RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-29 Thread Ramaiah, Ravichandran Bagalur
I was able to trace the failure to ssl/ssl_sess.c line 279.

I’m not sure what needs to be done additionally in the application code for this.
Could someone please explain this error?

I’m just trying to add support for TLS 1.3 in an application which already
supports TLS 1.2.

(gdb) bt
#0  0x7fd5737051a0 in ssl_session_dup () from 
/lib/x86_64-linux-gnu/libssl.so.3
#1  0x7fd57373a931 in tls_construct_new_session_ticket () from 
/lib/x86_64-linux-gnu/libssl.so.3
#2  0x7fd57372aaff in state_machine.part () from 
/lib/x86_64-linux-gnu/libssl.so.3
#3  0x7fd573719e8e in ssl3_read_bytes () from 
/lib/x86_64-linux-gnu/libssl.so.3
#4  0x7fd5736edcc9 in ssl3_read () from /lib/x86_64-linux-gnu/libssl.so.3
#5  0x7fd5736fa6c0 in ssl_read_internal () from 
/lib/x86_64-linux-gnu/libssl.so.3
#6  0x7fd5736fa7f5 in SSL_read () from /lib/x86_64-linux-gnu/libssl.so.3



Regards,
Ravi


From: Ramaiah, Ravichandran Bagalur 
Sent: Wednesday, June 29, 2022 12:55 PM
To: Matt Caswell ; openssl-users@openssl.org
Subject: RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while 
implementing tls 1.3


Hi Matt,

Below is the error I got when I printed using ERR_error_string().


error:078C0100:common libcrypto routines::malloc failure

Any pointers on this?

Regards,
Ravi

-Original Message-
From: Matt Caswell <m...@openssl.org>
Sent: Tuesday, June 21, 2022 4:25 PM
To: Ramaiah, Ravichandran Bagalur <rrama...@rbbn.com>; openssl-users@openssl.org
Subject: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing 
tls 1.3

On 16/06/2022 05:52, Ramaiah, Ravichandran Bagalur wrote:
>
> *SSL error (78c0100): malloc failure

Do you get anything in the OpenSSL error stack for this (e.g. try 
"ERR_print_errors_fp(stdout);").

We need a bit more to go on to figure out where specifically the malloc failure 
is occurring.

Matt



Notice: This e-mail together with any attachments may contain information of 
Ribbon Communications Inc. and its Affiliates that is confidential and/or 
proprietary for the sole use of the intended recipient. Any review, disclosure, 
reliance or distribution by others or forwarding without express permission is 
strictly prohibited. If you are not the intended recipient, please notify the 
sender immediately and then delete all copies, including any attachments.


RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-29 Thread Ramaiah, Ravichandran Bagalur
Hi Matt,

Below is the error I got when I printed using ERR_error_string().


error:078C0100:common libcrypto routines::malloc failure

Any pointers on this?

Regards,
Ravi

-Original Message-
From: Matt Caswell 
Sent: Tuesday, June 21, 2022 4:25 PM
To: Ramaiah, Ravichandran Bagalur ; openssl-users@openssl.org
Subject: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing 
tls 1.3



On 16/06/2022 05:52, Ramaiah, Ravichandran Bagalur wrote:
>
> *SSL error (78c0100): malloc failure

Do you get anything in the OpenSSL error stack for this (e.g. try 
"ERR_print_errors_fp(stdout);").

We need a bit more to go on to figure out where specifically the malloc failure 
is occurring.

Matt





Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-21 Thread Matt Caswell




On 16/06/2022 05:52, Ramaiah, Ravichandran Bagalur wrote:
> *SSL error (78c0100): malloc failure


Do you get anything in the OpenSSL error stack for this (e.g. try 
"ERR_print_errors_fp(stdout);").


We need a bit more to go on to figure out where specifically the malloc 
failure is occurring.


Matt



RE: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-21 Thread Ramaiah, Ravichandran Bagalur
Hi All,

Could anyone tell me if this issue is caused by an application error or an
OpenSSL bug?

This malloc failure happens when I try to establish a TLS connection between
2 SIP applications.

Regards,
Ravi

From: Ramaiah, Ravichandran Bagalur
Sent: Thursday, June 16, 2022 10:23 AM
To: openssl-users@openssl.org
Subject: SSL error (78c0100): malloc failure while implementing tls 1.3

Hi All,

I'm trying to implement TLS 1.3 support in my application, but I'm getting a
malloc failure error.

Could you please help me understand why this error is happening, and how to
solve this issue?


*Set TLSv1.3 Cipher list TLS_AES_128_GCM_SHA256 ret 1
*SipCmOpenSSLNew: TLS, mutual auth, tlsSipAuthRequired = FALSE
*SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for ssl is NOT set.
*SSL handshake started undefined:before SSL initialization 240
*SSL_accept:before SSL initialization
*SSL_accept:before SSL initialization
*SSL_accept:SSLv3/TLS read client hello
*SSL_accept:SSLv3/TLS write server hello
*SSL_accept:SSLv3/TLS write change cipher spec
*SSL_accept:TLSv1.3 early data
*SSL_accept:error in TLSv1.3 early data
*SipCmAcceptSocket, socketId 121, us 10.34.164.185, peer  protocol 8
*SSL_accept:TLSv1.3 early data
*SSL_accept:SSLv3/TLS read client hello
*SSL_accept:SSLv3/TLS write server hello
*SSL_accept:TLSv1.3 write encrypted extensions
*SSL_accept:SSLv3/TLS write certificate request
*SSL_accept:SSLv3/TLS write certificate
*SSL_accept:TLSv1.3 write server certificate verify
*SSL_accept:SSLv3/TLS write finished
*SSL_accept:TLSv1.3 early data
*SSL_accept:error in TLSv1.3 early data
*SSL_accept:TLSv1.3 early data
*SSL_accept:SSLv3/TLS read client certificate
*SSL_accept:SSLv3/TLS read certificate verify
*SSL_accept:SSLv3/TLS read finished
*SSL handshake done undefined:SSLv3/TLS write session ticket  240
*New session created on sigport 2
*SSL_accept:SSLv3/TLS write session ticket
*SSL_SESSION_free ref
 *Session deleted on 2
*SSL3 alert write:fatal:internal error
*SSL_accept:error in error
*SSL error (78c0100): malloc failure
*ERROR on SSL_read err=1 flag=0
*Initiating SSL shutdown

I generated the client and server certificates using the commands below, and I
used the TLS_AES_128_GCM_SHA256 cipher.

CA Certificate:

openssl_rbbn ecparam -name prime256v1 -genkey -noout -out ca.key

openssl_rbbn req -new -x509 -sha256 -key ca.key -out ca.crt

openssl_rbbn x509 -in ca.crt -inform PEM -out pk-ca.crt.der -outform DER


Server Certificate:

openssl_rbbn ecparam -name prime256v1 -genkey -noout -out server.key

openssl_rbbn req -new -sha256 -key server.key -out server.csr

openssl_rbbn x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial 
-out server.crt -days 1000 -sha256



Client Certificate:

openssl_rbbn ecparam -name prime256v1 -genkey -noout -out client1.key

openssl_rbbn req -new -sha256 -key client1.key -out client1.csr

openssl_rbbn x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial 
-out client1.crt -days 1000 -sha256

Regards,
Ravi



Re: SSL error after machine restart.

2013-07-31 Thread Jakob Bohm

On 31-07-2013 11:16, Rajeev Tomar wrote:
> Hi
>
> We are using openssl 0.9.8 in our application.
> Things are working fine and suddenly we are having .
> Linux awtah.dispatchserver1 3.6.11-1.fc16.i686 #1 SMP Mon Dec 17
> 21:36:23 UTC 2012 i686 i686 i386 GNU/Linux
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac:s3_pkt.c:426:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:288:
> error:1408F096:SSL routines:SSL3_GET_RECORD:encrypted length too
> long:s3_pkt.c:346:
>
> This error was random.
> Even though the application uses its own openssl 0.9.8 and the M/C has
> 1.0.0j-fips.

Two things to check:

- Use the command "cut -c 50- /proc//maps | uniq" (Change 50 to 74
on 64-bit kernels) to make sure your application is not loading a dynamic
libcrypt or libssl anyway.

- If your application uses the shared certificate trust store in
/etc/ssl/certs, note that OpenSSL 1 and OpenSSL 0.9 use incompatible
formats for the symlinks in that directory, so either you need to use
a different directory for your OpenSSL 0.9 applications or you need
some special tricks to set up a combined directory.


> -bash-4.2# openssl version -a
> OpenSSL 1.0.0j-fips 10 May 2012
> built on: Tue May 15 18:44:01 UTC 2012
> platform: linux-elf
> options: bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long)
> blowfish(idx)
> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO
> -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686
> -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> -DWHIRLPOOL_ASM
>
> OPENSSLDIR: "/etc/pki/tls"
> engines: aesni dynamic
> On reinstalling 1.0.0j-fips on this machine the error got fixed.
> Now for the same application on Fedora 14, after reboot we have
> encountered the above problem.
> Linux 3UPCAWT605 2.6.35.6-45.fc14.i686 #1 SMP Mon Oct 18 23:56:17 UTC
> 2010 i686 i686 i386 GNU/Linux
>
> Any pointer on what the root cause of this problem is, or how to fix it?
> OpenSSL installed on the second M/C:
> built on: Wed Sep 7 18:59:14 UTC 2011
> platform: linux-elf
> options: bn(64,32) md2(int) rc4(8x,mmx) des(ptr,risc1,16,long)
> blowfish(idx)
> compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO
> -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686
> -mtune=atom -fasynchronous-unwind-tables -Wa,--noexecstack
> -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> -DWHIRLPOOL_ASM
>
> OPENSSLDIR: "/etc/pki/tls"
> engines: aesni dynamic



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
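Jakob's first check, the `cut -c 50- /proc/<pid>/maps | uniq` command, is easy to automate. The script below is an added example (not from this thread or from any project in it): it reads a maps file, deduplicates the path column and warns when a process has two different libcrypto or libssl objects mapped at once, which is the situation Rajeev describes (an application shipping OpenSSL 0.9.8 on a host that has 1.0.0j). The embedded maps text is constructed, not a real capture; given a pid on Linux it inspects a live process instead.

```python
"""Check which libssl/libcrypto copies a process has mapped (added example).

Not code from the list or from any project discussed there; it automates
the "cut -c 50- /proc/<pid>/maps | uniq" check by reading the maps file,
deduplicating the path column and flagging a process that has more than
one copy of libcrypto or libssl loaded at once.
"""
import os
import re
import sys

# Constructed sample of a 32-bit /proc/<pid>/maps (not a real capture):
# an application that ships its own OpenSSL 0.9.8 but has also pulled in
# the distribution's 1.0.0 libraries through a dynamically linked helper.
SAMPLE_MAPS = """\
08048000-0805c000 r-xp 00000000 08:01 131232     /opt/app/bin/dispatchserver
0805c000-0805d000 rw-p 00013000 08:01 131232     /opt/app/bin/dispatchserver
b7500000-b7620000 r-xp 00000000 08:01 262401     /opt/app/lib/libcrypto.so.0.9.8
b7620000-b7630000 rw-p 00120000 08:01 262401     /opt/app/lib/libcrypto.so.0.9.8
b7630000-b7660000 r-xp 00000000 08:01 262402     /opt/app/lib/libssl.so.0.9.8
b7660000-b7680000 rw-p 00000000 00:00 0
b7700000-b7880000 r-xp 00000000 08:01 393221     /usr/lib/libcrypto.so.1.0.0j
b7880000-b78c0000 r-xp 00000000 08:01 393222     /usr/lib/libssl.so.1.0.0j
b7900000-b7a50000 r-xp 00000000 08:01 131445     /lib/libc-2.14.so
bfd00000-bfd21000 rw-p 00000000 00:00 0          [stack]
"""

OPENSSL_LIB_RE = re.compile(r"^lib(crypto|ssl)\.so(\.|$)")


def mapped_paths(maps_text):
    """Distinct file-backed mappings in first-seen order: the equivalent of
    `cut -c <path column>- | uniq`, but using the whitespace-separated
    field so the same code works for 32- and 64-bit maps layouts."""
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5].strip()
        if path.startswith("[") or path in seen:
            continue                      # [stack], [vdso], ... or already listed
        seen.append(path)
    return seen


def openssl_libraries(paths):
    """Group mapped libcrypto/libssl objects by library name."""
    found = {"libcrypto": [], "libssl": []}
    for path in paths:
        m = OPENSSL_LIB_RE.match(os.path.basename(path))
        if m:
            found["lib" + m.group(1)].append(path)
    return found


def conflicting_libraries(maps_text):
    """Return {name: [paths]} for every OpenSSL library mapped more than once."""
    libs = openssl_libraries(mapped_paths(maps_text))
    return {name: paths for name, paths in libs.items() if len(paths) > 1}


def main(argv):
    if len(argv) > 1:
        with open(f"/proc/{argv[1]}/maps") as fh:    # a real pid on Linux
            text = fh.read()
    else:
        text = SAMPLE_MAPS
    for path in mapped_paths(text):
        print(path)
    conflicts = conflicting_libraries(text)
    for name, paths in conflicts.items():
        print(f"WARNING: {name} mapped {len(paths)} times: {', '.join(paths)}")
    return 1 if conflicts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two different libcrypto objects in one address space is exactly the condition Jakob's check is looking for: the record-layer errors above ("decryption failed or bad record mac", "wrong version number") are what you get when the SSL structures of one version are handed to the functions of another.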


Re: SSL error: SSL error code 336151528 (a seemingly rare error/bug?)

2012-03-27 Thread Marek Marcola
Hello,

$ echo "obase=16;336151528" | bc
140943E8
$ openssl errstr 140943E8
error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)

Best regards,
--
Marek Marcola 

owner-openssl-us...@openssl.org wrote on 03/27/2012 01:09:56 AM:

> Blake Mizerany  
> Sent by: owner-openssl-us...@openssl.org
> 
> 03/27/2012 09:24 AM
> 
> Please respond to
> openssl-users@openssl.org
> 
> To
> 
> openssl-users@openssl.org
> 
> cc
> 
> Subject
> 
> SSL error: SSL error code 336151528 (a seemingly rare error/bug?)
> 
> While working on postgres driver in Go, I began getting these errors
> in my postgres logs:
> "SSL error: SSL error code 336151528"
> 
> I spoke with a postgres team member and they aren't sure exactly where
> this is coming from.
> A little more research on my side found someone else getting a very
> similar error on OS X:
> http://www.mail-archive.com/freebsd-questions@freebsd.org/msg14704.html
> 
> Triangulation of the error points to OpenSSL right now.
> 
> Any thoughts/help would be very much appreciated.
> I don't have a deep understanding of SSL so I'm not sure I'll be able
> to find the root of the problem; but will keep looking.
> 
> -blake

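Matt's suggestion to print the error stack and Marek's bc + `openssl errstr` step both come down to how OpenSSL packs an error code. The decoder below is an added example, not code from the list or from OpenSSL itself. It assumes the two layouts from OpenSSL's err.h: library, function and reason fields for 0.9.8/1.x, and library plus a flagged reason for 3.x, where the function field no longer exists. It decodes only the numeric fields, so `openssl errstr` on the build that produced the code is still the way to get the symbolic function and reason names; the library numbers in LIB_NAMES and the malloc-failure reason value are the ones from err.h.

```python
"""Decode a packed OpenSSL error code offline (added example, not list code).

Assumed layouts, taken from OpenSSL's err.h:
  0.9.8 / 1.x : lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits)
  3.x         : lib (8 bits) << 23 | reason (23 bits, top 5 bits are flags)
Only the numeric fields are decoded here; symbolic names still come from
`openssl errstr <hex>` on the build that produced the code.
"""
from dataclasses import dataclass
from typing import Optional

# Library numbers from err.h for the libraries that appear in these threads.
LIB_NAMES = {9: "PEM", 15: "CRYPTO (common libcrypto routines)", 20: "SSL"}

SSL_AD_REASON_OFFSET = 1000          # SSL reasons >= 1000 are received TLS alerts
ERR_RFLAGS_OFFSET = 18               # 3.x: flag bits sit above the 18-bit reason value
ERR_RFLAG_FATAL = 0x1 << ERR_RFLAGS_OFFSET
ERR_RFLAG_COMMON = 0x2 << ERR_RFLAGS_OFFSET
ERR_R_MALLOC_FAILURE_VALUE = 256     # 3.x: ERR_R_MALLOC_FAILURE = 256 | fatal | common


@dataclass
class DecodedError:
    code: int
    layout: str
    lib: int
    lib_name: str
    func: Optional[int]      # None for 3.x, which no longer encodes the function
    reason: int
    fatal: bool
    common: bool
    alert: Optional[int]     # TLS alert description number, if the reason is one


def decode(code: int, openssl_major: int) -> DecodedError:
    """Split a packed error code into its fields for the given OpenSSL major version."""
    if openssl_major >= 3:
        lib = (code >> 23) & 0xFF
        raw_reason = code & 0x7FFFFF
        fatal = bool(raw_reason & ERR_RFLAG_FATAL)
        common = bool(raw_reason & ERR_RFLAG_COMMON)
        reason = raw_reason & ((1 << ERR_RFLAGS_OFFSET) - 1)
        func = None
        layout = "3.x"
    else:
        lib = (code >> 24) & 0xFF
        func = (code >> 12) & 0xFFF
        reason = code & 0xFFF
        fatal = common = False
        layout = "1.x"
    alert = None
    if lib == 20 and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return DecodedError(code, layout, lib, LIB_NAMES.get(lib, f"lib {lib}"),
                        func, reason, fatal, common, alert)


def from_decimal(text: str, openssl_major: int) -> DecodedError:
    """Logs often print the code in decimal (postgres does); no bc round-trip needed."""
    return decode(int(text, 10), openssl_major)


def describe(err: DecodedError) -> str:
    """One-line summary in the spirit of `openssl errstr`, numeric fields only."""
    parts = [f"error:{err.code:08X}", f"lib={err.lib} ({err.lib_name})"]
    if err.func is not None:
        parts.append(f"func={err.func}")
    parts.append(f"reason={err.reason}")
    if err.common and err.reason == ERR_R_MALLOC_FAILURE_VALUE:
        parts.append("malloc failure")
    if err.fatal:
        parts.append("fatal")
    if err.alert is not None:
        parts.append(f"peer sent TLS alert {err.alert}")
    return " ".join(parts)


if __name__ == "__main__":
    # Codes quoted in the threads on this page.
    print(describe(from_decimal("336151528", 1)))       # postgres log, 1.x layout
    for hex_code, major in (("0906D06C", 1), ("1408F119", 1), ("078C0100", 3)):
        print(describe(decode(int(hex_code, 16), major)))
```

Run on the codes quoted on this page it reproduces Marek's result: 336151528 is 0x140943E8, library 20 (SSL), function 148, reason 1000, and reason 1000 in the SSL library is a received alert number 0, close_notify, i.e. the peer closed the TLS session. The 0x078C0100 from the TLS 1.3 thread decodes as library 15 with the common and fatal flags set and reason value 256, which is what "common libcrypto routines::malloc failure" spells out.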


Re: SSL error no start line

2011-03-29 Thread Victor Duchovni
On Tue, Mar 29, 2011 at 10:15:04AM +0200, Aarno Syvänen wrote:

> HI,
> 
> what would error OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start 
> line mean ?

A PEM file was expected, but the input was not a PEM file; specifically,
it had no "-----BEGIN ...-----" line.

-- 
Viktor.
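To go with Victor's answer, a small classifier, added here and not taken from the list, that tells you why PEM_read_bio() would report no start line for a given file. It assumes nothing beyond the PEM armour format and the fact that DER-encoded certificates, keys and CSRs begin with an ASN.1 SEQUENCE tag (0x30); the sample inputs are constructed, and the base64 body is filler rather than a real certificate.

```python
"""Classify what a file handed to PEM_read_bio() actually contains (added example).

Not code from the list or from OpenSSL. "no start line" means the reader
never saw a "-----BEGIN ...-----" line, so the usual causes are a DER file
passed where PEM was expected, an empty or truncated file, a UTF-8 BOM in
front of the dashes, or text that is not a certificate or key at all.
"""
import re

BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\s*$", re.M)
UTF8_BOM = b"\xef\xbb\xbf"

# Constructed samples: the PEM body is filler, not a real certificate.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n"
              b"MIIBconstructedFillerNotARealCertificate0000000000000000000000\r\n"
              b"-----END CERTIFICATE-----\r\n")
SAMPLE_TRUNCATED = SAMPLE_PEM.split(b"-----END")[0]
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"\x00" * 20       # SEQUENCE, long-form length
SAMPLE_BOM_PEM = UTF8_BOM + SAMPLE_PEM


def classify(data: bytes):
    """Return (kind, detail): ("pem", labels) | ("pem-truncated", labels) |
    ("der", "SEQUENCE") | ("empty", None) | ("unknown", None)."""
    body = data[len(UTF8_BOM):] if data.startswith(UTF8_BOM) else data
    if not body.strip():
        return ("empty", None)
    begins = [b.decode() for b in BEGIN_RE.findall(body)]
    ends = [e.decode() for e in END_RE.findall(body)]
    if begins:
        return ("pem", begins) if begins == ends else ("pem-truncated", begins)
    # DER: certificates, keys and CSRs are an ASN.1 SEQUENCE (tag 0x30) followed by
    # either a short-form length (< 0x80) or a long-form length of 1..4 bytes.
    if len(body) > 1 and body[0] == 0x30 and (body[1] < 0x80 or 0x81 <= body[1] <= 0x84):
        return ("der", "SEQUENCE")
    return ("unknown", None)


def explain(data: bytes) -> str:
    """Map the classification to the action a PEM_read_bio() caller needs."""
    kind, detail = classify(data)
    if kind == "pem":
        return f"PEM with blocks {detail}; if OpenSSL still complains, the label is not the expected one"
    if kind == "pem-truncated":
        return f"PEM block(s) {detail} missing their END line; the file is cut short"
    if kind == "der":
        return "DER encoded; read it with -inform DER (or d2i_* instead of PEM_read_*)"
    if kind == "empty":
        return "empty file; check the path and that the file was written at all"
    return "neither PEM nor DER; this is not a certificate or key"


if __name__ == "__main__":
    for name, sample in (("pem", SAMPLE_PEM), ("bom", SAMPLE_BOM_PEM),
                         ("truncated", SAMPLE_TRUNCATED), ("der", SAMPLE_DER),
                         ("empty", b""), ("text", b"hello\n")):
        print(f"{name:10s} {explain(sample)}")
```

The BOM case is worth keeping in mind: a key exported from a Windows editor can look perfectly valid in a text viewer and still fail with "no start line", because the three invisible bytes stop the first line from beginning with the dashes.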


Re: SSL error: parse tlsext

2010-04-09 Thread Florent Georges
Dr. Stephen Henson wrote:

> > > openssl s_client -connect xxx.org:443

> > > and it should say if secure renegotiation is supported in
> > > the output.

> >   Thanks for the tip!  I tried, but I am afraid I cannot tell
> > whether it is the case or not, based on this output.  I tried
> > on google.com:443 as well to be sure that was not because of the
> > other server, but I didn't find such info there either.  Do you
> > know what I must look for in the output of -connect ?

> After the line saying "Server public key is xxx bit" you should
> see:

> Secure Renegotiation IS supported
> or
> Secure Renegotiation IS NOT supported

> you need OpenSSL 1.0.0 or 0.9.8m or later to do this.

  Thanks.  I had to compile a newer version than the one that comes
with Snow Leopard (which is just 0.9.8l :-p).  And you're right,
the server does not support secure renegotiation.  As OpenSSL
on that server is part of the system package management, I
preferred not to upgrade it by hand, but you put me on the
right track...  I instead temporarily enabled SVN access through
HTTP (anyway the content is readable by anyone).

  Thanks for your help, regards,

-- 
Florent Georges
http://www.fgeorges.org


Re: SSL error: parse tlsext

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Florent Georges wrote:

> Dr. Stephen Henson wrote:
> 
>   Thanks for your fast response!
> 
> > That looks like it is only part of the actual error code.
> 
>   That's all I have.  I guess either Subversion or Neon truncates
> the error message.
> 
> > I suspect it is because the server doesn't support secure
> > renegotiation.  You can check this by doing:
> 
> > openssl s_client -connect xxx.org:443
> 
> > and it should say if secure renegotiation is supported in the
> > output.
> 
>   Thanks for the tip!  I tried, but I am afraid I cannot tell
> whether it is the case or not, based on this output.  I tried on
> google.com:443 as well to be sure that was not because of the other
> server, but I didn't find such info there either.  Do you know what I
> must look for in the output of -connect ?
> 

After the line saying "Server public key is xxx bit" you should see:

Secure Renegotiation IS supported

or

Secure Renegotiation IS NOT supported

you need OpenSSL 1.0.0 or 0.9.8m or later to do this.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: SSL error: parse tlsext

2010-04-07 Thread Florent Georges
Dr. Stephen Henson wrote:

  Thanks for your fast response!

> That looks like it is only part of the actual error code.

  That's all I have.  I guess either Subversion or Neon truncates
the error message.

> I suspect it is because the server doesn't support secure
> renegotiation.  You can check this by doing:

> openssl s_client -connect xxx.org:443

> and it should say if secure renegotiation is supported in the
> output.

  Thanks for the tip!  I tried, but I am afraid I cannot tell
whether it is the case or not, based on this output.  I tried on
google.com:443 as well to be sure that was not because of the other
server, but I didn't find such info there either.  Do you know what I
must look for in the output of -connect ?

  Regards,

-- 
Florent Georges
http://www.fgeorges.org


Re: SSL error: parse tlsext

2010-04-07 Thread Dr. Stephen Henson
On Wed, Apr 07, 2010, Florent Georges wrote:

>   Hi,
> 
>   I am using openssl from within neon, itself used from within
> Subversion.  During an svnsync, I receive the following error
> message:
> 
> svnsync: PROPFIND of '/svn/xxx': SSL negotiation failed: SSL
> error: parse tlsext (https://xxx.org)
> 
>   If I am right, this message comes from openssl.  Is it really
> an error reported by openssl?  If it is, is there anything I can
> do to either solve the problem or at least get more informations
> about the context of the error?
> 
>   I am ready to compile the source packages myself if needed (and
> actually I did, to be sure the TLS extensions were enabled during
> the build process, but I am still getting this error).  I am under Mac
> OS X Snow Leopard.
> 

That looks like it is only part of the actual error code. I suspect it is
because the server doesn't support secure renegotiation. You can check this by
doing:

openssl s_client -connect xxx.org:443

and it should say if secure renegotiation is supported in the output.

If it isn't supported the best fix is to upgrade the version of OpenSSL on the
server.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: SSL Error and Info messages

2008-02-25 Thread Shaw Graham George
Hi,

This may or may not be helpful ... it depends on your code, and what
applications that you are talking to that lead to these errors:

(1) reminds me of a problem that can occur when using OpenSSL against
some Java implementations.  You can test it by using openssl s_client or
s_server using the -bugs option, and then check the man page for
SSL_CTX_set_options() which describes the various bug workarounds.

(2) reminds me of problems that OpenSSL has with IIS, and maybe other
Microsoft products.  They don't follow the SSL shutdown standard so you
just have to handle it in your code.

G.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Weigang Gong
Sent: 25 February 2008 14:55
To: openssl-users@openssl.org
Subject: SSL Error and Info messages


Hi, openssl community,
 
My application calls some library functions, which use OpenSSL. When my
application runs, I believe OpenSSL emitted some messages described
below.
 
1. Sometimes, following Error messages will be emitted:
ERR-05255|8|04:26:25.540503|sslsocket.cpp[581] - SSL Error: Error on
Read SSL Error Stack: error:1408F455:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac on 
...
ERR-05275|8|14:49:42.733798|sslsocket.cpp[566] - SSL Error: errno is
145: Connection timed out on 
...
 
Does anyone know what caused those error messages?
 
 
2. Also, following Info message will be emitted:
 
INF-05325|8|04:26:25.562401|sslsocket.cpp[538] - SSL Error: SSL_shutdown
EOF that violates SSL protocol 0 
 
Though it does not seem to affect the functionality, those info messages
are kind of annoying. Does anyone know how to turn them off ?
 
Thanks a lot !
 
 
Michael
 


RE: SSL Error and Info messages

2008-02-25 Thread David Schwartz


> My application calls some library functions, which uses
> OpenSSL. When my application runs, I believe OpenSSL emitted
> some messages described below.

Nope. Your application emitted them. OpenSSL detected them and reported
them, you chose to print them out.

> Does anyone know what caused those error messages?

They are normal errors. They can safely be ignored.

> Though it does not seem to affect the functionality, those info
> messages are kind of annoying. Does anyone know how to turn
> them off ?

Find the code in your application that generates them and comment it out or
suppress messages that are known to be harmless. You can try grep'ing your
code for "ERR_". If you have 'egrep', using "[^A-Z_]ERR_[a-z]" as the
regular expression will probably reduce the number of false positives.

DS




Re: SSL Error connecting to cia.gov

2007-10-24 Thread Alex Lam
Try this..

./openssl s_client -tls1 -connect www.cia.gov:443


On 10/24/07, Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
>
> Isolating the problem is more or less simple:
>   openssl s_client -connect www.cia.gov:443
> shows the intermittent failures as well, so we can rule out all
> applications (curl, wget, ...). Has to be some basic thing.
>
> I tend to observe the failure with s_client not on the first attempt but
> on the nth attempt in a row. I would guess(!) that it may be some
> DoS protection measure that prevents too many new connections
> (from the same site).
> Firefox (and other browsers) would use session caching so that the
> server could see that it is actually the same client coming in again.
> This of course could only be seen after the client hello with a
> proposed session to be reused comes in and could not be done at
> the firewall level.
> Again: this is just a GUESS!
>
> Best regards,
> Lutz
>
> Alex Lam wrote:
> > That's TLSv1, not SSLv2.
> >
> > : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
> >
> > On 10/23/07, *Jake Goulding* <[EMAIL PROTECTED]
> > > wrote:
> >
> > Hey all:
> >
> > We use curl to retrieve webpages, and recently started receiving an
> > intermittent (40-60% of the time) error when retrieving a page
> > from the
> > CIA. About two weeks ago, they switched to running https only,
> > with the
> > http URLs being forwarded to the https equivalents.
> >
> > The error we receive is:
> >
> > $ curl 'https://www.cia.gov/about-cia/faqs/'
> > curl: (35) Unknown SSL protocol error in connection to
> > www.cia.gov:443 
> >
> > Using the --trace option, I see this:
> >
> > == Info: About to connect() to www.cia.gov 
> > port 443 (#0)
> > == Info:   Trying 198.81.129.100.. . == Info: connected
> > == Info: Connected to www.cia.gov 
> > (198.81.129.100 ) port 443 (#0)
> > == Info: successfully set certificate verify locations:
> > == Info:   CAfile: /etc/ssl/certs/ca- certificates.crt
> >   CApath: none
> > == Info: SSLv2, Client hello (1):
> > => Send SSL data, 124 bytes (0x7c)
> > : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00
> c..9..8.
> > 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00
> > .5..
> > 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f
> .3..2../
> > 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03
> ..E..D..A...
> > 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
> > 
> > 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
> [EMAIL PROTECTED]
> > 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff
> 
> > 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
> > == Info: Unknown SSL protocol error in connection to
> > www.cia.gov:443 
> > == Info: Closing connection #0
> >
> > Unfortunately, I don't grok SSL hex  :-) .
> >
> > I have tried this and received the same error with the following
> > versions:
> > curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> > curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> > curl-7.16.1 / openssl-0.9.8e
> > curl-7.17.0 / openssl-0.9.8f
> >
> > Firefox does not seem to have any issues with this page.
> >
> > I asked the curl mailing list about this error, and got the
> following
> > response:
> >
> > > This apparently has nothing to do with curl. I got the same
> > > intermittent errors with lynx, w3m, wget, you name it. I am using
> > > OpenSSL 0.9.8g 19 Oct 2007.
> >
> > Any help would be greatly appreciated. Please let me know if I can
> > provide more information.
> >
> > Thanks!
> >

Re: SSL Error connecting to cia.gov

2007-10-24 Thread Marek Marcola
On Tue, 2007-10-23 at 22:02 -0700, Alex Lam wrote:
> That's TLSv1, not SSLv2.
> 
> : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00
> 00 .5.. 
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00
> 00  
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
This is an SSL2 client_hello packet with a TLS1 proposition.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

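Marek's one-line diagnosis can be checked byte by byte. The parser below is an added example, not code from the list, from curl or from OpenSSL: it decodes the hex dump Jake posted and shows what the message actually encodes. The layout assumed is the SSL 2.0 CLIENT-HELLO (type, version, cipher_spec_length, session_id_length, challenge_length, then the three variable fields), which is why curl labels the message "SSLv2, Client hello"; the version inside it is 3.1, i.e. TLS 1.0, and the cipher list mixes SSLv3/TLS suites (encoded 00 xx yy) with SSLv2-only specs (non-zero first byte). The embedded dump is the 124 bytes from the trace above with the offset label of the first row restored.

```python
"""Parse the SSLv2-format CLIENT-HELLO from the curl trace above (added example).

Not code from the list, curl or OpenSSL. Field layout per the SSL 2.0
specification: msg_type(1) version(2) cipher_spec_length(2)
session_id_length(2) challenge_length(2) cipher_specs session_id challenge.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# The 124 bytes from Jake's --trace output, first-row offset label restored.
CURL_TRACE_DUMP = """\
0000: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff
0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def bytes_from_dump(dump: str) -> bytes:
    """Pull the hex column out of a curl --trace dump, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        _offset, _, rest = line.partition(":")
        for tok in rest.split()[:16]:
            if not HEX_BYTE.match(tok):
                break                     # reached the ASCII rendering
            out.append(int(tok, 16))
    return bytes(out)


@dataclass
class ClientHelloV2:
    version: Tuple[int, int]
    version_name: str
    cipher_specs: List[str]       # 3-byte specs as hex strings
    session_id: bytes
    challenge: bytes

    def v2_only_specs(self) -> List[str]:
        """SSLv2-only specs have a non-zero first byte; SSLv3/TLS suites are 00 xx yy."""
        return [s for s in self.cipher_specs if not s.startswith("00")]


def parse_client_hello_v2(data: bytes) -> ClientHelloV2:
    if len(data) < 9:
        raise ValueError("too short for an SSLv2 CLIENT-HELLO header")
    if data[0] != 1:
        raise ValueError(f"msg_type {data[0]} is not CLIENT-HELLO (1)")
    version = (data[1], data[2])
    spec_len = int.from_bytes(data[3:5], "big")
    sid_len = int.from_bytes(data[5:7], "big")
    chal_len = int.from_bytes(data[7:9], "big")
    if spec_len % 3:
        raise ValueError("cipher_spec_length must be a multiple of 3")
    if len(data) != 9 + spec_len + sid_len + chal_len:
        raise ValueError("length fields do not add up to the message size")
    if not 16 <= chal_len <= 32:
        raise ValueError("challenge must be 16..32 bytes")
    pos = 9
    specs = [data[i:i + 3].hex() for i in range(pos, pos + spec_len, 3)]
    pos += spec_len
    session_id = data[pos:pos + sid_len]
    pos += sid_len
    challenge = data[pos:pos + chal_len]
    return ClientHelloV2(version, VERSION_NAMES.get(version, "unknown"),
                         specs, session_id, challenge)


if __name__ == "__main__":
    hello = parse_client_hello_v2(bytes_from_dump(CURL_TRACE_DUMP))
    print(f"proposed version {hello.version} = {hello.version_name}")
    print(f"{len(hello.cipher_specs)} cipher specs, "
          f"{len(hello.v2_only_specs())} SSLv2-only: {hello.v2_only_specs()}")
    print(f"session id: {hello.session_id.hex() or '(none)'}")
    print(f"challenge:  {hello.challenge.hex()}")
```

The empty session id is also the detail behind Lutz's guess in the reply above: with no session to resume, every one of these connections looks like a brand-new client to the server, and a server that cannot handle the SSLv2-compatible hello at all will simply drop the connection, which is what Marek observed. Alex's `-tls1` suggestion makes OpenSSL send a native TLS ClientHello record instead of this SSLv2-format one.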


Re: SSL Error connecting to cia.gov

2007-10-24 Thread Lutz Jaenicke
Isolating the problem is more or less simple:
  openssl s_client -connect www.cia.gov:443
shows the intermittent failures as well, so we can rule out all
applications (curl, wget, ...). Has to be some basic thing.

I tend to observe the failure with s_client not on the first attempt but
on the nth attempt in a row. I would guess(!) that it may be some
DoS protection measure that prevents too many new connections
(from the same site).
Firefox (and other browsers) would use session caching so that the
server could see that it is actually the same client coming in again.
This of course could only be seen after the client hello with a
proposed session to be reused comes in and could not be done at
the firewall level.
Again: this is just a GUESS!

Best regards,
Lutz

Alex Lam wrote:
> That's TLSv1, not SSLv2.
>
> : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
>
> On 10/23/07, *Jake Goulding* <[EMAIL PROTECTED]
> > wrote:
>
> Hey all:
>
> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page
> from the
> CIA. About two weeks ago, they switched to running https only,
> with the
> http URLs being forwarded to the https equivalents.
>
> The error we receive is:
>
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to
> www.cia.gov:443 
>
> Using the --trace option, I see this:
>
> == Info: About to connect() to www.cia.gov 
> port 443 (#0)
> == Info:   Trying 198.81.129.100.. . == Info: connected
> == Info: Connected to www.cia.gov 
> (198.81.129.100 ) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info:   CAfile: /etc/ssl/certs/ca- certificates.crt
>   CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00
> .5..
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
> 
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
> == Info: Unknown SSL protocol error in connection to
> www.cia.gov:443 
> == Info: Closing connection #0
>
> Unfortunately, I don't grok SSL hex  :-) .
>
> I have tried this and received the same error with the following
> versions:
> curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> curl-7.16.1 / openssl-0.9.8e
> curl-7.17.0 / openssl-0.9.8f
>
> Firefox does not seem to have any issues with this page.
>
> I asked the curl mailing list about this error, and got the following
> response:
>
> > This apparently has nothing to do with curl. I got the same
> > intermittent errors with lynx, w3m, wget, you name it. I am using
> > OpenSSL 0.9.8g 19 Oct 2007.
>
> Any help would be greatly appreciated. Please let me know if I can
> provide more information.
>
> Thanks!



Re: SSL Error connecting to cia.gov

2007-10-23 Thread Alex Lam
That's TLSv1, not SSLv2.

: 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 
0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y

On 10/23/07, Jake Goulding <[EMAIL PROTECTED]> wrote:
>
> Hey all:
>
> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page from the
> CIA. About two weeks ago, they switched to running https only, with the
> http URLs being forwarded to the https equivalents.
>
> The error we receive is:
>
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
>
> Using the --trace option, I see this:
>
> == Info: About to connect() to www.cia.gov port 443 (#0)
> == Info:   Trying 198.81.129.100... == Info: connected
> == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info:   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
> == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> == Info: Closing connection #0
>
> Unfortunately, I don't grok SSL hex  :-) .
>
> I have tried this and received the same error with the following versions:
> curl-7.12.1-8.rhel4 / openssl-0.9.7a-43.14
> curl-7.12.1-11.el4 / openssl-0.9.7a-43.16
> curl-7.16.1 / openssl-0.9.8e
> curl-7.17.0 / openssl-0.9.8f
>
> Firefox does not seem to have any issues with this page.
>
> I asked the curl mailing list about this error, and got the following
> response:
>
> > This apparently has nothing to do with curl. I got the same
> > intermittent errors with lynx, w3m, wget, you name it. I am using
> > OpenSSL 0.9.8g 19 Oct 2007.
>
> Any help would be greatly appreciated. Please let me know if I can
> provide more information.
>
> Thanks!


Re: SSL Error connecting to cia.gov

2007-10-23 Thread Jake Goulding
Marek Marcola wrote:
> I think that this is a CIA webserver problem.
> You may test this with:
>  $ openssl s_client -connect www.cia.gov:443 -state -debug -msg [[-ssl3] [-tls1]]
> and with any combination, after some successful connections you will get failed
> connections.
> For example:
>  $ openssl s_client -connect www.cia.gov:443 -state -debug -msg

[snip]

> As you see, after sending the client_hello the remote server just quits the
> connection; there is no alert information (for example about unsupported
> ciphers or something), the connection is simply dropped:
>   -> read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))
> 
> I think that the error is on the remote site.

Thanks for the evaluation! I will attempt to contact the site's
maintainers, but I guess I will not hold my breath.

-Jake



Re: SSL Error connecting to cia.gov

2007-10-23 Thread Marek Marcola
Hello,
> We use curl to retrieve webpages, and recently started receiving an
> intermittent (40-60% of the time) error when retrieving a page from the
> CIA. About two weeks ago, they switched to running https only, with the
> http URLs being forwarded to the https equivalents.
> 
> The error we receive is:
> 
> $ curl 'https://www.cia.gov/about-cia/faqs/'
> curl: (35) Unknown SSL protocol error in connection to www.cia.gov:443
> 
> Using the --trace option, I see this:
> 
> == Info: About to connect() to www.cia.gov port 443 (#0)
> == Info:   Trying 198.81.129.100... == Info: connected
> == Info: Connected to www.cia.gov (198.81.129.100) port 443 (#0)
> == Info: successfully set certificate verify locations:
> == Info:   CAfile: /etc/ssl/certs/ca-certificates.crt
>   CApath: none
> == Info: SSLv2, Client hello (1):
> => Send SSL data, 124 bytes (0x7c)
> : 01 03 01 00 63 00 00 00 10 00 00 39 00 00 38 00 c..9..8.
> 0010: 00 35 00 00 88 00 00 87 00 00 84 00 00 16 00 00 .5..
> 0020: 13 00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f .3..2../
> 0030: 00 00 45 00 00 44 00 00 41 00 00 07 05 00 80 03 ..E..D..A...
> 0040: 00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 
> 0050: 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 [EMAIL PROTECTED]
> 0060: 00 00 06 04 00 80 00 00 03 02 00 80 c9 f7 89 ff 
> 0070: 74 f1 92 59 c8 a0 f1 ba ab c0 dd 89 t..Y
> == Info: Unknown SSL protocol error in connection to www.cia.gov:443
> == Info: Closing connection #0
I think that this is a CIA webserver problem.
You may test this with:
 $ openssl s_client -connect www.cia.gov:443 -state -debug -msg [[-ssl3] [-tls1]]
and with any combination, after some successful connections you will get failed
connections.
For example:
 $ openssl s_client -connect www.cia.gov:443 -state -debug -msg
CONNECTED(0003)
SSL_connect:before/connect initialization
write to 0x9b5bdb0 [0x9b5bdf8] (142 bytes => 142 (0x8E))
 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ..c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`...
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 e1 99   
0070 - 17 7c d8 8d 06 53 4e a1-cf 05 40 af 27 57 da e1   .|[EMAIL PROTECTED]'W..
0080 - 51 26 ea f1 50 f9 f6 ba-47 7d 70 74 00 35 Q&..P...G}pt.5
>>> SSL 2.0 [length 008c], CLIENT-HELLO
01 03 01 00 63 00 00 00 20 00 00 39 00 00 38 00
00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
33 00 00 32 00 00 2f 03 00 80 00 00 66 00 00 05
00 00 04 01 00 80 08 00 80 00 00 63 00 00 62 00
00 61 00 00 15 00 00 12 00 00 09 06 00 40 00 00
65 00 00 64 00 00 60 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 e1 99 17 7c
d8 8d 06 53 4e a1 cf 05 40 af 27 57 da e1 51 26
ea f1 50 f9 f6 ba 47 7d 70 74 00 35
SSL_connect:SSLv2/v3 write client hello A
read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))
4176:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake 
failure:s23_lib.c:188:

As you see, after sending the client_hello the remote server just quits the
connection; there is no alert information (for example about unsupported
ciphers or something), the connection is simply dropped:
  -> read from 0x9b5bdb0 [0x9b61358] (7 bytes => 0 (0x0))

I think that the error is on the remote site.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



Re: SSL ERROR on verifying Certificate

2007-07-04 Thread Marek Marcola
Hello,
> I am trying to verify a certificate with the following command line on a 
> windows 32 bit platform:
> 
> C:\OpenSSL\bin> openssl verify -CAfile d:\cert.pem d:\cert2.pem
> 
> It replies:
> 
> d:\cert2.pem: /C=FR/ST=Cote d Or/L=Saint Apollinaire/O=societe des AUTOROUTES 
> PARIS RHIN RHONE/OU=DTR/DRTM/RT/OU=Provided by TBS INTERNET 
> http://www.tbs-certificats.com//CN=preprod-gc.parisrhinrhone.fr error 20 at 0 
> depth lookup:unable to get local issuer certificate
> 
> What's wrong?
Probably you do not have the full certificate chain in cert.pem.

Look at the issuer field in cert2.pem and check that the subject from cert.pem
matches (for the top-level CA (root CA), subject == issuer).
If not, you must get all certs from the chain up to the root CA and put
these certs in cert.pem.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



Re: SSL error (138): cipher or hash unavailable

2007-04-17 Thread Johans Taboada

2007/4/10, Johans Taboada <[EMAIL PROTECTED]>:

Hi list, I ask for help please.

Still waiting...

DatabaseError: SSL error: cipher or hash unavailable\n
...
OperationalError: SSL error: cipher or hash unavailable\n
...
What does it really mean '''cipher or hash unavailable'''? (SSL Error
#138, SSL_R_CIPHER_OR_HASH_UNAVAILABLE).
...
For more detailed info, visit:
http://groups.google.com/group/trac-users/browse_thread/thread/901ef327b448b496?hl=en

Thanks,

Am I writing to the wrong mailing list? If yes, please tell me. Thanks.


Johans Marvin Taboada Villca-`^_^´-

Adm. Laboratorio de Desarrollo de Software
Carreras de Informática y Sistemas
UMSS, Cochabamba
Bolivia



Re: SSL Error

2006-08-10 Thread Dr. Stephen Henson
On Wed, Aug 09, 2006, Carlo Agopian wrote:

> Hello,
> 
> Has anybody seen the following runtime error message before?
> 
>   error::lib(0):func(0):reason(0)
> 

Yes. It normally means "no error has been placed on the queue and the
application wrongly thinks it has and can print it out." However I realise
that won't help you much :-)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: SSL Error

2006-08-10 Thread Andrew Dennison
You can't reuse a socket for a TCP connection, but you certainly can reuse the same TCP socket for an arbitrary number of SSL connections as long as you don't compromise the TCP connection while you're doing it.  I suspect that is the intention here and from the sounds of things (if all he is getting is a 'no error' error), it is doing just that.

 
On 8/10/06, Usman Riaz <[EMAIL PROTECTED]> wrote:



sorry if I misunderstood you, but AFAIK, pure sockets API doesn't allow socket reuse as such. You have to have a new socket for every TCP connection, you can't "reuse" a socket.


From: "Carlo Agopian" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: <openssl-users@openssl.org>
CC: "Carlo Agopian" <[EMAIL PROTECTED]>
Subject: SSL Error
Date: Wed, 9 Aug 2006 08:35:13 -0700

Hello, 
Has anybody seen the following runtime error message before? 
    error::lib(0):func(0):reason(0) 
It seems to be coming from the following openssl function: ERR_error_string(m_sslError, 0).  This error occurs in a C++ client application that sends SSL encrypted messages over TCP-IP.  The application is developed and executed in 
AIX5.2 O/S and uses 0.9.7d version of SSL.  The error occurs when I try to reuse a socket that I had previously opened.  After this error message I am able to open a fresh socket and successfully send a message.  The interesting thing is that this only happens on a certain server, and of course it is not the development server.  When I disable SSL encryption, the error does not occur.  I'm not readily able to do any debugging on this server so, before I go digging into all the difference between the 2 servers, I was wondering if anybody has seen this error message and can provide some clues.

Thank you,  
Carlo Agopian   
[EMAIL PROTECTED] 







RE: SSL Error

2006-08-10 Thread Usman Riaz
sorry if I misunderstood you, but AFAIK, pure sockets API doesn't allow socket reuse as such. You have to have a new socket for every TCP connection, you can't "reuse" a socket.


From: "Carlo Agopian" <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: 
CC: "Carlo Agopian" <[EMAIL PROTECTED]>
Subject: SSL Error
Date: Wed, 9 Aug 2006 08:35:13 -0700

Hello, 
Has anybody seen the following runtime error message before? 
    error::lib(0):func(0):reason(0) 
It seems to be coming from the following openssl function: ERR_error_string(m_sslError, 0).  This error occurs in a C++ client application that sends SSL encrypted messages over TCP-IP.  The application is developed and executed in AIX5.2 O/S and uses 0.9.7d version of SSL.  The error occurs when I try to reuse a socket that I had previously opened.  After this error message I am able to open a fresh socket and successfully send a message.  The interesting thing is that this only happens on a certain server, and of course it is not the development server.  When I disable SSL encryption, the error does not occur.  I'm not readily able to do any debugging on this server so, before I go digging into all the difference between the 2 servers, I was wondering if anybody has seen this error message and can provide some clues.
Thank you,  
Carlo Agopian   [EMAIL PROTECTED]


Re: SSL Error

2006-08-10 Thread Andrew Dennison
This error is indicative that there is no error.  You have simply read the error buffer one more time than you should have.  There is absolutely nothing wrong with your application state if you see this reported.  In my experience it won't cause any application problems if you check the error queue while it's empty (likely, this was expected by the developers).  

 
I expect that you're entering the loop to get all errors from the error queue BEFORE you check ERR_get_error() for the first time.  When you finally check it, the response is almost certainly 0 (no error), and this is the textual valuation of 'no error' from ERR_error_string().  Check the value before you loop and this message will go away.

 
Andrew. 
On 8/9/06, Carlo Agopian <[EMAIL PROTECTED]> wrote:



Hello, 
Has anybody seen the following runtime error message before? 
    error::lib(0):func(0):reason(0) 
It seems to be coming from the following openssl function: ERR_error_string(m_sslError, 0).  This error occurs in a C++ client application that sends SSL encrypted messages over TCP-IP.  The application is developed and executed in 
AIX5.2 O/S and uses 0.9.7d version of SSL.  The error occurs when I try to reuse a socket that I had previously opened.  After this error message I am able to open a fresh socket and successfully send a message.  The interesting thing is that this only happens on a certain server, and of course it is not the development server.  When I disable SSL encryption, the error does not occur.  I'm not readily able to do any debugging on this server so, before I go digging into all the difference between the 2 servers, I was wondering if anybody has seen this error message and can provide some clues.

Thank you,  
Carlo Agopian   
[EMAIL PROTECTED]  


Re: SSL error: no cipher list

2005-01-24 Thread Dr. Stephen Henson
On Mon, Jan 24, 2005, Yuriy Synov wrote:

> In fact I'm not using OpenSSL library directly. I use an open source library
> Indy which in turn makes use of OpenSSL. I discovered that POP3 servers that
> use DES-CBC3-SHA work correctly with my program, and the server that fails
> uses RC4-SHA. I got what you had said about Diffie-Hellman parameters, but
> it means that I will need to modify Indy (the lib I'm using) which is not a
> very simple task. I will report to this list if I get any positive results.
> 

DH parameters are set on the server so this will make no difference.

You can try using OpenSSL s_server as a test and connecting to it using your
program. The -cipher option can be used to restrict the ciphers available to
see if that's the problem.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: SSL error: no cipher list

2005-01-24 Thread Yuriy Synov
In fact I'm not using OpenSSL library directly. I use an open source library
Indy which in turn makes use of OpenSSL. I discovered that POP3 servers that
use DES-CBC3-SHA work correctly with my program, and the server that fails
uses RC4-SHA. I got what you had said about Diffie-Hellman parameters, but
it means that I will need to modify Indy (the lib I'm using) which is not a
very simple task. I will report to this list if I get any positive results.

- Original Message -
From: "mclellan, dave" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, January 23, 2005 3:12 PM
Subject: RE: SSL error: no cipher list


> On my first SSL implementation, I struggled with this specific error.  The
> Diffie-Hellman parameters for key exchange must be initialized, and if I
> remember correctly they weren't in my case.
>
> You must set up a callback to your code where it initializes DH parms. Call
> SSL_CTX_set_tmp_dh_callback to establish your callback.  In order to see
> what to do inside it, visit www.openssl.org/docs/ssl/ssl.html.  There's
> an example here:
>
> http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#
>
> I hope this doesn't steer you off the course.
>
> Dave McLellan - Consulting Software Engineer
> EMC Corporation
> 228 South St.
> Hopkinton MA 01748
> phone: 508-249-1257
> fax 508-497-8030
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Henry Su
> Sent: Friday, January 21, 2005 3:11 PM
> To: openssl-users@openssl.org
> Subject: RE: SSL error: no cipher list
>
> Not sure if you have set it or not. If not, you can try the following example:
>
> #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
>
> SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Yuriy Synov
> Sent: Friday, January 21, 2005 6:15 AM
> To: openssl
> Subject: SSL error: no cipher list
>
>
> Dear All,
>
> I get this error with one POP3 server when I call function SSL_connect:
>
> error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list
>
> Could someone tell me what it means and how I can get rid of it? TIA
>
> Best regards,
>
> Yuriy Synov.
>


Re: SSL error: no cipher list

2005-01-24 Thread Dr. Stephen Henson
On Mon, Jan 24, 2005, Yuriy Synov wrote:

> > See if you can connect to the server using the s_client test program. For
> > example:
> >
> > openssl s_client -connect hostname:995
> >
> > (use whatever port it uses for POP3+SSL, 995 is standard).
> 
> Output from 'openssl s_client' follows:
> 
> [EMAIL PROTECTED] /]# openssl s_client -connect
> ipostoffice.worldnet.att.net:995
> CONNECTED(0005)
> depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
> Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> No client certificate CA names sent
> ---
> +OK <[EMAIL PROTECTED]> (mtiwpxc03) Maillennium POP3/PROXY
> server
>  #2
> 
> and after that I can enter POP3 commands.
> 

That shows that the server is OK and OpenSSL can communicate with it properly.
There must be a bug in your program somewhere.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: SSL error: no cipher list

2005-01-24 Thread Yuriy Synov
> See if you can connect to the server using the s_client test program. For
> example:
>
> openssl s_client -connect hostname:995
>
> (use whatever port it uses for POP3+SSL, 995 is standard).

Output from 'openssl s_client' follows:

[EMAIL PROTECTED] /]# openssl s_client -connect
ipostoffice.worldnet.att.net:995
CONNECTED(0005)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=New
Jersey/L=Middletown/O=AT&T/OU=WorldNet/CN=ipostoffice.worldnet
.att.net
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
 1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
---
Server certificate
-BEGIN CERTIFICATE-
MIIDxzCCAzSgAwIBAgIQePDFqFMk1AlFDRG1iBFXWzANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4x
LjAsBgNVBAsTJVNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDQwNTA2MDAwMDAwWhcNMDUwNTA2MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCk5ldyBKZXJzZXkxEzARBgNVBAcUCk1pZGRsZXRvd24xDTALBgNV
BAoUBEFUJlQxETAPBgNVBAsUCFdvcmxkTmV0MSUwIwYDVQQDFBxpcG9zdG9mZmlj
ZS53b3JsZG5ldC5hdHQubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl
bCW+xGGUN+ZIzU8yv7GTDdOs65VWmA41ud0ds4wIbWgL3sJb6fhFc5gdG6BvpwTb
nYRAxTY8bGwdK2Lg4SIINtvztSEAknArhkEcRokLQDGU19AEyu3sFVh9ZXmXQho0
yz9E2kyhaHqGGIXxuD5WcW4gOPuNThfT757NR4Le/wIDAQABo4IBZDCCAWAwCQYD
VR0TBAIwADALBgNVHQ8EBAMCBaAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2Ny
bC52ZXJpc2lnbi5jb20vUlNBU2VjdXJlU2VydmVyLmNybDBEBgNVHSAEPTA7MDkG
C2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWdu
LmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDQGCCsGAQUF
BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMG0G
CCsGAQUFBwEMBGEwX6FdoFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoE
FI/l0xqGrI2Oa8PPgGrUSBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNv
bS92c2xvZ28uZ2lmMA0GCSqGSIb3DQEBBQUAA34AIUYu0VU0LawRz2Q1n2YMtdoK
m9tv5M9ITwUwol4H8WcyF8R5nGk6bxUNtRciNVhIjRiwD0n+A/OAV1d3jDCrX+LH
MjgKRrELnFLc48WRrSTaK7PT50yvbWF+BaimQc0IOBhHfuk4d4wVF5UStyeZ6n6s
bNIq4dp8oSfR9ME=
-END CERTIFICATE-
subject=/C=US/ST=New
Jersey/L=Middletown/O=AT&T/OU=WorldNet/CN=ipostoffice.world
net.att.net
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
Authority
---
No client certificate CA names sent
---
SSL handshake has read 1692 bytes and written 310 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: RC4-SHA
Session-ID:
227FD6BC3D6953F53EFB198EEC8B2280349FF1BB5D41CDC9E8260CEF3C5C8177
Session-ID-ctx:
Master-Key:
917594C0A1347D67F83D554B1A35A77A39166F7152B71BD306BBF84C483C5D84
2FE561021BD6B782E032552F40A54392
Key-Arg   : None
Start Time: 1106569919
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
+OK <[EMAIL PROTECTED]> (mtiwpxc03) Maillennium POP3/PROXY
server
 #2

and after that I can enter POP3 commands.

- Original Message -
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: 
Sent: Saturday, January 22, 2005 2:19 PM
Subject: Re: SSL error: no cipher list


> On Sat, Jan 22, 2005, Yuriy Synov wrote:
>
> > > Not sure if you have set it or not. If not, you can try the following example:
> > >
> > > #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
> > >
> > > SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;
> >
> > I tried to set that cipher list, and now I get the following error:
> >
> > error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available
> >
> > I also tried "ALL" and some other cipher lists, and I always get one of
> > these errors:
> >
> > 1) error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available
> > 2) error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list
> >
> > Microsoft Outlook Express 6.0 and Nokia 9500 smartphone messaging client do
> > work with the POP3 server that causes the trouble. Is it possible that the
> > server does not conform to SSL standards, and these programs ignore it, but
> > the OpenSSL library is more strict?
> >
>
> See if you can connect to the server using the s_client test program. For
> example:
>
> openssl s_client -connect hostname:995
>
> (use whatever port it uses for POP3+SSL, 995 is standard).
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

RE: SSL error: no cipher list

2005-01-23 Thread mclellan, dave
On my first SSL implementation, I struggled with this specific error.  The
Diffie-Hellman parameters for key exchange must be initialized, and if I
remember correctly they weren't in my case.  

You must set up a callback to your code where it initializes DH parms. Call
SSL_CTX_set_tmp_dh_callback to establish your callback.  In order to see
what to do inside it, visit www.openssl.org/docs/ssl/ssl.html.  There's
an example here: 

http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_dh_callback.html#

I hope this doesn't steer you off the course. 

Dave McLellan - Consulting Software Engineer
EMC Corporation
228 South St. 
Hopkinton MA 01748
phone: 508-249-1257
fax 508-497-8030



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henry Su
Sent: Friday, January 21, 2005 3:11 PM
To: openssl-users@openssl.org
Subject: RE: SSL error: no cipher list

Not sure if you have set it or not. If not, you can try the following example:

#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yuriy Synov
Sent: Friday, January 21, 2005 6:15 AM
To: openssl
Subject: SSL error: no cipher list


Dear All,

I get this error with one POP3 server when I call function SSL_connect:

error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list

Could someone tell me what it means and how I can get rid of it? TIA

Best regards,

Yuriy Synov.



Re: SSL error: no cipher list

2005-01-22 Thread Dr. Stephen Henson
On Sat, Jan 22, 2005, Yuriy Synov wrote:

> > No sure if you have set it or not. If not, you can try following example:
> >
> > #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
> >
> > SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;
> 
> I tried to set that cipher list, and now I get the following error:
> 
> error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available
> 
> I also tried "ALL" and some other cipher lists, and I always get one of
> these errors:
> 
> 1) error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available
> 2) error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list
> 
> Microsoft Outlook Express 6.0 and Nokia 9500 smartphone messaging client do
> work with the POP3 server that causes the trouble. Is it possible that the
> server does not conform to SSL standards, and these programs ignore it, but
> the OpenSSL library is more strict?
> 

See if you can connect to the server using the s_client test program. For
example:

openssl s_client -connect hostname:995

(use whatever port it uses for POP3+SSL, 995 is standard).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: SSL error: no cipher list

2005-01-22 Thread Yuriy Synov
> Not sure if you have set it or not. If not, you can try the following example:
>
> #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
>
> SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;

I tried to set that cipher list, and now I get the following error:

error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available

I also tried "ALL" and some other cipher lists, and I always get one of
these errors:

1) error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available
2) error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list

Microsoft Outlook Express 6.0 and Nokia 9500 smartphone messaging client do
work with the POP3 server that causes the trouble. Is it possible that the
server does not conform to SSL standards, and these programs ignore it, but
the OpenSSL library is more strict?

- Original Message -
From: "Henry Su" <[EMAIL PROTECTED]>
To: 
Sent: Friday, January 21, 2005 10:10 PM
Subject: RE: SSL error: no cipher list


> Not sure if you have set it or not. If not, you can try the following example:
>
> #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
>
> SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Yuriy Synov
> Sent: Friday, January 21, 2005 6:15 AM
> To: openssl
> Subject: SSL error: no cipher list
>
>
> Dear All,
>
> I get this error with one POP3 server when I call function SSL_connect:
>
> error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list
>
> Could someone tell me what it means and how I can get rid of it? TIA
>
> Best regards,
>
> Yuriy Synov.
>
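Two of the threads above come down to reading such a code: Steve's `error::lib(0):func(0):reason(0)` is what ERR_error_string() prints for the value 0 (nothing on the queue, as Andrew Dennison explains), and the `1406D0B8` / `140650B5` codes Yuriy reports pack a library, function and reason number into one 32-bit value. The script below is an added example for this page, not code from the thread or from OpenSSL. It applies the pre-3.0 packing (library in bits 31..24, function in bits 23..12, reason in bits 11..0; OpenSSL 3 changed that layout) to lines in ERR_error_string() format, including the pid-prefixed form that s_client prints, and the only reason names it knows are the ones this page pairs with a number. The sample lines are the page's own error strings.

```python
import re

# Packed error-code layout used by OpenSSL up to 1.1.x (ERR_PACK in err.h):
#   bits 31..24  library number   (ERR_GET_LIB)
#   bits 23..12  function number  (ERR_GET_FUNC)
#   bits 11..0   reason number    (ERR_GET_REASON)
# OpenSSL 3.x moved the library to bits 30..23, dropped the function field
# and widened the reason, so this decoder is for codes of the era above.
ERR_LIB_SSL = 20  # 0x14, printed as "SSL routines"

# Reason numbers paired with their text by this thread's own error lines
# (0x1406D0B8, 0x140650B5, 0x140790E5) and by Johans' "SSL Error #138".
KNOWN_SSL_REASONS = {
    0x0B8: "no cipher list",
    0x0B5: "no ciphers available",
    0x0E5: "ssl handshake failure",
    138: "cipher or hash unavailable",
}

# ERR_error_string() output: "error:<hex>:<lib>:<func>:<reason>[:<file>:<line>:]",
# possibly prefixed by a pid as in s_client output ("4176:error:...").
# An empty <hex> field is what code 0 prints: "error::lib(0):func(0):reason(0)".
_ERR_LINE = re.compile(r"error:([0-9A-Fa-f]*):([^:]*):([^:]*):(.*)$")


def unpack(code):
    """Split a packed pre-3.0 error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_err_line(line):
    """Parse one ERR_error_string()-style line into its numeric and text fields."""
    m = _ERR_LINE.search(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL error line: %r" % line)
    code = int(m.group(1), 16) if m.group(1) else 0
    lib, func, reason = unpack(code)
    # The trailing part may carry "file.c:line:" after the reason text.
    tail = m.group(4).split(":")
    return {
        "code": code,
        "lib": lib,
        "func": func,
        "reason": reason,
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": tail[0],
        "location": ":".join(p for p in tail[1:] if p),
        "no_error": code == 0,
    }


def explain(line):
    """One-line triage summary for an error line taken from a log."""
    e = parse_err_line(line)
    if e["no_error"]:
        # ERR_get_error() returned 0: the queue was empty when it was read.
        return "no error on the queue (the application printed an empty queue)"
    known = KNOWN_SSL_REASONS.get(e["reason"]) if e["lib"] == ERR_LIB_SSL else None
    note = "" if known is None else " [known SSL reason %d]" % e["reason"]
    where = "" if not e["location"] else " at " + e["location"]
    return "lib %d (%s), func 0x%03X (%s), reason %d: %s%s%s" % (
        e["lib"], e["lib_name"], e["func"], e["func_name"],
        e["reason"], e["reason_text"], note, where)


def consistent(line):
    """True when the numeric code agrees with the text printed beside it."""
    e = parse_err_line(line)
    if e["no_error"]:
        return e["reason_text"] == "reason(0)"
    if e["lib"] == ERR_LIB_SSL and e["lib_name"] != "SSL routines":
        return False
    known = KNOWN_SSL_REASONS.get(e["reason"])
    return known is None or known == e["reason_text"]


if __name__ == "__main__":
    # Error lines as they appear in this thread.
    for sample in (
        "error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list",
        "error:140650B5:SSL routines:CLIENT_HELLO:no ciphers available",
        "4176:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:",
        "error::lib(0):func(0):reason(0)",
    ):
        print(explain(sample), "| consistent:", consistent(sample))
```

The "no error" branch is the case Andrew describes: a loop that calls ERR_get_error() once too often gets 0 back, and formatting 0 yields exactly the lib(0)/func(0)/reason(0) string, so that line in a log points at the application's error-printing loop rather than at the TLS session.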


RE: SSL error: no cipher list

2005-01-21 Thread Henry Su
Not sure if you have set it or not. If not, you can try the following example:

#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) ;

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Yuriy Synov
Sent: Friday, January 21, 2005 6:15 AM
To: openssl
Subject: SSL error: no cipher list


Dear All,

I get this error with one POP3 server when I call function SSL_connect:

error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list

Could someone tell me what it means and how I can get rid of it? TIA

Best regards,

Yuriy Synov.

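Henry Su's cipher string, and the two errors Yuriy gets back after trying it, can be checked against the local OpenSSL build from Python's ssl module, which hands the string to SSL_CTX_set_cipher_list() underneath. The script below is an added example, not code from the thread: it reports which suites a cipher string selects, shows that a string matching nothing is rejected (the client-side condition behind `CLIENT_HELLO:no ciphers available`), checks whether the RC4-SHA and DES-CBC3-SHA suites Yuriy mentions are still compiled into the linked library, and compares the `!ADH` rule with `!aNULL`, which also covers anonymous ECDH. The `HARDENED_CIPHER_LIST` name and the prefix-based check for anonymous suites are this example's own.

```python
import ssl

# Henry Su's suggestion from the thread (it is also the classic example
# string from the SSL_CTX_set_cipher_list documentation of that era).
SUGGESTED_CIPHER_LIST = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

# Same intent with "!aNULL" instead of "!ADH": aNULL removes every
# unauthenticated suite (anonymous DH and anonymous ECDH), where ADH only
# names the DH ones. This name is the example's own, not from the thread.
HARDENED_CIPHER_LIST = "ALL:!aNULL:!LOW:!EXP:!MD5:@STRENGTH"

# Suite names Yuriy observed working (DES-CBC3-SHA) and failing (RC4-SHA).
THREAD_CIPHERS = ("DES-CBC3-SHA", "RC4-SHA")


def usable_ciphers(spec):
    """Cipher names the local OpenSSL selects for a cipher-list string.

    Returns [] when the string matches nothing: SSL_CTX_set_cipher_list()
    fails in that case and the ssl module raises SSLError("No cipher can be
    selected."). An empty client list is the condition behind
    "CLIENT_HELLO:no ciphers available".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which the classic
    # cipher-list string does not govern; leave them out so the result
    # reflects only what the string selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def selectable(name):
    """True if a single suite name can still be negotiated by this build."""
    return name in usable_ciphers(name)


def anonymous_leftovers(spec):
    """Unauthenticated suites a cipher string leaves enabled.

    Uses OpenSSL's name prefixes (ADH-, AECDH-) as a heuristic; a peer
    offering these cannot be authenticated, so a client list should have none.
    """
    return [n for n in usable_ciphers(spec) if n.startswith(("ADH-", "AECDH-"))]


def report(spec):
    """Summary of a cipher string against the local library."""
    names = usable_ciphers(spec)
    return {
        "spec": spec,
        "count": len(names),
        "first": names[:3],
        "md5": [n for n in names if "MD5" in n],
        "anonymous": anonymous_leftovers(spec),
    }


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for spec in (SUGGESTED_CIPHER_LIST, HARDENED_CIPHER_LIST, "ALL:!ALL"):
        print(report(spec))
    for name in THREAD_CIPHERS:
        print(name, "selectable:", selectable(name))
```

On current builds the RC4 suites are usually compiled out, so `selectable("RC4-SHA")` is commonly False; the function reports what the linked libssl actually offers rather than what the string asks for, which is the first thing to confirm when a client and a server cannot agree on a cipher.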


Re: SSL error status: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

2002-12-05 Thread Lutz Jaenicke
On Wed, Dec 04, 2002 at 01:56:12PM -0500, Will Day wrote:
> >I tried to verify my cert using:
> >error 20 at 0 depth lookup:unable to get local issuer certificate
> >
> >What does error 20 mean?  The cert works when using https, imaps, pop3s,
> >etc.

unable to get local issuer certificate means that the chain verification
failed. Use the -CAfile option to supply the corresponding root CA
certificate(s).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus