Hello,
Is BIO_do_connect() smart enough to try to connect to all IP addresses if a
name resolves to more than one?
For example, the name "www.microsoft.com" resolves to eight different IP
addresses. Will they all be tried by BIO_do_connect? Is there a way to do this?
Do I need to keep calling
One last update on getting 0.9.8 to build on OS X. As long as I do NOT try to
build "shared" then everything builds okay.
Now if only I could get Xcode to actually use the static libraries...
-Joe
__
OpenSSL Project
I think I found the problem installing on OS X. In the ./engines/Makefile, in
the "install" target, the script makes the assumption that shared library files
are named *.so, whereas they are named *.dylib on Darwin.
There is even a comment to that effect in the Makefile:
# X This currently
Is your client sending only its certificate, or are you sending the entire
certificate chain?
It looks like your server is unable to rebuild the cert. chain from the client
to the root.
-Original Message-
From: "Fco .J. Arias" <[EMAIL PROTECTED]>
Sent: Jul 6, 2005 2:47 PM
To: openssl-u
I seem to be having some build problems. I'll describe what's happening below.
I'm trying to install
openssl 0.9.8 onto OS X 10.4.1. I have the Xcode 2.1 tools installed.
Firstly, I downloaded the tarball using "curl" to make sure that Safari wasn't
causing me any grief. The installed
curl is 7.
What software are you using to retrieve the certificate?
On May 12, 2005, at 5:42 PM, Jana Nguyen wrote:
Hi there,
I'm having a certificate format problem with Linux.
It strips out the line feeds (see below) when I retrieve
a proxy certificate from a portal and write it to a file.
linux system put
Did you set up your mutex call-backs needed by the library? See the
man page for CRYPTO_set_locking_callback, et al for details.
-joe
On May 6, 2005, at 8:56 AM, Calista wrote:
Are the functions
d2i_X509_fp and PEM_read_X509 thread safe?
http://www.openca.org/
The last time I checked however, the documentation is quite difficult
to follow being a rough translation from either German or Klingon.
On Apr 27, 2005, at 3:46 PM, Andy Cravens wrote:
Is there a free or commercial web interface for openSSL? I'm managing
my own CA from t
OS X ships with openssl pre-installed, so you will never find a machine that does
not have the dylibs available in /usr/lib. However, the version shipped is 0.9.7b.
-Original Message-
From: Qadeer Baig <[EMAIL PROTECTED]>
Sent: Apr 27, 2005 7:43 AM
To: openssl-users@openssl.org
Subject:
ped it in my msg. I actually set it to
/usr/local/openssl/lib when I did the build/compile.
Jim
Joseph Bruni wrote:
Just a shot in the dark, but shouldn't your LD_LIBRARY_PATH be set to
/usr/local/openssl/lib?
(I appended the "lib" part).
-Joe
On Apr 25, 2005, at 11:36 PM, ohaya wrote:
I set the LD_LIBRARY_PATH to "/usr/local/openssl:$LD_LIBRARY_PATH"
before doing the Apache build, and used:
On the Mac, you'll load your client certificate into your users'
keychains. On Windows, you'll load it into the certificate store. In
either case, simply having the user double-click on the certificate
file will launch the appropriate tool.
On Apr 18, 2005, at 9:17 PM, [EMAIL PROTECTED] wrote:
This would be a feature of Safari rather than OpenSSL. I'm pretty sure
that recent versions of Safari can do authentication using certs, but
I'm not sure how to do it. You can try posting your question to one of
Apple's lists.
http://lists.apple.com/
On Apr 18, 2005, at 1:46 AM, [EMAIL PROTECTE
If all that was sent was the protocol data that the write was waiting for to
satisfy the ssl state machine, and no application data was sent, would SSL_read
return the number of bytes actually read off the socket (which is just protocol
data), or would it read that transparently and return 0 indi
You're right -- the latter.
Another thing to think about is that at any time, the remote peer might
request a re-negotiation. During such time, the session key will be
re-established requiring a few round-trips during the DH process. This
will all be handled behind the scenes as you attempt to m
A return result of 0 typically means the other side closed the
connection.
Here is the section from SSL_read's man page with regards to a 0 return:
0 The read operation was not successful. The reason may either be a
clean shutdown due to a "close notify" alert sent by the pe
As of 0.9.7g, is OpenSSL still not cancellation safe? If not, am I okay
to bracket calls into the ssl library by changing the cancellation
state (sort of like a mutex) reverting back on return from the library?
According to the pthreads documentation changing the cancellation state
should preve
You're on the money. This confused me, too. I had a program that needed
to see if there was incoming data, and so I performed an SSL_read(). I
received back a WANT_READ, because there was no data yet to read. (I'm
using non-blocking I/O).
But then some time later I needed to send data. The logi
bert
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
| Sent: Friday, 10 September 2004 06:42 PM
| To: [EMAIL PROTECTED]
| Subject: Re: How to convert a buffer in DER format to a RSA
structure?
|
| It looks like "len"
'm using this piece of
code:
char buf[1024];
int len;
RSA *PubKey;
PubKey = d2i_RSAPublicKey(NULL, (const unsigned char **)&buf, len);
What's wrong?
Best regards,
Herbert
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
The d2i_* functions will convert from DER-encoded things to Internal
structures. The two you'll probably want are
d2i_RSAPrivateKey()
d2i_RSAPublicKey()
On Sep 10, 2004, at 3:36 PM, Herbert Skopnik V. wrote:
Hi everybody!
I'm working in a project (transactional switch) which uses RSA
encrypti
Hi Steve,
Here are a couple books that helped me understand SSL and the X.509
security model:
Network Security with OpenSSL, ISBN 059600270X
Planning for PKI, ISBN 0471397024
Joe
On Sep 10, 2004, at 1:17 PM, Steve Ankeny wrote:
I am designing a secure webserver for use in a small company. The
The way I did it was to delete my SSL_CTX and build a new one.
On Sep 9, 2004, at 7:38 AM, Ralf Haferkamp wrote:
Hi,
I am currently trying to implement CRL checking inside a server. I am now
facing the problem that I would like to trigger a reload of the CRL from
disc if it has been updated, wit
TECTED] On Behalf Of Joseph Bruni
Sent: Wednesday, September 08, 2004 3:54 PM
To: [EMAIL PROTECTED]
Subject: Re: Certificate expired error
Use the "openssl x509 -dates" option to view the actual dates
in the certificate.
Also check your system clock.
On Sep 7, 2004, at 5:09 PM, Edward Chan wr
The default_days in the REQ section doesn't do anything since a
certificate request doesn't expire. The default_days is used in the CA
section when making a certificate from a request.
On Sep 8, 2004, at 5:29 PM, IB wrote:
I'd like to create my own CA certificate that will last for more than 30
The text database used by the openssl ca command can only allow one
certificate per subject. If you need to issue another certificate with
the exact same subject, revoke the previous certificate first, even if
the earlier certificate has expired.
On Sep 7, 2004, at 3:03 PM, Areg Alimian wrote:
Use the "openssl x509 -dates" option to view the actual dates in the
certificate.
Also check your system clock.
On Sep 7, 2004, at 5:09 PM, Edward Chan wrote:
Hi there,
I had created a certificate to test with using OpenSSL. It is
supposed to expire in Aug. 2005. I have been using it for the p
Can you run your server for thousands of iterations to see if the
memory continues to be consumed? Generally memory that has been
allocated by the C library is not returned to the OS. Instead those
pages are cached to handle future allocations without needing to
request them from the OS.
If yo
I applied the patch this morning and the server seems to be perfectly
stable, even under conditions with a bazillion simultaneous in-bound
connections. I'll keep an eye on it but I think your patch nailed the
problem.
Thanks!
On Aug 28, 2004, at 5:40 PM, Dr. Stephen Henson wrote:
I've attached
"Dr. Stephen Henson" <[EMAIL PROTECTED]>
Sent: Aug 26, 2004 2:44 PM
To: [EMAIL PROTECTED]
Subject: Re: CRL signature failure
On Thu, Aug 26, 2004, Joseph Bruni wrote:
> I wrote a bit earlier about a problem I'm having with regards to a server
> that is verifying client ce
I wrote a bit earlier about a problem I'm having with regards to a server that is
verifying client certificates against a CRL. I currently have about 2000 clients
connected simultaneously.
