From Walter.H at mathemainzel.info Sun Feb 1 17:48:24 2015 From: Walter.H at mathemainzel.info (Walter H.) Date: Sun, 01 Feb 2015 18:48:24 +0100 Subject: [openssl-users] Strange behaviour with Chrome (client OS = WinXP x64) ... Message-ID: <54CE66E8.4010609@mathemainzel.info> Hello, can someone please try the following website with Google Chrome - I use the latest release: Version 39.0.2171.99 m - https://banking.ing-diba.at/ (an electronic Banking site) with the following policy enabled: RequireOnlineRevocationChecksForLocalAnchors = 1 with this banking site I get the following error from Google Chrome "Your connection is not private Attackers might be trying to steal your information from banking.ing-diba.at (for example, passwords, messages, or credit cards)." with the following banking sites of other banks I have no troubles: https://ebanking.easybank.at/ or https://banking.raiffeisen.at/ without enabling the policy above or not setting at all, this banking site works, but the symbol it shows differs; it is the same as if a man-in-the-middle like SSL-Bump would be between; Google chrome uses the same cert store as IE, and with IE there is no connection problem, only another thing the banking site is telling: the browser is out dated, of course IE 7 the IE even shows a green bar when connecting to this banking site ... can someone please tell me what is there special with this banking site: https://banking.ing-diba.at/ ? I'm using SSL bump with the exception of banking sites, the specific part of the squid.conf looks like this: acl ssl_bump_domains_bankingsites dstdomain banking.raiffeisen.at banking.ing-diba.at ebanking.easybank.at services.kepler.at www.kepler.at www.rcb.at acl ssl_bump_domains_msftupdates dstdomain .update.microsoft.com ssl_bump none ssl_bump_domains_bankingsites ssl_bump none ssl_bump_domains_msftupdates ssl_bump server-first all sslproxy_cert_error allow all sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DSS:!SSLv2:+SSLv3:+3DES:!MD5 sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA sslproxy_options NO_SSLv2 NO_SSLv3 sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/local/squid/ssl_db -M 16MB sslcrtd_children 8 http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/cert/squid.pem options=NO_SSLv2,SINGLE_DH_USE dhparams=/etc/squid/cert/dhparam.pem # squid.pem contains both cert+key I'm using my own CA, this means this SSL-bump CA cert is signed by my root CA certificate; what is missing, wrong, ... so that this one banking site will work ...? the SSL-bump CA certificate contain this: Authority Information Access: OCSP - URI:#url-to-ocsp# CA Issuers - URI:#url-to-root-cert# and X509v3 CRL Distribution Points: Full Name: URI:#url-to-crl# everything is working, the OCSP, the root-cert, and the CRL ... what causes Google Chrome producing the mentioned error above, when activating this mentioned policy? the question to squid specialists: was it a good idea signing the SSL-bump CA certificate with the root certificate of my CA? Thanks -- Best regards, Walter H. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5971 bytes Desc: S/MIME Cryptographic Signature URL: From dpb795795 at gmail.com Sun Feb 1 19:37:47 2015 From: dpb795795 at gmail.com (Deepak) Date: Mon, 2 Feb 2015 01:07:47 +0530 Subject: [openssl-users] OpenSSL 'verify' command and c_ rehash script on Cygwin In-Reply-To: <88F86BCF-3A81-45E2-AC06-1CF379FA9A39@gmail.com> References: <88F86BCF-3A81-45E2-AC06-1CF379FA9A39@gmail.com> Message-ID: ---------- Forwarded message ---------- From: "Deepak" Date: Jan 31, 2015 8:05 AM Subject: OpenSSL 'verify' command and c_ rehash script on Cygwin To: Cc: Hi, Can following behaviour be confirmed as expected? OpenSSL verify test (test_verify) fails Env- c_rehash run using Cygwin. Run c_rehash on /path/to/certs/demo Cmd - openssl verify -CApath ../certs/demo ../certs/demo/*.pem Cause - Symbolic links (from hash.0 to file.pem) created by c_rehash when run with Cygwin could not be read by OpenSSL.exe verify command. Result - Error 20: could read issuer certificate OpenSSL.exe fails to establish certificate chain. Workaround - Modify c_rehash to use MS API 'mklink' Thank You. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rasjv at yandex.com Sun Feb 1 20:36:20 2015 From: rasjv at yandex.com (Serj) Date: Sun, 01 Feb 2015 23:36:20 +0300 Subject: [openssl-users] What is the best practise for shutdown SSL connections? Message-ID: <7145121422822980@web21h.yandex.ru> Hello, What is the best practise for shutdown SSL connections? When client and server both not mine. For example, http client or server. I have read: https://www.openssl.org/docs/ssl/SSL_shutdown.html https://www.openssl.org/docs/ssl/SSL_set_shutdown.html I use non-blocking sockets and create sockets manually, then with BIO_new_socket() and SSL_set_bio() associate them with SSL object. I have 3 themes and corresponding questions: 1. Return values for SSL_shutdown() I never get 2 as a return value! Only 1 as successful then SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN are both set. Maybe something wrong at the documentation? 2. What is the best practise for shutdown SSL connections for CLIENT? As I understand unidirectional shutdown for client is more suitable, doesn't require special work for waiting "close_notify". But we must be sure that server got a "close_notify" - this is the question! So, the code for CLIENT: ------------------------------------------------ //all data were obtained from the server SSL_shutdown(ssl); //here we must be sure that "close_notify" alert is gotten by server //... closesocket(s); ------------------------------------------------ How to do this check: server got the "close_notify" alert? What is the best practise? I see that SSL_get_shutdown() returns SSL_SENT_SHUTDOWN immediatly after we have called SSL_shutdown() first time, so it only sets the flag after sending "close_notify" but doesn't wait. 3. What is the best practise for shutdown SSL connections for SERVER? As I understand SERVER must get "close_notify" from client otherwise it will not be able to save a session, am i right? And the session will be invalid in this case. So, for server the code is: ------------------------------------------------ //all data has been sent to the client SSL_shutdown(ssl); //will not be superfluous //here we must wait a "close_notify" alert from client //we can do this by examine flag SSL_RECEIVED_SHUTDOWN with SSL_get_shutdown() //... //and only after this we can safely close the connection closesocket(s); ------------------------------------------------ I will be very glad if these 3 themes and corresponding questions will not go unanswered! -- Best Regards, Serj From openssl-users at dukhovni.org Sun Feb 1 20:48:13 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 1 Feb 2015 20:48:13 +0000 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <7145121422822980@web21h.yandex.ru> References: <7145121422822980@web21h.yandex.ru> Message-ID: <20150201204813.GE8034@mournblade.imrryr.org> On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote: > 1. Return values for SSL_shutdown() 0 initially if shutdown alert sent, but not yet received from the peer. > I never get 2 as a return value! Why do you expect "2"? [ Note, something is screwing up itemized lists in the on-line documentation. Instead of showing item labels, item numbers are showing up instead. ] The nroff manpage says: RETURN VALUES The following return values can occur: 0 The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error(3) may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. 1 The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received. -1 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error(3) with the return value ret to find out the reason. > 2. What is the best practise for shutdown SSL connections for CLIENT? Call ssl_shutdown() and if it returns 0, call it again processing WANT_READ/WANT_WRITE as required. -- Viktor. From rasjv at yandex.com Sun Feb 1 21:28:12 2015 From: rasjv at yandex.com (Serj) Date: Mon, 02 Feb 2015 00:28:12 +0300 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <20150201204813.GE8034@mournblade.imrryr.org> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> Message-ID: <17472611422826092@web4m.yandex.ru> Hi, Viktor. 01.02.2015, 23:50, "Viktor Dukhovni" : > On Sun, Feb 01, 2015 at 11:36:20PM +0300, Serj wrote: >> ?1. Return values for SSL_shutdown() > > ????0 ?initially if shutdown alert sent, but not yet received from > ???????the peer. >> ?I never get 2 as a return value! > > Why do you expect "2"? ?[ Note, something is screwing up itemized > lists in the on-line documentation. ?Instead of showing item labels, > item numbers are showing up instead. ] Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this: ----------------------------------------------------- RETURN VALUES The following return values can occur: 1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. 2. The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received. <0 The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. Call SSL_get_error with the return value ret to find out the reason. ----------------------------------------------------- >?The nroff manpage says: > ????RETURN VALUES > ???????The following return values can occur: > > ???????0 ??The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional > ???????????shutdown shall be performed. ?The output of SSL_get_error(3) may be misleading, as an erroneous > ???????????SSL_ERROR_SYSCALL may be flagged even though no error occurred. > > ???????1 ??The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close > ???????????notify" alert was received. > > ???????-1 ?The shutdown was not successful because a fatal error occurred either at the protocol level or a > ???????????connection failure occurred. It can also occur if action is need to continue the operation for > ???????????non-blocking BIOs. ?Call SSL_get_error(3) with the return value ret to find out the reason. Seems to be this is right. This is exactly what I wanted to see here: https://www.openssl.org/docs/ssl/SSL_shutdown.html >> ?2. What is the best practise for shutdown SSL connections for CLIENT? > > Call ssl_shutdown() and if it returns 0, call it again processing > WANT_READ/WANT_WRITE as required. I use non-blocking sockets. That's why I got -1 as return value after first ssl_shutdown(). I process WANT_READ/WANT_WRITE. But some servers don't send "close_notify", so we never got a 1 as a return value. We must be sure that server got a "close_notify" - this is the question! What is the best practise for that? -- Best Regards, Serj From rasjv at yandex.com Sun Feb 1 21:38:26 2015 From: rasjv at yandex.com (Serj) Date: Mon, 02 Feb 2015 00:38:26 +0300 Subject: [openssl-users] SSL/TLS sessions of client Message-ID: <17480231422826706@web4m.yandex.ru> Hello, I want to use only internal cache right now. SSL_SESS_CACHE_CLIENT is not set by default. As I understand for client we must: 1. Set SSL_SESS_CACHE_CLIENT flag with SSL_CTX_set_session_cache_mode() 2. Manually save SSL_SESSION object to be able to choose session with SSL_set_session() next time or we can only save a pointer to SSL_SESSION object with SSL_get1_session() (because all data already will be kept in memory until we explicitly call SSL_SESSION_free()) and then we can give this pointer to the SSL_set_session()? -- Best Regards, Serj From openssl-users at dukhovni.org Sun Feb 1 22:11:29 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 1 Feb 2015 22:11:29 +0000 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <17472611422826092@web4m.yandex.ru> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> Message-ID: <20150201221129.GF8034@mournblade.imrryr.org> On Mon, Feb 02, 2015 at 12:28:12AM +0300, Serj wrote: > > Why do you expect "2"? ?[ Note, something is screwing up itemized > > lists in the on-line documentation. ?Instead of showing item labels, > > item numbers are showing up instead. ] > > Here: https://www.openssl.org/docs/ssl/SSL_shutdown.html I see only this: > ----------------------------------------------------- > RETURN VALUES > > The following return values can occur: > > 1. The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. > > 2. The shutdown was successfully completed. The "close notify" alert was sent and the peer's "close notify" alert was received. > > <0 The formatting of itemized lists in the on-line HTML is broken. -- Viktor. From rasjv at yandex.com Sun Feb 1 22:32:42 2015 From: rasjv at yandex.com (Serj) Date: Mon, 02 Feb 2015 01:32:42 +0300 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <20150201221129.GF8034@mournblade.imrryr.org> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> <20150201221129.GF8034@mournblade.imrryr.org> Message-ID: <10257621422829962@web28o.yandex.ru> 02.02.2015, 01:13, "Viktor Dukhovni" : > The formatting of itemized lists in the on-line HTML is broken. Ok. But what about the best practise for shutdown of connection on the client side? Server can don't send "close notify" alert. And what about the best practise for shutdown of connection on the server side? Is it mandatory to wait "close_notify" from client to be able to save valid session for this client or not? If server close the connection after all data has been sent to the client and don't receive "close_notify", will be the session kept? -- Best Regards, Serj From openssl-users at dukhovni.org Sun Feb 1 23:06:46 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 1 Feb 2015 23:06:46 +0000 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <10257621422829962@web28o.yandex.ru> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> <20150201221129.GF8034@mournblade.imrryr.org> <10257621422829962@web28o.yandex.ru> Message-ID: <20150201230646.GH8034@mournblade.imrryr.org> On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote: > But what about the best practice for shutdown of connection on the client side? http://tools.ietf.org/html/rfc5246#section-7.2.1 > And what about the best practice for shutdown of connection on the server > side? Is it mandatory to wait "close_notify" from client to be able to > save valid session for this client or not? If server close the connection > after all data has been sent to the client and don't receive "close_notify", > will be the session kept? http://tools.ietf.org/html/rfc5246#section-7.2.1 -- Viktor. From raji.kotamraju at gmail.com Mon Feb 2 02:18:10 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Mon, 2 Feb 2015 07:48:10 +0530 Subject: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error Message-ID: Hello Openssl users, Am facing an issue of "no shared cipher" error during SSL Handshake, when tried to negotiate ECDHE cipher suite. We are using openssl-1.0.1j version. Can you please share your thoughts? Following are the logs during SSL Handshake. Server has 2 from 0xE29690E0: 0x10B42900:ECDHE-ECDSA-AES256-SHA 0x10B428D0:ECDHE-ECDSA-AES128-SHA Client sent 2 from 0xE442F5B0: 0x10B42900:ECDHE-ECDSA-AES256-SHA 0x10B428D0:ECDHE-ECDSA-AES128-SHA rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0 0:[00000080:00000040:00000089:00000005]0x10B42900:ECDHE-ECDSA-AES256-SHA rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0 0:[00000080:00000040:00000089:00000005]0x10B428D0:ECDHE-ECDSA-AES128-SHA *Feb 2 01:00:46.884: SSL_accept:before/accept initialization *Feb 2 01:00:46.884: SSL_accept:would block on read in SSLv3 read client hello B *Feb 2 01:00:47.892: <<< TLS 1.2 Handshake [length 0092], ClientHello *Feb 2 01:00:47.892: 01 00 00 8E 03 03 C3 CB 15 58 20 B9 49 1D 73 C7 *Feb 2 01:00:47.892: F8 C1 4D 31 10 A1 B6 D9 62 9E DF 91 A8 DC 8F 79 *Feb 2 01:00:47.892: 95 79 20 55 AC CF 00 00 06 C0 0A C0 09 00 FF 01 *Feb 2 01:00:47.893: 00 00 5F 00 0B 00 04 03 00 01 02 00 0A 00 34 00 *Feb 2 01:00:47.893: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00 *Feb 2 01:00:47.893: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 *Feb 2 01:00:47.893: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00 *Feb 2 01:00:47.893: 10 00 11 00 0D 00 16 00 14 06 01 06 03 05 01 05 *Feb 2 01:00:47.893: 03 04 01 04 03 03 01 03 03 02 01 02 03 00 0F 00 *Feb 2 01:00:47.893: 01 01 *Feb 2 01:00:47.893: TLS client extension "EC point formats" (id=11), len=4 *Feb 2 01:00:47.893: 03 00 01 02 *Feb 2 01:00:47.893: TLS client extension "elliptic curves" (id=10), len=52 *Feb 2 01:00:47.893: 00 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 *Feb 2 01:00:47.893: 00 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 *Feb 2 01:00:47.893: 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F *Feb 2 01:00:47.893: 00 10 00 11 *Feb 2 01:00:47.893: TLS client extension "signature algorithms" (id=13), len=22 *Feb 2 01:00:47.893: 00 14 06 01 06 03 05 01 05 03 04 01 04 03 03 01 *Feb 2 01:00:47.893: 03 03 02 01 02 03 *Feb 2 01:00:47.893: TLS client extension "heartbeat" (id=15), len=1 *Feb 2 01:00:47.893: 01 *Feb 2 01:00:47.894: >>> TLS 1.2 Alert [length 0002], fatal handshake_failure *Feb 2 01:00:47.894: 02 28 *Feb 2 01:00:47.894: Router# *Feb 2 01:00:47.894: SSL3 alert write:fatal:handshake failure *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381: Have updated with temporary ECDH callback during SSL Server initialization. ECDSA certificate is being signed using openssl commands. Am not seeing any issue with RSA baesd ciphers. But only with ECDSA based ciphers having problem on my setup. Can you please share will the certificate loading is something different than RSA? Thanks, Rajeswari. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rasjv at yandex.com Mon Feb 2 06:23:19 2015 From: rasjv at yandex.com (Serj) Date: Mon, 02 Feb 2015 09:23:19 +0300 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <20150201230646.GH8034@mournblade.imrryr.org> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> <20150201221129.GF8034@mournblade.imrryr.org> <10257621422829962@web28o.yandex.ru> <20150201230646.GH8034@mournblade.imrryr.org> Message-ID: <9843941422858199@web1h.yandex.ru> Hi, Viktor. 02.02.2015, 02:08, "Viktor Dukhovni" : > On Mon, Feb 02, 2015 at 01:32:42AM +0300, Serj wrote: >> ?But what about the best practice for shutdown of connection on the client side? > > ????http://tools.ietf.org/html/rfc5246#section-7.2.1 I read RFC. Have read "7.2.1. Closure Alerts" once again. But this is the normative document. I ask: what in practise in terms of OpenSSL API? As I already said some servers don't send "close_notify" and just close the connection. So I think the shutdown algorithm for SSL client must be the following: ------------------------------------------------------------------------- //... //all data was obtained from the server if (SSL_shutdown(ssl)==1) { closesocket(s) goto l_shutdown_complete; } shutdown(s,SD_SEND); //set timeout for getting "close_notify" from SERVER //in the cycle... waiting events from socket or timeout (which comes first): // //1. process SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE (in this case only SSL_ERROR_WANT_READ because seems to be SSL_shutdown() send "close_notify" alert to SERVER), call SSL_shutdown() once again and examine it's return value for 1 OR examine SSL_get_shutdown() for (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN) // //2. Wait FD_CLOSE // //3. Timeout //if one of three happens closesocket(s) ------------------------------------------------------------------------- >> ?And what about the best practice for shutdown of connection on the server >> ?side? Is it mandatory to wait "close_notify" from client to be able to >> ?save valid session for this client or not? If server close the connection >> ?after all data has been sent to the client and don't receive "close_notify", >> ?will be the session kept? > > ????http://tools.ietf.org/html/rfc5246#section-7.2.1 I ask: what in practise in terms of OpenSSL API? If SERVER close the connection after all data has been sent to the client and will not wait for "close_notify" alert from CLIENT, will be the session kept and valid in OpenSLL API? I mean, can CLIENT then reuse this session, if it doesn't send "close_notify" alert? Or this session will be invalid? -- Best Regards, Serj From raji.kotamraju at gmail.com Mon Feb 2 10:04:43 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Mon, 2 Feb 2015 15:34:43 +0530 Subject: [openssl-users] ECDSA private key load error Message-ID: Hello Openssl users, Am facing following issue while am loading ECDSA private key using EVP_PKCS82PKEY(). I hope am missing some initialization in this regard. Can you please point me what am i doing wrong. Steps followed : Have generated CSR and signed using openssl commans. Following are the parameters updated in the certificate. Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: ecdsa-with-SHA256 Issuer: CN=ecdsa Validity Not Before: Feb 2 06:00:29 2015 GMT Not After : Feb 2 06:00:29 2016 GMT Subject: CN=eccert Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: ASN1 OID: prime256v1 X509v3 extensions: X509v3 Subject Key Identifier: X509v3 Authority Key Identifier: X509v3 Key Usage: critical Digital Signature Signature Algorithm: ecdsa-with-SHA256 Step 2 : Tried to convert the private key in to PKCS8 format. Step 3 : Tried to call "EVP_PKCS82PKEY(pkey)". This function is always returning NULL. When further checked on the return types, i could see following. As part of "PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)", the type is of V_ASN1_OCTET_STRING. (i.e. p8->pkey->type == V_ASN1_OCTET_STRING). But OBJ_obj2nid(algoid) returning the nid value as 0 i.e. NID_undef. Due to this, EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid)) always returns NULL. Can you help me to get out of this error. Thanks, Rajeswari. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gayathri.annur at gmail.com Mon Feb 2 13:01:51 2015 From: gayathri.annur at gmail.com (Gayathri Manoj) Date: Mon, 2 Feb 2015 18:31:51 +0530 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References: Message-ID: Hi All, Please let me know shall I need to take care the memory separately for the fips mode. Only in FIPS mode i am getting the below error while calling i2d_x509_sig(). Program received signal SIGSEGV, Segmentation fault. 0x00d9d045 in __memcpy_ssse3_rep () from /lib/libc.so.6 Thanks, Gayathri On Fri, Jan 30, 2015 at 7:09 PM, Gayathri Manoj wrote: > Hi All, > > I am getting segfault while using i2d_X509_SIG() in FIPS mode. > (gdb) bt > #0 0x01f95045 in __memcpy_ssse3_rep () from /lib/libc.so.6 > #1 0x00466837 in asn1_ex_i2c () from /usr/local/cm/lib/libcrypto.so.1.0.1 > #2 0x00466a36 in asn1_i2d_ex_primitive () from > /usr/local/cm/lib/libcrypto.so.1.0.1 > #3 0x00466c4c in ASN1_item_ex_i2d () from > /usr/local/cm/lib/libcrypto.so.1.0.1 > #4 0x0046727a in asn1_template_ex_i2d () from > /usr/local/cm/lib/libcrypto.so.1.0.1 > #5 0x00466eb3 in ASN1_item_ex_i2d () from > /usr/local/cm/lib/libcrypto.so.1.0.1 > #6 0x004675f3 in ASN1_item_i2d () from > /usr/local/cm/lib/libcrypto.so.1.0.1 > #7 0x0045fb3e in i2d_X509_SIG () from /usr/local/cm/lib/libcrypto.so.1.0.1 > > unsigned char *ptr, *tmp=NULL; > len=i2d_X509_SIG(&sig,NULL); --> No issue > sig.algor->algorithm=OBJ_nid2obj(NID_sha1); > tmp = (unsigned char*) malloc(512+1); > ptr=tmp; > i2d_X509_SIG(&sig, &p); -->while calling secod time gettign core file. > > Its working fine in nonfips mode. But in FIPS getting core files. Please > let me know how can i solve this issue. > > Thanks, > Gayathri > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve at openssl.org Mon Feb 2 13:08:58 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Mon, 2 Feb 2015 13:08:58 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

Message-ID: <20150202130858.GA14363@openssl.org> On Mon, Feb 02, 2015, Gayathri Manoj wrote: > Hi All, > > Please let me know shall I need to take care the memory separately for the > fips mode. > Only in FIPS mode i am getting the below error while calling i2d_x509_sig(). > I'm not sure how that can happen. The function i2d_X509_SIG isn't part of the FIPS module so shouldn't be affected. How are you calling i2d_X509_SIG? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From curious_freddy at gmsl.co.uk Mon Feb 2 13:13:40 2015 From: curious_freddy at gmsl.co.uk (Fred) Date: Mon, 02 Feb 2015 13:13:40 +0000 Subject: [openssl-users] Specify algorithm for openssl smime decrypt In-Reply-To: <20150106123859.GA5817@openssl.org> References: <54ABBC1B.3080107@gmsl.co.uk> <20150106123859.GA5817@openssl.org> Message-ID: <54CF7804.20701@gmsl.co.uk> On 06/01/2015 12:38, Dr. Stephen Henson wrote: > On Tue, Jan 06, 2015, Fred wrote: >> I need to decrypt some S/MIME content with an invalid key length >> for the AlgOID specified in the PCKS7 content. >> >> AES-256 is specified as the AlgOID, but a key length of 192 bits is >> being used. >> >> Is there anyway to get openssl to decrypt this using the openssl >> smime command? i.e. override the cipher used so that is uses >> aes-192-cbc ? > > Not using the smime command no. There are ways to handle this either with a > short program or by using a binary cut+paste using asn1parse. > > Another alternative is to use a modified version of OpenSSL which detects this > and works around the problem. (snip) I take it this kind of behaviour is non-standard, which is why OpenSSL has a problem? Does this behaviour (AlgID mismatch) explicitly contravene some RFC or is it that this is simply undefined and openssl is just being sensible? It would be useful to know if the software used to create the encrypted software is broken (it would seem it is). From gayathri.annur at gmail.com Mon Feb 2 13:45:12 2015 From: gayathri.annur at gmail.com (Gayathri Manoj) Date: Mon, 2 Feb 2015 19:15:12 +0530 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: <20150202130858.GA14363@openssl.org> References:

<20150202130858.GA14363@openssl.org> Message-ID: Hi Steve, unsigned char *ptr, *tmp=NULL; X509_SIG sig; .... len=i2d_X509_SIG(sig,NULL); tmp = (unsigned char*) malloc(513); ptr=tmp; i2d_X509_SIG(&sig, &ptr); // here causing problem. Thanks, Gayathri On Mon, Feb 2, 2015 at 6:38 PM, Dr. Stephen Henson wrote: > On Mon, Feb 02, 2015, Gayathri Manoj wrote: > > > Hi All, > > > > Please let me know shall I need to take care the memory separately for > the > > fips mode. > > Only in FIPS mode i am getting the below error while calling > i2d_x509_sig(). > > > > I'm not sure how that can happen. The function i2d_X509_SIG isn't part of > the > FIPS module so shouldn't be affected. How are you calling i2d_X509_SIG? > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Mon Feb 2 15:00:51 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 2 Feb 2015 15:00:51 +0000 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <9843941422858199@web1h.yandex.ru> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> <20150201221129.GF8034@mournblade.imrryr.org> <10257621422829962@web28o.yandex.ru> <20150201230646.GH8034@mournblade.imrryr.org> <9843941422858199@web1h.yandex.ru> Message-ID: <20150202150051.GO8034@mournblade.imrryr.org> On Mon, Feb 02, 2015 at 09:23:19AM +0300, Serj wrote: > > http://tools.ietf.org/html/rfc5246#section-7.2.1 > > I read RFC. Have read "7.2.1. Closure Alerts" once again. > But this is the normative document. I ask: what in practise in terms of OpenSSL API? > > As I already said some servers don't send "close_notify" and just close the connection. If you close first, that's OK. Also OK, if there's an application-level end-of-data indication. For example, with SMTP client sends "QUIT" and server sends "221 Goodbye", there's no need to explicitly perform an SSL_shutdown(). However, Postfix does it by the book per TLSv1.0: if (SSL_shutdown() == 0) SSL_shutdown() with appropriate handling of WANT_READ/WANT_WRITE, timeouts, ... > >> And what about the best practice for shutdown of connection on the server > >> side? Is it mandatory to wait "close_notify" from client to be able to > >> save valid session for this client or not? If server close the connection > >> after all data has been sent to the client and don't receive "close_notify", > >> will be the session kept? > > > > http://tools.ietf.org/html/rfc5246#section-7.2.1 > > I ask: what in practise in terms of OpenSSL API? > If SERVER close the connection after all data has been sent to the client and will not wait for "close_notify" alert from CLIENT, will be the session kept and valid in OpenSLL API? It should be sufficient for the server to send its close notify without waiting for a client response. If the server destroys the SSL connection without calling SSL_shutdown() I am not sure whether the session remains cached. > I mean, can CLIENT then reuse this session, if it doesn't send "close_notify" alert? Or this session will be invalid? Try it, see what happens. The client is certainly free to *try* to the reuse the session, worst-case the server will perform a full handshake anyway. -- Viktor. From steve at openssl.org Mon Feb 2 15:57:59 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Mon, 2 Feb 2015 15:57:59 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> Message-ID: <20150202155759.GA8252@openssl.org> On Mon, Feb 02, 2015, Gayathri Manoj wrote: > Hi Steve, > > unsigned char *ptr, *tmp=NULL; > X509_SIG sig; > .... > len=i2d_X509_SIG(sig,NULL); > tmp = (unsigned char*) malloc(513); > ptr=tmp; > i2d_X509_SIG(&sig, &ptr); // here causing problem. > Well you should really malloc 'len' bytes as it could theoretically exceed 513 (in practice it's unlikely). How are you setting up "sig"? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From openssl-users at dukhovni.org Mon Feb 2 16:01:49 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 2 Feb 2015 16:01:49 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> Message-ID: <20150202160149.GT8034@mournblade.imrryr.org> On Mon, Feb 02, 2015 at 07:15:12PM +0530, Gayathri Manoj wrote: > unsigned char *ptr, *tmp=NULL; > X509_SIG sig; > .... How is "sig" initialized? > len=i2d_X509_SIG(sig,NULL); > tmp = (unsigned char*) malloc(513); Why 513 and not len? What is the value of len? > ptr=tmp; > i2d_X509_SIG(&sig, &ptr); // here causing problem. -- Viktor. From dthompson at prinpay.com Tue Feb 3 02:58:53 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Mon, 2 Feb 2015 21:58:53 -0500 Subject: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error In-Reply-To: References: Message-ID: <001801d03f5d$5a54f510$0efedf30$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Sunday, February 01, 2015 21:18 > Am facing an issue of "no shared cipher" error during SSL Handshake, > when tried to negotiate ECDHE cipher suite. > *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C > *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines: > SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381: > Have updated with temporary ECDH callback during SSL Server initialization. > ECDSA certificate is being signed using openssl commands. How was the keypair and CSR generated? In particular, check the publickey in the CSR, and thus in the cert, has the curve encoded in "named" form (as an OID) not "explicit" form (with all the details of prime or polynomial, equation coefficients, base point, and cofactor). From raji.kotamraju at gmail.com Tue Feb 3 03:17:26 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Tue, 3 Feb 2015 08:47:26 +0530 Subject: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error In-Reply-To: <001801d03f5d$5a54f510$0efedf30$@prinpay.com> References: <001801d03f5d$5a54f510$0efedf30$@prinpay.com> Message-ID: Hello Dave, Thanks for responding. Following is the output printed by openssl ./openssl req -in csr.csr -noout -text Certificate Request: Data: Version: 0 (0x0) Subject: CN=eccert/unstructuredName=xxxx Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: ASN1 OID: prime256v1 Attributes: Requested Extensions: X509v3 Key Usage: critical Digital Signature Signature Algorithm: ecdsa-with-SHA256 Please share is there any issue with these parameters? Thanks, Rajeswari. On Tue, Feb 3, 2015 at 8:28 AM, Dave Thompson wrote: > > From: openssl-users On Behalf Of Rajeswari K > > Sent: Sunday, February 01, 2015 21:18 > > > Am facing an issue of "no shared cipher" error during SSL Handshake, > > when tried to negotiate ECDHE cipher suite. > > > *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C > > *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines: > > SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381: > > > Have updated with temporary ECDH callback during SSL Server > initialization. > > > ECDSA certificate is being signed using openssl commands. > > How was the keypair and CSR generated? In particular, check the > publickey in the CSR, and thus in the cert, has the curve encoded in > "named" form (as an OID) not "explicit" form (with all the details of > prime or polynomial, equation coefficients, base point, and cofactor). > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From gayathri.annur at gmail.com Tue Feb 3 05:26:04 2015 From: gayathri.annur at gmail.com (Gayathri Manoj) Date: Tue, 3 Feb 2015 10:56:04 +0530 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: <20150202160149.GT8034@mournblade.imrryr.org> References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> Message-ID: Hi Steve, Viktor, I have tried with len also, But this also causing seg fault. my requiremnt is to store max 2048 bit keys. Hence I used length as 512 +1. currently i ma getting len value = 28514. X509_SIG sig; X509_ALGOR algor; ASN1_OCTET_STRING digest; ASN1_TYPE parameter; ASN1_item_digest() // to get digest details sig.algor = &algor; sig.algor->algorithm=OBJ_nid2obj(NID_md5); parameter.type=V_ASN1_NULL; parameter.value.ptr=NULL; sig.algor->parameter = ¶meter; sig.digest = &digest; sig.digest->data=(unsigned char*)msg; sig.digest->length=datalen; len = i2d_X509_SIG(&sig,NULL); Thanks, Gayathri On Mon, Feb 2, 2015 at 9:31 PM, Viktor Dukhovni wrote: > On Mon, Feb 02, 2015 at 07:15:12PM +0530, Gayathri Manoj wrote: > > > unsigned char *ptr, *tmp=NULL; > > X509_SIG sig; > > .... > > How is "sig" initialized? > > > len=i2d_X509_SIG(sig,NULL); > > tmp = (unsigned char*) malloc(513); > > Why 513 and not len? What is the value of len? > > > ptr=tmp; > > i2d_X509_SIG(&sig, &ptr); // here causing problem. > > -- > Viktor. > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From goran.hammarback at foxt.com Tue Feb 3 08:41:02 2015 From: goran.hammarback at foxt.com (=?ISO-8859-1?Q?G=F6ran_Hammarb=E4ck?=) Date: Tue, 03 Feb 2015 09:41:02 +0100 Subject: [openssl-users] Openssl 1.0.2 evp_test core dumps on Sparc T4, solaris 11 Message-ID: <1422952862.19595.105.camel@rydra.dev.top> I am building openssl 1.0.2 on a number of platforms, and I am having problems on a virtual Solaris 11.0 machine running on a Sparc T4. The code builds fine, but the evp_test core dumps. Here are the last lines of output from the command (test/evp_test test/evptests.txt): Testing cipher id-aes256-CCM(encrypt/decrypt) Key 0000 1b de 32 51 d4 1a 8b 5e a0 13 c1 95 ae 12 8b 21 0010 8b 3e 03 06 37 63 57 07 7e f1 c1 c7 85 48 b9 2e IV 0000 5b 8e 40 74 6f 6b 98 e0 0f 1d 13 ff 41 Plaintext 0000 53 bd 72 a9 70 89 e3 12 42 2b f7 2e 24 23 77 b3 0010 c6 ee 3e 20 75 38 9b 99 9c 4e f7 f2 8b d2 b8 0a Ciphertext 0000 9a 5f cc cd b4 cf 04 e7 29 3d 27 75 cc 76 a4 88 0010 f0 42 38 2d 94 9b 43 b7 d6 bb 2b 98 64 78 67 26 AAD 0000 c1 7a 32 51 4e b6 10 3f 32 49 e0 76 d4 c8 71 dc 0010 97 e0 4b 28 66 99 e5 44 91 dc 18 f6 d7 34 d4 c0 Tag 0000 20 24 93 1d 73 bc a4 80 c2 4a 24 ec e6 b6 c2 bf zsh: segmentation fault (core dumped) ./test/evp_test test/evptests.txt pstack: sol11b% pstack core core 'core' of 19831: ./test/evp_test test/evptests.txt 00000b80 ???????? (6bb20, ffbfec80, ffbfd240, 20, b80, 1) ff20c3c4 aes_ccm_cipher (ffbfe240, ffbfd240, ffbfec80, 20, ff20c220, ff2d8894) + 1a4 ff205e90 EVP_EncryptUpdate (ffbfe240, ffbfd240, ffbfd22c, ffbfec80, 20, 1) + 110 00011afc test1 (ff2d8894, ffbfec24, ffffec00, ffbfe2d0, d, 0) + 33c 00012ed8 main (ffbfe394, ffffe76c, ffffffff, ffbfe398, ffffe768, ffffe794) + 658 0001161c _start (0, 0, 0, 0, 0, 0) + 5c If I comment out the aes-256-ccm line in evptests.txt, all other tests run fine. When I run the same binary on a virtual machine on a Sparc T2, it works fine. I also tried building the code on the T2, but it still fails on the T4. ldd on evp_test shows that it is using the correct 1.0.2 versions of libssl.so and libcrypto.so. I also tried with the openssl-1.0.2-stable-SNAP-20150202 snapshot but got the same result. Anyone had similar problems? G?ran Hammarb?ck From dfnsonfsduifb at gmx.de Tue Feb 3 09:00:18 2015 From: dfnsonfsduifb at gmx.de (Johannes Bauer) Date: Tue, 03 Feb 2015 10:00:18 +0100 Subject: [openssl-users] "openssl dgst" computes wrong HMAC? Message-ID: <54D08E22.9090904@gmx.de> Hi list, when I use OpenSSL I suspect some funny business going on with the HMAC computation of "openssl dgst" command line tool. Consider: $ echo -n foobar | openssl dgst -sha256 -hex -hmac aabbcc (stdin)= 6e74cdc3b72b8b66535b914357c7d656a22acbb1700b4e6de688fd5c091d305c But #include #include #include #include #include "hexdump.h" int main() { uint8_t digest[32]; HMAC_CTX hmacCtx; HMAC_CTX_init(&hmacCtx); HMAC_Init_ex(&hmacCtx, "\xaa\xbb\xcc", 3, EVP_sha256(), NULL); HMAC_Update(&hmacCtx, "foobar", 6); unsigned int length; HMAC_Final(&hmacCtx, digest, &length); HMAC_CTX_cleanup(&hmacCtx); HexDump(digest, 32); return 0; } Yields 985343745ee86b452c7c0b327171829c77e1a022f423d95156b52fa22083db8e Also, Python: #!/usr/bin/python3 import Crypto.Hash.HMAC import Crypto.Hash.SHA256 key = b"\xaa\xbb\xcc" data = b"foobar" hmac = Crypto.Hash.HMAC.new(digestmod = Crypto.Hash.SHA256, key = key) hmac.update(data) result = hmac.digest() print("".join("%02x" % (c) for c in result)) Yields 985343745ee86b452c7c0b327171829c77e1a022f423d95156b52fa22083db8e Am I using "openssl dgst" wrong or is it just plain broken? Regards, Johannes From dfnsonfsduifb at gmx.de Tue Feb 3 09:16:23 2015 From: dfnsonfsduifb at gmx.de (Johannes Bauer) Date: Tue, 03 Feb 2015 10:16:23 +0100 Subject: [openssl-users] "openssl dgst" computes wrong HMAC? In-Reply-To: <54D08E22.9090904@gmx.de> References: <54D08E22.9090904@gmx.de> Message-ID: <54D091E7.3050802@gmx.de> On 03.02.2015 10:00, Johannes Bauer wrote: > when I use OpenSSL I suspect some funny business going on with the HMAC > computation of "openssl dgst" command line tool. Consider: Damn, I'm sorry. Forgot to include the version: OpenSSL 1.0.1f 6 Jan 2014 Regards, Johannes From jan.weil at ptb.de Tue Feb 3 09:57:46 2015 From: jan.weil at ptb.de (jan.weil at ptb.de) Date: Tue, 3 Feb 2015 10:57:46 +0100 Subject: [openssl-users] Certificate verification fails with latest commits (ECDSA) Message-ID: Hi, we have noticed that with the latest Debian wheezy-security update of the libssl1.0.0 package sudenly the verification of some of our ECDSA-signed certificates failed. I've looked into this and I've traced it down to the following patch https://github.com/openssl/openssl/commit/684400ce192dac51df3d3e92b61830a6ef90be3e which introduces a new statement to check the length of the DER-coded signature in ecs_vrf.c: - if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err; + if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_ECDSA_SIG(s, &der); + if (derlen != sig_len || memcmp(sigbuf, der, derlen)) + goto err; This check fails for some of our certificates and the reason is that openssl adds a padding byte for BIGNUMs in crypto/asn1/x_bignum.c if the MSB is set. Our encoding does not contain these padding bytes and, consequently, the re-encoded version of our certificate signature is two bytes longer than before which results in an error. RFC3279 defines Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } I've looked up the DER encoding rules for INTEGER here http://www.itu.int/rec/T-REC-X.690-200811-I and I can't find any evidence that this padding byte is mandatory. See below for the relevant paragraph. So my question is: Would you agree that this is an openssl bug or is the padding byte indeed mandatory and we have to adapt the encoding of our certificates? I am attaching one of the certificates for which the verification fails along with the root ca's certificate. Cheers, Jan X.690 INTEGER: 8.3 Encoding of an integer value 8.3.1 The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets. 8.3.2 If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet: a) shall not all be ones; and b) shall not all be zero. NOTE ? These rules ensure that an integer value is always encoded in the smallest possible number of octets. 8.3.3 The contents octets shall be a two's complement binary number equal to the integer value, and consisting of bits 8 to 1 of the first octet, followed by bits 8 to 1 of the second octet, followed by bits 8 to 1 of each octet in turn up to and including the last octet of the contents octets. NOTE ? The value of a two's complement binary number is derived by numbering the bits in the contents octets, starting with bit 1 of the last octet as bit zero and ending the numbering with bit 8 of the first octet. Each bit is assigned a numerical value of 2N, where N is its position in the above numbering sequence. The value of the two's complement binary number is obtained by summing the numerical values assigned to each bit for those bits which are set to one, excluding bit 8 of the first octet, and then reducing this value by the numerical value assigned to bit 8 of the first octet if that bit is set to one. Jan Weil Physikalisch-Technische Bundesanstalt Arbeitsgruppe 8.52 Datenkommunikation und -sicherheit Abbestr. 2 - 12 10587 Berlin Telefon: (+49 30) 34 81 - 77 64 Fax: (+49 30) 34 81 - 69 77 64 Email: jan.weil at ptb.de -------------- next part -------------- A non-text attachment was scrubbed... Name: GTS001.pem Type: application/octet-stream Size: 631 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: OSM_ROOT.pem Type: application/octet-stream Size: 652 bytes Desc: not available URL: From bbrumley at gmail.com Tue Feb 3 10:16:06 2015 From: bbrumley at gmail.com (Billy Brumley) Date: Tue, 3 Feb 2015 12:16:06 +0200 Subject: [openssl-users] "openssl dgst" computes wrong HMAC? In-Reply-To: <54D08E22.9090904@gmx.de> References: <54D08E22.9090904@gmx.de> Message-ID: > $ echo -n foobar | openssl dgst -sha256 -hex -hmac aabbcc > (stdin)= 6e74cdc3b72b8b66535b914357c7d656a22acbb1700b4e6de688fd5c091d305c This gets posted every once in a while -- google around. Something about the hmac switch not doing what you think it's doing. $ echo -n foobar | openssl dgst -sha256 -mac HMAC -macopt hexkey:aabbcc (stdin)= 985343745ee86b452c7c0b327171829c77e1a022f423d95156b52fa22083db8e BBB From rasjv at yandex.com Tue Feb 3 10:18:20 2015 From: rasjv at yandex.com (Serj) Date: Tue, 03 Feb 2015 13:18:20 +0300 Subject: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY Message-ID: <3904601422958700@web2m.yandex.ru> Hello. I see many functions have prefixes: i2d_ d2i_ b2i_ i2b_ For example: i2d_PublicKey i2d_PrivateKey d2i_PublicKey d2i_PrivateKey b2i_PublicKey b2i_PrivateKey i2b_PublicKey_bio i2b_PrivateKey_bio I think these letters: 'i', 'd', 'b' have some meaning. Can somebody help me to understand what they are mean? And one more question. In accordance to: https://www.openssl.org/docs/crypto/EVP_PKEY_new.html, EVP_PKEY structure is used by OpenSSL to store private keys. But there are above functions which use as parameters pointer to EVP_PKEY structure and as they are named they can work with both public and private keys. So the questions are: 1. can we save to EVP_PKEY structure public key not private? 2. can we save to EVP_PKEY structure public and private keys at once? For example: EVP_PKEY * pkey; pkey = EVP_PKEY_new(); RSA * rsa; rsa = RSA_generate_key(...) EVP_PKEY_assign_RSA(pkey, rsa); What key or keys will be in pkey after that? -- Best Regards, Serj From dfnsonfsduifb at gmx.de Tue Feb 3 11:11:15 2015 From: dfnsonfsduifb at gmx.de (Johannes Bauer) Date: Tue, 03 Feb 2015 12:11:15 +0100 Subject: [openssl-users] "openssl dgst" computes wrong HMAC? In-Reply-To: References: <54D08E22.9090904@gmx.de> Message-ID: <54D0ACD3.3060608@gmx.de> On 03.02.2015 11:16, Billy Brumley wrote: >> $ echo -n foobar | openssl dgst -sha256 -hex -hmac aabbcc >> (stdin)= 6e74cdc3b72b8b66535b914357c7d656a22acbb1700b4e6de688fd5c091d305c > > This gets posted every once in a while -- google around. Something > about the hmac switch not doing what you think it's doing. > > $ echo -n foobar | openssl dgst -sha256 -mac HMAC -macopt hexkey:aabbcc > (stdin)= 985343745ee86b452c7c0b327171829c77e1a022f423d95156b52fa22083db8e Ah, interesting. I did google the issue, but only found post of people who didn't realize that echo without "-n" appends a newline. If this topic really comes up every now and then, I'd still suggest updating the help page to clarify while remaining identical behavior. Currently it reads "-hmac arg set the HMAC key to arg". I would suggest "-hmac str set the HMAC key to the string str". Regards, Johannes From rasjv at yandex.com Tue Feb 3 11:21:54 2015 From: rasjv at yandex.com (Serj) Date: Tue, 03 Feb 2015 14:21:54 +0300 Subject: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY In-Reply-To: <3904601422958700@web2m.yandex.ru> References: <3904601422958700@web2m.yandex.ru> Message-ID: <16531331422962514@web1o.yandex.ru> An HTML attachment was scrubbed... URL: From steve at openssl.org Tue Feb 3 12:41:12 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Tue, 3 Feb 2015 12:41:12 +0000 Subject: [openssl-users] Certificate verification fails with latest commits (ECDSA) In-Reply-To: References: Message-ID: <20150203124112.GA21538@openssl.org> On Tue, Feb 03, 2015, jan.weil at ptb.de wrote: > > This check fails for some of our certificates and the reason is that > openssl adds a padding byte for BIGNUMs in crypto/asn1/x_bignum.c if the > MSB is set. Our encoding does not contain these padding bytes and, > consequently, the re-encoded version of our certificate signature is two > bytes longer than before which results in an error. > > RFC3279 defines > > Ecdsa-Sig-Value ::= SEQUENCE { > r INTEGER, > s INTEGER } > > I've looked up the DER encoding rules for INTEGER here > > http://www.itu.int/rec/T-REC-X.690-200811-I > > and I can't find any evidence that this padding byte is mandatory. See > below for the relevant paragraph. > The MSB is effectively a sign bit but the explanation in the standard isn't very clear. If you take your example of GTS001.pem and do: openssl asn1parse -in GTS001.pem -strparse 367 -out sig.der It will parse out the Ecdsa-Sig-Value field and you get: 0:d=0 hl=2 l= 52 cons: SEQUENCE 2:d=1 hl=2 l= 24 prim: INTEGER :-0739E1C1762E2E3E1D4480425633EA0BB669CE784DC3ACCB 28:d=1 hl=2 l= 24 prim: INTEGER :-332658917A3B05831D91176C0512CF91C617819E1A7CF14B Note the two - signs. Just to show it isn't just OpenSSL: if you use dumpasn1 on the output (sig.der) you get: 0 52: SEQUENCE { 2 24: INTEGER : F8 C6 1E 3E 89 D1 D1 C1 E2 BB 7F BD A9 CC 15 F4 : 49 96 31 87 B2 3C 53 35 : Error: Integer has a negative value. 28 24: INTEGER : CC D9 A7 6E 85 C4 FA 7C E2 6E E8 93 FA ED 30 6E : 39 E8 7E 61 E5 83 0E B5 : Error: Integer has a negative value. : } >From your quote: > The value of the > two's complement binary number is obtained by > summing the numerical values assigned to each bit for those bits which are > set to one, excluding bit 8 of the first octet, and then > reducing this value by the numerical value assigned to bit 8 of the first > octet if that bit is set to one. > What this is saying is that if the MSB is one you subtract that value from the result. For example 0x80 without the MSB represents '0' the MSB represents 0x80 and you subtract that resulting in -0x80. That's why you need the 0 padding byte prepended if the MSB is one. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From Andre.Wendel at bmw.de Tue Feb 3 12:32:13 2015 From: Andre.Wendel at bmw.de (Andre.Wendel at bmw.de) Date: Tue, 3 Feb 2015 12:32:13 +0000 Subject: [openssl-users] Support of HMAC-Based ciphersuites (RFC6367) in openssl 1.0.1l Message-ID: <08BE65B36BBC1B4E907E2015603B0DF30B55B4@smucm55b> Hello everybody, today i tried to rework the cipher suites of my system and I wanted to integrate the Camellia HMAC-Based ciphersuites from RFC6367, extending TLS v1.2. I tried to find out, which ciphers are supported within the newest openssl version 1.0.1l, but openssl did not have any ciphers of the RFC included, because ./openssl ciphers -v 'CAMELLIA' did only print the following ciphers for SSLv3 DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1 ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1 CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1 ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1 CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 Is there a special compiler option needed to enable the HMAC ciphersuites, or did I missed to do any configuration? Thanks & Best regards, Andr? -------------- next part -------------- An HTML attachment was scrubbed... URL: From Michael.Wojcik at microfocus.com Tue Feb 3 13:03:34 2015 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Tue, 3 Feb 2015 13:03:34 +0000 Subject: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY In-Reply-To: <16531331422962514@web1o.yandex.ru> References: <3904601422958700@web2m.yandex.ru> <16531331422962514@web1o.yandex.ru> Message-ID: "i" is an abbreviation for "internal", meaning OpenSSL's internal format. "2" means "to". "d" means "DER". "b" means "blob", and refers to a "key blob" format used by Microsoft. (That's based on the OpenSSL source code; I haven't looked into the actual provenance of this blob format.) It appears the key blob format typically uses the "PVK" file extension. Lots of things in OpenSSL aren't documented. It's not strange at all - programmers tend to write code first, documentation second (or later). This is true of a great many open-source projects, and many commercial ones as well. If you want something documented, your best bet is to research it in the code and write the documentation yourself. Regarding your second question: EVP_KEY is defined in evp.h, where we see it contains a pointer to one of the specific key types, such as rsa_st. rsa_st is defined in rsa.h, and if we look there we see that it contains all the RSA parameters, so it implicitly contains both the public and private key. Michael Wojcik Technology Specialist, Micro Focus From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Serj Sent: Tuesday, February 03, 2015 06:22 To: openssl-users at openssl.org Subject: Re: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY I have found some info and now some questions more clear for me. But still have 2 questions... i2d_ functions write the DER representation of the object into a buffer. d2i_ functions read the DER representation of the object from a buffer and creates the appropriate object in memory. 1. What is b2i_ and i2b_ functions? EVP_PKEY structure can hold public or private key. It's strangely why there is no this info in the official documentation on www.openssl.org 2. Can EVP_PKEY structure hold both private and public keys at once? I have some example of code and there is a use of EVP_PKEY in this manner, that's why I am asking. 03.02.2015, 13:21, "Serj" >: > Hello. > > I see many functions have prefixes: i2d_ d2i_ b2i_ i2b_ > > For example: > i2d_PublicKey > i2d_PrivateKey > > d2i_PublicKey > d2i_PrivateKey > > b2i_PublicKey > b2i_PrivateKey > > i2b_PublicKey_bio > i2b_PrivateKey_bio > > I think these letters: 'i', 'd', 'b' have some meaning. Can somebody help me to understand what they are mean? > > And one more question. > In accordance to: https://www.openssl.org/docs/crypto/EVP_PKEY_new.html, EVP_PKEY structure is used by OpenSSL to store private keys. But there are above functions which use as parameters pointer to EVP_PKEY structure and as they are named they can work with both public and private keys. So the questions are: > 1. can we save to EVP_PKEY structure public key not private? > 2. can we save to EVP_PKEY structure public and private keys at once? > > For example: > EVP_PKEY * pkey; > pkey = EVP_PKEY_new(); > RSA * rsa; > rsa = RSA_generate_key(...) > EVP_PKEY_assign_RSA(pkey, rsa); > > What key or keys will be in pkey after that? -- Best Regards, Serj Click here to report this email as spam. This message has been scanned for malware by Websense. www.websense.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From jan.weil at ptb.de Tue Feb 3 14:19:50 2015 From: jan.weil at ptb.de (jan.weil at ptb.de) Date: Tue, 3 Feb 2015 15:19:50 +0100 Subject: [openssl-users] Certificate verification fails with latest commits (ECDSA) In-Reply-To: <20150203124112.GA21538@openssl.org> References: <20150203124112.GA21538@openssl.org> Message-ID: Hi Steve, thanks a lot for your quick response and for the clarification. > Von: "Dr. Stephen Henson" > The MSB is effectively a sign bit but the explanation in the standard isn't > very clear. If you take your example of GTS001.pem and do: > > openssl asn1parse -in GTS001.pem -strparse 367 -out sig.der > > It will parse out the Ecdsa-Sig-Value field and you get: > > 0:d=0 hl=2 l= 52 cons: SEQUENCE > 2:d=1 hl=2 l= 24 prim: INTEGER > :-0739E1C1762E2E3E1D4480425633EA0BB669CE784DC3ACCB > 28:d=1 hl=2 l= 24 prim: INTEGER > :-332658917A3B05831D91176C0512CF91C617819E1A7CF14B > > Note the two - signs. > [...] > What this is saying is that if the MSB is one you subtract that value from > the result. > > For example 0x80 without the MSB represents '0' the MSB represents 0x80 and > you subtract that resulting in -0x80. Well, yes, that's how two's complement works. > That's why you need the 0 padding byte prepended if the MSB is one. The actual problem is that I have totally ignored the mathematics of ECs and it only occured to me when I read your reply that the values of r and s, as far as i understand now, can never be negative. Not so good news for our certificates... Thanks again! Jan Jan Weil Physikalisch-Technische Bundesanstalt Arbeitsgruppe 8.52 Datenkommunikation und -sicherheit Abbestr. 2 - 12 10587 Berlin Telefon: (+49 30) 34 81 - 77 64 Fax: (+49 30) 34 81 - 69 77 64 Email: jan.weil at ptb.de From susumu.sai.2006 at gmail.com Tue Feb 3 15:54:42 2015 From: susumu.sai.2006 at gmail.com (Susumu Sai) Date: Tue, 3 Feb 2015 10:54:42 -0500 Subject: [openssl-users] OpenSSL FIPS Object Module 1.* is vulnerable to CVE-2014-3570? Message-ID: CVE-2014-3570 is fixed in 0.9.8ze. Does the BN_sqr implementation in FIPS Object Module 1.* also need to be fixed? If I run 0.9.8ze on FIPS mode with using FIPS Object Module 1.x, am I vulnerable to the CVE-2014-3570 attacks? -------------- next part -------------- An HTML attachment was scrubbed... URL: From tsutton at cspeed.com Tue Feb 3 17:39:41 2015 From: tsutton at cspeed.com (Sutton, Timothy) Date: Tue, 3 Feb 2015 12:39:41 -0500 Subject: [openssl-users] Windows Embedded Compact 7 OpenSSL Message-ID: I am trying to get OpenSSL to build for Windows Embebbed Compact 7 using Visual Studio 2008. Is there a write up some wheres that I have missed for doing this? I am having troubles finding much of anything in the way of support for doing this. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at openssl.org Tue Feb 3 22:02:31 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 3 Feb 2015 17:02:31 -0500 Subject: [openssl-users] The evolution of the 'master' branch Message-ID: <20150203220231.GA12587@openssl.org> As we've already said, we are moving to making most OpenSSL data structures opaque. We deliberately used a non-specific term. :) As of Matt's commit of the other day, this is starting to happen now. We know this will inconvenience people as some applications no longer build. We want to work with maintainers to help them migrate, as we head down this path. We have a wiki page to discuss this effort. It will eventually include tips on migration, application and code updates, and anything else the community finds useful. Please visit: http://wiki.openssl.org/index.php/1.1_API_Changes Thanks. From rasjv at yandex.com Tue Feb 3 23:07:31 2015 From: rasjv at yandex.com (Serj Rakitov) Date: Wed, 04 Feb 2015 02:07:31 +0300 Subject: [openssl-users] i2d_ d2i_ b2i_ i2b_ functions and EVP_PKEY In-Reply-To: References: <3904601422958700@web2m.yandex.ru> <16531331422962514@web1o.yandex.ru> Message-ID: <27158051423004851@web20m.yandex.ru> An HTML attachment was scrubbed... URL: From rasjv at yandex.com Tue Feb 3 23:12:02 2015 From: rasjv at yandex.com (Serj Rakitov) Date: Wed, 04 Feb 2015 02:12:02 +0300 Subject: [openssl-users] What is the best practise for shutdown SSL connections? In-Reply-To: <20150202150051.GO8034@mournblade.imrryr.org> References: <7145121422822980@web21h.yandex.ru> <20150201204813.GE8034@mournblade.imrryr.org> <17472611422826092@web4m.yandex.ru> <20150201221129.GF8034@mournblade.imrryr.org> <10257621422829962@web28o.yandex.ru> <20150201230646.GH8034@mournblade.imrryr.org> <9843941422858199@web1h.yandex.ru> <20150202150051.GO8034@mournblade.imrryr.org> Message-ID: <27160441423005122@web20m.yandex.ru> An HTML attachment was scrubbed... URL: From dpb795795 at gmail.com Wed Feb 4 08:23:47 2015 From: dpb795795 at gmail.com (Deepak) Date: Wed, 4 Feb 2015 13:53:47 +0530 Subject: [openssl-users] Openssl verify command and c_rehash Message-ID: Hi, Can following behaviour be confirmed as expected? OpenSSL verify test (test_verify) fails Env- c_rehash run using Cygwin. Run c_rehash on /path/to/certs/demo Cmd - openssl verify -CApath ../certs/demo ../certs/demo/*.pem Cause - Symbolic links (from hash.0 to file.pem) created by c_rehash when run with Cygwin could not be read by OpenSSL.exe verify command. Result - Error 20: could read issuer certificate OpenSSL.exe fails to establish certificate chain. Workaround - Modify c_rehash to use MS API 'mklink' Thank You. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dthompson at prinpay.com Wed Feb 4 12:39:15 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Wed, 4 Feb 2015 07:39:15 -0500 Subject: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error In-Reply-To: References: <001801d03f5d$5a54f510$0efedf30$@prinpay.com> Message-ID: <001a01d04077$979c6780$c6d53680$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Monday, February 02, 2015 22:17 > Thanks for responding. Following is the output printed by openssl > ./openssl req -in csr.csr -noout -text > Subject Public Key Info: > Public Key Algorithm: id-ecPublicKey > Public-Key: (256 bit) > pub: > > ASN1 OID: prime256v1 Yes, that is named form. Then I don't know what the problem is. Generic debugging advice, if you haven't tried these already: Does the problem occur with s_client to your server? Does the problem occur with s_client to s_server using the same cert&key, cipherlist (if not default) and same or reasonable tmp-ECDH? Actually, that's a thought. You said your server uses tmp-ECDH callback; does that (always) provide a curve/parameters object that *has* an OID which maps to one of the TLS standard curves in 4492 (and one specified in the client hello but your earlier trace looked like the client specified all). s_server *only* supports named curves (and defaults to p256). From jb-openssl at wisemo.com Wed Feb 4 12:54:42 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 04 Feb 2015 13:54:42 +0100 Subject: [openssl-users] Handle Leaks - shmem-win32.c shmem.c - OpenSSL 1.0.1l In-Reply-To: <001301d038cf$a1dee6f0$e59cb4d0$@sales@OnLine.fr> References: <004e01d037c1$61615950$24240bf0$@sales@OnLine.fr> <663f33f338a983a22e3c6aee5f400219@smtp.hushmail.com> <000601d0388e$e06bff70$a143fe50$@sales@OnLine.fr> <001301d038cf$a1dee6f0$e59cb4d0$@sales@OnLine.fr> Message-ID: <54D21692.7010108@wisemo.com> Following up on this somewhat old thread just to correct some misunderstandings about the nature of the Windows APIs. On 25/01/2015 19:49, Michel SALES wrote: > Hi Avery, > >> In the code I sent over before, I was calling CloseHandle on the thread: >> HANDLE h1=CreateThread(0,0,thread1,0,0,&t1); if(h1==0) { return > 0; } CloseHandle(h1); > > Yes, but you were trying to close the handle of a thread which was still > running ! > I have not checked what happens in this case. Just FYI: On Windows (unlike the fork-like semantics of POSIX pthreads), the handle to a thread is just one of N references to the thread object, another of which is the actual fact of the thread still running. As long as at least one such reference exists, the kernel resources associated with the thread (an ETHREAD structure, the thread identifier etc.) remain in use. The act of waiting for and/or closing the handle has no direct relationship to thread exit. So closing an unwanted thread handle right after thread creation is a normal and correct resource saving coding technique. > I am not sure to fully understand what your are doing now, but with the > modified version I've sent to you, _CrtDumpMemoryLeaks() doesn't report any > problem on my Windows 7 64 bits machine. Note that _Crt functions only check internal state in the per-compiler C runtime, they cannot check for leaks of OS level objects, that requires OS tools, such as those available via Task manager (taskmgr.exe) and the OS level debuggers (WinDbg.exe, GFlags.exe etc.). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From jb-openssl at wisemo.com Wed Feb 4 14:55:58 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 04 Feb 2015 15:55:58 +0100 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> Message-ID: <54D232FE.70705@wisemo.com> On 03/02/2015 06:26, Gayathri Manoj wrote: > Hi Steve, Viktor, > > I have tried with len also, But this also causing seg fault. > my requiremnt is to store max 2048 bit keys. Hence I used length as > 512 +1. > currently i ma getting len value = 28514. > > X509_SIG sig; > X509_ALGOR algor; > ASN1_OCTET_STRING digest; > ASN1_TYPE parameter; > ASN1_item_digest() // to get digest details > sig.algor = &algor; > sig.algor->algorithm=OBJ_nid2obj(NID_md5); There is the problem! FIPS does not allow use of MD5, probably never has. Have you checked if thisreturned NULL to indicate an error finding the MD5 OID? > parameter.type=V_ASN1_NULL; > parameter.value.ptr=NULL; > sig.algor->parameter = ¶meter; > sig.digest = &digest; > sig.digest->data=(unsigned char*)msg; > sig.digest->length=datalen; > len = i2d_X509_SIG(&sig,NULL); Have you checked if this returns a negative value to indicate an error? > > On Mon, Feb 2, 2015 at 9:31 PM, Viktor Dukhovni > > wrote: > > On Mon, Feb 02, 2015 at 07:15:12PM +0530, Gayathri Manoj wrote: > > > unsigned char *ptr, *tmp=NULL; > > X509_SIG sig; > > .... > > How is "sig" initialized? > > > len=i2d_X509_SIG(sig,NULL); > > tmp = (unsigned char*) malloc(513); > > Why 513 and not len? What is the value of len? > > > ptr=tmp; > > i2d_X509_SIG(&sig, &ptr); // here causing problem. > Note to OpenSSL documentation team: The documentation for the OpenSSL X509_SIG data type is circular at best, and refers to PKCS#1 only by name, not by its currently available location (one or more RFCs). Also there are apparently no documented functions using X509_SIG other than to read/write/encode/decode the structure, the closest I could find were some undocumented functions in pkcs12.h . Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From steve at openssl.org Wed Feb 4 15:26:49 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 4 Feb 2015 15:26:49 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> Message-ID: <20150204152649.GA18571@openssl.org> On Tue, Feb 03, 2015, Gayathri Manoj wrote: > Hi Steve, Viktor, > > I have tried with len also, But this also causing seg fault. > my requiremnt is to store max 2048 bit keys. Hence I used length as 512 > +1. > currently i ma getting len value = 28514. > > X509_SIG sig; > X509_ALGOR algor; > ASN1_OCTET_STRING digest; > ASN1_TYPE parameter; > ASN1_item_digest() // to get digest details > sig.algor = &algor; > sig.algor->algorithm=OBJ_nid2obj(NID_md5); > parameter.type=V_ASN1_NULL; > parameter.value.ptr=NULL; > sig.algor->parameter = ¶meter; > sig.digest = &digest; > sig.digest->data=(unsigned char*)msg; > sig.digest->length=datalen; > len = i2d_X509_SIG(&sig,NULL); > You should only use a pointer to an ASN.1 structure and not the actual structure itself because you can end up with various fields taking odd uninitialised values (I suspect the fact you haven't initialised "flags" is at least one problem here. A complete set of accessor functions unfortnately doesn't currently exist for X509_SIG so you have to access some internals. In outline something like this: X509_SIG *sig = X509_SIG_new(); X509_ALGOR_set0(sig->algor, OBJ_nid2obj(nid), V_ASN1_NULL, NULL); ASN1_STRING_set(sig->digest, digest, digestlen); Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From jb-openssl at wisemo.com Wed Feb 4 15:27:28 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 04 Feb 2015 16:27:28 +0100 Subject: [openssl-users] Certificate verification fails with latest commits (ECDSA) In-Reply-To: <20150203124112.GA21538@openssl.org> References: <20150203124112.GA21538@openssl.org> Message-ID: <54D23A60.7090902@wisemo.com> Summary of thread so far: The latest security update enforces that any inherently unsigned BIGNUM must be encoded as a non- negative DER INTEGER (which has a leading 0 byte if the most significant bit of the first byte would otherwise be set). It is a well known historic bug that some other ASN.1 libraries incorrectly treat the DER/BER INTEGER type as unsigned when encoding and decoding inherently unsigned numbers, and that such libraries will thus accept the correct encoding (leading 0 byte) as a non-canonical BER encoding (and thankfully forget to normalize it to the wrong form), while producing an incorrect encoding without the leading 0 byte. Historically, OpenSSL (and probably some other ASN.1 libraries too) have intentionally tolerated this specific incorrect encoding, but the new security update now consistently rejects it. Would it reintroduce the related security issue to explicitly tolerate the alternative encoding, perhaps by allowing the EC code to accept negative numbers as their unsigned encoding equivalents, while preserving the signed form when round-tripping BER to BN to DER. (This of cause would still fail if the most significant 9 bits were all 1, e.g. 0xFF8...., but that would still be 256 times rarer). I am assuming without checking, that i2d_ASN1_INTEGER already handles negative values. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From jb-openssl at wisemo.com Wed Feb 4 15:48:18 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 04 Feb 2015 16:48:18 +0100 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <20150203220231.GA12587@openssl.org> References: <20150203220231.GA12587@openssl.org> Message-ID: <54D23F42.3060203@wisemo.com> On 03/02/2015 23:02, Rich Salz wrote: > As we've already said, we are moving to making most OpenSSL data > structures opaque. We deliberately used a non-specific term. :) > As of Matt's commit of the other day, this is starting to happen > now. We know this will inconvenience people as some applications > no longer build. We want to work with maintainers to help them > migrate, as we head down this path. > > We have a wiki page to discuss this effort. It will eventually include > tips on migration, application and code updates, and anything else the > community finds useful. Please visit: > > http://wiki.openssl.org/index.php/1.1_API_Changes > > Thanks. > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users Not much on that page so far, not even a "kill list" of intended victims except anadmission that EAY's popular DES library can no longer be accessed via the copyin OpenSSL. I fear that this is an indication that you will be killing off all the othernon-EVP entrypoints in libcrypto, making it much harder to use thelibrary with experimental or non-standard algorithms and methods. Just consider how hard it would now be to use libcrypto to implement stuff like AES-GCM (if it was not already in the library) or any of the block modes that were proposed in the FIPS process, but not standardised by NIST (and thus not included in EVP). With the classic non-EVP API, it is trivial to wrap a custom mode around the basic DES/AES/IDEA/... block functions. And this is just one example of the flexibility provided by not going through the more rigid EVP API. Should everyone not doing just TLS1.2 move to a different librarynow, such as crypto++ ? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: From pbellino at mrv.com Wed Feb 4 18:34:12 2015 From: pbellino at mrv.com (Philip Bellino) Date: Wed, 4 Feb 2015 18:34:12 +0000 Subject: [openssl-users] make depend error in openssl-1.0.2/crypto Message-ID: Hello, We built OpenSSL-1.0.1j (and OpenSSL-fips-2.0.7) within my PowerPC-target build environment and have been using it successfully. We now have upgraded to use OpenSSL-1.0.2 (and OpenSSL-fips-2.0.9). It cannot successfully build because of the following error (which occurs identically 16 times) from within the crypto directory: making depend in crypto... make[3]: Entering directory `openssl-1.0.2/crypto' :16:10: ISO C requires whitespace after the macro name Was there something that changed between 1.0.1j and 1.0.2 that might cause this? If not, can you shed any light on why it is happening? Thanks, Phil [E-Banner] The contents of this message, together with any attachments, are intended only for the use of the person(s) to whom they are addressed and may contain confidential and/or privileged information. If you are not the intended recipient, immediately advise the sender, delete this message and any attachments and note that any distribution, or copying of this message, or any attachment, is prohibited. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Wed Feb 4 23:42:15 2015 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 4 Feb 2015 23:42:15 +0000 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <54D23F42.3060203@wisemo.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> Message-ID: <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> >Not much on that page so far, not even a "kill list" of >intended victims except an admission that EAY's popular DES >library can no longer be accessed via the copy in OpenSSL. Yup. Pretty empty. Over the coming year there will be more. >I fear that this is an indication that you will be killing >off all the other non-EVP entrypoints in libcrypto Yes there is a good chance of that happening. >, making > it much harder to use the library with experimental or > non-standard algorithms and methods. Well, not really much harder. I think that what DOES get harder is binary distributions of such things, as opposed to custom OpenSSL builds that have these new features. Don't forget, *you have the source* Hack away. Do what you want. And having a standard API that any of your consumers use will benefit your consumers greatly. And by making things like the EVP structure hidden from your consumers, then you can add a new experimental crypto mechanism and -- this is an important major benefit: THEIR CODE DOES NOT HAVE TO RECOMPILE. As an implementor, your work is a bit harder. For your users, it is much easier. Imagine being able to put an OID in a config file and applications can almost transparently use any crypto available without change. (Emphasis on ALMOST :) To us, this is clearly the right trade-off to make. > Should everyone not doing just TLS1.2 move to a different library now, such as crypto++ ? Use whatever works best for you, and your consumers/customers. Not everyone will agree with this direction. Some people will be inconvenienced and maybe even completely drop using OpenSSL. We discussed this pretty thoroughly, and while we respect that some may disagree, please give us credit for not doing this arbitrarily, or on a whim. /r$ From oyljerry at gmail.com Thu Feb 5 02:54:04 2015 From: oyljerry at gmail.com (Jerry OELoo) Date: Thu, 5 Feb 2015 10:54:04 +0800 Subject: [openssl-users] How to load local certificate folder on windows Message-ID: Hi All: I am using openssl 1.0.2 on windows 7 OS. I have put some root certificate files into a folder certs. when I using X509_STORE_load_locations() to load this folder into store, it returns 1 means success, but when I using X509_verify_cert(), it will return 0, and error shows 19(self signed certificate in certificate chain). It seems my local root certificates files is not checked by openssl, So what should I do to add certs folder? -- Rejoice,I Desire! From gayathri.annur at gmail.com Thu Feb 5 08:43:18 2015 From: gayathri.annur at gmail.com (Gayathri Manoj) Date: Thu, 5 Feb 2015 14:13:18 +0530 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: <20150204152649.GA18571@openssl.org> References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> <20150204152649.GA18571@openssl.org> Message-ID: Hi All, Tried with above method and its not worked. Please let me know is it possible to use NID_md5WithRSAEncryption, NID_md5 in fips mode. Thanks, Gayathri On Wed, Feb 4, 2015 at 8:56 PM, Dr. Stephen Henson wrote: > On Tue, Feb 03, 2015, Gayathri Manoj wrote: > > > Hi Steve, Viktor, > > > > I have tried with len also, But this also causing seg fault. > > my requiremnt is to store max 2048 bit keys. Hence I used length as > 512 > > +1. > > currently i ma getting len value = 28514. > > > > X509_SIG sig; > > X509_ALGOR algor; > > ASN1_OCTET_STRING digest; > > ASN1_TYPE parameter; > > ASN1_item_digest() // to get digest details > > sig.algor = &algor; > > sig.algor->algorithm=OBJ_nid2obj(NID_md5); > > parameter.type=V_ASN1_NULL; > > parameter.value.ptr=NULL; > > sig.algor->parameter = ¶meter; > > sig.digest = &digest; > > sig.digest->data=(unsigned char*)msg; > > sig.digest->length=datalen; > > len = i2d_X509_SIG(&sig,NULL); > > > > You should only use a pointer to an ASN.1 structure and not the actual > structure itself because you can end up with various fields taking odd > uninitialised values (I suspect the fact you haven't initialised "flags" is > at least one problem here. A complete set of accessor functions > unfortnately > doesn't currently exist for X509_SIG so you have to access some internals. > > In outline something like this: > > X509_SIG *sig = X509_SIG_new(); > X509_ALGOR_set0(sig->algor, OBJ_nid2obj(nid), V_ASN1_NULL, NULL); > ASN1_STRING_set(sig->digest, digest, digestlen); > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve at openssl.org Thu Feb 5 12:47:10 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 5 Feb 2015 12:47:10 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> <20150204152649.GA18571@openssl.org> Message-ID: <20150205124710.GA9735@openssl.org> On Thu, Feb 05, 2015, Gayathri Manoj wrote: > Hi All, > > Tried with above method and its not worked. Please let me know is it > possible to use NID_md5WithRSAEncryption, NID_md5 in fips mode. > You can use the OID and encode structures using it: the ASN.1 code is not part of the FIPS module. You can't use the signing or digest algorithm (at least by default) as that is blocked in FIPS mode. But you'd get an error message and not a crash. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From srirrao at gmail.com Thu Feb 5 13:30:27 2015 From: srirrao at gmail.com (Srinivas Rao) Date: Thu, 5 Feb 2015 19:00:27 +0530 Subject: [openssl-users] using openssl to create PKCS#7/CMS on windows Message-ID: Hi All, Is there a way to use openssl to sign data using a private key (on USB token) and produce PKCS7 output on win32, if: a) the data to be signed message is not touched yet and goes as input to the solution to the answer to this problem, OR b) signature is already generated, i.e message is hashed and signed and only needs to be encoded in PKCS7, If yes, for which of the above case and how (please give some pointers on how to go about it). Thanks Srinivas On 1/30/15, Srinivas Rao wrote: > All, > > Please let me know if my below mentioned usage of PKCS7_sign()+adding > signer info is wrong and how. > > Really appreciate your response. > > cheers and regards > Srinivas > > On 1/29/15, Srinivas Rao wrote: >> OpenSSL experts, >> >> Here the intention is to get the signed data (raw signature obtained >> by PKCS11 APIs like C_Sign) to be packed in PKCS7 format (attached - >> with certificate, content and signer info) using openssl. >> >> I am using USB token (smart card) for signing. >> >> Here's the code snippet. >> >> PKCS7* p7 = PKCS7_new(); >> PKCS7_set_type(p7, NID_pkcs7_signed); >> //PKCS7_SIGNER_INFO* pSI = PKCS7_SIGNER_INFO_new(); >> //PKCS7_SIGNER_INFO_set(pSI, pX509, pX509->cert_info->key->pkey, >> EVP_sha256()); >> //PKCS7_add_signer(p7, pSI); >> PKCS7_SIGNER_INFO* pSI = PKCS7_add_signature(p7, pX509, >> pX509->cert_info->key->pkey, EVP_sha256()); // <== core dumps here >> : >> : >> where pX509 is correctly obtained X509* node using d2i_X509() from the >> value obtained from PKCS11 funcstions like C_GetAttributeValue() etc. >> >> I believe the set of the commented lines is the alternate way for this >> add signature function - that also dumps core at >> PKCS7_SIGNER_INFO_set() function. >> >> I have no clue as to what am I doing wrong here. >> >> Appreciate your help. >> >> regards >> Srinivas From steve at openssl.org Thu Feb 5 13:51:55 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 5 Feb 2015 13:51:55 +0000 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> <20150204152649.GA18571@openssl.org> Message-ID: <20150205135155.GA14940@openssl.org> On Thu, Feb 05, 2015, Gayathri Manoj wrote: > > Tried with above method and its not worked. Please let me know is it > possible to use NID_md5WithRSAEncryption, NID_md5 in fips mode. > I threw together a quick test program and it has no problems for me. Let me know if it doesn't work for you. #include #include #include main() { int len; unsigned char *der = NULL; BIO *out; X509_SIG *sig = X509_SIG_new(); FIPS_mode_set(1); printf("Fips mode is %d\n", FIPS_mode()); X509_ALGOR_set0(sig->algor, OBJ_nid2obj(NID_md5), V_ASN1_NULL, NULL); ASN1_STRING_set(sig->digest, "Hello World", -1); len = i2d_X509_SIG(sig, &der); out = BIO_new_fp(stdout, BIO_NOCLOSE); ASN1_parse(out, der, len, 0); } Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From florencej at us.panasonic.com Thu Feb 5 18:31:05 2015 From: florencej at us.panasonic.com (Florence, Jacques) Date: Thu, 5 Feb 2015 18:31:05 +0000 Subject: [openssl-users] Parameters for using ECDHE and ECDSA Message-ID: Hello, I am trying to use ECDHE and ECDSA on a simple openSSL application. Here are the steps I did relevant to the problem at hand: I generated the key and certificate with ECDSA. Then I load the cert and the key with SSL_CTX_use_PrivateKeyFile I select the ciphers: SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-AES128-GCM-SHA256"); But when I try to connect, the server tells me no shared cipher. I don't know where this comes from. I am using TLSv1_2_method(). Do I need to load some parameters like with PEM_read_bio_DHparams and SSL_CTX_set_tmp_dh ? There is not much documentation on openSSL ECC Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Thu Feb 5 19:31:09 2015 From: matt at openssl.org (Matt Caswell) Date: Thu, 05 Feb 2015 19:31:09 +0000 Subject: [openssl-users] Parameters for using ECDHE and ECDSA In-Reply-To: References: Message-ID: <54D3C4FD.7080402@openssl.org> On 05/02/15 18:31, Florence, Jacques wrote: > Hello, > > I am trying to use ECDHE and ECDSA on a simple openSSL application. > > Here are the steps I did relevant to the problem at hand: > > I generated the key and certificate with ECDSA. > > Then I load the cert and the key with SSL_CTX_use_PrivateKeyFile > > I select the ciphers: SSL_CTX_set_cipher_list(ctx, > ?ECDHE-ECDSA-AES128-GCM-SHA256?); > > > > But when I try to connect, the server tells me no shared cipher. > > I don?t know where this comes from. I am using TLSv1_2_method(). > > Do I need to load some parameters like with PEM_read_bio_DHparams and > SSL_CTX_set_tmp_dh ? Yes. If you are using OpenSSL 1.0.2 you can use: SSL_CTX_set_ecdh_auto The above will automatically select a suitable ECDH curve to use. Otherwise you can set a curve explicitly using: SSL_CTX_set_tmp_ecdh Matt From florencej at us.panasonic.com Thu Feb 5 23:15:50 2015 From: florencej at us.panasonic.com (Florence, Jacques) Date: Thu, 5 Feb 2015 23:15:50 +0000 Subject: [openssl-users] Parameters for using ECDHE and ECDSA In-Reply-To: <54D3C4FD.7080402@openssl.org> References: <54D3C4FD.7080402@openssl.org> Message-ID: Thanks, I found it! -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matt Caswell Sent: Thursday, February 05, 2015 2:31 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Parameters for using ECDHE and ECDSA On 05/02/15 18:31, Florence, Jacques wrote: > Hello, > > I am trying to use ECDHE and ECDSA on a simple openSSL application. > > Here are the steps I did relevant to the problem at hand: > > I generated the key and certificate with ECDSA. > > Then I load the cert and the key with SSL_CTX_use_PrivateKeyFile > > I select the ciphers: SSL_CTX_set_cipher_list(ctx, > "ECDHE-ECDSA-AES128-GCM-SHA256"); > > > > But when I try to connect, the server tells me no shared cipher. > > I don't know where this comes from. I am using TLSv1_2_method(). > > Do I need to load some parameters like with PEM_read_bio_DHparams and > SSL_CTX_set_tmp_dh ? Yes. If you are using OpenSSL 1.0.2 you can use: SSL_CTX_set_ecdh_auto The above will automatically select a suitable ECDH curve to use. Otherwise you can set a curve explicitly using: SSL_CTX_set_tmp_ecdh Matt _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From florencej at us.panasonic.com Thu Feb 5 23:21:14 2015 From: florencej at us.panasonic.com (Florence, Jacques) Date: Thu, 5 Feb 2015 23:21:14 +0000 Subject: [openssl-users] custom name attributes not sent with certificate Message-ID: I created a client certificate with custom name attributes: In the openssl.cnf file, I addedunder section [ new_oids ] the line: myattribute=1.2.3.4 And under [ req_distinguished_name ] I added the line: myattribute = hello If I use the openssl tool x509, I see that my new attribute appears in the name, after the email address. However, when the certificate is sent to the server, the server cannot read this attribute. I used wireshark and saw that my custome attribute is not sent with the rest of the name. Why is that ? Thanks Jacques -------------- next part -------------- An HTML attachment was scrubbed... URL: From gayathri.annur at gmail.com Fri Feb 6 09:46:28 2015 From: gayathri.annur at gmail.com (Gayathri Manoj) Date: Fri, 6 Feb 2015 15:16:28 +0530 Subject: [openssl-users] i2d_X509_SIG() in FIPS mode In-Reply-To: <20150205135155.GA14940@openssl.org> References:

<20150202130858.GA14363@openssl.org> <20150202160149.GT8034@mournblade.imrryr.org> <20150204152649.GA18571@openssl.org> <20150205135155.GA14940@openssl.org> Message-ID: Thanks Steve for looking into this. Earlier I have tested the same way and no values came in der. Finally i find out the crash reason. For getting digest we have used ASN1_item_digest() and in this we have passed digest type as EVP_MD5() which is not allowed in fips and its not thrown any error. And got return value of this api as SUCCESS. Later i changed this to EVP_sha1() and able to get the value in i2d_X509_SIG(). Thanks, Gayathri On Thu, Feb 5, 2015 at 7:21 PM, Dr. Stephen Henson wrote: > On Thu, Feb 05, 2015, Gayathri Manoj wrote: > > > > > Tried with above method and its not worked. Please let me know is it > > possible to use NID_md5WithRSAEncryption, NID_md5 in fips mode. > > > > I threw together a quick test program and it has no problems for me. Let > me know if it doesn't work for you. > > #include > #include > #include > > main() > { > int len; > unsigned char *der = NULL; > BIO *out; > X509_SIG *sig = X509_SIG_new(); > FIPS_mode_set(1); > printf("Fips mode is %d\n", FIPS_mode()); > X509_ALGOR_set0(sig->algor, OBJ_nid2obj(NID_md5), V_ASN1_NULL, NULL); > ASN1_STRING_set(sig->digest, "Hello World", -1); > len = i2d_X509_SIG(sig, &der); > out = BIO_new_fp(stdout, BIO_NOCLOSE); > ASN1_parse(out, der, len, 0); > } > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Neil.Martin at ncr.com Fri Feb 6 10:08:35 2015 From: Neil.Martin at ncr.com (Martin, Neil) Date: Fri, 6 Feb 2015 05:08:35 -0500 Subject: [openssl-users] Is it possible to add eContent to a signedData which has no signers Message-ID: <58C1450995691B499FF4E7092826DB3026D1562102@susday214.corp.ncr.com> Hi, I'd like to know if it is possible to add eContent to a signedData which has no signers? The ANS X9 TR34 technical report defines a rebind token as having the following structure. SignedData (inner content): There are no digestAlgorithms included. The EncapsulatedContentInfo eContentType is id-data. The EncapsulatedContentInfo eContent includes an identifier as an issuerAndSerialNumber field. 1 Certificate is included in the certificates field. The CRL field is omitted. There are no signers on the content. SignedData (outer content): The digestAlgorithms field specifies id- sha256 : '2.16.840.1.101.3.4.2.1'. The EncapsulatedContentInfo eContentType is id-signedData. The certificates field is omitted. 1 is included in the crl field. IssuerAndSerialNumber is chosen for SignerInfo SignerIdentifier. The current certificate owner identifier is included in the SignerInfos issuerAndSerialNumber field. The SignerInfo digestAlgorithm field specifies id- sha256 : '2.16.840.1.101.3.4.2.1'. The random number, is included as random nonce authenticated attribute within SignerInfo SignedAttributes. The signatureAlgorithm is specified as id-sha256WithrsaEncryption '1.2.840.113549.1.1.11' The unsignedAttrs field is omitted. My problem is I can't include the eContent in the inner content. In the following code, CMS_final for the inner content fails. void CreateRebindToken(X509* deviceCertificate, X509* currentCertificate, EVP_PKEY* currentPrivateKey, X509* newCertificate, X509_CRL* crl, LPCSTR tokenFile) { int rc = 0; // Prepare the inner content CMS_ContentInfo* cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL); rc = CMS_add1_cert(cms, newCertificate); BIO* eContentBio = BIO_new(BIO_s_mem()); CreateIssuerAndSerialNumberSequence(deviceCertificate, eContentBio); // This fails, presumably because no signer has been added. // How can eContent be added to a SignedData structure with no signers? rc = CMS_final(cms, eContentBio, NULL, CMS_NOATTR | SMIME_BINARY); rc = BIO_free(eContentBio); eContentBio = NULL; // Cache the inner content cms in DER format then free the cms eContentBio = BIO_new(BIO_s_mem()); rc = i2d_CMS_bio(eContentBio, cms); CMS_ContentInfo_free(cms); cms = NULL; // prepare the outer content cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL); rc = CMS_add1_crl(cms, crl); CMS_SignerInfo* si = CMS_add1_signer(cms, currentCertificate, currentPrivateKey, EVP_sha256(), CMS_NOATTR | CMS_NOCERTS); rc = CMS_final(cms, eContentBio, NULL, SMIME_BINARY); BIO_free(eContentBio); eContentBio = NULL; // Write to file BIO* bio = BIO_new_file(tokenFile, "wb"); rc = i2d_CMS_bio(bio, cms); // Cleanup rc = BIO_free(bio); bio = NULL; CMS_ContentInfo_free(cms); cms = NULL; } Thanks, Neil From jb-openssl at wisemo.com Fri Feb 6 14:15:29 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Fri, 06 Feb 2015 15:15:29 +0100 Subject: [openssl-users] custom name attributes not sent with certificate In-Reply-To: References: Message-ID: <54D4CC81.3010002@wisemo.com> On 06/02/2015 00:21, Florence, Jacques wrote: > > I created a client certificate with custom name attributes: > > In the openssl.cnf file, I addedunder section [ new_oids ] the line: > myattribute=1.2.3.4 > > And under [ req_distinguished_name ] I added the line: myattribute = hello > > If I use the openssl tool x509, I see that my new attribute appears in > the name, after the email address. > > However, when the certificate is sent to the server, the server cannot > read this attribute. > > I used wireshark and saw that my custome attribute is not sent with > the rest of the name. > > Why is that ? > > Are you sure this is what is really happening? If any byte in the signed part of the certificate (and this most certainly includes the name) is changed, the certificate should completely fail to verify. So are you sure the name isn't sent? Maybe it is just the utility you use to display the sent certificate which fails to display unknown name components. P.S. I presume that for any real use, you would use an officially allocated OID to avoid clashing with what other people use. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From florencej at us.panasonic.com Fri Feb 6 14:37:52 2015 From: florencej at us.panasonic.com (Florence, Jacques) Date: Fri, 6 Feb 2015 14:37:52 +0000 Subject: [openssl-users] custom name attributes not sent with certificate In-Reply-To: <54D4CC81.3010002@wisemo.com> References: <54D4CC81.3010002@wisemo.com> Message-ID: Jakob, Thanks for the reply. You're right, the cert shouldn't verify if it's changed. However, using wireshark, I can see the other parts of the name being sent in clear ascii, but not that custom attribute. Assuming it's encoded in some format. Once the server receives the cert, it is not able to acces this attribute: Using X509_NAME_print_ex_fp(...) I don't see that attribute. Also, if I create an ASN1_OBJECT using OBJ_create() (with the OID and name I assigned in the cnf file) then OBJ_nid2obj(), and then use X509_NAME_get_entry and X509_NAME_ENTRY_get_object, I can display the standard fields, but not my attribute -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm Sent: Friday, February 06, 2015 9:15 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] custom name attributes not sent with certificate On 06/02/2015 00:21, Florence, Jacques wrote: > > I created a client certificate with custom name attributes: > > In the openssl.cnf file, I addedunder section [ new_oids ] the line: > myattribute=1.2.3.4 > > And under [ req_distinguished_name ] I added the line: myattribute = > hello > > If I use the openssl tool x509, I see that my new attribute appears in > the name, after the email address. > > However, when the certificate is sent to the server, the server cannot > read this attribute. > > I used wireshark and saw that my custome attribute is not sent with > the rest of the name. > > Why is that ? > > Are you sure this is what is really happening? If any byte in the signed part of the certificate (and this most certainly includes the name) is changed, the certificate should completely fail to verify. So are you sure the name isn't sent? Maybe it is just the utility you use to display the sent certificate which fails to display unknown name components. P.S. I presume that for any real use, you would use an officially allocated OID to avoid clashing with what other people use. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From jb-openssl at wisemo.com Fri Feb 6 14:38:48 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Fri, 06 Feb 2015 15:38:48 +0100 Subject: [openssl-users] using openssl to create PKCS#7/CMS on windows In-Reply-To: References: Message-ID: <54D4D1F8.2000601@wisemo.com> On 05/02/2015 14:30, Srinivas Rao wrote: > Hi All, > > Is there a way to use openssl to sign data using a private key (on USB > token) and produce PKCS7 output on win32, if: > > a) the data to be signed message is not touched yet and goes as input > to the solution to the answer to this problem, OR > > b) signature is already generated, i.e message is hashed and signed > and only needs to be encoded in PKCS7, > > If yes, for which of the above case and how (please give some pointers > on how to go about it). > > Thanks > Srinivas Are you trying to get us to help with a school assignment? This looks a lot like how a teacher would ask a question to his students to find out how much they have understood themselves. That said, the main pointers I can give you are these: Verylittlein OpenSSL differs between Win32 and other systems. Howeverthere is one part in the question that will usually be slightly different onWin32.If you understand the question and OpenSSL general features, you should be able to recognize which part that is. One of the alternatives is going to be more difficult than the other because it is a less common task, but it may still be doable with some ingenuity. The task (either one if both are doable) can be performed using almost no APIs and interfaces other than those provided by OpenSSL and ANSI C. If you are tempted to use other tools, look closer at the OpenSSL feature lists and available options. In your code below you forgot to use two of the items your teacher gave you, which is probably the problem. > On 1/30/15, Srinivas Rao wrote: >> All, >> >> Please let me know if my below mentioned usage of PKCS7_sign()+adding >> signer info is wrong and how. >> >> Really appreciate your response. >> >> cheers and regards >> Srinivas >> >> On 1/29/15, Srinivas Rao wrote: >>> OpenSSL experts, >>> >>> Here the intention is to get the signed data (raw signature obtained >>> by PKCS11 APIs like C_Sign) to be packed in PKCS7 format (attached - >>> with certificate, content and signer info) using openssl. >>> >>> I am using USB token (smart card) for signing. >>> >>> Here's the code snippet. >>> >>> PKCS7* p7 = PKCS7_new(); >>> PKCS7_set_type(p7, NID_pkcs7_signed); >>> //PKCS7_SIGNER_INFO* pSI = PKCS7_SIGNER_INFO_new(); >>> //PKCS7_SIGNER_INFO_set(pSI, pX509, pX509->cert_info->key->pkey, >>> EVP_sha256()); >>> //PKCS7_add_signer(p7, pSI); >>> PKCS7_SIGNER_INFO* pSI = PKCS7_add_signature(p7, pX509, >>> pX509->cert_info->key->pkey, EVP_sha256()); // <== core dumps here >>> : >>> : >>> where pX509 is correctly obtained X509* node using d2i_X509() from the >>> value obtained from PKCS11 funcstions like C_GetAttributeValue() etc. >>> >>> I believe the set of the commented lines is the alternate way for this >>> add signature function - that also dumps core at >>> PKCS7_SIGNER_INFO_set() function. >>> >>> I have no clue as to what am I doing wrong here. >>> >>> Appreciate your help. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From Neil.Martin at ncr.com Fri Feb 6 10:08:35 2015 From: Neil.Martin at ncr.com (Martin, Neil) Date: Fri, 6 Feb 2015 05:08:35 -0500 Subject: [openssl-users] Is it possible to add eContent to a signedData which has no signers Message-ID: <58C1450995691B499FF4E7092826DB3026D1562102@susday214.corp.ncr.com> Hi, I'd like to know if it is possible to add eContent to a signedData which has no signers? The ANS X9 TR34 technical report defines a rebind token as having the following structure. SignedData (inner content): There are no digestAlgorithms included. The EncapsulatedContentInfo eContentType is id-data. The EncapsulatedContentInfo eContent includes an identifier as an issuerAndSerialNumber field. 1 Certificate is included in the certificates field. The CRL field is omitted. There are no signers on the content. SignedData (outer content): The digestAlgorithms field specifies id- sha256 : '2.16.840.1.101.3.4.2.1'. The EncapsulatedContentInfo eContentType is id-signedData. The certificates field is omitted. 1 is included in the crl field. IssuerAndSerialNumber is chosen for SignerInfo SignerIdentifier. The current certificate owner identifier is included in the SignerInfos issuerAndSerialNumber field. The SignerInfo digestAlgorithm field specifies id- sha256 : '2.16.840.1.101.3.4.2.1'. The random number, is included as random nonce authenticated attribute within SignerInfo SignedAttributes. The signatureAlgorithm is specified as id-sha256WithrsaEncryption '1.2.840.113549.1.1.11' The unsignedAttrs field is omitted. My problem is I can't include the eContent in the inner content. In the following code, CMS_final for the inner content fails. void CreateRebindToken(X509* deviceCertificate, X509* currentCertificate, EVP_PKEY* currentPrivateKey, X509* newCertificate, X509_CRL* crl, LPCSTR tokenFile) { int rc = 0; // Prepare the inner content CMS_ContentInfo* cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL); rc = CMS_add1_cert(cms, newCertificate); BIO* eContentBio = BIO_new(BIO_s_mem()); CreateIssuerAndSerialNumberSequence(deviceCertificate, eContentBio); // This fails, presumably because no signer has been added. // How can eContent be added to a SignedData structure with no signers? rc = CMS_final(cms, eContentBio, NULL, CMS_NOATTR | SMIME_BINARY); rc = BIO_free(eContentBio); eContentBio = NULL; // Cache the inner content cms in DER format then free the cms eContentBio = BIO_new(BIO_s_mem()); rc = i2d_CMS_bio(eContentBio, cms); CMS_ContentInfo_free(cms); cms = NULL; // prepare the outer content cms = CMS_sign(NULL, NULL, NULL, NULL, CMS_PARTIAL); rc = CMS_add1_crl(cms, crl); CMS_SignerInfo* si = CMS_add1_signer(cms, currentCertificate, currentPrivateKey, EVP_sha256(), CMS_NOATTR | CMS_NOCERTS); rc = CMS_final(cms, eContentBio, NULL, SMIME_BINARY); BIO_free(eContentBio); eContentBio = NULL; // Write to file BIO* bio = BIO_new_file(tokenFile, "wb"); rc = i2d_CMS_bio(bio, cms); // Cleanup rc = BIO_free(bio); bio = NULL; CMS_ContentInfo_free(cms); cms = NULL; } Thanks, Neil From florencej at us.panasonic.com Fri Feb 6 15:26:40 2015 From: florencej at us.panasonic.com (Florence, Jacques) Date: Fri, 6 Feb 2015 15:26:40 +0000 Subject: [openssl-users] custom name attributes not sent with certificate References: <54D4CC81.3010002@wisemo.com> Message-ID: My bad. I was using the wrong version of the certificate. Sometimes double checking is not enough. I learned a lesson: Always triple check. Sorry, Jacques -----Original Message----- From: Florence, Jacques Sent: Friday, February 06, 2015 9:38 AM To: 'openssl-users at openssl.org' Subject: RE: [openssl-users] custom name attributes not sent with certificate Jakob, Thanks for the reply. You're right, the cert shouldn't verify if it's changed. However, using wireshark, I can see the other parts of the name being sent in clear ascii, but not that custom attribute. Assuming it's encoded in some format. Once the server receives the cert, it is not able to acces this attribute: Using X509_NAME_print_ex_fp(...) I don't see that attribute. Also, if I create an ASN1_OBJECT using OBJ_create() (with the OID and name I assigned in the cnf file) then OBJ_nid2obj(), and then use X509_NAME_get_entry and X509_NAME_ENTRY_get_object, I can display the standard fields, but not my attribute -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm Sent: Friday, February 06, 2015 9:15 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] custom name attributes not sent with certificate On 06/02/2015 00:21, Florence, Jacques wrote: > > I created a client certificate with custom name attributes: > > In the openssl.cnf file, I addedunder section [ new_oids ] the line: > myattribute=1.2.3.4 > > And under [ req_distinguished_name ] I added the line: myattribute = > hello > > If I use the openssl tool x509, I see that my new attribute appears in > the name, after the email address. > > However, when the certificate is sent to the server, the server cannot > read this attribute. > > I used wireshark and saw that my custome attribute is not sent with > the rest of the name. > > Why is that ? > > Are you sure this is what is really happening? If any byte in the signed part of the certificate (and this most certainly includes the name) is changed, the certificate should completely fail to verify. So are you sure the name isn't sent? Maybe it is just the utility you use to display the sent certificate which fails to display unknown name components. P.S. I presume that for any real use, you would use an officially allocated OID to avoid clashing with what other people use. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From shinrich at ieee.org Fri Feb 6 15:48:36 2015 From: shinrich at ieee.org (Susan Hinrichs) Date: Fri, 06 Feb 2015 09:48:36 -0600 Subject: [openssl-users] Means to update read bio only Message-ID: <54D4E254.2060105@ieee.org> Hello, In Apache Traffic Server we are primarily using SSL_accept and SSL_read/SSL_write with file descriptor bios. But during the handshake, we need to feed in our own packets via read-only buffers. We use the BIO mem_buf to pass along this data without incurring another copy. But on each read during the handshake, we need to reset the read bio. We leave the write bio as the file descriptor bio the whole time. I originally tried to use SSL_set_bio(ssl, new_rbio, SSL_get_wbio(ssl)), but that would adjust the output buffering and the handshake would not complete. So we created a SSL_set_rbio(ssl, new_rbio), that just frees the old rbio and sets the new one. It leaves the wbio and the bbio alone. This has worked well for us for a couple releases, but looking forward to openssl 1.1, we will no longer be able to use this approach. Can someone point me to the preferred way of updating a read bio without affecting the write bio processing? Thanks, Susan From jb-openssl at wisemo.com Fri Feb 6 16:03:31 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Fri, 06 Feb 2015 17:03:31 +0100 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: <54D4E5D3.6090808@wisemo.com> On 05/02/2015 00:42, Salz, Rich wrote: >> Not much on that page so far, not even a "kill list" of >> intended victims except an admission that EAY's popular DES >> library can no longer be accessed via the copy in OpenSSL. > Yup. Pretty empty. Over the coming year there will be more. >> I fear that this is an indication that you will be killing >> off all the other non-EVP entrypoints in libcrypto > Yes there is a good chance of that happening. >> , making >> it much harder to use the library with experimental or >> non-standard algorithms and methods. > Well, not really much harder. I think that what DOES get harder is binary distributions of such things, as opposed to custom OpenSSL builds that have these new features. Don't forget, *you have the source* Hack away. Do what you want. And having a standard API that any of your consumers use will benefit your consumers greatly. And by making things like the EVP structure hidden from your consumers, then you can add a new experimental crypto mechanism and -- this is an important major benefit: THEIR CODE DOES NOT HAVE TO RECOMPILE. As an implementor, your work is a bit harder. For your users, it is much easier. Imagine being able to put an OID in a config file and applications can almost transparently use any crypto available without change. (Emphasis on ALMOST :) To us, this is clearly the right trade-off to make. You seem to misunderstand the scenario: My scenario is: 1. Load an unchanged shared libcrypto.so.1.1 provided by an OS distribution. 2. Implement / use / experiment with non-standard methods (such as new modes of operation or new zero-knowledge proofs) by calling the functions that are exported by libcrypto out of the box. The higher level libssl is not used for anything. Your scenario is: 1. Extend the higher level stuff (TLS1.2, CMS etc.) with non- standard methods (such as new modes of operation or new signature forms). 2. Inject this new functionality into existing applications that use OpenSSL in generic ways, such as wget and WebKit browsers. My scenario got great advantages from the large number of fundamental interfaces exported from libcrypto.so.1.0 and will automatically benefit when a new patch release of OpenSSL is installed on the system (e.g. to fix a timing attack on one of the algorithm implementations). Having to create a custom libnotquitecrypto.so.1.1 would not do this, and distributing such a library as source patches became much harder when you reformatted the source. Looking at the reverse dependencies in Debian, the followingprojects probably use low level libcrypto interfaces to do interesting things: afflib, asterisk, bind, clamav, crda (WiFi), crtmpserver, encfs, ewf-tools, faifa (Ethernet over Power), gfsd, gnugk, gnupg-pkcs11-scd, hfsprogs, hostapd (WiFi), ipppd, KAME IPSEC, OpenBSD IPSEC, ldnsutils, apache mod-auth-cas, apache mod-auth-openid, perl's Crypt::OpenSSL::Bignum, libh323, liblasso, barada, StrongSWAN, unbound, libxmlsec, libzrtpcpp, nsd, opensc, openssh, rdd, rdesktop, rsyncrypto, samdump, tor, tpm-tools, trousers, wpasupplicant (WiFi), yate, zfs-fuse. *This is only a rough list based on features claimed by OpenSSL-depending packages* >> Should everyone not doing just TLS1.2 move to a different library now, such as crypto++ ? > Use whatever works best for you, and your consumers/customers. > > Not everyone will agree with this direction. Some people will be inconvenienced and maybe even completely drop using OpenSSL. We discussed this pretty thoroughly, and while we respect that some may disagree, please give us credit for not doing this arbitrarily, or on a whim. I believe you have made the mistake of discussing only amongst yourselves, thus gradually convincing each other of the righteousness of a flawed decision. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Fri Feb 6 16:16:06 2015 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 6 Feb 2015 16:16:06 +0000 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <54D4E5D3.6090808@wisemo.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> Message-ID: Thanks for your detailed reply. Not sure what else I can say except that we disagree. From dthompson at prinpay.com Fri Feb 6 17:03:50 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Fri, 6 Feb 2015 12:03:50 -0500 Subject: [openssl-users] How to load local certificate folder on windows In-Reply-To: References: Message-ID: <000c01d0422e$e32fe4c0$a98fae40$@prinpay.com> > From: openssl-users On Behalf Of Jerry OELoo > Sent: Wednesday, February 04, 2015 21:54 > I am using openssl 1.0.2 on windows 7 OS. > > I have put some root certificate files into a folder certs. when I > using X509_STORE_load_locations() to load this folder into store, it > returns 1 means success, > but when I using X509_verify_cert(), it will return 0, and error shows > 19(self signed certificate in certificate chain). Nitpick: STORE_load_locations (and CTX_load_verify_locations which uses it) actually loads the contents of a CAfile into memory, but it only stores the *name* of a CApath and *later* dynamically loads files from that directory. Did you use filenames, or possibly* linknames, based on subject hash as described in https://www.openssl.org/docs/apps/verify.html ? * Windows beginning AIR XP or maybe NT does support links on NTFS, but they're not easy to use and not well known, and I think I saw a recent bug report that they don't even work for OpenSSL, at least sometimes. Less likely but possible if these files were prepared on an another system: did you use hashnames created with OpenSSL >1.0.0 or higher I am being required to generate the following type of digital signature: RSASSA-PKCS1-v1_5 I am doing the following: openssl genrsa -aes128 -out private.pem 2048 Can anyone confirm this is correct or point out what I should change? Thanks, Rex -------------- next part -------------- An HTML attachment was scrubbed... URL: From Michael.Wojcik at microfocus.com Fri Feb 6 19:19:22 2015 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Fri, 6 Feb 2015 19:19:22 +0000 Subject: [openssl-users] How to load local certificate folder on windows In-Reply-To: <000c01d0422e$e32fe4c0$a98fae40$@prinpay.com> References: <000c01d0422e$e32fe4c0$a98fae40$@prinpay.com> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Dave Thompson > Sent: Friday, February 06, 2015 12:04 > > * Windows beginning AIR XP or maybe NT does support links on NTFS, > but they're not easy to use and not well known, and I think I saw a recent > bug report that they don't even work for OpenSSL, at least sometimes. In modern versions of Windows, NTFS supports three sorts of link-like objects: file symbolic links, directory symbolic links, and junctions, all of which are types of reparse points. Older versions of NTFS only support junctions. These can be created with the mklink command. Prior to Vista, there was no command in the base OS for this purpose, and you needed something like linkd from the Windows Server Resource Kit to manipulate links. I just did a bit of testing with openssl.exe from OpenSSL 1.0.1k. It appears to work correctly with all three. Windows also supports "shortcuts", but those are a Windows Explorer artifact. They're just files that have a particular extension and particular sort of contents. OpenSSL doesn't support them, but then neither do most programs. Shortcuts were invented for Windows 95 to overcome some of the limitations of the FAT32 filesystem. They're rubbish. And Cygwin provides both hard and symbolic UNIX-style links for NTFS. Hard links can only be to files. I'm not sure how Cygwin implements them, but they seem to work fine with OpenSSL. Cygwin supports multiple implementations of symbolic links; see https://cygwin.com/cygwin-ug-net/using.html#pathnames-symlinks. Default symbolic links are ordinary files recognized by the Cygwin library as special, so they aren't handled by (non-Cygwin) OpenSSL. Shortcut-style symlinks are shortcuts, so per above they do not work. Native symlinks are Windows symlinks and should work fine with OpenSSL. The native implementation can be selected by setting the CYGWIN environment variable appropriately, so (contrary to recent messages on the list) there's no reason to rewrite c_rehash for use on Windows. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com From matt at openssl.org Fri Feb 6 20:59:17 2015 From: matt at openssl.org (Matt Caswell) Date: Fri, 06 Feb 2015 20:59:17 +0000 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <54D4E5D3.6090808@wisemo.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> Message-ID: <54D52B25.7010505@openssl.org> On 06/02/15 16:03, Jakob Bohm wrote: > I believe you have made the mistake of discussing only amongst > yourselves, thus gradually convincing each other of the > righteousness of a flawed decision. ...and, Rich said in a previous email (in response to your comment): >> I fear that this is an indication that you will be killing >> off all the other non-EVP entrypoints in libcrypto > > Yes there is a good chance of that happening. I'd like to stress that there has been no decision. In fact we're not even close to a decision on that at the moment. Whilst this has certainly been discussed I don't believe we are near to a consensus view at the moment. So whilst there is a good chance of that happening....there's also a very good chance of it not. It is still under discussion. Matt From openssl-users at dukhovni.org Fri Feb 6 21:37:17 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 6 Feb 2015 21:37:17 +0000 Subject: [openssl-users] openssl genrsa question In-Reply-To: <71570E7AB2E42D41A10FC97E532B699D0141985921DC@MAILSERVER.KalosInc.local> References: <71570E7AB2E42D41A10FC97E532B699D0141985921DC@MAILSERVER.KalosInc.local> Message-ID: <20150206213717.GY8034@mournblade.imrryr.org> On Fri, Feb 06, 2015 at 01:13:08PM -0600, Rex Bloom wrote: > I am being required to generate the following type of digital signature: > > RSASSA-PKCS1-v1_5 A PKCS#1 v1.5 signature. > I am doing the following: > > openssl genrsa -aes128 -out private.pem 2048 You're generating a private key, that could be used to create PKCS#1 signatures of various objects, or could be used for some other RSA signature scheme. -- Viktor. From matt at openssl.org Fri Feb 6 21:46:32 2015 From: matt at openssl.org (Matt Caswell) Date: Fri, 06 Feb 2015 21:46:32 +0000 Subject: [openssl-users] Means to update read bio only In-Reply-To: <54D4E254.2060105@ieee.org> References: <54D4E254.2060105@ieee.org> Message-ID: <54D53638.7030208@openssl.org> On 06/02/15 15:48, Susan Hinrichs wrote: > Hello, > > In Apache Traffic Server we are primarily using SSL_accept and > SSL_read/SSL_write with file descriptor bios. > > But during the handshake, we need to feed in our own packets via > read-only buffers. We use the BIO mem_buf to pass along this data > without incurring another copy. But on each read during the handshake, > we need to reset the read bio. We leave the write bio as the file > descriptor bio the whole time. > > I originally tried to use SSL_set_bio(ssl, new_rbio, SSL_get_wbio(ssl)), > but that would adjust the output buffering and the handshake would not > complete. > > So we created a SSL_set_rbio(ssl, new_rbio), that just frees the old > rbio and sets the new one. It leaves the wbio and the bbio alone. > > This has worked well for us for a couple releases, but looking forward > to openssl 1.1, we will no longer be able to use this approach. Can > someone point me to the preferred way of updating a read bio without > affecting the write bio processing? Hmmmm... that's a good question. I don't think you can set just the rbio by itself. I wonder if maybe we extended SSL_set_bio, so that you could do this: SSL_set_bio(s, rbio, NULL); I'll look into it. This would be a good item to add to Rich's wiki page. Matt From aixtools at gmail.com Sat Feb 7 11:12:26 2015 From: aixtools at gmail.com (Michael Felt) Date: Sat, 7 Feb 2015 12:12:26 +0100 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <54D52B25.7010505@openssl.org> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> <54D52B25.7010505@openssl.org> Message-ID: >From someone who does NOT understand the in's and out's of what people (developers and users) have been using openSSL for. My first reaction is: have developers been using openSSL, or has it gone to abusing it? For the sake of argument - let's say just use as it has always been intended. Many technologies - especially related to security - whether it be a big log through 'something', to skeleton keys', to digital keys, etc - we want to be able to trust our locks. When the lock technology is no longer trustworthy - whether it be packaging (which is what the discussion sounds like atm) or unrepairable "concerns" with the technology asis - we change our locks. Not everyone changes locks at the same moment in time. urgency depends on need, i.e., what is at risk. I started following these discussions because I am concerned (remember I am not really interested in the inner workings. I just think my locks are broken and wondering if it is time to change to something that maybe "can do less" - but what it does, does it better than what I have now. Regardless of the choices made by openssl - people outside openssl have needs and are looking at alternatives. To someone like me it is obvious something must change - even if technically it is cosmetic - because (open)SSL is losing the trust of it's users. As a user - I need a alternative. And just as I stopped using telnet/ftp/rsh/etc- because I could not entrust the integrity of my systems when those doors were open - so are my concerns re: (open)SSL. In short, is SSL still secure? And, very simply, as an un-knowledgeable user - given the choice of a library that does something well - and that's it, versus something else that does that - but leaves room for 'experiments' - Not on my systems. Experiment in experiment-land. My two bits. On Fri, Feb 6, 2015 at 9:59 PM, Matt Caswell wrote: > > > On 06/02/15 16:03, Jakob Bohm wrote: > > I believe you have made the mistake of discussing only amongst > > yourselves, thus gradually convincing each other of the > > righteousness of a flawed decision. > > > ...and, Rich said in a previous email (in response to your comment): > >> I fear that this is an indication that you will be killing > >> off all the other non-EVP entrypoints in libcrypto > > > > Yes there is a good chance of that happening. > > I'd like to stress that there has been no decision. In fact we're not > even close to a decision on that at the moment. > > Whilst this has certainly been discussed I don't believe we are near to > a consensus view at the moment. So whilst there is a good chance of that > happening....there's also a very good chance of it not. It is still > under discussion. > > Matt > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Sat Feb 7 14:33:40 2015 From: matt at openssl.org (Matt Caswell) Date: Sat, 07 Feb 2015 14:33:40 +0000 Subject: [openssl-users] Means to update read bio only In-Reply-To: <54D53638.7030208@openssl.org> References: <54D4E254.2060105@ieee.org> <54D53638.7030208@openssl.org> Message-ID: <54D62244.1000807@openssl.org> On 06/02/15 21:46, Matt Caswell wrote: > > > On 06/02/15 15:48, Susan Hinrichs wrote: >> Hello, >> >> In Apache Traffic Server we are primarily using SSL_accept and >> SSL_read/SSL_write with file descriptor bios. >> >> But during the handshake, we need to feed in our own packets via >> read-only buffers. We use the BIO mem_buf to pass along this data >> without incurring another copy. But on each read during the handshake, >> we need to reset the read bio. We leave the write bio as the file >> descriptor bio the whole time. >> >> I originally tried to use SSL_set_bio(ssl, new_rbio, SSL_get_wbio(ssl)), >> but that would adjust the output buffering and the handshake would not >> complete. >> >> So we created a SSL_set_rbio(ssl, new_rbio), that just frees the old >> rbio and sets the new one. It leaves the wbio and the bbio alone. >> >> This has worked well for us for a couple releases, but looking forward >> to openssl 1.1, we will no longer be able to use this approach. Can >> someone point me to the preferred way of updating a read bio without >> affecting the write bio processing? > > > Hmmmm... that's a good question. I don't think you can set just the rbio > by itself. > > I wonder if maybe we extended SSL_set_bio, so that you could do this: > > SSL_set_bio(s, rbio, NULL); > > I'll look into it. > > This would be a good item to add to Rich's wiki page. > I've just pushed a new commit to master (1.1.0), that adds SSL_set_rbio, and SSL_set_wbio as new API functions along with some associated documentation. Matt From richmoore44 at gmail.com Sat Feb 7 14:41:53 2015 From: richmoore44 at gmail.com (Richard Moore) Date: Sat, 7 Feb 2015 14:41:53 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: <20150203220231.GA12587@openssl.org> References: <20150203220231.GA12587@openssl.org> Message-ID: On 3 February 2015 at 22:02, Rich Salz wrote: > As we've already said, we are moving to making most OpenSSL data > structures opaque. We deliberately used a non-specific term. :) > As of Matt's commit of the other day, this is starting to happen > now. We know this will inconvenience people as some applications > no longer build. We want to work with maintainers to help them > migrate, as we head down this path. > > We have a wiki page to discuss this effort. It will eventually include > tips on migration, application and code updates, and anything else the > community finds useful. Please visit: > > http://wiki.openssl.org/index.php/1.1_API_Changes I've documented what got broken in Qt by the changes so far. I've listed the functions I think we can use instead where they exist, and those where there does not appear to be a replacement. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Sat Feb 7 14:44:53 2015 From: matt at openssl.org (Matt Caswell) Date: Sat, 07 Feb 2015 14:44:53 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> Message-ID: <54D624E5.70603@openssl.org> On 07/02/15 14:41, Richard Moore wrote: > > > On 3 February 2015 at 22:02, Rich Salz > wrote: > > As we've already said, we are moving to making most OpenSSL data > structures opaque. We deliberately used a non-specific term. :) > As of Matt's commit of the other day, this is starting to happen > now. We know this will inconvenience people as some applications > no longer build. We want to work with maintainers to help them > migrate, as we head down this path. > > We have a wiki page to discuss this effort. It will eventually include > tips on migration, application and code updates, and anything else the > community finds useful. Please visit: > > http://wiki.openssl.org/index.php/1.1_API_Changes > > > I've documented what got broken in Qt by the changes so far. I've listed > the functions I think we can use instead where they exist, and those > where there does not appear to be a replacement. Great. Thanks Rich - that's really useful. I'll take a look to see what we can do to plug the gap. Matt From giuseppe.dangelo at kdab.com Sat Feb 7 16:15:05 2015 From: giuseppe.dangelo at kdab.com (Giuseppe D'Angelo) Date: Sat, 07 Feb 2015 17:15:05 +0100 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> Message-ID: <54D63A09.5000003@kdab.com> Il 07/02/2015 15:41, Richard Moore ha scritto: > I've documented what got broken in Qt by the changes so far. I've listed > the functions I think we can use instead where they exist, and those > where there does not appear to be a replacement. The other question would be: assuming there's no replacement for some direct field access, are people willing to add the needed functions not only into 1.1 but also into 1.0.x, in order to avoid code duplication for end users? Thanks, -- Giuseppe D'Angelo | giuseppe.dangelo at kdab.com | Software Engineer KDAB (UK) Ltd., a KDAB Group company Tel. UK +44-1738-450410, Sweden (HQ) +46-563-540090 KDAB - Qt Experts - Platform-independent software solutions -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4048 bytes Desc: Firma crittografica S/MIME URL: From steve at openssl.org Sat Feb 7 17:22:11 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 7 Feb 2015 17:22:11 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> Message-ID: <20150207172211.GA26814@openssl.org> On Sat, Feb 07, 2015, Richard Moore wrote: > > I've documented what got broken in Qt by the changes so far. I've listed > the functions I think we can use instead where they exist, and those where > there does not appear to be a replacement. > For the DH case could you store the encoding of the DHparams structure and call d2i_DHparams instead? That should work on all versions of OpenSSL including 1.1. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From noloader at gmail.com Sat Feb 7 18:14:04 2015 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 7 Feb 2015 13:14:04 -0500 Subject: [openssl-users] Fwd: Automated Reminder: Your Domain Name Has Expired 2015-02-03 In-Reply-To: References: <312592453.0.07Feb2015035207-osrs-resellers-167404@cron01.osrs.prod.tucows.net> Message-ID: STOP FUCKING USING MY FUCKING EMAIL ADDRESS IN EMAILS. IF YOU WANT TO SEND AN EMAIL, SEND IT FROM YOUR OWN ACCOUNT. BELOW, I REPLIED TO AN EMAIL SENT BY OPENSRS. BUT BECAUSE OPENSRS IS PRETENDING TO BE ME, IT WAS SENT TO ME INSTEAD OF OPENSRS. I'VE CHANGED ALL THESE CONTACT POINTS TO OPENSRES, SO ALL THESE SHOULD BE COMING FROM OPENSRS AND NOT ME. OPENSRS IS NOT AUTHORIZED TO PRETEND TO BE ME. STOP FUCKING USING MY FUCKING EMAIL ADDRESS IN EMAILS. ---------- Forwarded message ---------- From: Jeffrey Walton Date: Sat, Feb 7, 2015 at 1:10 PM Subject: Re: Automated Reminder: Your Domain Name Has Expired 2015-02-03 To: Jeffrey Walton I'm not renewing the domain. There's no need to contact me 10 or 20 times. Please stop contacting me about this. On Sat, Feb 7, 2015 at 3:52 AM, None wrote: > Please note that your domain name has expired. > > Domain Name, Expiry Date > softwareintegrity.mobi, 2015-02-03 > > ********IMPORTANT******* > You can still retain this name by renewing it. Please contact your supplier immediately to renew your domain name. > > Thank you From richmoore44 at gmail.com Sat Feb 7 19:58:47 2015 From: richmoore44 at gmail.com (Richard Moore) Date: Sat, 7 Feb 2015 19:58:47 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: <20150207172211.GA26814@openssl.org> References: <20150203220231.GA12587@openssl.org> <20150207172211.GA26814@openssl.org> Message-ID: On 7 February 2015 at 17:22, Dr. Stephen Henson wrote: > On Sat, Feb 07, 2015, Richard Moore wrote: > > > > > I've documented what got broken in Qt by the changes so far. I've listed > > the functions I think we can use instead where they exist, and those > where > > there does not appear to be a replacement. > > > > For the DH case could you store the encoding of the DHparams structure and > call d2i_DHparams instead? That should work on all versions of OpenSSL > including 1.1. > Good idea, yes that should work for us. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: From viktor at szepe.net Sat Feb 7 20:51:52 2015 From: viktor at szepe.net (=?utf-8?b?U3rDqXBl?= Viktor) Date: Sat, 07 Feb 2015 21:51:52 +0100 Subject: [openssl-users] SHA256 docs Message-ID: <20150207215152.Horde.AuuUM7N4D0zNQU6ea6Hbfg1@szepe.net> Please consider including other message digest algorithms like sha256 For example here: https://www.openssl.org/docs/apps/ca.html Thank you! Sz?pe Viktor -- +36-20-4242498 sms at szepe.net skype: szepe.viktor Budapest, XX. ker?let From matt at openssl.org Sun Feb 8 00:19:39 2015 From: matt at openssl.org (Matt Caswell) Date: Sun, 08 Feb 2015 00:19:39 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> Message-ID: <54D6AB9B.9070703@openssl.org> On 07/02/15 14:41, Richard Moore wrote: > > > On 3 February 2015 at 22:02, Rich Salz > wrote: > > As we've already said, we are moving to making most OpenSSL data > structures opaque. We deliberately used a non-specific term. :) > As of Matt's commit of the other day, this is starting to happen > now. We know this will inconvenience people as some applications > no longer build. We want to work with maintainers to help them > migrate, as we head down this path. > > We have a wiki page to discuss this effort. It will eventually include > tips on migration, application and code updates, and anything else the > community finds useful. Please visit: > > http://wiki.openssl.org/index.php/1.1_API_Changes > > > I've documented what got broken in Qt by the changes so far. I've listed > the functions I think we can use instead where they exist, and those > where there does not appear to be a replacement. On the wiki you say this: "cipher->valid - we were directly accessing the valid field of SSL_CIPHER. No replacement found." I'm just trying to work out why you need this? As far as I can tell from the code the only time valid isn't true is for cipher aliases ("ALL", "COMPLEMENTOFALL" etc)...but I thought these were only used as an SSL_CIPHER internally. E.g. if you call SSL_get_ciphers() then you only get valid ciphers I think?? What scenario do you have where you are seeing ciphers that aren't valid? Matt From richmoore44 at gmail.com Sun Feb 8 01:11:31 2015 From: richmoore44 at gmail.com (Richard Moore) Date: Sun, 8 Feb 2015 01:11:31 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: <54D6AB9B.9070703@openssl.org> References: <20150203220231.GA12587@openssl.org> <54D6AB9B.9070703@openssl.org> Message-ID: On 8 February 2015 at 00:19, Matt Caswell wrote: > > > On 07/02/15 14:41, Richard Moore wrote: > > > > > > On 3 February 2015 at 22:02, Rich Salz > > wrote: > > > > As we've already said, we are moving to making most OpenSSL data > > structures opaque. We deliberately used a non-specific term. :) > > As of Matt's commit of the other day, this is starting to happen > > now. We know this will inconvenience people as some applications > > no longer build. We want to work with maintainers to help them > > migrate, as we head down this path. > > > > We have a wiki page to discuss this effort. It will eventually > include > > tips on migration, application and code updates, and anything else > the > > community finds useful. Please visit: > > > > http://wiki.openssl.org/index.php/1.1_API_Changes > > > > > > I've documented what got broken in Qt by the changes so far. I've listed > > the functions I think we can use instead where they exist, and those > > where there does not appear to be a replacement. > > > On the wiki you say this: > > "cipher->valid - we were directly accessing the valid field of > SSL_CIPHER. No replacement found." > > I'm just trying to work out why you need this? As far as I can tell from > the code the only time valid isn't true is for cipher aliases ("ALL", > "COMPLEMENTOFALL" etc)...but I thought these were only used as an > SSL_CIPHER internally. E.g. if you call SSL_get_ciphers() then you only > get valid ciphers I think?? > > What scenario do you have where you are seeing ciphers that aren't valid? > Excellent question. This is code I inherited, and I can't see a sane reason why the cipher might not be valid. I strongly suspect removing this bit of code is actually the right solution here. The code is at http://code.woboq.org/qt5/qtbase/src/network/ssl/qsslsocket_openssl.cpp.html#651 Maybe some edge case for things like the TLS_FALLBACK_SCSV could have an effect, but even then I can't see how it would relevant to the code that's actually doing this. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: From getur.srikanth at gmail.com Sun Feb 8 08:16:46 2015 From: getur.srikanth at gmail.com (Itsmesri) Date: Sun, 8 Feb 2015 01:16:46 -0700 (MST) Subject: [openssl-users] error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c Message-ID: <1423383406512-56325.post@n7.nabble.com> I am newbie to OPENSSL world.I am trying into install openssl certification on my microsoft exchange server. For this I was following below article step by step. at one place I stuck while createing 'ca' and getting below errors. I have created index.txt , serial files and have proper permissions. article: http://www.stephen-scotter.net/computers/windows/exchange/using-openssl-to-create-a-certificate-for-exchange-2010#exchange2010 C:\OpenSSL-Win64>bin\openssl.exe ca -name ServerCA -policy policy_anything -in SIFY_CA\requests\SIFYSERV4-EXCHANGE.csr -o t SIFY_CA\certs\SIFYSERV4-EXCHANGE-WRONGFORMAT.cer -md sha1 Using configuration from c:\OpenSSL-Win64\bin\openssl.cfg Loading 'screen' into random state - done Enter pass phrase for \\DALLAS\OpenSSL-Win64\SIFY_CA\private\SIFY_CA.key: Error Loading extension section ca_cert 11128:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:169:fopen('\\DALLAS\OpenSSL-Win64\SIFY_CA\index.txt.attr','rb') 11128:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file.c:172: 11128:error:0E078072:configuration file routines:DEF_LOAD:no such file:.\crypto\conf\conf_def.c:197: 11128:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:.