Re: Some functions are just plain slow... [Re-Sent]
On Sat, Jan 11, 2003 at 12:23:12AM -0800, Raymond C. Rodgers wrote:
> I've managed to get OpenSSL 0.9.7 compiled and installed on a BeOS R5.0.x
> system with BONE (a networking stack), but I'm not able to use OpenSSL for
> reasons I've yet to determine. When I start up a freshly compiled app that
> uses OpenSSL, and has worked fine under previous versions, I'm seeing that
> RAND_egd(), RAND_status(), and other functions (including SSL_connect()) are
> taking minutes to finish executing. I believe these functions are actually
> failing, but I haven't been able to get any details on exactly what's
> happening.
>
> Even "make test" for OpenSSL takes an extremely long time (over 12 hours in
> fact), especially in exptest and randtest. I'm going to attach the
> maketest.log file to this message so anyone that might have a clue what's
> happening might be able to help. According to the maketest.log, the tests
> passed but when in use my application's connection is timing out long before
> it establishes an SSL connection. I hardly think that's successful.
>
> So, what configure options might cause such pitiful performance? I compiled
> OpenSSL with the following options:
> -DOPENSSL_THREADS -DOPENSSL_NO_KRB5 -DTERMIO -m486 l -D_REENTRANT -DSHA1_ASM
> -DMD5_ASM -DELF -DNO_SYSLOG -DNO_SYS_UN_H -DTERMIOS -DL_ENDIAN -fomit-frame-pointer
> -O3 -m486 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

Use a system call tracer (trace, strace, tusc or whatever it might be called
on your system) to see whether the program is hanging in some system call.
It might for example happen that such a behaviour occurs with a blocking
/dev/random device. The OpenSSL library tries to read random bits and only
returns once the amount of bits was received. In any case, the OpenSSL
library does not have any timeouts on such operations, such that it might
even hang completely. Hangs on I/O operations typically are indicated by a
hanging program that does however not show any system load.
A long running loop is indicated by a corresponding system load and CPU time
used. If you don't have a system call tracer, you can also run the
application under a debugger and interrupt during the time in which the
application does not advance. You should then see the location and call
stack...

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
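A quick check for the blocking /dev/random case Lutz describes, added here as an example and not part of the thread: the device is opened with O_NONBLOCK, so instead of hanging, a read reports EAGAIN when the entropy pool has nothing to give, which is exactly the condition under which a blocking reader such as OpenSSL's RAND seeding stalls. The device paths, the 32-byte request and the empty-pipe self-check are constructed for this example; the code assumes a POSIX system.

```c
/* Added example (not from the thread): probe an entropy source with a
 * non-blocking read to see whether a blocking reader would stall on it. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

enum entropy_state {
    ENTROPY_READY,        /* all requested bytes came back immediately */
    ENTROPY_WOULD_BLOCK,  /* read() gave EAGAIN: a blocking read would hang here */
    ENTROPY_EXHAUSTED,    /* EOF before enough bytes (regular file, /dev/null) */
    ENTROPY_ERROR         /* open() or read() failed; errno holds the reason */
};

/* Probe an already-open, non-blocking descriptor for `want` bytes (max 256). */
enum entropy_state probe_entropy_fd(int fd, size_t want, size_t *got)
{
    unsigned char buf[256];
    size_t total = 0;
    if (want > sizeof buf)
        want = sizeof buf;
    while (total < want) {
        ssize_t n = read(fd, buf + total, want - total);
        if (n > 0) {
            total += (size_t)n;
        } else if (n == 0) {
            break;                               /* EOF: source exhausted */
        } else if (errno == EINTR) {
            continue;                            /* interrupted, retry */
        } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
            if (got) *got = total;
            return ENTROPY_WOULD_BLOCK;          /* the pool is empty right now */
        } else {
            if (got) *got = total;
            return ENTROPY_ERROR;
        }
    }
    if (got) *got = total;
    return total == want ? ENTROPY_READY : ENTROPY_EXHAUSTED;
}

/* Open `path` in non-blocking mode and probe it. */
enum entropy_state probe_entropy_source(const char *path, size_t want, size_t *got)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) {
        if (got) *got = 0;
        return ENTROPY_ERROR;
    }
    enum entropy_state st = probe_entropy_fd(fd, want, got);
    close(fd);
    return st;
}

/* Self-check: an empty pipe whose writer is still open behaves like a
 * depleted blocking device, so it must be classified as WOULD_BLOCK. */
enum entropy_state probe_empty_pipe(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return ENTROPY_ERROR;
    fcntl(fds[0], F_SETFL, O_NONBLOCK);
    enum entropy_state st = probe_entropy_fd(fds[0], 16, NULL);
    close(fds[0]);
    close(fds[1]);
    return st;
}

static const char *describe(enum entropy_state st)
{
    switch (st) {
    case ENTROPY_READY:       return "ready (a blocking read returns at once)";
    case ENTROPY_WOULD_BLOCK: return "WOULD BLOCK (a blocking reader hangs here)";
    case ENTROPY_EXHAUSTED:   return "exhausted (EOF before enough bytes)";
    default:                  return "error (cannot open or read)";
    }
}

int main(void)
{
    const char *paths[] = { "/dev/random", "/dev/urandom" };   /* constructed list */
    for (size_t i = 0; i < 2; i++) {
        size_t got = 0;
        enum entropy_state st = probe_entropy_source(paths[i], 32, &got);
        printf("%-13s %zu/32 bytes: %s\n", paths[i], got, describe(st));
    }
    return 0;
}
```

On a system of that era where RAND seeding hangs, /dev/random reports WOULD BLOCK while /dev/urandom is ready; if both are ready, the stall is elsewhere and the tracer or debugger break during the hang is the next step. Linux kernels since 5.6 no longer block on /dev/random once the pool is initialised, so the probe matters mainly on older kernels and on devices that still implement blocking semantics.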
Stunnel 4.04 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version 4.04, 2003.01.12, urgency: MEDIUM:
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - Encrypted private key can be used with Win32 GUI.
* New features
  - New 'options' configuration option to setup OpenSSL library hacks
    with SSL_CTX_set_options().
  - 'service' option also changes the name for TCP Wrappers access
    control in inetd mode.
  - Support for BeOS (thx to Mike I. Kozin <[EMAIL PROTECTED]>)
  - SSL is negotiated before connecting remote host or spawning local
    process whenever possible.
  - REMOTE_HOST variable is always placed in the environment of a
    process spawned with 'exec'.
  - Whole SSL error stack is dumped on errors.
  - 'make cert' rule is back (was missing since 4.00).
  - Manual page updated (special thanks to Brian Hatch).
  - TODO updated.
* Bugfixes
  - Major code cleanup (thx to Steve Grubb <[EMAIL PROTECTED]>).
  - Unsafe functions are removed from SIGCHLD handler.
  - Several bugs in auth_user() fixed.
  - Incorrect port when using 'local' option fixed.
  - OpenSSL tools '-rand' option is no longer directly used with a device
    (like '/dev/urandom'). Temporary random file is created with 'dd'
    instead.
* DLLs for OpenSSL 0.9.7.

The problem with unsafe SIGCHLD handler is a serious one, so I recommend
the upgrade.

Homepage: http://stunnel.mirt.net/
Download: ftp://stunnel.mirt.net/stunnel/

Best regards,
	Mike

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+IZBO/NU+nXTHMtERAki4AJ9orDnEQ/QAGLJLwUA/384LQINP0ACdHwZH
gAcF2V4G00rBWtwLf+uMolg=
=1mlP
-----END PGP SIGNATURE-----
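The "unsafe functions removed from SIGCHLD handler" fix in the list above is the classic async-signal-safety problem, and it is worth seeing the safe shape in code. The following is an added example, not stunnel's own source: the handler sets one flag and returns, and the process reaps and logs children from its main loop, where printf and the rest of libc are safe to call. The child exit code and the one-millisecond polling sleep are constructed for the demo; a real server would wake from poll() or select() instead. It assumes a POSIX system.

```c
/* Added example (not stunnel's code): a SIGCHLD handler limited to
 * async-signal-safe work; reaping and logging happen in the main loop. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t child_exited = 0;  /* written by the handler, read by the loop */

/* The handler records the event and nothing else: no printf, malloc or
 * library calls, which are not async-signal-safe and can deadlock or corrupt
 * state when the signal lands inside them. */
static void on_sigchld(int signo)
{
    (void)signo;
    child_exited = 1;
}

int install_sigchld_handler(void)
{
    struct sigaction sa;
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;  /* restart syscalls; ignore stop/continue */
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Main-loop side: reap every finished child without blocking. Returns the
 * number reaped and leaves the last wait status in *last_status. */
int reap_children(int *last_status)
{
    int reaped = 0, status;
    pid_t pid;
    child_exited = 0;  /* clear first, so a signal arriving during waitpid is not lost */
    while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
        reaped++;
        if (last_status != NULL) *last_status = status;
        if (WIFEXITED(status))
            printf("child %ld exited with status %d\n", (long)pid, WEXITSTATUS(status));
        else if (WIFSIGNALED(status))
            printf("child %ld killed by signal %d\n", (long)pid, WTERMSIG(status));
    }
    return reaped;
}

/* Demonstration: fork a child that exits with `code`, wait for the flag as a
 * server loop would (here with a short sleep instead of poll()), then reap.
 * Returns the child's exit code, or -1 if nothing was reaped. */
int demo_child_exit(int code)
{
    if (install_sigchld_handler() != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(code);                /* child: exit immediately (constructed) */
    struct timespec tick = { 0, 1000000 };    /* 1 ms */
    for (int i = 0; i < 5000 && !child_exited; i++)
        nanosleep(&tick, NULL);
    int status = 0;
    if (reap_children(&status) < 1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("demo_child_exit(3) -> %d\n", demo_child_exit(3));
    return 0;
}
```

The flag is cleared before the waitpid loop rather than after it: if a second child exits while the loop runs, its signal sets the flag again and the next pass of the main loop reaps it, so no exit is lost and no zombie is left behind.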
Re: Stunnel 4.04 released
Michal Trojnara wrote:
>
> Version 4.04, 2003.01.12
...

Downloaded stunnel-4.04.exe to a Win 2K system. Tried to run it as
"stunnel -help". Got nothing. Furthermore, looking at the source, as far
as I can tell, when compiling for WIN32, no main procedure is compiled.
What am I missing?

Bill.
Re: OpenSSL client/server C code problems
first of all - you can initialize SSL context once per process - and reuse it
on every incoming or outgoing connection request. So you can remove:

    SSL_library_init();
    ERR_load_crypto_strings();
    SSL_load_error_strings();
    ssl_context = SSL_CTX_new( SSLv3_method() );

from your connect functions.

2. Next be sure that you compile with /MD /multithreaded DLL/ switch /or MDd
for Debug versions/

I suggest you look into your openssl-0.9.6\demos\ssl directory for a working
sample

--- Bryan Bishop Whitehead <[EMAIL PROTECTED]> wrote:
> I'm trying to learn how to use the OpenSSL library so I thought I'd make a
> very simple client/server app to get started.
>
> I first made 2 simple programs that do this: The server listens on a port,
> and when a connection comes in it will echo whatever is sent from the
> client. The Client connects to this port and sends whatever the user
> types. After I did that the next step (so I thought) would be simple:
> throw in ssl.
>
> This is the section of code (that is broken) on the server side that now
> handles the ssl stuff. The connection is already established and I have a
> file descriptor:
>
> int client_connect() {
>     SSL_CTX *ssl_context;
>     SSL *ssl_struct;
>     int ret, n;
>
>     SSL_library_init();
>     ERR_load_crypto_strings();
>     SSL_load_error_strings();
>     ssl_context = SSL_CTX_new( SSLv3_method() );
>     if ( ssl_context == NULL )
>         exit(10);
>     ssl_struct = SSL_new( ssl_context );
>     if ( ssl_struct == NULL )
>         exit(11);
>     SSL_clear( ssl_struct );
>     if ( ! SSL_set_fd ( ssl_struct, fd ) )
>         exit(12);
>     ERR_clear_error();
>     ret = SSL_accept ( ssl_struct );
>     if ( ret != 1 )
>     {
>         ERR_print_errors_fp(stdout);
>         fflush(stdout);
>         exit(13);
>     }
>     while ( (n = SSL_read(ssl_struct, buf, BUFFSIZE - 1)) > 0 )
>     {
>         buf[n] = '\0';      /* SSL_read does not NUL-terminate */
>         printf("%s",buf);
>         fflush(stdout);
>     }
>     SSL_shutdown(ssl_struct);
>     close(fd);
>     return 0;
> }
>
> This chunk of code bombs out at SSL_accept with:
> 15654:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:858:
>
> The client portion is this:
>
> int server_connect() {
>     /* SSL vars */
>     SSL_CTX *ssl_context;
>     SSL *ssl_struct;
>     int ret;
>     DSA key;
>
>     SSL_library_init();
>     ERR_load_crypto_strings();
>     SSL_load_error_strings();
>     ssl_context = SSL_CTX_new( SSLv3_method() );
>     ssl_struct = SSL_new( ssl_context );
>     SSL_clear( ssl_struct );
>     SSL_set_fd ( ssl_struct, sd );
>     ret = SSL_connect ( ssl_struct );
>     if ( ret != 1 )
>     {
>         ERR_print_errors_fp(stdout);
>         fflush(stdout);
>         exit(10);
>     }
>     while ( fgets(buf, BUFFSIZE - 1, stdin) )
>         SSL_write( ssl_struct, buf, strlen(buf) );  /* send the line, not the whole buffer */
>     SSL_shutdown( ssl_struct );
>     close(sd);
>     return 0;
> }
>
> This one bombs out on SSL_connect with this error:
> 15707:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1031:SSL alert number 40
>
> the man page for ssl in the Description lists SSL_library_init, then
> SSL_CTX_new, SSL_new, SSL_set_fd, and finally SSL_accept/SSL_connect as
> the routines.
>
> I'm pretty sure I'm missing something major here, the part about
> SSL_CTX_new that says, "Various options regarding certificates, algorithms
> etc. can be set in this object." I can't seem to find the details to
> connect the dots
>
> Any help would be greatly appreciated!
>
> I tried subscribing to the list, but I'm not getting a reply from
> majordomo. :( So please CC me just in case. Better to get 2 emails than
> none.
>
> -Bryan