c", des_obj => "des_enc.o fcrypt_b.o", disable => [ ], dso_extension => ".so", ec_asm_src => "", ec_obj => "", enable => [ ], exe_extension => "", includes => [ ], keccak1600_asm_src => "keccak1600.c", keccak1600_obj => "keccak1600.o", lflags => "", lib_cflags => "", lib_cppflags => "", lib_defines => [ ], md5_asm_src => "", md5_obj => "", modes_asm_src => "", modes_obj => "", module_cflags => "", module_cppflags => "", module_cxxflags => "", module_defines => "", module_includes => "", module_ldflags => "", module_lflags => "", padlock_asm_src => "", padlock_obj => "", poly1305_asm_src => "", poly1305_obj => "", rc4_asm_src => "rc4_enc.c rc4_skey.c", rc4_obj => "rc4_enc.o rc4_skey.o", rc5_asm_src => "rc5_enc.c", rc5_obj => "rc5_enc.o", rmd160_asm_src => "", rmd160_obj => "", shared_cflag => "", shared_cppflag => "", shared_cxxflag => "", shared_defines => "", shared_extension => ".so", shared_extension_simple => ".so", shared_includes => "", shared_ldflag => "", shared_rcflag => "", shared_target => "", thread_defines => [ ], thread_scheme => "(unknown)", unistd => "", uplink_aux_src => "", uplink_obj => "", wp_asm_src => "wp_block.c", wp_obj => "wp_block.o", Recorded environment: AR = ARFLAGS = AS = ASFLAGS = BUILDFILE = CC = CFLAGS = CPP = CPPDEFINES = CPPFLAGS = CPPINCLUDES = CROSS_COMPILE = CXX = CXXFLAGS = HASHBANGPERL = LD = LDFLAGS = LDLIBS = MT = MTFLAGS = OPENSSL_LOCAL_CONFIG_DIR = PERL = RANLIB = RC = RCFLAGS = RM = WINDRES = __CNF_CFLAGS = __CNF_CPPDEFINES = __CNF_CPPFLAGS = __CNF_CPPINCLUDES = __CNF_CXXFLAGS = __CNF_LDFLAGS = __CNF_LDLIBS = Makevars: AR = /opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe-ar ARFLAGS = r CC = /opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe-gcc CFLAGS = -O3 CPPDEFINES = CPPFLAGS= CPPINCLUDES = CROSS_COMPILE = /opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe- CXXFLAGS= HASHBANGPERL= /usr/bin/env perl LDFLAGS = LDLIBS = PERL= /usr/bin/perl RANLIB = /opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe-ranlib RC = /opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe-windres RCFLAGS = NOTE: These variables only represent the configuration view. The build file template may have processed these variables further, please have a look at the build file for more exact data: Makefile build file: Makefile build file templates: Configurations/common0.tmpl Configurations/unix-Makefile.tmpl Configurations/common.tmpl On Thu, Aug 6, 2020 at 2:07 AM Benjamin Kaduk wrote: > On Thu, Aug 06, 2020 at 01:51:35AM +0530,
'in_addr_t' in openssl 1.1.1g ??
Hi there, I got this error during compilation , in file b_addr.c : In function 'BIO_lookup_ex': /b_addr.c:748:9: error: unknown type name 'in_addr_t' I see that "in_addr_t" is defined in "netinet/in.h" & "arpa/inet.h" in toolchain (typedef uint32_t in_addr_t;). i have even tried to #include<> these files directly but that doesn't seem to fix the error. Btw, these files are included already , but under conditional #if 's. I am surprised why the error persists , even after directly including the respective source file ?? Here's the config options i used : ./Configure no-threads no-dso no-ct no-shared no-zlib no-asm no-engine no-bf no-aria no-blake2 no-camellia no-cast no-md2 no-md4 no-mdc2 no-ocsp no-rc2 no-rc5 no-hw-padlock no-idea no-srp gcc --with-rand-seed=none --cross-compile-prefix=/opt/toolchains/adtn-6/sysroots/x86_64-fslsdk-linux/usr/bin/ppce500v2-fsl-linux-gnuspe/powerpc-fsl-linux-gnuspe- PS : same error without any cross compile prefix , using only gcc. Thanks, Prudvi.
error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before - openssl 1.1.1 compilation
Hi, During compilation of openssl 1.1.1g , i am seeing this error : openssl/crypto/ec/ecp_nistz256_table.c:31: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘ecp_nistz256_precomputed’ options used : ./Configure no-threads no-dso no-shared no-zlib no-asm no-engine no-bf no-camellia no-cast no-md2 no-md4 no-mdc2 no-ocsp no-rc2 no-rc5 no-hw no-idea no-srp gcc Anyone has any idea why this error popped up & how to resolve these?. Thanks, Prudvi.
Re: error : unknown type name 'sa_family_t' in openssl 1.1.1g
./Configure no-threads no-dso no-shared no-zlib no-asm no-engine no-bf no-camellia no-cast no-md2 no-md4 no-mdc2 no-ocsp no-rc2 no-rc5 no-hw no-idea no-srp gcc -prud On Fri, 24 Jul, 2020, 11:00 am Richard Levitte, wrote: > It would be helpful if you showed us the Configure options, as they > may very well have affected diverse macros. > > Cheers, > Richard > > On Thu, 23 Jul 2020 21:39:45 +0200, > prudvi raj wrote: > > Hi, > > > > We are upgrading our code base to openssl 1.1.1g from 1.0.2k. > > During Compilation i am seeing this error : > > In file included from > /openssl/include/internal/sockets.h:67:0, > > from /openssl/crypto/bio/bio_local.h:11, > > from /openssl/crypto/bio/bss_mem.c:12: > > > /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:469:7: > error: > > unknown type name 'sa_family_t' > > > /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:497:8: > error: > > unknown type name 'sa_family_t' > > > /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:519:10: > error: > > unknown type name 'sa_family_t' > > > /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:543:4: > error: > > unknown type name 'sa_family_t' > > > /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:562:41: > error: > > unknown type name 'sa_family_t' > > > > In bio_local.h , if we remove "#include" & replace > it with "#include > socket.h>" , the error is gone !! . But I am not sure is this correct ?? > > Btw , even "internal/sockets.h " has " #include". > > > > How to resolve this , Might I have missed something during configure & > compilation ?? > > fwiw: have given "./configure gcc" & same was given when we > had upgraded to 1.0.2 from > > previous versions long ago. > > > > Thanks, > > Prud. > > > > > -- > Richard Levitte levi...@openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ >
error : unknown type name 'sa_family_t' in openssl 1.1.1g
Hi, We are upgrading our code base to openssl 1.1.1g from 1.0.2k. During Compilation i am seeing this error : In file included from /openssl/include/internal/sockets.h:67:0, from /openssl/crypto/bio/bio_local.h:11, from /openssl/crypto/bio/bss_mem.c:12: /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:469:7: error: unknown type name 'sa_family_t' /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:497:8: error: unknown type name 'sa_family_t' /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:519:10: error: unknown type name 'sa_family_t' /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:543:4: error: unknown type name 'sa_family_t' /opt/toolchains/adtn-6/sysroots/ppce500v2-fsl-linux-gnuspe/usr/include/netdb.h:562:41: error: unknown type name 'sa_family_t' In bio_local.h , if we remove "#include" & replace it with "#include" , the error is gone !! . But I am not sure is this correct ?? Btw , even "internal/sockets.h " has " #include". How to resolve this , Might I have missed something during configure & compilation ?? fwiw: have given "./configure gcc" & same was given when we had upgraded to 1.0.2 from previous versions long ago. Thanks, Prud.
