On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:
Hey everyone. Been a long time since I've been able to spend much time
on SSL code, but here I am again.
My app is a client side HTTP/HTTPS application, and the problem that
recently showed up (more likely it was just recently
On 12/08/04 11:44 AM, Louis LeBlanc sat at the `puter and typed:
SNIP
Ok, I finally figured this one out.
It was the cipher list after all.
My initial configuration used the list [EMAIL PROTECTED], which was intended
to maximize the list of ciphers used while giving preference
On 11/24/04 02:19 PM, Louis LeBlanc sat at the `puter and typed:
SNIP
Have you tried connecting using s_client? I suggest you try it with
-bugs and possibly also restricting the ciphersuites in use too and
possibly the SSL protocols too.
Now that sheds a little light. It comes through
On 11/23/04 10:47 PM, Dr. Stephen Henson sat at the `puter and typed:
On Tue, Nov 23, 2004, Louis LeBlanc wrote:
SNIP
Does the connection seem otherwise OK and you just get this error after all
data has been transferred?
Yes. The connection is established at the socket level - nonblocking
On 11/24/04 05:33 PM, Dr. Stephen Henson sat at the `puter and typed:
On Wed, Nov 24, 2004, Louis LeBlanc wrote:
On 11/23/04 10:47 PM, Dr. Stephen Henson sat at the `puter and typed:
On Tue, Nov 23, 2004, Louis LeBlanc wrote:
SNIP
Does the connection seem otherwise OK and you just
On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:
Hey everyone. Been a long time since I've been able to spend much time
on SSL code, but here I am again.
My app is a client side HTTP/HTTPS application, and the problem that
recently showed up (more likely it was just recently
to OpenSSL
0.9.7a, but is easily reproduced with 0.9.7e.
Here's the server string returned by the origin:
Server: IBM_HTTP_SERVER/1.3.19 Apache/1.3.20 (Unix)
Anyone have any ideas how best to debug this?
TIA
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper
to be open.
Check out SA (www.spamassassin.org). It's free and very effective.
Sorry for continuing the OT thread.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org
Carson's Consolation
later to find you have no more space on your disk. And
sometimes, the content *is* illegal, they just put it there so they
can spread it around without being caught distributing it.
So you probably want to google for spyware and BackOrifice remedies.
Good luck.
Lou
--
Louis LeBlanc
provided. Why
bother joining? Seems to me this is a grotesque breach of etiquette
anyway.
Besides, I haven't sent mail to the list for awhile, and I want to see
if this is something other than SpamArrest - I won't get that one :)
Cheers
Lou
--
Louis LeBlanc [EMAIL PROTECTED
These are happening in the same routine, reading a line of data from
the connection (after the handshake is done) and an SSL_ERROR_SSL is
returned from SSL_read(). If anyone has an idea, or knows where in
the docs it is discussed, I'd really appreciate the pointer.
Thanks in advance
Lou
--
Louis LeBlanc
there,
but there's no link from the source page.
Thanks
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org
QOTD:
A child of 5 could understand this! Fetch me a child of 5
On 07/30/02 09:05 AM, Louis LeBlanc sat at the `puter and typed:
On 07/30/02 11:08 AM, Ben Laurie sat at the `puter and typed:
SNIP
Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS.
SNIP
. Not that it should have anything to do
with that.
Anyone have any other ideas? If there is some other little tidbit of
info that might help, but I've not included, please let me know.
Thanks.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http
On 06/18/02 06:59 PM, Lutz Jaenicke sat at the `puter and typed:
On Tue, Jun 18, 2002 at 12:10:48PM -0400, Louis LeBlanc wrote:
The problem I'm seeing is apparently caused by a read or write attempt
returning SSL_ERROR_WANT_X509_LOOKUP. My understanding of this was
that I should simply
Hey Lutz. Thanks for your confirmation to my last message. Sorry to
bother everyone again, but I'm still not seeing what I expect with
this one call to see how many renegotiations I am getting.
On Sun, Nov 11, 2001 at 11:22:07PM -0500, Louis LeBlanc wrote:
. . .
Here is what I'm
msg.pgp
Description: PGP message
it with the browser. So long as you
have the mime types defined in httpd.conf, it should present the CA
cert to the browser for installation. You will then have to decide
whether and for what purposes to trust the CA.
HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper
you have installed it, and the cert chain is properly defined,
your browser should trust the server implicitly.
HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net
vuja de:
The feeling that you've
and
the same CN will be on the certs after all.
If you can't do that for whatever reason, just change the OU name
(Organizational Unit) and make it relevant to the server you are
running.
HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http
On 10/03/01 09:03 PM, Lukasz Jazgar sat at the `puter and typed:
Louis LeBlanc wrote:
. . .
I use iPlanet Webserver. Every instance of this server manages its own
secure database of keys/certificates. Key pairs are generated internally
by server and there is no possibility to import
an openssl.cnf with the pathlen removed or raised to the maximum
chain length they wish to permit.
HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net
Radioactive cats have 18 half-lives
On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed:
Louis LeBlanc wrote:
Maybe OpenSSL does it this way when it encounters a cert without a
pathlen specified, but as I mentioned in an earlier message on this
thread, Netscape (4.76?) for Linux (running on FreeBSD) seems
CAs do define a pathlen:
American Express Global Certificate Authority
Deutsche Telekom AG
GTE Corporation
All of them define it to be 5.
Interesting.
Regards
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net
On 09/21/01 12:53 PM, Dr S N Henson sat at the `puter and typed:
Louis LeBlanc wrote:
I am including the x509 output of my intermediate below. I notice
that the CA constraint is false. Does this have anything to do with
the problem? I am guessing it does, but how do I fix this? I
on separate machines and continue to be used with minimum
modification.
Like I said, it's messy, but it works for now.
Thanks for the help Dr Henson!
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net
Not After : Sep 18 20:25:12 2002 GMT
Subject: C=US, ST=Massachusetts, O=Mirror Image, O=Mirror Image Internet,
OU=Engineering, CN=Louis LeBlanc [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit
On 09/08/01 01:04 PM, Lutz Jaenicke sat at the `puter and typed:
On Fri, Sep 07, 2001 at 05:39:52PM -0400, Louis LeBlanc wrote:
Now I have another problem. In trying to call
SSL_CTX_flush_sessions(ssl_ctx, time(0));
I am being blessed with a core dump.
[output deleted]
I could
this means. I'll dupe this directory so I can make more traces as
needed for debugging/feedback, etc. so feel free to ask questions that
might shed some light.
Thanks to anyone who can help with this.
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http
if this is possible).
Avery Fay
How about SSL_renegotiate()? Check the archives over the last week,
Eric Rescorla dealt with a rehandshaking question recently, and
mentioned an article he is working on for Linux Journal. If it can be
done, I'd imagine that is the way to do it.
HTH
Lou
--
Louis
iling List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.me
[EMAIL PROTECTED] wrote:
-Original Message-
From: Louis LeBlanc [mailto:[EMAIL PROTECTED]]
Sent: 19 January 2001 12:39
To: [EMAIL PROTECTED]
Subject: Re: Rainbow Cryptoswift cards
One quick question, just so I know how to answer when this kind of
project comes up
more than the system they are intended to sit on, we could just buy
more of those systems (maybe even 1/card) and possibly get a better
cost/performance benefit.
Lots to think about.
Regards
Lou
--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http
Hey all. This is a problem I have been trying to solve for some time.
Please read carefully, because as far as I can tell, some of these
details seem to contradict others. I am only bothering you with it
because I have no more ideas.
We are using an Intel appliance for server side SSL session
Actually, IE does get through the handshake. There is a name conflict
because we are going direct to a machine rather than going through a
global load balancer.
When there is a cert name conflict, IE warns you and will happily
continue if you direct it to. Remember I said it gets through the
Wait a minute! I just tried the server revocation suggestion, and it
seems to work. I guess I owe you an apology for a hasty reply.
Here is what I don't understand
Why is this causing trouble if the cert is not expired?
How can I fix this from the server side without requiring that all the
to
the server with in the case of client auth), and redoes the SSL
handshaking.
Greg Stark, [EMAIL PROTECTED]
Ethentica, Inc.
www.ethentica.com
- Original Message -
From: "Louis LeBlanc" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 12, 2001 3:06 PM
S
encompass
multiple scenarios? If the latter is true, is there some way we can narrow
down this case?
TIA
Lou
--
Louis LeBlanc
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
[EMAIL PROTECTED]
http://acadia.ne.mediaone.net
Slightly OT, but check out the online docs at www.apache.org, and look
at VirtualHost, and .htaccess.
The trick is to keep those things that are secure only in a separate
directory hierarchy than those that are available on clear http.
On my site, I have a separate branch at the root level for
Hey, all.
I am running into a problem with reading from a connection until a
newline is encountered.
I am unable to get a clear idea just what SSL_peek() is intended to do,
which is probably the cause of my problem.
I need to read from a socket, up to n bytes or until the first instance
of '\n'.
Dr S N Henson wrote:
What command did you use to produce that message? Were you attempting to
connect to a remote server, if it is on the internet its address would
help.
There are several possible causes of that message such as connecting
to a server with a broken SSL/TLS
Ok, I have a general idea of how to manage my own client side caching.
My client already maintains a record for each server it connects to, and
can store either a copy of the session, or a pointer to that session
back in the SSL_CTX session cache. Which is better? I am trying to
preserve the
Here I go responding to my own post again. Now I know why there were no
answers. Seems I missed it the last time it was posted. I think I have
it now. Thanks all.
L
Louis LeBlanc wrote:
Ok, I have a general idea of how to manage my own client side caching.
My client already maintains
Not so much session caching this time, but cache stats.
Is there a way to reset these other than directly accessing the
structure members - for instance when the cache is purged? I noticed
they did not get reset when the cache gets purged using
SSL_CTX_flush_sessions(ssl_ctx,0). I also did not
You might also want to use the -rand flag and provide a path to the
entropy pool. You can use either egd or prngd - prngd won't block, and
it provides more than enough entropy - similar to the /dev/urandom
device.
You will find prngd here:
Louis LeBlanc wrote:
Hey all. I kind of feel like I'm beating a dead horse here, and that
this question may have been answered already, but here goes.
I have a client app that needs to connect to any number of servers and
cache sessions. This app will be expected to create up to 100
Hey all. I kind of feel like I'm beating a dead horse here, and that
this question may have been answered already, but here goes.
I have a client app that needs to connect to any number of servers and
cache sessions. This app will be expected to create up to 100
connections per second, with
That really depends on what you want to do. If you want your cgi script
to open its own SSL connection, you need to install the perl SSL module
(crypt:ssleay, or something like that - I've never used it myself). If
you just want to make your script work on a secure http connection, just
Lutz Jaenicke wrote:
several weeks. If you are ever in the Boston Area, I owe you a beer (we
have some decent American beers around here :)
I don't have any special plans to come to the Boston area, but I will remember
your words. (And be aware that the German type of invitation is more
helpful to me over the last
several weeks. If you are ever in the Boston Area, I owe you a beer (we
have some decent American beers around here :)
Lou
Lutz Jaenicke wrote:
On Thu, Oct 19, 2000 at 03:58:26PM -0400, Louis LeBlanc wrote:
I think the problem is here, in the check of verify_depth
Hello all.
First, thanks to everyone who has helped me with any feedback on my
previous problems.
I seem to be pretty much over the major hurdles at this point, but I
need to verify the cause of some SSL errors showing up under (very)
heavy load.
Here they are:
error:140943FC:SSL
*/
ERR_error_string(ERR_get_error(), buf);
sprintf(errbuf, "%s: %s:%d", buf, __FILE__, __LINE__);
log_error(errbuf);
close(sock);
return 0;
}
}
}
This works for me.
Thanks again.
Lou
Louis LeBlanc wrote:
Hell
My next roadblock is in making sure that my SSL_peek() calls take
nonblocking sockets into account.
I understand the way SSL_read and SSL_write work, but what is the best
way to make SSL_peek work correctly when the underlying socket is
nonblocking?
TIA
Lou
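An added example for the two SSL_peek() questions above (reading up to n bytes or until the first '\n', and doing that over a nonblocking socket). This is not code from Lou's posts or from OpenSSL. The usual answer is that SSL_peek() is not needed at all: the record layer already hands back whole decrypted records, so the client keeps its own per-connection buffer, reads into it and scans for the newline. To run without libssl, the transport here is a constructed stand-in for SSL_read() (the `mock_conn`/`mock_read` names, the `read_line`/`drain_lines` helpers and the `rd_status` codes are all this example's own, not OpenSSL API); the constructed HTTP response is sample input, not captured traffic.

```c
/* Added example, not code from the original posts: reading one line at a
 * time from a nonblocking TLS connection without SSL_peek(). The client keeps
 * its own buffer, reads into it and scans for '\n'. The transport below is a
 * CONSTRUCTED stand-in for SSL_read() (assumption: lets the block run without
 * libssl); with OpenSSL, read_fn wraps SSL_read() and maps SSL_get_error()
 * onto rd_status, retrying the call with the same arguments on WANT_READ. */
#include <stdio.h>
#include <string.h>
enum rd_status { RD_DATA, RD_WANT_MORE, RD_EOF, RD_FATAL }; /* ~ SSL_ERROR_* */
typedef enum rd_status (*read_fn)(void *ctx, char *buf, size_t n, size_t *got);
#define LINEBUF_SZ 4096
struct line_reader {        /* one per connection; survives across calls */
    void   *ctx;
    read_fn rd;
    char    buf[LINEBUF_SZ];
    size_t  len;            /* bytes received but not yet handed out */
};
enum line_status { LINE_OK, LINE_AGAIN, LINE_EOF, LINE_ERROR, LINE_TOO_LONG };

/* Deliver one line (CR/LF stripped) into out. LINE_AGAIN means the transport
 * would block: poll()/select() the socket and call again, buffered bytes are
 * kept. A line that will not fit in out is reported, never truncated. */
enum line_status read_line(struct line_reader *lr, char *out, size_t outsz)
{
    if (outsz == 0) return LINE_TOO_LONG;
    for (;;) {
        char *nl = memchr(lr->buf, '\n', lr->len);
        if (nl) {
            size_t n = (size_t)(nl - lr->buf);
            if (n >= outsz) return LINE_TOO_LONG;
            memcpy(out, lr->buf, n);
            if (n && out[n - 1] == '\r') n--;       /* HTTP uses CRLF */
            out[n] = '\0';
            lr->len -= (size_t)(nl - lr->buf) + 1;  /* consume line + '\n' */
            memmove(lr->buf, nl + 1, lr->len);
            return LINE_OK;
        }
        if (lr->len >= outsz - 1 || lr->len == LINEBUF_SZ) return LINE_TOO_LONG;
        size_t got = 0;
        switch (lr->rd(lr->ctx, lr->buf + lr->len, LINEBUF_SZ - lr->len, &got)) {
        case RD_DATA:      lr->len += got; break;   /* rescan for '\n' */
        case RD_WANT_MORE: return LINE_AGAIN;
        case RD_EOF:                                /* unterminated tail */
            if (lr->len == 0) return LINE_EOF;
            if (lr->len >= outsz) return LINE_TOO_LONG;
            memcpy(out, lr->buf, lr->len);
            out[lr->len] = '\0';
            lr->len = 0;
            return LINE_OK;
        default:           return LINE_ERROR;       /* SSL_ERROR_SSL etc. */
        }
    }
}

/* Constructed stand-in for SSL_read() on a nonblocking socket: serves a fixed
 * byte string in small chunks and reports "would block" on every other call,
 * which is how SSL_ERROR_WANT_READ shows up in practice. */
struct mock_conn { const char *data; size_t len, pos, chunk; int calls; };
static enum rd_status mock_read(void *ctx, char *buf, size_t n, size_t *got)
{
    struct mock_conn *m = ctx;
    if (m->calls++ & 1) return RD_WANT_MORE;
    if (m->pos >= m->len) return RD_EOF;
    size_t take = m->len - m->pos;
    if (take > m->chunk) take = m->chunk;
    if (take > n) take = n;
    memcpy(buf, m->data + m->pos, take);
    m->pos += take;
    *got = take;
    return RD_DATA;
}
#define MAX_LINES 8
#define MAX_LINE  64
/* Run the reader over a payload; returns the line count, or the negated
 * line_status on failure, and counts how often the read would have blocked. */
int drain_lines(const char *payload, size_t chunk, char lines[MAX_LINES][MAX_LINE], int *again)
{
    struct mock_conn m = { payload, strlen(payload), 0, chunk, 0 };
    struct line_reader lr = { &m, mock_read, {0}, 0 };
    int n = 0;
    *again = 0;
    while (n < MAX_LINES) {
        switch (read_line(&lr, lines[n], MAX_LINE)) {
        case LINE_OK:    n++; break;
        case LINE_AGAIN: (*again)++; break;         /* real code: poll() here */
        case LINE_EOF:   return n;
        case LINE_ERROR: return -LINE_ERROR;
        default:         return -LINE_TOO_LONG;
        }
    }
    return n;
}

int main(void)
{
    char lines[MAX_LINES][MAX_LINE];
    int again = 0, n;
    /* constructed HTTP response, not captured traffic */
    n = drain_lines("HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 7, lines, &again);
    for (int i = 0; i < n; i++) printf("line %d: \"%s\"\n", i, lines[i]);
    printf("%d lines, %d would-block events\n", n, again);
    return 0;
}
```

With real OpenSSL the mapping in `read_fn` is: a positive SSL_read() return is RD_DATA; SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE (the latter can occur on a read during renegotiation, so poll for the event OpenSSL asks for) are RD_WANT_MORE and the SSL_read() call must be repeated with the same buffer arguments once the socket is ready; SSL_ERROR_ZERO_RETURN is RD_EOF; SSL_ERROR_SSL and SSL_ERROR_SYSCALL are RD_FATAL, after which the connection is dropped rather than retried. Capping the line length, as `read_line` does, is what keeps a misbehaving origin from growing the buffer without bound.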
Here's an odd one. I looked in the archives, and didn't find this
precise phrase anywhere.
During the SSL_connect attempt, the error returned falls through to the
default: case.
This is the error message:
error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
Any idea what
Hello again, everyone.
I have solved some of the problems I have been having with setting
verification mode and depth, I think. (Thank you Lutz!)
I have also approached the problem of ensuring the connection is
successful on a nonblocking socket. What I was trying to do is use
SSL_state() to
Looks good, Lutz, but I suspect you meant SSL_set_verify on line 26,
rather than SSL_CTX_set_verify.
Lou
Lutz Jaenicke wrote:
On Wed, Oct 11, 2000 at 04:24:31PM +0200, Lutz Jaenicke wrote:
According to our results I have filled in the missing pieces and made changes
as necessary to my
directly to get the status rather than
managing my own for each connection, but it may come to that.
Any comments/ideas, etc will be appreciated.
Lou
Louis LeBlanc wrote:
Hello again, everyone.
I have solved some of the problems I have been having with setting
verification mode and depth, I
Hello, All.
In my attempts to learn more about the certificate verification process,
I have been looking at the apps/* code, the manpages, and the release
docs - not to mention the OpenSSL site. The closest thing I have found
to any documentation on the SSL_CTX_set_verify_depth() routine is the
available or (more probably) I just don't know what
to look for.
Any and all help is appreciated.
TIA
Lou
Louis LeBlanc wrote:
Hello, All.
In my attempts to learn more about the certificate verification process,
I have been looking at the apps/* code, the manpages, and the release
docs - not
nSSL error as reported by
ERR_error_string(ERR_get_error(), errbuf)
Does it shed any light?
--
Louis LeBlanc - Software Engineer - Mirror Image Internet, Inc.
http://www.mirror-image.com [EMAIL PROTECTED]
Phone: 781.376.1186 Fax: 78
G is under populated here. I was in the
process of finding the flaws here when I came back to find the fires
burning again on the issue.
Thanks everyone. Maybe I understand it now.
Lou
Richard Levitte - VMS Whacker wrote:
From: Louis LeBlanc [EMAIL PROTECTED]
leblanc Anyway, this is
to run on systems
that may or may not have the /dev/urandom device, so I can't use
something that relies on it.
Maybe stunnel isn't the problem? Try building it against 0.9.4. Just
for Yuks.
Louis LeBlanc
Richard Levitte - VMS Whacker wrote:
From: Lutz Jaenicke [EMAIL PROTECTED