\crypto\x509v3\v3_alt.c:537: 11128:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName, value=D S:sifytech.com,DNS:www.sifytech.com;DNS:*.sifytech.com,mail.SIFY.com,owa.sifytech.com openssl.cfg --------------- HOME = \\\\DALLAS\\OpenSSL-Win64 #RANDFILE = $HOME\\.rnd [ca] default_ca = SIFY_CA [SIFY_CA] dir = $HOME\\SIFY_CA certs = $dir\\certs crl_dir = $dir\\crl database = $dir\\index.txt new_certs_dir = $dir\\newcerts certificate = $certs\\SIFY_CA.cer serial = $dir\\serial crl = $crl_dir\\SIFY_CA.crl private_key = $dir\\private\\SIFY_CA.key RANDFILE = $dir\\private\\.rnd unique_subject = no email_in_dn = yes policy = policy_match x509_extensions = ca_cert default_days = 18250 default_crl_days = 18250 default_md = md5 [ServerCA] dir = $HOME\\SIFY_CA certs = $dir\\certs crl_dir = $dir\\crl database = $dir\\index.txt new_certs_dir = $dir\\newcerts certificate = $certs\\SIFY_CA.cer serial = $dir\\serial #####crl = $crl_dir\\ServerCA.crl crl = $crl_dir\\SIFY_CA.crl private_key = $dir\\private\\SIFY_CA.key RANDFILE = $dir\\private\\.rnd unique_subject = no email_in_dn = yes policy = policy_match x509_extensions = ca_cert default_days = 18250 default_crl_days = 18250 default_md = md5 #####copy_extensions = copy #####copy_extensions = none [policy_match] countryName = match stateOrProvinceName = optional organizationName = optional organizationalUnitName = supplied commonName = supplied emailAddress = optional [policy_anything] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_distinguished_name #attributes = req_attributes x509_extensions = v3_ca req_extensions = v3_req [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = GB countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = West Midlands localityName = Locality Name (eg, city) localityName_default = Birmingham 0.organizationName = Organization Name (eg, company) 0.organizationName_default = WHLB (Certificate Authority) organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = commonName = Common Name (eg, YOUR name) commonName_default = WHLB (Certificate Authority) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [v3_ca] #basicConstraints = critical, CA:true, pathlen:0 basicConstraints = CA:true #nsCertType = sslCA #keyUsage = cRLSign, keyCertSign #extendedKeyUsage = serverAuth, clientAuth nsComment = "OpenSSL CA Certificate" crlDistributionPoints = URI:http://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl [v3_req] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment crlDistributionPoints = URI:http://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl [ca_cert] basicConstraints = CA:true nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid, issuer:always extendedKeyUsage = serverAuth, clientAuth crlDistributionPoints = URI:https://dallas.sifytech.com/SIFY_ca/crl/SIFY_CA.crl subjectAltName = DNS:sifytech.com,DNS:www.sifytech.com;DNS:*.sifytech.com,mail.intensify.com,owa.sifytech.com What could be wrong? Did I miss anything here? Help me out? -- View this message in context: http://openssl.6102.n7.nabble.com/error-02001002-system-library-fopen-No-such-file-or-directory-crypto-bio-bss-file-c-tp56325.html Sent from the OpenSSL - User mailing list archive at Nabble.com. From matt at openssl.org Sun Feb 8 16:14:03 2015 From: matt at openssl.org (Matt Caswell) Date: Sun, 08 Feb 2015 16:14:03 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> <54D6AB9B.9070703@openssl.org> Message-ID: <54D78B4B.8040206@openssl.org> On 08/02/15 01:11, Richard Moore wrote: > Maybe some edge case for things like the TLS_FALLBACK_SCSV could have an > effect, but even then I can't see how it would relevant to the code > that's actually doing this. I thought about that myself and so checked TLS_FALLBACK_SCSV - but even that is marked as "valid". Matt From rsalz at akamai.com Sun Feb 8 23:21:32 2015 From: rsalz at akamai.com (Salz, Rich) Date: Sun, 8 Feb 2015 23:21:32 +0000 Subject: [openssl-users] [openssl-dev] The evolution of the 'master' branch In-Reply-To: <54D63A09.5000003@kdab.com> References: <20150203220231.GA12587@openssl.org> <54D63A09.5000003@kdab.com> Message-ID: <19d281b1a3cf49cd84429a19f5e9604c@ustx2ex-dag1mb2.msg.corp.akamai.com> > The other question would be: assuming there's no replacement for some > direct field access, are people willing to add the needed functions not only > into 1.1 but also into 1.0.x, in order to avoid code duplication for end users? The idea of a 'shim' layer that helps bridge the gap between 1.1 new functions and 1.0.x exposed struct's seems like a great idea and hopefully not a lot of work. From khang.social at gmail.com Mon Feb 9 10:56:34 2015 From: khang.social at gmail.com (Khang Nguyen) Date: Mon, 9 Feb 2015 17:56:34 +0700 Subject: [openssl-users] ui_openssl.c is assuming that current console is ECHO(termios) enabled In-Reply-To: References: Message-ID: Hi, OpenSSL, to be specific, ui_openssl.c, in my opinion, is assuming that the current console before "Enter PEM pass phrase" prompt being carried out is set with ECHO on (termios). After using that prompt to get a pass phrase, applications using stdin with ECHO off such as in the case of pseudo-terminals (pty) will display any character twice when its key was pressed instead of only once. One example is text-mode pty IRC client irssi 0.8.15, using self-signed certificate login protected with a pass phrase, utilizing the "Enter PEM pass phrase" prompt. crypto/ui/ui_openssl.c static int noecho_console(UI *ui) { #ifdef TTY_FLAGS memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig)); tty_new.TTY_FLAGS &= ~ECHO; #endif ... } static int echo_console(UI *ui) { #if defined(TTY_set) && !defined(OPENSSL_SYS_VMS) memcpy(&(tty_new),&(tty_orig),sizeof(tty_orig)); tty_new.TTY_FLAGS |= ECHO; #endif ... } Of course, a guard can be put into client applications to back up and restore the attributes. But should this behaviour in openssl be allowed ? Or am I looking into the wrong place ? I wonder why ECHO is added to the current terminal attributes after the prompt is finished. My strace log found that c_lflags (local modes) before the prompt is 0x8a31 and 0x8a39 afterwards. OS : Slackware 14.1 Regards, Khang. From shinrich at ieee.org Mon Feb 9 15:15:00 2015 From: shinrich at ieee.org (Susan Hinrichs) Date: Mon, 09 Feb 2015 09:15:00 -0600 Subject: [openssl-users] Means to update read bio only In-Reply-To: <54D62244.1000807@openssl.org> References: <54D4E254.2060105@ieee.org> <54D53638.7030208@openssl.org> <54D62244.1000807@openssl.org> Message-ID: <54D8CEF4.3040903@ieee.org> On 2/7/2015 8:33 AM, Matt Caswell wrote: > > On 06/02/15 21:46, Matt Caswell wrote: >> >> On 06/02/15 15:48, Susan Hinrichs wrote: >>> Hello, >>> >>> In Apache Traffic Server we are primarily using SSL_accept and >>> SSL_read/SSL_write with file descriptor bios. >>> >>> But during the handshake, we need to feed in our own packets via >>> read-only buffers. We use the BIO mem_buf to pass along this data >>> without incurring another copy. But on each read during the handshake, >>> we need to reset the read bio. We leave the write bio as the file >>> descriptor bio the whole time. >>> >>> I originally tried to use SSL_set_bio(ssl, new_rbio, SSL_get_wbio(ssl)), >>> but that would adjust the output buffering and the handshake would not >>> complete. >>> >>> So we created a SSL_set_rbio(ssl, new_rbio), that just frees the old >>> rbio and sets the new one. It leaves the wbio and the bbio alone. >>> >>> This has worked well for us for a couple releases, but looking forward >>> to openssl 1.1, we will no longer be able to use this approach. Can >>> someone point me to the preferred way of updating a read bio without >>> affecting the write bio processing? >> >> Hmmmm... that's a good question. I don't think you can set just the rbio >> by itself. >> >> I wonder if maybe we extended SSL_set_bio, so that you could do this: >> >> SSL_set_bio(s, rbio, NULL); >> >> I'll look into it. >> >> This would be a good item to add to Rich's wiki page. >> > I've just pushed a new commit to master (1.1.0), that adds SSL_set_rbio, > and SSL_set_wbio as new API functions along with some associated > documentation. > > Matt Great! Thanks for the addition. I'll take it for a spin. > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From sanchit1.arora at gmail.com Mon Feb 9 20:17:46 2015 From: sanchit1.arora at gmail.com (sanchit arora) Date: Mon, 9 Feb 2015 15:17:46 -0500 Subject: [openssl-users] DTLS Handshake issue (openssl-1.0.1e-dtls-ecc-ext.patch) leads to process crash Message-ID: Bug report OS: Linux OpenSSL Version: 1.0.1e-30 While doing DTLS testing with openssl-1.0.1e-30 Version and patches for RT3327, RT3470 and RT3483 on top of that, we are facing an issue where our process is crashing during the duration run of 24 hours. Use Case: * There are 125 DTLS Server Connections and 125 DTLS Client Connections. * Connection Attempts towards Server connections are also being made every 1 second. * Client Connections are initiating connection attempts every 1 second . * SSL Handshake is made to fail so that connection attempts continues and there are no crashes observed. During the above duration run, process is always crashing at the below location always. #4 #5 0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from /usr/lib64/libcrypto.so.10 #6 0xad89a0d6776026f6 in ?? () #7 0xf9e71fd74025dad7 in ?? () #8 0x2243d5d8167d7997 in ?? () #9 0x8bbb75d9b4efd5d8 in ?? () #10 0xea9689da4d4ac2cb in ?? () #11 0x7067bc5f5034983b in ?? () #12 0xe19f5aa4a5679ed0 in ?? () #13 0x8ecbf7e83d1d8ccd in ?? () #14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10 #15 0x00000000bc803cd0 in ?? () #16 0x0000000000000011 in ?? () #17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10 #18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10 #19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10 When we tested with openssl-1.0.1e-16 Version and patches for RT3327, RT3470 and RT3483 on top of that, the use case works fine. On investigation, we found that there are 11 patches added between openssl-1.0.1e-30 and openssl-1.0.1e-16 version out of which following 3 patches are related to DTLS. openssl-1.0.1e-dtls-ecc-ext. patch openssl-1.0.1e-cve-2014-3513. patch openssl-1.0.1e-fallback-scsv.patch We have narrowed down that when we use openssl-1.0.1e-30 Version with the openssl-1.0.1e-dtls-ecc-ext.patch and patches for RT3327, RT3470 and RT3483 on top of that, process crashes with the above abterm during the duration run of 24 hours. When we excluded the openssl-1.0.1e-dtls-ecc-ext.patch from openssl-1.0.1e-30 Version, we didn't see an abterm during the duration run of 24 hours. Therefore, it seems that the openssl-1.0.1e-dtls-ecc-ext.patch is causing the abterm in the duration run. Please let us know if there could be issues with the openssl-1.0.1e-dtls-ecc-ext.patch? Regards, Sanchit Arora From matt at openssl.org Mon Feb 9 23:07:50 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 09 Feb 2015 23:07:50 +0000 Subject: [openssl-users] DTLS Handshake issue (openssl-1.0.1e-dtls-ecc-ext.patch) leads to process crash In-Reply-To: References: Message-ID: <54D93DC6.90300@openssl.org> On 09/02/15 20:17, sanchit arora wrote: > Bug report > > OS: Linux Which distro? > > OpenSSL Version: 1.0.1e-30 That is not an OpenSSL version - that is an OS vendor specific version based on OpenSSL 1.0.1e > While doing DTLS testing with openssl-1.0.1e-30 Version and patches > for RT3327, RT3470 and RT3483 on top of that, we are facing an issue > where our process is crashing during the duration run of 24 hours. > > Use Case: > * There are 125 DTLS Server Connections and 125 DTLS Client Connections. > * Connection Attempts towards Server connections are also being > made every 1 second. > * Client Connections are initiating connection attempts every 1 second . > * SSL Handshake is made to fail so that connection attempts > continues and there are no crashes observed. > > During the above duration run, process is always crashing at the below > location always. > > #4 > #5 0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from > /usr/lib64/libcrypto.so.10 > #6 0xad89a0d6776026f6 in ?? () > #7 0xf9e71fd74025dad7 in ?? () > #8 0x2243d5d8167d7997 in ?? () > #9 0x8bbb75d9b4efd5d8 in ?? () > #10 0xea9689da4d4ac2cb in ?? () > #11 0x7067bc5f5034983b in ?? () > #12 0xe19f5aa4a5679ed0 in ?? () > #13 0x8ecbf7e83d1d8ccd in ?? () > #14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10 > #15 0x00000000bc803cd0 in ?? () > #16 0x0000000000000011 in ?? () > #17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10 > #18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10 > #19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10 There is insufficient information in the above to diagnose the problem. We would need a build with full debugging symbols. > > When we tested with openssl-1.0.1e-16 Version and patches for RT3327, > RT3470 and RT3483 on top of that, the use case works fine. > > On investigation, we found that there are 11 patches added between > openssl-1.0.1e-30 and openssl-1.0.1e-16 version out of which following > 3 patches are related to DTLS. > > openssl-1.0.1e-dtls-ecc-ext. > patch > openssl-1.0.1e-cve-2014-3513. > patch > openssl-1.0.1e-fallback-scsv.patch > > We have narrowed down that when we use openssl-1.0.1e-30 Version with > the openssl-1.0.1e-dtls-ecc-ext.patch and patches for RT3327, RT3470 > and RT3483 on top of that, process crashes with the above abterm > during the duration run of 24 hours. > > When we excluded the openssl-1.0.1e-dtls-ecc-ext.patch from > openssl-1.0.1e-30 Version, we didn't see an abterm during the duration > run of 24 hours. > > Therefore, it seems that the openssl-1.0.1e-dtls-ecc-ext.patch is > causing the abterm in the duration run. > > Please let us know if there could be issues with the > openssl-1.0.1e-dtls-ecc-ext.patch? All of the above are vendor specific patches (probably based on original OpenSSL commits). However I don't know from the name what dtls-ecc-ext is referring to. You would need to address your specific question to your vendor. Is it possible that you can run the latest 1.0.1 version of standard OpenSSL (i.e. OpenSSL 1.0.1l)? There have been some significant DTLS related fixes that have been applied in recent versions. Matt From jb-openssl at wisemo.com Tue Feb 10 00:46:27 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Tue, 10 Feb 2015 01:46:27 +0100 Subject: [openssl-users] How to load local certificate folder on windows In-Reply-To: References: <000c01d0422e$e32fe4c0$a98fae40$@prinpay.com> Message-ID: <54D954E3.7000103@wisemo.com> On 06/02/2015 20:19, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf >> Of Dave Thompson >> Sent: Friday, February 06, 2015 12:04 >> >> * Windows beginning AIR XP or maybe NT does support links on NTFS, >> but they're not easy to use and not well known, and I think I saw a recent >> bug report that they don't even work for OpenSSL, at least sometimes. > In modern versions of Windows, NTFS supports three sorts of link-like objects: file symbolic links, directory symbolic links, and junctions, all of which are types of reparse points. Older versions of NTFS only support junctions. These can be created with the mklink command. Prior to Vista, there was no command in the base OS for this purpose, and you needed something like linkd from the Windows Server Resource Kit to manipulate links. Actually, there is a 4th and 5th form of NTFS native symbolic links: "POSIX" subsystem symbolic links, which have all the expected semantics but may not work with Win32 programs such as OpenSSL; and DFS junctions which have special semantics for the SMB/CIFS file sharing protocol. > I just did a bit of testing with openssl.exe from OpenSSL 1.0.1k. It appears to work correctly with all three. > > Windows also supports "shortcuts", but those are a Windows Explorer artifact. They're just files that have a particular extension and particular sort of contents. OpenSSL doesn't support them, but then neither do most programs. Shortcuts were invented for Windows 95 to overcome some of the limitations of the FAT32 filesystem. They're rubbish. Actually, shortcuts are really desktop/start menu entries, which store a command line, startup directory, menu icon and launch options. They work like the ".desktop" files in modern Linux desktop environments and should never have been confused with symbolic links. They were created as a more flexible replacement for the Windows 3.x program manager icon group files. > And Cygwin provides both hard and symbolic UNIX-style links for NTFS. Hard links can only be to files. I'm not sure how Cygwin implements them, but they seem to work fine with OpenSSL. All versions of NTFS support hard links natively, though there is no command in the base OS to create them, and prior to Windows 2000, they could only be created via an undocumented API and/or by using the "POSIX" subsystem (which did include a working ln command though). When you run chkdsk (fsck) on an NTFS file system, you will see inodes referred to as "Files" in the "Master File Table" and directories as "Indexes". > Cygwin supports multiple implementations of symbolic links; see https://cygwin.com/cygwin-ug-net/using.html#pathnames-symlinks. Default symbolic links are ordinary files recognized by the Cygwin library as special, so they aren't handled by (non-Cygwin) OpenSSL. Shortcut-style symlinks are shortcuts, so per above they do not work. Native symlinks are Windows symlinks and should work fine with OpenSSL. The native implementation can be selected by setting the CYGWIN environment variable appropriately, so (contrary to recent messages on the list) there's no reason to rewrite c_rehash for use on Windows. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From secaficionado at gmail.com Tue Feb 10 00:53:19 2015 From: secaficionado at gmail.com (Sec_Aficionado) Date: Mon, 9 Feb 2015 19:53:19 -0500 Subject: [openssl-users] AES-GCM failing from Command Line Interface Message-ID: Hello, I am trying to encrypt a short message using AES-256-GCM as mentioned in the subject. My command is: openssl enc -aes-256-gcm -p -in payload.txt -out enc.txt I get prompted for password as expected. The encryption goes well, and then I proceed to decrypt using: openssl enc -d -aes-256-gcm -p -in enc.txt -out dec.txt The program executes but I get a "bad decrypt" message. However, when I open dec.txt, it is the same as the original file payload.txt My guess is that the problem is in the padding, but I have not been able to eliminate the error message, even setting the -nopad option and padding manually. Can someone please explain to me why this might be happening? I am running openSSL 1.0.1f (6 Jan 14) on an Ubuntu 14.04 LTS VM with current patches. Thanks in advance for your help. Sent from my mobile From jb-openssl at wisemo.com Tue Feb 10 01:16:33 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Tue, 10 Feb 2015 02:16:33 +0100 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> <54D52B25.7010505@openssl.org> Message-ID: <54D95BF1.5080003@wisemo.com> On 07/02/2015 12:12, Michael Felt wrote: > From someone who does NOT understand the in's and out's of what people > (developers and users) have been using openSSL for. > My first reaction is: have developers been using openSSL, or has it > gone to abusing it? > For the sake of argument - let's say just use as it has always been > intended. > Fundamentally, since its inception by EAY years ago, "OpenSSL" has provided two things to other software developers: A very popular implementation of the SSL protocols defined by Netscape/Mozilla/IETF, and an equally popular library of fundamental cryptographic building blocks such as large numbers and various types of encryption and decryption. My criticism of the OpenSSL changes in the future version 1.1.0 is that they are removing the most flexible building blocks from the part that is intended to be used. > Many technologies - especially related to security - whether it be a > big log through 'something', to skeleton keys', to digital keys, etc - > we want to be able to trust our locks. When the lock technology is no > longer trustworthy - whether it be packaging (which is what the > discussion sounds like atm) or unrepairable "concerns" with the > technology asis - we change our locks. > 2014 saw some widely published problems with various SSL variants. "Heartbleed" was a programming error found *only* in the OpenSSL SSL code and did not affect the handful of competing SSL implementations (such as the NSS one by Mozilla and the STUNNEL one by Microsoft). Essentially, heartbleed allowed people to put a hook through the keyhole and steal the key from behind the locked door. "Poodle" was a new way to attack a known weakness in the old version 3.0 of the SSL protocol, affecting all implementations, combined with a weakness in how Web Browsers work around bad SSL libraries that refuse to even reply to requests for protocol version 3.1 ("TLS 1.0"). On top of that, it turned out that a few minor competing SSL implementations (not OpenSSL, NSS and STUNNEL) never implemented the TLS 1.0 protection against the known weakness, leading to a rumor that poodle affected all "TLS 1.0" implementations, and not just the few broken ones. > Not everyone changes locks at the same moment in time. urgency depends > on need, i.e., what is at risk. > > I started following these discussions because I am concerned (remember > I am not really interested in the inner workings. I just think my > locks are broken and wondering if it is time to change to something > that maybe "can do less" - but what it does, does it better than what > I have now. > > Regardless of the choices made by openssl - people outside openssl > have needs and are looking at alternatives. To someone like me it is > obvious something must change - even if technically it is cosmetic - > because (open)SSL is losing the trust of it's users. > > As a user - I need a alternative. And just as I stopped using > telnet/ftp/rsh/etc- because I could not entrust the integrity of my > systems when those doors were open - so are my concerns re: (open)SSL. > In short, is SSL still secure? And, very simply, as an > un-knowledgeable user - given the choice of a library that does > something well - and that's it, versus something else that does that - > but leaves room for 'experiments' - Not on my systems. Experiment in > experiment-land. > > My two bits. > > On Fri, Feb 6, 2015 at 9:59 PM, Matt Caswell > wrote: > > > > On 06/02/15 16:03, Jakob Bohm wrote: > > I believe you have made the mistake of discussing only amongst > > yourselves, thus gradually convincing each other of the > > righteousness of a flawed decision. > > > ...and, Rich said in a previous email (in response to your comment): > >> I fear that this is an indication that you will be killing > >> off all the other non-EVP entrypoints in libcrypto > > > > Yes there is a good chance of that happening. > > I'd like to stress that there has been no decision. In fact we're not > even close to a decision on that at the moment. > > Whilst this has certainly been discussed I don't believe we are > near to > a consensus view at the moment. So whilst there is a good chance > of that > happening....there's also a very good chance of it not. It is still > under discussion. > Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve at openssl.org Tue Feb 10 02:23:30 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Tue, 10 Feb 2015 02:23:30 +0000 Subject: [openssl-users] AES-GCM failing from Command Line Interface In-Reply-To: References: Message-ID: <20150210022330.GA15638@openssl.org> On Mon, Feb 09, 2015, Sec_Aficionado wrote: > Hello, > > I am trying to encrypt a short message using AES-256-GCM as mentioned in the subject. > > My command is: > openssl enc -aes-256-gcm -p -in payload.txt -out enc.txt > > I get prompted for password as expected. > > The encryption goes well, and then I proceed to decrypt using: > openssl enc -d -aes-256-gcm -p -in enc.txt -out dec.txt > > The program executes but I get a "bad decrypt" message. However, when I open dec.txt, it is the same as the original file payload.txt > > My guess is that the problem is in the padding, but I have not been able to eliminate the error message, even setting the -nopad option and padding manually. > > Can someone please explain to me why this might be happening? > > I am running openSSL 1.0.1f (6 Jan 14) on an Ubuntu 14.04 LTS VM with current patches. > AES GCM is not supported by the 'enc' utility. More recent versions of OpenSSL throw out and error message if you try to use it from the command line. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From oyljerry at gmail.com Tue Feb 10 07:17:18 2015 From: oyljerry at gmail.com (Jerry OELoo) Date: Tue, 10 Feb 2015 15:17:18 +0800 Subject: [openssl-users] How to construct certificate chain In-Reply-To: <20141117074340.GZ13179@mournblade.imrryr.org> References: <20141117074340.GZ13179@mournblade.imrryr.org> Message-ID: I am using 1.0.2 stable release and add below code but it still get Equifax but browser get GeoTrust Global CA X509_VERIFY_PARAM *param; param = X509_VERIFY_PARAM_new(); X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST); SSL_CTX_set1_param(ctx, param); X509_VERIFY_PARAM_free(param); On Mon, Nov 17, 2014 at 3:43 PM, Viktor Dukhovni wrote: > On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote: > >> When I construct google's (www.google.com) certificate chain, it is >> different with browser's >> >> [openssl API] >> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA >> -> Equifax Secure Certificate Authority > > This is what Google sends on the wire. > >> [IE/Chrome] >> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA > > The browsers short-cicuit the chain, by finding an alternative trusted > issuer for "G2" > >> It seems openssl use one certificate path with "bridge cert" but >> browsers use another certificate path, and in answer, it said >> "OpenSSL, which curl uses, is not, or at least not yet; thus you must >> tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2 >> release, currently in beta, is announced to have enhancements in the >> area of cert chain validation, which I haven't looked at in detail >> yet.", > > Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST > flag which should give similar (to the browsers) results if set in > the X509_STORE_CTX used to validate the chain via: > > X509_VERIFY_PARAM_set_flags() > > and > > SSL_CTX_set1_param() > > see apps/apps.c and apps/s_client.c > >> So is there any way that openssl 1.0.1j can solve this and construct >> same certificate path with browsers did? > > No, but it is far from clear why "this" is a problem. Google sends > a chain signed by Equifax. So OpenSSL builds a chain with that. > When Google stops sending the Equifax cert, OpenSSL will use the > GeoTrust root CA if that's configured. > > -- > Viktor. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users at openssl.org > Automated List Manager majordomo at openssl.org -- Rejoice,I Desire! From secaficionado at gmail.com Tue Feb 10 14:09:02 2015 From: secaficionado at gmail.com (Sec_Aficionado) Date: Tue, 10 Feb 2015 09:09:02 -0500 Subject: [openssl-users] AES-GCM failing from Command Line Interface In-Reply-To: <20150210022330.GA15638@openssl.org> References: <20150210022330.GA15638@openssl.org> Message-ID: Ah, thank you! I tried a lot of things and was very frustrated. I wish the documentation reflected that. I'll see if I can contribute by updating it. Regarding AES-GCM from the command line, or PHP bindings, is that something that any of the OpenSSL components support? I think EVP is the intended way but there are no PHP bindings, only C from what I can tell. As a bit of background, I need to send an encrypted token to a client, which will return it when communicating back with the server. I need some form of authenticated encryption for that and OpenSSL seems like a perfect fit. Thanks for your help. Sent from my mobile > On Feb 9, 2015, at 9:23 PM, Dr. Stephen Henson wrote: > >> On Mon, Feb 09, 2015, Sec_Aficionado wrote: >> >> Hello, >> >> I am trying to encrypt a short message using AES-256-GCM as mentioned in the subject. >> >> My command is: >> openssl enc -aes-256-gcm -p -in payload.txt -out enc.txt >> >> I get prompted for password as expected. >> >> The encryption goes well, and then I proceed to decrypt using: >> openssl enc -d -aes-256-gcm -p -in enc.txt -out dec.txt >> >> The program executes but I get a "bad decrypt" message. However, when I open dec.txt, it is the same as the original file payload.txt >> >> My guess is that the problem is in the padding, but I have not been able to eliminate the error message, even setting the -nopad option and padding manually. >> >> Can someone please explain to me why this might be happening? >> >> I am running openSSL 1.0.1f (6 Jan 14) on an Ubuntu 14.04 LTS VM with current patches. > > AES GCM is not supported by the 'enc' utility. More recent versions of OpenSSL > throw out and error message if you try to use it from the command line. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From matt at openssl.org Tue Feb 10 14:21:16 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 10 Feb 2015 14:21:16 +0000 Subject: [openssl-users] AES-GCM failing from Command Line Interface In-Reply-To: References: <20150210022330.GA15638@openssl.org> Message-ID: <54DA13DC.8050305@openssl.org> On 10/02/15 14:09, Sec_Aficionado wrote: > Ah, thank you! I tried a lot of things and was very frustrated. I wish the documentation reflected that. I'll see if I can contribute by updating it. It does: https://www.openssl.org/docs/apps/enc.html "The enc program does not support authenticated encryption modes like CCM and GCM. The utility does not store or retrieve the authentication tag." > > Regarding AES-GCM from the command line, or PHP bindings, is that something that any of the OpenSSL components support? I think EVP is the intended way but there are no PHP bindings, only C from what I can tell. No - you can't do AES-GCM from the command line (things like s_server and s_client support it - but that doesn't help you for what you want to do). We don't supply the PHP bindings - you'll have to talk to the PHP guys about that. Matt From sanchit1.arora at gmail.com Tue Feb 10 14:50:06 2015 From: sanchit1.arora at gmail.com (sanchit arora) Date: Tue, 10 Feb 2015 09:50:06 -0500 Subject: [openssl-users] DTLS Handshake issue (openssl-1.0.1e-dtls-ecc-ext.patch) leads to process crash In-Reply-To: <54D93DC6.90300@openssl.org> References: <54D93DC6.90300@openssl.org> Message-ID: Which distro? >>>>>>>>>>>>>> OS is Red Hat Enterprise Linux Server release 6.5 OpenSSL Version :1.0.1e All of the above are vendor specific patches (probably based on original OpenSSL commits). However I don't know from the name what dtls-ecc-ext is referring to. You would need to address your specific question to your vendor. >>>>>>> The patch openssl-1.0.1e-dtls-ecc-ext.patch with changes is decribed below: https://bugzilla.redhat.com/show_bug.cgi?id=1119800 Could it be that the changes in the above patch are causing issues in DTLS Handshake causing the process to crash always at the below location: #4 #5 0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from /usr/lib64/libcrypto.so.10 #6 0xad89a0d6776026f6 in ?? () #7 0xf9e71fd74025dad7 in ?? () #8 0x2243d5d8167d7997 in ?? () #9 0x8bbb75d9b4efd5d8 in ?? () #10 0xea9689da4d4ac2cb in ?? () #11 0x7067bc5f5034983b in ?? () #12 0xe19f5aa4a5679ed0 in ?? () #13 0x8ecbf7e83d1d8ccd in ?? () #14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10 #15 0x00000000bc803cd0 in ?? () #16 0x0000000000000011 in ?? () #17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10 #18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10 #19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10 Is it possible that you can run the latest 1.0.1 version of standard OpenSSL (i.e. OpenSSL 1.0.1l)? There have been some significant DTLS related fixes that have been applied in recent versions. >>>>>>>>> it would not be possible as other modules are also using 1.0.1e version. Thanks, Sanchit Arora On Mon, Feb 9, 2015 at 6:07 PM, Matt Caswell wrote: > > > On 09/02/15 20:17, sanchit arora wrote: >> Bug report >> >> OS: Linux > > Which distro? > >> >> OpenSSL Version: 1.0.1e-30 > > That is not an OpenSSL version - that is an OS vendor specific version > based on OpenSSL 1.0.1e > >> While doing DTLS testing with openssl-1.0.1e-30 Version and patches >> for RT3327, RT3470 and RT3483 on top of that, we are facing an issue >> where our process is crashing during the duration run of 24 hours. >> >> Use Case: >> * There are 125 DTLS Server Connections and 125 DTLS Client Connections. >> * Connection Attempts towards Server connections are also being >> made every 1 second. >> * Client Connections are initiating connection attempts every 1 second . >> * SSL Handshake is made to fail so that connection attempts >> continues and there are no crashes observed. >> >> During the above duration run, process is always crashing at the below >> location always. >> >> #4 >> #5 0x00007f61e97188e9 in sha1_block_data_order_ssse3 () from >> /usr/lib64/libcrypto.so.10 >> #6 0xad89a0d6776026f6 in ?? () >> #7 0xf9e71fd74025dad7 in ?? () >> #8 0x2243d5d8167d7997 in ?? () >> #9 0x8bbb75d9b4efd5d8 in ?? () >> #10 0xea9689da4d4ac2cb in ?? () >> #11 0x7067bc5f5034983b in ?? () >> #12 0xe19f5aa4a5679ed0 in ?? () >> #13 0x8ecbf7e83d1d8ccd in ?? () >> #14 0x00007f61e9a827ce in state () from /usr/lib64/libcrypto.so.10 >> #15 0x00000000bc803cd0 in ?? () >> #16 0x0000000000000011 in ?? () >> #17 0x00007f61e9715de7 in SHA1_Update () from /usr/lib64/libcrypto.so.10 >> #18 0x00007f61e97899fd in ssleay_rand_add () from /usr/lib64/libcrypto.so.10 >> #19 0x00007f61e9ed92f9 in dtls1_accept () from /usr/lib64/libssl.so.10 > > There is insufficient information in the above to diagnose the problem. > We would need a build with full debugging symbols. > > >> >> When we tested with openssl-1.0.1e-16 Version and patches for RT3327, >> RT3470 and RT3483 on top of that, the use case works fine. >> >> On investigation, we found that there are 11 patches added between >> openssl-1.0.1e-30 and openssl-1.0.1e-16 version out of which following >> 3 patches are related to DTLS. >> >> openssl-1.0.1e-dtls-ecc-ext. >> patch >> openssl-1.0.1e-cve-2014-3513. >> patch >> openssl-1.0.1e-fallback-scsv.patch >> >> We have narrowed down that when we use openssl-1.0.1e-30 Version with >> the openssl-1.0.1e-dtls-ecc-ext.patch and patches for RT3327, RT3470 >> and RT3483 on top of that, process crashes with the above abterm >> during the duration run of 24 hours. >> >> When we excluded the openssl-1.0.1e-dtls-ecc-ext.patch from >> openssl-1.0.1e-30 Version, we didn't see an abterm during the duration >> run of 24 hours. >> >> Therefore, it seems that the openssl-1.0.1e-dtls-ecc-ext.patch is >> causing the abterm in the duration run. >> >> Please let us know if there could be issues with the >> openssl-1.0.1e-dtls-ecc-ext.patch? > > All of the above are vendor specific patches (probably based on original > OpenSSL commits). However I don't know from the name what dtls-ecc-ext > is referring to. You would need to address your specific question to > your vendor. > > Is it possible that you can run the latest 1.0.1 version of standard > OpenSSL (i.e. OpenSSL 1.0.1l)? There have been some significant DTLS > related fixes that have been applied in recent versions. > > Matt > > > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From secaficionado at gmail.com Tue Feb 10 15:31:10 2015 From: secaficionado at gmail.com (Sec_Aficionado) Date: Tue, 10 Feb 2015 10:31:10 -0500 Subject: [openssl-users] AES-GCM failing from Command Line Interface In-Reply-To: <54DA13DC.8050305@openssl.org> References: <20150210022330.GA15638@openssl.org> <54DA13DC.8050305@openssl.org> Message-ID: Matt, Thanks for keeping me honest! I see it now, but I totally missed it before. I must have just played with the cli and not read the full page. Can you please confirm that EVP is the way to go? I'll create my own little PHP extension since I only need a very specific action. Thanks for your help! Sent from my mobile Please forgive any "autocorrections" I may have missed > On Feb 10, 2015, at 9:21 AM, Matt Caswell wrote: > > > >> On 10/02/15 14:09, Sec_Aficionado wrote: >> Ah, thank you! I tried a lot of things and was very frustrated. I wish the documentation reflected that. I'll see if I can contribute by updating it. > > It does: > > https://www.openssl.org/docs/apps/enc.html > "The enc program does not support authenticated encryption modes like > CCM and GCM. The utility does not store or retrieve the authentication tag." > >> >> Regarding AES-GCM from the command line, or PHP bindings, is that something that any of the OpenSSL components support? I think EVP is the intended way but there are no PHP bindings, only C from what I can tell. > > No - you can't do AES-GCM from the command line (things like s_server > and s_client support it - but that doesn't help you for what you want to > do). We don't supply the PHP bindings - you'll have to talk to the PHP > guys about that. > > Matt > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From matt at openssl.org Tue Feb 10 15:43:26 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 10 Feb 2015 15:43:26 +0000 Subject: [openssl-users] AES-GCM failing from Command Line Interface In-Reply-To: References: <20150210022330.GA15638@openssl.org> <54DA13DC.8050305@openssl.org> Message-ID: <54DA271E.9010608@openssl.org> On 10/02/15 15:31, Sec_Aficionado wrote: > Matt, > > Thanks for keeping me honest! I see it now, but I totally missed it before. I must have just played with the cli and not read the full page. > > Can you please confirm that EVP is the way to go? I'll create my own little PHP extension since I only need a very specific action. Yes. EVP is the correct way to use GCM. See: http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption and https://www.openssl.org/docs/crypto/EVP_EncryptInit.html#gcm_and_ocb_modes Note the docs on the website are for 1.1.0 (unreleased) and are subtly different to 1.0.2/1.0.1. In particular they use the newly introduced AEAD flags instead of mode specific ones. So where the docs talk about: EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_AEAD_GET_TAG EVP_CTRL_AEAD_SET_TAG You should instead use the GCM specific versions: EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_GCM_GET_TAG EVP_CTRL_GCM_SET_TAG These will still work when 1.1.0 is released. Matt From rsalz at akamai.com Tue Feb 10 21:15:36 2015 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 10 Feb 2015 21:15:36 +0000 Subject: [openssl-users] Proposed cipher changes for post-1.0.2 Message-ID: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2 Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW Anything that was 40-bit encryption is removed: /* Cipher 03 "EXP-RC4-MD5" removed */ /* Cipher 06 "EXP-RC2-CBC-MD5" removed */ /* Cipher 08 "EXP-DES-CBC-SHA" removed */ /* Cipher 0B "EXP-DH-DSS-DES-CBC-SHA" removed */ /* Cipher 0E "EXP-DH-RSA-DES-CBC-SHA" removed */ /* Cipher 11 "EXP-DHE-DSS-DES-CBC-SHA" removed */ /* Cipher 14 "EXP-DHE-RSA-DES-CBC-SHA" removed */ /* Cipher 17 "EXP-ADH-RC4-MD5" removed */ /* Cipher 19 "EXP-ADH-DES-CBC-SHA" removed */ /* Cipher 26 "EXP-KRB5-DES-CBC-SHA" removed */ /* Cipher 27 "EXP-KRB5-RC2-CBC-SHA" removed */ /* Cipher 28 "EXP-KRB5-RC4-SHA" removed */ /* Cipher 29 "EXP-KRB5-DES-CBC-MD5" removed */ /* Cipher 2A "EXP-KRB5-RC2-CBC-MD5" removed */ /* Cipher 2B "EXP-KRB5-RC4-MD5" removed */ The value of DEFAULT changes to this: ALL:!LOW:!EXPORT:!aNULL:!eNULL The combination of the first and last changes means that anyone who wants or needs to use, say RC4 must explicitly say so. Comments? -- Principal Security Engineer, Akamai Technologies IM: rsalz at jabber.me Twitter: RichSalz -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas.francis.jr at pobox.com Tue Feb 10 21:16:59 2015 From: thomas.francis.jr at pobox.com (Tom Francis) Date: Tue, 10 Feb 2015 16:16:59 -0500 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <54D4E5D3.6090808@wisemo.