Does anyone have solid numbers on the performance of OpenSSL's SHA-1
on 32-bit vs. 64-bit platforms?
Thanks,
-Ekr
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
the client side. Consider what happens if there
is a protocol which uses the first four bytes of the packet
as the length of the remaining data. Such a protocol will
block indefinitely when handed an SSL client hello.
All the client can do in this case is time out.
-Ekr
--
[Eric Rescorla
also difficulties with writing.
This can easily lead to deadlock with OpenSSL because there might
still be data in the SSL buffers but not on the network socket.
These issues are discussed quite extensively in "SSL and TLS" as well as
in my "Introduction to OpenSSL Programming"
David Schwartz <[EMAIL PROTECTED]> writes:
> On 03 Feb 2003 22:00:08 -0800, Eric Rescorla wrote:
>
> >David Schwartz <[EMAIL PROTECTED]> writes:
>
> >>You nearly always need non-blocking, even if it's just for
> >>timeouts.
>
> >Depe
David Schwartz <[EMAIL PROTECTED]> writes:
> On 03 Feb 2003 19:01:53 -0800, Eric Rescorla wrote:
> >Tim Regovich <[EMAIL PROTECTED]> writes:
>
> >>*always* operate in non blocking mode. The code may
> >>be slightly more complex but will *always* work
Tim Regovich <[EMAIL PROTECTED]> writes:
> *always* operate in non blocking mode. The code may
> be slightly more complex but will *always* work
> better.
I don't agree with this. Getting non-blocking code correct
with OpenSSL is quite tricky. If you don't need non-blocking,
there's no reason to d
have been put forward as to what this is or is not are simply best
> guesses without much evidence to back them up.
>
Certainly guessing is all I've been doing.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
driver.
Unfortunately it needs to be ported to kernel 2.4, which is
what I'm currently doing. As I said, I have a semi-usable port
but it's got some problems.
-Ekr
--
[Eric Rescorla [EMAIL PROTEC
Stephen Amadei <[EMAIL PROTECTED]> writes:
> On Tue, 17 Dec 2002, Eric Rescorla wrote:
>
> > Now consider what happens if you're running 512 virtual servers (IPs)
> > with 256 child processes. If Slapper contacts all of them, it will
> > freeze all your c
tions from any
> previously exploited/controlled servers). The question however is; what
> *exactly* is the problem?
I don't think it matters. Just open a connection and spit out a
partial SSL message. This ought to stall the server till the network
timeouts are done.
-Ekr
--
Eric Rescorla <[EMAIL PROTECTED]> writes:
> Now consider what happens if you're running 512 virtual servers (IPs)
> with 256 child processes. If Slapper contacts all of them, it will
> freeze all your children and you're frozen until the timeouts
> happen. Joe, do y
your server when it contacts it.
Now consider what happens if you're running 512 virtual servers (IPs)
with 256 child processes. If Slapper contacts all of them, it will
freeze all your children and you're frozen until the timeouts
happen. Joe, do you have more virtual servers than chil
as access on port 443 gets blocked.
Thanks,
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
sites. Somehow this attack is
> choking the accept queue, preventing access to the other unaffected
> children.
That's one possibility... Another would be clogging of access to the
session cache. In the first case, it's hard to understand how OpenSSL
could be the cause of the probl
Since Apache 1.3.x runs separate
server processes, it's kind of surprising that a single client
would stall all server processes. Could you put a debugger on
one of the stalled processes and see where it is?
Thanks,
-Ekr
--
[Eric Rescorla
I'd like to announce the availability for download of the following
paper.
Security holes... Who cares?
Eric Rescorla
RTFM, Inc. <http://www.rtfm.com/>
We report on an observational study of user response fo
pted path.
>
> He explained what he wanted in 3 minutes before leaving on a week of
> vacation, so I'm kind of confused myself. :)
If you have the private key for the server, the easiest thing
to do is use ssldump (http://www.rtfm.com/ssldump). Then you
don't need a proxy, jus
the developers, but I have it pretty hard to get excited about
this sort of thing.
In the case of SSL in particular, the private key is generally
kept in memory for the life of the process. If it's not zeroed,
there's not a lot of point in zeroing other keys, since compromi
convenient with application
level code unless you have some other thread to handle
network flushes.
[1] In some implementations, you can add buffering BEFORE
the SSL code, but this is a different story.
--
[Eric Rescorla
ne
> clear my doubt please.
While SSL CAN coalesce data, in general implementations don't coalesce
user writes, in order to avoid confused programmers :)
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
"Le-Vazquez, Thuy" <[EMAIL PROTECTED]> writes:
> I've written an SSL server, will the server communicate with SSH client?
> If not, does anyone know how to hook this two together?
You don't. They're different protocols.
-Ekr
--
[Eric Rescorla
http://www.rtfm.com/ssldump
If you downloaded ssldump from the link on the ssldump web site this
morning, please make sure you got version 0.9b3 and not version
0.9b2. The link on the web site had not been adjusted to point to
0.9b3.
You can check this by checking either the name on the
tarball
ANNOUNCE: ssldump: an SSL protocol analyzer v 0.9b3
Version 0.9b3
http://www.rtfm.com/ssldump/
RTFM, Inc. is pleased to announce the availability of ssldump 0.9b3
ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP
connections on the chosen network interface and attempts to inte
o OpenSSL Programming"
at:
http://www.rtfm.com/openssl-examples
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
"Paul L. Allen" <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> Hmmm... When I watch a demo client and server with client
> authentication,
> I see the client's cert going over the wire. I wonder why I don't see
> it in the case of my real code? W
"Paul L. Allen" <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
> > > I've watched my Java client connecting to my OpenSSL server using
> > > ssldump. I can see the server's cert going over to the client. The
> > > client does
rhaps mean an X.509v1 certificate?
(2) I very much doubt you have an SSLv1 anything since AFAIK
no production implementations of SSLv1 were ever released, being
as it was riddled with security flaws.
-Ekr
--
[Eric Rescorla
e
encrypted randomness is just as random as simple randomness :)
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
detail about what you're doing
here. In particular, what do you mean by "two servers running the app"?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
POP3S port appears to be 995, not 110.
My guess would be that what's listening on port 110 is normal POP. Try
telnetting to port 110 to see if you get the POP banner. If so
that's what's going on.
-Ekr
--
[Eric Rescorla
but the hope is that when you mash it all together you get enough entropy...
> c) Does the server generate an ephemeral RSA private key for each SSL
> connection, or just once for the lifetime of the process which it uses
> across all clients?
Typically the latter, th
5) to account for data expansion and the record header.
That said, some implementations (Microsoft) violate this limit.
In any case, since TCP segments are typically <1500 bytes long,
most records will span multiple TCP segments.
-Ekr
--
[Eric Rescorla [EMA
es quite widely. The SASL mechanisms that are as secure as SSL are
no faster. On the other hand, if you're willing to live with a lower
security level (or if you have a lot of different authentication
mechanisms to support) then SASL may be better for you.
-Ekr
--
[Eric Rescorla
[EMAIL PROTECTED] writes:
> We were trying to have JCE implementation only. I think you are getting to
> the point.
> Could you provide some more info on this?
Try Cryptix: www.cryptix.org
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
e you trying to achieve? It doesn't sound like
you're trying to do SSL, so you just want some JCE implementation.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
s specified in the TLS and SSL specifications.
PureTLS and JSSE are both complete implementations and so they take care
of the padding internally. You should not need to do anything along these
lines.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
[EMAIL PROTECTED] writes:
> Did Test this link. Finding problem that there is no implementation for
> NO-Padding option from this provider.
>
> Any Idea as to how to resolve this?
Can you be a little more specific about what the problem is?
-Ekr
--
[E
try
PureTLS <http://www.rtfm.com/puretls/>
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
60 bytes of plaintext and all 200 bytes of ciphertext
are read?
If so, that's unsurprising. Remember that SSL is a record-oriented
protocol, so OpenSSL needs to read the entire record to give you
your data, no matter how many
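The record-layer behaviour that several of the replies above turn on (a length-prefixed protocol that hangs when handed a ClientHello; a partial SSL message that stalls a server until its network timeout; records of up to 2^14 bytes spanning several TCP segments; the whole record having to arrive before any of its data can be handed back; and data that is already decoded inside the SSL layer while select() reports the socket idle) can be seen in a few dozen lines of pure Python. The following is an added illustration, not OpenSSL's code and not from the original posts; the ClientHello bytes, the 1460-byte segment size and the "one record per write" framing rule are constructed for the example, and the size limits are the ones in RFC 2246 sections 6.2.1 and 6.2.3.

```python
"""Added example: a minimal TLS record-layer reader/writer (illustration only,
not OpenSSL's implementation). The ClientHello, the TCP segment size and the
framing rule are constructed for the example."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_PLAINTEXT = 2 ** 14           # RFC 2246 6.2.1: TLSPlaintext.length <= 2^14
MAX_CIPHERTEXT = 2 ** 14 + 2048   # RFC 2246 6.2.3: TLSCiphertext.length <= 2^14 + 2048


class RecordReader:
    """Buffers raw socket bytes and hands out only complete TLS records."""

    def __init__(self):
        self.buf = bytearray()   # bytes of a not-yet-complete record
        self.ready = []          # complete records the application has not read yet

    def feed(self, data):
        """Called with whatever recv() returned; completes zero or more records."""
        self.buf += data
        while len(self.buf) >= 5:
            ctype, vmaj, vmin, length = struct.unpack("!BBBH", self.buf[:5])
            if ctype not in CONTENT_TYPES:
                # SSLv2-style hellos use a different framing and would be rejected here.
                raise ValueError("not a TLS record header: type %d" % ctype)
            if length > MAX_CIPHERTEXT:
                raise ValueError("record length %d exceeds 2^14+2048" % length)
            if len(self.buf) < 5 + length:
                break                       # still waiting for the rest of this record
            body = bytes(self.buf[5:5 + length])
            del self.buf[:5 + length]
            self.ready.append((CONTENT_TYPES[ctype], (vmaj, vmin), body))

    def bytes_needed(self):
        """Bytes that must still arrive before the next record is complete (0 if one is ready).
        A server blocked in a read is waiting for exactly this many bytes."""
        if self.ready:
            return 0
        if len(self.buf) < 5:
            return 5 - len(self.buf)
        length = struct.unpack("!H", self.buf[3:5])[0]
        return 5 + length - len(self.buf)

    def pending(self):
        """Records decoded but not yet read: the SSL_pending() situation. select()
        on the socket sees nothing, yet the application still has data to read."""
        return len(self.ready)

    def read(self):
        return self.ready.pop(0) if self.ready else None


def frame(data, ctype=23, version=(3, 1)):
    """Turn one application write into records: one record per write (no coalescing
    of separate writes), fragmented only when the write exceeds 2^14 bytes."""
    records = []
    for off in range(0, len(data), MAX_PLAINTEXT):
        chunk = data[off:off + MAX_PLAINTEXT]
        records.append(struct.pack("!BBBH", ctype, version[0], version[1], len(chunk)) + chunk)
    return records


def segment(stream, mss=1460):
    """Split a byte stream into TCP-segment-sized chunks (constructed MSS of 1460)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def naive_length_prefix(first_bytes):
    """What a protocol that reads the first four bytes as a big-endian body length
    would wait for when it is handed a TLS ClientHello instead."""
    return struct.unpack("!I", first_bytes[:4])[0]


def client_hello():
    """A constructed, minimal TLS 1.0 ClientHello record (one cipher suite, no extensions).
    Note the 3-byte handshake length field: it is why no handshake message,
    and hence no certificate, can exceed 2^24-1 bytes."""
    body = (b"\x03\x01" + bytes(32)         # client_version, 32-byte random (zeros here)
            + b"\x00"                       # session_id length 0
            + b"\x00\x02\x00\x2f"           # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                  # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1), 3-byte length
    return struct.pack("!BBBH", 22, 3, 1, len(handshake)) + handshake


if __name__ == "__main__":
    ch = client_hello()
    print("length-prefixed protocol would wait for %d bytes" % naive_length_prefix(ch))
    r = RecordReader()
    r.feed(ch[:10])
    print("after a partial hello the server still needs %d bytes" % r.bytes_needed())
```

Feeding `client_hello()` to `naive_length_prefix` gives 0x16030100, about 369 MB, which is the "block indefinitely" case; feeding only the first ten bytes of it to a `RecordReader` leaves the reader waiting, which is the partial-message stall. A 16384-byte record framed by `frame` splits into twelve 1460-byte segments, and the reader reports nothing ready until the last one lands.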
http://www.rtfm.com/openssl-examples
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
o:
You don't need a private key on the client, just on the server.
The client needs to either:
(1) Have a copy of the server's certificate.
(2) Trust the CA who signed the server's certificate.
(3) Just accept the server's public key/certificate without verifying
it. This is fine
. All you need to do for
this is convert it into an OpenSSL keyfile. It's not clear what
kind of keyfile you're starting with here...
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
or mod_ssl.
(2) Use Tomcat with Java SSL support via PureTLS or JSSE.
How to do all of these is documented at:
http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ssl-howto.html
-Ekr
--
[Eric Rescorla [
Chris Cleeland <[EMAIL PROTECTED]> writes:
> On 30 Apr 2002, Eric Rescorla wrote:
> Right. Good point. However, for some reason I remember that we had problems
> with JSSE doing RSA properly, too. But memory is fuzzy anymore.
That could be. I've heard such reports but n
s a free Java SSL/TLS
implementation that interoperates fine with OpenSSL.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
C-only export
browsers out there.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
ng crypto Strong crypto
There is no way to tag an X.509 certificate in such a way that
it is 40-bit only.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
mp can read data captured with 'tcpdump -s 8192 -w' if that
helps at all.
In general, this sort of thing is very difficult to diagnose
without either ssldump traces or OpenSSL logging info.
-Ekr
--
[Eric Rescorla [EMAIL PROTECT
m to be able to fix this is to re-create all new certificates. The
> certificates are set to expire in a year but the problem occurs within
> weeks/months of deployment and continues to happen. Does anyone have any
> insight on how this could be happening? Thank you for your time.
What d
Michael Sierchio <[EMAIL PROTECTED]> writes:
> It's also the case that the client may send a 'Hello request' instead
> of a client hello, in order to see what the server supports...
HelloRequests may only be sent by the server
(See RFC 2246 S 7.4.1.1)
"Tobias Mattsson" <[EMAIL PROTECTED]> writes:
> Well it might not be such a good design,
> but what I asked initially was only if it is possible to restrict apache from giving
> the cert out, and if that somehow can stop people from connecting to the server
> without having the certificate.
No. T
;re doing static
RSA key exchange). The client ENCRYPTS the PreMasterSecret under
the server's public key. This necessitates knowing the public key.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure S
.
> If so, could you please tell me how to do it. The need for this is to
> use only
> 112bit key length because of 128bit key export restriction.
Which country has such an export restriction? Not the US.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]
ce, know why I am having difficulties snooping an https
> request from IE6 on a local windows client ( proxied via a linux box which
> is running the https-proxy-sniff utility from Net_SSLeay.pm ) ?
No idea.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
vely snoop an HTTP transaction.
There's no need to pose as the server. Decrypting the traffic
requires, as you say, the private key, but not the certificate.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
indows client on the local ( private ) network - it works for requests from
> a linux client running on the same machine as the proxy, so the code is
> basically correct. I've written into the newgroup 2 times, but nobody has
> been able to answer my problem.
If all you want to do is s
this public key during
> the handshake. This how this is normally handled?
Kevin,
SSL really doesn't know how to work with raw private keys.
Your best bet is to use self-signed certificates, which
have the same security properties but fit the SSL operations
model better.
-Ekr
--
waste my
> time poring over documentation for something not suited for my purpose.
> Is this the case?
I believe so.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
ot to put too fine a point on it, but what do you want to DO with SSL?
SSL is a network security protocol, so if you don't have any networking,
it's not clear why you'd want it.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm
nel .I think it
> will be fastest solution but I'm newbie and don't sure . Can you help me ?
Why would you want to do this?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
l |
| Client | <>| |<--->| Server |
++ Protocol/SSL | +--+ /|\ +-
| |
Firewall Normal
Protocol
Stunnel is one such proxy.
-Ekr
--
[Eric Rescorla [EMAIL
ether an encrypted MD is as secure as
> an HMAC?
Mode (3) is potentially insecure if the attacker can control the
IV. There's only a very small performance benefit to using a digest
instead of HMAC so I would advise doing it.
-Ekr
--
[Eric Rescorla
67 6e 2e 3d 95 b0 sign.=..
00771 ; 82 57<1> CONTEXT-SPECIFIC 2, 87 octets =
00773 ; 38 93 b4 19 8a f8 46 91 c2 28 4f f6 68 61 f7 b08.F..(O.ha..
00789 ; 51 d9 ab 41 4c 62 78 77 67 48 c1 22 70 a0 b6 9f
penssl-examples/>
> Will everything be handled "automagically" on the client side, or if not,
> how do I know I have to shake hands with the server and what do I do?
Sometimes :). This is discussed in the article as well.
-Ekr
--
[Eric Rescorla
SSL Programming" at
http://www.rtfm.com/openssl-examples. Part 2 covers non-blocking
I/O.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Adam Wosotowsky <[EMAIL PROTECTED]> writes:
> On Mon, Jan 14, 2002 at 09:26:22AM -0800, Eric Rescorla wrote:
>
> > SSL does not require that the client and server have synchronized
> > clocks, except in the loose sense that a certificate verifier's
> > clo
in order to avoid
falsely evaluating expiry.
Exactly what behavior are you seeing that leads you to believe
that this is a problem?
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Vadim Zaliva <[EMAIL PROTECTED]> writes:
> On 6 Jan 2002, Eric Rescorla wrote:
>
> I would like to thank everybody who responded to my previous messages.
>
> > This can't be done with SSL exactly the way you want to do it. The
> > only way that SSL kn
Michael Sierchio <[EMAIL PROTECTED]> writes:
> Eric Rescorla wrote:
>
> > That said, it's not clear how these results apply to passwords.
> > The entropy of short chunks of text is lower.
>
> No. The entropy of short chunks of text, without syntax, is
&g
Michael Sierchio <[EMAIL PROTECTED]> writes:
> Jeffrey Altman wrote:
>
> > A passphrase consisting of human readable/typable text provides
> > approximately 2 bits of entropy per character.
>
> English text contains approx. 3.5 bits of entropy per character.
This seems high, considering that
nects. The client then
authenticates to the server with a password. Once the client
has authenticated he puts his own public key on the server.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
Author of &qu
gle certificate and the server's cert
chain as a whole are limited to 2^24-1 bytes. In practice
the limit is 5-10 bytes longer because no handshake message can
be longer than 2^24-1 bytes and so when you factor in the
size of various length bytes and such you get a l
"Krishnaswamy R." <[EMAIL PROTECTED]> writes:
> Is there is any maximum size defined in TLS for a server's
> certificate sent to the client?
Yes, but it's ridiculously large.
No single certificate can be longer than 2^24 bytes.
-Ekr
--
[Eric Rescorla
h you then JSSE is a reasonable
choice. Otherwise, you should probably check out PureTLS which is (as
far as I know) equally capable to JSSE and is Open Source.
PureTLS can be found at http://www.rtfm.com/puretls
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED
sh). (Assuming, of course,
that no attack better than brute force is known for the digest
in question).
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
data from being tampered with. This is done by SHA.
> Also reading in Eric's book he says 1024-bit asymmetric keys are
> about as strong as 80-bit symmetric keys. So why is asymmetric used? I
> assume its bec
t it.
Of course, it's obvious that there must be collisions and for
MD5 at least it's technically possible to find them by brute
force, since the birthday attack is 2^64 hard.
This doesn't mean that the use of MD5 in SSL is insecure. The
only property that SSL really requir
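The 2^64 figure in the reply above, and the "assuming no attack better than brute force" caveat a few messages earlier, are the birthday bound: against an ideal n-bit digest a collision costs about 2^(n/2) evaluations. The following added example (illustration code, not from the page) makes the bound visible by truncating MD5 to a few bytes and counting how many constructed inputs it takes before two share a digest; the full 128-bit case is out of reach for a script, which is the point of the 2^64 estimate.

```python
"""Added example: the birthday bound on a truncated digest. Illustration code,
not from the original posts; inputs are constructed counters."""
import hashlib
import math


def work_factor(bits):
    """Generic birthday-attack cost against an ideal n-bit hash when no
    better-than-brute-force attack is known: 2^(n/2). MD5 (128 bits) gives 2^64."""
    return 2 ** (bits // 2)


def expected_trials(bits):
    """Expected number of random inputs before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_md5(msg, nbytes):
    """MD5 cut down to nbytes so the collision is reachable in a test run."""
    return hashlib.md5(msg).digest()[:nbytes]


def birthday_collision(nbytes=4, prefix=b"msg-"):
    """Hash distinct inputs until two share the same truncated digest.
    Returns (m1, m2, trials). The inputs are constructed counters, so the
    run is deterministic; the trial count lands near expected_trials(8*nbytes)."""
    seen = {}
    trials = 0
    while True:
        msg = prefix + str(trials).encode()
        trials += 1
        d = truncated_md5(msg, nbytes)
        if d in seen:
            return seen[d], msg, trials
        seen[d] = msg


if __name__ == "__main__":
    m1, m2, n = birthday_collision(nbytes=4)
    print("32-bit collision after %d trials (expected ~%.0f): %r %r" % (n, expected_trials(32), m1, m2))
    print("full MD5 would need about 2^%d" % math.log2(work_factor(128)))
```

Finding a collision is a different property from the one a MAC or a PRF needs; the script says nothing about whether MD5 is safe inside SSL, only what "2^64 hard" means.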
it's an admin guide more
than a book on the protocols. I'm generally a lot more interested
in the latter (though there's a bigger market in the former so
maybe I should have targeted "SSL and TLS" differently :))
-Ekr
--
[Eric Rescorla
tp://www.amazon.com/exec/obidos/ASIN/0201702096/qid=1007480469/sr=1-3/ref=sr_1_11_3/107-6458714-3717315
Neither of these books is wholly satisfactory. Harkins and Doraswamy
is old and was always a bit thin. Yuan and Strayer is rather academic
for my taste.
-Ekr
--
[Eric Rescorla
usual way SSL prevents man-in-the-middle attacks is by having the
client check the server's certificate against a trusted CA. If you're
using self-signed certificates and the client doesn't have any
independent knowledge of the server's certificate you certainly are
vulnerable to
Venugopal Panchamukhi <[EMAIL PROTECTED]> writes:
>I've modified the client code in such a way that reading and writing
> is done in a single thread. But my basic problem was not cleared. When
> I'm calling select() it is returning the read condition after which the
> read_SSL() method is retu
"Matthew Fleming" <[EMAIL PROTECTED]> writes:
> I would appreciate your help with the following, although it is not
> strictly (or not only) and OpenSSL problem.
>
> I am trying to connect a Pocket PC to a Linux server. The Pocket PC uses
> Schannel (which on the PPC apparently includes SSLv2 and
> appreciated.
In general your best approach is to look and see what errors the
client and server are generating. Failing that, use ssldump
<http://www.rtfm.com/ssldump> to watch the traffic and see what's
going wrong.
-Ekr
[Eric Rescorla [EMAIL PROTECTE
Ludovic Courtès <[EMAIL PROTECTED]> writes:
> > This is pretty confusing. Are you trying to connect to an OpenSSH
> > server with SSL? That won't work.
>
> Ok. I am getting a bit confused with secure protocols, and I guess I didn't get
> it at all... ;)
It's a little confusing because OpenSSH us
Ludovic Courtès <[EMAIL PROTECTED]> writes:
> I am new to OpenSSL and I am currently trying to use it to make a simple sort of
> `rexec' program. I first started with the examples taken from
> http://www.rtfm.com/openssl-examples .
>
> Actually, the problem I am facing is that my program (which i
"Richard Booth [Web Developer]" <[EMAIL PROTECTED]> writes:
> When performing a post from a non-secure sever to a secure server is the
> connection made secure before any data passes through?
It's not clear what you mean here. Servers don't typically post
to other servers. Perhaps you mean when a
what they're
talking about.
If you want to understand how this all fits into SSL/TLS, you
might check out my book, "SSL and TLS: Designing and Building
Secure Systems" (see my .sig for a link)
-Ekr
--
[Eric Rescorla [EMAIL PR
Andrew Finnell <[EMAIL PROTECTED]> writes:
> [1 ]
> In my application, I am doing something similar to this on the client
>
> SSL_use_PrivateKey_file ( "blah" );
> SSL_use_certificate_file ( "blah" );
> SSL_renegotiate ( ssl );
>
> Now, after that is done, I try to send
julien Bournelle <[EMAIL PROTECTED]> writes:
> I try to develop a client/server application using TLS...
> My client.c file is like this :
>
> first : initialize_ctx();
> tcp_connect6(); -> I use IPv6 socket
> SSL_new();
> BIO_new_socket()
> SSL_set_bio()
> SS
Rich Salz <[EMAIL PROTECTED]> writes:
> > SSLv3 is a defacto, industry standard, devised by the best cryptanalyst
> > we have. It is represented only by an expired Internet Draft. TLS is a
> > committee effort. You be the judge.
>
> That is unfair, misleading, and wrong.
>
> All IETF standard
Endre Meckelborg Rognerud <[EMAIL PROTECTED]> writes:
> I'm trying to write a client in Java that should connect to an OpenSSL
> server through a SSLConnection. I have tried to write it with the JSSE
> package from Sun, but I've had a lot of problems. The first problem
> was related to the message
julien Bournelle <[EMAIL PROTECTED]> writes:
> Hi,
> as part of my thesis I must develop an application which uses
> TLS. I use OpenSSL on FreeBSD 4.2. The problem is that I don't know how to
> create a TLS connection between a client and a server. I searched on
> google and other FAQs but
"Nancy Pawlowski" <[EMAIL PROTECTED]> writes:
> Does anyone recognize this error?
>
> I've had jsse with tomcat configured under linux - and it is running ok;
> but am having problems running it under windows2000.
This isn't an OpenSSL issue. Why are you posting it here?
-Ekr
Wirta Ville <[EMAIL PROTECTED]> writes:
> Yes, there is someone listening. And the whole thing works if client
> doesn't use non blocking sockets. For some reason non blocking
> BIO_do_connect doesn't send anything with its first few attempts (it's
> fourth or fifth time that makes things w
Jeremy Smith <[EMAIL PROTECTED]> writes:
> > Also, the documentation refers to the concept of a "BIO" all over the place, but
> > never defines it anywhere that I can find. Is BIO some kind of universally
> > understood concept that I have only just heard of? In any case, where can I go to
>learn
Neff Robert A <[EMAIL PROTECTED]> writes:
> I loved your book. Ordered it from B&N as soon as
> I saw it. Helped me overcome some early initial
> mindblocks when first integrating with OpenSSL.
> For those of you reading this, Erik's book is
> titled: SSL and TLS - Designing and Building
> Secur
nnects. This doubles the compute cost to the server. Whether
sockets or CPU time is more precious to the server depends on
the server.
-Ekr
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Syst
Ruby Cruiser <[EMAIL PROTECTED]> writes:
> Also,
> "SSL_read" does not return at all... I don't know
> what's going on.
>
> What does Blocking and non_blocking IO mean??
Blocking I/O means that when you ask to read or write
on the socket and there's no data or buffer space available
the call won'
"Christopher L. Everett" <[EMAIL PROTECTED]> writes:
> Hello again:
>
> I read the OSPKI book, which pointed me at the sign.sh
> script which helped quite a bit. I'm wondering if anyone can
> help me with a few specifics.
>
> So far, how I understand a certificate request gets signed
> is:
>
Götz Babin-Ebell <[EMAIL PROTECTED]> writes:
> And how does he get the connection IP-Address <-> FQDN ?
> ->He uses DNS.
I think you need to reread his message since that's not
what he says.
> If he wants to allow user XYZ presenting certificate C_XYZ to
> do some things, all he has to do is look in
1 - 100 of 186 matches