<div dir="auto">No.<br><br><div data-smartmail="gmail_signature">NATAWUT SUKRAT @jack</div></div><br><div class="gmail_quote"><div dir="ltr">ในวันที่ พ. 13 มิ.ย. 2018 12:51 <<a href="mailto:openssl-users-request@openssl.org">openssl-users-request@openssl.org</a>> เขียนว่า:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send openssl-users mailing list submissions to<br>
<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:openssl-users-request@openssl.org" target="_blank" rel="noreferrer">openssl-users-request@openssl.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:openssl-users-owner@openssl.org" target="_blank" rel="noreferrer">openssl-users-owner@openssl.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of openssl-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. OpenSSL Security Advisory (OpenSSL)<br>
2. Re: OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?<br>
(Matt Caswell)<br>
3. Re: 2 openssl installed? (Jan Just Keijser)<br>
4. Re: Advantech openssl compatibility issue (Brian.Chou)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 12 Jun 2018 10:18:03 +0000<br>
From: OpenSSL <<a href="mailto:openssl@openssl.org" target="_blank" rel="noreferrer">openssl@openssl.org</a>><br>
To: <a href="mailto:openssl-project@openssl.org" target="_blank" rel="noreferrer">openssl-project@openssl.org</a>, OpenSSL User Support ML<br>
<<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a>>, OpenSSL Announce ML<br>
<<a href="mailto:openssl-announce@openssl.org" target="_blank" rel="noreferrer">openssl-announce@openssl.org</a>><br>
Subject: [openssl-users] OpenSSL Security Advisory<br>
Message-ID: <<a href="mailto:20180612101803.GA31999@openssl.org" target="_blank" rel="noreferrer">20180612101803.GA31999@openssl.org</a>><br>
Content-Type: text/plain; charset=us-ascii<br>
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
<br>
OpenSSL Security Advisory [12 June 2018]<br>
========================================<br>
<br>
Client DoS due to large DH parameter (CVE-2018-0732)<br>
====================================================<br>
<br>
Severity: Low<br>
<br>
During key agreement in a TLS handshake using a DH(E) based ciphersuite a<br>
malicious server can send a very large prime value to the client. This will<br>
cause the client to spend an unreasonably long period of time generating a key<br>
for this prime resulting in a hang until the client has finished. This could be<br>
exploited in a Denial Of Service attack.<br>
<br>
Due to the low severity of this issue we are not issuing a new release of<br>
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i<br>
and OpenSSL 1.0.2p when they become available. The fix is also available in<br>
commit ea7abeeab (for 1.1.0) and commit 3984ef0b7 (for 1.0.2) in the OpenSSL git<br>
repository.<br>
<br>
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken who also<br>
developed the fix.<br>
<br>
References<br>
==========<br>
<br>
URL for this Security Advisory:<br>
<a href="https://www.openssl.org/news/secadv/20180612.txt" rel="noreferrer noreferrer" target="_blank">https://www.openssl.org/news/secadv/20180612.txt</a><br>
<br>
Note: the online version of the advisory may be updated with additional details<br>
over time.<br>
<br>
For details of OpenSSL severity classifications please see:<br>
<a href="https://www.openssl.org/policies/secpolicy.html" rel="noreferrer noreferrer" target="_blank">https://www.openssl.org/policies/secpolicy.html</a><br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQEzBAEBCgAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAlsfnTgACgkQ2cTSbQ5g<br>
RJE9Twf/VSgXaFPlW+JyA2BAiwGREMr/oMQe8mhmka3WQgNb7oMQRxk4ZqwRvLi2<br>
ggPVOQilJ+tkXgeifEQ3SDRxDnnmcUvxbWB8Lt+7tjhM6O+GYGbGbzupnkBs2IIY<br>
72vll4l7ySMQ8/fcdU/uuNyObfigLC9XndH3tEewxffs6uvDxMyGhZmNQpq1aZNj<br>
rGj3dETUuO/Ln8siAD7nkv9xodRINViMP76fSKAtdaikvZa3uhLBMhX5tOzpR/ta<br>
tc2+6uthdU9JjSRZZpfDlzzhsOFqMrLfOLrJQIIXshxUNeOZyJCkmT9ED8XZRDMB<br>
twb1kOxCKz8Ky+Xm/Rki9uRVoZFjBg==<br>