Re: Generate opensslconf.h - openssl 1.0.2 vs openssl 1.1.1g
Hello, --- Re : OPENSSLDIR in openssl 1.1.1--- I have successfully generated opensslconf.h , (used make , not make...opensslconf.h - had to generate other .h files as well). Upon comparing contents of opensslconf.h from 1.0.2 & 1.1.1 , i see that: "OPENSSLDIR" is #define 'ed in opensslconf.h in 1.0.2 & not in 1.1.1. Now, i got the error : /openssl/crypto/x509/x509_def.c: In function 'X509_get_default_private_dir': / openssl/crypto/x509/x509_def.c:17:12: error: 'OPENSSLDIR' undeclared (first use in this function) Although , the log of "make" showed OPENSSLDIR as "/usr/local/ssl" , which is default . I couldn't find where this is #define 'ed. May I know , where it's defined in openssl 1.1.1g or how this error can be resolved. ? Thanks, -Prud On Fri, Jul 17, 2020 at 2:32 PM Richard Levitte wrote: > On Thu, 16 Jul 2020 22:01:51 +0200, > prudvi raj wrote: > > How do i generate "opensslconf.h" in openssl 1.1.1g? > > From docs, i assume it is created after we give "./Configure > gcc". > > I observe that "opensslconf.h" is created only on giving "make" after > ./Configure... But this > > additionally created .d & .o files in crypto folders. > > Yes, generation of most such files have moved to the building phase > rather than the configuration phase, so to say. > > The really quick way to get an individual file of this sort is to > simply make it, i.e.: > > make include/openssl/opensslconf.h > > > For openssl1.0.2 , the same opensslconf.h is created right after > "./Configure" . > > (all .h files in include directory are created after ./Configure, > whereas in 1.1.1 .h files appear > > in include directory - without any ./Configure) > > Yeah, before 1.1.0, the public header files were spread around in > diverse crypto/ subdirectories, and they got symlinked into > include/openssl, or copied, on platforms that don't support symbolic > links. We moved them permanently to include/openssl in 1.1.0, which > means the symlinking is no longer needed. > > > For context , we are upgrading our project to openssl 1.1.1g from 1.0.2k > & i am concerned about > > this .d & .o files, in case i build the whole project - which is > including openssl folder. > > I don't quite understand why .o files are a concern, they are the > normal object files that are used to build up libraries and > applications, and are produced in OpenSSL before 1.1.0 as well. > > Cheers, > Richard > > -- > Richard Levitte levi...@openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ >
"rsa->meth->rsa_sign" method in Openssl 1.1.1g
While upgrading to openssl 1.1.1 from 1.0.2k . I came across this code snippet : if (rsa->flags & RSA_FLAG_SIGN_VER) return rsa->meth->rsa_sign (type, m, lLen, sigret, siglen, rsa); >From Docs : Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions will be called when RSA_sign() and RSA_verify() are used. /* * New sign and verify functions: some libraries don't allow arbitrary * data to be signed/verified: this allows them to be used. Note: for * this to work the RSA_public_decrypt() and RSA_private_encrypt() should * *NOT* be used RSA_sign(), RSA_verify() should be used instead. */ In Latest Openssl 1.1.1 : -- RSA_FLAG_SIGN_VER is not required . To get flags : RSA_flags(rsa). -- "struct rsa_meth_st" has "rsa_sign" declared as a function pointer . I cannot find any actual function definition that the above "meth->rsa_sign " might point to , which can be called as this forward declaration is not allowed anymore . Maybe "RSA_sign()" ?? Moreover , "RSA_sign()" function has the same return code snippet above. . So, what is a suitable replacement for the above snippet in openssl 1.1.1g ?? Can Someone help me on this !!, TIA . Regards, Prud.
Generate opensslconf.h - openssl 1.0.2 vs openssl 1.1.1g
Hello, How do i generate "opensslconf.h" in openssl 1.1.1g? >From docs, i assume it is created after we give "./Configure gcc". I observe that "opensslconf.h" is created only on giving "make" after ./Configure... But this additionally created .d & .o files in crypto folders. For openssl1.0.2 , the same opensslconf.h is created right after "./Configure" . (all .h files in include directory are created after ./Configure, whereas in 1.1.1 .h files appear in include directory - without any ./Configure) For context , we are upgrading our project to openssl 1.1.1g from 1.0.2k & i am concerned about this .d & .o files, in case i build the whole project - which is including openssl folder. Thanks, Prud.
get data from X509_EXTENSION in openSSL 1.1.1.
Hi All, we are upgrading our codebase to 1.1.1 from 1.0.2k.Here's a code snippet causing error : ext = X509_get_ext(X509, n); data = ext->value->data; How do i get the data value from X509_EXTENSION object. since forward declarations are not allowed (compiler error) & i couldn't find a suitable 'getter' function. Can someone please help me out in resolving this issue.?? Thanks, Prudvi.
[openssl-users] Issue with TLS1.3 and s_time
I'm having an issue with s_time and s_server using the latest OpenSSL (1.1.1-dev) and tls1_3. When I use tls1_2 connections are established and data is transferred. However, when I use tls1_3 data is not transferred (connections are established). Below are the commands I use for s_time and s_server.I provided the output when I used -tls1_2 vs. -tls1_3 on the server. Notice "bytes read 0" for TLS 1.3.(I tried this on the loopback as well as 2 separate boxes) Is this a known issue with s_time? This is the client: s_time -new -connect localhost:44330 -www /1M.txt -cipher ECDHE-RSA-AES256-GCM-SHA384:TLS13-AES-256-GCM-SHA384 This is the server: openssl s_server -key key.pem -cert cert.pem -accept 44330 -WWW -tls1_3 This is what I see with tls1_2: 1086 connections in 0.46s; 2360.87 connections/user sec, bytes read 51042 1086 connections in 2 real seconds, 47 bytes read per connection This is what I see with tls1_3: 17663 connections in 7.67s; 2302.87 connections/user sec, bytes read 0 17663 connections in 31 real seconds, 0 bytes read per connection -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Set Time out for SSL read
Hi Thank you so much for your reply Can you please let me know how can I set time out as a whole. I think you are mentioning about SSL_CTX_Set_timeout function. If it is so then I have set the time out using this function, and sadly I didn't get the expected result. Thanks, Raj Rajmohan SK - Original Message - From: "David Schwartz" To: Sent: Thursday, September 30, 2010 6:09 PM Subject: Re: Set Time out for SSL read On 9/29/2010 11:41 PM, Raj wrote: Hi All Is there any method to set time our for SSL _read function. As from the Open SSL document SSL_read will not return if there is no data to read from the socket You really shouldn't need this. If you know for sure that it's the other side's turn to transmit, you should be timing out the connection (or even application) as a whole, not just the read. If you don't know for sure that it's the other side's turn to transmit, you should not be making a blocking call to SSL_read. In any event, I recommend that you basically never use blocking functions. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Set Time out for SSL read
Hi All Is there any method to set time our for SSL _read function. As from the Open SSL document SSL_read will not return if there is no data to read from the socket Thanks, Raj Rajmohan SK
Reading Transfer-Encoding: chunked data
Can anybody tell me how to read the chunked data using Open SSL API, I am writing a Man In The Middle application which intercepts the browser request and sends own request to the server , read the information from the server and puts it back to the browser. Now I am some what blocked in point where I need to read the Chunked Data from the server I have used the Open SSL function SSL_read in a loop which works until it get 0 length chunked data, But some time I am not getting 0 sized data. Is there anything else to do. I am pasting my code snippet below do { memset(pcBuff,'\0',iBufferSize); // Initializes the char * to null value dwReadDataLen = SSL_read(pServerssl,pcBuff,iBufferSize); // Read data from the Server if(dwReadDataLen == 0 || dwReadDataLen == SOCKET_ERROR) break; SSL_write(pBrowserssl,pcBuff,dwReadDataLen); // Write back to the browser if(GetChunkedSize(pcBuff) == 0) // This function checks whether the last characters = \n\r and if found it retrieves the value break; } while(true); Thanks, Raj Rajmohan SK
Re: SHA-1 Hash Problem with i2d_Pubkey()