Without reason, the CRL object in my SSL_CTX goes bad and all new connections fail
with the following error c
I have a server that runs with many (1500) long-duration SSL connections. I am using
CRLs and have the CRL checking enabled when I'm building my SSL_CTX using the
following code:
X509_STORE* store = SSL_CTX_get_cert_store(ctx);
if ( !store ) {
In a user's brain. Any file that is readable by the system is, well,
readable, therefore is only as secure as the OS can make it.
On OS X you could use the Keychain Services to store your password in
an encrypted database, available via an API. This is available as Open
Source if you're interes
ways like reject the tls request and only accept
the ssl.
thanks,
weijun
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
Sent: Wednesday, August 04, 2004 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: looking for server test script
$openssl s_server.
$openssl s_server... will do the server side of an SSL connection for
you. If you need to set up an HTTP server, just fire up apache.
On Aug 4, 2004, at 6:49 PM, weijun jiang wrote:
Hi,
I am looking for some test scripts that could be used as a server to test
the http-based client. Does the SSL
Or rather since this is C++:
distpoints = reinterpret_cast<STACK_OF(DIST_POINT) *>(X509_get_ex_d2i(...));
On Aug 4, 2004, at 7:37 AM, Dr. Stephen Henson wrote:
Presumably you are trying this from C++; if so then you will need an explicit
cast to the appropriate type, for example
distpoints = (STACK_OF(DIST_POINT) *)X5
It's been awhile since I've looked at OpenCA. The manual was almost
impossible to read and seemed to be quite a rough translation from
German. Do you know if any work has been done on cleaning that up in
the past 12 months or so?
On Aug 1, 2004, at 11:42 PM, Oliver Welter wrote:
If you need rev
ct: Re: max sessions
On July 29, 2004 02:20 pm, Joseph Bruni wrote:
> The other thing I noticed was that (according to the man page for
> select()) the results of the FD_ macros are undefined if the descriptor
> value is greater than FD_SETSIZE, which is 1024 on my system. I find
>
Regarding the max number of sessions problem. I think I've figured out what was going
wrong, but now I need some insight.
I increased the Session Cache as you suggested to (40 * 1024) without any change in
behavior. It turns out it was a bug in my code (whew!).
After doing some more debugging I
Hello all,
I'm developing an application that is used as a messaging hub for
thousands of users. The idea was that the users would maintain their
SSL connections indefinitely because one would never know when a
message was to be delivered and the messages need to be sent in
near-real-time.
So
Where might I find the documentation for X509_REQ_print_ex()? I've searched the man
pages, the web site, and the source in ./crypto/asn1/t_req.c is uncommented.
I really only need info on the nmflags and cflags parameters -- the others I can
figure out.
Perhaps if you could use gdb to display a stack trace, it would be
easier to locate the error.
-Original Message-
From: Jeff Fulmer <[EMAIL PROTECTED]>
Sent: May 13, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: Re: X509_get_subject_name
It didn't. It still core dumps on Red Hat systems.
Try using the -enddate option to get the expiration date.
On May 3, 2004, at 12:50 PM, Reese Williams wrote:
Brand new to openssl.
Anyone use openssl x509 -text -n //certificate-name.pem with a Verisign
certificate to get expiration date?
I have quite a few Apache and IIS 5.0 web servers and I am
The man page for "SSL_CTX_use_certificate_chain_file" states:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
file into ctx. The certificates must be in PEM format and must be
sorted starting with the certificate to the highest level (root CA).
Th
d2i_X509_CRL_bio()
On Mar 31, 2004, at 6:59 PM, å ç wrote:
how to load DER format CRL via my program?
I see an example which is PEM format; the type parameter is
X509_FILETYPE_PEM. And there is not an X509_FILETYPE_DER. So, how do I load
a DER format CRL?
I feel your pain. I too have tried looking through various headers and
source files to find the definitions of things. To my dismay, I've
found that the openssl group makes heavy use of C preprocessor macros
for the definition of various functions and whatnot, which makes
finding routine defini
If you build your application on OS X or Darwin, you'll run into the
really nasty problem where the LinkEditor will bind your app to shared
libraries even if you specify static libraries.
(I found this out the hard way.)
Not fun.
On Mar 19, 2004, at 9:52 AM, Mark Rowe wrote:
Hi,
Question
If
I know that it is possible to place multiple PEM-encoded objects into a single file.
Is it possible to iterate through each item? The command-line tools only seem to work
on the first one found.
When you finish this, please post the results. It would make great
documentation.
:)
On Mar 12, 2004, at 7:16 AM, Reginaldo de Oliveira Santos wrote:
Hi, it's my first time on this list and I have some questions.
I want a map of the directory structure of the C code of OpenSSL 0.9.7c. I
wan
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Fl lib$$i.a -ldld -lc ) || exit 1; \
chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
done
# gmake
Regards,
ViSolve Security Consulting Group
Email: [EMAIL PROTECTE
I don't think that those are coming from the list server itself, but
rather from hosts within the list subscribers' networks.
On Mar 6, 2004, at 11:20 AM, Robin Lynn Frank wrote:
At least set it to NEVER send "you have a virus" notifications. There
is no
excuse for that in an era of forged
I'm working on a server that will handle connections from clients on
two different interfaces -- a public interface and a private. What I
would like to do is somehow encode into a certificate which interface
the client is allowed to connect on. (I realize that there is no
technical reason for a
Could you post the curl command line that you're using? You might just
be missing a param or two.
I thought 5L had /dev/random. Are you running an older version of AIX?
On Mar 3, 2004, at 5:21 AM, todayhill wrote:
I am using IBM AIX System and DO NOT have /dev/random device.
I see I can use EGADS or EGD. But how can I use them? For example, my
code:
RSA_public_encrypt(fromLen, fromBuf, tmpBuf,
I don't know about that. During the latest Windows exploit virus blast
(when are they going to fix their stuff?) I kept getting bombed by AV
bounces aimed at openssl-users-l. Not to mention that the list was DOWN
during that time as well. A good number of my posts just got timed out
by my legit
There is a really good example of how to do that in O'Reilly's Network
Security with OpenSSL.
You can also download the source from http://www.opensslbook.com/.
After downloading the source, check out example 10-7.
On Feb 24, 2004, at 12:07 PM, Manuel Sánchez Cuenca wrote:
Hello all,
Anybod
I have a server that I've written using OpenSSL on Mac OS X that has been running for
a few weeks now. Using the "leaks" command, I am getting the following report:
Leak: 0x003130b0 size=32
0x 0x0030a0c0 0x0030a0e0 0x0030d060
0x 0x1381c88d 0x 0x00010002
Question: Why the proxy? Perhaps a simple NAT router would suffice.
On Feb 17, 2004, at 1:03 PM, Marton Anka wrote:
The second question is, can this be improved? For example, can we get
rid of the decryption/re-encryption phase? Can I somehow manage to get
both Host and Client to negotiate th
Hello,
I'm writing a small GUI app that builds an x509 cert. request and
simply shells out to the command line in order to actually build the
req. I've noticed that when I specify the subject on the command line
(-subj), both the distinguished name and attributes sections in the
configuration
Take a look at the "scp" program also which is another program that
uses the SSH protocol.
Some other ideas are "rsync" over SSH, or you could use "curl" which
will support HTTPS.
If the files don't change much, or if you need to sync up entire
directories, rsync is the way to go.
FTP/SSL is
int sk;
struct sockaddr_storage address;          /* large enough for IPv4 or IPv6 */
socklen_t address_len = sizeof(address);
BIO_get_fd(bio, &sk);                     /* fetch the underlying socket descriptor */
getpeername(sk, (struct sockaddr *)&address, &address_len);
On Jan 19, 2004, at 4:44 PM, Zac Hansen wrote:
I'm trying to figure out how to get the client address/port when using
BIOs to accept new connections.
No. My understanding of ZERO_RETURN means that the SSL session has been closed down by
the other end.
I've been doing some experimenting, and a no-data condition results in a WANT-READ.
I just want to know if that means I'm stuck, unable to send data, until something
arrives.
-Original M
As a quick follow-up to my previous question.
If I call SSL_read and receive a WANT result, does that also preclude me from calling
SSL_write
if the socket is currently writable?
I have yet another question regarding non-blocking I/O and the OpenSSL library.
With normal sockets that have been set to non-blocking, an attempt to read
when no data is present will return an EAGAIN.
