Follow-up
Thanks to everyone for pointing me to PEM_X509_INFO_read However I've noticed a very strange problem. If I call: ASN1_d2i_fp(X509_new, d2i_X509, fp, NULL); before I call PEM_X509_INFO_read(fp, NULL, myPemCallback, NULL), and the ASN1_d2i_fp call fails, the PEM_X509_INFO_read call _always_ fails too. I can't explain this at all. These are on different fp so that's not the problem. It's as though there's some static data or perhaps a spinlock blocking the second call. I haven't tried debugging OpenSSL yet. It could very well be that I'm calling something incorrectly... I don't see it though. I am calling this from C++ so I have to do lots of casting to get the function pointers to be accepted in the first call, but I'm not sure that has anything to do with it. -- George Staikos __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_ERROR_SYSCALL question (follow up)
Cory, Section 7.2.1 of the TLS spec (rfc2246) goes into detail about this, and Eric Rescorla's book has a complete discussion of what the issues are here. I believe you get the error from OpenSSL if you receive an TCP FIN *before* you receive a close_notify alert. The problem is probably in the peer which you perhaps cannot control. If you close down the SSL connection with SSL_shutdown(), you will cause a close_notify alert to be sent to the peer before the TCP FIN. Now, my question is: what does SSL_set_shutdown() do, how is it different from SSL_shutdown(), and what do the mode options SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN do? _ Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _ - Original Message - From: "Cory Winter" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, January 24, 2001 10:26 PM Subject: Re: SSL_ERROR_SYSCALL question (follow up) > Hi, > > I guess what I was wondering was does this just indicate that the peer has > simply gone away/shutdown? By violation, does this situation actually a > indicate a protocol error? I'm thinking that its not. > > Take care, > Cory > > On Wed, Jan 24, 2001 at 11:13:34PM -0330, Cory Winter wrote: > > Hi, > > > > I am occasionally experiencing an SSL_ERROR_SYSCALL where the result of > > the SSL_read() was 0. The docs explain that this is most likely due to > > an EOF that was observed which violates the protocol. I was hoping > > someone could elaborate on this to maybe give me a clue about what I > > should look for in my code. > > > > Thanks, > > Cory > > > > -- > > Cory Winter E-Mail: mailto:[EMAIL PROTECTED] > > Software Developer WWW: http://www.ooc.com/ > > Object Oriented Concepts, Inc. Phone: (709) 738-3725 > > __ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List[EMAIL PROTECTED] > > Automated List Manager [EMAIL PROTECTED] > > -- > Cory Winter E-Mail: mailto:[EMAIL PROTECTED] > Software Developer WWW: http://www.ooc.com/ > Object Oriented Concepts, Inc. Phone: (709) 738-3725 > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
follow up to "Odd run-time failure."
Using Slackware 7.1 or 8.0 doesn't seem to matter. Program is written in C++ using GNU's g++ compiler. Same failure with OpenSSL-0.9.6a/b. Problem: The web app that I'm coding dies after a few calls to "malloc()" or C++'s new in the middle of the call. No error code is returned. I've took out the fork() routine in the app so now I have a single process app, and can see the "Segmentation Fault" error. I new this was the error but now I can use gdb with it. From the previous posted question to this problem "Odd run-time failure." Lutz said to try ElectricFence, which I found 2.0.5 and have tried twice to use it. I haven't been able to get it to work just yet, I think my code is still linking to the C librarie's malloc() instead of the efence.a, but either way I will need to do more conversions from "new" calls to "malloc()" calls elsewhere in my code so when I do get the efence.a to link I'm not missing any calls for dynamic memory to be tracked. Current Troubleshooting data: Working with GDB I've compiled the code with OpenSSL (assuming the default libraries are shared). Running the web app then under GDB produces the following message when SIGSEGV thrown - "warning: Unable to find dynamic linker breakpoint function. GDB will be unable to debug shared library initializers and track explicitly loaded dynamic code. Program received signal SIGSEGV, Segmentation fault. 