> While observing some packet dump, I noticed that while sending
> the same application data over twice, different packet dumps
> were obtained in both cases.
Good.
> This was done in the same SSL session, so the connection keys
> being used are all the same. Is this expected behavior or am I
>
> Hi,
> I've this command:
> /usr/bin/xmlsec1 sign --privkey-pem DSAPrivateKey.pem
> --pubkey-der DSAPublicKey.key --output out.xml.out in.xml
> I'm not allowed to use xmlsec on my server, and i need to sign this xml
> with only openssl. Is this possible?
I'm not an expert on this by any mean
> for (nread = 0; nread < sizeof(buf); nread += err)
> {
> err = SSL_read(client_conn, buf + nread,
> sizeof(buf) - nread);
> if (err <= 0)
> break;
> }
Umm, this doesn't look like
> So i want to know how will my client authenticate the server
> since i don't have the server's root certificate?
> Thanks in Advance..
> Regards
> Alok Bhatnagar
That is completely application-dependent. The answer will depend on what
makes the legitimate server different from an imposter.
Y
have installed client certificate.
But so far, it is not working and i am allways getting message about not
trusted certificate.
Can someone help me please, or point me to solution?
Thanks in advance!
Regards,
David
> I have an desktop/server agent that listen for TCP connections to
> process some information. And now i´m trying to implement privacy
> and authentication to this application, to unsure that only my
> trusted application interact with these TCP agents.
> Another problem is that I'm not sure if
> If I send the message "Hello World" from my server to client
> and I capture the aforementioned packet, lets say, I treat it
> as two separate records and decrypt each record. I now have
> two decrypted records. Should I merge these now? If that were
> the case, are you implying that my inital m
> hi again,
> i created a publickey.pem with command:
> openssl rsa -in myprivate.pem -pubout -out publickey.pem
>
> then in C i try to read this public key with:
> RSA *pubkey = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)
>
> where fp is the opened publickey.pem file.
>
> but it's return this err
> I'm not sure, that this code is correct?
It has some minor issues but appears basically correct.
>EVP_EncryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);
>EVP_EncryptUpdate(&ctx,outbuf,&outlen,text,strlen(text));
>EVP_EncryptFinal_ex(&ctx,outbuf
E:6B:94
> X509v3 Authority Key Identifier:
>
> keyid:C7:B9:B0:BC:5A:A2:73:18:02:F2:80:E2:8A:0C:BC:58:0C:87:14:95
Thanks in advance!
DAVID
On Mon, Jun 23, 2008 at 4:02 PM, javierm <[EMAIL PROTECTED]> wrote:
>
> Your logic is correct, in Thunderbird, you have t
> Thus, I conclude that there is some format in place, respectively
> how do I know where a bignum starts and where it ends?
The format is ANSI X.690, also knows as BER or DER, somtimes (slightly
erroneously) referred to as ASN.1.
> I tried to find a clue by browsing the sources, but I gave up
>
> Hi All,
> I tried to found out a interface which can be used to set the
> SSL record size as a specified number, but I failed.
> e.g. I hope the TLS record size shall be equal to 512 bytes,
> how should i do?
The SSL record size will vary with each record depending on what it
contains. If you
> Hi All,
>
> How many concurrent user will be provided by the OPENSSL solution?
> We plan an SSL VPN solution with up to 3000 concurrent users.
>
> Kind Regards
>
> Kurt Laux
> Schweickert Netzwerktechnik GmbH
> Dietmar-Hopp-Allee 19
> D-69190 Walldorf
> Germany
We've tested to 16,000 concurrent
> I attempt to decrypt a 256 bytes of data with an RSA public key. The
> openssl error I'm getting is
> error:0406706C:lib(4):func(103):reason(108), which from what I read on
> the internet means "data greater than mod len". The openssl API I'm
> using to decrypt the data is RSA_public_decrypt()
logical next number, however the certificate
signing
bails out on me.
Any ideas - I have been trying to get an updated version of
openssl for
RedHat9 without any luck so far ...
David Skeen
> I have had a look around and it appears that the serial number
> for the
> last certificate created was FF (hex), indicating 256
> certificates have
> so far been created. The next number in the serial file is 0100,
> which
> would seem the
a new server?
David Skeen
JDS Solutions
On Thu, 2008-08-07 at 20:19 -0700, David Schwartz wrote:
> > I have had a look around and it appears that the serial number
> > for the
> > last certificate created was FF (hex), indicating 256
> >
> Hi,
>
> I generated a x509 certificate. When I try to read the private key with
> PEM_read_PrivateKey I always get NULL as return value and when calling
> perror I get an Illegal seek.