In my case, no data on a read is fine, since that just means there are no messages to
pick up.
On Jan 16, 2004, at 8:26 PM, David Schwartz wrote:
The AUTO_RETRY flag disables a case where the SSL/TLS code would signal a retry
even though the underlying transport did not during a session renegotiation.
This is there to support some applications which brokenly use select() and
blocking I/O.
On Jan 16, 2004, at 5:57 PM, Dr. Stephen Henson wrote:
On Fri, Jan 16, 2004, Joseph Bruni wrote:
After reading the man page for SSL_CTX_set_mode, I have to ask,
what happens if you set AUTO_RETRY with a non-blocking socket?
The AUTO_RETRY flag disables a case where the SSL/TLS code would signal
After reading the man page for SSL_CTX_set_mode, I have to ask,
what happens if you set AUTO_RETRY with a non-blocking socket?
Does BIO_new_connect modify the string passed to it?
Or should that function be rather declared as a "const char*" instead?
Joe
Yep. Reinstall. Panther ships with 0.9.7b. If you want to build your
own, put it into /usr/local.
On Jan 8, 2004, at 8:03 PM, Ian C Roberts wrote:
I have just had this problem and am very stuck. I have an xserve
which is colocated, I tried to install another openssl installation
and instead o
On Jan 6, 2004, at 12:47 AM, David Schwartz wrote:
In most cases multi threads and only one SOCKET don't really get along.
I'm not sure why you'd say that. For TCP, reading and writing are totally
independent. Using a pool of threads for I/O is quite common to protect
against ambush (when an op
An excellent reference to OpenSSL programming can be found in the
O'Reilly book:
http://www.oreilly.com/catalog/openssl/index.html
Lots of really good stuff here about common mistakes (like not
initializing mutexes...). The book was written for 0.9.6 with a few
references to some features in
I'm glad this discussion happened about now. I, too, am implementing a
query/response system and I've been thinking about putting the read and
write cycles into different threads.
My reason for wanting to do this would be to allow the server, which
sends the initial message, waits for a respons
Gotcha. So it would be safe to assume that almost nobody uses CRLs
since none of the software I use that does SSL seems to worry about the
presence (or lack) of a CRL. Wonderful. That really inspires
confidence.
I'll just bump the nextUpdate field out and make sure that the CA is
keeping the C
I've run into an interesting situation and need some advice. I'm building a server
that will be validating clients via certs. So, I've coded this to handle CRLs, but
I've encountered that if a CRL has "expired" no certificates related to that CA are
considered valid. I'm not sure this is a good way
Check out the pair of functions htonl() and ntohl() which are part of
the sockets library. If you need to flip port numbers, you can use
htons() and ntohs().
(By the way, your little-endianness is due to your x86 hardware, not
Linux. Linux runs on big-endian systems also.)
On Nov 23, 2003, at
?)
On Nov 21, 2003, at 4:51 PM, Dr. Stephen Henson wrote:
On Sat, Nov 22, 2003, Dr. Stephen Henson wrote:
On Sat, Nov 22, 2003, Dr. Stephen Henson wrote:
On Fri, Nov 21, 2003, Joseph Bruni wrote:
I've been poking around in the v3_alt.c file to try to determine
why the email address is n
I've been poking around in the v3_alt.c file to try to determine why the email address
is not getting copied or moved into the extension. After sprinkling in a few debug
statements, it looks like the copy_email() function is broken and never enters the
"while" loop. Even though the DN has an 'em
01:25AM, Richard Levitte - VMS Whacker <[EMAIL
PROTECTED]> wrote:
>In message <[EMAIL PROTECTED]> on Thu, 20 Nov 2003 19:56:23 -0700, Joseph Bruni
><[EMAIL PROTECTED]> said:
>
>jbruni> I've been trying to get the "subjectAltName=email:move" directi
Given an RSA private key, you can regenerate its matching public key
with this:
% openssl rsa -in privatekey.pem -pubout >key1.pem
The public key in a certificate can be extracted with this:
% openssl x509 -in certificate.pem -pubkey -noout >key2.pem
With the two public keys, you should be abl
work. Has anyone ever
gotten this to work aside from hard-coding the email address in the CA
section?
Joseph Bruni