0x400fd3b8 in malloc () from /lib/libc.so.6" However, if I stick "-static" in the linker call of Makefile and then run GDB with web app, GDB produces - "Program received signal SIGSEGV, Segmentation fault. chunk_alloc (ar_ptr=0x8136540, nb=40) at malloc.c:2814 2814malloc.c: No such file or directory. Current language: auto; currently c" I have also run mtrace() and the output shows many unallocated memory accesses, and many unfree()d addresses, but after further reading the mtrace() man I found this at http://www.gnu.org/manual/glibc-2.2.3/html_node/libc_38.html : "This last point is also why it is no good idea to call muntrace before the program terminated. The libraries are informed about the termination of the program only after the program returns from main or calls exit and so cannot free the memory they use before this time. " I don't call muntrace() I just let it run through to the end, then after giving it some thought most of the output from mtrace wouldn't tell me a whole lot since I'm getting a Segmentation Fault, of course there would be missing free()s. But to confirm that my code compiled without OpenSSL works just fine I ran mtrace() with it compiled without OpenSSL. It came back with like 4 accesses of unallocated space and 3 missing free()s, all of which were associated with *.so files and are persistent outside the runtime of my web app. So if my hunch is correct OpenSSL is doing something with memory that my C++ code butts heads with. I will try to work out ElectricFence linking issue in the meantime. But for now does anyone have a suggestions? Am I correct in my understanding of the mtrace() and the output. Does anyone currently use OpenSSL and GNU's g++ compiler (yes I know g++ is another interface to gcc) on Linux? Thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Follow up question to efficient usage of SSL_write().
I'm not at a location to access the account that receives the subscription mail today so please CC this account on a reply, [EMAIL PROTECTED] I'm kind of delving over which way I should implement buffering. I looked through some of the source code and found in bf_buff.c #define DEFAULT_BUFFER_SIZE 1024 the code appears to use this as the buffer size before calling the underlying routine ( SSL_write ) in my case. What is the reasoning for 1024? Or do the encryption routines like a 1024 data segment? "openssl.cnf" configuration file has a name=value pair of "default_bits=1024" is there an association here? Or simply this has worked best in the past. If my memory serves me right doesn't each of the encryption algorithms dictate there own max memory size that it will encrypt in each message it sends over the network. Before asking my original question and then learning about BIO I did a little recoding to try to make my output to a plain socket unbuffered to try to make use of the same code as I was doing with SSL_write(). But I had an idea to call getsockopt() to find out the socket's SND buffer size and make send() calls using data segment sizes based off of the buffer size (although I'm don't know a simple way to confirm that this is a more efficient method than just buffering the socket). If BIO is simply using 1024 (or some other value I can figure out in run-time) I could make SSL_write() calls using that fixed size in the same code; and if/else whether it is an encrypted/unencrypted socket. Yeah, I know I'm being difficult, but then again I could be doing this whole web app in a scripting language in a week and not deal with any of this. Much thanks for the pointers on the last question, and thanks for putting up with this question. ___ Send a cool gift with your E-Card http://www.bluemountain.com/giftcenter/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Random test fail on dual cpu i686 follow up!
I have two identical Dell servers, both exactly the same spec, dual pentium 667 with 512MB ram, Linux6.2. I have successfully compiled and tested openssl-0.9.6 on one machine However when I compile it on the second and run make test the test also hangs and when I look at top the %CPU goes up over 90%, what is happening??? the tests fail at different places, could be at the start or near the end This problem is driving me crazy and dell don't have any idea, could there be a problem with my hardware??? - Other programs also seem to be affected, including Tripwire, it fails when the app trys to decrypt an encrypted site key Any clues to this problem would help me greatly especially if it is the hardware at fault -- Christopher Bragg IT Development The Moviemarket [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Follow up question to efficient usage of SSL_write().
On Thu, Aug 23, 2001 at 07:55:13AM -0700, Steven Schaefer wrote: > I'm not at a location to access the account that receives the subscription > mail today so please CC this account on a reply, [EMAIL PROTECTED] > > I'm kind of delving over which way I should implement buffering. > I looked through some of the source code and found in bf_buff.c > > #define DEFAULT_BUFFER_SIZE 1024 >From CHANGES: Changes between 0.9.6a and 0.9.6b [9 Jul 2001] ... *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 (previously it was 1024). [Bodo Moeller] > the code appears to use this as the buffer size before calling the > underlying routine ( SSL_write ) in my case. > > What is the reasoning for 1024? Or do the encryption routines like a 1024 > data segment? "openssl.cnf" configuration file has a name=value pair of > "default_bits=1024" is there an association here? Or simply this has worked > best in the past. If my memory serves me right doesn't each of the > encryption algorithms dictate there own max memory size that it will encrypt > in each message it sends over the network. It's a compromise between memory usage and efficiency. SSL_write() can send up to 16kB in one chunk (TLS specification). Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Follow up - Re: Can't get PKI Client Authentication Enforcement to work
Replying to my own message to add additional information. When I try it with Firefox, it asks which cert to use from my smart card etc. and then throws this error dialog.: "Could not establish an encrypted connection because your certificate was rejected by euukmoappd003n.dev.local. Error Code: -12271" I looked up Firefox error code -12271 = "SSL_ERROR_BAD_CERT_ALERT SSL peer cannot verify your certificate. The remote system has received a certificate from the local system, and has rejected it for some reason." Again, I have the proper CA's installed on the server including the one that issued the ID cert on the smart card. Quoting Joseph Felten <[EMAIL PROTECTED]>: > I'm stumped so I thought I would give this list a try as I believe my problem > is > an openssl issue. > > Background: Building an SSL enabled Apache web server on a closed network. > Apache under Solaris 8 OS. Need to restrict access to users with ID > certificates issued by particular CA's (issued by particular Root issuers) > read > from a smart card. I can make everything work except restricting access to > particular CA's. Whenever I enable SSLVerifyClient and SSLVerifyDepth in > Apache it denies all access even though I present a cert that was issued by > one > of the CA's under SSLCACertificatePath. Even though I have those CA's certs > loaded on the server and can dump and verify them with openssl. I get errors > in the Apache log such as.: > > "Certificate Verification: Error (20): unable to get local issuer > certificate" > > and > > "SSL Library Error: 336105650 error:140890B2:SSL > routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned" > > I'm not sure which certificate is not being returned. From the browser/smart > card? It seems to be presenting the cert to the server. I suspect that > error > is misleading. > > I know the browser is reading the cert from the smart card as the browser > security module kicks in and asks which cert from the smart card to present > to > the server. I can't just install the user ID cert directly in the browser as > they are flagged non-exportable for security reasons, plus the smart cards > are > a requirement. > > Software: Apache/2.2.4 (Unix) mod_jk/1.2.21 DAV/2 mod_ssl/2.2.4 > OpenSSL/0.9.8e > mod_perl/2.0.3 Perl/v5.8.8 > > I tried some tests with openssl verify, s_client, s_server etc. openssl > s_server seems happy with everything. For example.: > > openssl s_server -key conf/euukmoappd003n.dev.local.server.key -cert > conf/cert.euukmoappd003n.dev.local.server.crt -CApath conf/ssl.crt -state > -Verify 10 > > verify depth is 10, must return a certificate > Enter pass phrase for conf/disa.euukmoappd003n.dev.local.server.key: > Using default temp DH parameters > Using default temp ECDH parameters > ACCEPT > > And I can connect with s_client. > > Below is the debug log from starting the SSL server and trying and failing to > view a test page with a certificate issued by a root/CA chain the server has > loaded. When I try to load a test page, it grinds a bit, asks me to insert > my > smart card, grinds a bit, asks for my smart card PIN, grinds a bit more, then > the browser displays an error page that "The page cannot be displayed". This > is with microsoft internet explorer (unfortunately that is the browser the > users have). Sorry I can't post the actual certs here as we have pretty > tight > security rules. Thanks in advance. > > [Fri Dec 07 19:11:40 2007] [info] Loading certificate & private key of > SSL-aware > server > [Fri Dec 07 19:11:40 2007] [debug] ssl_engine_pphrase.c(481): encrypted RSA > private key - pass phrase reused > [Fri Dec 07 19:11:41 2007] [info] Configuring server for SSL protocol > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(405): Creating new SSL > context (protocols: SSLv3, TLSv1) > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(538): Configuring client > authentication > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=ECA/CN=ECA Root CA > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=DD/OU=PKI/CN=DD Root CA 2 > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/ST=Cambs/L=Mole/O=USG/OU=USA OU PKI DD/CN=euukmoappd003n.dev.local > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-12 > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=DD/OU=PKI/CN=DD CLASS 3 Root CA > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=DD/OU=PKI/CN=DD CA-13 > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=US/O=USG/OU=ECA/CN=ECA Root CA > [Fri Dec 07 19:11:41 2007] [debug] ssl_engine_init.c(1113): CA certificate: > /C=
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
Hello Dr. Henson, And thank you again for this advice. --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > I suggest you ignore that script: and use the CA.pl > script and the appropriate > documentation instead. As suggested by you, I used the CA.pl script which works okay. On this issue, I would like to ask some follow-up questions: 1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt /etc/ssl/certs directory respectively? 2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsoleted already, do I have to move newreq.pem to the directory /etc/ssl/certs if in case I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory? 3. I would like to secure my keys and certificate by doing a chmod on the following: # chmod 750 /etc/ssl/private/ # chmod 400 /etc/ssl/certs/ca.crt # chmod 400 /etc/ssl/certs/newreq.pem # chmod 400 /etc/ssl/private/ca.key # chmod 400 /etc/ssl/private/server.key Would this be suffice enough as a security measure to protect the integrity of the certificate itself? 4. And finally, since I am basically new in the field of openssl and have only come across this kind of open source toolkit from school. May I ask some of you the benefits of openssl in general if properly implemented alongside apache intended for a secured web site? All I know is that OpenSSL is a robust, commercial-grade, full-featured Open Source method of implementing the Secure Socket Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as general-purpose cryptography library as what we have been taught from school. Any links, reading materials and the like for newbies would be great. Thank you very much Dr. Henson and special thanks/mention to the kind replies of Mr. Ringaby and Mr. Sylvester. More power to this group! Sincerely, Servie > > Steve. > -- > Dr Stephen N. Henson. Email, S/MIME and PGP keys: > see homepage > OpenSSL project core developer and freelance > consultant. > Funding needed! Details on homepage. > Homepage: http://www.drh-consultancy.demon.co.uk > __ > OpenSSL Project > http://www.openssl.org > User Support Mailing List > openssl-users@openssl.org > Automated List Manager > [EMAIL PROTECTED] > __ Do you Yahoo!? The all-new My Yahoo! - What will yours do? http://my.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
On Tue, Jan 11, 2005, Servie Platon wrote: > Hello Dr. Henson, > > And thank you again for this advice. > > --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > > > I suggest you ignore that script: and use the CA.pl > > script and the appropriate > > documentation instead. > > As suggested by you, I used the CA.pl script which > works okay. On this issue, I would like to ask some > follow-up questions: > > 1. Do I have to move server.key and ca.key to > /etc/ssl/private and ca.crt /etc/ssl/certs directory > respectively? > If you used CA.pl correctly there wont be a 'server.key' file initially. The private key wil be in newreq.pem. You dont' need to move ca.key at all. What you need to do is move newreq.pem to wherever the server private key needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the new certificates) and copy the CA certificate which is in demoCA/cacert.pem. > 2. Since the command sign.sh server.csr does not work > because the sign.sh script is kind of obsoleted > already, do I have to move newreq.pem to the directory > /etc/ssl/certs if in case I issued the command > /etc/ssl/misc/CA.pl -newcert to create a new > certificate? And would it be okay if I remove > server.csr from the /etc/ssl directory? > > 3. I would like to secure my keys and certificate by > doing a chmod on the following: > > # chmod 750 /etc/ssl/private/ > # chmod 400 /etc/ssl/certs/ca.crt > # chmod 400 /etc/ssl/certs/newreq.pem > # chmod 400 /etc/ssl/private/ca.key > # chmod 400 /etc/ssl/private/server.key > > Would this be suffice enough as a security measure to > protect the integrity of the certificate itself? > Yes the 400 permissions is OK, though you only really need it on the private key. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
