Empty CA name list in Certificate Request in 0.9.8e

2011-11-03 Thread Shaw Graham George
Hi,

Our software has been using OpenSSL for many years successfully, but we've 
recently discovered a problem when running our HTTPS server against a client 
running some IBM software (not sure exactly what at the moment).

The client appears to be making a strict interpretation of the RFCs regarding 
the CA name list in the Certificate Request sent by our server.  This is 
required not to be empty by the RFCs (prior to TLS v1.1), but the list being 
sent is empty.  It seems that most software is tolerant of this, but this 
particular IBM software is not.

I've been doing some testing in the code, and the name list is derived from 
the stack of CAs in the client_CA data element of the context.  However, it 
seems that this list is never populated by SSL_CTX_load_verify_locations().  I 
have a confession here that we are still using a rather old version, 0.9.8e.

So has this been seen previously?  And has it been fixed?  Or are we missing 
something in our code - SSL_CTX_load_verify_locations() is essentially all we 
do to handle CAs, and this has been fine until now.

I've done the usual searches in the mail archive and not managed to find 
anything.

For now I'd prefer to patch the 0.9.8e code, before moving to a more recent 
version.

Best regards,

George Shaw.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


RE: Empty CA name list in Certificate Request in 0.9.8e

2011-11-03 Thread Shaw Graham George
Hi Michel,

Indeed, that seems to work, and I note that the call is included in the 
s_server.c code.

That just leaves me a bit mystified as to why:

1.  the call is not included in the SSL_CTX_load_verify_locations() function, 
so that we don't need to read the file twice - although I guess that the latter 
is used for both client and server code.  I suppose that 
SSL_CTX_set_client_CA_list() is server-only?

2.  how the code has worked for over 10 years, to any number of different 
clients, without this call ...  I guess that most clients are more tolerant.

Thanks for your help.

G.


-Original Message-
From: Michel [mailto:msa...@paybox.com] 
Sent: 03 November 2011 14:10
To: openssl-users@openssl.org
Cc: Shaw Graham George
Subject: Re: Empty CA name list in Certificate Request in 0.9.8e

Hi George,

didn't  you forget a call to :
SSL_CTX_set_client_CA_list()

see http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html

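To make the strict client's complaint concrete, here is an added example, written for this page and not code from the thread or from OpenSSL, that parses the body of a TLS CertificateRequest the way a strict peer would. In SSL 3.0 and TLS 1.0 (RFC 2246) the certificate_authorities vector is declared <3..2^16-1>, so an empty list is a protocol violation; TLS 1.1 (RFC 4346) relaxed it to <0..2^16-1>. The sample messages are constructed by hand (REQ_EMPTY_CA is what a server with no client CA list configured sends, REQ_ONE_CA carries one DER-encoded name, C=GB, and REQ_TLS12_EMPTY_CA is the TLS 1.2 shape with a signature-algorithm list), and the function and constant names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minor version numbers as sent on the wire (major is 3; SSL 3.0 is minor 0). */
#define TLS1_0_MINOR 1
#define TLS1_1_MINOR 2
#define TLS1_2_MINOR 3

/* Parser return codes (names are my own). */
#define CR_OK             0
#define CR_MALFORMED     -1
#define CR_EMPTY_CA_LIST -2   /* empty list where the negotiated version forbids it */

typedef struct {
    size_t cert_type_count;   /* ClientCertificateType entries */
    size_t ca_count;          /* DistinguishedName entries */
    size_t ca_bytes;          /* length of the certificate_authorities vector */
} cert_request_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Parse a CertificateRequest body (4-byte handshake header already removed):
 *   ClientCertificateType certificate_types<1..2^8-1>;
 *   SignatureAndHashAlgorithm supported_signature_algorithms<2..2^16-2>;  (TLS 1.2 only)
 *   DistinguishedName certificate_authorities<3..2^16-1>;  (SSL 3.0 / TLS 1.0)
 *   DistinguishedName certificate_authorities<0..2^16-1>;  (TLS 1.1 and later)
 * Each DistinguishedName is a 2-byte length followed by a DER Name.
 */
int parse_cert_request(const uint8_t *buf, size_t len, int tls_minor,
                       cert_request_info *out)
{
    size_t pos = 0, end;
    memset(out, 0, sizeof *out);

    if (len < 1) return CR_MALFORMED;
    out->cert_type_count = buf[pos++];
    if (out->cert_type_count == 0 || pos + out->cert_type_count > len)
        return CR_MALFORMED;
    pos += out->cert_type_count;

    if (tls_minor >= TLS1_2_MINOR) {           /* skip the sigalg list, not interpreted here */
        size_t sig_len;
        if (pos + 2 > len) return CR_MALFORMED;
        sig_len = rd16(buf + pos); pos += 2;
        if (sig_len < 2 || sig_len % 2 || pos + sig_len > len) return CR_MALFORMED;
        pos += sig_len;
    }

    if (pos + 2 > len) return CR_MALFORMED;
    out->ca_bytes = rd16(buf + pos); pos += 2;
    if (pos + out->ca_bytes != len) return CR_MALFORMED;   /* truncated or trailing bytes */

    end = pos + out->ca_bytes;
    while (pos < end) {
        size_t dn_len;
        if (pos + 2 > end) return CR_MALFORMED;
        dn_len = rd16(buf + pos); pos += 2;
        if (dn_len == 0 || pos + dn_len > end) return CR_MALFORMED;  /* a DER Name is never empty */
        pos += dn_len;
        out->ca_count++;
    }

    /* The strict client's check: before TLS 1.1 the vector needs at least 3 bytes. */
    if (tls_minor <= TLS1_0_MINOR && out->ca_bytes < 3) return CR_EMPTY_CA_LIST;
    return CR_OK;
}

/* Convenience wrapper: number of CA names on success, or the negative error code. */
int ca_names_in_request(const uint8_t *buf, size_t len, int tls_minor)
{
    cert_request_info info;
    int rc = parse_cert_request(buf, len, tls_minor, &info);
    return rc == CR_OK ? (int)info.ca_count : rc;
}

/* Constructed: types {rsa_sign, dss_sign}, empty CA vector (no client CA list set). */
const uint8_t REQ_EMPTY_CA[] = { 0x02, 0x01, 0x02, 0x00, 0x00 };
const size_t REQ_EMPTY_CA_LEN = sizeof REQ_EMPTY_CA;

/* Constructed: same types plus one name, the DER Name "C=GB"
 * (SEQUENCE { SET { SEQUENCE { OID 2.5.4.6, PrintableString "GB" } } }). */
const uint8_t REQ_ONE_CA[] = {
    0x02, 0x01, 0x02,                 /* certificate_types */
    0x00, 0x11,                       /* certificate_authorities: 17 bytes */
    0x00, 0x0F,                       /*   DistinguishedName: 15 bytes */
    0x30, 0x0D, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
    0x13, 0x02, 'G', 'B'
};
const size_t REQ_ONE_CA_LEN = sizeof REQ_ONE_CA;

/* Constructed TLS 1.2 shape: rsa_sign, one sigalg (sha256, rsa), empty CA vector. */
const uint8_t REQ_TLS12_EMPTY_CA[] = { 0x01, 0x01, 0x00, 0x02, 0x04, 0x01, 0x00, 0x00 };
const size_t REQ_TLS12_EMPTY_CA_LEN = sizeof REQ_TLS12_EMPTY_CA;

int main(void)
{
    printf("TLS 1.0, empty list : %d\n", ca_names_in_request(REQ_EMPTY_CA, REQ_EMPTY_CA_LEN, TLS1_0_MINOR));
    printf("TLS 1.1, empty list : %d names\n", ca_names_in_request(REQ_EMPTY_CA, REQ_EMPTY_CA_LEN, TLS1_1_MINOR));
    printf("TLS 1.0, one CA name: %d names\n", ca_names_in_request(REQ_ONE_CA, REQ_ONE_CA_LEN, TLS1_0_MINOR));
    printf("TLS 1.2, empty list : %d names\n", ca_names_in_request(REQ_TLS12_EMPTY_CA, REQ_TLS12_EMPTY_CA_LEN, TLS1_2_MINOR));
    return 0;
}
```

In OpenSSL the names in that vector come only from the client CA list set with SSL_CTX_set_client_CA_list() (typically fed by SSL_load_client_CA_file()); SSL_CTX_load_verify_locations() populates the X509_STORE used to verify the client's chain and never touches that list, which is why both calls are needed even when they read the same file. Running openssl s_client -msg against the server prints the CertificateRequest bytes, so the length of the final vector can be checked after the fix.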


RE: OpenSSL on IBMi

2010-04-07 Thread Shaw Graham George

Yup, I had to do a couple of fixes to the GNU utilities to get around
size limitations, for example when the size limit to ADDBNDDIRE (not
qar) is reached, then to split the request and make multiple calls.

G.



From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 07 April 2010 12:52
To: openssl-users@openssl.org
Subject: Re: OpenSSL on IBMi


I got the icc problem resolved by writing shell script. 

Building static libraries gets stuck at the following point (I guess the
object limit of qar is hit):


qar -cuv ../../libcrypto.a a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o
a_int.o a_octet.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o
a_enum.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o x_algor.o
x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o x_bignum.o x_long.o x_name.o
x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o d2i_pu.o d2i_pr.o i2d_pu.o
i2d_pr.o t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o
tasn_new.o tasn_fre.o tasn_enc.o tasn_dec.o tasn_utl.o tasn_typ.o f_int.o
f_string.o n_pkey.o f_enum.o a_hdr.o x_pkey.o a_bool.o x_exten.o asn1_gen.o
asn1_par.o asn1_lib.o asn1_err.o a_meth.o a_bytes.o a_strnid.o evp_asn1.o
asn_pack.o p5_pbe.o p5_pbev2.o p8_pkey.o asn_moid.o
command = CRTBNDDIR BNDDIR(OPENSSL/LIBCRYPTO)
TEXT('ecofr/openssl-0.9.8e/crypto/asn1/../../libcrypto.a')
command = ADDBNDDIRE BNDDIR(OPENSSL/LIBCRYPTO) OBJ((OPENSSL/A_OBJECT0 *MODULE)
(OPENSSL/A_BITSTR0 *MODULE) (OPENSSL/A_UTCTM0 *MODULE) (OPENSSL/A_GENTM0 *MODULE)
(OPENSSL/A_TIME0 *MODULE) (OPENSSL/A_INT0 *MODULE) (OPENSSL/A_OCTET0 *MODULE)
(OPENSSL/A_PRINT0 *MODULE) (OPENSSL/A_TYPE0 *MODULE) (OPENSSL/A_SET0 *MODULE)
(OPENSSL/A_DUP0 *MODULE) (OPENSSL/A_D2I_FP0 *MODULE) (OPENSSL/A_I2D_FP0 *MODULE)
(OPENSSL/A_ENUM0 *MODULE) (OPENSSL/A_UTF80 *MODULE) (OPENSSL/A_SIGN0 *MODULE)
(OPENSSL/A_DIGEST0 *MODULE) (OPENSSL/A_VERIFY0 *MODULE) (OPENSSL/A_MBSTR0 *MODULE)
(OPENSSL/A_STREX0 *MODULE) (OPENSSL/X_ALGOR0 *MODULE) (OPENSSL/X_VAL0 *MODULE)
(OPENSSL/X_PUBKEY0 *MODULE) (OPENSSL/X_SIG0 *MODULE) (OPENSSL/X_REQ0 *MODULE)
(OPENSSL/X_ATTRIB0 *MODULE) (OPENSSL/X_BIGNUM0 *MODULE) (OPENSSL/X_LONG0 *MODULE)
(OPENSSL/X_NAME0 *MODULE) (OPENSSL/X_X5090 *MODULE) (OPENSSL/X_X509A0 *MODULE)
(OPENSSL/X_CRL0 *MODULE) (OPENSSL/X_INFO0 *MODULE) (OPENSSL/X_SPKI0 *MODULE)
(OPENSSL/NSSEQ0 *MODULE) (OPENSSL/D2I_PU0 *MODULE) (OPENSSL/D2I_PR0 *MODULE)
(OPENSSL/I2D_PU0 *MODULE) (OPENSSL/I2D_PR0 *MODULE) (OPENSSL/T_REQ0 *MODULE)
(OPENSSL/T_X5090 *MODULE) (OPENSSL/T_X509A0 *MODULE) (OPENSSL/T_CRL0 *MODULE)
(OPENSSL/T_PKEY0 *MODULE) (OPENSSL/T_SPKI0 *MODULE) (OPENSSL/T_BITST0 *MODULE)
(OPENSSL/TASN_NEW0 *MODULE) (OPENSSL/TASN_FRE0 *MODULE) (OPENSSL/TASN_ENC0 *MODULE)
(OPENSSL/TASN_DEC0 *MODULE) (OPENSSL/TASN_UTL0 *MODULE) (OPENSSL/TASN_TYP0 *MODULE)
(OPENSSL/F_INT0 *MODULE) (OPENSSL/F_STRING0 *MODULE) (OPENSSL/N_PKEY0 *MODULE)
(OPENSSL/F_ENUM0 *MODULE) (OPENSSL/A_HDR0 *MODULE) (OPENSSL/X_PKEY0 *MODULE)
(OPENSSL/A_BOOL0 *MODULE) (OPENSSL/X_EXTEN0 *MODULE) (OPENSSL/ASN1_GEN0 *MODULE)
(OPENSSL/ASN1_PAR0 *MODULE) (OPENSSL/ASN1_LIB0 *MODULE) (OPENSSL/ASN1_ERR0 *MODULE)
(OPENSSL/A_METH0 *MODULE) (OPENSSL/A_BYTES0 *MODULE) (OPENSSL/A_STRNID0 *MODULE)
(OPENSSL/EVP_ASN10 *MODULE) (OPENSSL/ASN_PACK0 *MODULE) (OPENSSL/P5_PBE0 *MODULE)
(OPENSSL/P5_PBEV20 *MODULE) (OPENSSL/P8_PKEY0 *MODULE) (OPENSSL/ASN_MOID0 *MODULE) )

UPDBNDDIRE error


GMAKE[2]: *** [lib] Error 1

  GMAKE[2]: Leaving directory `/home/qsecofr/openssl-0.9.8e/crypto/asn1'

GMAKE[1]: *** [subdirs] Error 1
GMAKE[1]: Leaving directory `/home/qsecofr/openssl-0.9.8e/crypto'
GMAKE: *** [build_crypto] Error 1



Building shared library, make do_os400-shared is giving the following
error

 
( :; SHAREDFLAGS=${SHARED_LDFLAGS} ${EXTRA_LDFLAGS}; liblist -af OPENSSL;
echo system DLTSRVPGM SRVPGM\($OUTPUTDIR/$SRVPGM\);
system DLTSRVPGM SRVPGM\($OUTPUTDIR/$SRVPGM\);
ld ${SHAREDFLAGS} -o $SHLIB $SHOBJECTS; liblist -d OPENSSL; ) &&
if [ -n $INHIBIT_SYMLINKS ]; then :; else
prev=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX;
if [ -n $SHLIB_COMPAT ]; then for x in $SHLIB_COMPAT; do
( :; rm -f $SHLIB$x$SHLIB_SUFFIX; ln -s $prev $SHLIB$x$SHLIB_SUFFIX );
prev=$SHLIB$x$SHLIB_SUFFIX; done; fi;
if [ -n $SHLIB_SOVER ]; then ( :; rm -f $SHLIB$SHLIB_SUFFIX;
ln -s $prev $SHLIB$SHLIB_SUFFIX ); fi; fi; \
fi;


system DLTSRVPGM SRVPGM(OPENSSL/libssl)


 CPF2105:  Object LIBSSL in OPENSSL type *SRVPGM not found.

ssl/*.o does not link to a module object


   GMAKE[1]: Leaving directory `/home/qsecofr/openssl-0.9.8e' 





RE: OpenSSL on IBMi

2010-04-06 Thread Shaw Graham George

OK, one step forward.  I guess that previously you had a path error
because you need to create a link (correctly) to point to your gmake
program.

And the CCSID of the delivered tools package is unimportant - it's the
CCSID of the unpacked programs that is important.

Hmmm.

 Message ID . . . . . . . . . :   MCH3601
 Message file . . . . . . . . :   QCPFMSG
   Library  . . . . . . . . . : QSYS
 Message text . . . . . . . . :   Pointer not set for location
referenced. 


So the delivered icc is not as robust as it should be ...  As I said
before, I had to re-compile mine for CCSID 500, so had the source, so I
was able to easily track down problems such as this.

I'm looking at my source, and the only changes that I made to icc look
relatively trivial - but these are changes from 9 years ago, so my
memory may not be 100% accurate.  And I suspect that the testing that
I've done has been using my version of icc - while it executes as CCSID
500, it can be used to make binaries of any CCSID.

You have a couple of options, I think.  The techie option is to get the
source for icc and find and fix the pointer error.  Icc is just a
wrapper program that translates compile requests from a UNIX-like string
to the correct OS/400 command (as you can see from the output).  So it
is easy to debug.

The more difficult option is to try to determine which argument is
upsetting icc empirically, and then work around that - it does work out
of the box, but as you can see, is a little temperamental.

Unfortunately, I don't think that IBM offer support for the GNU
utilities - I don't know if they still offer the source code.  If you
prefer the techie option, and they don't, then I can probably send you
the source package (at your own risk).

BTW.  I'm not sure what your requirements are, but OpenSSL will run on
the AS/400 as AIX binaries under the PASE environment.  Which could be a
simpler option.

Good luck.

G.




From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 05 April 2010 14:51
To: openssl-users@openssl.org
Subject: Re: OpenSSL on IBMi


Got it working !
Stuck in another error in openssl/crypto :-(

icc -I. -I.. -I../include -DOPENSSL_THREADS -D_MULTI_THREADED -v -O4
-DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H -D_ALL_SOURCE -DNO_SYSLOG
-qTGTRLS=*CURRENT -qTGTCCSID=37 -c cryptlib.c -o cryptlib.o
command = CRTCMOD MODULE(CRYPTO/CRYPTLIB) SRCSTMF('cryptlib.c')
DEFINE('OPENSSL_THREADS' '_MULTI_THREADED' 'B_ENDIAN' 'CHARSET_EBCDIC'
'NO_SYS_PARAM_H' '_ALL_SOURCE' 'NO_SYSLOG' ) OPTIMIZE(40)
TEXT('/home/qsecofr/openssl-0.9.8e/crypto/cryptlib.o')
SYSIFCOPT(*IFSIO) TGTRLS(*CURRENT) TGTCCSID(37) OPTION(*LOGMSG )


AQAPTL/ICC: Unexpected exception MCH3601   


On Mon, Apr 5, 2010 at 4:06 PM, Pankaj Aggarwal
pankaj.aggar...@gmail.com wrote:
 Hi Shaw,

 I do have the qsh porting tools installed (which include icc, gmake
 etc.). I checked the CCSID for these tools. it's 1200.
 Now since my openssl files have been extracted from tar in qsh
 environment, they have the CCSID of 37. Should I get the IBM tools for
 CCSID 37?

 I tried to set the QIBM_CSSID variable in qsh environment to 1200, but
 the extracted openssl files still have CCSID of 37.

 Pankaj


RE: OpenSSL on IBMi

2010-04-06 Thread Shaw Graham George

-c is an option, not an argument, so I think you'll find that the
problem is that icc is objecting to the file-to-be-compiled not being at
the end of the command line - i.e. it is looking for a - character in
temp1/abc.c and failing.

So:

   icc -c -o abc.o temp1/abc.c

... would also work.

Like I said ... not very robust.

Give me a short time to see if I can find how I worked around this.

Re PASE, you can execute PASE (AIX) libraries from ILE code, but if you
can avoid it I would.

G.




From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 06 April 2010 09:59
To: openssl-users@openssl.org
Subject: Re: OpenSSL on IBMi


I am able to narrow down on the icc option that is causing the problem. 

 icc -c temp1/abc.c -o abc.o

QAPTL/ICC: Unexpected exception MCH3601

$

 icc -o abc.o -c temp1/abc.c

$

So, specifying -c option before -o option (which is the case while
compiling openssl) results in error.
If I swap this, icc works fine.

Next, I need to swap this in openssl, any quick way of doing this?

My project involves using the openssl libraries in OS/400 native
environment to create libraries on top of it which will be used by ILE
Code. I believe that I won't be able to use PASE libraries in native
environment, right?

Pankaj
  




RE: OpenSSL on IBMi

2010-04-06 Thread Shaw Graham George

Hmm, my version of icc works with the default syntax, for example:

icc -I. -I.. -I../include -DOPENSSL_THREADS -D_MULTI_THREADED -v -v -O4
-DB_ENDIAN -DCHARSET_EBCDIC -DEBCDIC_500 -DNO_SYS_PARAM_H -D_ALL_SOURCE
-DNO_SYSLOG -qTGTRLS=V5R1M0 -qTGTCCSID=500 -qTERASPACE=*YES *TSIFC
-c cryptlib.c -o cryptlib.o

command = CRTCMOD MODULE(OPENSSL/cryptlib) SRCSTMF('cryptlib.c')
DEFINE('OPENSSL_THREADS' '_MULTI_THREADED' 'B_ENDIAN' 'CHARSET_EBCDIC'
'EBCDIC_500' 'NO_SYS_PARAM_H' '_ALL_SOURCE' 'NO_SYSLOG' ) OPTIMIZE(40)
TEXT('sr/gesh/build/newDev/openssl/sdk/crypto/cryptlib.o') SYSIFCOPT(*IFSIO)
TGTRLS(V5R1M0) TGTCCSID(500) TERASPACE(*YES *TSIFC) OPTION(*LOGMSG )


So I must have fixed the problem in some way.

Which doesn't help you, of course.

Changing the order of arguments will mean messing with the OpenSSL
Makefiles, I guess, which is to be avoided if possible I would have
thought.

Otherwise, if you can't get the source from IBM, I can send you my copy,
and my patched code for icc.  And then you can re-compile and fix for
yourself.

G.
 


RE: OpenSSL on IBMi

2010-04-04 Thread Shaw Graham George

http://rt.openssl.org/Ticket/Display.html?id=1565&user=guest&pass=guest

Only for 0.9.8e, though.

G.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Pankaj Aggarwal
Sent: 04 April 2010 10:05
To: openssl-users@openssl.org
Subject: OpenSSL on IBMi

Could somebody point me to the latest patch available (with
instructions) for compiling openssl on IBMi (OS/400).

Pankaj


RE: OpenSSL on IBMi

2010-04-04 Thread Shaw Graham George

You should read the detail of the readme files for this and maybe previous 
ports at rt.openssl.org.

Firstly, for this port to work, you need to install the IBM AS/400 GNU 
utilities - it doesn't look like you have.  I'm not sure of their current 
status, but at the time these were unsupported utilities only obtainable from 
IBM.  They are delivered as CCSID 37 binaries, so you need to know what CCSID 
you wish to support.  I had to get the source from IBM (by special request) and 
re-compile gmake to run as CCSID 500.

AFAIK (but I am a little out of date), any gmake delivered with the AS/400 is a 
PASE binary.

Regarding perl, I can't remember if perl (for CCSID 37) from CPAN worked.  I 
certainly failed to port CPAN perl to CCSID 500 (and ran out of time to 
investigate further).  But this made no difference to me as I was building 
OpenSSL for about 13 platforms, so I could run the configure option (that uses 
perl) on UNIX.

If I was looking again now, and looking for AS/400-independence, I'd investigate 
if I could run a PASE version of perl for the configure.

G.


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Pankaj Aggarwal
Sent: 04 April 2010 12:46
To: openssl-users@openssl.org
Subject: Re: OpenSSL on IBMi

I used the patch on openssl 0.9.8e. on firing ./Configure OS400-icc I am 
getting the following error:

qsh: 001-0014 Command /home/qsecofr/openssl/QAPTL/GMAKE not found.
GMAKE: *** [links] Error 1
$

I have set the PATH environment variable as follows :

/qibm/ProdData/DeveloperTools/qsh/bin/:/usr/bin:.:/QOpenSys/usr/bin

I am using the old perl binaries for OS400 from CPAN site.

Any idea where the problem is?



Creating a certificate with Unicode characters in Issuer and Subject

2009-11-19 Thread Shaw Graham George
Hi,

I have a requirement to make some test keys/certificates that contain
Unicode (Chinese) data in the Issuer and Subject fields.  Print-out from
an example certificate using openssl x509 is:

Issuer: C=\x00C\x00N,
ST=\x00G\x00u\x00a\x00n\x00g\x00d\x00o\x00n\x00g,
L=\x00G\x00u\x00a\x00n\x00g\x00z\x00h\x00o\x00u,
O=\x00G\x00D\x00C\x00A\x00
\x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00
\x00A\x00u\x00t\x00h\x00o\x00r\x00i\x00t\x00y
Subject: C=\x00C\x00N, ST=^\x7FN\x1Cw\x01, L=^\x7F]\xDE^\x02,
...

Is this at all possible using the openssl tool?  From the manual pages
it seems that UTF-8 is supported, but not Unicode - for example the
config man page says that null characters in strings is not allowed.

If not, then does anybody know of any other tools that I could use to
make my test keys/certificates.

Thanks in advance,

George.


RE: Creating a certificate with Unicode characters in Issuer and Subject

2009-11-19 Thread Shaw Graham George
Thanks Steve,

 OpenSSL will *NOT* however do what happens above with the C (Country)
 field. That is a two character code and only PrintableString (a restricted
 version of ASCII) characters are permitted. Doing anything else violates
 several standards.

That's interesting, considering that this example certificate was sent
to us by one of our customers, and appears to be issued by the Guangdong
Certificate Authority (GDCA), which is presumably a live CA ...

Is that possible - that a real CA can violate the standards like this?
Or is this just like Microsoft breaking standards - you just have to
live with it?

BTW, the rogue example certificate seems OK when used as an input to
other openssl functions ... E.g. openssl smime.

But putting the country name to one side, what about the other data
elements?  I understand the UTF-8 input is possible in openssl.  Is what
you're saying that it's only UTF-8 that is possible, so if I want
Unicode input, then I have to find another solution.

G.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: 19 November 2009 13:24
To: openssl-users@openssl.org
Subject: Re: Creating a certificate with Unicode characters in Issuer
and Subject


Characters are passed to OpenSSL using UTF8, then depending on the
configuration options it gets translated into either a BMPString or a
UTF8String. From an application point of view it shouldn't matter which
(RFC3280 and later mandate UTF8Strings).

OpenSSL will *NOT* however do what happens above with the C (Country) field.
That is a two character code and only PrintableString (a restricted version of
ASCII) characters are permitted. Doing anything else violates several
standards.

BTW if you pick appropriate values for the -nameopt option and if your
terminal supports it you should be able to get that certificate to
display correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: Creating a certificate with Unicode characters in Issuer and Subject

2009-11-19 Thread Shaw Graham George

No, this is the output from openssl x509 -text, but without -nameopt utf8, 
which has no effect on the output anyway.

G.


-Original Message-
From: dry...@sky-haven.net [mailto:dry...@sky-haven.net] 
Sent: 19 November 2009 17:16
To: Shaw Graham George
Subject: Re: Creating a certificate with Unicode characters in Issuer and 
Subject


UTF-8 is a means for providing Unicode glyph sequences on computers.
Each Unicode character has 1 reasonable UTF-8 transform.  As per my personal 
experience, OpenSSL does handle them.

What you have in hand looks more like what happened when a certificate tool 
converted the output into what appears to be UTF-16 big endian, then emitted 
that to your terminal.  Very odd.

As it turns out, it looks like the CA you picked did the right thing as 
0x0043 0x4E is CN.  It's mainly your output program that has made ... 
unusual choices when asked to emit the subject and issuer to your screen; I'm 
assuming it wasn't OpenSSL.

Anyway, yes, with the proper options on input, OpenSSL will accept a
UTF-8 stream as elements in the subject and issuer DNs.  I believe that OpenSSL 
already presumes incoming text is in UTF-8, and -nameopt utf8 is all you need 
to emit UTF-8 directly to the terminal.

  Yours, c
  Lance Dryden
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
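Steve's explanation (input is UTF-8, stored as either a BMPString or a UTF8String, with the C attribute restricted to a two-letter PrintableString) and Lance's observation that the \x00C\x00N output is UTF-16 big endian both become visible once the DER of the Name is decoded by string tag. The parser below is an added example written for this page, not OpenSSL code. Its two sample Names are constructed by hand: one conformant, and one that reproduces the poster's encoding, with C as a BMPString and L as the BMPString 5E7F 5DDE 5E02, which is what the bytes shown as `L=^\x7F]\xDE^\x02` in the original Subject line decode to. The attribute-OID table covers only the 2.5.4.x attributes the thread mentions, and multi-valued RDNs are not handled.

```c
/* Added example, not OpenSSL's code: decode a DER-encoded X.509 Name and report
 * the ASN.1 string type of every attribute. Both sample Names are hand-built. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TAG_OID = 0x06, TAG_UTF8STRING = 0x0C, TAG_PRINTABLESTRING = 0x13,
       TAG_BMPSTRING = 0x1E, TAG_SEQUENCE = 0x30, TAG_SET = 0x31 };
typedef struct { uint8_t tag; const uint8_t *val; size_t len, next; } tlv_t;
typedef struct { const char *attr, *type; char value[64]; } atv_t;

/* Read one tag-length-value at offset pos; short or long (<= 4 byte) length form. */
static int read_tlv(const uint8_t *buf, size_t buflen, size_t pos, tlv_t *t) {
    size_t len, hdr = 2, i;
    if (pos + 2 > buflen) return 0;
    len = buf[pos + 1];
    if (len & 0x80) {
        size_t n = len & 0x7F;
        if (n == 0 || n > 4 || pos + 2 + n > buflen) return 0;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | buf[pos + 2 + i];
        hdr += n;
    }
    if (len > buflen - pos - hdr) return 0;   /* value would run past the buffer */
    t->tag = buf[pos]; t->val = buf + pos + hdr; t->len = len; t->next = pos + hdr + len;
    return 1;
}

/* Short names for the 2.5.4.x attribute OIDs seen in the thread. */
static const char *attr_name(const uint8_t *oid, size_t n) {
    static const char *names[] = { "?", "?", "?", "CN", "?", "?", "C", "L", "ST", "?", "O", "OU" };
    return (n == 3 && oid[0] == 0x55 && oid[1] == 0x04 && oid[2] < 12) ? names[oid[2]] : "?";
}

/* Convert a value to UTF-8. A BMPString is UTF-16BE limited to the Basic
 * Multilingual Plane, so every 2-byte unit is one code point (no surrogates). */
static int to_utf8(uint8_t tag, const uint8_t *v, size_t n, char *dst, size_t cap) {
    size_t i, o = 0;
    if (tag == TAG_PRINTABLESTRING || tag == TAG_UTF8STRING) {
        if (n >= cap) return 0;
        memcpy(dst, v, n); dst[n] = '\0'; return 1;
    }
    if (tag != TAG_BMPSTRING || n % 2) return 0;   /* other string types are rejected */
    for (i = 0; i < n; i += 2) {
        unsigned cp = ((unsigned)v[i] << 8) | v[i + 1];
        if (o + 4 > cap) return 0;
        if (cp < 0x80) { dst[o++] = (char)cp; continue; }
        if (cp < 0x800) dst[o++] = (char)(0xC0 | (cp >> 6));
        else { dst[o++] = (char)(0xE0 | (cp >> 12)); dst[o++] = (char)(0x80 | ((cp >> 6) & 0x3F)); }
        dst[o++] = (char)(0x80 | (cp & 0x3F));
    }
    dst[o] = '\0'; return 1;
}

/* Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } (single-valued RDNs).
 * Returns the number of attributes, or -1 for malformed input or an unexpected type. */
static int parse_name(const uint8_t *der, size_t len, atv_t *out, int max) {
    tlv_t name, rdn, atv, oid, str;
    size_t pos;
    int count = 0;
    if (!read_tlv(der, len, 0, &name) || name.tag != TAG_SEQUENCE) return -1;
    for (pos = 0; pos < name.len; pos = rdn.next, count++) {
        if (count == max || !read_tlv(name.val, name.len, pos, &rdn) || rdn.tag != TAG_SET) return -1;
        if (!read_tlv(rdn.val, rdn.len, 0, &atv) || atv.tag != TAG_SEQUENCE) return -1;
        if (!read_tlv(atv.val, atv.len, 0, &oid) || oid.tag != TAG_OID) return -1;
        if (!read_tlv(atv.val, atv.len, oid.next, &str)) return -1;
        out[count].attr = attr_name(oid.val, oid.len);
        out[count].type = str.tag == TAG_PRINTABLESTRING ? "PrintableString" :
                          str.tag == TAG_UTF8STRING ? "UTF8String" : "BMPString";
        if (!to_utf8(str.tag, str.val, str.len, out[count].value, sizeof out[count].value)) return -1;
    }
    return count;
}

/* The rule Steve states: countryName is a two-letter PrintableString. */
static int country_ok(const atv_t *a) {
    return strcmp(a->attr, "C") == 0 && strcmp(a->type, "PrintableString") == 0 &&
           strlen(a->value) == 2 && a->value[0] >= 'A' && a->value[0] <= 'Z' &&
           a->value[1] >= 'A' && a->value[1] <= 'Z';
}

/* Constructed: C=CN (PrintableString), ST=Guangdong (BMPString), O=广东 (UTF8String). */
static const uint8_t GOOD_NAME[] = {
    0x30, 0x3B, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 'C', 'N',
    0x31, 0x1B, 0x30, 0x19, 0x06, 0x03, 0x55, 0x04, 0x08, 0x1E, 0x12, 0, 'G', 0, 'u', 0, 'a',
    0, 'n', 0, 'g', 0, 'd', 0, 'o', 0, 'n', 0, 'g',
    0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x06, 0xE5, 0xB9, 0xBF, 0xE4, 0xB8, 0x9C };
/* Constructed after the poster's certificate: C=CN and L=广州市 both as BMPString,
 * i.e. the bytes that displayed as \x00C\x00N and ^\x7F]\xDE^\x02. */
static const uint8_t BMP_NAME[] = {
    0x30, 0x20, 0x31, 0x0D, 0x30, 0x0B, 0x06, 0x03, 0x55, 0x04, 0x06, 0x1E, 0x04, 0, 'C', 0, 'N',
    0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x07, 0x1E, 0x06, 0x5E, 0x7F, 0x5D, 0xDE, 0x5E, 0x02 };

/* Scratch table filled by name_count(); callers read the fields back from g_atv. */
static atv_t g_atv[8];
static int name_count(const uint8_t *der, size_t len) { return parse_name(der, len, g_atv, 8); }

int main(void) {
    const uint8_t *samples[] = { GOOD_NAME, BMP_NAME };
    size_t sizes[] = { sizeof GOOD_NAME, sizeof BMP_NAME }, s;
    for (s = 0; s < 2; s++) {
        int i, n = name_count(samples[s], sizes[s]);
        for (i = 0; i < n; i++)
            printf("%s=%s (%s)%s\n", g_atv[i].attr, g_atv[i].value, g_atv[i].type,
                   strcmp(g_atv[i].attr, "C") == 0 && !country_ok(&g_atv[i]) ? "  <- C must be PrintableString" : "");
    }
    return 0;
}
```

A BMPString holds UTF-16BE, so for ASCII letters its raw bytes are 00 xx pairs; a display routine that escapes each non-printable byte produces exactly the \x00C\x00N of the original post, while decoding by tag yields CN. The country check rejects the second sample, which is the violation Steve warns about: the value is right but the encoding is not.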


RE: Help Please....SSL3_GET_RECORD error

2009-08-03 Thread Shaw Graham George

What remote application or software is it that is generating these errors?

Is it Java?

G.


-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Biswatosh
Sent: 03 August 2009 15:32
To: openssl-users@openssl.org
Subject: Fw: Help PleaseSSL3_GET_RECORD error


Hi,

As a sequel to the mail I sent today on the same issue, I found multiple 
references in the openssl user community but none seemed to address my problem 
precisely.

My questions are:

1) Does openssl accept that this is their bug? It seems to manifest when 
there is a lot of load. This is not consistent in my case.

2) https://bugzilla.redhat.com/show_bug.cgi?id=450265 speaks about this issue 
for the 9.8 version. I am using 9.6i on Solaris 10 with good load.
Which version of openssl should I use to resolve this?

3) Why does this problem happen? If this happened consistently, it could be 
because of an incorrect key/certificate pair. But, in my case, it can happen any 
time but not all the time.


Thanks
Biswatosh

--- On Mon, 8/3/09, Biswatosh biswatosh2...@yahoo.com wrote:

 From: Biswatosh biswatosh2...@yahoo.com
 Subject: Help PleaseSSL3_GET_RECORD error
 To: openssl-users@openssl.org
 Date: Monday, August 3, 2009, 6:19 PM
 Hi OpenSSL Gurus,
 
 Firstly, please reply to me as I am not a member yet of your alias.
 
 My multithreaded application uses openssl 9.6i and sometimes gets the 
 error:
 
 SSL Error: error:1408F455:SSL
 routines:SSL3_GET_RECORD:decryption failed or bad record mac.
 
 Could anybody help me on this? I want to know why it comes and how 
 that can be solved? Google was of no help. The openssl FAQ does not contain 
 anything on this.
 
 Many Thanks in advance
 
 Biswatosh
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: SSL_read() returns SSL_ERROR_SYSCALL

2009-06-10 Thread Shaw Graham George

Is the server IIS?

And do you get all of the response?

Because IIS doesn't necessarily close SSL connections in a tidy manner -
it can give SSL_ERROR_SYSCALL.

G.


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of chithuanand
Sent: 10 June 2009 13:22
To: openssl-users@openssl.org
Subject: RE: SSL_read() returns SSL_ERROR_SYSCALL


hi,

 We have tried setting the ciphersuite using
SSL_CTX_set_cipher_list(), as eNULL/NULL-MD5/DEFAULT. But we get a
handshake error. In the server also we have tried giving encryption=
true and cipherlist to all of the above settings. eNULL/NULL-MD5/any
null values give a handshake error. What am I missing here?




If this is a network problem, it may be easier to look for it using
clear data. Do you have the option of connecting to these
servers/services without SSL (or with SSL but using an eNULL
ciphersuite) and if so does it have the same problem?
(Obviously you should do that only with nonconfidential data.
If there is higher-level authentication e.g. password, use a temporarily
assigned and immediately disabled test id, etc.)


--
View this message in context:
http://www.nabble.com/SSL_read%28%29-returns-SSL_ERROR_SYSCALL-tp2391837
9p23961104.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: compiling app with separate openssl

2008-08-08 Thread Shaw Graham George
Hi,

I'm no Linux guru but this worked for me (or rather its equivalent).

To ensure that you link to your development libraries:

g++ -o tls-srv main.o /home/dev/openssl-0.9.8d/lib/libssl.so.0.9.8
/home/dev/openssl-0.9.8d/lib/libcrypto.so.0.9.8

... and then use LD_LIBRARY_PATH in your run-time to ensure that your
development, rather than installed, shared libraries are used.

And also remember to set LD_LIBRARY_PATH before using ldd.

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lauer, Thomas
Sent: 08 August 2008 15:22
To: openssl-users@openssl.org
Subject: compiling app with separate openssl

hi.

I'm using Ubuntu with libssl-dev (0.9.8g-4ubuntu3.3). 
Additionally I compiled OpenSSL 0.9.8d in a separate folder
(/home/dev/openssl-0.9.8d).

Now I'm trying to compile a tool that will link to my second openssl lib
in /home/dev...

this is my g++ call:

# g++ -o tls-srv main.o -L/home/dev/openssl-0.9.8d/lib -lssl -lcrypto

but ldd shows me, that tls-srv will use the ossl lib in
/usr/lib/i686/cmov/ (ubuntu ossl-lib).



i compiled my second ossl lib with following commands:

# ./config --prefix=/home/dev/openssl-0.9.8d -DOPENSSL_NO_COMP
# make
# make install

in /home/dev/openssl-0.9.8d there are the following lib-files:

drwxr-xr-x 2 root root4096 2008-08-08 15:30 engines
-rw-r--r-- 1 root root 2353124 2008-08-08 15:30 libcrypto.a
lrwxrwxrwx 1 root root  18 2008-08-08 15:30 libcrypto.so -> libcrypto.so.0.9.8
-r-xr-xr-x 1 root root 1510851 2008-08-08 15:30 libcrypto.so.0.9.8
-rw-r--r-- 1 root root  399534 2008-08-08 15:30 libssl.a
lrwxrwxrwx 1 root root  15 2008-08-08 15:30 libssl.so -> libssl.so.0.9.8
-r-xr-xr-x 1 root root  287236 2008-08-08 15:30 libssl.so.0.9.8
drwxr-xr-x 2 root root4096 2008-08-08 15:29 pkgconfig

But I wonder why
# ldd libssl.so

uses libcrypto.so from /usr/lib/i686/cmov

[EMAIL PROTECTED]:/home/dev/openssl-0.9.8d/lib# ldd libssl.so
linux-gate.so.1 =>  (0xb7f32000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d9f000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7d9b000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c4b000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7c36000)
/lib/ld-linux.so.2 (0xb7f33000)


perhaps anybody can help me?

thanks
Thomas L.


PS: sorry for my bad english :)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Openssl + cipher

2008-03-07 Thread Shaw Graham George

http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html?

G. 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yolanda Craven
Sent: 04 March 2008 17:35
To: openssl-users@openssl.org
Subject: Openssl + cipher



I'm new to using openssl and I need to change the cipher that is
currently being used.  I'm using a product called ssl_proxy that doesn't
have a config file for changing/limiting any of these attributes.  The
current cipher is aes-256 and I need to change it to something stronger
with a key length of at least 128 bits.  Can someone tell me how I can
accomplish this?

thanks! 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: cipher algorithms

2008-03-05 Thread Shaw Graham George

Surely http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html.

G.
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Baur, Mateus 
(Brazil RD-CL)
Sent: 05 March 2008 12:25
To: openssl-users@openssl.org
Subject: RE: cipher algorithms

Yes, I know you can enable/disable the algorithms at build time. However, my 
question is if a user could enable/disable an algorithm when the library is 
already built (even by the application using OpenSSL or some generic 
configuration of OpenSSL).

I thought there was actually no way to do that. Your answer reinforces that.

Thanks,
Mateus


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-openssl- 
 [EMAIL PROTECTED] On Behalf Of David Schwartz
 Sent: quarta-feira, 5 de março de 2008 09:12
 To: openssl-users@openssl.org
 Subject: RE: cipher algorithms


  Thanks Marek!
 
  One last question, can an algorithm or cipher suite be enabled or 
  disabled on OpenSSL by an user (I mean, without needing to recompile 
  and redistribute OpenSSL binaries)?

 You can definitively disable an algorithm by not including it in the 
 libraries. Most programs that use OpenSSL, including the built-in 
 'openssl' executable, permit you to change the algorithms used one way or 
 another. I do not believe that OpenSSL provides a generic way to do 
 this for other applications that use OpenSSL.

 DS


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: OpenSSL client through proxy

2008-02-27 Thread Shaw Graham George

You need to open a socket to the proxy server and send it an HTTP
CONNECT request.

If the proxy server sends back an OK reply, then it has opened a socket
to the proxy.  After that the proxy acts as a port forwarder, so you can
continue your SSL dialog with the proxy as if it was the SSL server.

You should be able to Google the details.

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrey Petrashenko
Sent: 27 February 2008 12:32
To: openssl-users@openssl.org
Subject: Re: OpenSSL client through proxy

Excuse me that my question is too general. 
The situation is like this: I have a client computer in a local network
that is behind a proxy server, so it cannot see the SSL server directly. The
SSL server is on the Internet. The type of proxy server is HTTP proxy.
The task is SSL data communication between the local client and the Internet
SSL server. The SSL port at the server is open (without proxy). Of course,
I'm using the OpenSSL library.
The SSL client tries to connect using BIO_set_conn_hostname(bio,
server_host_port). Thus, I need to find appropriate functions in the
OpenSSL library to set up proxy configuration for the client... or find
another solution.


27.02.08, 12:32, David Schwartz [EMAIL PROTECTED]:

  26.02.08, 23:23, [EMAIL PROTECTED]:
 
   Hello,
I have to connect to my OpenSSL server through proxy server.
  How can I
   establish this connection?
   Establish tcp connection through proxy (connect, socks5, 
   transparent, reverse or any other) and next run SSL on this tcp 
   connection.
   Best regards,
   --
   Marek Marcola [EMAIL PROTECTED]
 
  Thanks for the answer. I'm a newbie in TCP/SSL programming. Would 
  you suggest any library or function names to use connect or 
  transparent. May be it is supported by OpenSSL?.. or another C/C++

  library.
 Could you give us some kind of idea what it is you are trying to do so

 that we can give you more precise instructions? Is the proxy being 
 used by the server or the client? What kind of proxy? Do you have a 
 proxy or need a proxy? If you have a proxy, what kind of proxy? If you
need a proxy, why?
 You are straining everyone's ESP here.
 DS
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
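The exchange George describes, as an added example that is not part of the original posts or of OpenSSL: the client's CONNECT request and the check on the proxy's reply, written as pure functions over constructed messages so they run here without a network. The host name and the proxy replies are placeholders. One point the thread leaves implicit: the proxy only relays bytes, so the TLS session that follows is still with the origin server, and the certificate must be verified against the origin host name (with SNI set to it), not the proxy's.

```c
/* Added example, not OpenSSL's code: the plain-HTTP half of George's answer,
 * the CONNECT request and the check on the proxy's reply, as pure functions
 * over constructed messages. Host names and replies are placeholders. */
#include <stdio.h>
#include <string.h>

/* Request sent on the TCP connection to the proxy. The target is the origin
 * server; the proxy opens its own TCP connection to it and then relays bytes. */
static const char *connect_request(const char *host, int port) {
    static char buf[512];
    int n = snprintf(buf, sizeof buf, "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n",
                     host, port, host, port);
    return (n > 0 && (size_t)n < sizeof buf) ? buf : NULL;
}

/* Parse the proxy's status line. Returns the HTTP status code, or -1 while the
 * header block is incomplete (keep reading) or when it is malformed. On
 * success *tunnel_start is the offset just past the blank line: anything
 * after it already belongs to the tunnel and must be fed to the TLS layer
 * (for example through a memory BIO), never discarded. */
static int connect_status(const char *buf, size_t len, size_t *tunnel_start) {
    const char *end = NULL, *p;
    size_t i;
    for (i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = buf + i + 4; break; }
    if (end == NULL) return -1;
    if (len < 12 || strncmp(buf, "HTTP/1.", 7) != 0 || buf[8] != ' ') return -1;
    for (p = buf + 9; p < buf + 12; p++)
        if (*p < '0' || *p > '9') return -1;
    if (tunnel_start) *tunnel_start = (size_t)(end - buf);
    return (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
}

/* Only a 2xx reply means the tunnel exists. Anything else (407 Proxy
 * Authentication Required, 403, 502...) is a plain-HTTP error page; starting
 * SSL_connect() on it cannot succeed and must not be attempted. */
static int tunnel_open(int status) { return status >= 200 && status <= 299; }

static size_t tunnel_offset(const char *buf, size_t len) {
    size_t off = 0;
    return connect_status(buf, len, &off) >= 0 ? off : 0;
}

/* Constructed proxy replies. */
static const char PROXY_OK[] = "HTTP/1.1 200 Connection established\r\n\r\n";
static const char PROXY_OK_TRAILING[] = "HTTP/1.1 200 OK\r\n\r\nXYZ";
static const char PROXY_AUTH[] = "HTTP/1.1 407 Proxy Authentication Required\r\n"
                                 "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";

int main(void) {
    const char *replies[] = { PROXY_OK, PROXY_OK_TRAILING, PROXY_AUTH };
    size_t lens[] = { sizeof PROXY_OK - 1, sizeof PROXY_OK_TRAILING - 1, sizeof PROXY_AUTH - 1 }, i;
    printf("%s", connect_request("origin.example", 443));
    for (i = 0; i < 3; i++) {
        int st = connect_status(replies[i], lens[i], NULL);
        printf("status %d: tunnel %s, TLS bytes start at offset %zu of %zu\n",
               st, tunnel_open(st) ? "open" : "refused", tunnel_offset(replies[i], lens[i]), lens[i]);
    }
    /* After a 2xx: SSL_set_fd(ssl, proxy_fd), set SNI and the verification
     * host name to the origin host (never the proxy's), then SSL_connect(). */
    return 0;
}
```

The third sample shows why the offset matters: a proxy may deliver the first tunnel bytes in the same read as its headers, and a client that throws away everything after the status line would then be feeding OpenSSL a stream with its first record missing.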


RE: SSL Error and Info messages

2008-02-25 Thread Shaw Graham George
Hi,

This may or may not be helpful ... it depends on your code, and what
applications you are talking to that lead to these errors:

(1) reminds me of a problem that can occur when using OpenSSL against
some Java implementations.  You can test it by using openssl s_client or
s_server using the -bugs option, and then check the man page for
SSL_CTX_set_options() which describes the various bug workarounds.

(2) reminds me of problems that OpenSSL has with IIS, and maybe other
Microsoft products.  They don't follow the SSL shutdown standard so you
just have to handle it in your code.

G.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Weigang Gong
Sent: 25 February 2008 14:55
To: openssl-users@openssl.org
Subject: SSL Error and Info messages


Hi, openssl community,
 
My application calls some library functions which use OpenSSL. When my
application runs, I believe OpenSSL emitted some messages described
below. 
 
1. Sometimes, following Error messages will be emitted:
ERR-05255|8|04:26:25.540503|sslsocket.cpp[581] - SSL Error: Error on
Read SSL Error Stack: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac on 
...
ERR-05275|8|14:49:42.733798|sslsocket.cpp[566] - SSL Error: errno is
145: Connection timed out on 
...
 
Does anyone know what caused those error messages?
 
 
2. Also, following Info message will be emitted:
 
INF-05325|8|04:26:25.562401|sslsocket.cpp[538] - SSL Error: SSL_shutdown
EOF that violates SSL protocol 0 
 
Though it does not seem to affect the functionality, those info messages
are kind of annoying. Does anyone know how to turn them off?
 
Thanks a lot !
 
 
Michael
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
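The messages in this thread (decryption failed or bad record mac, connection timed out, the SSL_shutdown EOF info line), the SSL_ERROR_SYSCALL question above, and the shutdown thread further down all come down to interpreting the result of one SSL_read() call. The following is an added example, not code from the original posts or from OpenSSL: it takes the values a caller would collect from SSL_get_error(), ERR_peek_error(), SSL_get_shutdown() and errno right after the call and returns one action, so the decision logic can be compiled and exercised here without OpenSSL's headers. The SSL_ERROR_* and SSL_*_SHUTDOWN constants are OpenSSL's own values copied from <openssl/ssl.h>; the sample outcomes are constructed.

```c
/* Added example, not OpenSSL's code: turn the result of one SSL_read() call
 * into an action. The decision takes the values a caller collects right after
 * the call, so it can be compiled and run here without a TLS connection. The
 * SSL_ERROR_* and SSL_*_SHUTDOWN numbers are OpenSSL's own, copied from
 * <openssl/ssl.h>; every outcome below is constructed for the example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { SSL_ERROR_NONE = 0, SSL_ERROR_SSL = 1, SSL_ERROR_WANT_READ = 2,
       SSL_ERROR_WANT_WRITE = 3, SSL_ERROR_SYSCALL = 5, SSL_ERROR_ZERO_RETURN = 6 };
enum { SSL_SENT_SHUTDOWN = 1, SSL_RECEIVED_SHUTDOWN = 2 };

/* Snapshot taken immediately after SSL_read(): its return value, the result
 * of SSL_get_error(ssl, ret), whether ERR_peek_error() was 0, the flags from
 * SSL_get_shutdown(ssl), and errno (WSAGetLastError() on Windows, which is
 * the platform-specific step George proposes). */
typedef struct { int ret, ssl_error, err_queue_empty, shutdown_flags, sys_errno; } read_outcome_t;

typedef enum { ACT_DATA, ACT_RETRY, ACT_CLOSE_CLEAN, ACT_CLOSE_UNCLEAN,
               ACT_CLOSE_ERROR, ACT_FATAL } action_t;

static action_t classify_read(const read_outcome_t *r, char *why, size_t cap) {
    switch (r->ssl_error) {
    case SSL_ERROR_NONE:
        snprintf(why, cap, "%d bytes of application data", r->ret);
        return ACT_DATA;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        /* Non-blocking socket: wait for readiness, then call SSL_read() again. */
        snprintf(why, cap, "%s", "retry after select/poll");
        return ACT_RETRY;
    case SSL_ERROR_ZERO_RETURN:
        /* close_notify received; SSL_RECEIVED_SHUTDOWN is now set and no more
         * application data will arrive. Answer with SSL_shutdown() only after
         * pending SSL_write() calls are done (Darryl's first server option). */
        snprintf(why, cap, "%s", "peer sent close_notify");
        return ACT_CLOSE_CLEAN;
    case SSL_ERROR_SYSCALL:
        if (r->ret == 0 && r->err_queue_empty) {
            /* EOF with no close_notify: the untidy close George sees from IIS.
             * Records already delivered passed their MAC check, but the stream
             * may have been cut short, so the HTTP layer must still verify
             * Content-Length or chunked framing before trusting the body. */
            snprintf(why, cap, "%s", "unexpected EOF without close_notify");
            return ACT_CLOSE_UNCLEAN;
        }
        snprintf(why, cap, "socket error %d (%s)", r->sys_errno, strerror(r->sys_errno));
        return ACT_CLOSE_ERROR;
    case SSL_ERROR_SSL:
        /* Protocol or crypto failure such as "decryption failed or bad record
         * mac": drain ERR_get_error() into the log and drop the connection
         * without sending close_notify. */
        snprintf(why, cap, "%s", "TLS protocol error, see ERR_get_error()");
        return ACT_FATAL;
    default:
        snprintf(why, cap, "unhandled SSL_get_error() value %d", r->ssl_error);
        return ACT_FATAL;
    }
}

/* George's test, isolated: true only when the peer's close_notify has arrived. */
static int peer_closed_cleanly(int shutdown_flags) {
    return (shutdown_flags & SSL_RECEIVED_SHUTDOWN) != 0;
}

/* Convenience wrapper for constructed outcomes. */
static action_t classify(int ret, int ssl_error, int err_queue_empty, int shutdown_flags, int sys_errno) {
    read_outcome_t r = { ret, ssl_error, err_queue_empty, shutdown_flags, sys_errno };
    char why[128];
    return classify_read(&r, why, sizeof why);
}

int main(void) {
    static const char *names[] = { "DATA", "RETRY", "CLOSE_CLEAN", "CLOSE_UNCLEAN", "CLOSE_ERROR", "FATAL" };
    /* Constructed outcomes covering the cases raised in these threads. */
    const read_outcome_t cases[] = {
        { 512, SSL_ERROR_NONE, 1, 0, 0 },
        { -1, SSL_ERROR_WANT_READ, 1, 0, EAGAIN },
        { 0, SSL_ERROR_ZERO_RETURN, 1, SSL_RECEIVED_SHUTDOWN, 0 },
        { 0, SSL_ERROR_SYSCALL, 1, 0, 0 },          /* abrupt close, IIS style */
        { -1, SSL_ERROR_SYSCALL, 1, 0, ECONNRESET },
        { -1, SSL_ERROR_SSL, 0, 0, 0 },             /* bad record mac and friends */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char why[128];
        action_t a = classify_read(&cases[i], why, sizeof why);
        printf("ret=%4d ssl_error=%d -> %-13s %s\n", cases[i].ret, cases[i].ssl_error, names[a], why);
    }
    return 0;
}
```

The SSL_ERROR_SYSCALL branch with a zero return value and an empty error queue is the abrupt close George attributes to IIS. An application that treats it as a normal end of stream must still validate the HTTP framing of what it received, because a response truncated by a network cut looks exactly the same as one the server simply failed to close properly. In OpenSSL 3.0 and later that case is reported as SSL_ERROR_SSL instead, unless SSL_OP_IGNORE_UNEXPECTED_EOF is set, so the classification above matches the 0.9.x and 1.x behaviour the threads describe.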


RE: Problem building Windows 64-bit

2007-08-29 Thread Shaw Graham George

FYI.  I found the problem.

Our build environment had the following environment variable set:

LINK=/manifest:no

Removing this environment variable solved the problems.

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shaw Graham George
Sent: 24 August 2007 14:00
To: openssl-users@openssl.org
Subject: RE: Problem building Windows 64-bit


I forgot to mention.  0.9.8e.

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shaw Graham George
Sent: 24 August 2007 13:40
To: openssl-users@openssl.org
Subject: Problem building Windows 64-bit

Hi,

I've tried to follow the instructions in INSTALL.W64 for building
OpenSSL for 64-bit Windows, but while C programs are compiling OK, the
link of the dlls is failing:

link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll
/def:ms/LIBEAY32.def @C:\Documents and Settings\gshaw\Local
Settings\Temp\nm33.tmp
LINK : fatal error LNK1181: cannot open input file 'link.obj'
NMAKE : fatal error U1077: 'S:\Microsoft Visual
Studio\VC\BIN\amd64\link.EXE'
: return code '0x49d'


Before executing make, I am executing:

perl .\Configure VC-WIN64A
ms\do_win64a.bat


The file nm33.tmp looks OK.

I've done a bit of digging in Google, and it seems that this might be
due to an environment problem.  But (I am not a Windows expert), I can't
see what the problem might be.  Can anybody help me?

The output from set, from just before nmake is executed, is given below.

Just one other thing to note, maybe.  The nmake is being executed from a
Makefile, i.e. another make invocation, as we build OpenSSL for multiple
platforms from the same set of top-level makefiles.  But this works fine
for 32-bit Windows, the AS/400 and a number of UNIX platforms.

Thanks,

G.


ALLUSERSPROFILE=C:\Documents and Settings\All Users
CD_ROOT=..\..
ClusterLog=C:\WINNTS2K\Cluster\cluster.log
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WBILL02
ComSpec=C:\WINNTS2K\system32\cmd.exe
CVS_VERSION=0.9.8e
FP_NO_HOST_CHECK=NO
FrameworkDir=C:\WINNTS2K\Microsoft.NET\Framework64
FrameworkSDKDir=S:\Microsoft Visual Studio\SDK\v2.0 64bit
FrameworkVersion=v2.0.50727
GWTN_ACK=GWTN_ACK4660
GWTN_AGNTPID=4660
GWTN_ANSWERBACK=UNKNOWN
GWTN_CLIENT_IP=172.16.1.1
GWTN_CLIENT_MAC=UNKNOWN
gwtn_color=0
GWTN_ENTER_DSU=GWTN_EnterDSU4660
GWTN_GET_I=GWTN_GET_I4660
GWTN_GET_O=GWTN_GET_O4660
gwtn_graphics=2
GWTN_GSCLNT=0
GWTN_HSOCKET=1020
GWTN_INFO_SLOT=0
GWTN_INTERFACE1=GSW_Interface1_4660
GWTN_LEAVE_DSU=GWTN_LeaveDSU4660
GWTN_PI_Request=GWTN_PI_Request4660
GWTN_RLS_I=GWTN_RLS_I4660
GWTN_RLS_O=GWTN_RLS_O4660
GWTN_SERVER_PORT=23
gwtn_term=0
GWTN_TRIGGER_DSU=GWTN_TriggerDSU4660
GWTN_TTY=/dev/tty4660
GWTN_XFER=GWTN_Xfer4660
GWTN_XFER_FROM_GS_AGNT=GWTN_XFromGS_Agnt4660
GWTN_XFER_TO_GS_AGNT=GWTN_XToGS_Agnt4660
HPX19=X:
INCLUDE=S:\Microsoft Visual Studio\VC\ATLMFC\INCLUDE;S:\Microsoft Visual
Studio\VC\INCLUDE;S:\Microsoft Visual
Studio\VC\PlatformSDK\include;S:\Microsoft Visual
Studio\SDK\v2.0\include;
INSTALLDIR=X:/gesh/build/newDev/openssl/Obj/nt52-x64
LIB=S:\Microsoft Visual Studio\VC\ATLMFC\LIB\amd64;S:\Microsoft Visual
Studio\VC\LIB\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\lib\amd64;S:\Microsoft Visual
Studio\SDK\v2.0\LIB\AMD64;
LIBPATH=S:\Microsoft Visual Studio\VC\ATLMFC\LIB\amd64;
LINK=/manifest:no
MAKEFLAGS=
MAKELEVEL=2
MAKEOVERRIDES=${-*-command-variables-*-}
MDEP_A=.lib
MDEP_AWK=awk
MDEP_CFLAGS=
MDEP_CONFIG=.\Configure VC-WIN64A
MDEP_D=.dll
MDEP_E=.exe
MDEP_MAKE=nmake
MFLAGS=--no-print-directory
MODULE_NAME=openssl
MQ_JAVA_DATA_PATH=S:\IBM\WebSphere MQ
MQ_JAVA_INSTALL_PATH=S:\IBM\WebSphere MQ\Java
MQ_JAVA_LIB_PATH=S:\IBM\WebSphere MQ\Java\lib
NUMBER_OF_PROCESSORS=4
OPENSSL_DIRECTORY_NAME=openssl-0.9.8e
OPENSSL_VERSION=0.9.8e
OS=Windows_NT
Path=S:\Perl64\bin;S:\Microsoft Visual Studio\VC\BIN\amd64;S:\Microsoft
Visual Studio\VC\PlatformSDK\bin\win64\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\bin;C:\WINNTS2K\Microsoft.NET\Framework64\v2.0.507
27;S:\Microsoft Visual Studio\VC\VCPackages;S:\Microsoft Visual
Studio\Common7\IDE;S:\Microsoft Visual Studio\Common7\Tools;S:\Microsoft
Visual Studio\Common7\Tools\bin;S:\Microsoft Visual
Studio\SDK\v2.0\bin;c:\windows\system32;c:\windows;c:\windows\system32\w
bem;c:\windows\system32\nls;c:\windows\system32\nls\english;c:\unix\usr\
local\wbin
PATH=S:\Perl\bin;S:\Microsoft Visual Studio\VC\BIN\amd64;S:\Microsoft
Visual Studio\VC\PlatformSDK\bin\win64\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\bin;C:\WINNTS2K\Microsoft.NET\Framework64\v2.0.507
27;S:\Microsoft Visual Studio\VC\VCPackages;S:\Microsoft Visual
Studio\Common7\IDE;S:\Microsoft Visual Studio\Common7\Tools;S:\Microsoft
Visual Studio\Common7\Tools\bin;S:\Microsoft Visual
Studio\SDK\v2.0\bin;c:\windows\system32;c:\windows;c:\windows\system32\w
bem;c:\windows\system32\nls;c

Problem building Windows 64-bit

2007-08-24 Thread Shaw Graham George
Hi,

I've tried to follow the instructions in INSTALL.W64 for building
OpenSSL for 64-bit Windows, but while C programs are compiling OK, the
link of the dlls is failing:

link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll
/def:ms/LIBEAY32.def @C:\Documents and Settings\gshaw\Local
Settings\Temp\nm33.tmp
LINK : fatal error LNK1181: cannot open input file 'link.obj'
NMAKE : fatal error U1077: 'S:\Microsoft Visual
Studio\VC\BIN\amd64\link.EXE'
: return code '0x49d'


Before executing make, I am executing:

perl .\Configure VC-WIN64A
ms\do_win64a.bat


The file nm33.tmp looks OK.

I've done a bit of digging in Google, and it seems that this might be
due to an environment problem.  But (I am not a Windows expert), I can't
see what the problem might be.  Can anybody help me?

The output from set, from just before nmake is executed, is given below.

Just one other thing to note, maybe.  The nmake is being executed from a
Makefile, i.e. another make invocation, as we build OpenSSL for multiple
platforms from the same set of top-level makefiles.  But this works fine
for 32-bit Windows, the AS/400 and a number of UNIX platforms.

Thanks,

G.


ALLUSERSPROFILE=C:\Documents and Settings\All Users
CD_ROOT=..\..
ClusterLog=C:\WINNTS2K\Cluster\cluster.log
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WBILL02
ComSpec=C:\WINNTS2K\system32\cmd.exe
CVS_VERSION=0.9.8e
FP_NO_HOST_CHECK=NO
FrameworkDir=C:\WINNTS2K\Microsoft.NET\Framework64
FrameworkSDKDir=S:\Microsoft Visual Studio\SDK\v2.0 64bit
FrameworkVersion=v2.0.50727
GWTN_ACK=GWTN_ACK4660
GWTN_AGNTPID=4660
GWTN_ANSWERBACK=UNKNOWN
GWTN_CLIENT_IP=172.16.1.1
GWTN_CLIENT_MAC=UNKNOWN
gwtn_color=0
GWTN_ENTER_DSU=GWTN_EnterDSU4660
GWTN_GET_I=GWTN_GET_I4660
GWTN_GET_O=GWTN_GET_O4660
gwtn_graphics=2
GWTN_GSCLNT=0
GWTN_HSOCKET=1020
GWTN_INFO_SLOT=0
GWTN_INTERFACE1=GSW_Interface1_4660
GWTN_LEAVE_DSU=GWTN_LeaveDSU4660
GWTN_PI_Request=GWTN_PI_Request4660
GWTN_RLS_I=GWTN_RLS_I4660
GWTN_RLS_O=GWTN_RLS_O4660
GWTN_SERVER_PORT=23
gwtn_term=0
GWTN_TRIGGER_DSU=GWTN_TriggerDSU4660
GWTN_TTY=/dev/tty4660
GWTN_XFER=GWTN_Xfer4660
GWTN_XFER_FROM_GS_AGNT=GWTN_XFromGS_Agnt4660
GWTN_XFER_TO_GS_AGNT=GWTN_XToGS_Agnt4660
HPX19=X:
INCLUDE=S:\Microsoft Visual Studio\VC\ATLMFC\INCLUDE;S:\Microsoft Visual
Studio\VC\INCLUDE;S:\Microsoft Visual
Studio\VC\PlatformSDK\include;S:\Microsoft Visual
Studio\SDK\v2.0\include;
INSTALLDIR=X:/gesh/build/newDev/openssl/Obj/nt52-x64
LIB=S:\Microsoft Visual Studio\VC\ATLMFC\LIB\amd64;S:\Microsoft Visual
Studio\VC\LIB\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\lib\amd64;S:\Microsoft Visual
Studio\SDK\v2.0\LIB\AMD64;
LIBPATH=S:\Microsoft Visual Studio\VC\ATLMFC\LIB\amd64;
LINK=/manifest:no
MAKEFLAGS=
MAKELEVEL=2
MAKEOVERRIDES=${-*-command-variables-*-}
MDEP_A=.lib
MDEP_AWK=awk
MDEP_CFLAGS=
MDEP_CONFIG=.\Configure VC-WIN64A
MDEP_D=.dll
MDEP_E=.exe
MDEP_MAKE=nmake
MFLAGS=--no-print-directory
MODULE_NAME=openssl
MQ_JAVA_DATA_PATH=S:\IBM\WebSphere MQ
MQ_JAVA_INSTALL_PATH=S:\IBM\WebSphere MQ\Java
MQ_JAVA_LIB_PATH=S:\IBM\WebSphere MQ\Java\lib
NUMBER_OF_PROCESSORS=4
OPENSSL_DIRECTORY_NAME=openssl-0.9.8e
OPENSSL_VERSION=0.9.8e
OS=Windows_NT
Path=S:\Perl64\bin;S:\Microsoft Visual Studio\VC\BIN\amd64;S:\Microsoft
Visual Studio\VC\PlatformSDK\bin\win64\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\bin;C:\WINNTS2K\Microsoft.NET\Framework64\v2.0.507
27;S:\Microsoft Visual Studio\VC\VCPackages;S:\Microsoft Visual
Studio\Common7\IDE;S:\Microsoft Visual Studio\Common7\Tools;S:\Microsoft
Visual Studio\Common7\Tools\bin;S:\Microsoft Visual
Studio\SDK\v2.0\bin;c:\windows\system32;c:\windows;c:\windows\system32\w
bem;c:\windows\system32\nls;c:\windows\system32\nls\english;c:\unix\usr\
local\wbin 
PATH=S:\Perl\bin;S:\Microsoft Visual Studio\VC\BIN\amd64;S:\Microsoft
Visual Studio\VC\PlatformSDK\bin\win64\amd64;S:\Microsoft Visual
Studio\VC\PlatformSDK\bin;C:\WINNTS2K\Microsoft.NET\Framework64\v2.0.507
27;S:\Microsoft Visual Studio\VC\VCPackages;S:\Microsoft Visual
Studio\Common7\IDE;S:\Microsoft Visual Studio\Common7\Tools;S:\Microsoft
Visual Studio\Common7\Tools\bin;S:\Microsoft Visual
Studio\SDK\v2.0\bin;c:\windows\system32;c:\windows;c:\windows\system32\w
bem;c:\windows\system32\nls;c:\windows\system32\nls\english;c:\unix\usr\
local\wbin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PERL5LIB=S:\oracle\product\10.1.0\Db_1\perl\lib\5.6.1\MSWin32-x86;S:\ora
cle\product\10.1.0\Db_1\perl\lib\5.6.1;S:\oracle\product\10.1.0\Db_1\per
l\5.6.1\lib\MSWin32-x86;S:\oracle\product\10.1.0\Db_1\perl\site\5.6.1;S:
\oracle\product\10.1.0\Db_1\perl\site\5.6.1\lib;S:\oracle\product\10.1.0
\Db_1\sysman\admin\scripts
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=EM64T Family 15 Model 4 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=040a
ProgramFiles(x86)=C:\Program Files 

RE: Problem building Windows 64-bit

2007-08-24 Thread Shaw Graham George

I forgot to mention.  0.9.8e.

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shaw Graham George
Sent: 24 August 2007 13:40
To: openssl-users@openssl.org
Subject: Problem building Windows 64-bit

Hi,

I've tried to follow the instructions in INSTALL.W64 for building
OpenSSL for 64-bit Windows, but while C programs are compiling OK, the
link of the dlls is failing:

link /nologo /subsystem:console /opt:ref /dll /out:out32dll\libeay32.dll
/def:ms/LIBEAY32.def @C:\Documents and Settings\gshaw\Local
Settings\Temp\nm33.tmp
LINK : fatal error LNK1181: cannot open input file 'link.obj'
NMAKE : fatal error U1077: 'S:\Microsoft Visual
Studio\VC\BIN\amd64\link.EXE'
: return code '0x49d'


Before executing make, I am executing:

perl .\Configure VC-WIN64A
ms\do_win64a.bat


The file nm33.tmp looks OK.

I've done a bit of digging in Google, and it seems that this might be
due to an environment problem.  But (I am not a Windows expert), I can't
see what the problem might be.  Can anybody help me?

The output from set, from just before nmake is executed, is given below.

Just one other thing to note, maybe.  The nmake is being executed from a
Makefile, i.e. another make invocation, as we build OpenSSL for multiple
platforms from the same set of top-level makefiles.  But this works fine
for 32-bit Windows, the AS/400 and a number of UNIX platforms.

Thanks,

G.



RE: Problem handling unexpected SSL shutdown

2007-08-16 Thread Shaw Graham George

Thanks for the response.

You'll have to bear with me, as I'm not really a low-level sockets
programmer.  But maybe you misunderstood the nature of my problem.

The problem is that, on Windows at least, my server doesn't appear to
get the SSL shutdown notify packet, for some reason.  So, if that is
to be expected, I'm looking for an alternative way of detecting the
closure.

I've now tested it on Linux, and the existing code works fine.  In other
words, when trying the SSL_Get:

1.  It fails
2.  SSL_get_error() returns SSL_ERROR_ZERO_RETURN
3.  (SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) is true

On Windows this is not the case.

But I guess if this problem is restricted to Windows, then I can:

1.  Add the call to WSAGetLastError() just for that platform
2.  Use it to detect the socket closure and ...
3.  Softly close the server socket that way

Unless somebody has any better ideas ...

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darryl Miles
Sent: 15 August 2007 15:40
To: openssl-users@openssl.org
Subject: Re: Problem handling unexpected SSL shutdown

Shaw Graham George wrote:
 The sequence of events goes like this:
 
 1.  The SSL handshake proceeds as normal.
 2.  The client puts an HTTP request
 3.  The server gets the HTTP request
 4.  The client then executes an (unexpected) SSL shutdown
 5.  The server puts the HTTP response
 
 Here I might expect the put to fail, but all appears normal.
 
 6.  As an HTTP Keep-Alive request has been made, the server enters a 
 wait for the next read event.
 7.  The read event occurs (presumably due to the SSL shutdown), and 
 now the get fails.
 
 SSL_get_error() returns SSL_ERROR_SYSCALL (I would expect 
 SSL_ERROR_ZERO_RETURN for an SSL shutdown).
 ERR_get_error() returns 0.
 (SSL_get_shutdown()  SSL_RECEIVED_SHUTDOWN) returns 0.
 
 Is this the expected behaviour?
 
 What I am looking for is a way of identifying the shutdown at the 
 server, so that I can close the connection softly.

I.e. you don't want your Keep-Alives hanging around when the other end
has gone.



The client will take one of these actions:
  * It will simply close the socket.  This can be picked up by your 
normal read() / write() failure scenarios.

  * It will write out a SSL shutdown notify packet, and then close the
connection anyway.  The server may or may not get the SSL shutdown
notify packet due to send buffering, socket linger options,
retransmission timeouts etc...  But the server end will either receive
the SSL shutdown notify before the socket close or it will just see a
socket close.  So again there is no special trickery here.

  * It will write out a SSL shutdown notify packet and wait for the 
acknowledgment from the server.  This is 100% graceful and conceptually 
correct way to finish things off.  To handle this your SSL_read() will 
signal a shutdown has been received (and from this point on no further 
SSL data will be received on that session that just closed).



 From seeing this you have a number of options at the server:

  * ACK the shutdown and issue your own shutdown (but only after you 
have finished writing all your application data with SSL_write()).  A 
HTTP client can often send the request and then shut the socket down, 
the server can observe this right after it pulled the request off to 
process it in another thread, this does not mean you want to shut the 
socket down at your end until you have processed that request and 
finished writing the Content body back the other way, only then should 
you take action in response to seeing the client's SSL shutdown
notify.

  * Once your SSL shutdown notify has hit the kernel write socket 
buffer, issue a TCP level shutdown(fd, SHUTDOWN_SEND).

  * Then wait to receive your shutdown ack or for the socket to 
close/timeout.  This wait does not have to be forever, I have an 
implementation that will allow the client socket a configurable amount 
of time to provide the SSL shutdown notify ACK back to me, if it does 
not happen within that time I close the socket.

  * Ultimately all this work leads to closing the socket.

If you implement everything above then your server is at least complying
with all the available mechanisms within SSL during the shutdown
sequence.  I'm sure many implementations skip all the more complex
points and jump right to the close the socket.



I don't fully see the problem with your code, nor the concern of having 
a solution that works on Unix and Win32 because most people in the 
situation you are in would put the socket into idle state but listening 
for more data (an active Keep-Alive idle list).

You will always get an event from listening for more data that will 
indicate the socket has been closed, or the socket has received a SSL 
shutdown notify request.  You won't miss it.


Here is a random fragment of my read code from Unix, it interests me if
there is a difference for Win32 but I would expect SSL_read() to
return

RE: Problem handling unexpected SSL shutdown

2007-08-16 Thread Shaw Graham George

Sure.

1.  The server receives the HTTP request, using SSL_read() and
SSL_pending().  The request contains a Keep-Alive request.
2.  The server writes the data out to another process.
3.  The server then sits on an event handler that multiplexes a
select() (or Windows equivalent) on sockets it has an interest in, and
other events such as receiving data from other processes.  At this time
it actually has no interest in any events at the socket, as it is
waiting for the processing to complete.
4.  The SSL client loses patience with a lack of response, and does an
SSL shutdown and socket close.
5.  An event is detected, and the server receives the result from the
background processing.
6.  It adds write interest to the socket and goes back to sitting on the
event handler.
7.  An event is detected and the server then performs an SSL_write() to
the (non-existent) client, which is successful.
8.  It then adds read interest in the socket, as it is a Keep-Alive
socket, so it is waiting for the next HTTP request.  It goes back to
sitting on the event handler.
9.  An event is detected and the server then performs:

9a. SSL_read() which fails (return code is -1).
9b. SSL_get_error() which returns SSL_ERROR_SYSCALL.
9c. ERR_get_error() which returns 0.

In the original code SSL_get_shutdown() would not be called unless
SSL_get_error() returns SSL_ERROR_ZERO_RETURN, but I added an extra
debug call after the call to SSL_get_error(), and it did not show
SSL_RECEIVED_SHUTDOWN.

And I have now added a call to WSAGetLastError() after the call to
ERR_get_error(), and it returns WSAECONNABORTED.

So I do get a read event on the socket.  I do call SSL_read.  It fails.
But the shutdown is apparently not received, as:

a.  SSL_get_error() does not return SSL_ERROR_ZERO_RETURN
b.  SSL_get_shutdown() does not show SSL_RECEIVED_SHUTDOWN

I hope that's clear.

As I say, the code works fine on Linux.

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darryl Miles
Sent: 16 August 2007 17:44
To: openssl-users@openssl.org
Subject: Re: Problem handling unexpected SSL shutdown

Shaw Graham George wrote:
> The problem is that, on Windows at least, my server doesn't appear to
> get the SSL shutdown notify packet, for some reason.  So, if that is
> to be expected, I'm looking for an alternative way of detecting the
> closure.
>
> I've now tested it on Linux, and the existing code works fine.  In
> other words, when trying the SSL_Get:

SSL_read() ?

> 1.  It fails
> 2.  SSL_get_error() returns SSL_ERROR_ZERO_RETURN
> 3.  (SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) is true
>
> On Windows this is not the case.
>
> But I guess if this problem is restricted to Windows, then I can:
>
> 1.  Add the call to WSAGetLastError() just for that platform
> 2.  Use it to detect the socket closure and ...
> 3.  Softly close the server socket that way
>
> Unless somebody has any better ideas ...

Can you log the OpenSSL API calls you make and the return values you
see?  When seeing any errors from OpenSSL don't forget the idioms:

int err = SSL_get_error(client->ssl, n);
int wsa_errno = WSAGetLastError();

and log the values you see.  Please also include the OpenSSL API calls
made just before the other end disappears.


This would clear up in my mind what you are observing:

  * You don't get the read-ready wakeup event from Win32 API?  So you
never get a chance to call SSL_read().

  * You don't see an error from SSL_read()?  But what did it return
instead?

  * You never see the '(SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) is true'
condition, even though you have written your own client and can confirm
it does/will send a SSL shutdown notify packet, will ensure the data
is flushed to the socket and will keep the socket open waiting to
receive a SSL shutdown notify packet from the other end?


If you get the read-ready wakeup event from Win32 API, then your code 
will end up calling SSL_read() and that call should attempt to process 
another packet and pull data from the socket as necessary until no more 
progress can be made at this time.  This will implicitly process the 
SSL shutdown notify packet.


Darryl
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Problem handling unexpected SSL shutdown

2007-08-15 Thread Shaw Graham George
Hi,

We have an application that provides HTTPS, either as client or server,
for our customers.  At the moment I am doing some testing between our
client and our server, as a result of a problem with one of our
customers, and there is a particular sequence of events, that involves
an unexpected SSL shutdown, that is giving an unexpected behaviour (at
least to me).

The sequence of events goes like this:

1.  The SSL handshake proceeds as normal.
2.  The client puts an HTTP request
3.  The server gets the HTTP request
4.  The client then executes an (unexpected) SSL shutdown
5.  The server puts the HTTP response

Here I might expect the put to fail, but all appears normal.

6.  As an HTTP Keep-Alive request has been made, the server enters a
wait for the next read event.
7.  The read event occurs (presumably due to the SSL shutdown), and now
the get fails.

SSL_get_error() returns SSL_ERROR_SYSCALL (I would expect
SSL_ERROR_ZERO_RETURN for an SSL shutdown).
ERR_get_error() returns 0.
(SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) returns 0.

Is this the expected behaviour?

What I am looking for is a way of identifying the shutdown at the
server, so that I can close the connection softly.

The version is 0.9.8e.  All sockets are non-blocking.  The test platform
is Windows - but our application runs on many platforms, I can test on
those as well if required.

Thanks in advance,

G.


RE: Problem handling unexpected SSL shutdown

2007-08-15 Thread Shaw Graham George

Some more information and thoughts.

I can replicate the server behaviour using openssl s_client, sending the
HTTP request, and then shutting down the client with a Q.

I'm wondering if the problem is that, once the HTTP request is received
by my server, then it has no read interest in the socket (as it now
wants to write the HTTP response).  So it will put the response whatever
the state of the socket.  Then maybe the put affects the state of the
socket, so that the shutdown state is no longer present.

So should I always have a read interest in the socket, in case of
shutdown?

Or should I check for a shutdown before actually doing the put?

But I would still have thought that the put should return an error if
the socket has been shutdown.

Thanks again,

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shaw Graham George
Sent: 15 August 2007 11:38
To: openssl-users@openssl.org
Subject: Problem handling unexpected SSL shutdown

Hi,

We have an application that provides HTTPS, either as client or server,
for our customers.  At the moment I am doing some testing between our
client and our server, as a result of a problem with one of our
customers, and there is a particular sequence of events, that involves
an unexpected SSL shutdown, that is giving an unexpected behaviour (at
least to me).

The sequence of events goes like this:

1.  The SSL handshake proceeds as normal.
2.  The client puts an HTTP request
3.  The server gets the HTTP request
4.  The client then executes an (unexpected) SSL shutdown
5.  The server puts the HTTP response

Here I might expect the put to fail, but all appears normal.

6.  As an HTTP Keep-Alive request has been made, the server enters a
wait for the next read event.
7.  The read event occurs (presumably due to the SSL shutdown), and now
the get fails.

SSL_get_error() returns SSL_ERROR_SYSCALL (I would expect
SSL_ERROR_ZERO_RETURN for an SSL shutdown).
ERR_get_error() returns 0.
(SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) returns 0.

Is this the expected behaviour?

What I am looking for is a way of identifying the shutdown at the
server, so that I can close the connection softly.

The version is 0.9.8e.  All sockets are non-blocking.  The test platform
is Windows - but our application runs on many platforms, I can test on
those as well if required.

Thanks in advance,

G.


RE: Problem handling unexpected SSL shutdown

2007-08-15 Thread Shaw Graham George
Hi,

More information.

Before the server put:

(SSL_get_shutdown() & SSL_RECEIVED_SHUTDOWN) returns 0.

... so that's of no use.

After the server get:

errno returns 0.
WSAGetLastError() returns WSAECONNABORTED.

That's one step forward, maybe.  But my code must work for all supported
platforms, so I need to find a solution that will work on UNIX as well.

I guess I should make a test on UNIX to see if the same problem occurs,
or if this is a Windows-specific problem.

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of jimmy bahuleyan
Sent: 15 August 2007 14:01
To: openssl-users@openssl.org
Subject: Re: Problem handling unexpected SSL shutdown

jimmy bahuleyan wrote:
> Shaw Graham George wrote:
> > Hi,
> >
> > We have an application that provides HTTPS, either as client or
> > server, for our customers.  At the moment I am doing some testing
> > between our client and our server, as a result of a problem with one
> > of our customers, and there is a particular sequence of events, that
> > involves an unexpected SSL shutdown, that is giving an unexpected
> > behaviour (at least to me).
> >
> > The sequence of events goes like this:
> >
> > 1.  The SSL handshake proceeds as normal.
> > 2.  The client puts an HTTP request
> > 3.  The server gets the HTTP request
> > 4.  The client then executes an (unexpected) SSL shutdown
>
> Is this only a SSL_shutdown() or is SSL_shutdown() followed by a
> socket close by the client?
>
> Well if you had been listening for a read, both the SSL_shutdown and
> the socket close are capable of generating read events in select()
>
> If it was only a SSL_shutdown, I suppose you should be getting
> SSL_ERROR_ZERO_RETURN. In the other case SSL_ERROR_SYSCALL with
> errno=EPIPE seems possible.
>
>
> > 5.  The server puts the HTTP response
> >
> > Here I might expect the put to fail, but all appears normal.
> >
> > 6.  As an HTTP Keep-Alive request has been made, the server enters a
> > wait for the next read event.
> > 7.  The read event occurs (presumably due to the SSL shutdown), and
> > now the get fails.
> >
> > SSL_get_error() returns SSL_ERROR_SYSCALL (I would expect
>
> Did you check errno here?

i mean WSAGetLastError() or whatever.

-jb
--
Tact is the art of making a point without making an enemy.
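The checks Darryl and jimmy describe above (the SSL_read() return value, SSL_get_error(), whether ERR_get_error() was 0, the SSL_RECEIVED_SHUTDOWN flag from SSL_get_shutdown(), and errno or WSAGetLastError()) combine into one decision table. The block below is an added example, not code from this thread or from OpenSSL: it puts that table into a pure function so the same server code can tell a graceful close_notify from an abrupt socket close on both Unix and Win32. The function and enum names are hypothetical; the numeric constants are OpenSSL's own and are only defined locally when its headers are not on the include path. It goes a little beyond the thread by also separating a clean TCP EOF without close_notify (the truncation case, where the received data must not be trusted as complete) from a reset or abort.

```c
/*
 * Added example (not from the thread): decide what a non-blocking server
 * should do after SSL_read() returns, from the values the thread discusses.
 * Only the decision logic is here; an application fetches the inputs from
 * SSL_read(), SSL_get_error(), ERR_get_error(), SSL_get_shutdown() and
 * errno / WSAGetLastError().
 */
#include <errno.h>
#include <stddef.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif
#ifndef SSL_ERROR_NONE            /* values as in OpenSSL's ssl.h */
#  define SSL_ERROR_NONE        0
#  define SSL_ERROR_SSL         1
#  define SSL_ERROR_WANT_READ   2
#  define SSL_ERROR_WANT_WRITE  3
#  define SSL_ERROR_SYSCALL     5
#  define SSL_ERROR_ZERO_RETURN 6
#  define SSL_SENT_SHUTDOWN     1
#  define SSL_RECEIVED_SHUTDOWN 2
#endif
/* Winsock codes, spelled out so the example also builds on Unix. */
#ifndef WSAECONNABORTED
#  define WSAECONNABORTED 10053
#endif
#ifndef WSAECONNRESET
#  define WSAECONNRESET 10054
#endif

enum read_outcome {
    READ_DATA,            /* application bytes were returned */
    READ_RETRY,           /* WANT_READ / WANT_WRITE: keep the socket in the select set */
    READ_CLOSE_NOTIFY,    /* peer sent close_notify: reply with SSL_shutdown() once done writing */
    READ_PEER_GONE,       /* TCP side died (reset/abort/EPIPE) with no close_notify */
    READ_UNEXPECTED_EOF,  /* clean TCP EOF but no close_notify: possible truncation */
    READ_PROTOCOL_ERROR,  /* SSL_ERROR_SSL: do not send a shutdown, just close */
    READ_SOCKET_ERROR     /* some other OS error: treat as fatal */
};

enum close_action {
    KEEP_OPEN,
    FINISH_WRITE_THEN_SHUTDOWN,  /* write the pending response, then SSL_shutdown() */
    SHUTDOWN_NOW,                /* SSL_shutdown() now, half-close, bounded wait for the ack */
    CLOSE_SOCKET_NOW             /* nobody is there to ack a shutdown; close the fd */
};

/* errno / WSAGetLastError() values that mean the peer is simply gone. */
static int peer_gone_errno(int sock_err)
{
    return sock_err == ECONNRESET || sock_err == EPIPE ||
           sock_err == WSAECONNABORTED || sock_err == WSAECONNRESET;
}

/*
 * ret:             value returned by SSL_read()
 * ssl_err:         SSL_get_error(ssl, ret)
 * err_queue_empty: ERR_get_error() == 0 (needed to interpret SSL_ERROR_SYSCALL)
 * shutdown_flags:  SSL_get_shutdown(ssl)
 * sock_err:        errno on Unix, WSAGetLastError() on Win32 (the thread saw
 *                  WSAECONNABORTED there while errno stayed 0)
 */
enum read_outcome classify_ssl_read(int ret, int ssl_err, int err_queue_empty,
                                    int shutdown_flags, int sock_err)
{
    if (ret > 0)
        return READ_DATA;
    switch (ssl_err) {
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return READ_RETRY;
    case SSL_ERROR_ZERO_RETURN:
        return READ_CLOSE_NOTIFY;          /* the graceful case */
    case SSL_ERROR_SYSCALL:
        if (shutdown_flags & SSL_RECEIVED_SHUTDOWN)
            return READ_CLOSE_NOTIFY;      /* alert processed, then the socket went */
        if (ret == 0 && err_queue_empty)
            return READ_UNEXPECTED_EOF;    /* EOF without close_notify */
        if (ret < 0 && peer_gone_errno(sock_err))
            return READ_PEER_GONE;         /* e.g. WSAECONNABORTED on Win32 */
        return READ_SOCKET_ERROR;
    default:                               /* SSL_ERROR_SSL and anything unknown */
        return READ_PROTOCOL_ERROR;
    }
}

/* What the server should do next.  As Darryl notes, a close_notify seen while
 * a response is still being written must not cut that response short. */
enum close_action plan_close(enum read_outcome outcome, size_t unsent_bytes)
{
    switch (outcome) {
    case READ_DATA:
    case READ_RETRY:
        return KEEP_OPEN;
    case READ_CLOSE_NOTIFY:
        return unsent_bytes ? FINISH_WRITE_THEN_SHUTDOWN : SHUTDOWN_NOW;
    default:
        return CLOSE_SOCKET_NOW;
    }
}
```

For the SHUTDOWN_NOW path the remaining steps are the ones listed earlier in the thread: SSL_shutdown(), then a TCP half-close (the POSIX constant is SHUT_WR, SD_SEND on Winsock), then a bounded wait for the peer's close_notify before closing the descriptor. Keeping read interest on an idle Keep-Alive socket is what makes the READ_CLOSE_NOTIFY and READ_PEER_GONE cases show up promptly instead of only after the next write.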


RE: how to use openssl's header file in my program?

2004-12-01 Thread Shaw Graham George
man gcc

---
George Shaw
Senior Software Engineer
Axway
a Sopra Group company
Tel: +44 (0) 7802 452186
Fax: +44 (0) 1454 299684
email: [EMAIL PROTECTED]
www.axway.com
---

This message is intended solely for the persons named above. It may contain
confidential information whose disclosure is therefore strictly prohibited. If
you have received this message in error, please return it to the e-mail address
above and destroy any copies.

This message may contain confidential and proprietary material for the sole use 
of the intended recipient. Any review or distribution by others is strictly 
prohibited. If you are not the intended recipient, please contact the sender 
and delete all copies.

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of alan alan
Sent: 01 December 2004 13:12
To: [EMAIL PROTECTED]
Subject: Re: how to use openssl's header file in my program?


I just solved it, the command is:
# gcc settime.c -lcrypto
Who can tell me why and explain it? Thanks

Xuekun Hu [EMAIL PROTECTED] wrote:
> If you compiled with libssl.a, just like
> gcc settime.c [path]libssl.a
> If you compiled with libssl.so, just like
> gcc -L[path] -lssl settime.c
>
> On Wed, 1 Dec 2004 15:46:25 +0800 (CST), alan alan wrote:
> > First, thanks for your answer. Another, how to set the path for the openssl
> > libraries in my compiler?
> > I just compiled it like this:
> > gcc settime.c
> > I don't know how to add path. Can you help me again? Thanks!
> >
> > [EMAIL PROTECTED] wrote:
> > > Do you have the correct path setup for the openssl libraries in your
> > > compiler ? e.g. -L/usr/local/ssl/lib
> > >
> > > Andrew.
> > >
> > > alan alan, sent by [EMAIL PROTECTED], 01/12/2004 02:15 PM
> > > Please respond to [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: how to use openssl's header file in my program?
> > >
> > > > hi,
> > > > when I write my program, for example, I want to use openssl's
> > > > function: BIO_write.
> > > > And I write all openssl's header file in my program.
> > > > such as:
> > > > #include
> > > > #include
> > > > #include
> > > > #include
> > > > #include
> > > > but there is always wrong:
> > > > /tmp/ccrza3u0.o(.text+0x229): In function `ASN1_UTCTIME_2tm':
> > > > : undefined reference to `BIO_write'
> > > >
> > > > who can help me. thanks for any assistance.
> > > >
> > > > alan.
 