Suppose the TLS layer is initialized in the form:
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
BIO *r = BIO_new(BIO_s_mem());
BIO *w = BIO_new(BIO_s_mem());
SSL *ssl = SSL_new(ctx);
SSL_set_bio(ssl, r, w);
SSL_set_connect_state(ssl);
I want to use BIO so that I can control IO to/f
r has a low throughput? Does the socket BIO buffer
data fed into it until it can feed it down to the TCP socket? How much data can
it buffer until it fills up? Is there some error value I can examine?
Should I just give this chain up completely and use BIOs individually and setup
dynamic heap b
SSL_ERROR_WANT_ASYNC without using an SSL BIO
2) Use the ASYNC_start_job() interface directly.
In the latter case you should not set the SSL object into async mode at
all - because your code will be interfacing directly with the async API.
If you really have to do it via BIOs you could imp
Hi Everyone,
I am trying to mix an application with a buffer BIO over a SSL BIO
which uses an asynchronous engine for offloading.
I had a quick look at the SSL BIO (ssl/bio_ssl.c) and it does not
seem to care about the error SSL_ERROR_WANT_ASYNC coming from a
SSL_write or a SSL_read. Do
>From: owner-openssl-us...@openssl.org On Behalf Of David Hinkle
>Sent: Wednesday, 19 December, 2012 14:07
>I have a system where I want to selectively man in the middle
>some SSL connections. My proxy server currently has the capability
>to man in the middle all connections using openssl, or
I have a system where I want to selectively man in the middle some SSL
connections. My proxy server currently has the capability to man in the
middle all connections using openssl, or simply extract the server names
from the client hellos.
What I'd like to do is use my code to parse the client h
here,
so I'm attempting to implement this using BIOs. (Note: MITM CA is installed
for me client side)
It seemed I was on the right track in my implementation, but I'm not stuck.
It looks like servers are rejecting my negotiations with an "Protocol
Version" (70) TLS alert.
What
i all
I try to implement a DH exchange using socket BIOs. Here is what I do:
On the server
- I initialize a DH structure with DH_new
- I generate the parameters using
DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512
- I generate the keys using DH_generate_key(dh)
Now I need to send p,
Uh maybe this is the point: how do you init the size of a dh struct correctly?
I just set it like size=64
- Reply message -
From: "Michel"
To:
Subject: DH exchange & socket BIOs
Date: Fri, Aug 24, 2012 5:47 pm
Hi Carolin,
"It is just about half the length of the
Yeah size is the same on both sides :(
- Reply message -
From: "Michel"
To:
Subject: DH exchange & socket BIOs
Date: Fri, Aug 24, 2012 5:47 pm
Hi Carolin,
"It is just about half the length of the ..."
[very] Quick response : Hex value is twice the length o
ice. I send it first without being
subscribed to this list by accident)
Hi all
I try to implement a DH exchange using socket BIOs. Here is what I do:
On the server
- I initialize a DH structure with DH_new
- I generate the parameters using
DH_generate_parameters(prime_len,g,NULL,NULL) wit
Hi all
I try to implement a DH exchange using socket BIOs. Here is what I do:
On the server
- I initialize a DH structure with DH_new
- I generate the parameters using
DH_generate_parameters(prime_len,g,NULL,NULL) with prime_len=512
- I generate the keys using DH_generate_key(dh)
Now I need
(sorry if this mail arrives twice. I send it first without being
subscribed to this list by accident)
Hi all
I try to implement a DH exchange using socket BIOs. Here is what I do:
On the server
- I initialize a DH structure with DH_new
- I generate the parameters using
DH_generate_parameters
submissions during the life
> of a single client session)
>
> Thanks,
> n8
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Aut
I understand why nobody gave an answer to this question, because the crucial
hint was missing:
I am using the GLib GSocketService for handling incoming connections. The GLib
uses non-blocking
sockets under the hood which I was not aware of. Especially the
g_socket_set_blocking() function
does n
Hi,
I recently tried to refactor the TLS related code of my server
application and wanted to use a SSL-BIO instead of performing all
SSL-read/-write-operations by hand. As cipher suite I use
ADH-AES256-SHA, because no authentication of the peers is needed and a
man-in-the-middle-attack is highly u
> From: owner-openssl-us...@openssl.org On Behalf Of Darryl Miles
> Sent: Wednesday, 06 October, 2010 20:45
Very minor nits, but since we're being pedantic:
> > The rules that you can trust are:
>
> The ones mandated by the C language.
