On Sun, Dec 05, 2021, russellb...@gmail.com wrote:
> Dec 5 08:56:54 mydomain sm-mta[30576]: STARTTLS=client, error:
> SSL_CTX_use_certificate_file(/etc/ssl/certs/server.csr) failed
> Dec 5 08:56:54 mydomain sm-mta[30576]: STARTTLS=client, error:
> SSL_CTX_check_private_key failed(/etc/ssl/cert
Just curious: Why is the output of
openssl ciphers MEDIUM
"empty" for 3.0.0.a2?
Error in cipher list
00:00:00:00:error:SSL routines:SSL_CTX_set_cipher_list:no cipher
match:ssl/ssl_lib.c:2705:
Using 1.1.1 lists several, and at least
TLS_AES_128_GCM_SHA256
is also listed by
openssl-3.0.0.a2 ciphers
On Tue, May 19, 2020, Claus Assmann wrote:
Here's another (confusing) note: the (failing) S8 trace log:
> Sent Record
> Header:
> Version = TLS 1.2 (0x303)
> Content Type = Handshake (22)
...
> extensions, length = 12
> extension_type=supported
Sorry for just another (intermediate) update: further debugging
shows the I/O laywer (unsurprisingly) wasn't the problem. I have
to take some steps back and start over :-(
On Wed, May 20, 2020, Matt Caswell wrote:
> This sounds odd. Why does the client fail because it hasn't read the
> expected data yet? Normally (with non-blocking sockets), a failure to
Sorry, I should have written that the read call is timing out
(doesn't matter whether the timeout is 5s or 20s).
On Wed, May 20, 2020, Matt Caswell wrote:
[Thanks for still helping me with this!]
> Can you test the underlying socket to see if it has been closed down in
> an orderly way (i.e. recv() should return 0 on the socket if so)? That
Yes, that what happens.
So I added some debugging to the client a
On Wed, May 20, 2020, Matt Caswell wrote:
> I wonder if there could be some middlebox in between these two peers
> that is interfering with the connection in some way and arbitrarily
> closing it down?
No, it's being tested on localhost. And it works fine if I use a
different server (e.g., opens
On Wed, May 20, 2020, Matt Caswell wrote:
> SSL_accept:TLSv1.3 early data
> What happens in the application code? What was the function being called
> (SSL_accept?) and what return value do you get? What does
> SSL_get_error() return at this point?
It's:
r = SSL_accept(srv_ssl);
On Tue, May 19, 2020, Matt Caswell wrote:
> > SSL_accept:error in TLSv1.3 early data
> This comes from this code in the info callback which you lifted from s_cb.c:
> Please could you modify this as follows:
> +ERR_print_errors(bio_err);
That's basically already in the code:
while ((l =
On Mon, May 18, 2020, Viktor Dukhovni wrote:
> I'll strongly second Matt's request for a PCAP file.
If tcpdump is "good enough" then that should be attached.
If wireshark and some TLS decoding is needed, then I need
some time to figure that out.
> The client trace looks rather odd, why is writin
On Tue, May 19, 2020, Jan Just Keijser wrote:
> FWIW: adding TLS 1.3 support to my EAP-TLS code got me stumped for a while as
> well. I eventually added up the following snippet:
> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT |
> SSL_SESS_CACHE_NO_INTERNAL_STORE);
> SSL_CTX_
On Mon, May 18, 2020, Alexander Gryanko wrote:
[thanks for the hints, I will try that ASAP]
> But first of all, check your cert type. Looks like you are using non-RSA
> cert which is not supported by S8.
As I wrote: it works fine if I don't use TLSv1.3 or if I use openssl
s_client with TLSv1.3 (
I'm stuck and looking for some hints/help. I have two MTAs (let's
call them M1 and S8), both built with OpenSSL 1.1.1g. The problem
is M1 cannot establish a TLSv1.3 connection with S8. Using other
MTAs/sites/protocols/tools works just fine, e.g., M1 can send mail
to google using TLSv1.3, and S8 ca
It seems something went wrong when include/openssl/opensslv.h
was generated?
cc -Icrypto -I. -Iinclude -Iproviders/common/include
-Iproviders/implementations/include -Icrypto/include -DAES_ASM -DBSAES_ASM
-DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM
-DOPENSSL_BN_ASM_GF
On Tue, Apr 21, 2020, Matt Caswell wrote:
> changes in this area. Were you successfully able to run the tests with
> previous versions of OpenSSL?
It's the first time I compiled 1.1.1 on that host. Just to check I
tried 1.1.1d and it shows the same problem, so it's not a regression.
