Re: SSL Communication using BIO

2011-05-25 Thread Michael Ströder

Eric S. Eberhard wrote:

or ... keep it simple and at least consider using stunnel.


I use stunnel myself in some situations. It's a great tool.

But bear in mind that the application then has no access to authentication 
information of the SSL layer.


Ciao, Michael.
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu
Hi,
   I am trying to implement a state machine based on the demo application,
which is server code.
   I am writing the client side.
   So when I try to do the handshake by calling SSL_connect, for which I have used
memory BIOs, after that I check for data available, then I read the data and
send it to the server, and on the server side I get this error:

180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:.\ssl\s23_srvr.c:584: shutting down SSL
   My question is: which is a good place to do the handshake when we use a state
machine? I am doing it just after initializing ctx and ssl, then I send
data once and perform the rest of the operations in my receive callback, but
s_server gives me an error on the first packet only.

Thanks.

// Harshvir




Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar
So finally you have agreed to my initial suggestion of state machines :)

The basic steps in terms of an algorithm are as follows

A. Create the SSL ctx and SSL obj
B. Create a pair of memory BIOs and attach them to the SSL obj, one is
for read and the other is for write.
C. Create the TCP fds and complete the TCP handshake
D. Once TCP connect is done, you have an fd on which you receive and send data
E. Initialize your state machine for SSL connect pending
F. Take the buffer to be sent, copy it to the memory write BIO,
encrypt it using SSL connect, then do a TCP send
G. While still connect pending, do TCP read, copy to read BIO, call
SSL connect to decrypt.

Thanks
--Gayathri



Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu
Thanks Gayathri.
This is what I am doing, but I don't have any buffer to send initially; my
data transfer starts from the server side.
What I was doing is calling SSL_connect after initialization, and then in
the socket read and write code I was doing encrypt and decrypt accordingly,
but the very first moment I send data to s_server, it gives the error "unknown
protocol".
Thanks.

// Harshvir



Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu
Just to clarify my last message: I am using a state machine. I called
SSL_connect after creating the ctx and ssl objs and 2 mem BIOs and setting them on the ssl,
then read data from the BIO and sent that to the server, and that gave me the error.






Re: SSL Communication using BIO

2011-05-25 Thread Gayathri Sundar
Okay, you are writing the client, so you need to do connect. Now ssl_connect is
going to do the complete SSL handshake, which involves multiple reads and
writes; since you are using memory BIOs, ssl connect is going to read
from the r_membio and write into the w_membio. The data has to go out the
TCP fd you have created and connected with the server. So it's your duty to
take data out of the w_membio and do a tcp_send(). That is what I meant by
saying write. Application data transfer may be initiated by your server
once the ssl connect is through. There are APIs which tell if ssl connect is
completed, and ssl connect itself will return ssl_success; until then you will
be getting the want_read and want_write error codes, so your state machine
would be in the connect pending state until ssl connect returns success.
Please understand that SSL_connect itself will be called multiple times in
the async architecture.

BTW, if the protocol negotiation has failed, perhaps you need to see what the server
supports; maybe it understands only TLS and not SSLv3 etc.

thanks
--Gayathri






Re: SSL Communication using BIO

2011-05-25 Thread Harshvir Sidhu
I am using the SSL_is_init_finished API function to check if init is
finished.
But it's not even reaching that code.
The very first call I made to SSL_connect, and after that I read data from
w_BIO and then send that on TCP, and on getting that data the server gives
this error.
For debugging purposes I am using openssl s_server with -msg enabled
so that I can see what's going on. I am not using my server for this, and I
think that one supports SSLv3.
This is the error I get:

180:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:.\ssl\s23_srvr.c:584: shutting down SSL

// Harshvir








Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu
David,
   So are you suggesting that I change the approach in my code? My
application is for Windows and in Managed C++. In that I am using a callback
function for receive; when the callback function is called and I call
SSL_read in it, it hangs at the recv call in the OpenSSL code. My assumption
is that the data was already read from the socket when the callback was called. Another
thing I would like to mention is that I am using the Sockets managed class, not the
native sockets.

// Harshvir

On Sun, May 22, 2011 at 10:06 PM, David Schwartz dav...@webmaster.comwrote:

 On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:

 Previously I have used SSL_XXX functions for performing SSL
 operations. Now I am working on an application which is written in
 Managed C++ using callback functions (BeginReceive and EndReceive), and
 the SSL_read function is not working for that. So I tried using BIO_
 functions to create a BIO pair for internal and network BIO and then
 using them to encrypt/decrypt data before sending using a normal socket,
 but when I try to use that my handshake is not getting completed. I do
 not see any error on s_server, but it doesn't seem to work when I try to
 enter something on the server side; my callback doesn't get called.
 Can someone point me to some example code for this in which BIO is
 used to encrypt and decrypt data and then normal sockets are used for
 send/receive? I am not able to find anything in the openssl source examples or
 on google.


 You are thinking about the problem wrong. You are thinking "I need to send
 some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I need to
 get that encrypted data from OpenSSL and write it to the socket. Then, the
 other end will reply, so I need to read some encrypted data from the socket,
 give it to OpenSSL, and then OpenSSL will decrypt it and give it to me."
 This attempt to look through the OpenSSL engine will produce broken code
 and pain.

 Instead, treat the OpenSSL engine as a black box whose internals are wholly
 unknown to you. If you receive some data from the socket, give it to
 OpenSSL. If OpenSSL wants to send some data on the socket, send it. If you
 want to send some data to the other side, give it to OpenSSL. If OpenSSL has
 some plaintext for you, take it and process it. But make no assumptions
 about the sequence or interactions between these things.

 For example, a typical mistake is to wait for data to be received on the
 socket before calling SSL_Read. This is completely broken behavior. Data
 received on the socket is encrypted. Data received from SSL_Read is
 decrypted. These are two distinct streams that, as far as your application
 should be concerned, are totally unrelated. (Except when SSL_Read
 specifically returns a WANT_READ, of course, and then only until some other
 event invalidates the WANT_READ indication.)

 DS
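The two pieces of advice in this thread, Gayathri's state machine (create the ctx and SSL object, attach a read and a write memory BIO, stay in "connect pending" while SSL_connect keeps returning want_read/want_write, ship whatever lands in the write BIO over TCP, feed whatever arrives from TCP into the read BIO) and David's rule that the socket stream and the plaintext stream are unrelated, fit in one small example. The code below is an added example, not code from this thread or from the OpenSSL project: it uses Python's stdlib `ssl.MemoryBIO` and `SSLObject` (the equivalents of an OpenSSL `BIO_s_mem()` pair attached with `SSL_set_bio()`, with `do_handshake()` playing the role of `SSL_connect()`), the hostname `example.test` is a placeholder, and the non-TLS reply fed in at the end is constructed to reproduce the failure mode the thread is chasing, from the client's side.

```python
# Added example (not code from this thread or from the OpenSSL project):
# a client-side TLS state machine driven entirely through memory BIOs.
# ssl.MemoryBIO / SSLObject are the stdlib equivalents of an OpenSSL
# BIO_s_mem() pair attached with SSL_set_bio(); do_handshake() plays the
# role of SSL_connect(). The hostname "example.test" is a placeholder.
import ssl

TLS_HANDSHAKE = 0x16        # record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type inside the record
RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                0x16: "handshake", 0x17: "application_data"}


class TlsClientMachine:
    """Owns the SSL engine and its two memory BIOs; never touches a socket.

    The caller (a receive callback, a select loop, ...) moves bytes between
    the BIOs and the TCP socket. Nothing here assumes that one socket read
    corresponds to one plaintext read, or vice versa.
    """

    def __init__(self, hostname: str) -> None:
        self.incoming = ssl.MemoryBIO()   # read BIO: ciphertext from the socket
        self.outgoing = ssl.MemoryBIO()   # write BIO: ciphertext for the socket
        ctx = ssl.create_default_context()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_side=False, server_hostname=hostname)
        self.handshake_done = False

    def _pump(self) -> bytes:
        """Run the engine one step and hand back whatever it queued for the wire."""
        try:
            if not self.handshake_done:
                self.tls.do_handshake()      # SSL_connect(): may need many calls
                self.handshake_done = True   # SSL_is_init_finished() is now true
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            pass                             # still connect-pending; not an error
        return self.outgoing.read()          # b"" is a perfectly normal result

    def start(self) -> bytes:
        """First SSL_connect() call: yields the ClientHello to send over TCP."""
        return self._pump()

    def on_socket_data(self, data: bytes) -> bytes:
        """Receive callback: feed ciphertext in, return ciphertext to send out.
        A fatal ssl.SSLError (e.g. the peer is not speaking TLS) propagates."""
        self.incoming.write(data)
        return self._pump()

    def read_plaintext(self, max_len: int = 16384) -> bytes:
        """Application-data read; b"" means no complete record is decryptable yet."""
        if not self.handshake_done:
            return b""
        try:
            return self.tls.read(max_len)
        except ssl.SSLWantReadError:
            return b""

    def write_plaintext(self, data: bytes) -> bytes:
        """Application-data write; returns the ciphertext that must go on the wire."""
        if not self.handshake_done:
            raise RuntimeError("handshake still pending; keep pumping the BIOs")
        self.tls.write(data)
        return self.outgoing.read()


def parse_record_header(wire: bytes) -> dict:
    """Decode the 5-byte TLS record header that every chunk taken from the
    write BIO starts with. A sanity check before send(): if the first bytes
    are not a handshake record, the server's "unknown protocol" complaint is
    already explained on the client side."""
    if len(wire) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, length = wire[0], int.from_bytes(wire[3:5], "big")
    return {
        "type": RECORD_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
        "version": (wire[1], wire[2]),
        "length": length,
        "complete": len(wire) >= 5 + length,
        "handshake_msg": wire[5] if ctype == TLS_HANDSHAKE and len(wire) > 5 else None,
    }


def rejects_non_tls_peer(hostname: str = "example.test") -> bool:
    """Feed the engine a constructed non-TLS reply and report whether it is
    rejected with a fatal SSLError rather than passed through as data."""
    machine = TlsClientMachine(hostname)
    machine.start()
    try:
        machine.on_socket_data(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # constructed
    except ssl.SSLError:
        return True
    return False


if __name__ == "__main__":
    m = TlsClientMachine("example.test")
    hello = m.start()
    print("handshake done:", m.handshake_done)          # False: connect pending
    print("first record:", parse_record_header(hello))  # handshake / ClientHello
    print("second call without input:", m.start())       # b"": nothing new
    print("non-TLS peer rejected:", rejects_non_tls_peer())
```

The receive callback in the thread would simply call `on_socket_data()` with whatever the socket delivered, `send()` the returned bytes, and then try `read_plaintext()`; whether that last call yields anything is decided by the engine, not by the fact that a socket read just happened.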




Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu
Anyone, any comments on this? Is openssl an appropriate choice for my case?

// Harshvir






Re: SSL Communication using BIO

2011-05-23 Thread John R Pierce


If you are working in Windows managed space, why not use the Windows
native SSL functionality? I believe that's provided by SSPI and its
Schannel support.
http://msdn.microsoft.com/en-us/library/aa380493(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/aa380123(v=VS.85).aspx


--
john r pierce                            N 37, W 123
santa cruz ca                         mid-left coast



Re: SSL Communication using BIO

2011-05-23 Thread Harshvir Sidhu
I have discussed that with my team; we only have to use OpenSSL. SSPI has
been ruled out for our work.

// Harshvir




Re: SSL Communication using BIO

2011-05-23 Thread Wim Lewis

On 23 May 2011, at 1:29 PM, Harshvir Sidhu wrote:
 Anyone any comments on this. Is openssl appropriate choice for my case?

As I understand it you want OpenSSL to handle the protocol and encryption, but 
you don't want OpenSSL to do any network I/O itself: you want to do that (via 
the C# sockets class).

An example of using OpenSSL in this way is in 
demos/state_machine/state_machine.c in the OpenSSL distribution. As David 
Schwartz says, the important thing is not to assume that reads and writes of 
your data correspond directly to reads and writes on the socket. SSL may need 
to perform multiple reads and writes before you see any data (for example, 
during a handshake or renegotiation).

state_machine.c uses memory BIOs to buffer data going in and out of SSL. I 
think a better way to do it in current versions of OpenSSL is to make your own, 
nonblocking BIO which calls into your C# code as needed. But I could be wrong.




Re: SSL Communication using BIO

2011-05-23 Thread Eric S. Eberhard
You might also consider using stunnel, which works perfectly and is
easy to use in many cases, and unless your volume is silly-high it has
plenty of performance to run in inetd mode, which is very
reliable.  stunnel is based on openssl.  It also makes your app
independent of SSL changes, which I like.  Eric





Eric S. Eberhard
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC


Re: SSL Communication using BIO

2011-05-23 Thread Neo Liu
I think you can read this article and it will help.
http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html








Re: SSL Communication using BIO

2011-05-23 Thread Gayathri Sundar
Actually, I would seriously recommend you read the OpenSSL book written by
Eric Rescorla; it discusses all the use cases of openssl, BIO, async/sync
usages, so that you get an idea of how OpenSSL itself works.



Re: SSL Communication using BIO

2011-05-23 Thread Eric S. Eberhard
or ... keep it simple and at least consider using stunnel.  I have a 
LOT of applications using openssl, 3/4 I just use stunnel and forget 
about it.  For a few when I need to do crazy things, I code and link 
in to my application.  But you can save a lot of trouble with 
stunnel, at least as a first step (proof of concept).  BTW, I also 
use the Windows version which you can download with an installer and 
it works great as well. E



At 04:12 PM 5/23/2011, Gayathri Sundar wrote:
Actually, I would seriously recommend you read the OpenSSL book 
written by Eric Rescorla; it discusses all the use cases of OpenSSL, 
BIO, async/sync usages, so that you get an idea of how OpenSSL itself works.


On Mon, May 23, 2011 at 6:02 PM, Neo Liu diablo...@gmail.com wrote:

I think you can read this article and it will be helpful.
http://www.lenholgate.com/blog/2002/11/using-openssl-with-asynchronous-sockets.html

On Mon, May 23, 2011 at 4:59 PM, Harshvir Sidhu hvssi...@gmail.com wrote:

David,
   So are you suggesting that I change the approach in my code? My 
application is for Windows and in Managed C++. In that I am using a 
callback function for receive; when the callback function is 
called, and when I call SSL_read in that, it hangs at the recv call in 
the OpenSSL code. My assumption is that data was already read from the 
socket when the callback was called. Another thing I would like to 
mention is I am using the Sockets managed class, not the native sockets.




Re: SSL Communication using BIO

2011-05-23 Thread David Schwartz

On 5/23/2011 1:59 AM, Harshvir Sidhu wrote:

David,
So are you suggesting that I change the approach in my code?


Hard for me to give you a useful answer without seeing your code. If 
your code tries to treat OpenSSL as a filter, expecting input and output 
to correlate, then yes. If your code handled OpenSSL as a black box with 
four separate I/O paths (encrypted data in, encrypted data out, plaintext 
in, plaintext out) without assuming any relationship between them, then 
it's fine.


My application is for Windows and in Managed C++. In that I am using a
callback function for receive; when the callback function is called, and
when I call SSL_read in that, it hangs at the recv call in the OpenSSL code.
My assumption is that data was already read from the socket when the callback
was called. Another thing I would like to mention is I am using the Sockets
managed class, not the native sockets.


When your callback function is called, that means encrypted data is 
available on the socket. The SSL_Read function is for reading 
unencrypted data from the SSL engine. It is only appropriate to call 
SSL_Read in response to a data available callback on the socket in one 
case -- if your last SSL operation was an SSL_Read and it returned a 
WANT_READ indication. In any other case, this is broken behavior 
reflecting erroneously trying to look through the SSL engine.


Your code must treat the SSL engine as a black box. Yes, we happen to 
know that *IN* *GENERAL* we're reading encrypted data from the socket, 
decrypting it, and then passing the plaintext to the application, your 
code should treat this as an OpenSSL internal detail and should not 
pretend it knows that this will happen.


DS



SSL Communication using BIO

2011-05-22 Thread Harshvir Sidhu
Hi,
   Previously I have used SSL_XXX functions for performing SSL operations.
Now I am working on an application which is written in Managed C++
using callback functions (BeginReceive and EndReceive), and the SSL_Read function
is not working for that. So I tried using BIO_ functions to create a BIO
pair for internal and network BIO and then using them to encrypt/decrypt
data before sending using a normal socket, but when I try to use that my
handshake is not getting completed; I do not see any error on s_server, but
it doesn't seem to work when I try to enter something on the server side; my
callback doesn't get called.
   Can someone point me to some example code for this in which BIO is used
to encrypt and decrypt data and then using normal sockets for send/receive?
I am not able to find anything in the OpenSSL source examples or on Google.

   Thanks.

// Harshvir


Re: SSL Communication using BIO

2011-05-22 Thread G S
On Sun, May 22, 2011 at 5:10 PM, Harshvir Sidhu hvssi...@gmail.com wrote:

Can someone point me to some example code for this in which BIO is used
 to encrypt and decrypt data and then using normal sockets for send/receive?
 I am not able to find anything in the OpenSSL source examples or on Google.


Here's some:

http://www.opensc.ws/tutorials-articles/12761-rsa-encryption-using-openssl-c-c.html


Re: SSL Communication using BIO

2011-05-22 Thread Harshvir Sidhu
Thanks GS.
But I am more interested in the sample code in which a BIO pair is used for
socket communication along with certificate exchange.
In the current code, I am creating the CTX as usual, then using BIO to do
connect and handshake, but that is not working.

// Harshvir

On Sun, May 22, 2011 at 7:21 PM, G S stokest...@gmail.com wrote:

 On Sun, May 22, 2011 at 5:10 PM, Harshvir Sidhu hvssi...@gmail.com wrote:

Can someone point me to some example code for this in which BIO is used
 to encrypt and decrypt data and then using normal sockets for send/receive?
 I am not able to find anything in the OpenSSL source examples or on Google.


 Here's some:


 http://www.opensc.ws/tutorials-articles/12761-rsa-encryption-using-openssl-c-c.html



Re: SSL Communication using BIO

2011-05-22 Thread G S
Ah, yes, I realized later that there wasn't any communication info in
there.  I only use it for encryption.

Good luck!


Re: SSL Communication using BIO

2011-05-22 Thread Neo Liu
A BIO pair is a non-blocking BIO, so you need to call SSL_accept() or
SSL_do_handshake() several times.
The example code looks as follows:

BIO_write(ebio, ...)
SSL_accept(ssl)
BIO_read(ebio, ...)

You can use BIO_pending() and BIO_wpending() to watch the buffer status of
the BIO pairs.

On Mon, May 23, 2011 at 9:18 AM, G S stokest...@gmail.com wrote:

 Ah, yes, I realized later that there wasn't any communication info in
 there.  I only use it for encryption.

 Good luck!



Re: SSL Communication using BIO

2011-05-22 Thread David Schwartz

On 5/22/2011 5:10 PM, Harshvir Sidhu wrote:


Previously I have used SSL_XXX functions for performing SSL
operations. Now I am working on an application which is written in
Managed C++ using callback functions (BeginReceive and EndReceive), and
the SSL_Read function is not working for that. So I tried using BIO_
functions to create a BIO pair for internal and network BIO and then
using them to encrypt/decrypt data before sending using a normal socket,
but when I try to use that my handshake is not getting completed; I do
not see any error on s_server, but it doesn't seem to work when I try to
enter something on the server side; my callback doesn't get called.
Can someone point me to some example code for this in which BIO is
used to encrypt and decrypt data and then using normal sockets for
send/receive? I am not able to find anything in the OpenSSL source examples or
on Google.


You are thinking about the problem wrong. You are thinking "I need to 
send some data. So I send it to OpenSSL. OpenSSL encrypts it, so then I 
need to get that encrypted data from OpenSSL and write it to the socket. 
Then, the other end will reply, so I need to read some encrypted data 
from the socket, give it to OpenSSL, and then OpenSSL will decrypt it 
and give it to me." This attempt to "look through" the OpenSSL engine 
will produce broken code and pain.


Instead, treat the OpenSSL engine as a black box whose internals are 
wholly unknown to you. If you receive some data from the socket, give it 
to OpenSSL. If OpenSSL wants to send some data on the socket, send it. 
If you want to send some data to the other side, give it to OpenSSL. If 
OpenSSL has some plaintext for you, take it and process it. But make no 
assumptions about the sequence or interactions between these things.


For example, a typical mistake is to wait for data to be received on the 
socket before calling SSL_Read. This is completely broken behavior. Data 
received on the socket is encrypted. Data received from SSL_Read is 
decrypted. These are two distinct streams that, as far as your 
application should be concerned, are totally unrelated. (Except when 
SSL_Read specifically returns a WANT_READ, of course, and then only 
until some other event invalidates the WANT_READ indication.)


DS

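The black-box driver loop David describes (and the repeated SSL_accept/SSL_do_handshake calls Neo Liu mentions), as an added example that is not code from this thread: it is written in Python because ssl.MemoryBIO and SSLContext.wrap_bio wrap the same OpenSSL memory BIO pair, and it assumes the openssl CLI is on PATH to mint a throwaway self-signed certificate. The Endpoint, pump and run_session names are my own; the premature read shows that ciphertext arriving on the "socket" does not mean SSL_read has application data.

```python
import os, ssl, subprocess, tempfile
def make_self_signed_cert(tmpdir):
    # Constructed throwaway key/cert for the offline demo; assumes the openssl CLI is on PATH.
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

class Endpoint:
    """One TLS engine plus its BIO pair: ciphertext in via `inbound`, out via `outbound`."""
    def __init__(self, ctx, server_side, hostname=None):
        self.inbound, self.outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.inbound, self.outbound,
                                server_side=server_side, server_hostname=hostname)
        self.done = False
    def step_handshake(self):   # SSL_do_handshake: repeat until it stops wanting more input
        try:
            self.tls.do_handshake(); self.done = True
        except ssl.SSLWantReadError:
            pass                # engine queued what it could in outbound; feed it more later
        return self.done
    def read_plaintext(self):   # SSL_read: WANT_READ = "no app data yet", even if bytes arrived
        try:
            return self.tls.read(4096)
        except ssl.SSLWantReadError:
            return b""

def pump(a, b):
    """The socket layer: move each engine's queued ciphertext to its peer, meaning unknown."""
    for src, dst in ((a, b), (b, a)):
        data = src.outbound.read()   # BIO_read on the network side of src's pair
        if data:
            dst.inbound.write(data)  # BIO_write into the network side of dst's pair

def run_session(message):
    """Handshake, then one round trip; returns (rounds, premature read, server saw, client got)."""
    with tempfile.TemporaryDirectory() as tmp:
        key, crt = make_self_signed_cert(tmp)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER); sctx.load_cert_chain(crt, key)
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT); cctx.load_verify_locations(crt)
        client, server = Endpoint(cctx, False, "localhost"), Endpoint(sctx, True)
        client.step_handshake(); pump(client, server)  # ClientHello now sits in server.inbound
        premature, rounds = server.read_plaintext(), 1  # bytes arrived, yet no app data: b""
        while not (client.done and server.done):  # the handshake needs several calls each way
            server.step_handshake(); client.step_handshake(); pump(client, server); rounds += 1
        client.tls.write(message); pump(client, server)
        seen = server.read_plaintext(); server.tls.write(seen.upper()); pump(server, client)
        return rounds, premature, seen, client.read_plaintext()
```

Calling `run_session(b"hello via a memory BIO pair")` completes the handshake in several rounds, returns `b""` for the premature read, and echoes the message back upper-cased.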


Re: SSL Communication using BIO

2011-05-22 Thread Gayathri Sundar
As Neo Liu has pointed out, if you try to use a memory BIO pair for
communication, then it's your responsibility to read and write every byte
out the fd using tcp_send and recv() calls, as OpenSSL would only read and
write into the BIO. This approach is very, very tedious and I'm not sure if that's
the only way to solve your problem.

thanks
--Gayathri
On Sun, May 22, 2011 at 9:01 PM, Neo Liu diablo...@gmail.com wrote:

 A BIO pair is a non-blocking BIO, so you need to call SSL_accept() or
 SSL_do_handshake() several times.
 The example code looks as follows:

 BIO_write(ebio, ...)
 SSL_accept(ssl)
 BIO_read(ebio, ...)

 You can use BIO_pending() and BIO_wpending() to watch the buffer status of
 the BIO pairs.


 On Mon, May 23, 2011 at 9:18 AM, G S stokest...@gmail.com wrote:

 Ah, yes, I realized later that there wasn't any communication info in
 there.  I only use it for encryption.

 Good luck!