1 #### Programming with OpenSSL
3 * Is OpenSSL thread-safe?
5 Yes but with some limitations; for example, an SSL connection
6 cannot be used concurrently by multiple threads. This is true for
9 For version 1.1.0 and later, there is nothing further you need do.
11 For earlier versions than 1.1.0, it is necessary for your
12 application to set up the thread callback functions. To do this,
13 your application must call CRYPTO_set_locking_callback(3) and one of
14 the CRYPTO_THREADID_set... API's. See the OpenSSL threads manpage for
15 details and "note on multi-threading" in the INSTALL file in the source
18 * My code gets "undefined structure" or "unknown size" when building
21 In 1.1.0 we made most of the structures opaque. This means that you can
22 no longer access the fields directly, but must use settor and accessor
23 functions. You can also no longer have direct instances of the objects,
24 but can only use pointers to them.
25 For example, the first line below is wrong; the second is correct:
30 * I've compiled a program under Windows and it crashes: why?
32 This is usually because you've missed the comment in INSTALL.W32.
33 Your application must link against the same version of the Win32
34 C-Runtime against which your openssl libraries were linked. The
35 default version for OpenSSL is /MD - "Multithreaded DLL".
37 If you are using Microsoft Visual C++'s IDE (Visual Studio), in
38 many cases, your new project most likely defaulted to "Debug
39 Singlethreaded" - /ML. This is NOT interchangeable with /MD and your
40 program will crash, typically on the first BIO related read or write
43 For each of the six possible link stage configurations within Win32,
44 your application must link against the same by which OpenSSL was
45 built. If you are using MS Visual C++ (Studio) this can be changed
48 1. Select Settings... from the Project Menu.
49 2. Select the C/C++ Tab.
50 3. Select "Code Generation from the "Category" drop down list box
51 4. Select the Appropriate library (see table below) from the "Use
52 run-time library" drop down list box. Perform this step for both
53 your debug and release versions of your application (look at the
54 top left of the settings panel to change between the two)
56 Single Threaded /ML - MS VC++ often defaults to
58 version of a new project.
59 Debug Single Threaded /MLd - MS VC++ often defaults to
60 this for the debug version
63 Debug Multithreaded /MTd
64 Multithreaded DLL /MD - OpenSSL defaults to this.
65 Debug Multithreaded DLL /MDd
67 Note that debug and release libraries are NOT interchangeable. If you
68 built OpenSSL with /MD your application must use /MD and cannot use /MDd.
70 As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
71 .DLLs compiled with some specific run-time option [we insist on the
72 default /MD] can be deployed with application compiled with different
73 option or even different compiler. But there is a catch! Instead of
74 re-compiling OpenSSL toolkit, as you would have to with prior versions,
75 you have to compile small C snippet with compiler and/or options of
76 your choice. The snippet gets installed as
77 <install-root>/include/openssl/applink.c and should be either added to
78 your application project or simply #include-d in one [and only one]
79 of your application source files. Failure to link this shim module
80 into your application manifests itself as fatal "no OPENSSL_Applink"
81 run-time error. An explicit reminder is due that in this situation
82 [mixing compiler options] it is as important to add CRYPTO_malloc_init
83 prior first call to OpenSSL.
85 * How do I read or write a DER encoded buffer using the ASN1 functions?
87 You have two options. You can either use a memory BIO in conjunction
88 with the i2d_*_bio() or d2i_*_bio() functions or you can use the
89 i2d_*(), d2i_*() functions directly. Since these are often the
90 cause of grief here are some code fragments using PKCS7 as an example:
92 unsigned char *buf, *p;
93 int len = i2d_PKCS7(p7, NULL);
95 buf = OPENSSL_malloc(len); /* error checking omitted */
99 At this point buf contains the len bytes of the DER encoding of p7.
101 The opposite assumes we already have len bytes in buf:
103 unsigned char *p = buf;
105 p7 = d2i_PKCS7(NULL, &p, len);
107 At this point p7 contains a valid PKCS7 structure or NULL if an error
108 occurred. If an error occurred ERR_print_errors(bio) should give more
111 The reason for the temporary variable 'p' is that the ASN1 functions
112 increment the passed pointer so it is ready to read or write the next
113 structure. This is often a cause of problems: without the temporary
114 variable the buffer pointer is changed to point just after the data
115 that has been read or written. This may well be uninitialized data
116 and attempts to free the buffer will have unpredictable results
117 because it no longer points to the same address.
