[openssl-users] openssl-users Digest, Vol 43, Issue 16

NATAWUT SUKRAT jackinter101 at gmail.com
Wed Jun 13 05:56:03 UTC 2018


No.

NATAWUT SUKRAT @jack

On Wed, 13 Jun 2018 at 12:51, <openssl-users-request at openssl.org> wrote:

> Today's Topics:
>
>    1. OpenSSL Security Advisory (OpenSSL)
>    2. Re: OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?
>       (Matt Caswell)
>    3. Re: 2 openssl installed? (Jan Just Keijser)
>    4. Re: Advantech openssl compatibility issue (Brian.Chou)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 12 Jun 2018 10:18:03 +0000
> From: OpenSSL <openssl at openssl.org>
> To: openssl-project at openssl.org, OpenSSL User Support ML
>         <openssl-users at openssl.org>, OpenSSL Announce ML
>         <openssl-announce at openssl.org>
> Subject: [openssl-users] OpenSSL Security Advisory
> Message-ID: <20180612101803.GA31999 at openssl.org>
> Content-Type: text/plain; charset=us-ascii
>
> OpenSSL Security Advisory [12 June 2018]
> ========================================
>
> Client DoS due to large DH parameter (CVE-2018-0732)
> ====================================================
>
> Severity: Low
>
> During key agreement in a TLS handshake using a DH(E) based ciphersuite a
> malicious server can send a very large prime value to the client. This will
> cause the client to spend an unreasonably long period of time generating a key
> for this prime resulting in a hang until the client has finished. This could be
> exploited in a Denial Of Service attack.
>
> Due to the low severity of this issue we are not issuing a new release of
> OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
> and OpenSSL 1.0.2p when they become available. The fix is also available in
> commit ea7abeeab (for 1.1.0) and commit 3984ef0b7 (for 1.0.2) in the OpenSSL git
> repository.
>
> This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken who also
> developed the fix.
>
> References
> ==========
>
> URL for this Security Advisory:
> https://www.openssl.org/news/secadv/20180612.txt
>
> Note: the online version of the advisory may be updated with additional details
> over time.
>
> For details of OpenSSL severity classifications please see:
> https://www.openssl.org/policies/secpolicy.html
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 12 Jun 2018 11:32:21 +0100
> From: Matt Caswell <matt at openssl.org>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] OpenSSL 1.1.0: How to get X509_STORE from
>         X509_LOOKUP?
> Message-ID: <3766b295-2914-b3a1-a259-0d9a81a2548f at openssl.org>
> Content-Type: text/plain; charset=utf-8
>
>
>
> On 12/06/18 10:58, Stephan Mühlstrasser wrote:
> > In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"
> > member of the X509_LOOKUP structure was directly accessible. But in
> > OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can
> > see there is no API function available that would retrieve the
> > X509_STORE pointer from a X509_LOOKUP pointer.
> >
> > Is this intentional, or was this an omission when making the X509_LOOKUP
> > structure opaque in OpenSSL 1.1.0?
>
> It was an omission that is fixed in the latest dev version of OpenSSL
> 1.1.0. See this commit:
>
>
> https://github.com/openssl/openssl/commit/6912debb881e669f7a7fb621588e20347111c4f0
>
> This will be in 1.1.0i when it gets released (no release date as yet).
>
> Matt
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 12 Jun 2018 18:30:08 +0200
> From: Jan Just Keijser <janjust at nikhef.nl>
> To: openssl-users at openssl.org, Sampei <sampei02 at tiscali.it>
> Subject: Re: [openssl-users] 2 openssl installed?
> Message-ID: <a983eb13-92a8-f054-dfac-0c881ad8d64d at nikhef.nl>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi,
>
> On 07/06/18 06:14, Sampei wrote:
> >
> > It's a server installed many many years ago and there are applications
> > which are not used.
> > Server is too late and I have new server (latest Centos 6) for
> > migrating where I installed latest version.
> > I'd like to take to new server all certificate database (certificated
> > included) which I created.
> > Openssl is only tool to create test certificates.
> > I don't know if there are apps which are using the e configs, but I
> > think no.
> >
> this has little to do with OpenSSL itself and more with PKI management.
> Basically, your problem seems to be that you have an older server and
> you don't know where the certificates and private keys (i.e. the PKI)
> were stored. What you need to do, is find out where the certificates are
> held, together with the index.txt file. In order to do so, you could use
> something like
>    find / -name '*.pem'
> or
>    find / -name index.txt
> and check all directories where such files are found. This will be a
> lengthy process, as the find command has to traverse the entire filesystem.
>
> good luck,
>
> JJK
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 13 Jun 2018 05:40:01 +0000
> From: Brian.Chou <Brian.Chou at advantech.com.tw>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Cc: "Brian.Ng" <brian.ng at advantech.com>, "Mojo.Huang"
>         <Mojo.Huang at advantech.com.tw>
> Subject: Re: [openssl-users] Advantech openssl compatibility issue
> Message-ID: <ea8de7a39ca24fd9bb6db14301d15d19 at taipei08.ADVANTECH.CORP>
> Content-Type: text/plain; charset="us-ascii"
>
> Subscribe and send again.
>
> From: Brian.Chou
> Sent: Wednesday, June 13, 2018 1:21 PM
> To: 'openssl-users at openssl.org'
> Cc: Brian.Ng; Mojo.Huang
> Subject: Advantech openssl compatibility issue
>
> Dear support team
>
>   We met openssl crash issue on our Intel Atom C3000 SoC platform.
> Openssl crashes when run "s_client -connect IP:Port" command.
> In win10 event viewer it shows "Faulting module name:LIBEAY32.dll,
> version:1.0.2.8......". (Figure 1)
> The issue only happened to "1.0.2h" or older version. (Table 1)
> And other CPU/Chipset on our side can work normally with same command.
> Can you help to explain what changes are made between "1.0.2h" and
> "1.0.2i" that may cause this issue?
> Please let me know if you need more info, thank you.
>
> Note: We found similar issue by google, not sure if it's related. (
> https://forum.filezilla-project.org/viewtopic.php?f=6&t=32837&sid=14d3d99cb60f1a6867d16aba89403015
> )
>
> Table 1. Test under Winsvr 2016/Win10
>
> Openssl version | Connect by "s_client -connect IP:Port"
> --------------- | --------------------------------------
> 1.0.2g          | Fail
> 1.0.2h          | Fail
> 1.0.2i          | Pass
> 1.0.2o          | Pass
> 1.0.0d          | Pass
>
>
> Figure 1 [image not included]
>
> Best regards,
> Brian Chou
> Application Engineering of Industrial IoT Group
> Advantech Co., Ltd.
> Tel: 886-2-2792-7818 ext,1431
> e-mail: Brian.Chou at advantech.com.tw
>
>
>
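
The client-side guard implied by the CVE-2018-0732 advisory quoted above, as an added example (not OpenSSL's code and not the fix referenced in the advisory): it walks a TLS ServerDHParams structure and rejects an oversized dh_p before any key generation. The 10000-bit cap and the names check_dh_params and build_sample are assumptions of this example, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DH_PRIME_BITS 10000u   /* assumed cap for this example */
enum { DH_OK = 0, DH_TRUNCATED = -1, DH_EMPTY = -2, DH_TOO_LARGE = -3 };

/* Bit length of a big-endian integer, ignoring leading zero bytes. */
static size_t be_bit_length(const uint8_t *p, size_t len)
{
    while (len > 0 && *p == 0) { p++; len--; }
    size_t bits = len * 8;
    for (unsigned m = 0x80; len > 0 && !(*p & m); m >>= 1) bits--;
    return bits;
}

/* Walk ServerDHParams (dh_p, dh_g, dh_Ys: each a 2-byte length plus data) and
 * size-check dh_p before key generation. *p_bits is set once all fields parse. */
int check_dh_params(const uint8_t *msg, size_t len, size_t *p_bits)
{
    size_t off = 0, p_off = 0, p_len = 0;
    for (int field = 0; field < 3; field++) {
        if (len - off < 2) return DH_TRUNCATED;
        size_t n = ((size_t)msg[off] << 8) | msg[off + 1];
        if (n == 0) return DH_EMPTY;
        if (len - (off + 2) < n) return DH_TRUNCATED;
        if (field == 0) { p_off = off + 2; p_len = n; }
        off += 2 + n;
    }
    *p_bits = be_bit_length(msg + p_off, p_len);
    return *p_bits == 0 ? DH_EMPTY : *p_bits > MAX_DH_PRIME_BITS ? DH_TOO_LARGE : DH_OK;
}

/* Constructed sample: p_len bytes of 0xFF as dh_p, then g = 2 and Ys = 5. */
size_t build_sample(uint8_t *buf, size_t p_len)
{
    buf[0] = (uint8_t)(p_len >> 8); buf[1] = (uint8_t)p_len;
    memset(buf + 2, 0xFF, p_len);
    memcpy(buf + 2 + p_len, "\x00\x01\x02\x00\x01\x05", 6);
    return p_len + 8;
}

int main(void)
{
    static uint8_t buf[8200];
    size_t bits, sizes[] = { 256, 8192 };  /* 2048-bit and 65536-bit dh_p */
    for (int i = 0; i < 2; i++)
        printf("%zu-byte dh_p -> rc %d\n", sizes[i],
               check_dh_params(buf, build_sample(buf, sizes[i]), &bits));
}
```

The bit length is taken after stripping leading zero bytes, so a padded encoding of a small prime is not mistaken for a large one.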