
List:       openssl-users
Subject:    Re: some VC++ help wanted: can not step into SSL_xxx functions (debug
From:       Modem Man <modem-man () gmx ! net>
Date:       2010-04-25 20:55:08
Message-ID: 4BD4AC2C.4000801 () gmx ! net

Kyle Hamilton wrote:
> 'no peer certificate available' is a different error than 'peer
> certificate did not verify'.  This means that the TLS server is
> running without a certificate.  (TLS and SSL do *not* require servers
> to provide certificates, but they do require that servers must provide
> certificates before they ask for client authentication, else it's a
> protocol error.)
>
> -Kyle H
>   

Thank you for this essential information!
Good to know. Am I right to believe this has to do with
SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, verify_cert_foo );
 /vs./
SSL_CTX_set_verify( ctx, SSL_VERIFY_NONE, verify_cert_foo );
?

In between I added /Zi to CFLAGS (as Mounir said, .\util\pl\VC-32.pl is
the right place)
and after this I rebuilt the whole OpenSSL 1.0.0 suite again.
This made me able to step into SSL_* and to figure out where I used
wrong directory names.

*One more question:* Is it still a good idea to use:
ctx = SSL_CTX_new( SSLv23_method() )
combined with
SSL_CTX_set_options( ctx, (SSL_OP_NO_SSLv2 | SSL_OP_ALL) );
to get SSLv3 + TLSv1 on, but SSLv2=off?
This is often shown for OpenSSL 0.9.x in the books and I used it.


Actually, I get:
*openssl.exe s_client -debug -state -connect 192.168.0.192:21*
Loading 'screen' into random state -CONNECTED(00000774)
write to 0xa626a0 [0xa62700] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 91 a5 45 62   ..............Eb
0060 - 1d cb 55 d0 62 e2 95 b6-4f 41 fe 3c e4 c5 43 d1   ..U.b...OA.<..C.
0070 - 32 d6 04 aa 06 c1 35 00-22 75 3e 09               2.....5."u>.
read from 0xa626a0 [0xa67c60] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
 done
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
5044:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:596:

Maybe I forgot to set the accept/connect direction of SSL before calling
BIO_do_handshake(bio)? (pls. note: bio is a chain of buffer + ssl +
accept_socket, where buffer + accept_socket are already up and running
fine). I did read somewhere some command to set the SSL direction, but I
don't remember it! SSL_state_server/accept() or such? And this is what
gives me some more headache.

But it's pretty late now and this noon I tried a very good red wine
together with my wife, so I think I'll delay further investigations till
tomorrow. Maybe the headache is from the wine? Anyway. If you think my
above dump is easy enough to give me the next hint ... this would be very
kind, again!

have a silent night,
Modem Man
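Added example, not part of the mail and not OpenSSL code: a small Python decoder for the two records in the s_client -debug dump above, so the hex can be read instead of guessed at. The 124 bytes s_client wrote are an SSLv2-format CLIENT-HELLO (2-byte header with the high bit set, message type 1) announcing version 3.1, i.e. TLS 1.0, with 27 three-byte cipher specs, 20 of them SSLv3/TLS suite ids (first byte 00) and 7 SSLv2 cipher kinds (nonzero first byte), followed by a 32-byte challenge; the 7 bytes read back are a TLS 1.0 alert record (content type 21), level 2 fatal, description 40 handshake_failure, which is the same thing the "sslv3 alert handshake failure" line of the trace reports. The byte strings are transcribed from the dump in the mail; the suite and alert name tables are the standard IANA assignments.

```python
"""Decoder for the two records in the s_client -debug dump (added example)."""
import struct

# Constructed from the hex columns of the dump in the mail: 124 bytes written
# by s_client, then 7 bytes read back from 192.168.0.192:21.
CLIENT_HELLO = bytes.fromhex(
    "80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00 "
    "38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 "
    "00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 "
    "00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00 "
    "12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 "
    "00 00 06 04 00 80 00 00 03 02 00 80 91 a5 45 62 "
    "1d cb 55 d0 62 e2 95 b6 4f 41 fe 3c e4 c5 43 d1 "
    "32 d6 04 aa 06 c1 35 00 22 75 3e 09"
)
SERVER_REPLY = bytes.fromhex("15 03 01 00 02 02 28")

# A few IANA suite ids for readability; anything else is reported as hex.
TLS_SUITE_NAMES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    80: "internal_error",
}


def parse_v2_client_hello(rec):
    """Parse an SSLv2-format CLIENT-HELLO (what SSLv23_method sends while
    SSLv2 compatibility is still allowed). Returns a dict of its fields."""
    header = struct.unpack(">H", rec[:2])[0]
    if not header & 0x8000:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = header & 0x7FFF
    body = rec[2:2 + length]
    if len(body) != length or len(rec) != 2 + length:
        raise ValueError("record length does not match the data")
    if body[0] != 1:
        raise ValueError("message type %d is not CLIENT-HELLO" % body[0])
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("inconsistent field lengths")
    specs = body[9:9 + cs_len]
    tls_suites, ssl2_kinds = [], []
    for i in range(0, cs_len, 3):
        k = specs[i:i + 3]
        if k[0] == 0:            # 00 xx yy: an SSLv3/TLS cipher suite id
            tls_suites.append((k[1] << 8) | k[2])
        else:                    # nonzero first byte: an SSLv2 cipher kind
            ssl2_kinds.append(k.hex())
    return {
        "version": (major, minor),
        "tls_suites": tls_suites,
        "ssl2_kinds": ssl2_kinds,
        "session_id_len": sid_len,
        "challenge_len": ch_len,
    }


def parse_tls_record(rec):
    """Parse one SSLv3/TLS record header and, for alerts, the alert body."""
    ctype, major, minor, length = struct.unpack(">BBBH", rec[:5])
    payload = rec[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    out = {"content_type": ctype, "version": (major, minor), "length": length}
    if ctype == 21 and length == 2:  # alert: level byte + description byte
        out["alert_level"] = ALERT_LEVELS.get(payload[0], str(payload[0]))
        out["alert_description"] = ALERT_DESCRIPTIONS.get(
            payload[1], "unknown(%d)" % payload[1])
    return out


def summarize(hello, reply):
    """Human-readable lines for the two parsed records."""
    lines = ["client: SSLv2-format CLIENT-HELLO, highest version %d.%d, "
             "%d TLS suites, %d SSLv2 cipher kinds, %d-byte challenge"
             % (hello["version"] + (len(hello["tls_suites"]),
                                    len(hello["ssl2_kinds"]),
                                    hello["challenge_len"]))]
    for s in hello["tls_suites"]:
        lines.append("  offered %s" % TLS_SUITE_NAMES.get(s, "0x%04x" % s))
    for k in hello["ssl2_kinds"]:
        lines.append("  offered SSLv2 kind %s" % k)
    if "alert_description" in reply:
        lines.append("server: TLS %d.%d alert, %s %s" % (
            reply["version"] + (reply["alert_level"],
                                reply["alert_description"])))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_v2_client_hello(CLIENT_HELLO),
                              parse_tls_record(SERVER_REPLY))))
```

The decoder only shows what went over the wire; it cannot say why the server answered with handshake_failure. Two things it does make visible: this s_client run still offered SSLv2 cipher kinds, so SSLv2 was not excluded on the client side here, and the server did speak TLS 1.0 record framing back, so the failure happened inside the handshake rather than at the transport. On the direction question in the mail, as a general fact about the OpenSSL API and not something the dump shows: an SSL object used through BIO_do_handshake() gets its direction from SSL_set_accept_state() or SSL_set_connect_state(), and the client flag of BIO_new_ssl() sets the same thing for an SSL BIO.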



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