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> Message-ID: <37FA559B-F877-42C5-9166-12DE5B320FC7@pobox.com> I think Jakob?s real concern (as expressed to me off-list a month or so ago) is that OpenSSL?s libcrypto will become entirely hidden. I found several of his comments confusing until he mentioned that. So, I think the fair question to be asking is: Is there any plan to make libcrypto go completely opaque, such that _only_ the APIs exposed in libssl will be available? Thanks! TOM > On Feb 6, 2015, at 11:03 AM, Jakob Bohm wrote: > > On 05/02/2015 00:42, Salz, Rich wrote: >>> Not much on that page so far, not even a "kill list" of >>> intended victims except an admission that EAY's popular DES >>> library can no longer be accessed via the copy in OpenSSL. >>> >> Yup. Pretty empty. Over the coming year there will be more. >> >>> I fear that this is an indication that you will be killing >>> off all the other non-EVP entrypoints in libcrypto >>> >> Yes there is a good chance of that happening. >> >>> , making >>> it much harder to use the library with experimental or >>> non-standard algorithms and methods. >>> >> Well, not really much harder. I think that what DOES get harder is binary distributions of such things, as opposed to custom OpenSSL builds that have these new features. Don't forget, *you have the source* Hack away. Do what you want. And having a standard API that any of your consumers use will benefit your consumers greatly. And by making things like the EVP structure hidden from your consumers, then you can add a new experimental crypto mechanism and -- this is an important major benefit: THEIR CODE DOES NOT HAVE TO RECOMPILE. As an implementor, your work is a bit harder. For your users, it is much easier. Imagine being able to put an OID in a config file and applications can almost transparently use any crypto available without change. (Emphasis on ALMOST :) To us, this is clearly the right trade-off to make. >> > You seem to misunderstand the scenario: > > My scenario is: > > 1. Load an unchanged shared libcrypto.so.1.1 provided by an > OS distribution. > > 2. Implement / use / experiment with non-standard methods > (such as new modes of operation or new zero-knowledge > proofs) by calling the functions that are exported by > libcrypto out of the box. The higher level libssl is > not used for anything. > > Your scenario is: > > 1. Extend the higher level stuff (TLS1.2, CMS etc.) with non- > standard methods (such as new modes of operation or new > signature forms). > > 2. Inject this new functionality into existing applications > that use OpenSSL in generic ways, such as wget and WebKit > browsers. > > My scenario got great advantages from the large number of > fundamental interfaces exported from libcrypto.so.1.0 and > will automatically benefit when a new patch release of > OpenSSL is installed on the system (e.g. to fix a timing > attack on one of the algorithm implementations). Having > to create a custom libnotquitecrypto.so.1.1 would not do > this, and distributing such a library as source patches > became much harder when you reformatted the source. > > Looking at the reverse dependencies in Debian, the > following projects probably use low level libcrypto > interfaces to do interesting things: afflib, asterisk, > bind, clamav, crda (WiFi), crtmpserver, encfs, ewf-tools, > faifa (Ethernet over Power), gfsd, gnugk, gnupg-pkcs11-scd, > hfsprogs, hostapd (WiFi), ipppd, KAME IPSEC, OpenBSD IPSEC, > ldnsutils, apache mod-auth-cas, apache mod-auth-openid, > perl's Crypt::OpenSSL::Bignum, libh323, liblasso, barada, > StrongSWAN, unbound, libxmlsec, libzrtpcpp, nsd, opensc, > openssh, rdd, rdesktop, rsyncrypto, samdump, tor, > tpm-tools, trousers, wpasupplicant (WiFi), yate, zfs-fuse. > *This is only a rough list based on features claimed by > OpenSSL-depending packages* > >>> >>> Should everyone not doing just TLS1.2 move to a different library now, such as crypto++ ? >>> >> Use whatever works best for you, and your consumers/customers. >> >> Not everyone will agree with this direction. Some people will be inconvenienced and maybe even completely drop using OpenSSL. We discussed this pretty thoroughly, and while we respect that some may disagree, please give us credit for not doing this arbitrarily, or on a whim. >> > I believe you have made the mistake of discussing only amongst > yourselves, thus gradually convincing each other of the > righteousness of a flawed decision. > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. > http://www.wisemo.com > > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From openssl-users at dukhovni.org Tue Feb 10 21:46:46 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 10 Feb 2015 21:46:46 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: <20150210214646.GB12867@mournblade.imrryr.org> On Tue, Feb 10, 2015 at 09:15:36PM +0000, Salz, Rich wrote: > I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2 > > Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW Note, that RC4 is already the only commonly used cipher-suite in MEDIUM. Changing the definitions of EXPOR, LOW, MEDIUM introduces significant compatibility issues for opportunistic TLS (e.g. Postfix) where RC4 is still required for interop and is better than cleartext. I have no issues with changing "DEFAULT", but would strongly prefer to not see RC4 demoted to LOW. Just define: DEFAULT = ALL:!aNULL:!EXPORT:!LOW:!RC4:!MD5 Which leaves from MEDIUM just SEED and IDEA: $ openssl ciphers -v 'MEDIUM:!aNULL:!MD5:!RC4' DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1 DH-RSA-SEED-SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1 DH-DSS-SEED-SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1 SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 -- Viktor. From rsalz at akamai.com Tue Feb 10 22:00:35 2015 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 10 Feb 2015 22:00:35 +0000 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <37FA559B-F877-42C5-9166-12DE5B320FC7@pobox.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> <37FA559B-F877-42C5-9166-12DE5B320FC7@pobox.com> Message-ID: > Is there any plan to make libcrypto go completely opaque, such that _only_ > the APIs exposed in libssl will be available? Absolutely not. Thanks for asking! From matt at openssl.org Tue Feb 10 22:48:36 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 10 Feb 2015 22:48:36 +0000 Subject: [openssl-users] The evolution of the 'master' branch In-Reply-To: <37FA559B-F877-42C5-9166-12DE5B320FC7@pobox.com> References: <20150203220231.GA12587@openssl.org> <54D23F42.3060203@wisemo.com> <453ad2042e6c43e5897f1689e230883f@ustx2ex-dag1mb2.msg.corp.akamai.com> <54D4E5D3.6090808@wisemo.com> <37FA559B-F877-42C5-9166-12DE5B320FC7@pobox.com> Message-ID: <54DA8AC4.6080700@openssl.org> On 10/02/15 21:16, Tom Francis wrote: > I think Jakob?s real concern (as expressed to me off-list a month or so ago) is that OpenSSL?s libcrypto will become entirely hidden. I found several of his comments confusing until he mentioned that. So, I think the fair question to be asking is: > > Is there any plan to make libcrypto go completely opaque, such that _only_ the APIs exposed in libssl will be available? No. There is a plan to make "most structures" opaque, with accessor functions provided instead if required (in much the same way as we are doing with libssl). The bn stuff has already had that treatment applied. There is also a discussion about whether low-level cipher APIs should be removed in favour of EVP or not. It's a discussion. No decisions or consensus either way at the moment. Matt From rsalz at akamai.com Wed Feb 11 00:22:44 2015 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 11 Feb 2015 00:22:44 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <87bnl1qru5.fsf@alice.fifthhorseman.net> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> Message-ID: > currently, this is an error: > > 0 dkg at alice:~$ openssl ciphers -v ALL:!NO-SUCH-CIPHER > bash: !NO-SUCH-CIPHER: event not found > 0 dkg at alice:~$ Yeah, but that's coming from bash, not openssl :) ; openssl ciphers -v ALL | wc 111 675 8403 ; openssl ciphers -v ALL:!FOOBAR | wc 111 675 8403 RC4 in LOW has a bit of pushback so far. My cover for it is that the IETF says "don't use it." So I think saying "if you want it, say so" is the way to go. /r$ From openssl-users at dukhovni.org Wed Feb 11 01:21:37 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 01:21:37 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <87bnl1qru5.fsf@alice.fifthhorseman.net> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> Message-ID: <20150211012137.GH12867@mournblade.imrryr.org> On Tue, Feb 10, 2015 at 06:17:38PM -0500, Daniel Kahn Gillmor wrote: > On Tue 2015-02-10 16:15:36 -0500, Salz, Rich wrote: > > I would like to make the following changes in the cipher specs, in the master branch, which is planned for the next release after 1.0.2 > > > > Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW > > yes, please! There are lots of ways to disable RC4: * You can do that in a browser, or any other application * The NCONF interface allows one to specify this in suitable configuration files. * Security levels can be similarly specified, ... * TLS 1.3 will not support RC4, ... However, OpenSSL MUST NOT force this choice on applications or require them to be explicitly modified to continue to support RC4. It is NOT the library's job to set this policy. > when these are "removed", what will that do to a cipherstring that > specifies them by negation? > > currently, this is an error: > > 0 dkg at alice:~$ openssl ciphers -v ALL:!NO-SUCH-CIPHER > bash: !NO-SUCH-CIPHER: event not found PBKAC: $ openssl ciphers -v 'RC4:!FOOBARXYZZY' ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1 ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1 AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1 ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1 ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1 EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -- Viktor. From openssl-users at dukhovni.org Wed Feb 11 02:00:50 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 02:00:50 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> Message-ID: <20150211020050.GI12867@mournblade.imrryr.org> On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote: > RC4 in LOW has a bit of pushback so far. My cover for it is that > the IETF says "don't use it." So I think saying "if you want it, > say so" is the way to go. By all means, don't use it, but it is not OpenSSL's choice to make by breaking the meaning of existing interfaces. If you put RC4 in LOW, one can no longer exclude LOW ciphers if one still needs RC4. Nobody uses single-DES, but enough peers still use (only) RC4 to make disabling of RC4 a choice best made by applications. -- Viktor. From rsalz at akamai.com Wed Feb 11 03:30:57 2015 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 11 Feb 2015 03:30:57 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <20150211020050.GI12867@mournblade.imrryr.org> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> Message-ID: > By all means, don't use it, but it is not OpenSSL's choice to make by breaking > the meaning of existing interfaces. Except that we've explicitly stated we're breaking things with this new release. Those magic cipher keywords are point-in-time statements. And time has moved on. From openssl-users at dukhovni.org Wed Feb 11 03:49:53 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 03:49:53 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> Message-ID: <20150211034953.GP12867@mournblade.imrryr.org> On Wed, Feb 11, 2015 at 03:30:57AM +0000, Salz, Rich wrote: > > By all means, don't use it, but it is not OpenSSL's choice to make by breaking > > the meaning of existing interfaces. > > Except that we've explicitly stated we're breaking things with this new release. > > Those magic cipher keywords are point-in-time statements. And time has moved on. Those categories had and continue to have sensible definitions to which the proposed changes would do unwarranted violence. It is OK to drop EXPORT ciphers entirely. It is OK to drop LOW ciphers entirely. Nobody is using either. The deprecation of RC4 is still aspirational, and reclassifying it as LOW breaks configurations where it is still needed. It is largely sufficient to drop RC4 from the "DEFAULT" cipherlist, leaving applications that make more fine-grained choices to make their own RC4 decisions. The DEFAULT cipherlist is a point-in-time definition, but EXPORT, LOW, MEDIUM and HIGH have more precise expected semantics. Libraries should only break compatibility when there is no choice. Here there are many alternatives. Including the "security level" features already in the master release, which address the issue more systematically. This, plus further work on documenting NCONF, publishing reasonably complete best-practice sample client and server programs will do a lot more good than needlessly breaking non-browser opportunistic TLS applications. -- Viktor. From openssl-users at dukhovni.org Wed Feb 11 07:13:46 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 07:13:46 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <87twytosbk.fsf@alice.fifthhorseman.net> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <87twytosbk.fsf@alice.fifthhorseman.net> Message-ID: <20150211071345.GT12867@mournblade.imrryr.org> On Wed, Feb 11, 2015 at 01:50:07AM -0500, Daniel Kahn Gillmor wrote: > > RC4 in LOW has a bit of pushback so far. My cover for it is that the > > IETF says "don't use it." So I think saying "if you want it, say so" is > > the way to go. > > I think that's the correct position. People who want to be able to > negotiate a deprecated cipher should need to explicitly state that > that's their intent. I do: aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH The proposal to now misclassify RC4 as LOW (lumped in with single DES and similar) needlessly breaks this. -- Viktor. From joerg.eyring at topix.de Wed Feb 11 08:44:21 2015 From: joerg.eyring at topix.de (=?iso-8859-1?Q?J=F6rg_Eyring?=) Date: Wed, 11 Feb 2015 09:44:21 +0100 Subject: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken? Message-ID: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> Hi all, I'm generating a certificate request and the necessary entries are added with: ... if(!X509_NAME_add_entry_by_txt(subj,"C", MBSTRING_ASC, (unsigned char *) CountryName,-1,-1,0)) ... if(!X509_NAME_add_entry_by_txt(subj,"O", MBSTRING_ASC, (unsigned char *) OrganizationName,-1,-1,0)) ... if(!X509_NAME_add_entry_by_txt(subj,"OU", MBSTRING_ASC, (unsigned char *) OrganizationUnit,-1,-1,0)) ... X509_NAME_add_entry_by_txt does only respect the given encoding MBSTRING_ASC for the first entry, the subsequent entries are encoded with MBSTRING_UTF8 (seen with a BER Viewer). The certificate request is declined by the authority with an error: "...doesn't contain five PRINTABLESTRING elements..." The most recent version of OpenSSL we've been using was 1.0.1c where everything worked fine. Any ideas what's going wrong? Thanks, J?rg From joerg.eyring at topix.de Wed Feb 11 09:09:04 2015 From: joerg.eyring at topix.de (=?iso-8859-1?Q?J=F6rg_Eyring?=) Date: Wed, 11 Feb 2015 10:09:04 +0100 Subject: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken? In-Reply-To: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> References: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> Message-ID: <9C42C70C-DBD9-44CD-B674-B37CC4BAA9A3@topix.de> Sorry, if my post shows up several times - I had some problems with my mail client ;-) It was meant to posted only once... J?rg From Michael.Wojcik at microfocus.com Wed Feb 11 15:07:11 2015 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Wed, 11 Feb 2015 15:07:11 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <20150211020050.GI12867@mournblade.imrryr.org> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Tuesday, February 10, 2015 21:01 > To: openssl-dev at openssl.org; openssl-users at openssl.org > Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for > post-1.0.2 > > On Wed, Feb 11, 2015 at 12:22:44AM +0000, Salz, Rich wrote: > > > RC4 in LOW has a bit of pushback so far. My cover for it is that > > the IETF says "don't use it." So I think saying "if you want it, > > say so" is the way to go. > > By all means, don't use it, but it is not OpenSSL's choice to make > by breaking the meaning of existing interfaces. > > If you put RC4 in LOW, one can no longer exclude LOW ciphers if > one still needs RC4. Nobody uses single-DES, but enough peers > still use (only) RC4 to make disabling of RC4 a choice best made > by applications. I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it explicilty in DEFAULT) is a good one that maintains important backward compatibility while providing the desired removal of RC4 by default. There's no advantage to moving RC4 to LOW. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com From rsalz at akamai.com Wed Feb 11 15:46:54 2015 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 11 Feb 2015 15:46:54 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> Message-ID: <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> > I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it > explicilty in DEFAULT) is a good one that maintains important backward > compatibility while providing the desired removal of RC4 by default. There's > no advantage to moving RC4 to LOW. Sure there is: it's an accurate description of the quality of protection provided by the algorithm. :) It's also compatible with our documentation, which as was pointed out, always uses the word "currently" to describe the magic keywords. And it's also planned for the next version which won't be available until near the end of the year. And it's also compliant with the expected publication of the IETF RFC's that talk about TLS configuration and attacks. Postfix can work lay the groundwork to be future-compliant by changing its default configuration to be HIGH:MEDIUM:RC4. From Michael.Wojcik at microfocus.com Wed Feb 11 18:16:06 2015 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Wed, 11 Feb 2015 18:16:06 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Salz, Rich > Sent: Wednesday, February 11, 2015 10:47 > To: openssl-users at openssl.org; openssl-dev at openssl.org > Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for > post-1.0.2 > > > I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it > > explicilty in DEFAULT) is a good one that maintains important backward > > compatibility while providing the desired removal of RC4 by default. There's > > no advantage to moving RC4 to LOW. > > Sure there is: it's an accurate description of the quality of protection > provided by the algorithm. :) Hobgoblin consistency. > It's also compatible with our documentation, which as was pointed out, > always uses the word "currently" to describe the magic keywords. Hobgoblins everywhere. And by that argument, any action is equally "compatible" with the documentation. > And it's also planned for the next version which won't be available until near > the end of the year. I'm not sure why that's relevant. > And it's also compliant with the expected publication of the IETF RFC's that > talk about TLS configuration and attacks. Frankly, that's rubbish. OpenSSL cipher lists are not "compliant" with RFCs because RFCs don't specify OpenSSL cipher lists. It's an entirely specious justification. And even if it weren't, explicitly disabling RC4 in the DEFAULT list would "comply" with the RFC. > Postfix can work lay the groundwork to be future-compliant by changing its > default configuration to be HIGH:MEDIUM:RC4. All sorts of things can be done. Clearly, in the Brave New World of well-funded OpenSSL, they'll have to be, because it's apparent that we're going to see a lot of disruptive change made on the flimsiest of pretexts, with objections from the user community brushed aside. That's your prerogative, of course, and anyone's free to fork OpenSSL. But it's a shame. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com From rsalz at akamai.com Wed Feb 11 18:25:44 2015 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 11 Feb 2015 18:25:44 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: > All sorts of things can be done. Clearly, in the Brave New World of well- > funded OpenSSL, they'll have to be, because it's apparent that we're going to > see a lot of disruptive change made on the flimsiest of pretexts, with > objections from the user community brushed aside. That's your prerogative, > of course, and anyone's free to fork OpenSSL. But it's a shame. I am surprised by the strength of your reaction. Hmm. From jb-openssl at wisemo.com Wed Feb 11 19:06:52 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 11 Feb 2015 20:06:52 +0100 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: <54DBA84C.8000001@wisemo.com> On 11/02/2015 16:46, Salz, Rich wrote: >> I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it >> explicilty in DEFAULT) is a good one that maintains important backward >> compatibility while providing the desired removal of RC4 by default. There's >> no advantage to moving RC4 to LOW. > Sure there is: it's an accurate description of the quality of protection provided by the algorithm. :) Is the security level (i.e. log2 of the cost of the best known direct attack) 40 bits (historical EXPORT label), 56 bits (historical LOW label), 112 to 127 bits (historical MEDIUM) level, or somewhere in between? This is the real question that should guide its classification, not if it is "lower than what is currently recommended". Given the currenly available ciphers, it may make sense to add new groups: HIGH192, HIGH256 and larger ones still. As time progresses, the default can then move from HIGH to HIGH192, to HIGH256 as the state of the art changes, without redefining semantics. Furthermore, the various attacks on SSL3/TLS1.0 padding and IV logic creates an ongoing need to have a widely supported, TLS1.0 compatible stream-or-otherwise-unpadded cipher choice as an emergency fallback as other protections are being rolled out by all kinds of vendors. For example RC4 is immune to POODLE as well as a previous widelypublicized attack, simply because it uses neither the flawed SSL3padding nor the sometimes problematic TLS1.0 IV selection. No other cipher provides this protection when talking to older peers that cannot or will not upgrade to the latest-and-greatest TLS standards. > It's also compatible with our documentation, which as was pointed out, always uses the word "currently" to describe the magic keywords. > > And it's also planned for the next version which won't be available until near the end of the year. > > And it's also compliant with the expected publication of the IETF RFC's that talk about TLS configuration and attacks. > > Postfix can work lay the groundwork to be future-compliant by changing its default configuration to be HIGH:MEDIUM:RC4. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Wed Feb 11 19:47:11 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 19:47:11 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com> Message-ID: <20150211194711.GX12867@mournblade.imrryr.org> On Wed, Feb 11, 2015 at 03:46:54PM +0000, Salz, Rich wrote: > > I agree with Viktor. His suggestion (keep RC4 in MEDIUM, suppress it > > explicitly in DEFAULT) is a good one that maintains important backward > > compatibility while providing the desired removal of RC4 by default. There's > > no advantage to moving RC4 to LOW. > > Sure there is: it's an accurate description of the quality of protection provided by the algorithm. :) Except that it is not. There are off-the-shelf key recovery attacks on 56-bit DES (essentially the only LOW cipher anyone might actually use, though nobody does anymore). The known attacks on RC4 are only effective when a great many plaintexts includes the same sensitive content at a fixed position in the data stream. While this does mean we should stop using RC4 as soon as practical, it is far from equating the security of RC4 with single-DES. > It's also compatible with our documentation, which as was pointed > out, always uses the word "currently" to describe the magic keywords. Sure, there's some rope there, it does not mean we need to hang ourselves. The basic ciphersuite primitives by now have well understood meanings that should only be changed with great care if at all. > Postfix can work lay the groundwork to be future-compliant by changing its default configuration to be HIGH:MEDIUM:RC4. Except that "RC4" includes export-grade RC4, so that would be wrong. Also Postfix defines a more usable user-interface of cipher "grades": smtp_tls_cipher_grade = null | export | low | medium | high where "export" is EXPORT and up, "low" is "LOW" and up, "medium" is "MEDIUM" and up, with the underlying definitions also configurable but most users are encouraged to stay well clear of those: tls_null_cipherlist = eNULL:!aNULL tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH instead users choose a grade, and may also specify exclusions: smtp_tls_exclude_ciphers = RC4, PSK, aDSS, ... this provides enough flexibility to allow emergency tweaks to be applied by users to deal with future issues, without requiring users to be experts in OpenSSL cipherlists. It is important to remember that all the moving pieces are part of an ecosystem: * The OpenSSL project provides a foundation library to application developers (like myself with Postfix) AND to O/S release engineering teams that take upstream Postfix and upstream OpenSSL and package these into integrated systems. * The Postfix developers create a Postfix release with sensible backwards-compatible and reasonably future-proof cipherlist settings. * Postfix is built from source by the O/S release engineering team against some OpenSSL library available at the time of the build. * Users deploy systems with some Postfix version and some OpenSSL version. They expect Postfix to be reasonably interoperable and backwards-compatible out of the box. I am not sympathetic to the view that libraries should set application policy because application developers are lazy. I am not lazy, and take the time to give users carefully chosen cipher settings. These setting use documented primitives that avoid being too specific, so that Postfix will take advantage of new ciphers (not block progress) as these become available, and prioritizes these appropriately. If some developers do nothing and just want the library to be magic security pixie-dust, then they benefit or get hurt by the "DEFAULT" ciphersuite. If developers or users do make more fine-grained choices, those ought not change capriciously. -- Viktor. From Michael.Wojcik at microfocus.com Wed Feb 11 19:58:53 2015 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Wed, 11 Feb 2015 19:58:53 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com>

Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Salz, Rich > Sent: Wednesday, February 11, 2015 13:26 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] [openssl-dev] Proposed cipher changes for > post-1.0.2 > > > All sorts of things can be done. Clearly, in the Brave New World of well- > > funded OpenSSL, they'll have to be, because it's apparent that we're going to > > see a lot of disruptive change made on the flimsiest of pretexts, with > > objections from the user community brushed aside. That's your prerogative, > > of course, and anyone's free to fork OpenSSL. But it's a shame. > > I am surprised by the strength of your reaction. Hmm. Well, let me try to explain. There are two related issues here. One is simply that we're seeing a lot of OpenSSL roadmap announcements. That's good in the sense that before the funding boost, progress was of course much slower and communication much less frequent. On the other hand, it's worrying because those changes have consequences for developers working with OpenSSL, and so we need to account for them in our plans. And while those announcements are generally couched as requests for feedback, arguments against them usually don't seem to carry much weight. Things are changing relatively quickly with OpenSSL and that is a destabilizing circumstance in itself. (The obvious answer would be to delay adopting new OpenSSL releases, and only pick up fixes. Sometimes that's a solution. Sometimes new fix levels change behavior, though; and sometimes, in these post-Heartbleed days, customers demand the latest release for no very good reason. Right now I have a customer insisting we update one product line to OpenSSL 1.0.1m, which obviously is a little difficult.) The second issue is that any user-visible change in behavior that's not solely a fix to a vulnerability is significant work for us, particularly if it involves code changes. We have to make the necessary updates, test, provide documentation, and ensure customers are aware of the change. It's a substantial effort if the change in OpenSSL requires a corresponding change in our code, but at least in that case the integration process catches it. If it's a runtime behavior change, then we have to make sure all the affected development teams are aware of it, because we can't be sure that everyone has tests that will catch it. We have multiple teams in the organization using OpenSSL independently. We're working on a plan to bring all our OpenSSL builds under a single group which can be responsible for tracking changes, but that's a long way off yet. We have product lines that use our other products internally to provide SSL/TLS, and those teams don't know what's happening with OpenSSL - they just expect it to work. (This does raise a rather delicate point: sponsorship. Let's just say that I've suggested it in the past and it hasn't gotten a lot of traction. I keep meaning to donate personally but ... oh, hell, let's just do it now. Done. Coals to Newcastle these days, but every bit helps, I suppose.) So, for the components I personally work on, this change (RC4 into LOW) isn't a big deal. One product line sets ciphers explicitly, either using its own default list or one configured by the user; another might need a change (haven't checked) to maintain existing behavior, but it's time to review that anyway. It's the 20-odd other product lines that I'm more worried about, because i don't even know what all of them are. And I don't know how changes like this in OpenSSL behavior affect, say, the SUSE division - how many updated packages they'll have to integrate and test. Maybe it's not a big deal; maybe it's a lot of work. Maybe they welcome this particular change regardless. (I'll have to ask on our next security call.) Anyway, this has gone on too long already. The basic point is that these changes affect us, the users of OpenSSL, sometimes in quite disruptive ways. And sometimes they leak through to our users, and we have to handle that situation. So yes, some of us will be resistant to changes that we think aren't strongly justified. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com From openssl-users at dukhovni.org Wed Feb 11 20:21:37 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 11 Feb 2015 20:21:37 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: <1672004.gQCVnt9D6P@pintsize.usersys.redhat.com> References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <20150210214646.GB12867@mournblade.imrryr.org> <1672004.gQCVnt9D6P@pintsize.usersys.redhat.com> Message-ID: <20150211202137.GY12867@mournblade.imrryr.org> On Wed, Feb 11, 2015 at 12:59:22PM +0100, Hubert Kario wrote: > On Tuesday 10 February 2015 21:46:46 Viktor Dukhovni wrote: > > On Tue, Feb 10, 2015 at 09:15:36PM +0000, Salz, Rich wrote: > > > I would like to make the following changes in the cipher specs, in the > > > master branch, which is planned for the next release after 1.0.2 > > > > > > Anything that uses RC4 or MD5 what was in MEDIUM is now moved to LOW > > > > Note, that RC4 is already the only commonly used cipher-suite in MEDIUM. > > > > Changing the definitions of EXPOR, LOW, MEDIUM introduces significant > > compatibility issues for opportunistic TLS (e.g. Postfix) where > > RC4 is still required for interop and is better than cleartext. > > Opportunistic TLS is a-typical use of TLS. One that is vulnerable to trivial > MitM attacks by the very definition. Using "ALL", possibly "ALL:!aNULL", > instead of "DEFAULT" doesn't make it much less secure. Yeah, right, 70-90% of the world's email using opportunistic TLS is "atypical". XMPP server-to-server using opportunistic TLS is "atypical", sorry the browser use-case is not the sole use of TLS. As for vulnerable to MiTM, opportunistic TLS is less vulnerable than cleartext. (I'll believe that you actually care that opportunistic TLS is not secure enough when Redhat deploys DNSSEC and DANE TLSA RRs for its MX hosts). -- Viktor. From jb-openssl at wisemo.com Wed Feb 11 20:58:40 2015 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 11 Feb 2015 21:58:40 +0100 Subject: [openssl-users] Changelog inconsistency between 1.0.1l and 1.0.2 Message-ID: <54DBC280.6070603@wisemo.com> The changelog (file CHANGES) in the 1.0.2 tarball contains some confusingdifferences fromthe one in 1.0.1l. Specifically: The 1.0.2 changelog seems to indicate that a few bugs that were fixed in the 1.0.1 branch were not fixed in the 1.0.2 branch (dtls1_get_record segmentation fault, dtls1_buffer_record memory leak, no-ssl3 NULL issue, unverified DH client certificates, BN_sqr bug). The 1.0.2 changelog also contains a spurious copy of an incomplete draft of the 1.0.1j changes, sandwiched between 1.0.1h and 1.0.1i. Please clarify if the missing entries are actually fixed in 1.0.2 anyway. Also pleaseclean up any differences that are just typos before the future 1.0.2arelease. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: From dthompson at prinpay.com Thu Feb 12 00:28:09 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Wed, 11 Feb 2015 19:28:09 -0500 Subject: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken? In-Reply-To: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> References: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> Message-ID: <003601d0465a$ca77e380$5f67aa80$@prinpay.com> > From: openssl-users On Behalf Of J?rg Eyring > Sent: Wednesday, February 11, 2015 03:44 > I'm generating a certificate request and the necessary entries are added > with: > ... > if(!X509_NAME_add_entry_by_txt(subj,"C", MBSTRING_ASC, (unsigned > char *) CountryName,-1,-1,0)) > X509_NAME_add_entry_by_txt does only respect the given encoding > MBSTRING_ASC for the first entry, the subsequent entries are encoded with > MBSTRING_UTF8 (seen with a BER Viewer). The certificate request is > declined by the authority with an error: "...doesn't contain five > PRINTABLESTRING elements..." > > The most recent version of OpenSSL we've been using was 1.0.1c where > everything worked fine. > ASN1 strings set with the "generic" MBSTRING_ types that are for known/standard OID-value pairs are constrained by tbl_standard in asn1/a_strnid.c. A few like Country are forced to Printable as per standard. Those standardized as DirectoryString are anded with a "default mask" then a_mbstr.c chooses the "lowest" type supporting the characters in the value. Which allowed *two* of the eight single-byte types (Teletex and Printable). This is mentioned, very briefly, in the manpage for X509_NAME_add_entry. 1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe to implement the MUST UTF8 for DirectoryString's in 2459 and 3280, even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable, I suspect to be safe for implementations of the older standard. req and ca override this by calling ASN1_STRING_set_default_mask_asc with the (string) value of string_mask in the configuration if specified, and the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils. There is also a numeric version ASN1_STRING_set_default_mask . HTH. From raji.kotamraju at gmail.com Thu Feb 12 05:39:32 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Thu, 12 Feb 2015 11:09:32 +0530 Subject: [openssl-users] i2d and d2i fucntions Message-ID: Hello Openssl users, I have a query on d2i_PUBKEY() and i2d_PUBKEY(). i have a EC public key in form of character buffer. Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY format EC key. Now i tried to input this EVP_PKEY to i2d_PUBKEY() to compare will i get exactly same data which i gave as input to d2i_PUBKEY(). But i see that the outputs are completely different. i2d_PUBKEY() is leaving lots of 0's at the o/p buffer. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 FD 1 10 DF AB 12 34 CD 0 6F 0 0 0 0 1 83 F 8B AF D8 D ................................................ My goal is, to get complete EC public key in form of asn1 der encoded from EC_KEY structure. I tried to use i2d_EC_PUBKEY() and i20_ECPublickey(). But both results seems similar. 0 FD 1 10 DF AB 12 34 CD 0 6F 0 0 0 0 1 83 F 8B AF D8 D ...................................... Can you please help me with respective API's to call to get complete EC public key buffer which will have asn1 oid's, formats etc. included in the public key buffer. Thanks, Rajeswari. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Thu Feb 12 10:15:53 2015 From: matt at openssl.org (Matt Caswell) Date: Thu, 12 Feb 2015 10:15:53 +0000 Subject: [openssl-users] Code Reformat blog post Message-ID: <54DC7D59.9010603@openssl.org> I have posted a new blog article covering the recent reformat activity: https://www.openssl.org/blog/blog/2015/02/11/code-reformat-finished/ It's basically a review of what we did, how we did it and the problems we encountered. It also discusses the various tags that we've created in the repo, and outlines how you might go about reformatting patches that you maintain. Matt From joerg.eyring at topix.de Thu Feb 12 11:16:49 2015 From: joerg.eyring at topix.de (=?iso-8859-1?Q?J=F6rg_Eyring?=) Date: Thu, 12 Feb 2015 12:16:49 +0100 Subject: [openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken? In-Reply-To: <003601d0465a$ca77e380$5f67aa80$@prinpay.com> References: <2F7A0129-3291-4E1B-895B-5705E92A5C02@topix.de> <003601d0465a$ca77e380$5f67aa80$@prinpay.com> Message-ID: <76DBA776-4B76-493C-BF39-1F524967E05C@topix.de> Am 12.02.2015 um 01:28 schrieb Dave Thompson : > ASN1 strings set with the "generic" MBSTRING_ types that are for > known/standard OID-value pairs are constrained by tbl_standard in > asn1/a_strnid.c. A few like Country are forced to Printable as per standard. > > Those standardized as DirectoryString are anded with a "default mask" then > a_mbstr.c chooses the "lowest" type supporting the characters in the value. > Which allowed *two* of the eight single-byte types (Teletex and Printable). > This is mentioned, very briefly, in the manpage for X509_NAME_add_entry. > > 1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe > to implement the MUST UTF8 for DirectoryString's in 2459 and 3280, > even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable, > I suspect to be safe for implementations of the older standard. > > req and ca override this by calling ASN1_STRING_set_default_mask_asc > with the (string) value of string_mask in the configuration if specified, > and > the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils. > There is also a numeric version ASN1_STRING_set_default_mask . > > HTH. Hi Dave, thanks for your explanation. I wish these changes would have been documented somewhere in the version history of OpenSSL. unsigned long defaultMask = ASN1_STRING_get_default_mask(); ASN1_STRING_set_default_mask (B_ASN1_PRINTABLESTRING); ...add entries? ASN1_STRING_set_default_mask (defaultMask); seems to do the job. J?rg -------------- next part -------------- An HTML attachment was scrubbed... URL: From dthompson at prinpay.com Thu Feb 12 21:06:34 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Thu, 12 Feb 2015 16:06:34 -0500 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: Message-ID: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Thursday, February 12, 2015 00:40 > I have a query on d2i_PUBKEY() and i2d_PUBKEY(). > i have a EC public key in form of character buffer. > Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY format EC key. To be exact, a byte (or even more exact octet) buffer. In C (and C++ and ObjC) it's type 'char[]' or better 'unsigned char[]', but the values do not and often cannot represent *characters&. > Now i tried to input this EVP_PKEY to i2d_PUBKEY() to compare will i get > exactly same data which i gave as input to d2i_PUBKEY(). > But i see that the outputs are completely different. > i2d_PUBKEY() is leaving lots of 0's at the o/p buffer. > 0 > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 > FD 1 10 DF AB 12 34 CD 0 6F 0 0 0 0 1 83 > F 8B AF D8 D ................................................ You must be doing something wrong. Probably the most common is, are you looking at the beginning of the buffer? Remember that after calling i2d_whatever, the pointer you give it is moved to point *after* the encoded data, at unused and often junk memory. If that's not it, reduce your code to the minimum that shows the problem, post it, and identify the version and build you are using. > My goal is, to get complete EC public key in form of asn1 der > encoded from EC_KEY structure. > I tried to use i2d_EC_PUBKEY() and i20_ECPublickey(). Note that PUBKEY is the X.509 SPKI format: it contains an AlgorithmIdentifier identifying the algorithm and the curve, *and* the public key value (a point) embedded in a bitstring, all combined into an ASN.1 structure and DER encoded. i2o_ECPublicKey (letter o not zero) uses a special non-ASN1 non-DER encoding that contains *only* the point. From raji.kotamraju at gmail.com Thu Feb 12 23:18:15 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Fri, 13 Feb 2015 04:48:15 +0530 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> Message-ID: Hello Dave, Am really thankful to you. I am unaware that i2d_EC_PUBKEY() or i2d_xxxxx function will move the pointer to after the encoded data. Due to which am seeing unexpected data. Based on your reply, i tried to print the data from the memory address which i allocated. Now the data is exactly same as what i inputted through d2i_PUBKEY(). This resolves my current issue. Once again, thanks alot. Rajeswari. On Fri, Feb 13, 2015 at 2:36 AM, Dave Thompson wrote: > > From: openssl-users On Behalf Of Rajeswari K > > Sent: Thursday, February 12, 2015 00:40 > > > I have a query on d2i_PUBKEY() and i2d_PUBKEY(). > > > i have a EC public key in form of character buffer. > > Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY > format EC key. > > To be exact, a byte (or even more exact octet) buffer. In C > (and C++ and ObjC) it's type 'char[]' or better 'unsigned char[]', > but the values do not and often cannot represent *characters&. > > > Now i tried to input this EVP_PKEY to i2d_PUBKEY() to compare will i get > > exactly same data which i gave as input to d2i_PUBKEY(). > > > But i see that the outputs are completely different. > > > i2d_PUBKEY() is leaving lots of 0's at the o/p buffer. > > > 0 > > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 > > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 > > FD 1 10 DF AB 12 34 CD 0 6F 0 0 0 0 1 83 > > F 8B AF D8 D ................................................ > > You must be doing something wrong. Probably the most common is, > are you looking at the beginning of the buffer? Remember that after > calling i2d_whatever, the pointer you give it is moved to point > *after* the encoded data, at unused and often junk memory. > > If that's not it, reduce your code to the minimum that shows the > problem, post it, and identify the version and build you are using. > > > My goal is, to get complete EC public key in form of asn1 der > > encoded from EC_KEY structure. > > > I tried to use i2d_EC_PUBKEY() and i20_ECPublickey(). > > Note that PUBKEY is the X.509 SPKI format: it contains an > AlgorithmIdentifier identifying the algorithm and the curve, > *and* the public key value (a point) embedded in a bitstring, > all combined into an ASN.1 structure and DER encoded. > > i2o_ECPublicKey (letter o not zero) uses a special non-ASN1 > non-DER encoding that contains *only* the point. > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From raji.kotamraju at gmail.com Fri Feb 13 14:47:40 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Fri, 13 Feb 2015 20:17:40 +0530 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> Message-ID: Hello Openssl Team, Currently am seeing an issue as follows. We would like to use our internal verification logics for the key exchange message received at SSL client. As part of this, we have registered with our function pointers. ECDSA_verify() is now calling our registered function to perform signature verification. As part of signature verification, we first take lenght_of_signature received and compare with double the size of number_of_bytes from curve parameter. Have converted the ECDSA_SIG to unsigned char * using the function i2d_ECDSA_SIG(). Length returned by i2d_ECDSA_SIG() is 103. Whereas, the number_of_bytes value from curve parameter is 48. Our verification failing as (103 != 2*48). Can you please share do we need to skip any number of bytes from the sig_buf converted via i2d_ECDSA_SIG()? Or, am i missing anything in this context? Thanks, Rajeswari. On Fri, Feb 13, 2015 at 4:48 AM, Rajeswari K wrote: > Hello Dave, > > Am really thankful to you. I am unaware that i2d_EC_PUBKEY() or i2d_xxxxx > function will move the pointer to after the encoded data. Due to which am > seeing unexpected data. > > Based on your reply, i tried to print the data from the memory address > which i allocated. Now the data is exactly same as what i inputted through > d2i_PUBKEY(). > > This resolves my current issue. Once again, thanks alot. > > Rajeswari. > > On Fri, Feb 13, 2015 at 2:36 AM, Dave Thompson > wrote: > >> > From: openssl-users On Behalf Of Rajeswari K >> > Sent: Thursday, February 12, 2015 00:40 >> >> > I have a query on d2i_PUBKEY() and i2d_PUBKEY(). >> >> > i have a EC public key in form of character buffer. >> > Have inputted this character buffer to d2i_PUBKEY() and got EVP_PKEY >> format EC key. >> >> To be exact, a byte (or even more exact octet) buffer. In C >> (and C++ and ObjC) it's type 'char[]' or better 'unsigned char[]', >> but the values do not and often cannot represent *characters&. >> >> > Now i tried to input this EVP_PKEY to i2d_PUBKEY() to compare will i get >> > exactly same data which i gave as input to d2i_PUBKEY(). >> >> > But i see that the outputs are completely different. >> >> > i2d_PUBKEY() is leaving lots of 0's at the o/p buffer. >> >> > 0 >> > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 >> > 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 >> > FD 1 10 DF AB 12 34 CD 0 6F 0 0 0 0 1 83 >> > F 8B AF D8 D ................................................ >> >> You must be doing something wrong. Probably the most common is, >> are you looking at the beginning of the buffer? Remember that after >> calling i2d_whatever, the pointer you give it is moved to point >> *after* the encoded data, at unused and often junk memory. >> >> If that's not it, reduce your code to the minimum that shows the >> problem, post it, and identify the version and build you are using. >> >> > My goal is, to get complete EC public key in form of asn1 der >> > encoded from EC_KEY structure. >> >> > I tried to use i2d_EC_PUBKEY() and i20_ECPublickey(). >> >> Note that PUBKEY is the X.509 SPKI format: it contains an >> AlgorithmIdentifier identifying the algorithm and the curve, >> *and* the public key value (a point) embedded in a bitstring, >> all combined into an ASN.1 structure and DER encoded. >> >> i2o_ECPublicKey (letter o not zero) uses a special non-ASN1 >> non-DER encoding that contains *only* the point. >> >> >> _______________________________________________ >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mikec1404 at gmail.com Fri Feb 13 15:29:41 2015 From: mikec1404 at gmail.com (Mike Collins) Date: Fri, 13 Feb 2015 09:29:41 -0600 Subject: [openssl-users] 1.0.1 upgrade issue Message-ID: I am upgrading an embedded linux board's BSP from 1.0.0m to 1.0.1l due to a requirement for TLS v1.1. Version 1.0.1 will cross compile without errors using my 1.0.0 configuration but I have identified the following errors on the board (so far) with the build using 1.0.1: 1.) Cannot create a RSA key 2.) Trying to connect to the board's Lighttpd web server via https will timeout with PKCS #11 error 3.) Curl https POST calls fail with RSA padding error. Board has a ARM926EJ based processor and I am using a Codesourcery Lite toolchain. Configure settings (besides --prefix, etc) are shared, no-asm, linux-generic32, no-ssl2. All the other packages on the board have been rebuilt against the new openssl version. I am looking at the key creation first since that may be causing the other issues. If I try to create a key from the board command line using "openssl genrsa -out testkey.pem 2048" I get a response of "Generating RSA private key, 2048 bit long modulus". At this point it seems to get stuck in a loop; I am seeing the progress indicators (".") but it will never finish creating the key. I have let it run 10-15 minutes without completion; it just keeps displaying successive progress indicators. I can do Ctrl-C and it will exit. I don't think so but are there any dependency changes from 1.0.0 to 1.0.1? I noticed 1.0.2 has been released so tried that as well but have the same result as 1.0.1 Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Fri Feb 13 16:14:37 2015 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 13 Feb 2015 16:14:37 +0000 Subject: [openssl-users] [openssl-dev] Proposed cipher changes for post-1.0.2 In-Reply-To: References: <8f03875f82be44f2894e7c7ac29fdd04@ustx2ex-dag1mb2.msg.corp.akamai.com> <87bnl1qru5.fsf@alice.fifthhorseman.net> <20150211020050.GI12867@mournblade.imrryr.org> <240867ca3376443fae0aa6ef966b8552@ustx2ex-dag1mb2.msg.corp.akamai.com>

Message-ID: <9a867e735e8c4148a789854a4c85a1b0@ustx2ex-dag1mb4.msg.corp.akamai.com> > From: Michael Wojcik [mailto:Michael.Wojcik at microfocus.com] Thanks for the detailed and thoughtful response. I only want to respond to a few of your points. > One is simply that we're seeing a lot of > OpenSSL roadmap announcements. That's good in the sense that before the > funding boost, progress was of course much slower and communication > much less frequent. On the other hand, it's worrying because those changes > have consequences for developers working with OpenSSL, and so we need > to account for them in our plans. It seems to me that now folks are being told what is coming (or planned, or might, or we want to) a pretty long time in advance. I don't think that's ever happened before. I understand the stress this can cause -- "how will we handle it" -- but at least there's advance notice now, which there never was before. Also, keep in mind that the big flurry of activity is happening in master, which isn't going to be released until, at best, year-end. That's a pretty long time. And we are working pretty hard to keep the community informed and engaged. > And while those announcements are > generally couched as requests for feedback, arguments against them usually > don't seem to carry much weight. I disagree with this. On the platform issue, Netware was kept and nodbody else raised an issue. On the #ifdef issue, Brian Smith raised a concern and Richard reassured him. On the API issue, Jakob is upset; some of that is, supposedly, addressed by overall retaining the crypto API's, and some of it we just disagree. On the cipher strength, the discussion is still ongoing and I haven't seen much support for Viktor's viewpoint. Have I missed any? -- Principal Security Engineer, Akamai Technologies IM: rsalz at jabber.me Twitter: RichSalz From jayf0ster at roadrunner.com Fri Feb 13 16:48:12 2015 From: jayf0ster at roadrunner.com (Jay Foster) Date: Fri, 13 Feb 2015 08:48:12 -0800 Subject: [openssl-users] 1.0.1 upgrade issue In-Reply-To: References: Message-ID: <54DE2ACC.2010807@roadrunner.com> I have successfully built OpenSSL 1.0.0..., 1.0.1..., and 1.0.2 also on an ARM926EJ linux based system. I used the 'no-ssl2 no-ssl3 linux-armv4 shared' options (plus some others). I found that it works with and without the ARM assembly accelerations (no-asm option), even though the ARM926EJ is an arm5te. It works fine with lighttpd and passes the OpenSSL tests. I assume you are also using the appropriate '--cross-compile-prefix=' option. You might try adding "-mlittle-endian -mcpu=arm926ej-s -DL_ENDIAN" to the CFLAGS, although that should be redundant (the compiler should already know this). Also, make sure there are no '-nostdinc' (or similar) type compiler options creeping in. These change the search order of header files, which can cause OpenSSL to be built against the (old) headers in your tool chain, rather than it's local (current) headers. I did discover that with 1.0.2, I also needed to add '-DOPENSSL_USE_BUILD_DATE' to the CFLAGS to get the 'openssl version -a' command to report a useful build date. Jay On 2/13/2015 7:29 AM, Mike Collins wrote: > I am upgrading an embedded linux board's BSP from 1.0.0m to 1.0.1l due > to a requirement for TLS v1.1. Version 1.0.1 will cross compile > without errors using my 1.0.0 configuration but I have identified the > following errors on the board (so far) with the build using 1.0.1: > 1.) Cannot create a RSA key > 2.) Trying to connect to the board's Lighttpd web server via https > will timeout with PKCS #11 error > 3.) Curl https POST calls fail with RSA padding error. > > Board has a ARM926EJ based processor and I am using a Codesourcery > Lite toolchain. Configure settings (besides --prefix, etc) are shared, > no-asm, linux-generic32, no-ssl2. All the other packages on the board > have been rebuilt against the new openssl version. > > I am looking at the key creation first since that may be causing the > other issues. If I try to create a key from the board command line > using "openssl genrsa -out testkey.pem 2048" I get a response of > "Generating RSA private key, 2048 bit long modulus". At this point it > seems to get stuck in a loop; I am seeing the progress indicators > (".") but it will never finish creating the key. I have let it run > 10-15 minutes without completion; it just keeps displaying successive > progress indicators. I can do Ctrl-C and it will exit. > > I don't think so but are there any dependency changes from 1.0.0 to 1.0.1? > > I noticed 1.0.2 has been released so tried that as well but have the > same result as 1.0.1 > > Mike > > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From dev+openssl at seantek.com Fri Feb 13 18:43:01 2015 From: dev+openssl at seantek.com (Sean Leonard) Date: Fri, 13 Feb 2015 10:43:01 -0800 Subject: [openssl-users] pkcs12 how to have different key friendlyName? Message-ID: <54DE45B5.7000000@seantek.com> Using the openssl pkcs12 -export command, how can one specify a different friendlyName attribute for the private key? For example, consider the command: openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey key.txt -in user.crt -name "sean user cert 2015" -certfile othercerts.txt The resulting PKCS #12 file is structured: ================================================= Certificate bag Bag Attributes localKeyID: A8 27 59 DA... friendlyName: sean user cert 2015 subject=/... issuer=/... -----BEGIN CERTIFICATE----- MIIFNzCCBB+gAwIBAgIQM9l4W5HgK1Amk8O6j/ceiDANBgkqhkiG9w0BAQsFADCB ... -----END CERTIFICATE----- Certificate bag ... -----BEGIN CERTIFICATE----- MIIFOjCCBCKgAwIBAgIRAOeNEe8GIrMlFJ1tdJReavQwDQYJKoZIhvcNAQELBQAw ... -----END CERTIFICATE----- Certificate bag ... -----BEGIN CERTIFICATE----- MIIFNzCCBB+gAwIBAgIQNeTi/66wrvlNcjCDiUjjWzANBgkqhkiG9w0BAQsFADCB ... -----END CERTIFICATE----- PKCS7 Data Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048 Bag Attributes localKeyID: A8 27 59 DA... friendlyName: sean user cert 2015 Key Attributes: Enter PEM pass phrase: [input] Verifying - Enter PEM pass phrase: [input] -----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIgGNOtafMxE8CAggA ... -----END ENCRYPTED PRIVATE KEY----- ================================================= Note that the friendlyName of the Shrouded Keybag is the friendly name of the certificate, which is not the intent. If it is not possible to change the key name with the command-line, perhaps someone can point me to the source code location(s) where the key name can be altered? Thanks! Sean From dev+openssl at seantek.com Fri Feb 13 19:33:46 2015 From: dev+openssl at seantek.com (Sean Leonard) Date: Fri, 13 Feb 2015 11:33:46 -0800 Subject: [openssl-users] pkcs12 is no encryption possible for certs? Message-ID: <54DE519A.10201@seantek.com> Using the openssl pkcs12 -export command, is it possible to specify a "-certpbe" value that does not do encryption? Perhaps you only want integrity protection--you don't care whether the certificates are shrouded. The PKCS #12 standard seems to imply that "certBags" can be used as-is; however, all examples of PKCS #12 files that I have seen encrypt the certificates. Will other common crypto stacks be able to process such a PKCS #12 file (that does not encrypt the certificates)? Thanks, Sean From dthompson at prinpay.com Fri Feb 13 19:54:36 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Fri, 13 Feb 2015 14:54:36 -0500 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> Message-ID: <004801d047c6$e754b790$b5fe26b0$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Friday, February 13, 2015 09:48 > As part of [ECDSA] signature verification, we first take lenght_of_signature received > and compare with double the size of number_of_bytes from curve parameter. > Have converted the ECDSA_SIG to unsigned char * using the function i2d_ECDSA_SIG(). > Length returned by i2d_ECDSA_SIG() is 103. > Whereas, the number_of_bytes value from curve parameter is 48. An EDCSA signature, like a DSA signature, and as the 'i2d' should clue you in, is an ASN1 DER-encoded value. Specifically it is a SEQUENCE of two INTEGERs. That means it consists of: 2 octets tag and length for the sequence -- OR 3 if the components together exceed 127 octets, which will occur almost always if the curve size exceeds 496 bits and sometimes for slightly smaller curves, see below. For each integer, 2 octets tag and length then N octets value, as long as the curve size does not exceed 1015 bits (and none currently come even close). Remember DER INTEGERs are two's complement, and the R and S values are positive numbers that are for practical purposes uniform random up to the curve order which is usually chosen to be nearly a power of two that is a multiple of 8 (like 192, 256, 384) and thus require an extra sign octet. Thus for a 384-bit curve, the encoded signature will be 6+2*48=102 roughly 25% of the time, 6+48+49 about 50% and 6+49*2 about 25%. From kudzu at tenebras.com Fri Feb 13 20:02:06 2015 From: kudzu at tenebras.com (Michael Sierchio) Date: Fri, 13 Feb 2015 12:02:06 -0800 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: <54DE519A.10201@seantek.com> References: <54DE519A.10201@seantek.com> Message-ID: On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard wrote: > Using the openssl pkcs12 -export command, is it possible to specify a > "-certpbe" value that does not do encryption? Perhaps you only want > integrity protection--you don't care whether the certificates are shrouded. > The PKCS #12 standard seems to imply that "certBags" can be used as-is; > however, all examples of PKCS #12 files that I have seen encrypt the > certificates. > > Will other common crypto stacks be able to process such a PKCS #12 file > (that does not encrypt the certificates)? Whenever I hear someone talking about encrypting a certificate, I conclude that they are horribly confused. A cert is signed, over the entire contents, so integrity is reducible to the cryptographic algorithms employed. A cert is not a secret, does not contain secrets, etc. - M From openssl-users at dukhovni.org Fri Feb 13 20:07:45 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 13 Feb 2015 20:07:45 +0000 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> Message-ID: <20150213200745.GO1260@mournblade.imrryr.org> On Fri, Feb 13, 2015 at 08:17:40PM +0530, Rajeswari K wrote: > We would like to use our internal verification logics for the key exchange > message received at SSL client. That sounds like a bad idea. Let OpenSSL do the work for you, configure appropriate trust anchors, or trusted leaf certificate fingerprints. -- Viktor. From steve at openssl.org Fri Feb 13 20:12:19 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 13 Feb 2015 20:12:19 +0000 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: <54DE519A.10201@seantek.com> References: <54DE519A.10201@seantek.com> Message-ID: <20150213201219.GA29935@openssl.org> On Fri, Feb 13, 2015, Sean Leonard wrote: > Using the openssl pkcs12 -export command, is it possible to specify > a "-certpbe" value that does not do encryption? Perhaps you only > want integrity protection--you don't care whether the certificates > are shrouded. The PKCS #12 standard seems to imply that "certBags" > can be used as-is; however, all examples of PKCS #12 files that I > have seen encrypt the certificates. > Try -certpbe NONE Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From steve at openssl.org Fri Feb 13 20:23:21 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 13 Feb 2015 20:23:21 +0000 Subject: [openssl-users] pkcs12 how to have different key friendlyName? In-Reply-To: <54DE45B5.7000000@seantek.com> References: <54DE45B5.7000000@seantek.com> Message-ID: <20150213202321.GB29935@openssl.org> On Fri, Feb 13, 2015, Sean Leonard wrote: > Using the openssl pkcs12 -export command, how can one specify a > different friendlyName attribute for the private key? > > For example, consider the command: > openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey > key.txt -in user.crt -name "sean user cert 2015" -certfile > othercerts.txt > I'm curious as to why you want to do this. If no friendlyname is specified on the command line an "alias" associated with the certificate is used instead. You can associate an alias with a certificate like this: openssl x509 -in cert.pem -setalias "some name" -out newcert.pem Unfortunately the -name option specified on the command line will also be used even if there is an alias present. You can change this by looking in crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the following lines: if (name && !PKCS12_add_friendlyname(bag, name, -1)) goto err; Then you can specify the certificate friendlyname using the alias and the private key friendly name using the command line -name option. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From openssl-users at dukhovni.org Fri Feb 13 20:32:35 2015 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 13 Feb 2015 20:32:35 +0000 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: References: <54DE519A.10201@seantek.com> Message-ID: <20150213203234.GP1260@mournblade.imrryr.org> On Fri, Feb 13, 2015 at 12:02:06PM -0800, Michael Sierchio wrote: > Whenever I hear someone talking about encrypting a certificate, I > conclude that they are horribly confused. A cert is signed, over the > entire contents, so integrity is reducible to the cryptographic > algorithms employed. A cert is not a secret, does not contain secrets, > etc. And yet, PKCS#12 objects are encrypted, and include certificates. -- Viktor. From gregs at sloop.net Fri Feb 13 20:32:13 2015 From: gregs at sloop.net (Gregory Sloop) Date: Fri, 13 Feb 2015 12:32:13 -0800 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: References: <54DE519A.10201@seantek.com> Message-ID: <1712104131.20150213123213@sloop.net> MS> On Fri, Feb 13, 2015 at 11:33 AM, Sean Leonard wrote: >> Using the openssl pkcs12 -export command, is it possible to specify a >> "-certpbe" value that does not do encryption? Perhaps you only want >> integrity protection--you don't care whether the certificates are shrouded. >> The PKCS #12 standard seems to imply that "certBags" can be used as-is; >> however, all examples of PKCS #12 files that I have seen encrypt the >> certificates. >> Will other common crypto stacks be able to process such a PKCS #12 file >> (that does not encrypt the certificates)? MS> Whenever I hear someone talking about encrypting a certificate, I MS> conclude that they are horribly confused. A cert is signed, over the MS> entire contents, so integrity is reducible to the cryptographic MS> algorithms employed. A cert is not a secret, does not contain secrets, MS> etc. It's easy to make a mistake and... ...type "cert" when you really mean "key." ...not remember/understand/grok that PKCS12 files often contain both certs and keys. [And that both can be encrypted.] BTW, as long as we're talking about p12's and encryption. It's my experience that using a cipher other than 3DES [i.e. AES128/256] won't be handled well [i.e. not at all] by current versions of Windows or OSX. I know that's not the direction of the question, and only oblique to it, but perhaps it's useful. -Greg -------------- next part -------------- An HTML attachment was scrubbed... URL: From kudzu at tenebras.com Fri Feb 13 21:25:11 2015 From: kudzu at tenebras.com (Michael Sierchio) Date: Fri, 13 Feb 2015 13:25:11 -0800 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: <20150213203234.GP1260@mournblade.imrryr.org> References: <54DE519A.10201@seantek.com> <20150213203234.GP1260@mournblade.imrryr.org> Message-ID: Yes, I am sure that some folks find known plaintext in an encrypted object to be helpful. [apologies for top-posting... dumb smart phone] - M On Feb 13, 2015 1:21 PM, "Viktor Dukhovni" wrote: > On Fri, Feb 13, 2015 at 12:02:06PM -0800, Michael Sierchio wrote: > > > Whenever I hear someone talking about encrypting a certificate, I > > conclude that they are horribly confused. A cert is signed, over the > > entire contents, so integrity is reducible to the cryptographic > > algorithms employed. A cert is not a secret, does not contain secrets, > > etc. > > And yet, PKCS#12 objects are encrypted, and include certificates. > > -- > Viktor. > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From raji.kotamraju at gmail.com Sat Feb 14 04:50:06 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Sat, 14 Feb 2015 10:20:06 +0530 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: <004801d047c6$e754b790$b5fe26b0$@prinpay.com> References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> <004801d047c6$e754b790$b5fe26b0$@prinpay.com> Message-ID: Hello Dave, Based on your input, have stopped calling i2d_ECDSA_SIG() and used BN_bn2bin() to overcome the der headers. And now, my verification is working fine. Is there any function at openssl, to get the HASH used for the digest at ECDSA_verify()? I see that, for ECDSA_verify(), first argument is type. But when its calling the function pointer, ECDSA_verify() is not passing the type of the hash. So, would like to get the hash type from digest data. I can understand that for TLS1.2, openssl uses SHA512. But the same information i would like to get from digest data. Is there any way to get this? Please share. Thanks, Rajeswari. On Sat, Feb 14, 2015 at 1:24 AM, Dave Thompson wrote: > > From: openssl-users On Behalf Of Rajeswari K > > Sent: Friday, February 13, 2015 09:48 > > > As part of [ECDSA] signature verification, we first take > lenght_of_signature received > > and compare with double the size of number_of_bytes from curve parameter. > > Have converted the ECDSA_SIG to unsigned char * using the function > i2d_ECDSA_SIG(). > > Length returned by i2d_ECDSA_SIG() is 103. > > Whereas, the number_of_bytes value from curve parameter is 48. > > An EDCSA signature, like a DSA signature, and as the 'i2d' should clue you > in, > is an ASN1 DER-encoded value. Specifically it is a SEQUENCE of two > INTEGERs. > That means it consists of: > > 2 octets tag and length for the sequence -- OR 3 if the components together > exceed 127 octets, which will occur almost always if the curve size exceeds > 496 bits and sometimes for slightly smaller curves, see below. > > For each integer, 2 octets tag and length then N octets value, as long as > the > curve size does not exceed 1015 bits (and none currently come even close). > Remember DER INTEGERs are two's complement, and the R and S values > are positive numbers that are for practical purposes uniform random up to > the curve order which is usually chosen to be nearly a power of two that > is a multiple of 8 (like 192, 256, 384) and thus require an extra sign > octet. > > Thus for a 384-bit curve, the encoded signature will be 6+2*48=102 > roughly 25% of the time, 6+48+49 about 50% and 6+49*2 about 25%. > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dev+openssl at seantek.com Sat Feb 14 07:36:06 2015 From: dev+openssl at seantek.com (Sean Leonard) Date: Fri, 13 Feb 2015 23:36:06 -0800 Subject: [openssl-users] pkcs12 is no encryption possible for certs? In-Reply-To: <20150213201219.GA29935@openssl.org> References: <54DE519A.10201@seantek.com> <20150213201219.GA29935@openssl.org> Message-ID: <54DEFAE6.5060309@seantek.com> On 2/13/2015 12:12 PM, Dr. Stephen Henson wrote: > On Fri, Feb 13, 2015, Sean Leonard wrote: > >> Using the openssl pkcs12 -export command, is it possible to specify >> a "-certpbe" value that does not do encryption? Perhaps you only >> want integrity protection--you don't care whether the certificates >> are shrouded. The PKCS #12 standard seems to imply that "certBags" >> can be used as-is; however, all examples of PKCS #12 files that I >> have seen encrypt the certificates. >> > Try -certpbe NONE Thank you! That did the trick. The resultant PKCS #12 file contains the certBag type containing OCTET STRINGS identified as x509Certificate, containing the binary certificates. A partial analyzed example from "asn1js" is included for doubters. Importing this PKCS #12 file into Microsoft CryptoAPI, Mozilla NSS, and Apple Mac OS X Keychain succeeded in all cases. (Note that the -macalg was not changed; it used the default of SHA-1.) Best regards, Sean -------------- next part -------------- A non-text attachment was scrubbed... Name: shows-certbag-oids-example.png Type: image/png Size: 22280 bytes Desc: not available URL: From dev+openssl at seantek.com Sat Feb 14 07:56:05 2015 From: dev+openssl at seantek.com (Sean Leonard) Date: Fri, 13 Feb 2015 23:56:05 -0800 Subject: [openssl-users] pkcs12 how to have different key friendlyName? In-Reply-To: <20150213202321.GB29935@openssl.org> References: <54DE45B5.7000000@seantek.com> <20150213202321.GB29935@openssl.org> Message-ID: <54DEFF95.50103@seantek.com> On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote: > On Fri, Feb 13, 2015, Sean Leonard wrote: > >> Using the openssl pkcs12 -export command, how can one specify a >> different friendlyName attribute for the private key? >> >> For example, consider the command: >> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey >> key.txt -in user.crt -name "sean user cert 2015" -certfile >> othercerts.txt >> > I'm curious as to why you want to do this. Well, as a PKI and S/MIME developer I am researching how various bits of information relating to crypto objects can be preserved between systems. It is useful to set the cert and key friendly names independently for certain development and possibly usability reasons. Development reasons include needing to address the private key specifically, regardless of whether it is associated with any particular certificate, and to see when certificates have private key (instances) on particular crypto tokens. Usability reasons include distinguishing between certificates and private keys for users, who tend to get confused about these things because virtually no existing UIs meaningfully distinguish between the two (usually certificates for which you have a private key are simply called "certificates", or possibly "your certificates"...thus a user sends "your [his/her] certificate" and while the user's mental model is that the certificate is intended to be shared, the user unwittingly sends along a p12 file with a simple password like 123456). Whether the usability is an area of research that I am looking into. No pronouncements can be made one way or another yet. Suffice to say that the technical capability has to exist at the lower layer before one can evaluate usability enhancements at higher layers. > > If no friendlyname is specified on the command line an "alias" associated with > the certificate is used instead. You can associate an alias with a certificate > like this: > > openssl x509 -in cert.pem -setalias "some name" -out newcert.pem > > Unfortunately the -name option specified on the command line will also be > used even if there is an alias present. You can change this by looking in > crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the > following lines: > > if (name && !PKCS12_add_friendlyname(bag, name, -1)) > goto err; > > Then you can specify the certificate friendlyname using the alias and the > private key friendly name using the command line -name option. Sounds good...I will attempt this and report back. Ah, the TRUSTED CERTIFICATE format returns... Sean From BenBE at geshi.org Sat Feb 14 12:05:48 2015 From: BenBE at geshi.org (Benny Baumann) Date: Sat, 14 Feb 2015 13:05:48 +0100 Subject: [openssl-users] Fwd: Problem with encoding a CRL's signing algorithm In-Reply-To: <54DB2525.3000300@dogcraft.de> References: <54DB2525.3000300@dogcraft.de> Message-ID: <54DF3A1C.8010106@geshi.org> Hi, I think there is somewhat strange behaviour in OpenSSL that causes interesting bugs to happen when trying to encode CRLs based on deltas. More information about the issue (causing a segfault under certain conditions) is in the attached mail by Felix who discovered it. Regards, BenBE. -------------- next part -------------- An embedded message was scrubbed... From: =?UTF-8?B?RmVsaXggRMO2cnJl?= Subject: Problem with encoding a CRL's signing algorithm Date: Wed, 11 Feb 2015 10:47:17 +0100 Size: 5922 URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From steve at openssl.org Sat Feb 14 16:54:49 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 14 Feb 2015 16:54:49 +0000 Subject: [openssl-users] Fwd: Problem with encoding a CRL's signing algorithm In-Reply-To: <54DF3A1C.8010106@geshi.org> References: <54DB2525.3000300@dogcraft.de> <54DF3A1C.8010106@geshi.org> Message-ID: <20150214165449.GA13918@openssl.org> On Sat, Feb 14, 2015, Benny Baumann wrote: > > I want to encode a new CRL's (X509_CRL_new), currently invalid, > Signing algorithm (i2d_X509_ALGOR( crl->siging_alg, ... ) ) and > restore that with "d2i_X509_ALGOR( &crl->signing_alg, ...)" > afterwards. Restoring of the algorithm works fine in OpenSSL > 1.0.1.f, but fails in OpenSSL 1.0.1j and 1.0.1l. This is probably > because the "i2d" function encodes the (invalid) Signing algorithms > slightly different in the different versions. This happens, because > the invalid signing algorithm is represented slightly different in > the internal structure. > In version 1.0.1f the invalid algorithm is encoded as sequence with > an object id with length 1 and content "00" ( -> 30 03 06 01 00). In > the newer versions (1.0.1j and 1.0.1l) the invalid algorithm gets > encoded as sequence with an object id of length 0 ( -> 30 02 06 00). > This new encoding causes the "d2i" function to fail. Now the "d2i" > function nulls the "sig_alg". This causes a "X509_CRL_verify" to > cause a segfault. > > Is this behavior expected? Am I doing something wrong? Is there a > problem with what "X509_CRL_new" does (setting different > "UNDEFINED"-ObjectId-Objects)? > For better clarifying my problem, I have attached a small example > code that creates such a CRL, tries to verify it (what will fail, > but not crash), does the i2d, d2i re-setting of the Algorithm and > re-calls X509_CRL_verify which now crashes in 1.0.1j and 1.0.1l, but > works fine in 1.0.1.f. > Arguably the bug is in the i2d functions which should refuse to encode a structure which hasn't been properly initialised. If you set the algorithm OID to a valid value (which you can change later) this should work in all versions of OpenSSL. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From raji.kotamraju at gmail.com Mon Feb 16 08:05:23 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Mon, 16 Feb 2015 13:35:23 +0530 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> <004801d047c6$e754b790$b5fe26b0$@prinpay.com> Message-ID: Hello Dave, Our current signature and verification logics are working just fine with TLS1.0 and TLS1.1 for ECDHE_ECDSA cipher suite. But, when tested the same cipher suite with TLS1.2, SSL handshake always failing with "bad signature". Do we need to take care of anything specific for TLS1.2 handshake? Thanks, Rajeswari. On Sat, Feb 14, 2015 at 10:20 AM, Rajeswari K wrote: > Hello Dave, > > Based on your input, have stopped calling i2d_ECDSA_SIG() and used > BN_bn2bin() to overcome the der headers. > > And now, my verification is working fine. > > Is there any function at openssl, to get the HASH used for the digest at > ECDSA_verify()? > > I see that, for ECDSA_verify(), first argument is type. But when its > calling the function pointer, ECDSA_verify() is not passing the type of the > hash. > > So, would like to get the hash type from digest data. > > I can understand that for TLS1.2, openssl uses SHA512. But the same > information i would like to get from digest data. Is there any way to get > this? Please share. > > Thanks, > Rajeswari. > > On Sat, Feb 14, 2015 at 1:24 AM, Dave Thompson > wrote: > >> > From: openssl-users On Behalf Of Rajeswari K >> > Sent: Friday, February 13, 2015 09:48 >> >> > As part of [ECDSA] signature verification, we first take >> lenght_of_signature received >> > and compare with double the size of number_of_bytes from curve >> parameter. >> > Have converted the ECDSA_SIG to unsigned char * using the function >> i2d_ECDSA_SIG(). >> > Length returned by i2d_ECDSA_SIG() is 103. >> > Whereas, the number_of_bytes value from curve parameter is 48. >> >> An EDCSA signature, like a DSA signature, and as the 'i2d' should clue >> you in, >> is an ASN1 DER-encoded value. Specifically it is a SEQUENCE of two >> INTEGERs. >> That means it consists of: >> >> 2 octets tag and length for the sequence -- OR 3 if the components >> together >> exceed 127 octets, which will occur almost always if the curve size >> exceeds >> 496 bits and sometimes for slightly smaller curves, see below. >> >> For each integer, 2 octets tag and length then N octets value, as long as >> the >> curve size does not exceed 1015 bits (and none currently come even close). >> Remember DER INTEGERs are two's complement, and the R and S values >> are positive numbers that are for practical purposes uniform random up to >> the curve order which is usually chosen to be nearly a power of two that >> is a multiple of 8 (like 192, 256, 384) and thus require an extra sign >> octet. >> >> Thus for a 384-bit curve, the encoded signature will be 6+2*48=102 >> roughly 25% of the time, 6+48+49 about 50% and 6+49*2 about 25%. >> >> >> >> _______________________________________________ >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dthompson at prinpay.com Mon Feb 16 18:23:46 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Mon, 16 Feb 2015 13:23:46 -0500 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> <004801d047c6$e754b790$b5fe26b0$@prinpay.com> Message-ID: <001e01d04a15$b5eb74e0$21c25ea0$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Monday, February 16, 2015 03:05 > Our current signature and verification logics are working just fine > with TLS1.0 and TLS1.1 for ECDHE_ECDSA cipher suite. > But, when tested the same cipher suite with TLS1.2, SSL handshake > always failing with "bad signature". > Do we need to take care of anything specific for TLS1.2 handshake? Not as such. But you do need to correctly handle truncating a hash to be signed/verified that is longer than the key size, both in bits, as shown in OpenSSL's implementation in ecs_ossl.c. That case will occur for TLS1.2 if SHA512 is offered and chosen for the hash and the key in use is a 384-bit key, which your previous questions have suggested. That case will only occur for 1.0 and 1.1 only if using a key too small to be secure, which obviously you shouldn't do. From dthompson at prinpay.com Mon Feb 16 18:23:46 2015 From: dthompson at prinpay.com (Dave Thompson) Date: Mon, 16 Feb 2015 13:23:46 -0500 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> <004801d047c6$e754b790$b5fe26b0$@prinpay.com> Message-ID: <001f01d04a15$b776a8c0$2663fa40$@prinpay.com> > From: openssl-users On Behalf Of Rajeswari K > Sent: Friday, February 13, 2015 23:50 > Hello Dave, > Based on your input, have stopped calling i2d_ECDSA_SIG() > and used BN_bn2bin() to overcome the der headers. > And now, my verification is working fine. ECDSA_verify in ecs_vrf.c only uses i2d to *check* that the input was canonical, to block certain possible attacks. It's the d2i that parsed the signature, and the internal form (ECDSA_SIG structure) is used for the actual verification. > Is there any function at openssl, to get the HASH used for > the digest at ECDSA_verify()? > I see that, for ECDSA_verify(), first argument is type. But > when its calling the function pointer, ECDSA_verify() is not > passing the type of the hash. > So, would like to get the hash type from digest data. ECDSA (and DSA) signatures do not care about the hash algorithm, only the length of the hash *value*. Notice that ECDSA_verify does not pass type to ECDSA_do_verify, which does the actual dispatch to a possible engine. (This differs from RSA, at least PKCS#1 as used by SSL/TLS, where the hash algorithm identifier is included in padding.) > I can understand that for TLS1.2, openssl uses SHA512. > But the same information i would like to get from digest data. > Is there any way to get this? Please share. For the ServerKeyExchange message (the case you said you cared about) in TLS1.2, it appears OpenSSL server uses the client's preference as stated in the sigalgs extension, except in 1.0.2 a new SuiteB option forces SuiteB choices. If the client offers all current hashes for ECDSA in strength order, which is very reasonable, SHA512 will be the choice. From dev+openssl at seantek.com Mon Feb 16 22:48:50 2015 From: dev+openssl at seantek.com (Sean Leonard) Date: Mon, 16 Feb 2015 14:48:50 -0800 Subject: [openssl-users] pkcs12 how to have different key friendlyName? In-Reply-To: <20150213202321.GB29935@openssl.org> References: <54DE45B5.7000000@seantek.com> <20150213202321.GB29935@openssl.org> Message-ID: <54E273D2.1080102@seantek.com> On 2/13/2015 12:23 PM, Dr. Stephen Henson wrote: > On Fri, Feb 13, 2015, Sean Leonard wrote: > >> Using the openssl pkcs12 -export command, how can one specify a >> different friendlyName attribute for the private key? >> >> For example, consider the command: >> openssl pkcs12 -export -out pkcs12.p12 -name "sean key 2015" -inkey >> key.txt -in user.crt -name "sean user cert 2015" -certfile >> othercerts.txt >> > I'm curious as to why you want to do this. > > If no friendlyname is specified on the command line an "alias" associated with > the certificate is used instead. You can associate an alias with a certificate > like this: > > openssl x509 -in cert.pem -setalias "some name" -out newcert.pem > > Unfortunately the -name option specified on the command line will also be > used even if there is an alias present. You can change this by looking in > crypto/pkcs12/p12_crt.c in the function PKCS12_create. Comment out the > following lines: > > if (name && !PKCS12_add_friendlyname(bag, name, -1)) > goto err; > > Then you can specify the certificate friendlyname using the alias and the > private key friendly name using the command line -name option. I attempted to do this today (comment out those two lines) with OpenSSL 1.0.2. It was around line 127 in p12_crt.c in the 1.0.2 distribution. Using the -name option managed to set the friendly name of the private key, not the certificate. Unfortunately, using {x509 -setalias} followed by inputting it to {pkcs12 -in aliasedcert.pem} did not work: the friendly name attribute was not set on the certificate. Only the localKeyID property was set. I verified the pkcs12 output with {pkcs12 -in pkcs12.p12 -info}. When I changed the code to: if (!PKCS12_add_friendlyname(bag, "HARDCODED FRIENDLYNAME", -1)) goto err; the friendly name of the certificate was set properly to the hardcoded value, and the private key friendly name was set to the -name option (presumably the name local variable in the same function). Any ideas on why the alias name is not getting used? I looked into PKCS12_add_cert (also in p12_crt.c) and did not see anything particularly amiss. That function calls X509_alias_get0 -> PKCS12_add_friendlyname. As long as the certificate structure has the "aux" appendage, it should work. I ran {x509 -in aliasedcert.pem -alias} and the proper alias was output. Therefore, I am thinking that something is going on with certificate processing prior to the PKCS12_create call, which strips the aux information. Kind regards, Sean From trapni at gmail.com Tue Feb 17 09:47:46 2015 From: trapni at gmail.com (Christian Parpart) Date: Tue, 17 Feb 2015 10:47:46 +0100 Subject: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file Message-ID: Hey guys, I am rather new to OpenSSL development, but I'd like to integrate SSL communication in my little HTTP server. While this one is working so far, for SNI I actually need to read out the server certificates DNS name extenion and commonName subject. Currently I am doing something like: SSL_CTX* ctx = SSL_CTX_new(TLSv1_2_server_method()); SSL_CTX_use_certificate_file(ctx, "/path/to/server1.crt",SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(ctx, "/path/to/server1.key", SSL_FILETYPE_PEM); I need to somehow get a ptr to the X509 struct to do something like: X509* crt = /* how to get my X509 out of the SSL_CTX */ STACK_OF(GENERAL_NAME) altnames = X509_get_ext_d2i(crt, NID_subject_alt_name, NULL, NULL); int numAltNames = sk_GENERAL_NAME_num(altnames); for (int i = 0; i < numAltNames; ++i) { GENERAL_NAME* altname = sk_GENERAL_NAME_value(altnames, i); if (altname->type == GEN_DNS) { printf("found DNS-Name: %s\n", altname->d.dNSName); } } GENERAL_NAMES_free(altnames); in order to get the DNS alt-name at least. But how do I come from the SSL_CTX to my X509 struct, or how to I do it else? Many thanks in advance, Christian. -------------- next part -------------- An HTML attachment was scrubbed... URL: From raji.kotamraju at gmail.com Tue Feb 17 11:44:16 2015 From: raji.kotamraju at gmail.com (Rajeswari K) Date: Tue, 17 Feb 2015 17:14:16 +0530 Subject: [openssl-users] i2d and d2i fucntions In-Reply-To: <001f01d04a15$b776a8c0$2663fa40$@prinpay.com> References: <001701d04707$ca50f1f0$5ef2d5d0$@prinpay.com> <004801d047c6$e754b790$b5fe26b0$@prinpay.com> <001f01d04a15$b776a8c0$2663fa40$@prinpay.com> Message-ID: Hello Dave, What you said is right. Have checked ecs_ossl.c and implemented similar way to truncate the digest based on the order. Now, handshake is successful even for TLS1.2. Thanks alot. Rajeswari. On Mon, Feb 16, 2015 at 11:53 PM, Dave Thompson wrote: > > From: openssl-users On Behalf Of Rajeswari K > > Sent: Friday, February 13, 2015 23:50 > > Hello Dave, > > Based on your input, have stopped calling i2d_ECDSA_SIG() > > and used BN_bn2bin() to overcome the der headers. > > And now, my verification is working fine. > > ECDSA_verify in ecs_vrf.c only uses i2d to *check* that the > input was canonical, to block certain possible attacks. It's > the d2i that parsed the signature, and the internal form > (ECDSA_SIG structure) is used for the actual verification. > > > Is there any function at openssl, to get the HASH used for > > the digest at ECDSA_verify()? > > I see that, for ECDSA_verify(), first argument is type. But > > when its calling the function pointer, ECDSA_verify() is not > > passing the type of the hash. > > So, would like to get the hash type from digest data. > > ECDSA (and DSA) signatures do not care about the hash > algorithm, only the length of the hash *value*. Notice > that ECDSA_verify does not pass type to ECDSA_do_verify, > which does the actual dispatch to a possible engine. > (This differs from RSA, at least PKCS#1 as used by SSL/TLS, > where the hash algorithm identifier is included in padding.) > > > I can understand that for TLS1.2, openssl uses SHA512. > > But the same information i would like to get from digest data. > > Is there any way to get this? Please share. > > For the ServerKeyExchange message (the case you said > you cared about) in TLS1.2, it appears OpenSSL server uses > the client's preference as stated in the sigalgs extension, > except in 1.0.2 a new SuiteB option forces SuiteB choices. > If the client offers all current hashes for ECDSA in strength > order, which is very reasonable, SHA512 will be the choice. > > > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rasjv at yandex.com Tue Feb 17 19:56:13 2015 From: rasjv at yandex.com (Serj Rakitov) Date: Tue, 17 Feb 2015 22:56:13 +0300 Subject: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file In-Reply-To: References: Message-ID: <15186611424202973@web21o.yandex.ru> Hi, Christian 17.02.2015, 12:55, "Christian Parpart" : > I am rather new to OpenSSL development, but I'd like to integrate SSL > communication in my little HTTP server. > While this one is working so far, for SNI I actually need to read out the > server certificates DNS name extenion and commonName subject. How to get CN and "subject alternative names" from cert you can see this wiki page:?http://wiki.openssl.org/index.php/Hostname_validation > But how do I come from the SSL_CTX to my X509 struct, or how to I do it else? 1.?SSL_CTX_set_verify() or SSL_set_verify(),??then in callback X509_STORE_CTX_get_current_cert() 2. SSL_get_peer_certificate() -- Best Regards, Serj Rakitov From noloader at gmail.com Tue Feb 17 20:14:56 2015 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 17 Feb 2015 15:14:56 -0500 Subject: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file In-Reply-To: References: Message-ID: > X509* crt = /* how to get my X509 out of the SSL_CTX */ X509* cert = SSL_get_peer_certificate(ssl); if(cert) { X509_free(cert); } Its reference counted, so be sure to free it. Jeff On Tue, Feb 17, 2015 at 4:47 AM, Christian Parpart wrote: > Hey guys, > > I am rather new to OpenSSL development, but I'd like to integrate SSL > communication in my little HTTP server. > While this one is working so far, for SNI I actually need to read out the > server certificates DNS name extenion and commonName subject. > > Currently I am doing something like: > > SSL_CTX* ctx = SSL_CTX_new(TLSv1_2_server_method()); > SSL_CTX_use_certificate_file(ctx, "/path/to/server1.crt",SSL_FILETYPE_PEM); > SSL_CTX_use_PrivateKey_file(ctx, "/path/to/server1.key", SSL_FILETYPE_PEM); > > I need to somehow get a ptr to the X509 struct to do something like: > > X509* crt = /* how to get my X509 out of the SSL_CTX */ > STACK_OF(GENERAL_NAME) altnames = > X509_get_ext_d2i(crt, NID_subject_alt_name, NULL, NULL); > int numAltNames = sk_GENERAL_NAME_num(altnames); > > for (int i = 0; i < numAltNames; ++i) { > GENERAL_NAME* altname = sk_GENERAL_NAME_value(altnames, i); > if (altname->type == GEN_DNS) { > printf("found DNS-Name: %s\n", altname->d.dNSName); > } > } > GENERAL_NAMES_free(altnames); > > in order to get the DNS alt-name at least. > But how do I come from the SSL_CTX to my X509 struct, or how to I do it > else? From kebabking2015 at gmail.com Tue Feb 17 20:49:34 2015 From: kebabking2015 at gmail.com (=?UTF-8?B?U8O4cmViw7ggTGluZGE=?=) Date: Tue, 17 Feb 2015 12:49:34 -0800 Subject: [openssl-users] (no subject) Message-ID: confirm -------------- next part -------------- An HTML attachment was scrubbed... URL: From trapni at gmail.com Wed Feb 18 11:20:55 2015 From: trapni at gmail.com (Christian Parpart) Date: Wed, 18 Feb 2015 11:20:55 +0000 Subject: [openssl-users] How to retrieve the commonName / Alt-Name (DNS-Name) from a .crt file References:

Message-ID: On Tue Feb 17 2015 at 9:23:36 PM Jeffrey Walton wrote: > > X509* crt = /* how to get my X509 out of the SSL_CTX */ > > X509* cert = SSL_get_peer_certificate(ssl); > if(cert) { X509_free(cert); } > > Its reference counted, so be sure to free it. > Thanks for the notice. Cheers, Christian. > Jeff > > On Tue, Feb 17, 2015 at 4:47 AM, Christian Parpart > wrote: > > Hey guys, > > > > I am rather new to OpenSSL development, but I'd like to integrate SSL > > communication in my little HTTP server. > > While this one is working so far, for SNI I actually need to read out the > > server certificates DNS name extenion and commonName subject. > > > > Currently I am doing something like: > > > > SSL_CTX* ctx = SSL_CTX_new(TLSv1_2_server_method()); > > SSL_CTX_use_certificate_file(ctx, "/path/to/server1.crt",SSL_ > FILETYPE_PEM); > > SSL_CTX_use_PrivateKey_file(ctx, "/path/to/server1.key", > SSL_FILETYPE_PEM); > > > > I need to somehow get a ptr to the X509 struct to do something like: > > > > X509* crt = /* how to get my X509 out of the SSL_CTX */ > > STACK_OF(GENERAL_NAME) altnames = > > X509_get_ext_d2i(crt, NID_subject_alt_name, NULL, NULL); > > int numAltNames = sk_GENERAL_NAME_num(altnames); > > > > for (int i = 0; i < numAltNames; ++i) { > > GENERAL_NAME* altname = sk_GENERAL_NAME_value(altnames, i); > > if (altname->type == GEN_DNS) { > > printf("found DNS-Name: %s\n", altname->d.dNSName); > > } > > } > > GENERAL_NAMES_free(altnames); > > > > in order to get the DNS alt-name at least. > > But how do I come from the SSL_CTX to my X509 struct, or how to I do it > > else? > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From stm at pdflib.com Wed Feb 18 12:19:59 2015 From: stm at pdflib.com (=?UTF-8?B?U3RlcGhhbiBNw7xobHN0cmFzc2Vy?=) Date: Wed, 18 Feb 2015 13:19:59 +0100 Subject: [openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify() Message-ID: <54E4836F.6010406@pdflib.com> Hi, I have a question about the behavior of OCSP_basic_verify() and the meaning of the OCSP_NOEXPLICIT flag. The OCSP_basic_verify() function is the only place where this flag has an effect in the whole OpenSSL source, and in the "openssl ocsp" application it can be set with the "-no_explicit" command line option: /* * Easy case: explicitly trusted. Get root CA and check for explicit * trust */ if (flags & OCSP_NOEXPLICIT) goto end; x = sk_X509_value(chain, sk_X509_num(chain) - 1); if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); goto end; } Unfortunately the "-no_explicit" command line option is not documented: https://www.openssl.org/docs/apps/ocsp.html What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the "-no_explicit" command line option. What exactly is checked by the X509_check_trust() call above with respect to the relevant RFCs? Best regards Stephan From mikec1404 at gmail.com Wed Feb 18 16:03:31 2015 From: mikec1404 at gmail.com (Mike Collins) Date: Wed, 18 Feb 2015 10:03:31 -0600 Subject: [openssl-users] 1.0.1 upgrade issue Message-ID: Thanks for the suggestions Jay but am still not having much luck. Does 1.0.1 have any minimum requirements for the libc version or kernel version? I am currently building against libc version 2.5 with the kernel at 2.6.30. Mike ---------- Forwarded message ---------- From: Jay Foster To: openssl-users at openssl.org Cc: Date: Fri, 13 Feb 2015 08:48:12 -0800 Subject: Re: [openssl-users] 1.0.1 upgrade issue I have successfully built OpenSSL 1.0.0..., 1.0.1..., and 1.0.2 also on an ARM926EJ linux based system. I used the 'no-ssl2 no-ssl3 linux-armv4 shared' options (plus some others). I found that it works with and without the ARM assembly accelerations (no-asm option), even though the ARM926EJ is an arm5te. It works fine with lighttpd and passes the OpenSSL tests. I assume you are also using the appropriate '--cross-compile-prefix=' option. You might try adding "-mlittle-endian -mcpu=arm926ej-s -DL_ENDIAN" to the CFLAGS, although that should be redundant (the compiler should already know this). Also, make sure there are no '-nostdinc' (or similar) type compiler options creeping in. These change the search order of header files, which can cause OpenSSL to be built against the (old) headers in your tool chain, rather than it's local (current) headers. I did discover that with 1.0.2, I also needed to add '-DOPENSSL_USE_BUILD_DATE' to the CFLAGS to get the 'openssl version -a' command to report a useful build date. Jay On 2/13/2015 7:29 AM, Mike Collins wrote: I am upgrading an embedded linux board's BSP from 1.0.0m to 1.0.1l due to a requirement for TLS v1.1. Version 1.0.1 will cross compile without errors using my 1.0.0 configuration but I have identified the following errors on the board (so far) with the build using 1.0.1: 1.) Cannot create a RSA key 2.) Trying to connect to the board's Lighttpd web server via https will timeout with PKCS #11 error 3.) Curl https POST calls fail with RSA padding error. Board has a ARM926EJ based processor and I am using a Codesourcery Lite toolchain. Configure settings (besides --prefix, etc) are shared, no-asm, linux-generic32, no-ssl2. All the other packages on the board have been rebuilt against the new openssl version. I am looking at the key creation first since that may be causing the other issues. If I try to create a key from the board command line using "openssl genrsa -out testkey.pem 2048" I get a response of "Generating RSA private key, 2048 bit long modulus". At this point it seems to get stuck in a loop; I am seeing the progress indicators (".") but it will never finish creating the key. I have let it run 10-15 minutes without completion; it just keeps displaying successive progress indicators. I can do Ctrl-C and it will exit. I don't think so but are there any dependency changes from 1.0.0 to 1.0.1? I noticed 1.0.2 has been released so tried that as well but have the same result as 1.0.1 Mike -------------- next part -------------- An HTML attachment was scrubbed... URL: From jayf0ster at roadrunner.com Wed Feb 18 18:30:40 2015 From: jayf0ster at roadrunner.com (Jay Foster) Date: Wed, 18 Feb 2015 10:30:40 -0800 Subject: [openssl-users] 1.0.1 upgrade issue In-Reply-To: References: