Re: Error in 20060610 releases

2006-06-10 Thread Bodo Moeller
On Sat, Jun 10, 2006 at 06:25:33AM -0600, The Doctor wrote: [...] > making all in crypto/evp... > make: don't know how to make e_camellia.o. Stop > *** Error code 1 Oops ... a new file that I forgot to add to the CVS. This will be fixed in the next snapshot (20060611).

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> Hello, > > If you call SSL_read, an application-level read function, > > with a blocking > > socket, you are asking it to block until it can read > application-level data. > Here is information from www.openssl.org: > -- If the underlying BIO is blocking, SSL_read() will only return, once

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, > An SSL_read on a blocking socket should block until data can be read, > just > as a regular 'read' on a TCP connection does. Even in a regular read() from a blocking socket there may be situations when -1 is returned but no critical error occurs and you should simply retry read() - when

Re: renegotiating problem - connection hanging?

2006-06-10 Thread Victor Duchovni
On Sat, Jun 10, 2006 at 03:54:18PM -0700, David Schwartz wrote: > > I do not agree. SSL_read() should be corrected. > > If you call SSL_read, an application-level read function, with a blocking > socket, you are asking it to block until it can read application-level data. > > The error is simple

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, > If you call SSL_read, an application-level read function, with a > blocking > socket, you are asking it to block until it can read application-level data. Here is information from www.openssl.org: -- If the underlying BIO is blocking, SSL_read() will only return, once -- the read

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, > > It is very simple - if SSL_read() has to do other work than reading > > application data records (encrypted user data) like renegotiation > > it should return WANT_READ. > > An SSL_read on a blocking socket should block until data can be read, > just > as a regular 'read' on a T

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> It is very simple - if SSL_read() has to do other work than reading > application data records (encrypted user data) like renegotiation > it should return WANT_READ. An SSL_read on a blocking socket should block until data can be read, just as a regular 'read' on a TCP connection does.

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Marek Marcola
Hello, > > Here's a hypothetical. The 'select' function gives you a 'read' hit. You > > call SSL_read (thinking there's application-level data, but you don't really > > know, do you?). SSL_read reads part of a re-negotiation but has no data to > > return to you, so it calls 'read' again (how d

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> Did you look at my logs with s_client? I'm starting to suspect that the > correct way to put it is: "there is *supposed* to be no deadlock, > but there > is a bug in SSL_read that can make you screwed". The bug is not in SSL_read. The bug is in the decision to call SSL_read. Th

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> The discussion below wherein the term "you're screwed" is used > seems to indicate that there is a deadlock situation, which isn't > the case. There may or may not be performance issues associated > with the scenario/use-case, but there's no deadlock. > > R There is a deadlock. You are

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> I'd agree with you if it was not working consistently. It's a race condition. > But in most cases > blocking SSL_read returns helpful WANT_READ. My understanding is that > WANT_READ return from SSL_read is especially for avoiding the > deadlock I'm > running into. You would b

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
> > If you call SSL_read on a blocking socket when select says > > it is readable you expect it not to block [forever]. Of course > > it might block > > if there is some data available on the underlying socket but not > > enough to > > complete SSL deciphering, but under normal circumstances it wi

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
> The discussion below wherein the term "you're screwed" is used seems to > indicate that there is a deadlock situation, which isn't the case. There > may or may not be performance issues associated with the > scenario/use-case, but there's no deadlock. Did you look at my logs with s_client?

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Randy Turner
The discussion below wherein the term "you're screwed" is used seems to indicate that there is a deadlock situation, which isn't the case. There may or may not be performance issues associated with the scenario/use-case, but there's no deadlock. R -Original Message- From: [EMAIL PRO

Re: renegotiating problem - connection hanging?

2006-06-10 Thread Joe Flowers
I'm watching this thread with great interest as I have not figured out the correct way to handle OpenSSL with non-blocking sockets, which are a requirement in my case. Can anyone expand on the correct way to handle OpenSSL over non-blocking sockets please? I haven't been able to find any reli

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> Well, we are talking about s_client here... part of the openssl executable. > select() is used with the blocking sockets to make sure that, well, they > don't block. It doesn't work that way. The only way to ensure that socket operations don't block is to set the sockets non-blocking. > If

Re: No client certificate CA names sent

2006-06-10 Thread Victor Duchovni
On Fri, Jun 09, 2006 at 05:25:59PM -0500, Kenyatta Senior wrote: > >> No client certificate CA names sent > > > >The server is not asking for client certificates. You need to > >configure it to do that and give it a non-empty CAfile. > > > >> Shouldn't i see something like: > >> > >> Acceptable cl

RE: renegotiating problem - connection hanging?

