<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<blockquote>
<blockquote type="cite">
<pre wrap="">Added a define in include/openssl/ssl.h:
# define SSL_TXT_MYCIPHER "MYCIPHER"
Integrated into ssl/s3_lib.c:
static SSL_CIPHER ssl3_ciphers[] = {
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_MYCIPHER,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
64,
64,
},
</pre>
</blockquote>
<pre wrap="">>That's a pretty small number of bits. Do you really mean it to be only 64?
>
>Does your ciphersuite show up with cipher -s?
>
>It's possible it is being rejected because it has insufficient security. If
>the number of bits is really 64 you could try dropping the security level to
>0 to allow it.
>
>If that doesn't help enable trace support with enable-ssl-trace and then try
>the -trace command to s_client/s_server and see if the new ciphersuite is
>sent in ClientHello
>
>Steve.
>--
>Dr Stephen N. Henson. OpenSSL project core developer.
>Commercial tech support now available see: <a class="moz-txt-link-freetext" href="http://www.openssl.org">http://www.openssl.org</a>
</pre>
</blockquote>
After some debugging (exactly as mentioned above) it appears that the cipher suite does not show up in the ClientHello using the s_client/s_server. I modified the cipher for testing to use 512 bits instead of 64 so that it is ranked highest.<br>
<br>
Error server side:<br>
SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1979<br>
<br>
Error Client side:<br>
SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1469:SSL alert number 80<br>
<br>
Any idea why the cipher would appear under the list of supported tls1.2 ciphers, yet it does not appear under the ClientHello even if specified with the -cipher option?<br>
<br>
Thank you for any leads!<br>
Rob <br>
<br>
<br>
<div class="moz-cite-prefix">On 4/12/17 8:06 AM, <a class="moz-txt-link-abbreviated" href="mailto:openssl-users-request@openssl.org">
openssl-users-request@openssl.org</a> wrote:<br>
</div>
<blockquote type="cite" cite="mid:mailman.418.1491998781.2156.openssl-users@openssl.org">
<pre wrap="">Send openssl-users mailing list submissions to
<a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>
To subscribe or unsubscribe via the World Wide Web, visit
<a class="moz-txt-link-freetext" href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a>
or, via email, send a message with subject or body 'help' to
<a class="moz-txt-link-abbreviated" href="mailto:openssl-users-request@openssl.org">openssl-users-request@openssl.org</a>
You can reach the person managing the list at
<a class="moz-txt-link-abbreviated" href="mailto:openssl-users-owner@openssl.org">openssl-users-owner@openssl.org</a>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."
Today's Topics:
1. Re: Integrating New Cipher Suite (Dr. Stephen Henson)
2. Re: RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS (Davy Souza)
3. Escaped Issuer/Subject (<a class="moz-txt-link-abbreviated" href="mailto:c.holper@ades.at">c.holper@ades.at</a>)
4. Multithreading: Global locks causing bottleneck in parallel
SSL_write calls (dipakgaigole)
----------------------------------------------------------------------
Message: 1
Date: Tue, 11 Apr 2017 18:54:09 +0000
From: "Dr. Stephen Henson" <a class="moz-txt-link-rfc2396E" href="mailto:steve@openssl.org"><steve@openssl.org></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>
Subject: Re: [openssl-users] Integrating New Cipher Suite
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20170411185409.GA23595@openssl.org"><20170411185409.GA23595@openssl.org></a>
Content-Type: text/plain; charset=us-ascii
On Tue, Apr 11, 2017, Schmicker, Robert wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Added a define in include/openssl/ssl.h:
# define SSL_TXT_MYCIPHER "MYCIPHER"
Integrated into ssl/s3_lib.c:
static SSL_CIPHER ssl3_ciphers[] = {
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_MYCIPHER_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_MYCIPHER,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
64,
64,
},
</pre>
</blockquote>
<pre wrap="">
That's a pretty small number of bits. Do you really mean it to be only 64?
Does your ciphersuite show up with cipher -s?
It's possible it is being rejected because it has insufficient security. If
the number of bits is really 64 you could try dropping the security level to
0 to allow it.
If that doesn't help enable trace support with enable-ssl-trace and then try
the -trace command to s_client/s_server and see if the new ciphersuite is
sent in ClientHello
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: <a class="moz-txt-link-freetext" href="http://www.openssl.org">http://www.openssl.org</a>
------------------------------
Message: 2
Date: Tue, 11 Apr 2017 12:50:29 +0000
From: Davy Souza <a class="moz-txt-link-rfc2396E" href="mailto:davy.souza@outlook.com"><davy.souza@outlook.com></a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org">"openssl-users@openssl.org"</a> <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a>
Subject: Re: [openssl-users] RSA PKCS1 v2.1 - Multi-primes and
RSASSA-PSS
Message-ID:
<a class="moz-txt-link-rfc2396E" href="mailto:CP2P152MB179454491F9BCC350F89E1FB8A000@CP2P152MB1794.LAMP152.PROD.OUTLOOK.COM"><CP2P152MB179454491F9BCC350F89E1FB8A000@CP2P152MB1794.LAMP152.PROD.OUTLOOK.COM></a>
Content-Type: text/plain; charset="iso-8859-1"
</pre>
<blockquote type="cite">
<pre wrap="">In what context do you want to use it? For example CMS, certificates, TLS,
general application code or via the command line?
</pre>
</blockquote>
<pre wrap="">
It's a C++ embedded application for a POS. One requirement is to use PKCS#1 v2.1 for RSA functions.
Davy Alves de Souza
Computer Scientist
Federal University of São Carlos, Sorocaba / SP - Brazil
________________________________
From: openssl-users <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a> on behalf of Dr. Stephen Henson <a class="moz-txt-link-rfc2396E" href="mailto:steve@openssl.org"><steve@openssl.org></a>
Sent: Monday, April 10, 2017 10:46:26
To: <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>
Subject: Re: [openssl-users] RSA PKCS1 v2.1 - Multi-primes and RSASSA-PSS
On Wed, Apr 05, 2017, Davy Souza wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
I'm using RSA, but I need to know if OpenSSL RSA implements PKCS#1 v2.1. I have the following questions:
1) Does OpenSSL support multi-prime?
</pre>
</blockquote>
<pre wrap="">
No.
</pre>
<blockquote type="cite">
<pre wrap=""> 2) Does OpenSSL support RSASSA-PSS?
</pre>
</blockquote>
<pre wrap="">
Yes.
</pre>
<blockquote type="cite">
<pre wrap=""> 3) If so, how can I use it?
</pre>
</blockquote>
<pre wrap="">
In what context do you want to use it? For example CMS, certificates, TLS,
general application code or via the command line?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: <a class="moz-txt-link-freetext" href="http://www.openssl.org">http://www.openssl.org</a>
------------------------------
Message: 3
Date: Wed, 12 Apr 2017 06:47:25 +0200
From: <a class="moz-txt-link-rfc2396E" href="mailto:c.holper@ades.at">"c.holper@ades.at"</a> <a class="moz-txt-link-rfc2396E" href="mailto:c.holper@ades.at"><c.holper@ades.at></a>
To: <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>
Subject: [openssl-users] Escaped Issuer/Subject
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:614474ba-574f-1df9-134a-91fa8c3eac1f@ades.at"><614474ba-574f-1df9-134a-91fa8c3eac1f@ades.at></a>
Content-Type: text/plain; charset=utf-8; format=flowed
I thought about escaping regarding DN itself (LDAP DN).
<a class="moz-txt-link-freetext" href="https://www.ietf.org/rfc/rfc4514.txt">https://www.ietf.org/rfc/rfc4514.txt</a>
<a class="moz-txt-link-freetext" href="https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzahy/rzahyunderdn.htm">https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzahy/rzahyunderdn.htm</a>
<a class="moz-txt-link-freetext" href="https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx">https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx</a>
Best regards
------------------------------
Message: 4
Date: 12 Apr 2017 10:54:28 -0000
From: "dipakgaigole" <a class="moz-txt-link-rfc2396E" href="mailto:dipakgaigole@rediffmail.com"><dipakgaigole@rediffmail.com></a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a>
Subject: [openssl-users] Multithreading: Global locks causing
bottleneck in parallel SSL_write calls
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:20170412105428.2021.qmail@f4mail-235-235.rediffmail.com"><20170412105428.2021.qmail@f4mail-235-235.rediffmail.com></a>
Content-Type: text/plain; charset="utf-8"
Hi,

I have a Windows multi-threaded SSL server application which handles each client request in a new thread. The server handles different types of requests. One of the request types is “send file”, where the server thread has to read a file from the local filesystem and send the content to the client.

Server configuration:
FIPS: Enabled
SSL Protocol: TLSv1.2
Cipher: AES256-SHA

It was observed that as the thread parallelism increases, the throughput decreases.
To profile the server, I recompiled the OpenSSL and FIPS sources with debug symbol information. When run under the statistical profiler “verysleepy” (<a class="moz-txt-link-freetext" href="http://www.codersnotes.com/sleepy">http://www.codersnotes.com/sleepy</a>), it points out the stack below (hotspot), which was consuming most of the time.

###################################
WaitForSingleObjectEx  KERNELBASE  [unknown]  0  0x7fefd2610dc
CRYPTO_lock            LIBEAY64    c:\openssl_src\openssl-1.0.2f\crypto\cryptlib.c  597  0xfb0bb26
FIPS_lock              LIBEAY64    c:\fips_src\openssl-fips-2.0.10\fips\utl\fips_lck.c  69  0xfceb291
fips_drbg_bytes        LIBEAY64    c:\fips_src\openssl-fips-2.0.10\fips\rand\fips_drbg_rand.c  86  0xfcfe868
RAND_bytes             LIBEAY64    c:\openssl_src\openssl-1.0.2f\crypto\rand\rand_lib.c  159  0xfc0dbe5
tls1_enc               SSLEAY64    c:\openssl_src\openssl-1.0.2f\ssl\t1_enc.c  786  0x3b6675c
do_ssl3_write          SSLEAY64    c:\openssl_src\openssl-1.0.2f\ssl\s3_pkt.c  1042  0x3b4c336
ssl3_write_bytes       SSLEAY64    c:\openssl_src\openssl-1.0.2f\ssl\s3_pkt.c  830  0x3b4badd
ssl3_write             SSLEAY64    c:\openssl_src\openssl-1.0.2f\ssl\s3_lib.c  4404  0x3b4796c
SSL_write              SSLEAY64    c:\openssl_src\openssl-1.0.2f\ssl\ssl_lib.c  1047  0x3b7a3e4
###################################

To check if this behavior can be seen outside of our code, I wrote a standalone multi-threaded SSL server which performs the same task as “send file”. Profiling of the standalone server also points to a similar stack, so I was able to reproduce this behavior in a standalone program.
File size used: 340 MB

To find out how the bottleneck varies with increasing parallel thread count in the standalone SSL server program, I analyzed one thread's behavior with different parallelism, and here are the results:

######################
“Parallel thread count” -> “% of time spent waiting for global lock”
1 -> 1 %
2 -> 2 %
5 -> 5 %
10 -> 40 %
15 -> 46 %
20 -> 65 %
25 -> 68 %
30 -> 70 %
######################

After digging into the FIPS code, I found that there is a global lock around the random number generation code, which is causing the bottleneck when multiple threads want to perform SSL_write operations in parallel.
Code snippet from fips/rand/fips_drbg_rand.c:

######################
/* Since we only have one global PRNG used at any time in OpenSSL use a global
 * variable to store context.
 */
static DRBG_CTX ossl_dctx;
….
….
static int fips_drbg_bytes(unsigned char *out, int count)
{
    DRBG_CTX *dctx = &ossl_dctx;
    int rv = 0;
    unsigned char *adin = NULL;
    size_t adinlen = 0;
    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
    ….
    ….
    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
######################

As the comment from fips_drbg_rand.c says, do we really need to have one global PRNG at any time in OpenSSL? Does anyone have any suggestions about how starvation (due to the global locks) of parallel SSL_write can be reduced?
Any suggestions are welcome :)

Thanks,
Dipak
------------------------------
End of openssl-users Digest, Vol 29, Issue 13
*********************************************
</pre>
</blockquote>
<br>
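The security-level check Steve raises and Rob's 512-bit retest, worked through as an added example (a simplified model written for this page, not OpenSSL source code and not from the thread). The names struct suite, clienthello_filter and highest_level_allowed are hypothetical; the per-level minimum bits are the ones documented for SSL_CTX_set_security_level(), and only the strength-bits and protocol-version filters are modelled.

```c
#include <stdio.h>

/* TLS protocol version numbers as they appear on the wire. */
enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };
/* Hypothetical struct: only the table fields this check needs. */
struct suite { const char *name; int min_tls, max_tls, strength_bits; };

enum verdict { OFFERED, BELOW_SECURITY_LEVEL, OUTSIDE_VERSION_RANGE };

/* Minimum security bits for levels 1..5 as documented for
 * SSL_CTX_set_security_level(); level 0 permits everything. */
static int min_bits_for_level(int level)
{
    static const int minbits[5] = { 80, 112, 128, 192, 256 };
    if (level <= 0) return 0;
    if (level > 5) level = 5;
    return minbits[level - 1];
}

/* Does the suite pass the version and bits filters for a client whose
 * enabled protocol range is [min_ver, max_ver]? */
static enum verdict clienthello_filter(const struct suite *c, int level,
                                       int min_ver, int max_ver)
{
    if (c->min_tls > max_ver || c->max_tls < min_ver)
        return OUTSIDE_VERSION_RANGE;
    if (c->strength_bits < min_bits_for_level(level))
        return BELOW_SECURITY_LEVEL;
    return OFFERED;
}

/* Highest security level (0..5) that still accepts the suite's bits. */
static int highest_level_allowed(const struct suite *c)
{
    int level = 5;
    while (level > 0 && c->strength_bits < min_bits_for_level(level))
        level--;
    return level;
}

int main(void)
{
    /* Constructed entries: the suite as posted (64) and as retested (512). */
    struct suite s[2] = { { "MYCIPHER-64", TLS1_2, TLS1_2, 64 },
                          { "MYCIPHER-512", TLS1_2, TLS1_2, 512 } };
    for (int i = 0; i < 2; i++)
        printf("%s: verdict@1=%d max_level=%d\n", s[i].name,
               clienthello_filter(&s[i], 1, TLS1_0, TLS1_2), highest_level_allowed(&s[i]));
    return 0;
}
```

A suite that passes both filters at 512 bits yet is still absent from the ClientHello is being excluded by a check this model does not cover.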
</body>
</html>