Re: ubuntu testing dtls capabilities

2010-09-16 Thread Michael Tüxen
' case. > Is there something else that should be done here, or something I didn't do? Hmm, I'm not familiar with the output. Can you use Wireshark to trace the communication on the loopback interface? Is there a complete handshake? I would like to make sure that it is not a firewall o

Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

2011-05-07 Thread Michael Tüxen
On May 7, 2011, at 2:16 PM, Justin Schoeman wrote: > Further information... > > I have read the source, and it says that either the port number (eg. "8008" > alone, or '*:' (eg:"*:8008) will bind to all interfaces, and > '::' (eg "::8008") will bind to the IPV6 wildcard, which on most > OSs wi

Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

2011-05-07 Thread Michael Tüxen
On May 7, 2011, at 10:40 PM, Justin Schoeman wrote: > William A. Rowe Jr. wrote: >> On 5/7/2011 7:16 AM, Justin Schoeman wrote: >> >>> It does not matter which of these I try, openssl always binds to >>> '::1:8008', which does >>> not accept IPV4. >>> >> >> I have tried various comb

Re: OpenSSL 1.0.0 BIO_new_accept _only_ binds to IPV6 interface?

2011-05-08 Thread Michael Tüxen
On May 7, 2011, at 11:14 PM, Justin Schoeman wrote: > Michael Tüxen wrote: >> On May 7, 2011, at 10:40 PM, Justin Schoeman wrote: >> >> >>> William A. Rowe Jr. wrote: >>> >>>> On 5/7/2011 7:16 AM, Justin Schoeman wrote: >>>>

Re: openssl DTLS support?

2011-05-26 Thread Michael Tüxen
On May 26, 2011, at 12:32 AM, John Zavgren wrote: > Greetings: > > How does one configure openSSL so that it builds with DTLS support? I don't think any specific option is required. You just want to use the latest 1.0.0 version, or even OpenSSL 1.0.0-stable. http://sctp.fh-muenster.de/dtls-sampl

Re: How to derive EAP-TLS key material from TLS?

2011-05-31 Thread Michael Tüxen
On May 31, 2011, at 8:02 AM, Neo Liu wrote: > Hi, everyone, > > I'm developing an EAP-TLS server using OpenSSL. I need to derive key material > from TLS session as described in RFC5216. Like the following figure shows: > > | | pre_master_secret | >serv

Re: How to derive EAP-TLS key material from TLS?

2011-06-01 Thread Michael Tüxen
On Jun 1, 2011, at 4:02 AM, Neo Liu wrote: > > > On Tue, May 31, 2011 at 6:41 PM, Michael Tüxen > wrote: > > What about using SSL_tls1_key_extractor()? > > I didn't this function in OpenSSL source. I don't understand what you are saying... > I c

Re: Openssl 1.0.0e: dtls segmentation fault after set SSL_OP_NO_QUERY_MTU

2011-09-21 Thread Michael Tüxen
On Sep 21, 2011, at 9:40 PM, Huaqing Wang wrote: > Hi, > > I don't know if any other person met this issue. > I use openssl1.0.0e, and working on dtls, in client side, if I set > SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_QUERY_MTU); > SSL_set_mtu(ss_ssl, 1500); > I met a segmentation fault on the

Re: how to generate relatively prime numbers

2010-04-30 Thread Michael Tüxen
On Apr 30, 2010, at 9:29 AM, denot...@libero.it wrote: > Hi all. > I need to generate a BIGNUM C that is relatively prime with a BIGNUM N( > GCD > (N,C)=1 ) > is there a pre-built function in openssl library ?? Doesn't C=1 or C=N+1 solve your problem? Best regards Michael > > Thanks. >

Re: RFC 3436 (tls-over-sctp) support?

2010-07-01 Thread Michael Tüxen
On Jun 30, 2010, at 1:03 PM, Byron Campen wrote: > I am looking into the possibility of using openssl on an sctp > association (for SIP, specifically), and the standardized way of doing it is > non-trivial (although not terribly complex; I call it non-trivial because it > is doing somethi

Re: ubuntu testing dtls capabilities

2010-09-15 Thread Michael Tüxen
Hi Sebastian, which version of openssl are you using? 0.9.8 contains a lot of bugs regarding DTLS. (You can see a list of fixes at http://sctp.fh-muenster.de/dtls-patches.html). They are fixed in 1.0.? Do the same problems show up with 1.0.?? Best regards Michael On Sep 15, 2010, at 7:10 PM, Se

Re: DTLS library

2008-11-11 Thread Michael Tüxen
Hi Henry, Robin (CCed) is currently debugging the DTLS implementation which is part of the OpenSSL library. He has sent 3 or 4 patches to the list which fix several bugs in the DTLS implementation. You might want to apply them to your sources. Maybe it is possible that someone from the core t

Re: How to detect dead peers with DTLS?