Hi David/Stefan, Thanks for the reply. The core of the problem was that after calling i2d_PUBKEY() issuer_pubkey was pointing to end of the buffer. Interesting part is why it was working [same pubkey data] all time in single test program and not my application. In single test program, issuer_pbukey was only malloc, so when I was dumping issuer_pubkey, it was nothing but common heap data which was same all the time. While is my application the heap data was changing all the time, bcoz of so many malloc() and free(), so issuer_pubkey was different in each run. Thanks again. Best Regards, Raj On Mon, Sep 13, 2010 at 3:22 PM, David Schwartz wrote: > On 9/12/2010 11:38 PM, Raj Singh wrote: > > issuer_pubkey_len = i2d_PUBKEY(pubKey, NULL); >> issuer_pubkey = malloc(issuer_pubkey_len); >> i2d_PUBKEY(pubKey, &issuer_pubkey); >> memory_dump("issuer_pubkey", issuer_pubkey, issuer_pubkey_len); >> >> The problem, is issuer_pubkey buffer is different each time, I run the >> my application using same code. >> > > Umm, you forgot to save the original issuer_pubkey. After the call to > i2d_PUBKEY, issuer_pubkey points elsewhere. Try: > > > issuer_pubkey_len = i2d_PUBKEY(pubKey, NULL); > issuer_pubkey = malloc(issuer_pubkey_len); > foo=issuer_pubkey; > i2d_PUBKEY(pubKey, &foo); > > memory_dump("issuer_pubkey", issuer_pubkey, issuer_pubkey_len); > > DS > >
SHA-1 Hash Problem with i2d_Pubkey()
Hi! I was to send SHA1 hash of my public to some peer. For that i have written a function: EVP_PKEY * ReadPublicKey(const char *certfile) { FILE *fp = fopen (certfile, "r"); X509 *x509; EVP_PKEY *pkey; if (!fp) return NULL; x509 = PEM_read_X509(fp, NULL, 0, NULL); if (x509 == NULL) { ERR_print_errors_fp (stderr); return NULL; } fclose (fp); pkey=X509_extract_key(x509); X509_free(x509); if (pkey == NULL) ERR_print_errors_fp (stderr); return pkey; } Then, I am extracting the public key in a buffer: pubKey = ReadPublicKey(PUBFILE); if(!pubKey) { fprintf(stderr,"Error: can't load public key"); exit(1); } issuer_pubkey_len = i2d_PUBKEY(pubKey, NULL); issuer_pubkey = malloc(issuer_pubkey_len); i2d_PUBKEY(pubKey, &issuer_pubkey); memory_dump("issuer_pubkey", issuer_pubkey, issuer_pubkey_len); The problem, is issuer_pubkey buffer is different each time, I run the my application using same code. To debug the problem, i created a separate test code, just reading the issuer cert in .pem format and reading the pubkey in buffer, the buffer is same each time i run test code as expected. How come pubkey in a buffer can be different each time in my application ? Is this some -lcrypto linking problem ? I have also debugged for memory corruption. It is not present. Please provide some pointers. Thanks for the help in advance. Best Regards, Raj
Re: Man in the middle proxy - Not working
I have tried so many methods to get the data from the webserver. But in all cases it doesnot seems to be get completed. Can you send me some code snippet to get the whole content. In normal proxying I have used the following method // This is the user defined function which returns true if the source string have "Connection: keep-alive" otherwise false if( !IsConnectionAlive(proxyRecvBuf.buf) ) { do { // Connection is closed here so send output to the source memcpy(sSendBuf,sBuff,iBufferSize); send(OutputSocket,sSendBuf,dwReadDataLen,0); // User defined function for reading the content data from the socket dwReadDataLen = Receive(RequestSock,proxyRecvBuf,proxyRecvOverlapped,dwFlag,WSA_INFINITE,FALSE); if(0 == dwReadDataLen || SOCKET_ERROR == dwReadDataLen) break; }while(true); } else { // Connection alive do { memcpy(sSendBuf,sBuff,iBufferSize); send(OutputSocket,sSendBuf,dwReadDataLen,0); memset(sBuff,0,iBufferSize); // User defined function for reading the content data from the socket // Try to Recieve the data in 1 second interval. dwReadDataLen = Receive(RequestSock,proxyRecvBuf,proxyRecvOverlapped,dwFlag,1000,FALSE); if(0 == dwReadDataLen || SOCKET_ERROR == dwReadDataLen) break; }while(true); } In the 'connect-alive' case I am trying to read the data in 1 second interval. I am not sure about how to achieve this using OpenSSL API's. Please let know is this the right approach to do it in SSL commuincation and also How to set the time out along with a recieve request Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Saturday, August 21, 2010 6:53 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Wednesday, 18 August, 2010 06:49 I have tried one more method to read the data from the socket, which was partially successful it is defined as follows do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets the data from the server side SSL_write(SourceSsl,pBuff,dwReadDataLen); // Writes the data back to the SSL } while(dwReadDataLen > 0 ); That is my simple until-EOF version, see below. By using this method I am able to read the content data from the server and put it back to my browser. But this method is not consistent though, Sometimes browse request will not get completed and also it takes lot of time complete one browse request That's pretty vague. One off-the-cuff guess: As I alluded to, this method has the limitation that it will only (exit and) close when the server does, so if the request allows keepalive and the server chooses it, you never turn around and see if the client=browser is trying again. Maybe it is. If so, *that* request will never go anywhere. Maybe your browser is timing out that request and retrying on a new (good) connection. Maybe this depends on your browser/version/config or request(s), or even the contents of the response page e.g. script or ActiveX. You could look at the response data (just the headers is enough) to see if keepalive is enabled, and check whether your loop actually exits (i.e. you got EOF, which you *probably* won't *if* the server chose keepalive). Or you could look at both responses and requests on the local side with (I think) ssldump. Or you could use a client which tells you (much) more about the requests it is making; I guess wget might be persuaded. Remember there is a big difference between a webpage and a browser=client request and server response. Typical webpages have CSS, scripts, images, and sometimes frames and objects. One webpage may be 10 or 50 or 200 requests and responses. Often a browser won't show you all of the page, and sometimes even any of it, until all the requests/responses are complete. If this is the problem, you need to either: - get the server to do one response per connection (and close). I know downgrading the request to 1.0 works, and I'm pretty sure replacing or adding as applicable Connection: close on 1.1 does. There may also be server-dependent ways. - recognize the end of the response and close downward (and upward also, since this connection is now orphan). If the browser quickly tries a second request it will get an error, but (much) faster, and more certainly retry (since server async close is a more 'expected' error). - recognize the end of the response and turn around to handle another request (and response etc.). - Replies and quires to the previous posting > For a socket used with openssl directly, I believe OVERLAPPED > will be ignored and is of no use. I think you would have to do > your own 'physical' level either as your own BIO type or
Signing the certificate
Hi all I want to sign the certificate programmatically. I have created a X509 certificate programmatically using Open SSL API's, Instead of making it self signed I want to sign it using another CA certificate, which is inside my local hard drive. Can anybody tell me how to do it. Thanks, Raj Rajmohan SK
FUNCTION FOR LOADING THE CERTIFICATE
Hi All Can anybody tell me the function for loading a certificate file (from my local hdd) to X509 object Thanks, Raj Rajmohan SK
Create Cert Dynamically
Hi All Can anybody tell me how to create a Digital certificate and its key from an application, VC++ for Windows Thanks, Raj Rajmohan SK
Re: Man in the middle proxy - Not working