>
> Here is my code:
>
> FILE *pemKeyFile;
> EVP_PKEY *privKey;
>
> pemKeyFile = fopen ("/hom
> > Hi,
> >
> > You should you generate an X509 certificate and then try to read the
> private key with PEM_read_PrivateKey. What does the key that you are
> trying to load look like? Could it be that you are reading in the
> certificate in place of the key?
> >
> > Also, I don't know much about p
> hi all,
> We are using openssl 0.9.8g with our product and everything
> worked fine till now. We are now trying to check memory leak
> in our code using Purify. But unfortunately our executable core
> dumped soon after it called PKCS12_parse(). I have attached the
> entire purify log file. pleas
Fred Picher:
> For export regulations compliance I must dumb down OpenSSL to use
> only DES. And that's only DES, no 3DES ! So I got it down to:
Are you sure you aren't trying to comply with ancient regulations that no
longer apply? It's been years since anyone I know of has had to dumb thei
spec,
don't go over EAP and use a different CA that I have nothing to do with.
David Johnston
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopens
We saw these same errors in a WiMAX test network with Free Radius.
Moving from an older 32 bit Fedora to a current 64 bit Fedora and the
stock freeradius and freeradius-util packages made it work and made the
errors you exhibit disappear.
openssl0.9.8h manifestly does support the necessary al
Cheers!
Thanks for the info, I managed to fix the problem by upgrading via the
source code to openssl-0.9.7d.
David
On Fri, 2008-08-08 at 08:30 -0500, Michael S. Zick wrote:
> On Fri August 8 2008 05:10, Ger Hobbelt wrote:
> >
>
> It may not be the number itself, but th
Silviu Vlascaenu wrote:
> I am developing an application which also has some CA functions.
> The application knows the public key, KpC, of a client which has
> a priori proven to this app the possession of KpC through an
> out-of-band mean. Therefore, when the application "calls" the CA
> functio
Silviu Vlasceanu wrote:
> To reformulate,
> Is there a way to generate a certificate without a proof of possession?
> Thanks.
Absolutely. Just stuff all the fields that you want into the certificate and
sign it. Simply take the fields from wherever you have them rather than from
the CSR.
Yo
> The only thing that I need is to certify the public key of
> the client by the server, therefore the common name and
> related infos are not used and have no meaning in this
> context. Moreover, the certification chain is local/private,
> so it does not involve interactions with external (public
> Hi,
> We're thinking of using openssl in our company but wondering
> about the version number.
> Why the latest version is still 0.9.x, why it hasn't bumped up
> to 1.x in last 8 years. Generally 1.x defines a stable version.
> Any insight would be helpful in making a decision.
> Thanks,
> Ra
> thanks for the fast replies! When you want to make your own non-EV CA
> recognized by the browser, it's easy, you just have to import your CA
> as trusted root, then it works. Isn't there a similar way for EV CAs,
> like producing your EV CA and simply adding it to the trusted root of
> the brow
> Jinsong Du wrote:
> > I have a simple server using blocked socket and OpenSSL, its only
> > function is for user registering an account. When an user connect to
> > this server, it spawns a child process to handle the request. I found
> > sometime child processes got stuck.
>
> The problem here
> Thanks, Kyle for the reply.
>
> Does anyone have a definitive answer for this one? It could be a
> massive
> amount of work for me to rewrite the code if I have to switch to using
> a single thread for read/write operations.
Just to clarify, you can use two threads. You can use one for read an
> Hello everyone, here's what's driving me nuts.
> I'm sure i'm missing something simple, but why isn't the
> encrypted message coming out of
> " BIO_get_mem_data(out, &enc_msg); " Null terminated ?
> Mike Luich
Why should it be? It's not a string, it's a block of arbitrary data.
Besides, what
> My company currently has a wildcard SSL certificate purchased from
> Go Daddy. It's installed on a Linux Apache web server we are going
> to deploy a Windows web server to support a different application.
> Go Daddy has told me that we can use the certificate on more than
> one server concurrent
> Hmm then perhaps I'm expecting the wong thing to be coming
> out. I'm using PKCS7_encrypt followed by SMIME_write_PKCS7.
> So the data is base64 encoded and in S/MIME Format.