On Tue, Apr 21, 2020, Benjamin Kaduk via openssl-users wrote:
> On Tue, Apr 21, 2020 at 07:22:38PM +0200, Claus Assmann wrote:
> > ../test/recipes/80-test_ssl_old.t ..
> > Dubious, test returned 1 (wstat 256, 0x100)
> Please run again with `make V=1 TESTS=test
Note sure whether this is already known (a search didn't bring up
anything meaningful):
../test/recipes/80-test_ssl_old.t ..
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/6 subtests
Test Summary Report
---
../test/recipes/80-test_ssl_old.t(W
I just got a compiler warning while modifying some code:
SSL_set_tlsext_host_name(ssl, sni)
->
#define IS_EMPTY(s) (NULL == (s) || '\0' == *(s))
SSL_set_tlsext_host_name(ssl, !IS_EMPTY(sni) ? sni : other)
warning: cast to 'char *' from smaller integer type 'int'
'SSL_set_tlsext_host_name
On Fri, Jan 03, 2020, Benjamin Kaduk via openssl-users wrote:
> On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> > Seems it is impossible to override the list with NULL for SSL, as
> > the code will then use the list from CTX (if my limited understanding
> >
On Sat, Nov 23, 2019, Richard Levitte wrote:
> You don't happen to have a libcrypto.so lying around in your build
> directory?
That was probably be the (my) mistake, sorry for the false alarm
(I cannot reproduce the problem in a setup where I just untar'ed
the source code).
> Just now, I noticed
Seems it is impossible to override the list with NULL for SSL, as
the code will then use the list from CTX (if my limited understanding
of the code is correct):
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
...
if (s->client_CA != NULL)
return (s->client_CA);
Just FYI: trying to build openssl 1.1.1d with no-shared fails (on
OpenBSD 6.5) see below. I'm not sure why test/cipher_overhead_test
is needed for the build.
rm -f test/cipher_overhead_test
${LDCMD:-cc} -Wa,--noexecstack -Qunused-arguments -Wall -O3 -L.-o
test/cipher_overhead_test test/cipher
I'm trying to find what's wrong when I use
SSL_set_client_CA_list(ssl, NULL);
in a server:
openssl s_client still shows "Acceptable client CA names"
(those which are previously set using
SSL_CTX_load_verify_locations())
instead of the expected
"No client certificate CA names sent"
which happens if
On Mon, Mar 04, 2019, Richard Levitte wrote:
> So if I'm reading the patches correctly,
> patch-Configurations_unix-Makefile_tmpl is all about that "e" stuff,
Nope, seems you missed one change in all the text you quoted:
- $generator = 'm4 -B 8192'.$generator_incs.' '.$generator.' >'
There are some patches for OpenSSL 1.1.1X in the OpenBSD ports tree.
Are there any plans to put (parts of) them into the next OpenSSL
version?
patch-Configurations_10-main_conf
patch-Configurations_shared-info_pl
patch-Configurations_unix-Makefile_tmpl
The changes in the last one which add an "e"
Thanks for the reply, it helped me adding some more debugging
statements to various places to track down the problem:
it is due to a change in TLS session handling in TLSv1.3.
It seems there are multiple SSL_SESSION structures for a single SSL
connection (SMTP session). The callback installed usin
I'm trying OpenSSL 1.1.1a on FreeBSD 11.2-RELEASE-p4 and got the following
crash in one of my test programs (I compiled OpenSSL with -g after the
first time this happened to get at least some debug info):
#0 __je_huge_salloc (tsdn=, ptr=) at
extent.h:114
#1 0x00080122d01e in ifree (tsd=) at
On Mon, Oct 15, 2018, Viktor Dukhovni wrote:
> With TLS 1.3, you suddenly have clients optionally soliciting certificates
> by specific CA from servers [[...]]
> With 149 certs, and typical CA names O(80) bytes, we're looking at
> ~12KB of cert names, which should fit into an extension that can b
On Mon, Oct 15, 2018, Carl Byington wrote:
> O CACertFile=/etc/pki/tls/certs/ca-bundle.crt
> pointing the CACertFile to 750KB file with 149 certificates. That just
> seems wrong, but perhaps there is some reason for it. If CACertFile is
sendmail: op.*:
However, do not list too many root
Would it be a good idea to allow disabling these extensions at
runtime (via some option)? That would minimize the impact of security
holes like this, right? Instead of having to recompile "everything"
you would "just" have to set an option (yes, I know, not every
application might have support for
As I'm having some problems understanding the ASN.1 parsing code,
I would like to ask here for feedback about the bug. DKIM-Filter
(OpenDKIM) uses d2i_PUBKEY_bio() with a key (input) that is at most
1KB long.
According to the advisory:
> Any application which uses BIO or FILE based functions to
On Tue, Mar 22, 2011, Victor Duchovni wrote:
> > client() has some code like this:
> > SSL_CTX_set_ex_data(a_ctx->a_ssl_ctx, myidx, a_ctx->cb_arg);
>
> No, don't do that, the SSL_CTX application context object is global.
I was demonstrating that the callback API has some problems.
If the commo
On Mon, Mar 21, 2011, Victor Duchovni wrote:
> Can you explain a bit more clearly why you can't initialize an
> integer index or two when the application starts?
I can, but that's not the problem. Here's an example:
initialize:
SSL_load_error_strings(); ...
ssl_ctx = SSL_CTX_new();
myidx = SSL_C
On Sun, Mar 20, 2011, Victor Duchovni wrote:
> once, ... so there needs to be some once-only code in your application,
That's trivial to do and already working fine.
> and setting a write-once global there does not seem burdensome.
As Graham points out it makes it hard for some applications to
I'm trying to implement TLS client side session caching, but I'm
running into problems with the OpenSSL callback API. It seems most
callbacks don't pass an application context which makes using them
awkward (at least in my application that doesn't have global
variables). SSL_CTX_set_cert_verify_ca
On Tue, Mar 23, 2010, Dr. Stephen Henson wrote:
> Another possible cause is multiple closes on the same file descriptor in a
> multi threaded application. I saw this once myself where the SSL_free() closed
> the file descriptor and the application itself closed it as well.
The application is send
On Fri, Mar 12, 2010, Darryl Miles wrote:
> int rc = SSL_shutdown(ssl);
> /* BEGIN - INSERT THIS CODE AFTER EVERY SSL_shutdown()
> INVOCATION IN YOUR CODE */
> if(rc == -1) {
> int ssl_errno;
> SSL_get_error(ssl, ssl_errno);
> if(ssl_errno == SSL_ERROR_WANT_READ || ssl_er
I've got a bug report that my MTA fails from time to time during the
TLS handshake with the following error:
4476:error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context
uninitialized:ssl_sess.c:413
(OpenSSL 0.9.8m and 1.0.0.Beta5)
The MTA tries to turn off the session cache using
S
On Mon, Mar 02, 2009, Victor Duchovni wrote:
> On Mon, Mar 02, 2009 at 05:36:15PM -0800, Claus Assmann wrote:
> > Out of the box OpenSSL 0.9.8j fails to install on SunOS 5.10 ( cp:
> > What's the "correct" way to fix this? For now I "hacked" the Mak
On Tue, Mar 03, 2009, Dr. Stephen Henson wrote:
> On Tue, Mar 03, 2009, Claus Assmann wrote:
> > On Tue, Mar 03, 2009, Dr. Stephen Henson wrote:
> > > Please try a recent 0.9.8 snapshot, for example:
> > Fails in a different way:
> > PS: patch for Makefile:
>
On Tue, Mar 03, 2009, Dr. Stephen Henson wrote:
> On Mon, Mar 02, 2009, Claus Assmann wrote:
> > Out of the box OpenSSL 0.9.8j fails to install on SunOS 5.10 ( cp:
> > cannot access fipscanister.o). I found a mail in the archives about
> Please try a recent 0.9.8 snapshot, f
Out of the box OpenSSL 0.9.8j fails to install on SunOS 5.10 ( cp:
cannot access fipscanister.o). I found a mail in the archives about
this and applied the patch to disable FIPS (see below). However,
after doing that compilation fails because fips.h is missing:
cc -I. -I.. -I../include -DOPENSSL_
On Sun, Nov 06, 2005, Henk A.M. Weebers wrote:
Please trim your reply, don't quote everything and don't toppost.
Usually I wouldn't reply, but it's Sunday and the weather sucks.
> sendmail is nat able to start due to
> Nov 4 21:54:44 centraal sendmail[20702]: STARTTLS=server, error:
> SSL_CTX_u
On Fri, Nov 04, 2005, Henk A.M. Weebers wrote:
> Nov 4 21:54:44 centraal sendmail[20702]: NOQUEUE: SYSERR(root):
> opendaemonsocket: daemon MTA: cannot bind: Permission denied
Looks like you don't start sendmail as root. See the sendmail
documentation.
_
On Wed, Jun 15, 2005, Andy W. Clements wrote:
> I'm currently having a problem with setting up STARTTLS with my sendmail
> on my FreeBSD 5.3 box. I've used openssl to create the cert and key:
>
> openssl dsaparam 1024 -out dsa1024.pem
> openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycer
On Sat, Sep 27, 2003, Dann Daggett wrote:
> > I still need to keep this short as long emails still a problem.
> > Tried setting MTU to 1450, still hangs on emails over 800 bytes.
> > Last lines in maillog is (DebugLevel 99):
> > Sep 27 22:11:38 ns1 sm-mta[2513]: h8S5BKkL002513: <-- DATA
> > Se
On Mon, Nov 18, 2002, Richard Levitte - VMS Whacker wrote:
> In message <[EMAIL PROTECTED]> on Mon, 18 Nov 2002
>10:43:54 -0800, Ed Kasky <[EMAIL PROTECTED]> said:
>
> ed> 27781:error:140890E9:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:tls peer did
> ed> not respond with certificate list:s3_srvr.c
On Thu, Apr 25, 2002, Nick Simicich wrote:
Maybe we can create a new list: how to manage a mailing list?
This stuff comes up now and then, esp. if some idiot creates
a loop or other idiots turn on their "out of office" garbage
replying to mailing lists.
> At 10:28 AM 2002-04-25 +0200, Richard L
On Wed, Sep 26, 2001, Darrin Powell wrote:
> I have question about using ssl for sendmail. Can you run secure email
> via ssl "wrapper of some sort" and nonsecure email no ssl wrapper at the same
> time? Reason being is to have both running to migrate off of regular mail to
> secure mail.
On Fri, May 19, 2000, Richard Levitte - VMS Whacker wrote:
> From: Claus Assmann <[EMAIL PROTECTED]>
> ca+ssl> ! According to the SSL/TLS standard, the first 2 bytes of that secret
> ca+ssl> ! should be the protocol version. Since CgatePro insists on TLSv0 (aka
> ca+ssl&
Me again... sorry to bother you. I still have a problem with the
MTA at mail.stalker.com. The developer from Stalker was very helpful
and he concluded there is a bug in OpenSSL.
Here is his e-mail:
! We have added the check for the "premaster secret" verification.
! According to the SSL/TLS sta
I have a question about the different SSL versions, i.e., which one
should a client use to be interoperable? The specific problem is
with the MTA at mail.stalker.com. I finally got around to do some
more debugging and found out that openssl (starttls) can connect
to it if it uses either SSLv23 wit
Is there a "simple" way to achieve a non-hierarchical trust model
within TLS?
The X.509 certificates currently allow only for one signature, right?
If this is wrong, how can several CAs sign a certificate?
Is someone working on "Extensions to TLS for OpenPGP keys"? I would
like so have an imple
On Tue, Apr 11, 2000, Bodo Moeller wrote:
> On Tue, Apr 11, 2000 at 12:49:32PM +0200, Bodo Moeller wrote:
> > On Sat, Apr 08, 2000 at 04:13:27PM -0700, Claus Assmann wrote:
> >> I'm trying to send e-mail to a host which runs CommuniGate Pro 3.2.
> >> My MT
On Mon, Mar 20, 2000, Bodo Moeller wrote:
> On Sun, Mar 19, 2000 at 07:51:38PM -0800, Claus Assmann wrote:
> > I'm trying to write a server (using OpenSSL) that doesn't use
> > patented algorithms, which means I have to restrict my server to
> > TLSv1 or SSLv3 (
I'm trying to write a server (using OpenSSL) that doesn't use
patented algorithms, which means I have to restrict my server to
TLSv1 or SSLv3 (right?), so I would like to use TLSv1 only, but
then a "default" client (SSL23_method) does not talk to my server.
Is there a description which versions o
On Tue, Nov 16, 1999, Bodo Moeller wrote:
> On Sun, Aug 08, 1999 at 03:05:26PM +, Bodo Moeller wrote:
> > Claus Assmann <[EMAIL PROTECTED]>:
> >> how do I correctly set the verify_mode? Reading the code,
> >> SSL_VERIFY_CLIENT_ONCE and SSL_VERIFY_PEER seem
On Thu, Oct 21, 1999, Steven J Sobol wrote:
> On Thu, Oct 21, 1999 at 03:52:17PM -0600, Terrell Larson wrote:
>
> > Would sombody like to shoot Oracle Corp with a silver bullet?
>
> No, the list should not be accepting posts from any addresses other than
> those that are subscribed to the list.
On Sun, Aug 08, 1999, Bodo Moeller wrote:
> Claus Assmann <[EMAIL PROTECTED]>:
> >>> Question: is there some simple way to find out whether the client
> >>> has been authenticated? I registered a callback with SSL_CTX_set_verify,
> >>> but I don&#x
Question: is there some simple way to find out whether the client
has been authenticated? I registered a callback with SSL_CTX_set_verify,
but I don't completely understand it...
I need this information in my application which makes certain
decisions based on it (e.g. allow different operations).
60 matches
Mail list logo
