Please help
Hi

I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

many many thanks

Steve

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: Please help
I *think* I understand it now, but any clarification etc. would still be most appreciated.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve thornton
Sent: 23 July 2003 10:09
To: [EMAIL PROTECTED]
Subject: Please help

Hi

I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

many many thanks

Steve
RE: Please help
Yes I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k. It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments?

many thanks

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 12:36
To: [EMAIL PROTECTED]
Subject: Re: Please help

On Wed, Jul 23, 2003, steve thornton wrote:

> Hi
>
> I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

If the added lines use the correct syntax you should be OK as long as you call 'make update'.

You should be careful about deleting lines from objects.txt because this will break binary compatibility with any applications that use the NIDs directly: they'd need to be recompiled.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
RE: Please help
Thanks for that Steve, that was the conclusion I had just come to. Now I need to convince my bosses. I wonder if they'll pay me to write things from scratch?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 13:52
To: [EMAIL PROTECTED]
Subject: Re: Please help

On Wed, Jul 23, 2003, steve thornton wrote:

> Yes I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k. It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments?

Well if it's embedded then binary compatibility won't matter if you can just recompile everything. You can delete a large number of objects in objects.txt without any major harm.

There are other areas you can also look into to reduce code size such as crypto and digest algorithms, extension code, PKCS#12, PKCS#7, ENGINE etc etc.

It would be *very* difficult to try to restrict OpenSSL to the sizes claimed for some SSL libraries (40K I've heard quoted for one), so hard in fact that starting again might be less effort.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
RE: Connection pool for HTTPS using OpenSSL
This is pretty standard - if I understand you correctly, you mean that you have a client that keeps a pool of sockets connected to a particular server. You just need to implement some way of storing the session ids from the handshake using say SSL_get1_session(), and then setting these back into the session when you re-connect using SSL_set_session(). Does this help any?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harald Ommang
Sent: 19 July 2003 10:49
To: [EMAIL PROTECTED]
Subject: RE: Connection pool for HTTPS using OpenSSL

On Wed, 16 Jul 2003 14:49:41 +0100, steve thornton wrote:

> Sorry, can't read - you mean server. If you set up a session caching scheme, then maintaining a pool of connections is cheap (ish) and straightforward. I have code snippets if you need them
>
> Steve

Hehe, well if you can't read, then I can't write :-) Cause I mean creating a *client* that has a pool of connections against the web server I will be communicating with.

And yes, snippets would be very welcome, as I am new to OpenSSL.

Harald
ASN.1 database
Hi

I would like to try and reduce the size of the ASN.1 database, but am not sure how the various files work together - I see that there is a perl script to generate the necessary files, but I'm not too clear how this works. Can anybody help me out on how to edit and regenerate this?

Many thanks in advance

Steve
Reducing the size of the ASN.1 database
Hi folks,

I've just successfully ported OpenSSL to run on a very small embedded real-time platform. I am now looking at ways to reduce the code size (more than I already have done), and am wondering if I can get rid of most of the entries in the ASN.1 database, as I am only doing the most *basic* checking of peer certificates. Has anybody any thoughts on this?

Any input greatly appreciated - thanks in advance

Steve
Problem with X509_set_verify()
Hi folks,

I've been trying to use X509_set_verify() and an associated callback function to allow me to override the standard verification if necessary. According to the O'Reilly OpenSSL book, this function gets called on every connection, and allows the callback to alter the ok value, thus allowing the application to override. However, when I look at the source code, I notice that this is not true, as the callback is made only if the verification fails. Furthermore, if the application alters the return value to true (thus overriding the failure) then everything crashes in flames (at least on my embedded platform). While I am hunting for the bug, can anybody confirm any of the above? Is anybody aware of this behaviour?