=kKic<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 12 Jun 2018 11:32:21 +0100<br>
From: Matt Caswell <<a href="mailto:matt@openssl.org" target="_blank" rel="noreferrer">matt@openssl.org</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a><br>
Subject: Re: [openssl-users] OpenSSL 1.1.0: How to get X509_STORE from<br>
X509_LOOKUP?<br>
Message-ID: <<a href="mailto:3766b295-2914-b3a1-a259-0d9a81a2548f@openssl.org" target="_blank" rel="noreferrer">3766b295-2914-b3a1-a259-0d9a81a2548f@openssl.org</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
<br>
<br>
On 12/06/18 10:58, Stephan M?hlstrasser wrote:<br>
> In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"<br>
> member of the X509_LOOKUP structure was directly accessible. But in<br>
> OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can<br>
> see there is no API function available that would retrieve the<br>
> X509_STORE pointer from a X509_LOOKUP pointer.<br>
> <br>
> Is this intentional, or was this an omission when making the X509_LOOKUP<br>
> structure opaque in OpenSSL 1.1.0?<br>
<br>
It was an omission that is fixed in the latest dev version of OpenSSL<br>
1.1.0. See this commit:<br>
<br>
<a href="https://github.com/openssl/openssl/commit/6912debb881e669f7a7fb621588e20347111c4f0" rel="noreferrer noreferrer" target="_blank">https://github.com/openssl/openssl/commit/6912debb881e669f7a7fb621588e20347111c4f0</a><br>
<br>
This will be in 1.1.0i when it gets released (no released date as yet).<br>
<br>
Matt<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 12 Jun 2018 18:30:08 +0200<br>
From: Jan Just Keijser <<a href="mailto:janjust@nikhef.nl" target="_blank" rel="noreferrer">janjust@nikhef.nl</a>><br>
To: <a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a>, Sampei <<a href="mailto:sampei02@tiscali.it" target="_blank" rel="noreferrer">sampei02@tiscali.it</a>><br>
Subject: Re: [openssl-users] 2 openssl installed?<br>
Message-ID: <<a href="mailto:a983eb13-92a8-f054-dfac-0c881ad8d64d@nikhef.nl" target="_blank" rel="noreferrer">a983eb13-92a8-f054-dfac-0c881ad8d64d@nikhef.nl</a>><br>
Content-Type: text/plain; charset=utf-8; format=flowed<br>
<br>
Hi,<br>
<br>
On 07/06/18 06:14, Sampei wrote:<br>
><br>
> t?s a server installed many many years ago and there are applications <br>
> which are no used.<br>
> Server is too late and I have new server (latest Centos 6) for <br>
> migrating where I installed latest version.<br>
> I?d like to take to new server all certificate database (certificated <br>
> included) which I created.<br>
> Openssl is only tool to create test certificates.<br>
> I don?t know if there are apps which are using the e configs, but I <br>
> think no.<br>
><br>
this has little to do with OpenSSL itself and more with PKI management. <br>
Basically, your problem seems to be that you have an older server and <br>
you don't know where the certificates and private keys (i.e. the PKI) <br>
were stored. What you need to do, is find out where the certifcates are <br>
held, together with the index.txt file. In order to do so, you could use <br>
something like<br>
? find / -name '*.pem'<br>
or<br>
? find / -name index.txt<br>
and check all directories where such files are found. This will be a <br>
lengthy process, as the find command has to traverse the entire filesystem.<br>
<br>
good luck,<br>
<br>
JJK<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Wed, 13 Jun 2018 05:40:01 +0000<br>
From: Brian.Chou <<a href="mailto:Brian.Chou@advantech.com.tw" target="_blank" rel="noreferrer">Brian.Chou@advantech.com.tw</a>><br>
To: "<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a>" <<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a>><br>
Cc: "Brian.Ng" <<a href="mailto:brian.ng@advantech.com" target="_blank" rel="noreferrer">brian.ng@advantech.com</a>>, "Mojo.Huang"<br>
<<a href="mailto:Mojo.Huang@advantech.com.tw" target="_blank" rel="noreferrer">Mojo.Huang@advantech.com.tw</a>><br>
Subject: Re: [openssl-users] Advantech openssl compatibility issue<br>
Message-ID: <ea8de7a39ca24fd9bb6db14301d15d19@taipei08.ADVANTECH.CORP><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Subscribe and send again.<br>
<br>
From: Brian.Chou<br>
Sent: Wednesday, June 13, 2018 1:21 PM<br>
To: '<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a>'<br>
Cc: Brian.Ng; Mojo.Huang<br>
Subject: Advantech openssl compatibility issue<br>
<br>
Dear support team<br>
<br>
We met openssl crash issue on our Intel Atom C3000 SoC platform.<br>
Openssl crashes when run "s_client -connect IP:Port" command.<br>
In win10 event viewer it show "Faulting module name:LIBEAY32.dll, version:1.0.2.8......". (Figure 1)<br>
The issue only happened to "1.0.2h" or older version. (Table 1)<br>
And other CPU/Chipset on our side can work normally with same command.<br>
Can you help to explain what changes are made between "1.0.2h" and "1.0.2i" that may cause this issue?<br>
Please let me know if you need more info, thank you.<br>
<br>
Note: We found similar issue by google, not sure if it's related. (<a href="https://forum.filezilla-project.org/viewtopic.php?f=6&t=32837&sid=14d3d99cb60f1a6867d16aba89403015" rel="noreferrer noreferrer" target="_blank">https://forum.filezilla-project.org/viewtopic.php?f=6&t=32837&sid=14d3d99cb60f1a6867d16aba89403015</a><<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__forum.filezilla-2Dproject.org_viewtopic.php-3Ff-3D6-26t-3D32837-26sid-3D14d3d99cb60f1a6867d16aba89403015&d=DwMFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=lgpGrPZI_ai301hZxt6u5Jb3XQrxd6ed5-1gL-SJmDE&s=cNoUfknWBgsh-JRnghh6TVNsW72g89P7uuSrJLnLn8g&e=" rel="noreferrer noreferrer" target="_blank">https://urldefense.proofpoint.com/v2/url?u=https-3A__forum.filezilla-2Dproject.org_viewtopic.php-3Ff-3D6-26t-3D32837-26sid-3D14d3d99cb60f1a6867d16aba89403015&d=DwMFAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=lgpGrPZI_ai301hZxt6u5Jb3XQrxd6ed5-1gL-SJmDE&s=cNoUfknWBgsh-JRnghh6TVNsW72g89P7uuSrJLnLn8g&e=</a>>)<br>
<br>
Table 1.Test under Winsvr 2016/Win10<br>
Openssl version<br>
<br>
Connect by "s_client -connect IP:Port"<br>
<br>
1.0.2g<br>
<br>
Fail<br>
<br>
1.0.2h<br>
<br>
Fail<br>
<br>
1.0.2i<br>
<br>
Pass<br>
<br>
1.0.2o<br>
<br>
Pass<br>
<br>
1.0.0d<br>
<br>
Pass<br>
<br>
<br>
<br>
Figure 1<br>
[cid:image002.jpg@01D40273.2D91C710]<br>
Best regards,<br>
Brian Chou<br>
Application Engineering of Industrial IoT Group<br>
Advantech Co., Ltd.<br>
Tel: 886-2-2792-7818 ext,1431<br>
<a href="mailto:e-mail%3ABrian.Chou@advantech.com.tw" target="_blank" rel="noreferrer">e-mail:Brian.Chou@advantech.com.tw</a><mailto:<a href="mailto:brian.chou@advantech.com.tw" target="_blank" rel="noreferrer">brian.chou@advantech.com.tw</a>><br>
<br>
<br>
<br>
Best regards,<br>
Brian Chou<br>
Application Engineering of Industrial IoT Group<br>
Advantech Co., Ltd.<br>
Tel: 886-2-2792-7818 ext,1431<br>
<a href="mailto:e-mail%3ABrian.Chou@advantech.com.tw" target="_blank" rel="noreferrer">e-mail:Brian.Chou@advantech.com.tw</a><mailto:<a href="mailto:brian.chou@advantech.com.tw" target="_blank" rel="noreferrer">brian.chou@advantech.com.tw</a>><br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20180613/0053e43a/attachment.html" rel="noreferrer noreferrer" target="_blank">http://mta.openssl.org/pipermail/openssl-users/attachments/20180613/0053e43a/attachment.html</a>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: image001.jpg<br>
Type: image/jpeg<br>
Size: 30883 bytes<br>
Desc: image001.jpg<br>
URL: <<a href="http://mta.openssl.org/pipermail/openssl-users/attachments/20180613/0053e43a/attachment.jpg" rel="noreferrer noreferrer" target="_blank">http://mta.openssl.org/pipermail/openssl-users/attachments/20180613/0053e43a/attachment.jpg</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
<a href="mailto:openssl-users@openssl.org" target="_blank" rel="noreferrer">openssl-users@openssl.org</a><br>
<a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of openssl-users Digest, Vol 43, Issue 16<br>
*********************************************<br>
</blockquote></div>