2009-01-19 Thread Michael Tüxen
Hi Daniel, why not use DTLS on top of SCTP? SCTP would check using its heartbeat mechanism whether the connection is still alive. Best regards Michael On Jan 19, 2009, at 10:47 AM, Daniel Mentz wrote: Hi everybody, how can I detect a dead server with *DTLS*? I'm developing an application

Re: How to detect dead peers with DTLS?

2009-01-19 Thread Michael Tüxen
Hi Daniel, comments in-line. Best regards Michael On Jan 19, 2009, at 10:54 PM, Daniel Mentz wrote: Thank you all for your answers. I think I will go for the hack that misuses re-negotiation as a kind of heartbeat, keep alive or echo request. I tried to avoid this hack at first because it

Re: How to detect dead peers with DTLS?

2009-01-20 Thread Michael Tüxen
Hi Giang, I think Robin tested it, so yes it works... But you need the bugfixes he sent to the list... Robin: Am I right? Best regards Michael On Jan 20, 2009, at 5:59 PM, Giang Nguyen wrote: I think I will go for the hack that misuses re-negotiation as a kind of heartbeat, keep alive or

Re: How to detect dead peers with DTLS?

2009-01-20 Thread Michael Tüxen
gards, Robin On 20.01.2009 at 18:38, Michael Tüxen wrote: Hi Giang, I think Robin tested it, so yes it works... But you need the bugfixes he sent to the list... Robin: Am I right? Best regards Michael On Jan 20, 2009, at 5:59 PM, Giang Nguyen wrote: I think I will go for the hack that misus

Re: How to detect dead peers with DTLS?

2009-01-20 Thread Michael Tüxen
only affect DTLS but also TLS which supports session resumption, too. In my opinion neither a DTLS specific method nor an untested generic method is a good solution. Understood and agreed. Regards, Robin On 20.01.2009 at 19:42, Michael Tüxen wrote: Hi Robin, what would be needed to add

Re: help to implement DTLS record protocol - Beginner

2009-03-18 Thread Michael Tüxen
Hi, DTLS is already implemented in openssl-0.9.8j. We have done some testing and found a couple of bugs which were fixed by Robin. These patches are available at http://sctp.fh-muenster.de/dtls-patches.html Robin also prepared some example programs which are available at http://sctp.fh-muenster.

Re: (DTLS) Nexuiz needs information on the open-ssl UDP stuff.

2009-04-11 Thread Michael Tüxen
You might want to take a look at the examples at http://sctp.fh-muenster.de/dtls-samples.html Best regards Michael On Apr 11, 2009, at 10:03 PM, Miguel Ghobangieno wrote: Any information on this? --- On Thu, 4/9/09, Miguel Ghobangieno wrote: From: Miguel Ghobangieno Subject: (DTLS) Nexu

Re: (DTLS) Nexuiz needs information on the open-ssl UDP stuff.

2009-04-16 Thread Michael Tüxen
On Apr 16, 2009, at 7:03 PM, Miguel Ghobangieno wrote: Thanks :) Though the memory leak in the guy's code might be a problem :P . "The bad news is that some have complained the OpenSSL developers aren't proactively applying patches for DTLS so it's unknown exactly when these issues will be

Re: DTLS: incorrect understanding of MTU

2009-05-12 Thread Michael Tüxen
Hi Daniel, yes, you are right. The command line arg is passed to SSL_set_mtu() which just sets d1->mtu. The rest of the code assumes that d1->mtu only covers the UDP payload. So we need to fix the handling of SSL_CTRL_SET_MTU to reduce the value by 20+8. Regarding path MTU discovery there s

Re: DTLS: incorrect understanding of MTU

2009-05-12 Thread Michael Tüxen
bin, how we can handle that... Best regards Michael On May 13, 2009, at 12:48 AM, Michael Tüxen wrote: Hi Daniel, yes, you are right. The command line arg is passed to SSL_set_mtu() which just sets d1->mtu. The rest of the code assumes that d1->mtu only covers the UDP payload. So we

Re: DTLS: incorrect understanding of MTU

2009-05-16 Thread Michael Tüxen
tract the overhead for the IP, UDP and DTLS Record Header but I think that's a violation of the layering principle. I - as an application developer - don't want to be concerned with the DTLS Record Layer. Best regards, Daniel Michael Tüxen wrote: Hi Daniel, yes, you are right.

Re: DTLS: incorrect understanding of MTU

2009-05-16 Thread Michael Tüxen
Hi Daniel, for discussing IETF specifications, you might want to use the appropriate IETF mailing list... However, as stated in my other mail, I think the definition in the RFC is correct. Your definition does only work for DTLS/UDP/IPv4 without using IP options. In all other cases your de