Hi I have created multiple threads for processing the multiple socket request. On each thread I am waiting on a processing a single socket request only May I attach my sample application along with my next posting so that you will get more idea about what I am doing and you can instruct me as well what went wrong in my application. Thanks, Raj Rajmohan SK - Original Message - From: "David Schwartz" To: Sent: Thursday, August 19, 2010 5:51 AM Subject: RE: Man in the middle proxy - Not working Raj wrote: I have tried one more method to read the data from the socket, which was partially successful it is defined as follows do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets the data from the server side SSL_write(SourceSsl,pBuff,dwReadDataLen); // Writes the data back to the SSL } while(dwReadDataLen > 0 ); This is the basic idea of how you proxy, but it can't work for a general HTTP proxy. For one thing, it assumes the end of a reply is marked by the close of a connection. This is true for some HTTP requests, but it's not true in general. You can write a proxy two different ways: 1) You can understand the protocol you are parsing and know when it changes directions. Based on this understanding, you can switch from proxying in one direction to proxying in the other. 2) You can avoid having to understand the protocol you are parsing. But in this case, you will not know which side is supposed to send data next, so you must always be ready to proxy in either direction. It seems you do neither of these two things. You try to proxy in only one direction at a time but you don't track the protocol. How do you even know when you've sent the entire request and can even enter this loop? How do you know when you've read the entire reply and can begin reading the next request? Your test condition, 'dwReadDataLen>0' will be true so long as the connection is healthy. It will typically remain healthy even when the reply has been fully sent. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Man in the middle proxy - Not working
Hi Thanks for your valuable suggestion. I didn't understand some points which you described in the previous posting, may because of my lack of exposure to the socket technology. I have tried one more method to read the data from the socket, which was partially successful it is defined as follows do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets the data from the server side SSL_write(SourceSsl,pBuff,dwReadDataLen); // Writes the data back to the SSL } while(dwReadDataLen > 0 ); By using this method I am able to read the content data from the server and put it back to my browser. But this method is not consistent though, Sometimes browse request will not get completed and also it takes lot of time complete one browse request - Replies and quires to the previous posting For a socket used with openssl directly, I believe OVERLAPPED will be ignored and is of no use. I think you would have to do your own 'physical' level either as your own BIO type or as a BIO_pair looping back to your code (the more usual way). Frankly I don't think you're anywhere near ready for that. I didn't understand about this, Can you describe this in more detail, Sorry for that I am new to this technology You should check for error (<=0) and report/handle it. Error on _write especially initial is not common, but if it ever happens, proceeding with other operations will likely cause much greater confusion. I have checked all the error codes of SSL functions in my application, I have posted only some code snippet to avoid junk data SSL_accept(Serverssl); This is useless. SSL_accept _creates_ a server-side endpoint; it is not applicable to a client-side endpoint. I have removed this from my application Also, the data read by SSL_read (like POSIX read or C fread) does not get a null terminator byte added, so outputting pBuff as a C-style string is likely to append garbage, especially on the second or more time through the loop. I have outputted the buffer only for indicative purpose. I have removed the code for outputting the buffer That's your problem. SSL_pending only indicates data _already received and buffered_ by OpenSSL but not yet read by the app. For responses more than one SSL record (max 32kbytes if I recall correctly, and server may choose less) AND (probably) more than the TCP window (varies but typically 2 MTU = about 3kbytes to start) there will be some time delay between receiving the first chunk of the data and the next, and the next and so on. } while(SSL_pending(Serverssl)); Instead of using the above condition I have opted for while(dwReadDataLen > 0 ); By using this I was able to read the content data. For a waited/blocking socket, which is the default as you have here, you need to keep reading from the server (and in your case writing back to the client) until you've done all the data in the response. If you require, or the server chooses, HTTP/1.0 style conn-per-txn (also known as connection: close or not-keepalive or not-pipelined, and also not-chunked) you can just loop until you receive "EOF" (0) from SSL_read, caused by the server closing the connection. "EOF" (0) I am not sure about EOF(0), is that some thing similar to End Of File in C++; If you allow and the server uses HTTP/1.1 keep-alive (or pipelining) and/or chunked data, the situation can get quite a bit more complicated. See RFC 2616. If you use a nonblocking socket (which is supported on Windows as far as I know but is apparently not the same as OVERLAPPED) you can also do your own timeout -- that is, read until EOF or optionally calculated end of the response body, *or* timeout. Since HTTP servers will normally send a complete response within a short time (like at most a few seconds), and if one doesn't a person at a browser usually doesn't want to wait anyway, this can be a good simple compromise. Could you send me some code snippet using 'bio' in SSL, I have seen using 'bio' is some sample applications instead of Sockets Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Saturday, August 07, 2010 9:06 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Friday, 06 August, 2010 10:14 I was able to read the content data from the server using SSL_read and put back to the browser by using SSL_write. I don't know whether is a right approach or not. If you are doing an SSL connection to the server then SSL_write to and SSL_read from the server are correct. (And you should since the client is requesting SSL.) SSL_read from and SSL_write back to the client are correct if the client is SSL, and you said it is. For [an .ico] I got the response as follows and I was able to see the icon in
Re: Man in the middle proxy - Not working
Hi I was able to read the content data from the server using SSL_read and put back to the browser by using SSL_write. I don't know whether is a right approach or not. I have done the experiment in these two urls 1. https://s-static.ak.facebook.com/rsrc.php/z9Q0Q/hash/8yhim1ep.ico 2. https://s-static.ak.facebook.com/rsrc.php/z8OGI/hash/41j5eq4v.png For the first try I got the response as follows and I was able to see the icon in my browser HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 Content-Length: 318 Content-Type: image/x-icon Expires: Sat, 06 Aug 2011 06:58:14 -0700 Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="DSP LAW" Pragma: X-Cnection: close Date: Fri, 06 Aug 2010 13:58:14 GMT But for the second link, which is 42,565 bytes long, I am receiving the following output. I understood that there is more to do inorder to read the content data, which I am not sure about HTTP/1.1 200 OK Cache-Control: public, max-age=31536000 Content-Length: 42565 Content-Type: image/png Expires: Sat, 06 Aug 2011 07:04:17 -0700 Last-Modified: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="DSP LAW" Pragma: X-Cnection: close Date: Fri, 06 Aug 2010 14:04:17 GMT Can anybody tell me what else should I do inorder to read the content and show it the browser. The following are sending some code snippets RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } SSL *Serverssl; Serverssl = SSL_new(m_pSSLCtx); SSL_set_fd(Serverssl, RequestSock); iRes = SSL_connect(Serverssl); if(iRes <= 0 ) { ERR_print_errors_fp(stderr); cout << " connect Failed " << endl; } iRes = SSL_write(Serverssl,pcData, strlen(pcData)); SSL_accept(Serverssl); do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); SSL_write(SourceSsl,pBuff,dwReadDataLen); cout << "Read buffer \n" << pBuff << endl; } while(SSL_pending(Serverssl)); Thanks, Raj Rajmohan SK - Original Message - From: "Raj" To: Sent: Friday, August 06, 2010 10:12 AM Subject: Re: Man in the middle proxy - Not working Hi Can you send me some code snippet which shows how to commutate with webserver and read the content data Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Friday, August 06, 2010 2:19 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Thursday, 05 August, 2010 01:06 I will describe my code snippet below The module for connecting to server SOCKET RequestSock; SOCKADDR_IN ClientAddr; RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix. pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); int iAddrLen = sizeof(ClientAddr); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } WSAOVERLAPPED SendOverlapped; DWORD dwSendDataLen = 0; WSABUF ClientRequestBuf; WSAEVENT SendEvent[1]; ClientRequestBuf.buf = pcData; ClientRequestBuf.len = strlen(pcData); SendEvent[0] = WSACreateEvent(); SendOverlapped.hEvent = SendEvent[0]; iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag, &SendOverlapped,NULL); // Sending data to the server At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent,
