A Few General OpenSSL Questions...


A Few General OpenSSL Questions...

Usman Riaz
Hi!
     I am implementing SSL support for my IOCP server using BIO pairs. I
would like it if someone could throw some light on the following:

a. Do the BIO pairs support full-duplex data flow? For example, I get
some data from the client that is less than a complete SSL record; I write that
incomplete SSL record to the BIO, and then reading the other end of the BIO yields
nothing (since the record wasn't complete, so this seems OK). Now I have
some data to send: should I wait until the previous record is completely
decrypted and read out of the BIO before writing it to the BIO?
b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for the
client to connect. When the client connects (the client is a Firefox browser,
with SSLv2, 3 & TLSv1 enabled), on the server side when I try to read from
the BIO (after writing the initial handshake data to the BIO) the read fails,
and BIO_should_retry also fails, with the error being "incorrect version
number". Now if I change the SSL method on my server to "SSLv2_method" then I
don't have any problems and can connect fine. But since I have enabled all
available versions on my client (SSLv2, 3, TLSv1), the BIO should not return
an error. Can someone tell me what I need to do to make the server connect
with SSL v3 or TLS v1?
Thanks in advance,
Regards,
Usman.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: A Few General OpenSSL Questions...

Cesc Santa
On 11/30/05, Usman Riaz <[hidden email]> wrote:

> b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for the
> client to connect. When the client connects (the client is a Firefox browser,
> with SSLv2, 3 & TLSv1 enabled), on the server side when I try to read from
> the BIO (after writing the initial handshake data to the BIO) the read fails,
> and BIO_should_retry also fails, with the error being "incorrect version
> number". Now if I change the SSL method on my server to "SSLv2_method" then I
> don't have any problems and can connect fine. But since I have enabled all
> available versions on my client (SSLv2, 3, TLSv1), the BIO should not return
> an error. Can someone tell me what I need to do to make the server connect
> with SSL v3 or TLS v1?

Have you tried SSLv23_method? It starts with a v2 Hello, then it
upgrades to v3 or TLSv1...

Regards,

Cesc

Re: A Few General OpenSSL Questions...

Usman Riaz

>On 11/30/05, Usman Riaz <[hidden email]> wrote:
> > b. Secondly, I set the SSL version to 3 via "SSLv3_method" and wait for the
> > client to connect. When the client connects (the client is a Firefox browser,
> > with SSLv2, 3 & TLSv1 enabled), on the server side when I try to read from
> > the BIO (after writing the initial handshake data to the BIO) the read fails,
> > and BIO_should_retry also fails, with the error being "incorrect version
> > number". Now if I change the SSL method on my server to "SSLv2_method" then I
> > don't have any problems and can connect fine. But since I have enabled all
> > available versions on my client (SSLv2, 3, TLSv1), the BIO should not return
> > an error. Can someone tell me what I need to do to make the server connect
> > with SSL v3 or TLS v1?
>
>Have you tried SSLv23_method? It starts with a v2 Hello, then it
>upgrades to v3 or TLSv1...
>
>Regards,
>
>Cesc

Thanks for the reply, Cesc. I haven't tried v23, but actually I don't
want to use SSLv2 for my server. But if I disable all the other protocols in
Firefox except the one used by my server, it works fine. Probably there
might be some flag so that OpenSSL can fall back to some other protocol if
one is not supported by the client. I actually want to use either SSLv3 or
TLSv1 for my server.
Regards,
Usman.

P.S.: Can someone comment on SSL BIO pairs being full duplex?


RE: A Few General OpenSSL Questions...

Mark-62
Hello Usman,

> > > an error. Can someone tell me what I need to do to make the server connect
> > > with SSL v3 or TLS v1?
> >
> > Have you tried SSLv23_method? It starts with a v2 Hello, then it
> > upgrades to v3 or TLSv1...

Try this with SSLv23_method:

    SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());

    /* Set any parameters such as disabling v2 protocol. */
    SSL_CTX_set_options(ctx,
                        SSL_OP_ALL  |   /* All bug workarounds.      */
                        SSL_OP_NO_SSLv2 /* Disable v2 protocol       */
                        );


Regards, Mark

RE: A Few General OpenSSL Questions...

Usman Riaz

>From: "Mark" <[hidden email]>
>Reply-To: [hidden email]
>To: [hidden email]
>Subject: RE: A Few General OpenSSL Questions...
>Date: Thu, 1 Dec 2005 12:37:55 -0000
>
>Hello Usman,
>
> > > > an error. Can someone tell me what I need to do to make the server connect
> > > > with SSL v3 or TLS v1?
> > >
> > > Have you tried SSLv23_method? It starts with a v2 Hello, then it
> > > upgrades to v3 or TLSv1...
>
>Try this with SSLv23_method:
>
>     /* Set any parameters such as disabling v2 protocol. */
>     SSL_CTX_set_options(ctx,
>                         SSL_OP_ALL  |   /* All bug workarounds.      */
>                         SSL_OP_NO_SSLv2 /* Disable v2 protocol       */
>                         );
>
>Regards, Mark

Thanks for the reply, Mark. I gather that using method v23 with the option set to
disable v2 is the same as using just v3, since my problem is that OpenSSL on the
server does not want to continue if the client is using a different version,
and returns an error instead of sending the client some data to use a different
protocol (I guess that's not part of the SSL specs). But I'll give it a try &
post back if I have any further questions.
Thanks,
Usman.

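The fix Mark gives above (SSLv23_method plus SSL_OP_NO_SSLv2), and Usman's worry that this is no different from pinning SSLv3, both come down to one rule: let the server accept a range of protocol versions and set an explicit floor, rather than pinning a single version and refusing every client whose hello starts elsewhere. What follows is an added example written for this page, not code from the thread or from OpenSSL. It uses Go's standard crypto/tls rather than OpenSSL's C API so that it runs self-contained; the same policy in OpenSSL 1.1.0 and later is SSL_CTX_new(TLS_server_method()) followed by SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), and in those releases SSLv2 is gone and SSLv3 is disabled by default. The in-memory memConn type stands in for the network side of a BIO pair, so the example also answers Usman's part (a) in practice: each side writes before it reads and both greetings still arrive, because the two directions never wait on each other. The certificate is generated on the fly, and the name "bio-pair-demo", the two greetings and the 256-chunk queue size are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// memConn is a buffered in-memory net.Conn: each direction is a channel of byte
// chunks, so a Write never blocks on the peer. That is what a BIO pair gives an
// event-driven server: the I/O loop drains each direction on its own schedule.
type memConn struct {
	in, out chan []byte
	rest    []byte // unread tail of the last chunk taken from in
}

func (c *memConn) Read(p []byte) (int, error) {
	var ok bool
	for len(c.rest) == 0 {
		if c.rest, ok = <-c.in; !ok {
			return 0, io.EOF // peer closed and its queue is drained
		}
	}
	n := copy(p, c.rest)
	c.rest = c.rest[n:]
	return n, nil
}

func (c *memConn) Write(p []byte) (int, error) {
	c.out <- append([]byte(nil), p...) // copy: crypto/tls reuses its record buffer
	return len(p), nil
}

func (c *memConn) Close() error                     { close(c.out); return nil }
func (c *memConn) LocalAddr() net.Addr              { return &net.IPAddr{} }
func (c *memConn) RemoteAddr() net.Addr             { return &net.IPAddr{} }
func (c *memConn) SetDeadline(time.Time) error      { return nil } // deadlines are ignored
func (c *memConn) SetReadDeadline(time.Time) error  { return nil }
func (c *memConn) SetWriteDeadline(time.Time) error { return nil }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// selfSigned builds a throwaway P-256 certificate in memory (constructed test material,
// not a real identity) and a pool trusting it, so the client verifies rather than skips.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"bio-pair-demo"}, // assumed name, matched by ServerName below
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// talk sends its greeting before reading anything, so neither direction waits on
// the other; the first Write also drives the handshake.
func talk(c *tls.Conn, send string, got *string) error {
	defer c.Close()
	if _, err := c.Write([]byte(send)); err != nil {
		return err
	}
	buf := make([]byte, len(send)) // both greetings are the same length
	_, err := io.ReadFull(c, buf)
	*got = string(buf)
	return err
}

// exchange pits a server with a version floor (the analogue of SSLv23_method plus
// SSL_OP_NO_* flags) against a client with a ceiling, one goroutine per side.
func exchange(cert tls.Certificate, pool *x509.CertPool, srvMin, cliMax uint16) (srvGot, cliGot string, err error) {
	toSrv, toCli := make(chan []byte, 256), make(chan []byte, 256)
	srv := tls.Server(&memConn{in: toSrv, out: toCli}, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: srvMin})
	cli := tls.Client(&memConn{in: toCli, out: toSrv}, &tls.Config{RootCAs: pool, ServerName: "bio-pair-demo", MaxVersion: cliMax})
	errs := make(chan error, 2)
	go func() { errs <- talk(srv, "hello from server", &srvGot) }()
	go func() { errs <- talk(cli, "hello from client", &cliGot) }()
	err = <-errs
	if e := <-errs; err == nil {
		err = e // a version mismatch surfaces here as the handshake error
	}
	return
}

func main() {
	cert, pool := selfSigned()
	fmt.Println(exchange(cert, pool, tls.VersionTLS12, tls.VersionTLS13)) // meets at TLS 1.3
	fmt.Println(exchange(cert, pool, tls.VersionTLS13, tls.VersionTLS12)) // floor above ceiling
}
```

In the first run the server's floor (TLS 1.2) and the client's ceiling (TLS 1.3) overlap, the two sides meet at TLS 1.3, and each receives the other's greeting although both wrote before reading. In the second run the server accepts only a version the client does not offer, and the handshake fails with a version error instead of negotiating down: that is the situation Usman hit with a server pinned to one method, and the reason the remedy is to widen what the server accepts and then floor it, not to pin it elsewhere.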