Thanks for your time

Steve
RE: Problem with X509_set_verify()
Actually, I take that back, it does get called whether the chain passes or fails. However, it still crashes horribly when ok is altered. Any clues?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve thornton
Sent: 26 June 2003 09:53
To: [EMAIL PROTECTED]
Subject: Problem with X509_set_verify()

Hi folks,

I've been trying to use X509_set_verify() and an associated callback function to allow me to override the standard verification if necessary. According to the O'Reilly OpenSSL book, this function gets called on every connection, and allows the callback to alter the ok value, thus allowing the application to override. However, when I look at the source code, I notice that this is not true, as the callback is made only if the verification fails. Furthermore, if the application alters the return value to true (thus overriding the failure) then everything crashes in flames (at least on my embedded platform). While I am hunting for the bug, can anybody confirm any of the above? Is anybody aware of this behaviour?

Thanks for your time

Steve
RE: Problem with X509_set_verify()
I think I've found the problem (in my code) but will take a while to make sure. As far as horrible crash goes - it freezes in mid handshake (as the verify callback explodes), and causes the real-time embedded kernel to lock up all its signal queues, causing the whole (very complex) system to gradually nosedive into deadlock. The display device goes crazy for a while as it twitches in its death throes. After a while I get an auto reset. This of course has nothing to do with OpenSSL.

cheers

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: 26 June 2003 10:28
To: [EMAIL PROTECTED]
Subject: Re: Problem with X509_set_verify()

On Thu, Jun 26, 2003 at 10:07:08AM +0100, steve thornton wrote:

> Actually, I take that back, it does get called whether the chain passes or fails. However, it still crashes horribly when ok is altered. Any clues?

Hmm. I don't use the function directly but indirectly via the SSL layer. See the Postfix/TLS patchkit (file pfixtls.c after applying the patch, available from my homepage) on how I use it.

Anyway, I am currently trying to imagine a horrible crash. I assume it is similar to the Enterprise being hit by a photon torpedo: sparks are coming out of the consoles, computers explode and smoke fills the bridge...

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: Problem with X509_set_verify()
OK, I haven't found the problem. It does appear to be an OpenSSL bug.

I use

    SSL_CTX_set_verify ( ctx, SSL_VERIFY_PEER, verifyCallbackProc );

and

    int verifyCallbackProc ( int ok, X509_STORE_CTX *store )
    {
        return 1;
    }

this causes the verification code to hang in the middle of the handshake. Can anybody confirm that this happens with standard OpenSSL builds?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve thornton
Sent: 26 June 2003 11:07
To: [EMAIL PROTECTED]
Subject: RE: Problem with X509_set_verify()

I think I've found the problem (in my code) but will take a while to make sure. As far as horrible crash goes - it freezes in mid handshake (as the verify callback explodes), and causes the real-time embedded kernel to lock up all its signal queues, causing the whole (very complex) system to gradually nosedive into deadlock. The display device goes crazy for a while as it twitches in its death throes. After a while I get an auto reset. This of course has nothing to do with OpenSSL.

cheers

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: 26 June 2003 10:28
To: [EMAIL PROTECTED]
Subject: Re: Problem with X509_set_verify()

On Thu, Jun 26, 2003 at 10:07:08AM +0100, steve thornton wrote:

> Actually, I take that back, it does get called whether the chain passes or fails. However, it still crashes horribly when ok is altered. Any clues?

Hmm. I don't use the function directly but indirectly via the SSL layer. See the Postfix/TLS patchkit (file pfixtls.c after applying the patch, available from my homepage) on how I use it.

Anyway, I am currently trying to imagine a horrible crash. I assume it is similar to the Enterprise being hit by a photon torpedo: sparks are coming out of the consoles, computers explode and smoke fills the bridge...

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: Problem with X509_set_verify()
Hi Lutz,

I'm using OSSL 0.9.7b ported for an ARM based platform (I'm currently doing the port myself, and it is operational), which uses non-blocking sockets (custom version). If I run the code below, but with return ok; rather than return 1; everything works just dandy. But if I try to override the verification by returning 1, then the handshake stops there, and the embedded system actually crashes irrevocably. I've noticed a few other weirdnesses like this due to the platform which I have been able to fix, but I need to know whether this happens on an ordinary build or not. Testing this myself on vanilla OpenSSL is a real pain the way things are set up here.

cheers

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: 26 June 2003 12:54
To: [EMAIL PROTECTED]
Subject: Re: Problem with X509_set_verify()

On Thu, Jun 26, 2003 at 12:07:19PM +0100, steve thornton wrote:

> OK, I haven't found the problem. It does appear to be an OpenSSL bug.
>
> I use
>
>     SSL_CTX_set_verify ( ctx, SSL_VERIFY_PEER, verifyCallbackProc );
>
> and
>
>     int verifyCallbackProc ( int ok, X509_STORE_CTX *store )
>     {
>         return 1;
>     }
>
> this causes the verification code to hang in the middle of the handshake. Can anybody confirm that this happens with standard OpenSSL builds?