Re: Man in the middle proxy - Not working
Hi Can you send me some code snippet which shows how to commutate with webserver and read the content data Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Friday, August 06, 2010 2:19 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Thursday, 05 August, 2010 01:06 I will describe my code snippet below The module for connecting to server SOCKET RequestSock; SOCKADDR_IN ClientAddr; RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); I don't know much about 'OVERLAPPED' in Windows, but I think it's something like 'nonblocking' in Unix. pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); int iAddrLen = sizeof(ClientAddr); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } WSAOVERLAPPED SendOverlapped; DWORD dwSendDataLen = 0; WSABUF ClientRequestBuf; WSAEVENT SendEvent[1]; ClientRequestBuf.buf = pcData; ClientRequestBuf.len = strlen(pcData); SendEvent[0] = WSACreateEvent(); SendOverlapped.hEvent = SendEvent[0]; iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag, &SendOverlapped,NULL); // Sending data to the server At this point, the send probably hasn't actually happened. And if you call [WSA]Recv and it returns, it almost certainly hasn't actually been done either. You probably have to do some kind of synchronization with the .hEvent, following whatever Windows rules are applicable. FYI pcPort = 443 pcTargetURL = L"www.facebook.com"; pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n" __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Man in the middle proxy - Not working
Hi I will describe my code snippet below The module for connecting to server SOCKET RequestSock; SOCKADDR_IN ClientAddr; RequestSock = WSASocket(AF_INET,SOCK_STREAM,0,NULL,0,WSA_FLAG_OVERLAPPED); pHost = gethostbyname(pcTargetURL); memset(&ClientAddr,0,sizeof(ClientAddr)); int iAddrLen = sizeof(ClientAddr); ClientAddr.sin_family = AF_INET; memcpy(&ClientAddr.sin_addr,pHost->h_addr, pHost->h_length); ClientAddr.sin_port = htons(atoi(pcPort)); if(0 != connect(RequestSock,(SOCKADDR *)&ClientAddr, sizeof(SOCKADDR_IN))) { closesocket(RequestSock); // Connection failed return false; } WSAOVERLAPPED SendOverlapped; DWORD dwSendDataLen = 0; WSABUF ClientRequestBuf; WSAEVENT SendEvent[1]; ClientRequestBuf.buf = pcData; ClientRequestBuf.len = strlen(pcData); SendEvent[0] = WSACreateEvent(); SendOverlapped.hEvent = SendEvent[0]; iRes = WSASend(RequestSock,&ClientRequestBuf,1,&dwSendDataLen,dwFlag,&SendOverlapped,NULL); // Sending data to the server FYI pcPort = 443 pcTargetURL = L"www.facebook.com"; pcData = "GET https://www.facebook.com HTTP/1.0\r\n\r\n" Thanks, Raj Rajmohan SK - Original Message - From: "Dave Thompson" To: Sent: Thursday, August 05, 2010 7:48 AM Subject: RE: Man in the middle proxy - Not working From: owner-openssl-us...@openssl.org On Behalf Of Raj Sent: Wednesday, 04 August, 2010 01:09 Thanks for all the response 1. I was able to do the handshaking successfully with the browser. On receiving the request from the browser I will send "HTTP OK " response back to the browser, I was able to do the handshaking and read the actual GET request. To be clear: I interpret you received CONNECT, sent OK, did SSL handshake between browser and you (SSL_accept), then SSL_read (data which is a) GET request. 2. Then I create a new socket to establish the connection with server. The connection was successful. Sends the request to the server Reads the request from the server (Obviously you mean read response.) When I read the response from the server it always return empty. I don't know what went wrong here. I am reading the data from the socket using 'recv' function. Can anybody tell me what went wrong Is the connection to the server clear, or SSL? If SSL, you must use SSL_{connect,write,read,etc} throughout, with a different SSL* pointer than the one for the client side. And check for errors and report them etc. If clear, either: - you did the send and/or recv wrong; we'd have to look at your code, which you should simplify/trim as much as possible. - the server didn't like the request you sent, or you, strongly enough it just closed the connection. For HTTP this should be rare; most issues with the actual request (such as bad method or resource, unauthorized, bad or prohibited or required body, etc.) have defined HTTP error responses. Something like a firewall or frontend that works at the TCP level might just disconnect you, although in my experience they usually block or reject the initial connection (SYN) or break abruptly (RST), either of which appears to your program as an error return (canonically -1, not 0). Can you contact the people operating the server, and can they check their logs around the time of your attempt? Can you connect to the server from a browser on the machine running your proxy, or at one nearby on the same subnet? In clear, SSL, or both? And do a GET like the one you are (receiving and) forwarding from your client? Successfully? Can you run a monitor like tcpdump or wireshark while running your program, to see what was actually sent to the server and confirm if any data or what flags came back? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Man in the middle proxy - Not working
Hi recv function is returning 0 Thanks, Raj Rajmohan SK - Original Message - From: "David Schwartz" To: Sent: Thursday, August 05, 2010 6:05 AM Subject: RE: Man in the middle proxy - Not working Raj wrote: Thanks for all the response 1. I was able to do the handshaking successfully with the browser. On receiving the request from the browser I will send "HTTP OK " response back to the browser, I was able to do the handshaking and read the actual GET request. 2. Then I create a new socket to establish the connection with server. The connection was successful. Sends the request to the server Reads the request from the server When I read the response from the server it always return empty. What does that mean? Are you doing a blocking read or a non-blocking read? If 'read' returns zero, then the connection was closed by the server. If 'read' returns a number less than zero, there is an error -- tell us what error you are getting. If 'read' returns a number greater than zero, then that is the first part of the response. I don't know what went wrong here. I am reading the data from the socket using 'recv' function. Can anybody tell me what went wrong So, what return value do you get from 'recv'? DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Man in the middle proxy - Not working
Thanks for all the response 1. I was able to do the handshaking successfully with the browser. On receiving the request from the browser I will send "HTTP OK " response back to the browser, I was able to do the handshaking and read the actual GET request. 2. Then I create a new socket to establish the connection with server. The connection was successful. Sends the request to the server Reads the request from the server When I read the response from the server it always return empty. I don't know what went wrong here. I am reading the data from the socket using 'recv' function. Can anybody tell me what went wrong Thanks, Raj Rajmohan SK - Original Message - From: "David Schwartz" To: Sent: Wednesday, July 28, 2010 1:07 AM Subject: RE: Man in the middle proxy - Not working Rene Hollan: Oh! I totally misunderstood this. I thought OP wanted to MITM SSL sessions (which is possible, if (a) the traffic is decrypted, (b) certs are reissued and resigned, and (c) the client TRUSTS the modified cert chain (typically its root cert)). This is just HTTPS Proxy. In which case other answers about terminating the HTTP connection first are correct. No, you were correct. He does want to MITM SSL sessions. A MITM and a normal proxy operate precisely the same way up until the actual proxying part starts. His problem is earlier, when he establishes the connection to the client, determines what host and port the client wants to talk to, and then switches to his SSL proxy/MITM capability. All those steps are the same. 1) Accept plaintext connection. 2) Wait for client to send request. 3) Confirm CONNECT request, host and port valid. 4) Send 200 reply. 5) Make connection to host and port requested by client. 6) If normal proxying, begin proxying (copy ciphertext between client and server). If MITMing, begin MITMing (do SSL negotiation with both client and plaintext, copy plaintext between client and server). DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Error in SSL accept