> I just want to get this in a format that I can return as a
> string that's null terminated. So the app can use it as
> Hi everybody,
>
> i would like to know if it's normal to be able to sign a certificate with
> one which have "anti-signing" rules : i mean basicConstraints = CA:false.
> Could you enlight me ?
>
> Thank you,
>
> Jokester
Absolutely. Nobody can stop you from trying to use your certificate in a w
Sergio wrote:
> I think you have a conflict with your ideas. A and B want to secure its
> communication. They need to be agree about which key to use. I suppose
> you can encrypt the information at the origin using a symmetric key
> (aes, des, idea etc) and decrypt ir at destination with the s
Manuel Sahm wrote:
> could anybody explain me how to modify this programm,
> to use only keys instead of certificates ?
> Thanks to all.
I'm sorry to say, I don't see any easy way to do this with OpenSSL. You have
two choices:
1) Roll your own on top of SSL, using algorithms similar to those i
> Hello,
>
> I'm using an application (that I could recompile) which is using
> OpenSSL. My
> problem is that for some computers I have an internet access but no DNS
> server. In this case I configure the application to connect to
> https://xxx.xxx.xxx.xxx (ip address) instead of https://www.myDom
> Hello Experties there, could you pls help me?
What's the question exactly?
> On Thu, Sep 4, 2008 at 3:45 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>Honestly, I'm not sure. DER says that there is One True Encoding for
>>any given certificate, and I think (but am not sure) that part of it
I am running Red Hat Enterprise 5.2 with OpenSSL 0.9.8h. The version of
OpenSSL available for download from Red Hat Network was out of date so I
downloaded OpenSSL 0.9.8h from openssl.org and did a ./configure, make,
make install. Now, if I do a openssl version, it displays the correct
version, 0
> Hi,
> I am trying to use SSL_accept on vxWorks 5.5 (Pentium). But when the SSL
> client sends the initial handshake message (Client Hello),
> then SSL_accept returns failure with error as SSL_ERROR_WANT_READ.
>
> The same code works fine when used on Linux platform and
> handshake completes
> su
> You are right that I am making a non-blocking SSL_accept call.
> The problem is on vxWorks when 'select' states that some
> connection request
> is present, SSL_accept returns failure with error code as
> SSL_ERROR_WANT_READ.
That's because the connection request was present but the negotiatio
> Hi,
> I replaced the call to SSL_select to this one and it worked !!! Thanks for
> your help.
>
> int i =0;
> while(1 == i)
> {
> dRetVal = SSL_accept(pSsl);
> if(!(SSL_ERROR_WANT_READ == SSL_get_error(pSsl,dRetVal)))
> i=0;
>
> I have a problem that is *very* similar to the one listed here:
>
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg22288.html
>
> Unfortunately, that thread does not end in a resolution!
>
> Basically, I can't seem to connect to a particular AD server. Trying a
> "sample" connection with this
> Thanks. I'll talk to the server admin and see if I can't get some.
> Logs, that is.
>
> But the description of the problem in the link I supplied is almost
> exactly the same as my problem. Only the server fqdn differs.
That's not helpful for two reasons. First, two problems that appear almost
Dan Ribe:
> I am using the private key just to authenticate the client.
> Once server has authenticated the client (by using the public
> key of client), it will give access to that client.
So you want the server to condition access to a resource based on what
software is being used, and to reje
Peter Walker wrote:
> Sorry if this sounds ultra noobish but you guys lost me, even though you
> probably did answer my question ;)
>
> The purpose of my application is to send a credit card number in
> encrypted format.
>
> So the parent companies webservice issues me a X509 certificate which
>
> Is this correct for openssl 0.9.8 using FIPS?
>
> test SSL protocol
> test ssl3 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
> 1: zlib compression
> SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> 1 handshakes of 256 bytes done
> gmake[1]: ***
9
SSL_SESSION is 200 bytes
< ... lots of debugging that I added, which didn't enlighten me at all ... >
DTLS connection returned 0
12994:error:14101119:SSL routines:DTLS1_PROCESS_RECORD:decryption failed or bad
record mac:d1_pkt.c:466:
Child done.
This is the test case
/*
*
> I am rather confused why people need to drop out of FIPS mode. The
> Federal Information Processing Standard dictates that FIPS-validated
> cryptography be used for everything that requires cryptographic
> transformation for storage (or really anything that enters or leaves
> the cryptograpic s
> I am trying to use a memory BIO to decrypt data
> from a TCP stream I am processing,
> I have followed the following steps and for some reason
> I am still not able to get the
> SSL_READ function to return anything but -1?
