RE: SSL Handshake

2004-06-18 Thread Saju Paul
Check 'Network Security with OpenSSL' by John Viega, Matt Messier and Pravir
Chandra

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Madhuri Rambhatla
Sent: Friday, June 18, 2004 10:14 AM
To: [EMAIL PROTECTED]
Subject: SSL Handshake


Hi,

I am trying to establish a successful handshake with an SSL server. I am
using OpenSSL version 0.9.7d, my compiler is MS Visual Studio .NET and the OS
is Windows 2000 Server.
I do not see any methods that let me do it. Can someone please tell me
how to establish a successful SSL handshake?
Thanks.

Madhuri Rambhatla
Lead Systems Programmer
Venue 1 Inc
954 797 9883




__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: SSL handshake problem.

2007-10-09 Thread Frans de Boer
Unless someone recognizes the text, it might be helpful if you tell a
little more about the server and client side.

frans.

On Wed, 2007-10-10 at 00:09 +0200, Alessandro Baggi wrote:
> I'm trying to make a client/server application with an SSL connection but 
> the handshake doesn't work.
> 
> Reading the manual page, I've tried this to make the SSL connection:
> 
> Server layer:
> 
> SSL_CTX *ctx = NULL;   /* per-process context: method, certificate, key, ciphers */
> SSL *new = NULL;       /* per-connection object */
> int clientfd;
> socketdescriptor = socketcreation();
> bind(...);
> listen(...);
> clientfd = accept(...);                /* the accepted connection, not the listening socket */
> ctx = SSL_CTX_new(SSLv3_server_method());
> /* a server also needs SSL_CTX_use_certificate_file() and
>  * SSL_CTX_use_PrivateKey_file() on ctx before SSL_accept() can succeed */
> new = SSL_new(ctx);
> SSL_set_fd(new, clientfd);             /* takes the SSL object, not the SSL_CTX */
> SSL_accept(new);
> 
> Client layer:
> 
> SSL_CTX *ctx = NULL;
> SSL *new = NULL;
> socketdescriptor = socketcreation(...);
> connect(...);
> ctx = SSL_CTX_new(SSLv3_client_method());
> new = SSL_new(ctx);
> SSL_set_fd(new, socketdescriptor);     /* the SSL object, not the SSL_CTX */
> SSL_connect(new);
> 
> When I try to get the SSL connection, the server gives me an error on SSL_accept, 
> which returns -1 with the message "Operation not permitted", and the client gets 
> 0 from SSL_connect with the same message.
> What is the right way to make an SSL connection?
> 
> Thanks in advance.


Re: SSL handshake problem.

2007-10-09 Thread Alex Lam
Hi Alessandro,

You will need to set up a handful of cipher- and certificate-related settings
before the server and client will connect.
I suggest you take a look at apps/s_server.c and apps/s_client.c.

regards,
alex



Re: SSL handshake problem.

2007-10-09 Thread Sukanta Panigrahi

I have a basic question here:
Is it mandatory to have the server configured with ciphers/certificates 
for SSL handshake?


Thanks / Sukant



Re: SSL handshake problem.

2007-10-10 Thread jimmy bahuleyan
Sukanta Panigrahi wrote:
> I have a basic question here:
> Is it mandatory to have the server configured with ciphers/certificates
> for SSL handshake?
> 
> Thanks / Sukant

well, ciphers - yes. If you don't do it, OpenSSL gives you a default
cipher list.

certificates - not all the time. If you're using an ADH cipher,
certificates are not needed, but most of the time you need identity
verification, which means you need to use certs.

-jb
-- 
No snowflake in an avalanche ever feels responsible.


Re: SSL handshake pb

2007-11-20 Thread Marek Marcola
Hello,
> I am trying to connect a client to an SSL server in SSL 3.0 mode.
> I cannot get the SSL connection to work.
> When I look at the IP streams, I can see the Client Hello message and the
> handshake phase during which I see the certificate sent by the server to the
> client (during this phase, I can see that the message content type is 22, which
> is normal).
> 
> After that, I can see the change cipher message sent by the server (whose
> content type is 20, 14 in hexadecimal; see the stream below).
> extract:
> 0000 14030100 01011603 01004058 b733e063 |..........@X.3.c|
> 0010 af7fad75 c0880025 684d3a3a 2caeb950 |...u...%hM::,..P|
> 0020 b093b5c6 1b571fa3 a683be1b 2992e60c |.....W......)...|
> 0030 869cb580 38fbb8c2 e21006de f78f6bf9 |....8.........k.|
> 0040 9cab96d8 b5a9d57f 6d4412            |........mD.     |
> 
> But then the client, instead of sending me an application message (content
> type 23, 17 in hexadecimal), sends me a message whose content type is 21
> (15 in hex); see the corresponding IP stream below.
> 0000 15030100 18e35af3 0b16fb3f 1855e19c |......Z....?.U..|
> 0010 e2fae11f 40418fa5 f7d422e8 58       |....@A....".X   |
> 
> Can anyone tell me what this message means? (I have not seen it in my SSL
> documents.)
This is an alert message. It informs the server of some error or warning,
sent from the client to the server. After the ChangeCipherSpec exchange, alert
messages are encrypted (as in your example), so based on this dump it is
hard to say why the client sends this alert. When an alert message is
unencrypted it has a length of 7 bytes (5 header, 2 alert data).

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



Re: SSL handshake pb

2007-11-21 Thread jfhuynh
Marek Marcola <[EMAIL PROTECTED]> wrote:

Thank you very much for the response ..



Re: SSL handshake failed

2005-04-18 Thread Asif Iqbal
On Sun, Apr 17, 2005 at 10:53:50PM, Asif Iqbal wrote:
> Hi All
> 
> I installed Apache/1.3.33 (Unix) mod_perl/1.29 mod_ssl/2.8.22
> OpenSSL/0.9.7d on Solaris

Upgrade OpenSSL to latest to fix the problem. Thanks

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
"..there are two kinds of people: those who work and those who take the 
credit...try
 to be in the first group;...less competition there."  - Indira Gandhi


Re: SSL handshake error

1999-09-23 Thread Bodo Moeller

On Thu, Sep 23, 1999 at 03:17:32PM +0200, Goetz Babin-Ebell wrote:

> In OpenSSL 0.9.3a I get the following handshake error:
> (WindowsNT)
> 
> 
> SSL_connct: 11 to Host before/connect initialization
> SSL_connct: 11 to Host SSLv3 write client hello A
> SSL_read  : 11 to Host SSL3 alert fatal:handshake failure
> 
> 165:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:.\ssl\s3_pkt.c:767:SSL alert number 40
> 
> (at least Netscape fails, too)
> 
> Does anybody know what fails ?

Both server and client are OpenSSL 0.9.3a?  It's hard to tell what is
going wrong if you don't provide the *server*-side error message ...
anyway, I've recently fixed various bugs in the client hello
processing, so you should try again with a server that uses the
current (0.9.5-dev) OpenSSL snapshot; this might help, and at least
chances are that the server will generate more useful error messages
than with versions up to 0.9.4.



RE: ssl handshake state

2001-07-13 Thread Zhong Chen

Can anybody explain these SSL3_MT_* states to me?
Thanks.

-Zhong

-Original Message-
From: Zhong Chen 
Sent: Wednesday, July 11, 2001 11:13 AM
To: [EMAIL PROTECTED]
Subject: ssl handshake state


In the SSL state machine, there are additional states with the prefix "_MT_".
Is this for multi-threading? In which case will the state machine go to
these states? Is there an API to control it?
Thanks.

Zhong

#define SSL3_MT_HELLO_REQUEST          0
#define SSL3_MT_CLIENT_HELLO           1
#define SSL3_MT_SERVER_HELLO           2
#define SSL3_MT_CERTIFICATE           11
#define SSL3_MT_SERVER_KEY_EXCHANGE   12
#define SSL3_MT_CERTIFICATE_REQUEST   13
#define SSL3_MT_SERVER_DONE           14
#define SSL3_MT_CERTIFICATE_VERIFY    15
#define SSL3_MT_CLIENT_KEY_EXCHANGE   16
#define SSL3_MT_FINISHED              20
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
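
Added example, not code from any post on this page: a small Python decoder for the record structure Marek Marcola describes in the "SSL handshake pb" thread above, and for the SSL3_MT_* numbers Zhong Chen asks about. MT stands for message type: those macros are the one-byte type that starts every handshake message carried inside a content-type-22 record, not additional states of the state machine. The input is the two hex dumps from the "SSL handshake pb" post, re-typed as bytes (the "0100" groups the archive dropped are restored), plus two constructed plaintext records for comparison: a fatal handshake_failure alert, which is the "SSL alert number 40" that the OpenSSL error strings elsewhere on this page report, and a ServerHelloDone. The alert description table is a subset of the standard values.

```python
"""Decode TLS/SSLv3 record headers, plaintext alerts and handshake message headers."""
import struct

# Record-layer content types (same values in SSL 3.0 and TLS)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
# Handshake message types; the numbers are the SSL3_MT_* macros from ssl3.h
HANDSHAKE_TYPES = {0: "HelloRequest", 1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                   15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions; 40 is the "SSL alert number 40" OpenSSL prints for handshake_failure
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version"}


def parse_records(data):
    """Split a byte stream into records; each is a dict with type, version, length, body."""
    records, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append({"type": ctype, "type_name": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
                        "version": (major, minor), "length": length, "body": body})
        off += 5 + length
    return records


def decode_alert(body):
    """A plaintext alert is exactly 2 bytes (level, description); anything else is encrypted."""
    if len(body) != 2:
        return None
    level, desc = body[0], body[1]
    return {"level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc), "number": desc}


def decode_handshake(body):
    """Return [(type_name, length), ...] if the body parses as plaintext handshake
    messages (1-byte type + 3-byte length each, filling the record exactly), else None."""
    msgs, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            return None
        mtype = body[off]
        mlen = int.from_bytes(body[off + 1:off + 4], "big")
        if off + 4 + mlen > len(body):
            return None                      # declared length does not fit: encrypted or garbage
        msgs.append((HANDSHAKE_TYPES.get(mtype, "unknown(%d)" % mtype), mlen))
        off += 4 + mlen
    return msgs or None


def summarize(data):
    """One line per record, the way you would read a packet capture."""
    lines = []
    for r in parse_records(data):
        head = "%s v%d.%d len=%d" % (r["type_name"], r["version"][0], r["version"][1], r["length"])
        if r["type"] == 21:
            a = decode_alert(r["body"])
            lines.append(head + (": %s %s (%d)" % (a["level"], a["description"], a["number"])
                                 if a else ": encrypted alert, cannot tell why"))
        elif r["type"] == 22:
            h = decode_handshake(r["body"])
            lines.append(head + (": " + ", ".join("%s(%d)" % m for m in h)
                                 if h else ": encrypted handshake data"))
        else:
            lines.append(head)
    return lines


# Re-typed from the hex dumps in the "SSL handshake pb" post (version 3.1 is TLS 1.0 framing)
SERVER_TO_CLIENT = bytes.fromhex(
    "14030100 01011603 01004058 b733e063 af7fad75 c0880025 684d3a3a 2caeb950"
    "b093b5c6 1b571fa3 a683be1b 2992e60c 869cb580 38fbb8c2 e21006de f78f6bf9"
    "9cab96d8 b5a9d57f 6d4412")
CLIENT_TO_SERVER = bytes.fromhex("15030100 18e35af3 0b16fb3f 1855e19c e2fae11f 40418fa5 f7d422e8 58")
# Constructed plaintext records: a fatal handshake_failure alert (number 40) and ServerHelloDone
PLAINTEXT_ALERT = bytes.fromhex("1503010002 0228")
SERVER_HELLO_DONE = bytes.fromhex("1603010004 0e000000")

if __name__ == "__main__":
    for name, stream in [("server->client", SERVER_TO_CLIENT), ("client->server", CLIENT_TO_SERVER),
                         ("plaintext alert", PLAINTEXT_ALERT), ("plaintext handshake", SERVER_HELLO_DONE)]:
        print(name)
        for line in summarize(stream):
            print("  " + line)
```

The decoder treats an Alert body as plaintext only when it is exactly 2 bytes, and a Handshake body as plaintext only when its 4-byte message headers account for the whole record. The 24-byte alert and the 64-byte Finished from the post therefore come out as encrypted, which is exactly why the dump alone cannot say what went wrong; the server's own OpenSSL error string, or a capture taken with the session keys, is needed for that.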



RE: SSL Handshake Failure !

2001-10-04 Thread Steve Quirk

I don't have the specific code, but it's not that much.  I take it that
you're issuing your own certs with the acceptable client ip in the
"subjectAltName" - you might want to allow a range.

I have similar code but not for this purpose, so let's see if I can put
them together. My code looks at the subject name, so I might be wrong in
looking for the alt name in the subject, but it's a start.


#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>

SSL *ssl;                        /* client SSL struct, assume this exists */

int fd, i, match = 0;
struct sockaddr_in client_addr;  /* sockaddr_in, so sin_addr exists (IPv4 only) */
socklen_t l;
X509 *cert;
GENERAL_NAMES *names;            /* decoded subjectAltName: STACK_OF(GENERAL_NAME) */

/* get the ip of client */
fd = SSL_get_fd(ssl);
l = sizeof(client_addr);
if (getpeername(fd, (struct sockaddr *)&client_addr, &l) != 0)
    /* handle the error */;

/* the IP is in the subjectAltName extension, not an attribute of the subject
 * name, so decode the extension and walk it looking for an iPAddress entry */
cert = SSL_get_peer_certificate(ssl);   /* NULL if the client sent no certificate */
names = cert ? X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL) : NULL;
for (i = 0; names != NULL && i < sk_GENERAL_NAME_num(names); i++) {
    GENERAL_NAME *gn = sk_GENERAL_NAME_value(names, i);
    /* iPAddress holds the raw 4 (IPv4) or 16 (IPv6) address bytes, not text */
    if (gn->type == GEN_IPADD
        && gn->d.iPAddress->length == sizeof(client_addr.sin_addr)
        && memcmp(gn->d.iPAddress->data, &client_addr.sin_addr,
                  sizeof(client_addr.sin_addr)) == 0) {
        match = 1;
        break;
    }
}

if (!match)
    /* mismatch! */;

GENERAL_NAMES_free(names);
X509_free(cert);  /* reduce reference count */

Steve

On Thu, 4 Oct 2001, Andy Schneider wrote:

> Does anyone have any canned code I could steal that does IP address
> validation. I.e. grabs the IP address from the alt subject name and
> compares it against the IP of the incoming socket?
>
> Andy S.
>
> > -Original Message-
> > From: Costas Magos [mailto:[EMAIL PROTECTED]]
> > Sent: 04 October 2001 15:40
> > To: [EMAIL PROTECTED]
> > Subject: SSL Handshake Failure !
> > Importance: High
> >
> >
> > Dear all,
> >
> > Sorry for posting the following again, but I am in a bit of a hurry.
> >
> > I'm running an Apache server (1.3.19) with openssl 0.9.6b on
> > Solaris 2.6 /
> > SPARCclassic platform. Apache serves a site that accesses a database
> > through various cgi-scripts or through a java applet for more
> > specialized
> > actions. The database is managed just fine with the
> > cgi-scripts, but when I
> > try to load the java applet to do some advanced
> > configuration, the browser
> > hangs at some point (while loading some classes) and the
> > server produces
> > the following error logs:
> >
> > [info] [client xxx.xxx.xxx.xxx] SSL accept timeout timed out
> > [error] SSL_accept failed
> >
> > and then
> >
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
> > [debug] apache_ssl.c(1123): Generating 512 bit key
> > [debug] apache_ssl.c(287): SSL_accept returned 0
> > [debug] apache_ssl.c(291): error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake
> >
> > What is going on?  Could someone please help me? Any help
> > would be much
> > appreciated.
> >
> > Respectfully,
> >
> > ~~
> > Costas Magos
> > Ariadne-t Network Operation Center,
> > NCSR "Demokritos"
> > ~~
> > email: [EMAIL PROTECTED]
> > tel.: +30 1 6544279,
> > +30 1 6503125
> > fax:  +30 1 6532910
> >



Re: SSL Handshake Failure !

2001-10-04 Thread Dr S N Henson

Andy Schneider wrote:
> 
> Does anyone have any canned code I could steal that does IP address
> validation. I.e. grabs the IP address from the alt subject name and
> compares it against the IP of the incoming socket?
> 

No I don't. But in outline you need to extract and decode the subject
alt name extension (see doc/openssl.txt) this will give you a
STACK_OF(GENERAL_NAME). Then search for the ip address type and, if
found, extract and compare.

There's a function that extracts email addresses from the subject name
and subject alt name extensions (it's used by the x509 utility) which
should be easy enough to adapt.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: SSL Handshake failure (openssl-0.9.1c)

1999-03-24 Thread Bodo Moeller

Leonid Elbert <[EMAIL PROTECTED]>:

> The following errors I got during a try to connect to a https site.

>> SSLeay>s_client -host www.srd.com -port 443
[...]
>> 4102:error:140790E3:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:224:

It works with
 s_client -host www.srd.com -port 443 -cipher RC4-MD5 -ssl2
(but not with -ssl3 or -tls1), so the server software is probably
quite old and possibly buggy.

>> Also -- this site uses 128-bit encryption. Does the openSSL handle it?

In the above command line, RC4-MD5 indicates a 128-bit symmetric
cipher (the weak ones have "EXP-" in their OpenSSL name).



Re: ssl handshake failure: s23_l.c:188

2009-06-24 Thread Victor Duchovni
On Wed, Jun 24, 2009 at 08:48:28PM -0400, Robert Jacobson wrote:

>
> I'm having a problem with Firefox connecting to a web site at work.  I 
> found that openssl also has problems with it.  I can connect with other 
> browsers like IE, Chrome, and Safari.
>
> There is a Firefox bug report, but no one is working on it.  See:
> https://bugzilla.mozilla.org/show_bug.cgi?id=448303
>
>
> Here is the openssl s_client output:
>
> # openssl s_client -connect cds.gsfc.nasa.gov:443
> CONNECTED(0003)
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space 
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space 
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Maryland/L=Greenbelt/O=National Aeronautics and Space 
> Administration/OU=CDS / Code 444/CN=*.gsfc.nasa.gov
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 5008:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
> failure:s23_lib.c:188:

The server is misconfigured: it advertises support for ciphers that
it fails to properly implement. If you exclude the 256-bit AES
ciphers:

openssl s_client -connect cds.gsfc.nasa.gov:443 \
-cipher 'DEFAULT:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA'

the connection works. My guess is that the server is a SunOS (5.10?)
system with Sun's libcrypto containing AES 128 and no AES256, and you
have configured a non-default server cipherlist.

If Sun upgrades to a more recent OpenSSL version, the partly implemented
AES suite will work even with a non-default cipherlist.

-- 
Viktor.
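
Added example, not code from any post on this page: the handshake setup that Alex Lam and jimmy bahuleyan describe in the "SSL handshake problem" thread, done through Python's ssl module, which is a binding over the same OpenSSL SSL_CTX and SSL objects (load_cert_chain() is SSL_CTX_use_certificate_file() plus SSL_CTX_use_PrivateKey_file(), set_ciphers() is SSL_CTX_set_cipher_list()), so the steps answer the opening "how do I establish a handshake" question as well. Both sides talk through MemoryBIOs inside one process, so nothing touches the network. It assumes the openssl command-line tool is on PATH to mint a throwaway self-signed certificate (an assumption, as are the file names and the hostname "localhost"). Three scenarios: a server with a certificate and key loaded (the handshake succeeds, and the context already carries a default cipher list without any set_ciphers() call), a server with nothing loaded into its context (the situation in Alessandro Baggi's post; the handshake fails), and Victor Duchovni's cipher-string exclusion from the "s23_l.c:188" thread above, pinned to TLS 1.2 because set_ciphers() does not govern TLS 1.3 suites; the "!AES256" alias is appended so the exclusion also removes the AES-256 GCM suites a modern OpenSSL would otherwise pick.

```python
"""Client/server TLS handshake in memory, driven through Python's ssl module.

ssl.SSLContext wraps an OpenSSL SSL_CTX and ssl.SSLObject wraps an SSL, so this is
the SSL_CTX_new / SSL_new / SSL_connect / SSL_accept sequence with the certificate,
key and cipher list that a working server needs. Assumes the openssl CLI is on PATH."""
import os
import ssl
import subprocess
import tempfile


def make_self_signed(tmpdir):
    """Mint a throwaway RSA key and self-signed cert for "localhost" (assumed names)."""
    key = os.path.join(tmpdir, "key.pem")
    crt = os.path.join(tmpdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def _step(side, out_bio, peer_in):
    """Drive one side (SSL_connect/SSL_accept) and hand what it wrote to the peer."""
    try:
        side.do_handshake()
        done = True
    except ssl.SSLWantReadError:       # needs more bytes from the peer first
        done = False
    produced = out_bio.read()
    if produced:
        peer_in.write(produced)
    return done


def handshake(server_ctx, client_ctx):
    """Run a full handshake between two contexts without sockets; return a result dict."""
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    client_done = server_done = False
    try:
        for _ in range(10):                # a handshake needs only a few round trips
            if not client_done:
                client_done = _step(client, c_out, s_in)
            if not server_done:
                server_done = _step(server, s_out, c_in)
            if client_done and server_done:
                return {"ok": True, "version": client.version(),
                        "cipher": client.cipher()[0]}
    except ssl.SSLError as err:            # whichever side failed tore the handshake down
        return {"ok": False, "error": err.reason or str(err)}
    return {"ok": False, "error": "handshake did not complete"}


def demo():
    """Three setups: certificate loaded, no certificate at all, cipher-string exclusion."""
    with tempfile.TemporaryDirectory() as tmp:
        crt, key = make_self_signed(tmp)
        results = {}

        # 1. What the replies ask for: certificate + key on the server, trust anchor on the client.
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(crt, key)
        client = ssl.create_default_context(cafile=crt)   # verifies cert chain and hostname
        results["with_cert"] = handshake(server, client)
        # No set_ciphers() call was made, yet the context already carries a cipher list.
        results["default_cipher_count"] = len(server.get_ciphers())

        # 2. The situation in the original post: an SSL_CTX with nothing loaded into it.
        bare = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        results["without_cert"] = handshake(bare, client)

        # 3. Exclude suites from the client's offer, as `openssl s_client -cipher` does.
        #    Pinned to TLS 1.2: set_ciphers() has no effect on TLS 1.3 suites.
        server12 = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server12.load_cert_chain(crt, key)
        server12.maximum_version = ssl.TLSVersion.TLSv1_2
        client12 = ssl.create_default_context(cafile=crt)
        client12.set_ciphers(
            "DEFAULT:!DHE-RSA-AES256-SHA:!DHE-DSS-AES256-SHA:!AES256-SHA:!AES256")
        results["no_aes256"] = handshake(server12, client12)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Each _step() call forwards whatever one side wrote into the other side's input BIO; that byte pumping is what SSL_set_fd() hides when a real socket is attached, and it is also where the encrypted alert from the "SSL handshake pb" thread would travel in the failing scenario.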


Re: SSL handshake failed - 14090086 and 14095412

2007-02-28 Thread Julius Davies

If you wouldn't mind moving over to the "not-yet-commons-ssl" mailing list
(SSL and Java), I might be able to help you over there:

http://lists.juliusdavies.ca/listinfo.cgi/not-yet-commons-ssl-juliusdavies.ca/

To me it looks like you are missing a client certificate.

Try using "java -jar not-yet-commons-ssl-0.3.7.jar" to further
troubleshoot this.  You can download it here:

http://juliusdavies.ca/commons-ssl/download.html

Explanation here:

"Ping Utility"
http://juliusdavies.ca/commons-ssl/utilities.html




--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/