Hi All I am getting the following error when I call the function SSL_accept 1364:error:2006F079:BIO routines:BIO_read:unsupported method:.\crypto\bio\bio_lib.c:197: Can anybody please tell me the reasons for the failure I am new to this technology so I am not sure about the steps. I will describe what I have done After call the initialization functions I have done the following steps 1. Open SSL method SSLv23_method 2. Created a new context object from this method 3. Loads certificate file from my local folder with the extension ".crt" into the context object 4. Loads key file from my local folder with the extension ".key" into the context object 5. Created a Socket object and listen on port 4433. 6. Initiated a https request from internet explorer browser to the listening port by configuring the proxy 7. Accept the connection using socket function and read data from it 8. Called SSL_accept function for handshaking with the browser, but it failed Can anybody tell me what went wrong ? Platforms of my application MS VC++ 9.0 in Windows-Xp SP2 Thanks, Raj Rajmohan SK
Re: Proxy for content filtering
Hi No I am not using any kind of proxy application. Actually I want to build a proxy application like squid Thanks, Raj Rajmohan SK - Original Message - From: "Luis Daniel Lucio Quiroz" To: Sent: Friday, July 30, 2010 10:26 AM Subject: Re: Proxy for content filtering Le jeudi 29 juillet 2010 23:38:27, vous avez écrit : Hi All I want to build a proxy server, which acts as man in the middle proxy. The main intention of application is to do content filtering, whether it is an http or https request. I want to block some specified URL. Can anybody tell me what is the best approach of doing this Thanks, Raj Rajmohan SK I guess you are using squid use squid3.1 and sslbump option __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Proxy for content filtering
Hi All I want to build a proxy server, which acts as man in the middle proxy. The main intention of application is to do content filtering, whether it is an http or https request. I want to block some specified URL. Can anybody tell me what is the best approach of doing this Thanks, Raj Rajmohan SK
Re: Man in the middle proxy - Not working
Hi All Thank you so much for all the response. I have one more doubt. If we do normal proxying on https connection, is it possible to read the https content data, at least the URL Thanks, Raj Rajmohan SK - Original Message - From: "David Schwartz" To: Sent: Wednesday, July 28, 2010 1:07 AM Subject: RE: Man in the middle proxy - Not working Rene Hollan: Oh! I totally misunderstood this. I thought OP wanted to MITM SSL sessions (which is possible, if (a) the traffic is decrypted, (b) certs are reissued and resigned, and (c) the client TRUSTS the modified cert chain (typically its root cert)). This is just HTTPS Proxy. In which case other answers about terminating the HTTP connection first are correct. No, you were correct. He does want to MITM SSL sessions. A MITM and a normal proxy operate precisely the same way up until the actual proxying part starts. His problem is earlier, when he establishes the connection to the client, determines what host and port the client wants to talk to, and then switches to his SSL proxy/MITM capability. All those steps are the same. 1) Accept plaintext connection. 2) Wait for client to send request. 3) Confirm CONNECT request, host and port valid. 4) Send 200 reply. 5) Make connection to host and port requested by client. 6) If normal proxying, begin proxying (copy ciphertext between client and server). If MITMing, begin MITMing (do SSL negotiation with both client and plaintext, copy plaintext between client and server). DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Man in the middle proxy - Not working
Hi All Requirement:- I want to build a man in the middle proxy application. I have experimented so many methods to achieve this. But my application is failing when I tried some https url's from the browser (IE 8 and Firefox 3.7). I have configured my browser proxy settings to '4433' port. My application is listening on this port, when I connect to this port from my browser, with the URL https://localhost:4433 it is working, only a certificate warning is there. When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows. "2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.ssls23_srvr.c:391:" I am not able to trace out the problem for many days. Anybody please help me to trace out this issue, or send me some sample application. What could be reasons for failure Platforms I am using are : MS Windows XP service pack 2 MS Visual Studio 2008 , VC++ Thanks, Raj Rajmohan SK
clarification on OpenSSL 0.9.8l - Renegotiating vulnerability
Hi, Wanted a clarification on OpenSSL 0.9.8l ( CVE-2009-3555 - TLS / SSLv3 Renegotiating vulnerability) . When I execute the following ./openssl s_client -connect www.testapp.com:8090 --- [snipped... openssl output] HEAD / HTTP/1.0 R RENEGOTIATING The below output is shown HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Accept-Ranges: bytes ETag: W/"-1266209541000" Last-Modified: Mon, 15 Feb 2010 04:52:21 GMT Content-Type: text/html Content-Length: Date: Wed, 03 Mar 2010 17:44:54 GMT Connection: close What I want to know is if this should output the header details or should that be suppressed also. As per a lot of forums I should get this error “28874:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:” OR The connection blocks and timeouts after a while Could someone please clarify. -- Thanks & Regards, Rajat
Re: Newbie: PKCS#10 request for an existing key pair
Hello Patrick I am using Luna PCI as my HSM. To answer your questions, >>First question: Do you have OpenSSL patched to use that particular HSM as an engine? Yes, I verified with the documentation from the vendor. >>Second question: Do you have a openssl.cnf set up that properly instantiates that engine? Again the documentation provides some information on this., so my answer is yes. Thanks From: Patrick Patterson To: openssl-users@openssl.org Sent: Thursday, June 4, 2009 8:41:24 PM Subject: Re: Newbie: PKCS#10 request for an existing key pair Hi Raj: On June 4, 2009 12:58:02 pm Raj wrote: > Hello Experts, > > I request your expert opinion in generating a PKCS#10 CSR; > > I have generated my RSA 1024 private public key pair in the HSM. The HSM > exposes the keys as handles. > First question: Do you have OpenSSL patched to use that particular HSM as an engine? Second question: Do you have a openssl.cnf set up that properly instantiates that engine? > I am seeing that OpenSSL is raising the CSR (-new) but it generates the RSA > key pair. In my case, i already have the keys generated with various > attributes; I want to raise a CSR of this key pair which are referred by > their handles. > If that handle is in a file (most patches that I've seen for HSMs allow you to do this), then just point the -key parameter as that file. For information on how to create this openssl compatible private key file that contains the handle (if you don't have it already), I would talk to your HSM vendor. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Projecthttp://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Newbie: PKCS#10 request for an existing key pair
Hello Experts, I request your expert opinion in generating a PKCS#10 CSR; I have generated my RSA 1024 private public key pair in the HSM. The HSM exposes the keys as handles. I am seeing that OpenSSL is raising the CSR (-new) but it generates the RSA key pair. In my case, i already have the keys generated with various attributes; I want to raise a CSR of this key pair which are referred by their handles. Please advice how i can do this with OpenSSL. Thanks Raj
Re: Linker errors on windows