>
> [From memory]
> sizeof(char) == 1 (aka 8 bits)
Yes a
On 07-10-2010 08:28, Jeffrey Walton wrote:
On Wed, Oct 6, 2010 at 8:45 PM, Darryl Miles
wrote:
[SNIP]
Oh, and stdint.h is not available with all compilers!
Isn't this an ANSI requirement, ah well, poor compiler users what standards
do they conform to then ?
Like the safer string functio
First off: 64-bit filesys support would require a (minor?) API change;
there's been a similar size_t move in the past (partly rolled back IIRC) and
several 'int' or 'long' arguments should be turned into off_t types indeed,
irrespective of the typedef used to define that type. Several systems have
On Wed, Oct 6, 2010 at 8:45 PM, Darryl Miles
wrote:
>>>
>>> [SNIP]
>
>> Oh, and stdint.h is not available with all compilers!
>
> Isn't this an ANSI requirement, ah well, poor compiler users what standards
> do they conform to then ?
Like the safer string functions (strcpy_s and friends) and TR 24
Jakob Bohm wrote:
On 04-10-2010 21:10, Victor Duchovni wrote:
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and
sl itself) support those BIOs?
> > I configured the build with 64bit support and didn't see any noticeable
> > changes.
> > Specifically, I'd like to know if BIO_tell() is able to return a 64bit
> > value?
>
> No, BIO_tell() is a macro:
>
> include/
On 04-10-2010 21:10, Victor Duchovni wrote:
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and didn't se
On Mon, Oct 04, 2010 at 10:37:55AM -0400, Jeff Saremi wrote:
> Does BIO support 64 bit IO (large files)? If so would the rest of
> OpenSSL (such as the ssl itself) support those BIOs?
> I configured the build with 64bit support and didn't see any noticeable
> changes.
> Speci
Does BIO support 64 bit IO (large files)? If so would the rest of
OpenSSL (such as the ssl itself) support those BIOs?
I configured the build with 64bit support and didn't see any noticeable
changes.
Specifically, I'd like to know if BIO_tell() is able to return a 6
the end of that data? If I place a newline
> on
> it in your program string then it works.
>
No, it does not. I confirmed it multiple times. I am attaching the file that
I am using, in case you want to take a closer look. There is no new line and
without setting the below mentioned fl
On Mon, Oct 05, 2009, Srirang Doddihal wrote:
> Hi Steve,
>
> On Mon, Oct 5, 2009 at 5:11 PM, Dr. Stephen Henson wrote:
>
> > [snipped]
> >
> > Does this simpler version help:
> >
> > http://www.openssl.org/support/faq.html#PROG15
> >
>
> Thank you for pointing me to this. I understand it bette
Hi Steve,
On Mon, Oct 5, 2009 at 5:11 PM, Dr. Stephen Henson wrote:
> [snipped]
>
> Does this simpler version help:
>
> http://www.openssl.org/support/faq.html#PROG15
>
Thank you for pointing me to this. I understand it better now. However the
problem is still unresolved.
From the FAQ I unders
On Mon, Oct 05, 2009, Srirang Doddihal wrote:
> Hi all,
>
> I have some base64 encoded data in my own buffer (a character array).
> I want to decode this.
>
> From the man pages it appeared to me that I should
> 1) create a memory bio,
> 2) populate it with my base64 encoded data.
> 3) Create a
Hi all,
I have some base64 encoded data in my own buffer (a character array).
I want to decode this.
From the man pages it appeared to me that I should
1) create a memory bio,
2) populate it with my base64 encoded data.
3) Create a base64 filter bio
4) Create a chain like this:
[base64_bio]
Hi all,
I have some base64 encoded data in my own buffer (a character array).
I want to decode this.
From the man pages it appeared to me that I should
1) create a memory bio,
2) populate it with my base64 encoded data.
3) Create a base64 filter bio
4) Create a chain like this:
[base64_bio]
I have an application which uses a "push" data model - that is my code
sits and gets called to either decrypt data from the network, or encrypt
data to the network. It can buffer data, and return an indication that
nothing was done (yet), but must not block.
So, I wrapped the encrypted side of an
nnection where the kernel
> provides them.
