RE: Signing certificates on Windows

2003-01-09 Thread Boyle Owen
>-Original Message-
>From: Charles B Cranston [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, 8 January 2003 21:53
>To: [EMAIL PROTECTED]
>Subject: Re: Signing certificates on Windows
>
>
>Franck Martin wrote:
>> You can't use virtual hosts on apache with https.
>> Each host must have its own IP address, that's what I learnt
>> from the doc...
>> Maybe it is fixed somehow...
>
>The reason is that the security is negotiated before even one byte
>is sent down the channel, and the server has no way of knowing
>WHICH of the various virtual hosts you want to talk to until it has
>read the incoming HTTP header, which it cannot do until the
>security has been negotiated.
>
>One might think the server would have a single certificate that it
>uses before trying to find out the desired virtual host name.
>However, it turns out it has to know WHICH virtual host name is
>wanted to select WHICH certificate to use!  Chicken and egg.
>
>There might be a solution with a single certificate that has all
>the virtual host names as subjectAltNames but I'm too much in
>alligator mode to look at such swamps...

The important thing is that SSL is as much about authentication as it is
about encryption. If all we were concerned about was encryption, then
you would just have a certificate bound to the server's IP address, and
the SSL channel could be established without bothering about which VH to
use. Then, NBVH would work with encryption-only SSL.

However, it is also vital to *authenticate* the server. That is, the URL
the user types into the browser must match the Common Name in the
certificate (remember that in a real certificate, the Common Name is
guaranteed to belong to the server by the certificate signing authority
- not just anyone can get a certificate for www.amazon.com, for
instance). This is why the certificate must be defined at a VH level and
not server-wide. 

Encryption is like sending your money to the bank in an armoured car.
Authentication is making sure that the armoured car really does go to
the bank.

Rgds,

Owen Boyle



>
>-- 
>
>Charles B. (Ben) Cranston
>mailto:[EMAIL PROTECTED]
>http://www.wam.umd.edu/~zben

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
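
The chicken-and-egg problem discussed above was later solved by the TLS server_name extension (SNI, RFC 6066): the client states the hostname inside the ClientHello, so the server can pick the certificate of the matching virtual host before any HTTP request exists, and Owen's authentication requirement (the name the user typed must match the certificate) is preserved. The following is an added example, not code from this thread or from Apache/OpenSSL. It builds a constructed ClientHello, parses the SNI host out of it with every length checked against its enclosing structure, and selects a certificate from a constructed vhost table by exact, case-insensitive match against that vhost's CN/subjectAltName names. All names, paths and functions (build_client_hello, extract_sni, certificate_for_hello, select_for, VHOSTS) are the example's own.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define U16(p)  ((size_t)(((p)[0] << 8) | (p)[1]))
#define NEED(n) do { if ((size_t)(n) > (size_t)(end - p)) return 0; } while (0)

/* Walk a ClientHello and copy its SNI host_name into out. Returns 0 when there
 * is no SNI or the record is truncated/malformed: each length is checked before
 * use, so the parser fails closed instead of reading past the buffer. */
static int extract_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    const uint8_t *p = buf, *end = buf + len;
    NEED(5); if (p[0] != 0x16) return 0;                      /* record: handshake */
    NEED(5 + U16(p + 3)); end = p + 5 + U16(p + 3); p += 5;
    NEED(4); if (p[0] != 0x01) return 0;                      /* client_hello */
    { size_t hl = ((size_t)p[1] << 16) | U16(p + 2); p += 4; NEED(hl); end = p + hl; }
    NEED(34); p += 34;                                        /* version + random */
    NEED(1); NEED(1 + p[0]); p += 1 + p[0];                   /* session_id */
    NEED(2); NEED(2 + U16(p)); p += 2 + U16(p);               /* cipher_suites */
    NEED(1); NEED(1 + p[0]); p += 1 + p[0];                   /* compression */
    NEED(2); NEED(2 + U16(p)); end = p + 2 + U16(p); p += 2;  /* extensions */
    while (end - p >= 4) {
        size_t type = U16(p), elen = U16(p + 2);
        p += 4; NEED(elen);
        if (type != 0x0000) { p += elen; continue; }          /* not server_name */
        const uint8_t *q = p, *e = p + elen;
        if (e - q < 2 || U16(q) > (size_t)(e - q - 2)) return 0;
        e = q + 2 + U16(q); q += 2;                           /* server_name_list */
        while (e - q >= 3) {
            size_t nlen = U16(q + 1);
            if (nlen > (size_t)(e - q - 3)) return 0;
            if (q[0] == 0 && nlen > 0 && nlen < outlen) {     /* name_type host_name */
                memcpy(out, q + 3, nlen); out[nlen] = '\0'; return 1;
            }
            q += 3 + nlen;
        }
        return 0;
    }
    return 0;
}

/* Constructed ClientHello carrying one SNI host_name: the demo's own input. */
static size_t build_client_hello(const char *host, uint8_t *out)
{
    size_t hl = strlen(host), ext = 9 + hl, body = 43 + ext, p;
    const uint8_t head[] = { 0x16, 0x03, 0x01, (uint8_t)((body + 4) >> 8), (uint8_t)(body + 4),
                             0x01, 0x00, (uint8_t)(body >> 8), (uint8_t)body, 0x03, 0x03 };
    const uint8_t tail[] = { 0x00,                               /* empty session_id */
                             0x00, 0x02, 0xc0, 0x2f,             /* one cipher suite */
                             0x01, 0x00,                         /* null compression */
                             (uint8_t)(ext >> 8), (uint8_t)ext,  /* extensions length */
                             0x00, 0x00,                         /* server_name (0) */
                             (uint8_t)((hl + 5) >> 8), (uint8_t)(hl + 5),
                             (uint8_t)((hl + 3) >> 8), (uint8_t)(hl + 3),
                             0x00, (uint8_t)(hl >> 8), (uint8_t)hl };
    memcpy(out, head, sizeof head); p = sizeof head;
    memset(out + p, 0x11, 32); p += 32;                          /* fixed "random" (demo) */
    memcpy(out + p, tail, sizeof tail); p += sizeof tail;
    memcpy(out + p, host, hl);
    return p + hl;
}

struct vhost { const char *cert_file; const char *names[3]; };
static const struct vhost VHOSTS[] = {   /* constructed: CN / subjectAltName per cert */
    { "/etc/ssl/www.example.com.crt",    { "www.example.com", "example.com", NULL } },
    { "/etc/ssl/secure.example.net.crt", { "secure.example.net", NULL, NULL } },
};

static int name_eq(const char *a, const char *b)   /* DNS names: case-insensitive */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Certificate to present for this ClientHello. NULL means no vhost matched; a
 * server then serves a configured default or refuses, never a guessed name. */
const char *certificate_for_hello(const uint8_t *hello, size_t len)
{
    char host[256];
    if (!extract_sni(hello, len, host, sizeof host)) return NULL;
    for (size_t i = 0; i < sizeof VHOSTS / sizeof VHOSTS[0]; i++)
        for (size_t j = 0; j < 3 && VHOSTS[i].names[j]; j++)
            if (name_eq(VHOSTS[i].names[j], host)) return VHOSTS[i].cert_file;
    return NULL;
}

/* Build a hello for host and select; trim drops trailing bytes (truncation). */
const char *select_for(const char *host, size_t trim)
{
    uint8_t hello[512];
    size_t n = build_client_hello(host, hello);
    return trim < n ? certificate_for_hello(hello, n - trim) : NULL;
}

int main(void)
{
    const char *c = select_for("secure.example.net", 0);
    printf("%s\n", c ? c : "(no matching vhost)");
    return 0;
}
```

A request for a name that no vhost carries, and a record cut short anywhere (record, handshake, list or name length), both yield NULL; the selection logic never falls through to a certificate for a different name, which is exactly the property the authentication argument in this thread depends on.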



Re: Cancelling RSA Key Generation

2003-01-09 Thread Nils Larsch
Aram Perez wrote:

> Is there a way of cancelling the generation of an RSA key pair when
> RSA_generate_key(...) is used? I plan to use a callback function.

AFAIK it's not possible with OpenSSL <= 0.9.7. If you use the
current head (== 0.9.8-dev) you can use the callback function
to abort the key/parameter generation (see how it's done in
apps/dsaparam.c).

Regards,
Nils
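
The abort-via-callback contract Nils refers to, as an added example that is not code from this thread or from OpenSSL. In OpenSSL 0.9.8 and later the real mechanism is a BN_GENCB structure (filled with BN_GENCB_set()) passed to RSA_generate_key_ex(); the generator calls it during the prime search and, when the callback returns 0, stops and returns failure. The code below models that contract without OpenSSL so it can be compiled on its own: a toy trial-division prime search consults a callback of the same shape after every candidate, and a two-prime "key" is discarded whole if either search is aborted. The callback type gen_cb, the struct cancel_ctx budget mechanism, and the functions generate_prime, generate_toy_key and run_with_budget are assumptions of the example, not OpenSSL names.

```c
#include <stdint.h>
#include <stdio.h>

/* Same shape as a BN_GENCB callback: (what, iteration, app arg) -> 1 continue, 0 abort */
typedef int (*gen_cb)(int what, int iteration, void *arg);

/* Application-side cancellation state. A real program would set a flag from a
 * UI thread or timer; a budget of callback invocations stands in for that here. */
struct cancel_ctx { int budget; int calls; int aborted; };

static int budget_cb(int what, int iteration, void *arg)
{
    struct cancel_ctx *c = arg;
    (void)what; (void)iteration;
    if (++c->calls > c->budget) { c->aborted = 1; return 0; }  /* 0 == please abort */
    return 1;
}

static int is_prime(uint32_t n)   /* toy trial division; fine for 32-bit demo values */
{
    if (n < 2) return 0;
    for (uint32_t d = 2; d * d <= n; d++) if (n % d == 0) return 0;
    return 1;
}

/* Toy prime search. The callback sees what=0 for every candidate tried and
 * what=2 once a prime is found (the two events a cancelling application cares
 * about). Returns 1 with *out set, or 0 if the callback asked to abort, in
 * which case *out is left untouched. */
static int generate_prime(uint32_t start, uint32_t *out, gen_cb cb, void *arg)
{
    for (uint32_t n = start; n != 0; n++) {
        if (cb && !cb(0, (int)(n - start), arg)) return 0;    /* honour the abort */
        if (is_prime(n)) {
            if (cb && !cb(2, 0, arg)) return 0;
            *out = n;
            return 1;
        }
    }
    return 0;   /* wrapped around: no prime found (impossible for sane starts) */
}

/* Toy "key pair": two primes and their product under one callback. An abort
 * during either search discards everything produced so far, as a real key
 * generator must: no half-built key escapes to the caller. */
struct toy_key { uint32_t p, q; uint64_t n; };

int generate_toy_key(uint32_t start_p, uint32_t start_q, struct toy_key *key,
                     gen_cb cb, void *arg)
{
    struct toy_key k = { 0, 0, 0 };
    if (!generate_prime(start_p, &k.p, cb, arg)) return 0;
    if (!generate_prime(start_q, &k.q, cb, arg)) return 0;   /* k.p dies with k */
    k.n = (uint64_t)k.p * k.q;
    *key = k;
    return 1;
}

/* One generation run with a callback budget; 1 on success, 0 when aborted. */
int run_with_budget(int budget, struct toy_key *key, int *aborted)
{
    struct cancel_ctx ctx = { budget, 0, 0 };
    int ok = generate_toy_key(1000, 2000, key, budget_cb, &ctx);
    *aborted = ctx.aborted;
    return ok;
}

int main(void)
{
    struct toy_key key = { 0, 0, 0 };
    int aborted = 0;
    if (run_with_budget(1000, &key, &aborted))
        printf("generated p=%u q=%u n=%llu\n", key.p, key.q, (unsigned long long)key.n);
    if (!run_with_budget(5, &key, &aborted))
        printf("generation aborted by callback (aborted=%d)\n", aborted);
    return 0;
}
```

With a generous budget the run produces p=1009, q=2003; with a budget that runs out between the two searches the first prime is thrown away along with the rest, so the caller's key stays zeroed. That discard-on-abort behaviour is the part worth checking in any generator that is cancellable through a callback.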




Re: Hi, Please help me.

2003-01-09 Thread Anthony Neal


Hi there,
The problem that I encountered was with a call to ERR_get_error_line_data(),
and has not yet been solved.  I was not encountering any memory leaks
with SSL_connect().  We are using OpenSSL V 0.9.6b currently, we plan
to upgrade in the near future.
When creating an SSL*, I tend to do the following:
SSL*
SSLConnection::createSSLConnection(int socket)
{
    assert(_sslContext != 0);
    SSL* sslConnection = SSL_new(_sslContext);
    assert(sslConnection != 0);
    SSL_clear(sslConnection);
    SSL_set_fd(sslConnection, socket);
    return sslConnection;
}
I don't do anything special in the destruction, simply call SSL_shutdown(). 
I leave it to another part of the application to close the socket for me.
Hope it helps!
-Anthony
 
"Jack Y." wrote:
Hi,
    I am sorry to send this to you directly; I hope it does not bother you.
    The OpenSSL mailing list does not seem to work; I cannot
subscribe to it. I also sent my mail to [EMAIL PROTECTED],
but got no response.
    You seem to have had the same problem as me, please give me
some hints, many thanks; if you have not solved the problem yet, please post this
mail on the mailing list, many thanks.
    I ran into a terrible problem: my client application,
which uses OpenSSL 0.9.6h, loses 4K of memory on every SSL_connect()...
    The product is being released, so things have become very
clear: remove the leak, or throw out the OpenSSL lib and do the whole job (authentication,
encryption) myself.
    On the list, I saw many people solve the problem by
closing the socket before freeing the SSL object. But it does not work in my program.
So, if you are one of them, please send a copy of your client program, MANY THANKS.
    Purify says I leak memory allocated in CRYPTO_malloc;
I think that is of no use.
    I tried
    CRYPTO_malloc_debug_init();
    CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
    for
    ...
    end for
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);
    CRYPTO_mem_leaks_fp(stderr);
    and the program crashes at CRYPTO_mem_leaks_fp(..)!!!
    I saw a post a long time ago saying there really is a memory
leak in OpenSSL, http://marc.theaimsgroup.com/?l=openssl-users&m=99973677617001&w=2,
is it fixed now? If not, ...oh, that hurts!
    My environment is: w2k professional, 0.9.6h
The code flow of the client is as follows
* SSL_CTX_new(...)
* SSL_CTX_use_certificate_ASN1(...)
* SSL_CTX_use_RSAPrivateKey_ASN1(...)
* X509_STORE_add_cert() // To add CA cert
* SSL_CTX_sess_set_cache_size(ctx, 0);
* SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF);
* other init actions
* for ever
    * SSL_new(...)
    * create read & write BIOs
    * SSL_connect(...)
    *  .
    * SSL_shutdown(...)
    * closesock(...)
    * SSL_free(...)
    * ERR_remove_state(0);
    * ERR_free_strings();
    * EVP_cleanup();
    * sleep
* endfor
I also tried:
* for ever
    * SSL_CTX_new(...)
    * SSL_CTX_use_certificate_ASN1(...)
    * SSL_CTX_use_RSAPrivateKey_ASN1(...)
    * X509_STORE_add_cert() // To add CA cert
    * other init actions
    * SSL_new(...)
    * create read & write BIOs
    * SSL_connect(...)
    *  .
    * SSL_shutdown(...)
    * closesock(...)
    * SSL_free(...)
    * SSL_CTX_free(...)
    * ERR_remove_state(0);
    * ERR_free_strings();
    * EVP_cleanup();
    * sleep
* endfor
but I still lose 4K memory every loop...
My code is below for details.
// TestClntSSL.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "TestClntSSL.h"
#include "Winsock2.h"
/* The six header names below were lost in the archived copy of this mail;
   these are an assumption restored from the calls the code makes. */
#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
typedef struct CLIENT_PARA
{
    SSL_CTX * pctx;
    char * szFile;
    unsigned long ulAddr;
    int server_port;
} CLIENT_PARA;
static int port = 4433;
static char* server_ip = "192.168.xx.xx";
static char *ciphers = "DES-CBC3-SHA";
static int s_server_session_id_context = 1;
static char *passwd = "n1234";
static char *srvr_cert_file = "c:\\VCDebug\\nnn.crt";
static char *srvr_key_file = "c:\\VCDebug\\nnn.key";
static char *ca_cert_file = "c:\\VCDebug\\ca.crt";
static char *host = "CN=mmm";
static int password_cb(char *buf, int num, int rwflag, void *userdata);
SSL_CTX *initialize_ctx()
{
    SSL_METHOD *meth;
    SSL_CTX *ctx;
    int seed_int[1000];
    /* Global system initialization */
    SSL_library_init();
    SSL_load_error_strings();
    /* Set up a SIGPIPE handler */
//    signal(SIGPIPE,sigpipe_handle);
    /* Create our context */
    meth = SSLv3_client_method();
    ctx = SSL_CTX_new(meth);
    /* Load our keys and certificates */
    if (!(SSL_CTX_use_certificate_file(ctx, srvr_cert_file, SSL_FILETYPE_PEM)))
    {
        char szTemp[100] = "Can't read certificate file";
        Log(szTemp);
        return NULL;
    }
    SSL_CTX_set_default_passwd_cb(ctx, password_cb);
    if (!(SSL_CTX_use_PrivateKey_file(ctx, srvr_key_file, SSL_FILETYPE_PEM)))
    {
        char szTemp[100] = "Can't read key file";
        Log(szTemp);
        return NULL;
    }
    /* Load the CAs we trust */
    if (!(SSL_CTX_load_verify_l

memory leaks under openssl-0.9.7 on windows

2003-01-09 Thread Aslam
Hi,

I used to do openssl memory leaks checking using following code under
openssl-0.9.6x:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>

static BIO *bio_stdout;   /* declaration not in the posted excerpt; added here */

int main(int argc, char* argv[])
{
    CRYPTO_malloc_debug_init();
    CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
    OpenSSL_add_all_algorithms();

    bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);

    if (bio_stdout)
        BIO_free(bio_stdout);

    printf("\n");

    OBJ_cleanup();
    EVP_cleanup();
    ERR_clear_error();
    ERR_free_strings();
    ERR_remove_state(0);

    CRYPTO_mem_leaks_fp(stderr);
    printf("\n");

    return 0;
}

Above code looks like it worked fine, I mean it detected if I miss any free
call.

But the same code is giving me following leaks under openssl-0.9.7 and its
betas:

[12:55:41]   351 file=.\crypto\stack\stack.c, line=124, thread=892, number=20, address=008D3390
[12:55:41]   350 file=.\crypto\ex_data.c, line=308, thread=892, number=12, address=008D3460
[12:55:41]   348 file=.\crypto\lhash\lhash.c, line=119, thread=892, number=96, address=008D3630
[12:55:41]   349 file=.\crypto\lhash\lhash.c, line=121, thread=892, number=64, address=008D3530
[12:55:41]   353 file=.\crypto\lhash\lhash.c, line=193, thread=892, number=12, address=008D31F0
[12:55:41]   352 file=.\crypto\stack\stack.c, line=126, thread=892, number=16, address=008D32C0
220 bytes leaked in 6 chunks

What I should do to resolve these? Are there any leaks or no leaks ??

Thanks
Aslam




Stripping the OpenSSL library

2003-01-09 Thread Sidney Fortes
Dear OpenSSL users,

I have successfully implemented a message system mechanism using the OpenSSL
library as the foundation for all the cryptography operations. The system
was deployed and now the client has asked me to
do a dependency check and find all the OpenSSL source files that are
being used by my code, and
with this information to produce a makefile that compiles only what I really
need from OpenSSL.
I have tried to find the dependencies using a map of all the linked
functions from OpenSSL, and
it turns out to be something around 1700 functions.
My question is, has anybody out there done that successfully?
If so, what is the best approach to get it done?
Is that going to make it easy for me to port my app to another "not yet ported
OS"?

PS. (I don't really agree with the client's idea (but they are the "Client"
anyway), so if anybody else has a good
idea on how to convince them that we need to keep the OpenSSL library as a
single unit, that would be
very much appreciated.)

Thanks for any and all replies,

Sidney Fortes




Re: Stripping the OpenSSL library

2003-01-09 Thread terr
I would be interested in looking at what you did.  I and others in the past have run 
into issues with the way OpenSSL does server side I/O.  Perhaps this will be part of a 
solution.

Please advise how I can get the code.  [EMAIL PROTECTED]

Thanx 

On Thu, Jan 09, 2003 at 02:07:03PM -0500, Sidney Fortes wrote:
> Dear OpenSSL users,
> 
> I have sucessfully implemented a message system mechanism using the OpenSSL
> library as the foundation for all the cryptography operations. The system
> was deployed and now, the client asked me to
> do a dependency checking and find all the OpenSSL source files that are
> being used by my code and
> with this information to produce a makefile to compile only what I really
> need from OpenSSL.
> I have tried to find the dependencies using a map from all the linked
> functions from OpenSSL and
> it turns to be something around 1700 functions.
> My Question is, Is anybody out there that have done that sucessfully?
> If so, what is the best approach to get it done?
> Is that going to make easy for me to port my app to another "not yet ported
> OS" ?
> 
> PS.( I don't really agree with the client's idea (but they are "Client"
> anyway), So if anybody else has an good
> idea in how to convince them that we need to keep the OpenSSL library as a
> single unit, that would be
> very appreciated)
> 
> Thanks for any and all replies,
> 
> Sidney Fortes
> 



Re: memory leaks under openssl-0.9.7 on windows

2003-01-09 Thread Dr. Stephen Henson
On Thu, Jan 09, 2003, Aslam wrote:

> Hi,
> 
> I used to do openssl memory leaks checking using following code under
> openssl-0.9.6x:
> 
> int main(int argc, char* argv[])
> {
>   CRYPTO_malloc_debug_init();
>   CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
>   CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
>   OpenSSL_add_all_algorithms();
> 
>   bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
> 
>   if(bio_stdout)
>   BIO_free(bio_stdout);
> 
>   printf("\n");
> 
>   OBJ_cleanup();
>   EVP_cleanup(); 
>   ERR_clear_error();
>   ERR_free_strings();
>   ERR_remove_state(0);
> 
>   CRYPTO_mem_leaks_fp(stderr);
>   printf("\n");
> 
>   return 0;
> }
> 
> Above code looks like it worked fine, I mean it detected if I miss any free
> call.
> 
> But the same code is giving me following leaks under openssl-0.9.7 and its
> betas:
> 
> [12:55:41]   351 file=.\crypto\stack\stack.c, line=124, thread=892, number=20, address=008D3390
> [12:55:41]   350 file=.\crypto\ex_data.c, line=308, thread=892, number=12, address=008D3460
> [12:55:41]   348 file=.\crypto\lhash\lhash.c, line=119, thread=892, number=96, address=008D3630
> [12:55:41]   349 file=.\crypto\lhash\lhash.c, line=121, thread=892, number=64, address=008D3530
> [12:55:41]   353 file=.\crypto\lhash\lhash.c, line=193, thread=892, number=12, address=008D31F0
> [12:55:41]   352 file=.\crypto\stack\stack.c, line=126, thread=892, number=16, address=008D32C0
> 220 bytes leaked in 6 chunks
> 
> What I should do to resolve these? Are there any leaks or no leaks ??
> 

Probably the new ex_data code. Try adding CRYPTO_cleanup_all_ex_data();
in there.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



Build problems with openssl.

2003-01-09 Thread Sunitha Kumar
Hi,
Query about the openssl-0.9.7 build:

I built openssl-0.9.7 using config:
./config --prefix=/usr/local/opensslbuilds no-threads no-shared

This created all files in /usr/local/opensslbuilds.
Then I copied libssl.a and libcrypto.a into my source directory, and
made changes to my Makefile to link with
these libraries.
I get the link error below in libssl.a. Any pointers as to what may be wrong?
thanks,


../openssl/linux/lib/libssl.a(t1_enc.o): In function `tls1_P_hash':
t1_enc.o(.text+0x28): undefined reference to `HMAC_CTX_init'
t1_enc.o(.text+0x33): undefined reference to `HMAC_CTX_init'
t1_enc.o(.text+0x51): undefined reference to `HMAC_Init_ex'
t1_enc.o(.text+0x6d): undefined reference to `HMAC_Init_ex'
t1_enc.o(.text+0x86): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x9d): undefined reference to `HMAC_Final'
t1_enc.o(.text+0xb1): undefined reference to `HMAC_Init_ex'
t1_enc.o(.text+0xc2): undefined reference to `HMAC_Init_ex'
t1_enc.o(.text+0xd1): undefined reference to `HMAC_Update'
t1_enc.o(.text+0xe0): undefined reference to `HMAC_Update'
t1_enc.o(.text+0xf9): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x116): undefined reference to `HMAC_Final'
t1_enc.o(.text+0x149): undefined reference to `HMAC_Final'
t1_enc.o(.text+0x169): undefined reference to `HMAC_CTX_cleanup'
t1_enc.o(.text+0x174): undefined reference to `HMAC_CTX_cleanup'
../openssl/linux/lib/libssl.a(t1_enc.o): In function
`tls1_change_cipher_state':
t1_enc.o(.text+0x247): undefined reference to `COMP_CTX_free'
t1_enc.o(.text+0x267): undefined reference to `COMP_CTX_new'

t1_enc.o(.text+0x388): undefined reference to `COMP_CTX_free'


