Adding custom data to SSL certificates


Adding custom data to SSL certificates

Jernej Kos-2
Hi,

is there a way to add custom data (fields?) to SSL certificates? If so, where
can I find more documentation about it?

Regards,
Jernej Kos.
--
Jernej Kos <[hidden email]>
Unimatrix One
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Adding custom data to SSL certificates

Katie Lucas
On Tue, Oct 18, 2005 at 04:04:57PM +0200, Jernej Kos wrote:
> Hi,
 
> is there a way to add custom data (fields?) to SSL certificates ? If
> so, where can i find more documentation about it ?


There's not a huge amount of documentation about this. Several things
I've found:

You need an ASN.1 OID to add your data under. We ended up using the
service at http://www.itu.int/ITU-T/asn1/ to generate and register an
OID under {joint-iso-itu-t(2) uuid(25)}, under which we can then
generate our own OIDs.

You then get a huge long code which you can use in a call to

        OBJ_create(YOUR_OID, SHORTNAME, LONGNAME)

which gets you a "nid". The "nid" is the thing that you use to create
& read X509V3 extensions in the certificates.

You need to explain to openssl what format the extension field is. The
easiest way to do this is to call

        X509V3_EXT_add_alias(YOUR_NID,SOME_EXISTING_NID)

passing in some field which is the same sort of style as yours.

There's an example in the O'Reilly openssl book (the source is
available as a download at http://www.opensslbook.com/code.html) about
how to sign certificates, and along the way add extensions, and you
can add your own in at that point.

You make a stack of extensions, put your extensions into the stack, add
the stack to the request, sign the request.


Reading them is fairly easy once you've got a nid. You go:

        X509_get_ext_by_NID(CERTIFICATE,NID,START_FROM);

Probably with START_FROM= -1, unless you're trying to find the second
occurrence of a field. This gives you -1 for not found, or a position.

You then go

        X509_get_ext(CERTIFICATE,POSITION);

And it'll get you the extension. There are then things to read the data
out of it, and get its name and so on, which are all
X509_EXTENSION_xxx type functions.


Once you know the function calls to be looking for, it all gets a bit
easier!

There's info at http://www.cise.ufl.edu/depot/doc/openssl/openssl.txt

Also worth reading http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt


Re: Adding custom data to SSL certificates

Cesc Santa
I hit the wall some time ago trying the same ... adding my custom data to the certs.
Certainly this email back then would have come in handy.

Anyway, just a remark ... the pain in the ass, when you generate the certificate and add your V3 extension (as explained in one of the links), is having to manually encode the value as DER ... it is easy for a small number ... even for a short string ... but beyond that, it is just too much. Does anybody know of some software that does that automatically? I mean ... provide a string/int/bool ... return the hex DER encoded version.
 
Regards,
 
Cesc

 

Re: Adding custom data to SSL certificates

Dr. Stephen Henson
On Wed, Oct 19, 2005, Cesc wrote:

> I hit the wall some time ago trying the same ... adding my custom data to
> the certs.
> Certainly this email back then would have come in handy.
>  Anyway, just a remark ... the pain in the ass, when you generate the
> certificate and add your V3 extension (ass explained in one of the links),
> is having to manually encode the value as DER ... it is easy for a small
> number ... even for a short string ... but beyond that, it is just too much.
> Does anybody know of some software that does that automatically? i mean ...
> provide a string/int/bool ... return the hex DER encoded version.

OpenSSL 0.9.8. There is a mini-ASN1 compiler in 0.9.8 which is integrated
into various parts of the library.

The asn1parse utility has a -genstr option for simple structures and a
-genconf one for more complex cases. The Fine Manual has details of the syntax
used.

However, that isn't really needed, because as well as the DER option for
non-standard extensions there is also an ASN1 option, which uses the same
syntax and adds it to extensions directly.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
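The workflow Katie describes (a private OID, the extension pushed onto the certificate before signing, then looked up by identifier when reading it back) together with the DER encoding Cesc asks about, as an added example in Go that is not part of the thread or of OpenSSL itself: encoding/asn1 produces the DER value automatically, and the OID under 1.3.6.1.4.1 with enterprise number 99999 is a constructed placeholder, not a registered arc.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID for the example, constructed under the private-enterprise
// arc (1.3.6.1.4.1) with a made-up enterprise number. A real deployment uses
// an arc it has registered (the thread mentions the ITU-T UUID-based one).
var customExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// CustomData is the ASN.1 SEQUENCE stored in the extension. encoding/asn1
// produces the DER for it, which is the hand-encoding step the thread
// complains about.
type CustomData struct {
	Label   string `asn1:"utf8"` // UTF8String
	Version int                  // INTEGER
	Trusted bool                 // BOOLEAN
}

// EncodeExtensionValue DER-encodes the payload; these are the bytes you would
// otherwise type after "DER:" in an x509v3 config section.
func EncodeExtensionValue(d CustomData) ([]byte, error) {
	return asn1.Marshal(d)
}

// BuildCertWithExtension issues a self-signed certificate carrying the custom
// extension and returns it in DER form.
func BuildCertWithExtension(d CustomData) ([]byte, error) {
	value, err := EncodeExtensionValue(d)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "custom-ext-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		// ExtraExtensions is the counterpart of pushing an X509_EXTENSION onto
		// the stack before signing. Critical stays false so that relying
		// parties that do not know the OID still accept the certificate.
		ExtraExtensions: []pkix.Extension{{Id: customExtOID, Value: value}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ReadCustomExtension parses a DER certificate, finds the extension by OID
// (the counterpart of X509_get_ext_by_NID) and decodes its value.
func ReadCustomExtension(certDER []byte) (CustomData, error) {
	var out CustomData
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return out, err
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(customExtOID) {
			continue
		}
		rest, err := asn1.Unmarshal(ext.Value, &out)
		if err != nil {
			return out, err
		}
		if len(rest) != 0 {
			return out, errors.New("trailing bytes after custom extension value")
		}
		return out, nil
	}
	return out, errors.New("custom extension not present")
}

func main() {
	in := CustomData{Label: "hello", Version: 3, Trusted: true}
	der, err := BuildCertWithExtension(in)
	if err != nil {
		panic(err)
	}
	got, err := ReadCustomExtension(der)
	fmt.Printf("round-tripped %+v (err=%v)\n", got, err)
}
```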

Re: Adding custom data to SSL certificates

Dr. Stephen Henson
In reply to this post by Jernej Kos-2
On Tue, Oct 18, 2005, Jernej Kos wrote:

> Hi,
>
> is there a way to add custom data (fields?) to SSL certificates ? If so, where
> can i find more documentation about it ?
>

In OpenSSL 0.9.8 the section ARBITRARY EXTENSIONS in the x509v3_config manual
page.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Using OpenSSL over a high level peer-to-peer middleware

Alain Damiral
In reply to this post by Cesc Santa
Greetings to everyone,

This is my first mail to this list so first of all I hope to avoid
making too much of a fool of myself.

I am a student in computer science and I have been charged with the task
of implementing a secure communication mechanism for a high level
peer-to-peer middleware designed for use in the Oz language
(www.mosart-oz.org). This peer-to-peer network is a structured network
in which there should not necessarily be a direct TCP connection between
two communicating peers. So far it seems like a fine idea to use SSL
over this network rather than directly over TCP as is usually done.
Before damaging my health too much on this work I'd appreciate some
advice from fine people such as many of you certainly are about the
following questions:

How feasible is it to use OpenSSL's SSL library to generate the raw data
that is to be sent through the transport layer independent of the
latter's implementation? And read this data on the other end...

Would it be a better idea to use OpenSSL's crypto library to handle
cryptographic operations and certificates and reimplement the rest of
SSL's behaviour according to its specification? (At least to the
extent required for my piece of work)

Is there any known similar project, in which OpenSSL has been used to
implement SSL over non-TCP connections?


Well that's it for now and I thank you all for your time,

Alain Damiral,

Université Catholique de Louvain - student,
alain.damiral'at'student.uclouvian.be

Re: Adding custom data to SSL certificates

Jernej Kos-2
In reply to this post by Katie Lucas
Thank you very much for this info, I was looking for it for ages :)

Best regards,
Jernej Kos.

--
Jernej Kos <[hidden email]>
Unimatrix One

Re: Using OpenSSL over a high level peer-to-peer middleware

Ning Ke
In reply to this post by Alain Damiral

> How feasible is it to use OpenSSL's SSL library to generate the raw data
> that is to be sent through the transport layer independent of the
> latter's implementation ? And read this data on the other end...

The OpenSSL library uses the BIO abstraction for I/O operations. You could use a memory BIO and manipulate that buffer any way you want.

> Is there any known similar project, in which OpenSSL has been used to
> implement SSL over non-TCP connexions ?


OpenSSL 0.9.8 comes with support for DTLS, which is TLS over UDP. I am not aware of anyone using it, though. The EAP-TLS protocol, which has been around for a while, uses TLS over PPP (vs. TCP). Be careful when you create your own protocol, because TLS assumes a reliable transport; breaking this assumption has serious security implications.




Re: Using OpenSSL over a high level peer-to-peer middleware

Rich Salz
> openSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.

Another point for the original poster to keep in mind is that SSL/TLS can
require multiple read/writes for a single application-level packet
exchange.  This isn't always obvious to folks starting out.  I think the
DTLS spec discusses some of the implications.

You might also want to look at the "security" in SNMPv3.

        /r$

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html


Re: Adding custom data to SSL certificates

Dr. Stephen Henson
In reply to this post by Jernej Kos-2
On Wed, Oct 19, 2005, Jernej Kos wrote:

> Thank you very much for this info, I was looking for it for ages :)
>

I'd advise using the mini-ASN1 compiler if possible.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Using OpenSSL over a high level peer-to-peer middleware

Alain Damiral
In reply to this post by Rich Salz
Rich Salz wrote:

>> openSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.
>
> Another point for the original poster to keep in mind is that SSL/TLS can
> require multiple read/writes for a single application-level packet
> exchange.  This isn't always obvious to folks starting out.  I think the
> DTLS spec discusses some of the implications.
>
> You might also want to look at the "security" in SNMPv3.
>
> /r$
>
Thank you for all the replies.

I'll grab the opportunity here to point out that I am aware of SSL
requiring more message exchanges than should be perceived at the
application level. Allow me to try to be more accurate about what I'm
looking for.

What I would like to do is to use OpenSSL's normal functionality, but
without encapsulation of the actual operation of sending messages.
Instead I would like all messages "forged" by OpenSSL - including
handshake messages - to be sent back up to my module (which would be
implemented in the Oz language I mentioned in my original post). Then
the data would be sent across the "high level" structured peer-to-peer
network in a reliable way, and the reverse operation run on the other end.

If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send
all those messages regardless of what that BIO is actually encapsulating?
(That would normally be the TCP connection.) If it is so, I believe I
have the answer to my questions.

Thanks again to all those whose time I have stolen

--
Alain Damiral,

Université Catholique de Louvain - student
alain.damiral'at'student.info.ucl.ac.be


Re: Using OpenSSL over a high level peer-to-peer middleware

Justin Karneges
On Wednesday 19 October 2005 08:37, Alain Damiral wrote:
> If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send
> all those messages regardless of what that BIO is actually encapsulating
> ? (That would normally be the TCP connexion) If it is so, I believe I
> have the answer to my questions.

Right, you use a memory BIO.  The openssl-based plugin for QCA works this way,
so you might have a look:
  http://delta.affinix.com/qca/

QCA presents SSL/TLS as a filter interface to the application.  One neat thing
this has allowed our application to do is run a single TLS session over a
series of non-persistent HTTP connections.

Hopefully you find this encouraging. :)

-Justin

RE: Using OpenSSL over a high level peer-to-peer middleware

Mouse-2
In reply to this post by Rich Salz
> > openSSL 0.9.8 comes with support for DTLS, which is TLS over UDP.
>
> Another point for the original poster to keep in mind is that
> SSL/TLS can require multiple read/writes for a single
> application-level packet exchange.

SA establishment cost...

> This isn't always obvious to folks starting out.  I think the
> DTLS spec discusses some of the implications.



> You might also want to look at the "security" in SNMPv3.

Means what?


Re: Using OpenSSL over a high level peer-to-peer middleware

Goetz Babin-Ebell
In reply to this post by Justin Karneges
Justin Karneges wrote:
> On Wednesday 19 October 2005 08:37, Alain Damiral wrote:
>> If I understand what Ning Ke suggests, OpenSSL uses a BIO output to send
>> all those messages regardless of what that BIO is actually encapsulating
>> ? (That would normally be the TCP connexion) If it is so, I believe I
>> have the answer to my questions.
>
> Right, you use a memory BIO.

My experience is that implementing your own BIO is not that hard.
If you understand C, bang your head against the existing BIO
implementations (especially bss_sock.c) and look for ideas that fall
out of it...

This way you can drop an additional layer of complexity:

Instead of:

Your code <=> SSL_BIO <=> memory_BIO <=> your code

you get

Your code <=> SSL_BIO <=> your BIO

Bye

Goetz


--
DMCA: The greed of the few outweighs the freedom of the many


RE: Using OpenSSL over a high level peer-to-peer middleware

JoelKatz
In reply to this post by Alain Damiral

> What I would like to do is to use OpenSSL's normal functionality, but
> without encapsulation of the actual operation of sending messages.
> Instead I would like all messages "forged" by OpenSSL - including
> handshake messages - to be sent back up to my module (which would be
> implemented in the Oz language I mentionned in my original post). Then
> the data would be sent accross the "high level" structured peer-to-peer
> network in a reliable way, and the reverse operation run on the other end.

        I recommend using BIO pairs for this purpose. There's example code in
ssltest.c. Basically, your code then does 4 things:

        1) When you have unencrypted data to send, you hand it to OpenSSL.

        2) When OpenSSL has encrypted data to send, you grab it from OpenSSL.

        3) When you receive encrypted data from the other side, you hand it to
OpenSSL.

        4) When OpenSSL has decrypted data to give, you grab it from OpenSSL.

        The trick is to understand that these operations will not always appear
logically related. For example, you may hand some unencrypted data to
OpenSSL and it will not have any encrypted data ready for you to send yet.
Or you may receive some encrypted data, hand it to OpenSSL, and then find
there is no unencrypted data for you.

        DS
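The arrangement the replies describe (OpenSSL talks only to a BIO, so the transport underneath can be anything; Goetz's "your BIO" variant rather than a memory-BIO pair), as an added Go example that is not from the thread or from OpenSSL: crypto/tls is handed a net.Conn the way OpenSSL is handed a BIO. MsgConn, NewPair, the channel-backed overlay and the throwaway certificate are all constructed for the demo, and the client pins that certificate instead of disabling verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// MsgConn is the "your BIO" of the thread: a net.Conn that carries TLS records over a
// message transport; here a channel of byte slices stands in for the overlay (constructed).
type MsgConn struct {
	in   <-chan []byte
	out  chan<- []byte
	rest []byte // unread tail of the last message: TLS reads in arbitrary sizes
}

// NewPair returns two connected MsgConns, one per peer (compare a BIO pair).
func NewPair() (*MsgConn, *MsgConn) {
	a2b, b2a := make(chan []byte, 32), make(chan []byte, 32)
	return &MsgConn{in: b2a, out: a2b}, &MsgConn{in: a2b, out: b2a}
}

func (c *MsgConn) Read(p []byte) (int, error) {
	if len(c.rest) == 0 {
		var ok bool
		if c.rest, ok = <-c.in; !ok {
			return 0, io.EOF // the peer closed its side
		}
	}
	n := copy(p, c.rest)
	c.rest = c.rest[n:]
	return n, nil
}

func (c *MsgConn) Write(p []byte) (int, error) {
	c.out <- append([]byte(nil), p...) // copy: the caller may reuse p
	return len(p), nil
}

func (c *MsgConn) Close() error                     { close(c.out); return nil } // EOF for the peer
func (c *MsgConn) LocalAddr() net.Addr               { return nil }              // no addresses here
func (c *MsgConn) RemoteAddr() net.Addr              { return nil }
func (c *MsgConn) SetDeadline(time.Time) error      { return nil }
func (c *MsgConn) SetReadDeadline(time.Time) error  { return nil }
func (c *MsgConn) SetWriteDeadline(time.Time) error { return nil }

// selfSignedCert makes a throwaway server certificate for the demo.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"overlay-peer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Exchange runs a TLS handshake over the message transport and returns the echo of msg.
func Exchange(msg string) (string, error) {
	srvCert, leaf, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	pool := x509.NewCertPool() // pin the demo cert rather than disabling verification
	pool.AddCert(leaf)
	clientSide, serverSide := NewPair()
	go func() { // the server peer: Read drives the handshake, then it echoes
		srv := tls.Server(serverSide, &tls.Config{Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS12})
		defer srv.Close()
		buf := make([]byte, 512)
		if n, err := srv.Read(buf); err == nil {
			srv.Write(buf[:n])
		}
	}()
	cli := tls.Client(clientSide, &tls.Config{RootCAs: pool, ServerName: "overlay-peer", MinVersion: tls.VersionTLS12})
	defer cli.Close()
	if _, err := cli.Write([]byte(msg)); err != nil { // Write drives the client handshake
		return "", err
	}
	buf := make([]byte, 512)
	n, err := cli.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() { fmt.Println(Exchange("hello across the overlay")) }
```

The handshake and the application record travel only as messages on the two channels, which is exactly the data a module like Alain's would ship across its overlay and feed back in on the far side.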



RE: Using OpenSSL over a high level peer-to-peer middleware

Rich Salz
In reply to this post by Mouse-2
> > You might also want to look at the "security" in SNMPv3.
>
> Means what?

The security work in SNMPv3 is old and outdated and years behind current
practice.  Some of that is understandable, but even back then we knew
enough to know that raw UDP is almost architecturally flawed.

        /r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
This address will be going away; please use [hidden email]



RE: Using OpenSSL over a high level peer-to-peer middleware

Mouse-2
> The security work in SNMPv3 is old and outdated and years
> behind current practice.  Some of that is understandable, but
> but even back then we knew enough to know that raw UDP is
> almost architecturally flawed.

Not quite on the list topic - but if you were aware of the constraints
placed on SNMP protocol and its security model, you probably wouldn't be so
rash in judgement.

P.S. I'm sure Marshall Rose would love to hear your arguments against UDP.
:-)   And so would DTLS crowd. :-)


Re: Using OpenSSL over a high level peer-to-peer middleware

Johan Stokman
In reply to this post by Alain Damiral
Alain,
One of the nice things about the openssl
implementation is the use of BIOs for communication;
the protocol becomes totally irrelevant. If you could
write a BIO to control white (or grey or black) mice
to carry your data you could implement secure
communications across any road/way/path the mice could
travel (mmm, cats and timeouts would maybe be trouble).
Johan


Core dump with 0.9.7i

David Brock
Hi, I'm trying to upgrade to 0.9.7i (at this time we can't go to 0.9.8).
If I try and connect to a server and the client has a root CA that is
different from the server's, I'm getting the following core dump in the
client code:
#0  0x081adeac in ?? ()
(gdb) up
#1  0x08088692 in BIO_ctrl (b=0x819a548, cmd=7, larg=0, parg=0x0) at
bio_lib.c:324
324             ret=b->method->ctrl(b,cmd,larg,parg);
(gdb) where
#0  0x081adeac in ?? ()
#1  0x08088692 in BIO_ctrl (b=0x819a548, cmd=7, larg=0, parg=0x0) at
bio_lib.c:324
#2  0x0808b20c in buffer_ctrl (b=0x819b268, cmd=7, num=0, ptr=0x0) at
bf_buff.c:432
#3  0x08088692 in BIO_ctrl (b=0x819b268, cmd=7, larg=0, parg=0x0) at
bio_lib.c:324
#4  0x080886bd in BIO_pop (b=0x819b268) at bio_lib.c:398
#5  0x08067a4e in SSL_free (s=0x819ae10) at ssl_lib.c:441

The application is running with non-blocking turned on.
I'm getting the following error:
Error 19:self signed certificate in certificate chain

The code looks something like:
if ((ret = SSL_connect(ssl)) <= 0)
{
    if ( /* check if time out occurred, if so deal with it */ )
    {
        ...
    }
    else
    {
        BIO_free(conn);
        SSL_free(ssl);  /* This frees the underlying connection BIOs */
        connection->conn = NULL;
    }
}



RE: Core dump with 0.9.7i

Martin Del Vecchio
I think SSL_free() also frees the BIO.  I spent a day tracking down a
similar problem.
 