> I have looked at the archives and it
> appears that this method has w
> Dave,
> It appears that my take on this was really off, thank you for
> your explanation, what I am trying to do
> is to create a utility like ssltap that will allow me the ability
> to pull decrypted data out of a
> connection between a browser and Apache. So it appears I need to
> build s
> Dave,All
>I would also like to be able to recreate a "session" by
> recording (i.e with TCPDump -w) and playing the databack
> Through the proxy? If I understand the remarks below that might
> not be possible?
>
> Thanks
> Ed
It may or may not be possible, depending on many factors. At a m
prashanth s joshi:
> Hi I have got a query to make here. So if I know the private
> key(permanant) of the server is it possible to decrypt the SSL traffic?
You cut the answer to this exact question. It may or may not be possible,
depending on many factors. The permanent server key is just one of
> I am new to the OpenSSL environment. I would like to know from
> the experts here about the BIO_read and BIO_write and the
> SSL_read and SSL_write.
The BIO_read and BIO_write functions read from or write to a BIO, which is
an abstraction for a buffered I/O object. The SSL_read and SSL_write
fu
> Hi SSL experts,
> I am using the s_client.c and the s_server.c for my ssl client and
> server. I need to find the socket calls such as send and recv. ie
> SSL_write( ), SSL_read( ), bio_read( ), bio( ) write etc will
> finally have to make a call to the socket calls such as send and
> recv as
On Tue, 2008-09-23 at 23:12 -0700, nagendra modadugu wrote:
> Hi David, unfortunately I've been out of touch with the developments
> to DTLS for some time. I forwarded your message to Eric Rescorla
> who worked with Cisco to get their implementation working.
Thanks.
> I suspe
On Fri, 2008-09-26 at 13:46 -0700, David Woodhouse wrote:
> At the worst, I should be able to reverse-engineer the library I have.
The first failure seems to have been a discrepancy in epoch numbers.
Comparing behaviour of their library and 0.9.8e, I find that theirs is
adding '00 01 00
On Sun, 2008-09-28 at 18:56 +0100, David Woodhouse wrote:
> On Fri, 2008-09-26 at 13:46 -0700, David Woodhouse wrote:
> > At the worst, I should be able to reverse-engineer the library I
> have.
>
> The first failure seems to have been a discrepancy in epoch numbers.
And the
Isabel <[EMAIL PROTECTED]> wrote:
> 1) Is the software compatible with XP? If not, what is the compatible
> version and what are the costs involved in upgrading?
OpenSSL is compatible with XP. OpenSSL is a library and you are probably
using it through other programs. You need to investigate thei
Solveig Viste wrote:
> I have an application which is occasionally hanging.
> I have tracked it down to an SSL_shutdown call.
> The value (0) returned from the shutdown call indicates
> that the shutdown is not finished.
As happens with non-blocking sockets, sometimes the operation does not
com
> "09dirkd+sRoXWShF8ctVVb4B1PAFTOBEa8diickehnAyEq6KhzLWpQqhqCnylETw\r\n"
> > "Drys2uVaAzmRhS6tGJ2fdwPnlSLJrQbHuP938BkyxNhdYN8drfqb\r\n";
>
> You appear to have an extra ";" here ---^
> But that should give you a compilation error.
>
> > "-END RSA PRIVATE KEY
Stanislav Mikhailenko:
> Hello I use openssl 0.9.8i in my project under Win32.
> There are some leaks detected when i do just it:
>
> X509* x=X509_new();
> X509_free();
>
> It was in previous versions too.
> What should i do to remove this?
Did you confirm that the memory was leake
> Thank you for your response. I have checked the
> error code using SSL_get_error.
> I get an SSL_ERROR_SYSCALL (5) return code,
> indicating an I/O, but the error queue is empty.
> My application continues to function. It is fetching
> an HTML document over an HTTPS connection.
This is a docu
> Where can I find a detailed description of how to
> compute the RSA private key? Well structured C
> or C++ code might do.
>
> Thanks,
> Mike.
http://en.wikipedia.org/wiki/RSA
In the section "Operation", the first set of 5 steps beginning with "Choose two
distinct large random prime numbers
> Hi,
> Can anyone tell me if SSL_peek is a blocking or non-blocking call ?
It can be either.
> When I use it inside my code, then the program blocks on this fuction call
> where there is no data on the socket.