Negative: it seems to work fine for all of the other people using it (including myself).

Please point out more information about the version used, the platform, which kind of socket (blocking/non-blocking?). What does hang mean? Is the SSL code running in a loop, is it waiting for input or output???

--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: Problem with X509_set_verify()
Lutz,

Thanks for that. OK I'll just have to set to work with printf's (and returns, as currently it crashes so badly I don't get the printf's). This could take a while, but probably quicker than setting up an on-target debuggerer. It's probably something deeply occult.

thanks again

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: 26 June 2003 13:26
To: [EMAIL PROTECTED]
Subject: Re: Problem with X509_set_verify()

On Thu, Jun 26, 2003 at 01:07:22PM +0100, steve thornton wrote:

> I'm using OSSL 0.9.7b ported for an ARM based platform (I'm currently doing the port myself, and it is operational), which uses non-blocking sockets (custom version).

I am using OpenSSL 0.9.7b on an ARM based platform myself (Xscale based Intel IXP425, Linux, if that matters).

> If I run the code below, but with return ok; rather than return 1; everything works just dandy. But if I try to override the verification by returning 1, then the handshake stops there, and the embedded system actually crashes irrevocably. I've noticed a few other weirdnesses like this due to the platform which I have been able to fix, but I need to know whether this happens on an ordinary build or not. Testing this myself on vanilla OpenSSL is a real pain the way things are set up here.

It does not crash on plain OpenSSL. Postfix/TLS uses a non-blocking setup like a lot of other applications do and neither have I seen problems like these nor do I remember any similar report. Overriding the verification result is exactly the purpose that the verify_callback() has been designed for.

I don't know enough about your platform, but no platform should ever crash due to an application, no matter how buggy the application might be. Therefore I also don't know what to propose in your special case. Normally if an application is crashing, I can at least get a backtrace. Even a crashing Linux-kernel will leave a Panic to be traced. But even if it would not...

printf() is the ultimate debugging aid :-)

Best regards,
	Lutz

PS. Just to prevent misunderstandings: Postfix/TLS and the IXP425 work are in no way technically related.
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: Problem with X509_set_verify()
OK I've found the problem. I can kluge my way around it, as it is something to do with the weird stuff that I am doing, rather than any fault in OSSL. Thanks for everybody's input. At least it showed up a bug in the docs that has been corrected.

thanks again

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lutz Jaenicke
Sent: 26 June 2003 15:00
To: [EMAIL PROTECTED]
Subject: Re: Problem with X509_set_verify()

On Thu, Jun 26, 2003 at 08:47:49AM -0500, Fred Crable wrote:

> It looks like a verification failure, whatever that means! Sounds like an infinite loop from the man pages. Try fflush() on your stdio to catch those printf()'s :)
>
> Quote from: http://www.hmug.org/man/3/SSL_CTX_set_verify.html
>
>     The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with "verification failed" state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will never be terminated because of this application experiencing a verification failure. The calling process can however retrieve the error code of the last verification error using SSL_get_verify_result(3) or by maintaining its own error storage managed by verify_callback.

Ouch. What was meant is:

If verify_callback() always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established.

Will fix this in the manual pages in the next minutes.

Thanks,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: Async IO on Windows
Hi,

Yes it is possible to change OpenSSL to do this (I've just done it), but it's a bit fiddly. Try BIO pairs first though.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Collins
Sent: 30 May 2003 19:53
To: [EMAIL PROTECTED]
Subject: Async IO on Windows

Hi,

I am trying to add OpenSSL support to an application that uses Windows async IO. Basically, when a read completes, I get called back, and I need to decrypt the buffer etc. Is this do-able? Is there an example? I don't see how I can use SSL_read..

TIA

Steve