I'm sure David will have more to say about how the locking callbacks are
used in OpenSSL. But my understanding is that just because you
implement these, you still cannot freely call SSL_read/SSL_write from
different threads without the proper locking. The reason is because you
have direct access
> Is it the case that both SSL_read and SSL_write modify the same
> part of the
> SSL object ?
Yes, but that's not the issue.
> Could you give some more details about this? Could you throw some
> more light
> on the ssl state maintained
> by the SSL object during SSL_read and SSL_write?
I'm not
> I assume this a reason why OpenSSL has the locking callback functions.
No. OpenSSL has the locking callback functions so it can protect internal
structures. For example, if two SSL objects internally reference the
objects.
> As long as you use these it is safe to share the object AFAIK.
Then
Hi Dr. Stephen, is there a way to verify/test these vulnerabilities? I
have compiled a new version of customized openssl/openssh but how do I
know that my openssl/openssh is not vulnerable to these attacks? Thanks,
Fei
Hello,
> >>
> >> What's wrong? How to solve the error "SSL3_GET_RECORD:wrong version
> >> number" and "SSL: connect failed"?
> >> From server side, you may get this error when:
> > - server is setup to SSL/TLS and client is connecting in plain mode,
> > for example:
> > $ telnet some_server 4
On 05/10/2006, at 4:49 AM, Marek Marcola wrote:
Hello,
Dear all,
...
tls_tcpconn_init: Setting in ACCEPT mode (server)
11(5927) tcpconn_add: hashes: 835, 11
11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
7(591
Trying to compile openssl-0.9.7l on s390x. Able to compile w/o errors
using ./config --prefix=/web/software/openssl-0.9.7l
--openssldir=/web/software/openssl-0.9.7l.
It compiles for s390x, the problem is when I create a self-signed
certificate. I am able to create a key but receive Segmentation
Hello,
> $ openssl s_client -connect adtest:636 "-CAfile" homeca_cert.pem
> CONNECTED(0003)
> depth=1 /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=adtest.altd
At 06:54 AM 10/5/2006, Marek Marcola wrote:
Hello,
> > > >>Trying to test certs before moving on to LDAP tests. The certs were
> > > >>obtained from a CA running on a MS box. Here's what happens:
> > > >>
> > > >>openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_ce
> > > >>
Hello,
> > > >>Trying to test certs before moving on to LDAP tests. The certs were
> > > >>obtained from a CA running on a MS box. Here's what happens:
> > > >>
> > > >>openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_cert_chain.p7b
> >
> >The above command is the pro
At 05:34 AM 10/5/2006, Dr. Stephen Henson wrote:
On Thu, Oct 05, 2006, Dan O'Reilly wrote:
> At 12:48 AM 10/5/2006, Bernhard Froehlich wrote:
> >Dan O'Reilly wrote:
> >>Trying to test certs before moving on to LDAP tests. The certs were
> >>obtained from a CA running on a MS box. Here's what h
On Thu, Oct 05, 2006, Dan O'Reilly wrote:
> At 12:48 AM 10/5/2006, Bernhard Froehlich wrote:
> >Dan O'Reilly wrote:
> >>Trying to test certs before moving on to LDAP tests. The certs were
> >>obtained from a CA running on a MS box. Here's what happens:
> >>
> >>openssl s_client -connect adtest
At 12:48 AM 10/5/2006, Bernhard Froehlich wrote:
Dan O'Reilly wrote:
Trying to test certs before moving on to LDAP tests. The certs were
obtained from a CA running on a MS box. Here's what happens:
openssl s_client -connect adtest:636 -cert foo.pem "-CAfile" homeca_cert_chain.p7b
Enter pas
- Original Message -
From: "David Schwartz" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 05, 2006 3:36 PM
Subject: RE: Need help: Understanding SSL object in multi-threaded
environment
>
> > 1. Is OpenSSL thread-safe?
> > Yes (with limitations: an SSL connection may not concurrently
David,
> > 1. Is OpenSSL thread-safe?
> > Yes (with limitations: an SSL connection may not
> concurrently be used by multiple threads)
>
> This means exactly what it says. A single SSL connection may
> not be used concurrently by multiple threads. This means it is illegal
> for one thread to d
> 1. Is OpenSSL thread-safe?
> Yes (with limitations: an SSL connection may not concurrently be used by
> multiple threads)
This means exactly what it says. A single SSL connection may not be used
concurrently by multiple threads. This means it is illegal for one thread to
do a 'write' on the con
- Original Message -
From: "Mark" <[EMAIL PROTECTED]>
To:
Sent: Thursday, October 05, 2006 2:49 PM
Subject: RE: Need help: Understanding SSL object in multi-threaded
environment
> you may use the same H_SSL_CTX (handle to an SSL context) in
> concurrent threads. This structure serves a
> you may use the same H_SSL_CTX (handle to an SSL context) in
> concurrent threads. This structure serves as a factory of ssl
> connections.
> You use SSL_new to create SSL connection handles (H_SSL).
> These you can use only within one thread.
> So, you may share H_SSL_CTX, you may not share
Vincenzo Sciarra wrote:
I want to verify that a client certificate is issued by an acceptable CA.
Thanks
You'd do it the same way as verifying that the server's CA is
acceptable. Would be something like
* Setting a CA-file or a CA directory containing the acceptable CAs
into the contex
Hi there,
I still can't get a grip on the security implications of those DH
parameters. I understand that they have to be "chosen carefully" but
otherwise they may be public. This would imply that once a good set of
parameters has been found everybody could use them "forever" (that is,
until
Hi,
you may use the same H_SSL_CTX (handle to an SSL
context) in concurrent threads. This structure serves as a factory of ssl
connections.
You use SSL_new to create SSL connection handles (H_SSL).
These you can use only within one thread.
So, you may share H_SSL_CTX, you may not share
H_
I want to verify that a client certificate is issued by an acceptable CA.
Thanks
2006/10/5, Bernhard Froehlich <[EMAIL PROTECTED]>:
Vincenzo Sciarra wrote:
> Hi,
>
> I'm developing an application using X509 cert standard.
> I'm trying to use a remote Certification Authority in
> client-server authe
Hi all,
I have some doubts about openssl and
multithreaded environment. I will appreciate if you could help me understand
this better.
It is said that openssl is thread-safe with a
limitation that "an SSL connection may not
concurrently be used by multiple threads"
I am not clear on this point