If you're using blocking socket calls, that's what will happen.
> The reason I want
> Hello,
>
> The Windows NT 4.0 system has the workstation service stopped.
>
> This causes the following snippet from rand_win.c to return 0
>
> if (netstatget(NULL, L"LanmanWorkstation", 0, 0,
> &outbuf) == 0)
> {
> RAND_add(outbuf, si
> Actually before closing a TLS connection I need to make sure that no
> pending data is present on the that socket. So, calling SSL_peek would
> tell if this is the case or not.
No, it won't. Okay, you call SSL_peek, and there's no pending data.
Now, you're about to call SSL_shutdown. How do yo
> Thanks for the suggestionb but the RAND_poll function already
> pulls from the system right after the big #if 0 block as described
> below in the stetup for the calls.
>
> if (advapi)
> {
> /*
> * If it's available, then it's available
> btw, when i try to get the error code by
> printf("Error code: %d", ERR_get_error());
> i get Error code: 67567722
Your code says:
result = RSA_public_decrypt(pValidationData.ulValidationDataLength,
pValidationData.rgbValidationData, outputPlaintext, publicKey,
RSA_PKCS1_
Aravinda Babu wrote:
> Problem is our application will verify only DER format certificates.
> So if i get the peer certificate in PEM format , i will convert
> that into DER and i will verify the peer certificate.
> Is there any openSSL API which will tell me a'out the peer
> certificate encodi
> Documentation tells me that the SSL pointer should inherit
> the blocking property from the socket passed to SSL_set_fd.
Right.
> However, when I call SSL_shutdown with the SSL handle,
> the return code I get is not an error or a shutdown completed
> but a shutdown in progress (return code= 0)
> Most of the time but not all I get
> 140A90F1:lib(20):func(169):reason(241) from the error stack when
> I try to call sl_ctx_new. I am using 9.8i in a win32 environment.
> Any information on what the error message means would be much appreciated.
The OpenSSL executable has the 'errstr' comma
> David Schwartz wrote:
> > Which is pretty much the same as every other operation. If you
> > call 'send'
> > or 'write' on a blocking TCP socket, and you get a zero return,
> > does that
> > mean the data has been sent? No. It means the d
> Never ship a Shared OpenSSL library. Anyone can rebuild it to output
> the socket buffer to disk prior to encryption and replace yours.
>
> :-)
A party to an encrypted conversation can put its contents in a full-page ad
in the New York Times if they want to. There's no need to keep a
conversati
Gabriel Soto wrote:
> {
> // Create BIO with some random nonexistent host.
> BIO *bio = BIO_new_connect("192.168.9.9:");
>
> if (bio == NULL) {
> // Failed to obtain BIO.
> return false;
> }
>
> // Set as non-blocking.
> BIO_set_nbio(bio, 1);
>
> //
> I was thinking about an alternate solution, using blocking sockets,
> and doing the connect on another thread. If the user cancels the
> operation I'd close the socket (BIO_free) and I guess the connect
> would return with an error and the thread would exit then. Seems a
> little dirty but it co
> > I was thinking about an alternate solution, using blocking sockets,
> > and doing the connect on another thread. If the user cancels the
> > operation I'd close the socket (BIO_free) and I guess the connect
> > would return with an error and the thread would exit then. Seems a
> > little dirty
> Hello list,
>
> I write a application which acts like a proxy/repeater between
> two ssl - endpoints. For my app I use OpenSSL 0.9.8g.
> The two endpoints connect to the app and idenfity themselves
> using a id (Both use the matrixssl implementation for ssl handling).
> Two matching id's sta
there anything that I
fairly clear and I should understand in SSL and Certificates?
Thank you in advance!
David Carvalho
> please tell me where the deadlock is.
> As far as I know a deadlock arise when one process locks a
> resource an other
> process requests and vice versa.
A deadlock occurs when two or more agents are waiting for each other. Neither
can make forward progress until the other does. This is preci
Let me try one more time to explain the problem with an unrealistic, but I hope
easy to follow, example. Consider:
A <-> B
Now, imagine A sends a message to B requesting some unit of data. B begins
sending a very, very large chunk of data to A, many tens of MB. After 10 MB or
so, A realizes t
hould understand in SSL and Certificates?
Thank you in advance!
David Carvalho
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated
Md Lazreg wrote:
> Actually the same question is valid even if I am not using SSL sockets.