2006-06-10 Thread Mikhail Kruk
> > > Is your socket non-blocking? > > > No, socket is blocking. When I run s_client in non-blocking mode it > > doesn't get stuck. > > You can't use 'select' reliably with blocking sockets. Well, it is > possible > to do so, but it is extremely difficult and can only be done with OpenS

RE: renegotiating problem - connection hanging?

2006-06-10 Thread David Schwartz
> > > I always call SSL_pending() before going into select(), as far as I > > > understand that should be sufficient. Anyways, the server is > > > not hanging > > > in select(), it is definitely inside SSL_read(). > > > > Is your socket non-blocking? > No, socket is blocking. When I run s_c

Re: No client certificate CA names sent

2006-06-10 Thread Marek Marcola
Hello, > Like I was saying earlier I keep seeing that error message > connection_read(11): unable to get TLS client DN, error=49 id=0 After looking at the OpenLDAP code, it seems that the server tries to get the certificate DN name from the client SSL object. Of course the client did not supply this certificate (bec

Re: No client certificate CA names sent

2006-06-10 Thread [Yatta]
I got it... I understand what is going on. I guess my head was gathering water, which is why I never noticed it before. Thanks Marek On 6/9/06, Kenyatta Senior <[EMAIL PROTECTED]> wrote: Marek, Thanks for your help. Like I was saying earlier I keep seeing that error message connection_read(11): unabl

Re: CSR Without Prompting

2006-06-10 Thread trlists
> Likely you are already in a Perl script? What about copying a > template config to a scratch file, making appropriate substitutions > from the form data? Or if your form processor isn't a convenient > place to do this, you could fork a command that pipes the template > through e.g. sed. Actua

Error in 20060610 releases

2006-06-10 Thread The Doctor
Script started on Sat Jun 10 06:12:11 2006 doctor.nl2k.ab.ca//usr/source/openssl-0.9.8-stable-SNAP-20060610$ make && cat /usr/contrib/bin/configopenssl ./Configure threads shared no-sse2 --prefix=/usr/contrib --openssldir=/usr/contrib debug-bsdi-x86-elf "

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
Marek, Thanks for your help. Like I was saying earlier I keep seeing that error message connection_read(11): unable to get TLS client DN, error=49 id=0 and when I look at the debug info none of my information is being encrypted. Sorry if I seem dumb in this whole process, want to get a better

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
On 6/9/06, Marek Marcola <[EMAIL PROTECTED]> wrote: Hello, > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL_connect:SSLv3 read server hello A > SSL_connect:SSLv3 read server certificate A > SSL_connect:SSLv3 read server done A > SSL_connect:SSLv3 writ

Re: No client certificate CA names sent

2006-06-10 Thread Kenyatta Senior
On 6/9/06, Victor Duchovni <[EMAIL PROTECTED]> wrote: On Fri, Jun 09, 2006 at 07:18:30AM -0500, [Yatta] wrote: > snip > LS trace: SSL_accept:SSLv3 flush data > connection_read(12): unable to get TLS client DN, error=49 id=0 > snip- > > Why is that??? > > --- > No client certifica

Re: CSR Without Prompting

2006-06-10 Thread Mark H. Wood
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Fri, 9 Jun 2006 [EMAIL PROTECTED] wrote: > I need to generate a CSR without prompting the user (I am getting the > info from an HTML form). Likely you are already in a Perl script? What about copying a template config to a scratch file, making app

create_serial

2006-06-10 Thread Jeppe Bundsgaard
Hi, I am trying to install a new certificate with CA.pl, but it terminates telling me that the create_serial option doesn't exist. I am using version 0.9.8b_1, and it should be introduced in version 0.9.7j... The command openssl ca -create_serial tells me the same. OS: FreeBSD 6.1. In th

Error revoking a certificate

2006-06-10 Thread Susan McIntosh
We are in the process of migrating from box A (AIX 4.3.3.0 running openssl 0.9.6g) to box B (also AIX 5.3.0.0 running openssl 0.9.8). Both A and B access the same file system which contains our CA files. When I revoke a certificate from box A, the process works as expected. When I revoke a cer