119 Memory allocation and encoding can also be combined in a single
120 operation by the ASN1 routines:
122 unsigned char *buf = NULL;
123 int len = i2d_PKCS7(p7, &buf);
128 /* Do some things with 'buf' */
130 /* Finished with buf: free it */
133 In this special case the "buf" parameter is *not* incremented, it points
134 to the start of the encoding.
136 * OpenSSL uses DER but I need BER format: does OpenSSL support BER?
138 The short answer is yes, because DER is a special case of BER and OpenSSL
139 ASN1 decoders can process BER.
141 The longer answer is that ASN1 structures can be encoded in a number of
142 different ways. One set of ways is the Basic Encoding Rules (BER) with
143 various permissible encodings. A restriction of BER is the Distinguished
144 Encoding Rules (DER): these uniquely specify how a given structure is
147 Therefore, because DER is a special case of BER, DER is an acceptable encoding
150 * The encoding for GeneralName is wrong; why is the SEQUENCE tag missing?
152 In RFC 5280 GeneralName is defined in the module in Appendix A.2, and that
153 module specifies the use of IMPLICIT tagging. This means that there is not an
154 explicit SEQUENCE (30) tag following the A0 tag (you just know from the ASN.1
155 that what follows the A1 tag is a SEQUENCE). This is in contrast to the value
156 field within OtherName (test@kerberose-domain.internal), where the tag for
157 UTF8String (0C) follows the A0 tag, since EXPLICIT tagging is specified for
158 that particular field.
160 You will notice the same thing if you look at other choices within
161 GeneralName. If you look at the DNS names encoded in the subjectAltName
162 extension, the 82 tag (corresponding to [2]) is not followed by a tag for
163 IA5String (22). It is not needed since the ASN.1 indicates that what follows
164 the 82 tag is an IA5String. However, if the module specified EXPLICIT
165 encoding, then there would be a 16 tag after the 82 tag.
167 (Thanks to David Cooper for this text.)
169 * I tried to set a cipher list with a valid cipher, but the call fails, why?
171 OpenSSL 1.1.0 introduced the concept of a “security level”, allowing
172 for a configuration to be made more secure by excluding algorithms
173 and key sizes that are known to be flawed or susceptible to brute force at
174 a given level of work. SSL_CTX_set_security_level(3) can be used to
175 programmatically set a security level, or the keyword "@SECLEVEL=N" can
176 be used in a TLS cipher string, for values of N from 0 to 5 (inclusive).
177 The default is level 1, which excludes MD5 as the MAC and algorithms
178 with less than 80 bits of security. A value of 0 can be used, with appropriate
179 caution, to produce behavior compatible with previous versions of OpenSSL
180 (to the extent possible), but this is not recommended for general usage.
182 * I've called <some function> and it fails, why?
184 Before submitting a report or asking in one of the mailing lists, you
185 should try to determine the cause. In particular, you should call
186 ERR_print_errors(3) or ERR_print_errors_fp(3) after the failed call
187 and see if the message helps. Note that the problem may occur earlier
188 than you think -- you should check for errors after every call where
189 it is possible, otherwise the actual problem may be hidden because
190 some OpenSSL functions clear the error state.
192 * I just get a load of numbers for the error output, what do they mean?
194 The actual format is described in the ERR_print_errors(3) manual page.
195 You should call the function ERR_load_crypto_strings(3) before hand and
196 the message will be output in text form. If you can't do this (for example
197 it is a pre-compiled binary) you can use the errstr(1) utility on the error
198 code itself (the hex digits after the second colon).
200 * Why do I get errors about unknown algorithms?
202 The cause is forgetting to load OpenSSL's table of algorithms with
203 OpenSSL_add_all_algorithms(3). See the manual page for more information. This
204 can cause several problems such as being unable to read in an encrypted
205 PEM file, unable to decrypt a PKCS12 file or signature failure when
206 verifying certificates.
208 * Why can't the OpenSSH configure script detect OpenSSL?
210 Several reasons for problems with the automatic detection exist.
211 OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
212 Sometimes the distribution has installed an older version in the system
213 locations that is detected instead of a new one installed. The OpenSSL
214 library might have been compiled for another CPU or another mode (32/64 bits).
215 Permissions might be wrong.
217 The general answer is to check the config.log file generated when running
218 the OpenSSH configure script. It should contain the detailed information
219 on why the OpenSSL library was not detected or considered incompatible.
221 * Can I use OpenSSL's SSL library with non-blocking I/O?
223 Yes; make sure to read the SSL_get_error(3) manual page!
225 A pitfall to avoid: Don't assume that SSL_read(3) will just read from
226 the underlying transport or that SSL_write(3) will just write to it --
227 it is also possible that SSL_write(3) cannot do any useful work until
228 there is data to read, or that SSL_read(3) cannot do anything until it
229 is possible to send data. One reason for this is that the peer may
230 request a new TLS/SSL handshake at any time during the protocol,
231 requiring a bi-directional message exchange; both SSL_read(3) and
232 SSL_write(3) will try to continue any pending handshake.
234 * Why doesn't my server application receive a client certificate?
236 Due to the TLS protocol definition, a client will only send a certificate,
237 if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
238 SSL_CTX_set_verify(3) function to enable the use of client certificates.
240 * I think I've detected a memory leak, is this a bug?
242 In most cases the cause of an apparent memory leak is an OpenSSL internal table
243 that is allocated when an application starts up. Since such tables do not grow
244 in size over time they are harmless.
246 Starting with OpenSSL 1.1.0, everything should be cleaned up on exit (or
247 when the shared library unloads). If not, please find out what resource is
248 leaked and report an issue. In previous releases, internal tables can be
249 freed up when an application closes using various
250 functions. Currently these include following:
252 Thread-local cleanup functions include ERR_remove_state(3).
253 Application-global cleanup functions that are aware of usage (and therefore
254 thread-safe) include ENGINE_cleanup(3) and CONF_modules_unload(3).
255 "Brutal" (thread-unsafe) Application-global cleanup functions include:
256 ERR_free_strings(3), EVP_cleanup(3) and CRYPTO_cleanup_all_ex_data(3).
258 * Why doesn't a memory BIO work when a file does?
260 This can occur in several cases for example reading an S/MIME email message.
261 The reason is that a memory BIO can do one of two things when all the data
262 has been read from it.
264 The default behaviour is to indicate that no more data is available and that
265 the call should be retried, this is to allow the application to fill up the BIO
268 Alternatively it can indicate that no more data is available and that EOF has
271 If a memory BIO is to behave in the same way as a file this second behaviour
272 is needed. This must be done by calling:
274 BIO_set_mem_eof_return(bio, 0);
276 See the manual pages for more details.
278 * Where are the declarations and implementations of d2i_X509(3) etc?
280 These are defined and implemented by macros of the form:
282 DECLARE_ASN1_FUNCTIONS(X509) and
283 IMPLEMENT_ASN1_FUNCTIONS(X509)
285 The implementation passes an ASN1 "template" defining the structure into an
286 ASN1 interpreter using generalised functions such as ASN1_item_d2i(3).
288 * When debugging I observe SIGILL during OpenSSL initialization: why?
290 OpenSSL adapts to processor it executes on and for this reason has to
291 query its capabilities. Unfortunately on some processors the only way
292 to achieve this for non-privileged code is to attempt instructions
293 that can cause Illegal Instruction exceptions. The initialization
294 procedure is coded to handle these exceptions to manipulate corresponding
295 bits in capabilities vector. This normally appears transparent, except
296 when you execute it under debugger, which stops prior delivering signal
297 to handler. Simply resuming execution does the trick, but when debugging
298 a lot it might feel counterproductive. Two options. Either set explicit
299 capability environment variable in order to bypass the capability query
300 (see corresponding crypto/*cap.c for details). Or configure debugger not
301 to stop upon SIGILL exception, e.g. in gdb case add 'handle SIGILL nostop'