> So is there a way to distinguish between if a socket was closed because
> of a client crash or because of a netwrok issue?. If yes, is there an
> equivalent under SSL sockets?
You have three choices:
1)
> Hello,
>
> In appendix B of the openssl FIPS security policy it is stated
> that the module must be built with a particular tar file
> (openssl-fips-1.1.2.tar.gz) and a hmac hash value for the tar
> file is specified. Furthermore it is stated that there shall be
> no additions, deletions, or alt
> Thanks David.
> Unfortunately option 1) and 3) are not possible for my clients.
In other words, you cannot engineer a sensible option and have to fake it.
That's fine, but solutions that aren't engineered tend to be poor.
> option 2) seems the way to go for me, b
> Calling SSL_accept.
> Error code: 5
> error::lib(0):func(0):reason(0)
> Error: SSL_ERROR_SYSCALL, errlist: No such file or directory
> WSAGetLastError, rc=0
>
> This is basically the APIs I call to get the above information.
>
> err = SSL_get_error(ssl, rc);
> printf("Error code: %d", er
> So I can now see the Solaris side. It appears it gets
> "gibberish", probably
> encrypted data. Does anyone know why it would appear that the socket is
> not decrypting the data? This same code works fine on a Windows system.
>
> SSL_ca_file: /opt/bf-567/Platform/keystore/CA.pem
> SSL_cert
> On 2008.09.22 at 16:37:58 +0200, F. wrote:
>
> > Any way to collect only from HRNG?
>
> You can write your own RAND_METHOD
> and encapsulate it in the engine module.
>
> Then you can load this engine via openssl.cnf
> and set default rand method to this engine.
>
> Really, this is not very good
. What the implications are, with respect to having
a predictable pattern in the connection message is in relation to making
a known plaintext/crypto text, I'll leave to the experts.
Or I may be misunderstanding your needs (-:.
David Richardson
From: [EM
> Thank you again David,
You are welcome.
> As for the network issue scenarios here are some details about the last
case:
> 1)The server is running on UNIX, the client is running on windows or unix.
> unplug the client or the server. The server does not report anything!
Logical,
> All -
>
> I am using OpenSSL with memory BIOs for the communication. I have
> everything working just fine, until I came across a server that sends
> Application data in the final packet of the TLS handshake.
> Specifically, Wireshark shows the following in its output :
>
> Change Cipher Spec,
> There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after
> the socket() call and error status check.
>
> -Kyle H
That will just waste CPU. The code will spin in each loop "while (!success)"
loop until it gets what it wants. It will still not return any time soon, but
will do so at
Ben Sandee wrote:
> On Thu, Nov 6, 2008 at 9:11 PM, David Schwartz <[EMAIL PROTECTED]>
wrote:
>> > There needs to be a call to fcntl(fd,F_SETFL,O_NONBLOCK) just after
>> > the socket() call and error status check.
>> That will just waste CPU. The code will spin
> That's a great question. Indeed, this platform (AIX) does have
> /dev/random but apparently that too was exhausted because that
> is checked first in our implementation. I think the fault is truly
> with the system in question, because prngd should not have blocked
> in the manner it did. Des
>> So what do you want to do if you run out of entropy?
> Fail with an error condition stating that, rather than
> the indeterminate hang in read() that was experienced.
I believe you need to compile with EGD support then. This will get you the
behavior you want. EGD provides no way to tell whet
> Yes. Hence the correct solution would be non-blocking with select()...
>
> Best regards,
> Lutz
How do you determine (portably) if the socket you got from 'socket' is
inside the legal range for FD_SET? Many platforms, including Linux, will
happilly allow 'socket' to return values that are w
> I use valgrind to check my code, and I can't seem to be able to
> free up 36
> bytes.
So what?
> SSL_library_init() allocates 36 bytes that I am not able to free
> using the
> regular cleanup functions.
Correct.
> The details:
> SSL_library_init calls SSL_COMP_get_compression
> I understand about one-off leaks, but we're talking about a dynamically
> loadable library when we're talking about OpenSSL.
> What would happen if an application did something like this:
>
> for (int i=0; i<1000; i++)
> {
> hSSL = LoadLibrary("libssl.so")
>
> Dismissing leaks as one-off's is a pet peeve of mine. The notion
> of one-off
> leaks in an executable is arguably passable, but becomes a plain
> old memory
> leak just like any other when packaged as a library.
Not if the memory is reused if the library is unloaded and reloaded.
301 - 400 of 1421 matches
Mail list logo
