subject:"Re\: SSL Communication using BIO"

Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu

I am using SSL_is_init_finished this API function to check if init is
finished.
But its not even reaching that code.
The very first call i made to SS_Connect, and after that i read data from
w_BIO and then sending that on TCP, and on getting that data, server gives
this error.
and for debugging purposes i am using *openssl s_server *with -msg enabled
so that i can see whats going on, I am not using my server for this, and i
think that one supports sslv3.
this is the error i get

180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:.\ssl\s23_srvr.c:584: shutting down SSL

// Harshvir


On Wed, May 25, 2011 at 12:08 PM, Gayathri Sundar wrote:

> Okay, u r writing the client, so you need to do connect, now ssl_connect is
> going to do the complete SSL handshake, which involves multiple read and
> writes, now since you are using memory bios, ssl connect is going to read
> from the r_membio and write into the w_membio. The data has to go out the
> tcp fd you have created and connected with the server. So its ur duty to
> take data out the w_membio and do a tcp_send(). That is what I meant by
> saying "write". Application data transfer may be initiated by your server
> once the ssl connect is thro. There are apis which tell if ssl connect is
> completed and ssl connect itself will return ssl_success, until then u will
> be getting the want_read and want_write error codes, so your state machine
> would be in the "connect pending" state until ssl connect returns success.
> Please understand that SSL_Connect itself will be called multiple times in
> the asyn architecture.
>
> BTW if the protocol nego has failed, perhaps you need to see what the
> server supports, maybe it understands only tls and not sslv3 etc.
>
> thanks
> --Gayathri
>
>  On Wed, May 25, 2011 at 10:12 AM, Harshvir Sidhu wrote:
>
>> Thanks Gayatri.
>> This is what i am doing, but i dont have any buffer to send initially, my
>> data transfer start from server side.
>> What i was doing is, calling SSL_connect after initialization and then in
>> the socket read and write code, i was doing encrypt and decrypt accordingly,
>> but the very first moment i send data to s_server, it gives error, "unknown
>> protocol"
>> Thanks.
>>
>> // Harshvir
>>   On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar 
>> wrote:
>>
>>> So finally u have agreed to my initial suggestion of state machines :)
>>>
>>> The basic steps in terms of am algorithm are as follows
>>>
>>> A. Create the ssl ctx and ssl. Obj
>>> B. Create a pair of memory bios and attach them to the ssl obj, one is
>>> for read and the other is for write.
>>> C. Create the tcp fds and complete the tcp handshake
>>> D.  Once tcp connect is done, u have an fd on which u receive and send
>>> data
>>> E. Initialize ur state machine for ssl connect pending
>>> F.  Take the buffer to be sent, copy it to the memory write bio,
>>> encrypt it using ssl connect, then do a tcp send
>>> G. While still connect pending, do tcp read, copy to read bio, call
>>> ssl connect to decrypt.
>>>
>>> Thanks
>>> --Gayathri
>>>
>>> On Wednesday, May 25, 2011, Harshvir Sidhu  wrote:
>>> > Hi,
>>> >I am trying to implement State Machine based on the demo
>>> application, that is a server code.
>>> >Like i am writting the client side.
>>> >So when i try to do handshake, by calling SSL_connect, which i have
>>> used memory bios, after that i check for data available, and then i read
>>> data and send to server, on server side i am getting error.
>>> >
>>> > 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>>> protocol:.\ssl\s23_srvr.c:584: shutting down SSL
>>> >
>>> >My question is which is a good place to do handshake in case we use
>>> state machine, i am doing just after initializing ctx and ssl, and then i
>>> send data 1 time and in performing rest of operations in my receive
>>> callback, but s_server give me error on first packet only.
>>> >
>>> >
>>> > Thanks.
>>> >
>>> > // Harshvir
>>> >
>>> > 2011/5/25 Michael Ströder 
>>> >
>>> > Eric S. Eberhard wrote:
>>> > or ... keep it simple and at least consider using stunnel.
>>> >
>>> > I use stunnel myself in some situations. It's a great tool.
>>> >
>>> > But bear in mind that the application then has no access to
>>> authentication information of the SSL layer.
>>> >
>>> > Ciao, Michael.
>>> >
>>> >
>>> >
>>> > __
>>> > OpenSSL Project http://www.openssl.org
>>>  
>>>  > User Support Mailing List
>>> openssl-users@openssl.org
>>> > Automated List Manager   majord...@openssl.org
>>> >
>>> >
>>> __
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing Listopenssl-users@openssl.org
>>> Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar

Okay, u r writing the client, so you need to do connect, now ssl_connect is
going to do the complete SSL handshake, which involves multiple read and
writes, now since you are using memory bios, ssl connect is going to read
from the r_membio and write into the w_membio. The data has to go out the
tcp fd you have created and connected with the server. So its ur duty to
take data out the w_membio and do a tcp_send(). That is what I meant by
saying "write". Application data transfer may be initiated by your server
once the ssl connect is thro. There are apis which tell if ssl connect is
completed and ssl connect itself will return ssl_success, until then u will
be getting the want_read and want_write error codes, so your state machine
would be in the "connect pending" state until ssl connect returns success.
Please understand that SSL_Connect itself will be called multiple times in
the asyn architecture.

BTW if the protocol nego has failed, perhaps you need to see what the server
supports, maybe it understands only tls and not sslv3 etc.

thanks
--Gayathri

On Wed, May 25, 2011 at 10:12 AM, Harshvir Sidhu  wrote:

> Thanks Gayatri.
> This is what i am doing, but i dont have any buffer to send initially, my
> data transfer start from server side.
> What i was doing is, calling SSL_connect after initialization and then in
> the socket read and write code, i was doing encrypt and decrypt accordingly,
> but the very first moment i send data to s_server, it gives error, "unknown
> protocol"
>  Thanks.
>
> // Harshvir
> On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar wrote:
>
>> So finally u have agreed to my initial suggestion of state machines :)
>>
>> The basic steps in terms of am algorithm are as follows
>>
>> A. Create the ssl ctx and ssl. Obj
>> B. Create a pair of memory bios and attach them to the ssl obj, one is
>> for read and the other is for write.
>> C. Create the tcp fds and complete the tcp handshake
>> D.  Once tcp connect is done, u have an fd on which u receive and send
>> data
>> E. Initialize ur state machine for ssl connect pending
>> F.  Take the buffer to be sent, copy it to the memory write bio,
>> encrypt it using ssl connect, then do a tcp send
>> G. While still connect pending, do tcp read, copy to read bio, call
>> ssl connect to decrypt.
>>
>> Thanks
>> --Gayathri
>>
>> On Wednesday, May 25, 2011, Harshvir Sidhu  wrote:
>> > Hi,
>> >I am trying to implement State Machine based on the demo application,
>> that is a server code.
>> >Like i am writting the client side.
>> >So when i try to do handshake, by calling SSL_connect, which i have
>> used memory bios, after that i check for data available, and then i read
>> data and send to server, on server side i am getting error.
>> >
>> > 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol:.\ssl\s23_srvr.c:584: shutting down SSL
>> >
>> >My question is which is a good place to do handshake in case we use
>> state machine, i am doing just after initializing ctx and ssl, and then i
>> send data 1 time and in performing rest of operations in my receive
>> callback, but s_server give me error on first packet only.
>> >
>> >
>> > Thanks.
>> >
>> > // Harshvir
>> >
>> > 2011/5/25 Michael Ströder 
>> >
>> > Eric S. Eberhard wrote:
>> > or ... keep it simple and at least consider using stunnel.
>> >
>> > I use stunnel myself in some situations. It's a great tool.
>> >
>> > But bear in mind that the application then has no access to
>> authentication information of the SSL layer.
>> >
>> > Ciao, Michael.
>> >
>> >
>> >
>> > __
>> > OpenSSL Project http://www.openssl.org
>>  
>>  > User Support Mailing Listopenssl-users@openssl.org
>> > Automated List Manager   majord...@openssl.org
>> >
>> >
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing Listopenssl-users@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>

Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu

Just to clarify my last message, I am using state machine, i called
SSL_connect after creating ctx and ssl objs, 2 mem bios and set them to ssl,
and then read data from bio, and sent that to server and that gave me error.

On Wed, May 25, 2011 at 10:12 AM, Harshvir Sidhu  wrote:

> Thanks Gayatri.
> This is what i am doing, but i dont have any buffer to send initially, my
> data transfer start from server side.
> What i was doing is, calling SSL_connect after initialization and then in
> the socket read and write code, i was doing encrypt and decrypt accordingly,
> but the very first moment i send data to s_server, it gives error, "unknown
> protocol"
> Thanks.
>
> // Harshvir
>   On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar wrote:
>
>> So finally u have agreed to my initial suggestion of state machines :)
>>
>> The basic steps in terms of am algorithm are as follows
>>
>> A. Create the ssl ctx and ssl. Obj
>> B. Create a pair of memory bios and attach them to the ssl obj, one is
>> for read and the other is for write.
>> C. Create the tcp fds and complete the tcp handshake
>> D.  Once tcp connect is done, u have an fd on which u receive and send
>> data
>> E. Initialize ur state machine for ssl connect pending
>> F.  Take the buffer to be sent, copy it to the memory write bio,
>> encrypt it using ssl connect, then do a tcp send
>> G. While still connect pending, do tcp read, copy to read bio, call
>> ssl connect to decrypt.
>>
>> Thanks
>> --Gayathri
>>
>> On Wednesday, May 25, 2011, Harshvir Sidhu  wrote:
>> > Hi,
>> >I am trying to implement State Machine based on the demo application,
>> that is a server code.
>> >Like i am writting the client side.
>> >So when i try to do handshake, by calling SSL_connect, which i have
>> used memory bios, after that i check for data available, and then i read
>> data and send to server, on server side i am getting error.
>> >
>> > 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol:.\ssl\s23_srvr.c:584: shutting down SSL
>> >
>> >My question is which is a good place to do handshake in case we use
>> state machine, i am doing just after initializing ctx and ssl, and then i
>> send data 1 time and in performing rest of operations in my receive
>> callback, but s_server give me error on first packet only.
>> >
>> >
>> > Thanks.
>> >
>> > // Harshvir
>> >
>> > 2011/5/25 Michael Ströder 
>> >
>> > Eric S. Eberhard wrote:
>> > or ... keep it simple and at least consider using stunnel.
>> >
>> > I use stunnel myself in some situations. It's a great tool.
>> >
>> > But bear in mind that the application then has no access to
>> authentication information of the SSL layer.
>> >
>> > Ciao, Michael.
>> >
>> >
>> >
>> > __
>> > OpenSSL Project http://www.openssl.org
>>  
>>  > User Support Mailing Listopenssl-users@openssl.org
>> > Automated List Manager   majord...@openssl.org
>> >
>> >
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing Listopenssl-users@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>

Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu

Thanks Gayatri.
This is what i am doing, but i dont have any buffer to send initially, my
data transfer start from server side.
What i was doing is, calling SSL_connect after initialization and then in
the socket read and write code, i was doing encrypt and decrypt accordingly,
but the very first moment i send data to s_server, it gives error, "unknown
protocol"
Thanks.

// Harshvir
On Wed, May 25, 2011 at 10:02 AM, Gayathri Sundar wrote:

> So finally u have agreed to my initial suggestion of state machines :)
>
> The basic steps in terms of am algorithm are as follows
>
> A. Create the ssl ctx and ssl. Obj
> B. Create a pair of memory bios and attach them to the ssl obj, one is
> for read and the other is for write.
> C. Create the tcp fds and complete the tcp handshake
> D.  Once tcp connect is done, u have an fd on which u receive and send data
> E. Initialize ur state machine for ssl connect pending
> F.  Take the buffer to be sent, copy it to the memory write bio,
> encrypt it using ssl connect, then do a tcp send
> G. While still connect pending, do tcp read, copy to read bio, call
> ssl connect to decrypt.
>
> Thanks
> --Gayathri
>
> On Wednesday, May 25, 2011, Harshvir Sidhu  wrote:
> > Hi,
> >I am trying to implement State Machine based on the demo application,
> that is a server code.
> >Like i am writting the client side.
> >So when i try to do handshake, by calling SSL_connect, which i have
> used memory bios, after that i check for data available, and then i read
> data and send to server, on server side i am getting error.
> >
> > 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol:.\ssl\s23_srvr.c:584: shutting down SSL
> >
> >My question is which is a good place to do handshake in case we use
> state machine, i am doing just after initializing ctx and ssl, and then i
> send data 1 time and in performing rest of operations in my receive
> callback, but s_server give me error on first packet only.
> >
> >
> > Thanks.
> >
> > // Harshvir
> >
> > 2011/5/25 Michael Ströder 
> >
> > Eric S. Eberhard wrote:
> > or ... keep it simple and at least consider using stunnel.
> >
> > I use stunnel myself in some situations. It's a great tool.
> >
> > But bear in mind that the application then has no access to
> authentication information of the SSL layer.
> >
> > Ciao, Michael.
> >
> >
> >
> > __
> > OpenSSL Project http://www.openssl.org <
> http://www.openssl.org/>
>  > User Support Mailing Listopenssl-users@openssl.org
> > Automated List Manager   majord...@openssl.org
> >
> >
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar

So finally u have agreed to my initial suggestion of state machines :)

The basic steps in terms of am algorithm are as follows

A. Create the ssl ctx and ssl. Obj
B. Create a pair of memory bios and attach them to the ssl obj, one is
for read and the other is for write.
C. Create the tcp fds and complete the tcp handshake
D.  Once tcp connect is done, u have an fd on which u receive and send data
E. Initialize ur state machine for ssl connect pending
F.  Take the buffer to be sent, copy it to the memory write bio,
encrypt it using ssl connect, then do a tcp send
G. While still connect pending, do tcp read, copy to read bio, call
ssl connect to decrypt.

Thanks
--Gayathri

On Wednesday, May 25, 2011, Harshvir Sidhu  wrote:
> Hi,
>    I am trying to implement State Machine based on the demo application, that 
> is a server code.
>    Like i am writting the client side.
>    So when i try to do handshake, by calling SSL_connect, which i have used 
> memory bios, after that i check for data available, and then i read data and 
> send to server, on server side i am getting error.
>
> 180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown 
> protocol:.\ssl\s23_srvr.c:584: shutting down SSL
>
>    My question is which is a good place to do handshake in case we use state 
> machine, i am doing just after initializing ctx and ssl, and then i send data 
> 1 time and in performing rest of operations in my receive callback, but 
> s_server give me error on first packet only.
>
>
> Thanks.
>
> // Harshvir
>
> 2011/5/25 Michael Ströder 
>
> Eric S. Eberhard wrote:
> or ... keep it simple and at least consider using stunnel.
>
> I use stunnel myself in some situations. It's a great tool.
>
> But bear in mind that the application then has no access to authentication 
> information of the SSL layer.
>
> Ciao, Michael.
>
>
>
> __
> OpenSSL Project                                 
> http://www.openssl.org 
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu

Hi,
   I am trying to implement State Machine based on the demo application,
that is a server code.
   Like i am writting the client side.
   So when i try to do handshake, by calling SSL_connect, which i have used
memory bios, after that i check for data available, and then i read data and
send to server, on server side i am getting error.

180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:.\ssl\s23_srvr.c:584: shutting down SSL
   My question is which is a good place to do handshake in case we use state
machine, i am doing just after initializing ctx and ssl, and then i send
data 1 time and in performing rest of operations in my receive callback, but
s_server give me error on first packet only.

Thanks.

// Harshvir

2011/5/25 Michael Ströder 

> Eric S. Eberhard wrote:
>
>> or ... keep it simple and at least consider using stunnel.
>>
>
> I use stunnel myself in some situations. It's a great tool.
>
> But bear in mind that the application then has no access to authentication
> information of the SSL layer.
>
> Ciao, Michael.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: SSL Communication using BIO

2011-05-25 Thread Michael Ströder


Eric S. Eberhard wrote:

or ... keep it simple and at least consider using stunnel.


I use stunnel myself in some situations. It's a great tool.

But bear in mind that the application then has no access to authentication 
information of the SSL layer.


Ciao, Michael.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread David Schwartz


On 5/23/2011 1:59 AM, Harshvir Sidhu wrote:

David,
So are you suggesting that i change the approach in my Code.


Hard for me to give you a useful answer without seeing your code. If 
your code tries to treat OpenSSL as a filter, expecting input and output 
to correlate, then yes. If your code handled OpenSSL as a black box with 
four separate I/O paths (encrypted data in, encryped data out, plaintext 
in, plaintext out) without assuming any relationship between them, then 
it's fine.


> My

application is for Windows and in Managed C++. In that i am using
Callback function for receive, when the callback function is called, and
when i call SSL_read in that, it hangs at recv call in the OpenSSL code,
my assumption is that data was already read from socket, when callback
was called. Another thing i would like to mention is I am using Sockets
Managed Class, not the native sockets.


When your callback function is called, that means encrypted data is 
available on the socket. The SSL_Read function is for reading 
unencrypted data from the SSL engine. It is only appropriate to call 
SSL_Read in response to a data available callback on the socket in one 
case -- if your last SSL operation was an SSL_Read and it returned a 
WANT_READ indication. In any other case, this is broken behavior 
reflecting erroneously trying to "look through" the SSL engine.


Your code must treat the SSL engine as a black box. Yes, we happen to 
know that *IN* *GENERAL* we're reading encrypted data from the socket, 
decrypting it, and then passing the plaintext to the application, your 
code should treat this as an OpenSSL internal detail and should not 
pretend it knows that this will happen.


DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread Eric S. Eberhard

or ... keep it simple and at least consider using stunnel.  I have a 
LOT of applications using openssl, 3/4 I just use stunnel and forget 
about it.  For a few when I need to do crazy things, I code and link 
in to my application.  But you can save a lot of trouble with 
stunnel, at least as a first step (proof of concept).  BTW, I also 
use the Windows version which you can download with an installer and 
it works great as well. E



At 04:12 PM 5/23/2011, Gayathri Sundar wrote:
actually I would seriously recommend you read the OpenSSL book 
written by Eric Rescorla, it discusses all the use cases of openssl, 
BIO, async/sync usages..so that you get an idea of how OpenSSL itself works.


On Mon, May 23, 2011 at 6:02 PM, Neo Liu 
<diablo...@gmail.com> wrote:

I think you can read this article and it will be help.
http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu 
<hvssi...@gmail.com> wrote:

David,
   So are you suggesting that i change the approach in my Code. My 
application is for Windows and in Managed C++. In that i am using 
Callback function for receive, when the callback function is 
called, and when i call SSL_read in that, it hangs at recv call in 
the OpenSSL code, my assumption is that data was already read from 
socket, when callback was called. Another thing i would like to 
mention is I am using Sockets Managed Class, not the native sockets.









Eric S. Eberhard
(928) 567-3727  Voice
(928) 567-6122  Fax
(928) 301-7537   Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com

Pictures of Snake in Spring

http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49

Pictures of Camp Verde

http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf

Pictures of Land Cruiser in Sedona

http://www.facebook.com/album.php?aid=50953&id=1409661701

Pictures of Flagstaff area near our cabin

http://www.facebook.com/album.php?aid=12750&id=1409661701

Pictures of Cheryl in a Horse Show

http://www.facebook.com/album.php?aid=32484&id=1409661701


Pictures of the AZ Desert

http://www.facebook.com/album.php?aid=58827&id=1409661701

(You can see why we love this state :-) )








__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread Gayathri Sundar

actually I would seriously recommend you read the OpenSSL book written by
Eric Rescorla, it discusses all the use cases of openssl, BIO, async/sync
usages..so that you get an idea of how OpenSSL itself works.

On Mon, May 23, 2011 at 6:02 PM, Neo Liu  wrote:

> I think you can read this article and it will be help.
>
> http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html
>
>  On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu wrote:
>
>> David,
>>So are you suggesting that i change the approach in my Code. My
>> application is for Windows and in Managed C++. In that i am using Callback
>> function for receive, when the callback function is called, and when i call
>> SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption
>> is that data was already read from socket, when callback was called. Another
>> thing i would like to mention is I am using Sockets Managed Class, not the
>> native sockets.
>>
>>
>>>
>>
>>
>

Re: SSL Communication using BIO

2011-05-23 Thread Neo Liu

I think you can read this article and it will be help.
http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu  wrote:

> David,
>So are you suggesting that i change the approach in my Code. My
> application is for Windows and in Managed C++. In that i am using Callback
> function for receive, when the callback function is called, and when i call
> SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption
> is that data was already read from socket, when callback was called. Another
> thing i would like to mention is I am using Sockets Managed Class, not the
> native sockets.
>
>
>>
>
>

Re: SSL Communication using BIO

2011-05-23 Thread Eric S. Eberhard

You might also consider using stunnel which works perfectly and is 
easy to use in many cases and unless your volume is silly-high has 
plenty of performance to run in inetd mode which is very 
reliable.  stunnel is based on openssl.  It also makes your app 
independent of SSL changes which I like.  Eric


At 03:47 PM 5/23/2011, Wim Lewis wrote:


On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
> Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and 
encryption, but you don't want OpenSSL to do any network I/O itself: 
you want to do that (via the C# sockets class).


An example of using OpenSSL in this way is in 
demos/state_machine/state_machine.c in the OpenSSL distribution. As 
David Schwartz says, the important thing is not to assume that reads 
and writes of your data correspond directly to reads and writes on 
the socket. SSL may need to perform multiple reads and writes before 
you see any data (for example, during a handshake or renegotiation).


state_machine.c uses memory BIOs to buffer data going in and out of 
SSL. I think a better way to do it in current versions of OpenSSL is 
to make your own, nonblocking BIO which calls into your C# code as 
needed. But I could be wrong.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org



Eric S. Eberhard
(928) 567-3727  Voice
(928) 567-6122  Fax
(928) 301-7537   Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com

Pictures of Snake in Spring

http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49

Pictures of Camp Verde

http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf

Pictures of Land Cruiser in Sedona

http://www.facebook.com/album.php?aid=50953&id=1409661701

Pictures of Flagstaff area near our cabin

http://www.facebook.com/album.php?aid=12750&id=1409661701

Pictures of Cheryl in a Horse Show

http://www.facebook.com/album.php?aid=32484&id=1409661701


Pictures of the AZ Desert

http://www.facebook.com/album.php?aid=58827&id=1409661701

(You can see why we love this state :-) )








__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread Wim Lewis


On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
> Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and encryption, but 
you don't want OpenSSL to do any network I/O itself: you want to do that (via 
the C# sockets class).

An example of using OpenSSL in this way is in 
demos/state_machine/state_machine.c in the OpenSSL distribution. As David 
Schwartz says, the important thing is not to assume that reads and writes of 
your data correspond directly to reads and writes on the socket. SSL may need 
to perform multiple reads and writes before you see any data (for example, 
during a handshake or renegotiation).

state_machine.c uses memory BIOs to buffer data going in and out of SSL. I 
think a better way to do it in current versions of OpenSSL is to make your own, 
nonblocking BIO which calls into your C# code as needed. But I could be wrong.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu

I have discussed that with my team, we only have to use OpenSSL, SSAPI has
been ruled out for our work.

// Harshvir

On Mon, May 23, 2011 at 3:56 PM, John R Pierce  wrote:

> On 05/23/11 1:59 AM, Harshvir Sidhu wrote:
>
>>   So are you suggesting that i change the approach in my Code. My
>> application is for Windows and in Managed C++. In that i am using Callback
>> function for receive, when the callback function is called, and when i call
>> SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption
>> is that data was already read from socket, when callback was called. Another
>> thing i would like to mention is I am using Sockets Managed Class, not the
>> native sockets.
>>
>
> if you are working in Windows "Managed" space, why not use the Windows
> native SSL functionality?  I believe thats provided by SSPI and its Schannel
> support.
> http://msdn.microsoft.com/en-us/library/aa380493(v=vs.85).aspx <
> http://msdn.microsoft.com/en-us/library/aa380493%28v=vs.85%29.aspx>
> http://msdn.microsoft.com/en-us/library/aa380123(v=VS.85).aspx <
> http://msdn.microsoft.com/en-us/library/aa380123%28v=VS.85%29.aspx>
>
> --
> john r pierceN 37, W 123
> santa cruz ca mid-left coast
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: SSL Communication using BIO

2011-05-23 Thread John R Pierce


On 05/23/11 1:59 AM, Harshvir Sidhu wrote:
   So are you suggesting that i change the approach in my Code. My 
application is for Windows and in Managed C++. In that i am using 
Callback function for receive, when the callback function is called, 
and when i call SSL_read in that, it hangs at recv call in the OpenSSL 
code, my assumption is that data was already read from socket, when 
callback was called. Another thing i would like to mention is I am 
using Sockets Managed Class, not the native sockets.


if you are working in Windows "Managed" space, why not use the Windows 
native SSL functionality?  I believe thats provided by SSPI and its 
Schannel support.
http://msdn.microsoft.com/en-us/library/aa380493(v=vs.85).aspx 

http://msdn.microsoft.com/en-us/library/aa380123(v=VS.85).aspx 



--
john r pierceN 37, W 123
santa cruz ca mid-left coast

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu

Anyone any comments on this. Is openssl appropriate choice for my case?

// Harshvir

On Mon, May 23, 2011 at 3:59 AM, Harshvir Sidhu  wrote:

> David,
>So are you suggesting that i change the approach in my Code. My
> application is for Windows and in Managed C++. In that i am using Callback
> function for receive, when the callback function is called, and when i call
> SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption
> is that data was already read from socket, when callback was called. Another
> thing i would like to mention is I am using Sockets Managed Class, not the
> native sockets.
>
> // Harshvir
>
>
> On Sun, May 22, 2011 at 10:06 PM, David Schwartz wrote:
>
>> On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:
>>
>> Previously I have used SSL_XXX functions for performing SSL
>>> operations. Now i have am working on an application which is written in
>>> Managed C++ using callback functions(BeginReceive and EndReceive), and
>>> SSL_Read function is not working for that. So i tried using BIO_
>>> functions to create a bio pair for internal and network bio and then
>>> using them to encrypt/decrypt data before sending using normal socket,
>>> but when i try to use that my handshake is not getting completed, i do
>>> not see any error on s_server, but it dont seem to work when i try to
>>> enter something on server side, my callback dont get called.
>>>Can someone point me to some example code for this in which BIO is
>>> used to encrypt and decrypt data and then using normal sockets for
>>> send/receive? I am not able to find anything in openssl source exmple or
>>> on google.
>>>
>>
>> You are thinking about the problem wrong. You are thinking "I need to send
>> some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I need to
>> get that encrypted data from OpenSSL and write it to the socket. Then, the
>> other end will reply, so I need to read some encrypted data from the socket,
>> give it to OpenSSL, and then OpenSSL will decrypt it and give it to me."
>> This attempt to "look through" the OpenSSL engine will produce broken code
>> and pain.
>>
>> Instead, treat the OpenSSL engine as a black box whose internals are
>> wholly unknown to you. If you receive some data from the socket, give it to
>> OpenSSL. If OpenSSL wants to send some data on the socket, send it. If you
>> want to send some data to the other side, give it to OpenSSL. If OpenSSL has
>> some plaintext for you, take it and process it. But make no assumptions
>> about the sequence or interactions between these things.
>>
>> For example, a typical mistake is to wait for data to be received on the
>> socket before calling SSL_Read. This is completely broken behavior. Data
>> received on the socket is encrypted. Data received from SSL_Read is
>> decrypted. These are two distinct streams that, as far as your application
>> should be concerned, are totally unrelated. (Except when SSL_Read
>> specifically returns a WANT_READ, of course, and then only until some other
>> event invalidates the WANT_READ indication.)
>>
>> DS
>>
>>
>

Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu

David,
   So are you suggesting that i change the approach in my Code. My
application is for Windows and in Managed C++. In that i am using Callback
function for receive, when the callback function is called, and when i call
SSL_read in that, it hangs at recv call in the OpenSSL code, my assumption
is that data was already read from socket, when callback was called. Another
thing i would like to mention is I am using Sockets Managed Class, not the
native sockets.

// Harshvir

On Sun, May 22, 2011 at 10:06 PM, David Schwartz wrote:

> On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:
>
> Previously I have used SSL_XXX functions for performing SSL
>> operations. Now i have am working on an application which is written in
>> Managed C++ using callback functions(BeginReceive and EndReceive), and
>> SSL_Read function is not working for that. So i tried using BIO_
>> functions to create a bio pair for internal and network bio and then
>> using them to encrypt/decrypt data before sending using normal socket,
>> but when i try to use that my handshake is not getting completed, i do
>> not see any error on s_server, but it dont seem to work when i try to
>> enter something on server side, my callback dont get called.
>>Can someone point me to some example code for this in which BIO is
>> used to encrypt and decrypt data and then using normal sockets for
>> send/receive? I am not able to find anything in openssl source exmple or
>> on google.
>>
>
> You are thinking about the problem wrong. You are thinking "I need to send
> some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I need to
> get that encrypted data from OpenSSL and write it to the socket. Then, the
> other end will reply, so I need to read some encrypted data from the socket,
> give it to OpenSSL, and then OpenSSL will decrypt it and give it to me."
> This attempt to "look through" the OpenSSL engine will produce broken code
> and pain.
>
> Instead, treat the OpenSSL engine as a black box whose internals are wholly
> unknown to you. If you receive some data from the socket, give it to
> OpenSSL. If OpenSSL wants to send some data on the socket, send it. If you
> want to send some data to the other side, give it to OpenSSL. If OpenSSL has
> some plaintext for you, take it and process it. But make no assumptions
> about the sequence or interactions between these things.
>
> For example, a typical mistake is to wait for data to be received on the
> socket before calling SSL_Read. This is completely broken behavior. Data
> received on the socket is encrypted. Data received from SSL_Read is
> decrypted. These are two distinct streams that, as far as your application
> should be concerned, are totally unrelated. (Except when SSL_Read
> specifically returns a WANT_READ, of course, and then only until some other
> event invalidates the WANT_READ indication.)
>
> DS
>
>

Re: SSL Communication using BIO

2011-05-22 Thread Gayathri Sundar

as Neo Liu has pointed out, if you try to use memory bio pair for
communcation, then its ur responsibility to read and write every byte
out the fd using tcp_send and recv() calls, as openssl would only read and
write into the bio. This approach is very very tedious and not sure if thats
the only way to solve ur problem.

thanks
--Gayathri
On Sun, May 22, 2011 at 9:01 PM, Neo Liu  wrote:

> BIO pair is non-blocking BIO, so you need to call SSL_accept() or
> SSL_do_handshake() for server times.
> The example code looks like follows:
>
> BIO_write(ebio, ...)
> SSL_accept(ssl)
> BIO_read(ebio, ...)
>
> you can use BIO_pending() and BIO_wpending() to watch the buffer status of
> the BIO pairs.
>
>
> On Mon, May 23, 2011 at 9:18 AM, G S  wrote:
>
>> Ah, yes, I realized later that there wasn't any communication info in
>> there.  I only use it for encryption.
>>
>> Good luck!
>>
>
>

Re: SSL Communication using BIO

2011-05-22 Thread David Schwartz


On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:


Previously I have used SSL_XXX functions for performing SSL
operations. Now i have am working on an application which is written in
Managed C++ using callback functions(BeginReceive and EndReceive), and
SSL_Read function is not working for that. So i tried using BIO_
functions to create a bio pair for internal and network bio and then
using them to encrypt/decrypt data before sending using normal socket,
but when i try to use that my handshake is not getting completed, i do
not see any error on s_server, but it dont seem to work when i try to
enter something on server side, my callback dont get called.
Can someone point me to some example code for this in which BIO is
used to encrypt and decrypt data and then using normal sockets for
send/receive? I am not able to find anything in openssl source exmple or
on google.


You are thinking about the problem wrong. You are thinking "I need to 
send some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I 
need to get that encrypted data from OpenSSL and write it to the socket. 
Then, the other end will reply, so I need to read some encrypted data 
from the socket, give it to OpenSSL, and then OpenSSL will decrypt it 
and give it to me." This attempt to "look through" the OpenSSL engine 
will produce broken code and pain.


Instead, treat the OpenSSL engine as a black box whose internals are 
wholly unknown to you. If you receive some data from the socket, give it 
to OpenSSL. If OpenSSL wants to send some data on the socket, send it. 
If you want to send some data to the other side, give it to OpenSSL. If 
OpenSSL has some plaintext for you, take it and process it. But make no 
assumptions about the sequence or interactions between these things.


For example, a typical mistake is to wait for data to be received on the 
socket before calling SSL_Read. This is completely broken behavior. Data 
received on the socket is encrypted. Data received from SSL_Read is 
decrypted. These are two distinct streams that, as far as your 
application should be concerned, are totally unrelated. (Except when 
SSL_Read specifically returns a WANT_READ, of course, and then only 
until some other event invalidates the WANT_READ indication.)


DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL Communication using BIO

2011-05-22 Thread Neo Liu

BIO pair is non-blocking BIO, so you need to call SSL_accept() or
SSL_do_handshake() for server times.
The example code looks like follows:

BIO_write(ebio, ...)
SSL_accept(ssl)
BIO_read(ebio, ...)

you can use BIO_pending() and BIO_wpending() to watch the buffer status of
the BIO pairs.

On Mon, May 23, 2011 at 9:18 AM, G S  wrote:

> Ah, yes, I realized later that there wasn't any communication info in
> there.  I only use it for encryption.
>
> Good luck!
>

Re: SSL Communication using BIO

2011-05-22 Thread G S

Ah, yes, I realized later that there wasn't any communication info in
there.  I only use it for encryption.

Good luck!

Re: SSL Communication using BIO

2011-05-22 Thread Harshvir Sidhu

Thanks GS.
But i am more interested in the sample code in which BIO pair is used for
socket communication along with Certificate Exchange.
In the current code, i am creating CTX as usual, then using BIO to do
connect, and handshake. but that is not working.

// Harshvir

On Sun, May 22, 2011 at 7:21 PM, G S  wrote:

> On Sun, May 22, 2011 at 5:10 PM, Harshvir Sidhu wrote:
>
>>Can someone point me to some example code for this in which BIO is used
>> to encrypt and decrypt data and then using normal sockets for send/receive?
>> I am not able to find anything in openssl source exmple or on google.
>>
>>
> Here's some:
>
>
> http://www.opensc.ws/tutorials-articles/12761-rsa-encryption-using-openssl-c-c.html
>

Re: SSL Communication using BIO

2011-05-22 Thread G S

On Sun, May 22, 2011 at 5:10 PM, Harshvir Sidhu  wrote:

>Can someone point me to some example code for this in which BIO is used
> to encrypt and decrypt data and then using normal sockets for send/receive?
> I am not able to find anything in openssl source exmple or on google.
>
>
Here's some:

http://www.opensc.ws/tutorials-articles/12761-rsa-encryption-using-openssl-c-c.html

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

Re: SSL Communication using BIO

23 matches

Site Navigation

Mail list logo

Footer information