Mea culpa for the confusion this caused over the weekend.
(And risking continuing my stupidity, I'd note with that 'locks around
SSL session object', it's not just the SSL session object, it also
includes all the BIOs used by such an
I did find this comment in ssltest.c :
* A BIO pair behaves similar to a non-blocking socketpair
* (but both endpoints must be handled by the same thread).
i.e. You can NOT have Thread1 write to a BIO_pair and expect Thread2
to read it off the BIO_pair.
Is that what you were referring to?
Regard
> > be aware that SSL BIO's (and (SSL*) sessions!) are 'threadsafe'
> > in the sense that OpenSSL *assumes* a (SSL *) or
> > /any/ BIO remains inside a single thread from the moment it
> > becomes 'active', i.e. is set up / is going to do some work.
This is completely incorrect. It's totally nonse
Again, thanks for all the pointers, these are really helpful getting
me going in the right direction.
I am still digesting all of your info, but wanted to discuss this
point further, as it almost sounds like a show-stopper:
> be aware that SSL BIO's (and (SSL*) sessions!) are 'threadsafe' in the s
l that OpenSSL offers BIO *chains*, so you should keep the
regular chain intact (SSL_read/SSL_write at topside; traverse BIO
chain down to source/sink to insert BIO_pair as a source+sink). The
SSL layer should do its own cipher BIO adding and all; all you should
replace is the source/sink BIOs.
Sor
test idea, and thanks for the reply,
n8
-Original Message-
From: ger.hobb...@gmail.com [mailto:ger.hobb...@gmail.com] On Behalf
Of Ger Hobbelt
Sent: Tuesday, March 17, 2009 5:38 PM
To: openssl-users@openssl.org
Cc: n8l...@gmail.com
Subject: Re: TLS, BIOs, SSL_read/write
Please f
all times as you are plugging in your own I/O
mechanism at the backend (IOCP)). Also check out how BIO pairs et al
are used for in-memory SSL sessions, such as shown in the ssltest
application which comes OpenSSL. (There are more sample apps which use
in-memory BIOs for performing SSL communicatio
g
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Galina Goncharov
Sent: Sunday, March 15, 2009 9:14 PM
To: openssl-users@openssl.org
Subject: Re: TLS, BIOs, SSL_read/write
another thought - I didn't notice your third SSL_set_bio(m_ssl, NULL,
bioMem); so my suggestion wasn't quit
On Sun, Mar 15, 2009 at 11:14:04PM -0500, Galina Goncharov wrote:
> another thought - I didn't notice your third SSL_set_bio(m_ssl, NULL,
> bioMem); so my suggestion wasn't quite correct. and it's always useful to
> get error by calling SSL_get_error() - it can point to right direction.
> and bel
another thought - I didn't notice your third SSL_set_bio(m_ssl, NULL,
bioMem); so my suggestion wasn't quite correct. and it's always useful to
get error by calling SSL_get_error() - it can point to right direction.
and below is from other thread:
=
The BIO_new_mem_buf creates a read-only buf
Hello,
as I can see from code you first set readBIO and writeBIO to
socket(scktUpstream ) and that makes TLS negotiation to succeed. Later you
set SSL readBIO to mem_bio, and writeBIO to NULL and then try to use
writeBIO ( calling SSL_write) - sure it will fail. During negotiation do you
receive se
Greetings,
I am in the process of converting an SMTP/TLS server to use Async IO.
(using IO Completion Ports on Windows)
As such, the previously working style of using SSL_accept, select, and
SSL_read / SSL_write is no longer sufficient.
Now that I am using WSARecv to do the read, my app is notifie
I am trying to write a simple echo server. I first decided to try it
with the BIO without any keys. I keep having problems with blocking. It
seems that it gets stuck somewhere expecting a read or a write. You will
notice on the client that I do BIO_write. Then I do a BIO_read in a loop
to get the d
Hi,
well there is a specific reason I am not using SSL :-). Anyway, I have already
solved the problem without using the BIOs.
Best regards,
Jernej Kos.
On Friday 29 of June 2007, David Schwartz wrote:
> > i am trying to use the BIO_f_cipher to encrypt/decrypt data
> > coming/goin
her BIO.
SSL has a way to flush without ending the connection, cipher BIOs don't. So you
can't be sure the other side gets the end of message X until you send enough
data past it to give the cipher a full chunk.
DS
___
Hi,
i am trying to use the BIO_f_cipher to encrypt/decrypt data coming/going over
a socket BIO. Everything works fine, just the last message that is sent
blocks the receiving side until a socket timeout occurs - at that time the
last block is properly decrypted. Is there something that should b
Jagannadha Bhattu wrote:
Hi,
I am new to SSL and want to know more about BIOs. Is there a tutorial
on how to use and on their uses.
Thanks
JB
Hi,
I am new to SSL and want to know more about BIOs. Is there a tutorial
on how to use and on their uses.
Thanks
JB
Beniamino,
Thanks for the help. I now have more data to send to the server.
Martin.
-Original Message-
From: Beniamino Galvani [mailto:[EMAIL PROTECTED]
Sent: 12 April 2005 12:20
To: openssl-users@openssl.org; Bradley,MP,Martin,XDP81 R
Subject: Re: memory BIOs during handshake.
On
On Tue, Apr 12, 2005 at 10:43:46AM +0100, [EMAIL PROTECTED] wrote:
> I am writing a piece of software to negotiate the client side of a TLS
> connection over UDP. I have initialised openssl by using
> ...
> To get the client_hello message I call SSL_connect which returns a
> negative result.
Tr
clients private key.
I have two BIOs of type BIO_s_mem called toClient and fromClient.
SSL_set_bio(connection->ssl, connection->toClient,
connection->fromClient)
To get the client_hello message I call SSL_connect which returns a
negative result. SSL_get_error then informs me that the
implement an eap-tls server using openssl and
> I've found only few examples about using memory BIOs to
> perform a TLS handshake.
> Can you give me some pointer to documentation about this or
> to some examples?
>
> The code that I'm using is very simple:
> I'm trying to implement an eap-tls server using openssl and
> I've found only few examples about using memory BIOs to
> perform a TLS handshake.
> Can you give me some pointer to documentation about this or
> to some examples?
>
> The cod
I'm trying to implement an eap-tls server using openssl and
I've found only few examples about using memory BIOs to
perform a TLS handshake.
Can you give me some pointer to documentation about this or
to some examples?
The code that I'm using
On Mon, Jul 05, 2004, Stephen Soltesz wrote:
> Hello,
>
> I apologize if my last question was too involved to test easily.
>
> I've attached a new version of the test code that is much more direct in
> its use of a message digest.
>
> The program opens /dev/zero and reads four bytes, one byte
Hello,
I apologize if my last question was too involved to test easily.
I've attached a new version of the test code that is much more direct in its use
of a message digest.
The program opens /dev/zero and reads four bytes, one byte at a time, and after
each byte retrieves the digest using BIO_g
int sk;
BIO_get_fd(bio,&sk);
getpeername(sk,&address,&address_len);
On Jan 19, 2004, at 4:44 PM, Zac Hansen wrote:
I'm trying to figure out how to get the client address/port when using
BIOs to accep
I'm trying to figure out how to get the client address/port when using
BIOs to accept new connections.
I guess I can use normal accept() to do this, but I already have
everything else written and working and I'd rather not go back and mess
with it if there's an easy way I
o (with BIO_pop())
> to read from and write to the socket, so that PORT1 is reserved to the
> accept bio and any requests from connection bios are redirected to other
> ports that can be dealed by other threads.
>
> How can I do that redirecting thing?
>
The redirect thing shoul
the accept bio and any requests from connection bios are redirected to other ports
that can be dealed by other threads.
How can I do that redirecting thing?
Thanxs, Daniel.
data read from the loop is the plain text to be hashed. So it
seems that the chained BIOs have to be read/written one by one, that is, if
there are ,say, four BIOs chained together, then we have to BIO_read/BIO_write
four times to get the final result. Is it correct?
Best
Regards, LH
tten is more than the current size of the BIO buffer.
Yes. If you don't like this, forget about memory BIOs and use BIO
pairs instead. See example code in ssl/ssltest.c or in Postfix-TLS.
BIO pairs do buffer allocation only once.
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.inf
Hi ,
Steve mentioned that the size of the memory BIO can grow indefinitely
until memory allocations fail. I assume what he is referring to is that
when BIO_write is called a reallocation is done if the data to be
written is more than the current size of the BIO buffer.
It needs documenting alr