I think we are sailing in the same boat. I hit into exactly the same problem.if you try compiling without disabling rc4. You will not get those linking errors. But if we want to exclude all patented algorithms, then we need to look for specific build releases without these algorithms. On 6/16/08, Gerhard Gappmeier <[EMAIL PROTECTED]> wrote: > Hello > > I tried to deactivate patented algorithms that are mentioned in README, > but I get unresolved externals linker errors. > > I'm building this way: > set OPTS=no-asm > perl Configure disable-idea disable-rc4 disable-rc5 disable-ntt > disable-mdc2 VC-WIN32 > perl util\mkfiles.pl >MINFO > perl util\mk1mf.pl %OPTS% dll VC-WIN32 >32dll.mak > perl util\mkdef.pl 32 libeay > ms\libeay32.def > perl util\mkdef.pl 32 ssleay > ms\ssleay32.def > > @if errorlevel 1 goto end > nmake -f 32dll.mak > > :end > > > Output: > link /nologo /subsystem:console /opt:ref /dll > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > @C:\DOKUME~1\gergap\LOKALE~1\Temp\nm37D.tmp > ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not > supported for the target platform; ignored > LIBEAY32.def : error LNK2001: unresolved external symbol d2i_Netscape_RSA > LIBEAY32.def : error LNK2001: unresolved external symbol d2i_RSA_NET > LIBEAY32.def : error LNK2001: unresolved external symbol i2d_Netscape_RSA > LIBEAY32.def : error LNK2001: unresolved external symbol i2d_RSA_NET > out32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externals > NMAKE : fatal error U1077: '"C:\Programme\Microsoft Visual Studio > 8\VC\BIN\link.EXE"' : return code '0x460' > Stop. > Building OpenSSL failed. > Build failed > > Has somebody a tip how to solve this? > > regards, > Gerhard. > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Please help: very urgent: Query on patented algorithms
Hi, Is there any binary distribution where I can find SSL dlls without patented algorithms like IDEA,MCD2,RC4,RC5 etc. I tried compiling without them. I could exclude other algos but not RC4. Some linking issues. So i need to know if there is any ssl release without the patented algorithms. On 6/16/08, Mounir IDRASSI <[EMAIL PROTECTED]> wrote: > Hi, > > Use the tool Dependency Walker (http://www.dependencywalker.com/) to look > at the exported functions of libeay32.dll. If it exports RC5, you will see > exported symbols starting with RC5. For MDC2, you'll find symbols starting > with MDC2 and etc... > > Cheers, > -- > Mounir IDRASSI > IDRIX > http://www.idrix.fr > > On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote: >> Hi, >> >> I have openssl dlls(i.e.libeay32.dll, ssleay32.dll). I need to know if >> these >> libaries are using any of the patented algorithms like IDEA, RC4, RC5,MDC2 >> etc. Can you please let me know if there is any way to find out this? >> Any help would be highly appreciated. >> >> Thanks in adavance, >> Bagavathy >> > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Please help: very urgent: Query on patented algorithms
Hi, I have openssl dlls(i.e.libeay32.dll, ssleay32.dll). I need to know if these libaries are using any of the patented algorithms like IDEA, RC4, RC5,MDC2 etc. Can you please let me know if there is any way to find out this? Any help would be highly appreciated. Thanks in adavance, Bagavathy
Re: openssl performance
Thanks Jimmy! This command looks to help me for the performance! Only thing is I have to get it working. I keep on getting errors. Anyways, thanks! I will go through and get it running. Any inputs on session reuse? On Thu, Apr 3, 2008 at 12:39 PM, jimmy bahuleyan <[EMAIL PROTECTED]> wrote: > raj H wrote: > > > Thanks Marek for your comments! > > > > > > [snip] > > I am sorry these questions are really vague and not of challenge for the > > technical personals. But I believe these are the questions any solution > > developer or openssl user would have. Isn't the OpenSSL publishes any > > numbers? > > > > Have you tried the command > > $ openssl s_time > > > -jb > -- > Real computer scientists don't comment their code. The identifiers are > so long they can't afford the disk space. > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] >
Re: openssl performance
Thanks Marek for your comments! When you say, session reuse improves the handshake performance, what factor? If normal handshake takes 1 second, how long it will take to negotiate session re-use? What about the other issues such as memory leaks and security concerns with session re-use? Does anyone has any performance numbers on encrption with cipher suites using AES / 3DES and others? David, Here are more details - I am running on HP NonStop system. It is an mainframe application. But I dont think anybody would have performance number on this so I didn't mentioned the platform. I am interested in knowing the gain factors on other platforms so that I can co-relate those numbers on nonstop platform. Currently it takes around 1 second of cpu time for handshake. Kalyan, I would surely help you with the code snippet in C. Email me! I am sorry these questions are really vague and not of challenge for the technical personals. But I believe these are the questions any solution developer or openssl user would have. Isn't the OpenSSL publishes any numbers? On Thu, Apr 3, 2008 at 2:15 AM, <[EMAIL PROTECTED]> wrote: > Hello, > > [EMAIL PROTECTED] wrote on 04/03/2008 04:18:42 AM: > > > Anybody any comments? > > > On Tue, Apr 1, 2008 at 11:56 PM, raj H <[EMAIL PROTECTED]> wrote: > > Hi Experts, > > > > OpenSSL 9.8b. We are facing some performance issues with it. I > heard that > > doing session reuse or using some other ciphers can help improve the > performance significantly. > > I would like to know - > > > > 1. Is using the session reuse with ssl handshake is advisable? I read > somewhere that > > session reuse with openssl is controversial with memory usage. It might > have some memory > > leaks. Is that true? What are other issues with ssl session reuse? Does > anyone has any > > numbers on performance gain with session reuse? > This is method improves handshake performance when your client > connects/disconnects > many times to your server in short time (like https client connections > with HTTP/1.0). > In this case handshake exchanges only 6 packets (without RSA encryption in > case where > RSA certificates are used) instead of 9/10/12 (depending of authorization > scheme). > > > 2. Does changing cipher used improve performance? We use the default > one. Is there any > > numbers on this too? I plan to use one of - > In general: use AES instead of DES3, its faster. > > Best regards, > -- > Marek Marcola <[EMAIL PROTECTED]> > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] >
Re: openssl performance
Anybody any comments? On Tue, Apr 1, 2008 at 11:56 PM, raj H <[EMAIL PROTECTED]> wrote: > Hi Experts, > > OpenSSL 9.8b. We are facing some performance issues with it. I > heard that doing session reuse or using some other ciphers can help improve > the performance significantly. > I would like to know - > > 1. Is using the session reuse with ssl handshake is advisable? I read > somewhere that session reuse with openssl is controversial with memory > usage. It might have some memory leaks. Is that true? What are other issues > with ssl session reuse? Does anyone has any numbers on performance gain with > session reuse? > > 2. Does changing cipher used improve performance? We use the default one. > Is there any numbers on this too? I plan to use one of - > > SSL_RSA_WITH_3DES_EDE_CBC_SHA > SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA > TLS_RSA_WITH_3DES_EDE_CBC_SHA > TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA > TLS_RSA_WITH_AES_128_CBC_SHA > TLS_DH_RSA_WITH_AES_128_CBC_SHA > TLS_DHE_RSA_WITH_AES_128_CBC_SHA > TLS_RSA_WITH_AES_256_CBC_SHA > TLS_DH_RSA_WITH_AES_256_CBC_SHA > TLS_DHE_RSA_WITH_AES_256_CBC_SHA > > Thanks for your help! > > Raj >
openssl performance
Hi Experts, OpenSSL 9.8b. We are facing some performance issues with it. I heard that doing session reuse or using some other ciphers can help improve the performance significantly. I would like to know - 1. Is using the session reuse with ssl handshake is advisable? I read somewhere that session reuse with openssl is controversial with memory usage. It might have some memory leaks. Is that true? What are other issues with ssl session reuse? Does anyone has any numbers on performance gain with session reuse? 2. Does changing cipher used improve performance? We use the default one. Is there any numbers on this too? I plan to use one of - SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA Thanks for your help! Raj
Re: error regaring libssl.so
but my libssl.so is at /usr/lib and my lhmail.so is at /usr/lib/qt/lib and my application is /home/lhmail/pop/ and my application need lhmail.so and lhmail.so depends on libssl.so how i link both these lib wyhen i compilinh my application i m new in linux stuff plz tell me step by step regards, Amit On 6/9/07, Allen Cbhen <[EMAIL PROTECTED]> wrote: raj pansuria 写道: > helo i m using fedora core 6 > > i got the following error > > helo my dynamic lib file is stored > at /usr/src/lib/qt-3.3/lib/lhmail.so and > it required support for libssl.so and libssl.so is in /usr/lib > but when i run my application > i got the following strange errors > > ../../liblhmail.so: undefined reference to `BIO_ctrl' > ../../liblhmail.so: undefined reference to `d2i_DHparams' > ../../liblhmail.so: undefined reference to `X509_dup' > ../../liblhmail.so: undefined reference to `ASN1_HEADER_free' > ../../liblhmail.so: undefined reference to `X509_LOOKUP_file' > ../../liblhmail.so: undefined reference to `ERR_print_errors' > ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_RSA' > ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_DSA' > ../../liblhmail.so: undefined reference to `CRYPTO_mem_ctrl' > ../../liblhmail.so: undefined reference to `RSA_free' > ../../liblhmail.so: undefined reference to `DH_free' > ../../liblhmail.so: undefined reference to `BIO_free' > ../../liblhmail.so: undefined reference to `PKCS7_free' > ../../liblhmail.so: undefined reference to `X509_LOOKUP_hash_dir' > ../../liblhmail.so: undefined reference to `EVP_PKEY_free' > ../../liblhmail.so: undefined reference to `BUF_MEM_free' > ../../liblhmail.so: undefined reference to `i2d_DHparams' > ../../liblhmail.so: undefined reference to `PEM_read_bio_PrivateKey' > ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_DH' > ../../liblhmail.so: undefined reference to `ERR_load_crypto_strings' > ../../liblhmail.so: undefined reference to `X509_LOOKUP_ctrl' > ../../liblhmail.so: undefined reference to `PEM_write_bio_PKCS7' > ../../liblhmail.so: undefined reference to `ASN1_dup' > ../../liblhmail.so: undefined reference to `i2d_DSAparams' > ../../liblhmail.so: undefined reference to `BIO_printf' > ../../liblhmail.so: undefined reference to `RSAPrivateKey_dup' > ../../liblhmail.so: undefined reference to `EVP_PKEY_new' > ../../liblhmail.so: undefined reference to `SMIME_read_PKCS7' > ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_RSA' > ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_DH' > ../../liblhmail.so: undefined reference to `BIO_free_all' > ../../liblhmail.so: undefined reference to `BIO_s_file' > ../../liblhmail.so: undefined reference to `BIO_s_mem' > ../../liblhmail.so: undefined reference to `BIO_new_fp' > ../../liblhmail.so: undefined reference to > `OPENSSL_add_all_algorithms_noconf' > ../../liblhmail.so: undefined reference to `PKCS7_verify' > ../../liblhmail.so: undefined reference to `d2i_DSAparams' > ../../liblhmail.so: undefined reference to `CRYPTO_mem_leaks' > ../../liblhmail.so: undefined reference to `BIO_new' > ../../liblhmail.so: undefined reference to `X509_STORE_free' > ../../liblhmail.so: undefined reference to `X509_STORE_new' > ../../liblhmail.so: undefined reference to `X509_STORE_add_lookup' > ../../liblhmail.so: undefined reference to `PEM_read_bio_X509_AUX' > ../../liblhmail.so: undefined reference to `ERR_clear_error' > ../../liblhmail.so: undefined reference to `BIO_new_mem_buf' > ../../liblhmail.so: undefined reference to `DSA_free' > ../../liblhmail.so: undefined reference to `EVP_PKEY_type' > ../../liblhmail.so: undefined reference to `PKCS7_sign' > ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_DSA' > ../../liblhmail.so: undefined reference to `ENGINE_load_builtin_engines' > collect2: ld returned 1 exit status > make: *** [pop3] Error 1 > > what to do to solve this error > amit Add |/usr/local/ssl/lib to |LD_LIBRARY_PATH or /etc/ld.so.conf|.| __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
error regaring libssl.so
helo i m using fedora core 6 i got the following error helo my dynamic lib file is stored at /usr/src/lib/qt-3.3/lib/lhmail.so and it required support for libssl.so and libssl.so is in /usr/lib but when i run my application i got the following strange errors ../../liblhmail.so: undefined reference to `BIO_ctrl' ../../liblhmail.so: undefined reference to `d2i_DHparams' ../../liblhmail.so: undefined reference to `X509_dup' ../../liblhmail.so: undefined reference to `ASN1_HEADER_free' ../../liblhmail.so: undefined reference to `X509_LOOKUP_file' ../../liblhmail.so: undefined reference to `ERR_print_errors' ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_RSA' ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_DSA' ../../liblhmail.so: undefined reference to `CRYPTO_mem_ctrl' ../../liblhmail.so: undefined reference to `RSA_free' ../../liblhmail.so: undefined reference to `DH_free' ../../liblhmail.so: undefined reference to `BIO_free' ../../liblhmail.so: undefined reference to `PKCS7_free' ../../liblhmail.so: undefined reference to `X509_LOOKUP_hash_dir' ../../liblhmail.so: undefined reference to `EVP_PKEY_free' ../../liblhmail.so: undefined reference to `BUF_MEM_free' ../../liblhmail.so: undefined reference to `i2d_DHparams' ../../liblhmail.so: undefined reference to `PEM_read_bio_PrivateKey' ../../liblhmail.so: undefined reference to `EVP_PKEY_set1_DH' ../../liblhmail.so: undefined reference to `ERR_load_crypto_strings' ../../liblhmail.so: undefined reference to `X509_LOOKUP_ctrl' ../../liblhmail.so: undefined reference to `PEM_write_bio_PKCS7' ../../liblhmail.so: undefined reference to `ASN1_dup' ../../liblhmail.so: undefined reference to `i2d_DSAparams' ../../liblhmail.so: undefined reference to `BIO_printf' ../../liblhmail.so: undefined reference to `RSAPrivateKey_dup' ../../liblhmail.so: undefined reference to `EVP_PKEY_new' ../../liblhmail.so: undefined reference to `SMIME_read_PKCS7' ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_RSA' ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_DH' ../../liblhmail.so: undefined reference to `BIO_free_all' ../../liblhmail.so: undefined reference to `BIO_s_file' ../../liblhmail.so: undefined reference to `BIO_s_mem' ../../liblhmail.so: undefined reference to `BIO_new_fp' ../../liblhmail.so: undefined reference to `OPENSSL_add_all_algorithms_noconf' ../../liblhmail.so: undefined reference to `PKCS7_verify' ../../liblhmail.so: undefined reference to `d2i_DSAparams' ../../liblhmail.so: undefined reference to `CRYPTO_mem_leaks' ../../liblhmail.so: undefined reference to `BIO_new' ../../liblhmail.so: undefined reference to `X509_STORE_free' ../../liblhmail.so: undefined reference to `X509_STORE_new' ../../liblhmail.so: undefined reference to `X509_STORE_add_lookup' ../../liblhmail.so: undefined reference to `PEM_read_bio_X509_AUX' ../../liblhmail.so: undefined reference to `ERR_clear_error' ../../liblhmail.so: undefined reference to `BIO_new_mem_buf' ../../liblhmail.so: undefined reference to `DSA_free' ../../liblhmail.so: undefined reference to `EVP_PKEY_type' ../../liblhmail.so: undefined reference to `PKCS7_sign' ../../liblhmail.so: undefined reference to `EVP_PKEY_get1_DSA' ../../liblhmail.so: undefined reference to `ENGINE_load_builtin_engines' collect2: ld returned 1 exit status make: *** [pop3] Error 1 what to do to solve this error amit
SSL3_GET_CLIENT_KEY_EXCHANGE:bad protocol version number
Hello, Could some one explain what the following error means and possible solution? OpenSSL error detected in sslEndpoint::accept. Reason: error:1408B074:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad protocol version number Thank you, Raj Pannala [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Warning !!! Re: Check this
Both my IRIX on O2 and Linux on PII took one look at the virus, yawned, and continued on their normal course. :-) -- Raju > "Jon" == Jon Earle <[EMAIL PROTECTED]> writes: >> If you get this email from this guy DO NOT open it, my >> macafee's virus scanner freaked out saying it was a virus.. I >> am assuming it is an actual VB Script virus >> >> Here is the info on the virus. >> >> http://vil.nai.com/vil/vbs10225.asp Jon> hehehe... mine did the same. Boss was not impressed. Jon> Insisted I fully scan my workstation. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSLv4?
Hmm, interesting question! I have with me a tender specification which asks for a web server with SSLv4 support, and I assumed that SSLv4 is the logical successor to v3 (which is when I sent out the mail). However, on searching the web I find no reference to v4, so I conclude that either it doesn't exist, or is in a very preliminary development stage. Please correct me if I'm wrong. Regards, -- Raju >>>>> "Ben" == Ben Laurie <[EMAIL PROTECTED]> writes: Ben> Raj Mathur wrote: >> Hi, >> >> I looked for this on the FAQ and the mail archives, but either >> my archive searching skills are non-existent or the answer is >> ditto... >> >> Is any support planned for SSLv4 in OpenSSL? If yes, by when? Ben> What is SSLv4? Ben> Cheers, Ben> Ben. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]