From charlesm at mcn.org Sat Dec 1 00:25:12 2018 From: charlesm at mcn.org (Charles Mills) Date: Fri, 30 Nov 2018 16:25:12 -0800 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> Message-ID: <035b01d4890c$5312f070$f938d150$@mcn.org> Well, it ought then to say "I couldn't find any certificates at all" rather than "I found a self-signed certificate" when it did not. I used to manage product developers. Sometimes I would point out a need for product improvement and they would say "the code doesn't work that way." I would reply "I understand. I'm asking you to change the code." Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni Sent: Friday, November 30, 2018 3:35 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath > On Nov 30, 2018, at 5:00 PM, Charles Mills wrote: > > "Self-signed certificate in certificate chain" does not to me convey "No certificate hash links" (or "CA certificate not found in hash links"). That's not really possible, because the code that's doing certificate validation works with an abstract certificate store API, and does not know whether a particular certificate should or should not have been listed a trust-anchor in some store. All we know is that we've reached a self-signed certificate in the chain (so no further issuers can be found) and it is not in any of the trust stores, so verification fails. Perhaps we could document the errors in a bit more depth, but I don't think it is possible to tell you that your CApath was missing some specific symlink. -- -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From openssl-users at dukhovni.org Sat Dec 1 00:36:59 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 30 Nov 2018 19:36:59 -0500 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <035b01d4890c$5312f070$f938d150$@mcn.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> Message-ID: <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> > On Nov 30, 2018, at 7:25 PM, Charles Mills wrote: > > Well, it ought then to say "I couldn't find any certificates at all" rather > than "I found a self-signed certificate" when it did not. A self-signed certificate was found, in the chain being verified. The message should likely be more clear (perhaps along the lines suggested by Michael Wojcik), but it is not incorrect. -- Viktor. From dnsands at sandia.gov Sat Dec 1 00:33:20 2018 From: dnsands at sandia.gov (Sands, Daniel) Date: Sat, 1 Dec 2018 00:33:20 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> Message-ID: <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> On Fri, 2018-11-30 at 23:55 +0000, Michael Wojcik wrote: > > "Self-signed certificate in certificate chain" does not to me > > > convey "No > > > certificate hash links" (or "CA certificate not found in hash > > > links"). > > > Viktor's points are all good ones, but considering how often this > particular message causes confusion for users and developers (at > least in my experience), I wonder whether changing the text to > "Untrusted self-signed certificate in certificate chain" would help. > That would suggest to the user that the problem might be an issue > with the trust store. > My .02: The message "Self-signed certificate in certificate chain" does make it sound like OpenSSL rejected the certificate precisely because it's self signed, and not because it's an untrusted root certificate. I would suggest a less misleading reason, at least. From openssl-users at dukhovni.org Sat Dec 1 01:38:01 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 30 Nov 2018 20:38:01 -0500 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> Message-ID: > On Nov 30, 2018, at 7:33 PM, Sands, Daniel via openssl-users wrote: > >> Viktor's points are all good ones, but considering how often this >> particular message causes confusion for users and developers (at >> least in my experience), I wonder whether changing the text to >> "Untrusted self-signed certificate in certificate chain" would help. >> That would suggest to the user that the problem might be an issue >> with the trust store. >> > My .02: The message "Self-signed certificate in certificate chain" > does make it sound like OpenSSL rejected the certificate precisely > because it's self signed, and not because it's an untrusted root > certificate. I would suggest a less misleading reason, at least. Are there compatibility concerns around changing error message text for which users may have created regex patterns in scripts? I agree the text could be better, but not sure in what releases if any to change the text, since the change may cause issues for some users. -- Viktor. From Michael.Wojcik at microfocus.com Sat Dec 1 19:12:24 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Sat, 1 Dec 2018 19:12:24 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Friday, November 30, 2018 18:38 > > Are there compatibility concerns around changing error message > text for which users may have created regex patterns in scripts? > > I agree the text could be better, but not sure in what releases > if any to change the text, since the change may cause issues > for some users. Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release. -- Michael Wojcik Distinguished Engineer, Micro Focus From charlesm at mcn.org Sat Dec 1 20:29:42 2018 From: charlesm at mcn.org (Charles Mills) Date: Sat, 1 Dec 2018 12:29:42 -0800 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> Message-ID: <040501d489b4$97481830$c5d84890$@mcn.org> I could easily be wrong -- you guys know more about certificates than I ever will -- but I do not *think* there is any self-signed certificate in this scenario. There should be exactly two certificates in this discussion: 1. The client certificate. It is not self-signed (in the correct sense of the term, as opposed to the erroneous popular sense): it is signed by my "in-house" CA. 2. The CA certificate. Yes, it is a root and self-signed, but you didn't find it, right? (Because of my error in not running the hash utility.) If you found it what is the problem? Does the hashing process imply trust? Then the error message should be "untrusted CA certificate," no? (There is only one certificate in the CApath folder.) Am I missing something? Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni Sent: Friday, November 30, 2018 4:37 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath > On Nov 30, 2018, at 7:25 PM, Charles Mills wrote: > > Well, it ought then to say "I couldn't find any certificates at all" rather > than "I found a self-signed certificate" when it did not. A self-signed certificate was found, in the chain being verified. The message should likely be more clear (perhaps along the lines suggested by Michael Wojcik), but it is not incorrect. From openssl-users at dukhovni.org Sat Dec 1 20:46:46 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sat, 1 Dec 2018 15:46:46 -0500 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <040501d489b4$97481830$c5d84890$@mcn.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> <040501d489b4$97481830$c5d84890$@mcn.org> Message-ID: <20181201204646.GA79754@straasha.imrryr.org> On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote: > I could easily be wrong -- you guys know more about certificates than I ever > will -- but I do not *think* there is any self-signed certificate in this > scenario. There should be exactly two certificates in this discussion: > > 1. The client certificate. It is not self-signed (in the correct sense of > the term, as opposed to the erroneous popular sense): it is signed by my > "in-house" CA. > > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't > find it, right? You seem to be stuck on a narrow meaning of the word "found". The self-signed certificate *was* found, but not in the trust-store. It was found in the chain of certificates sent by the client to the server for validation. That's what the error message is telling you, the chain building algorithm found a self-signed certificate in the peer's chain, without finding a suitable trust-anchor in the trust-store. So validation cannot proceed further and fails. > (Because of my error in not running the hash utility.) > If you found it what is the problem? ... Everything from here down is based on an incorrect reading of the word "found". > Am I missing something? Yes: "found" != "found in the trust store" Think "encountered" rather than "found" if that's more clear. -- Viktor. From openssl-users at dukhovni.org Sat Dec 1 20:53:12 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sat, 1 Dec 2018 15:53:12 -0500 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> Message-ID: <20181201205312.GB79754@straasha.imrryr.org> On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote: > > Are there compatibility concerns around changing error message > > text for which users may have created regex patterns in scripts? > > > > I agree the text could be better, but not sure in what releases > > if any to change the text, since the change may cause issues > > for some users. > > Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release. Care to create a PR against the "master" branch? Something along the lines of: "Provided chain ends with untrusted self-signed certificate" or better. Here "untrusted" might mean not trusted for the requested purpose, but more precise is not always more clear. -- Viktor. From charlesm at mcn.org Sat Dec 1 21:46:51 2018 From: charlesm at mcn.org (Charles Mills) Date: Sat, 1 Dec 2018 13:46:51 -0800 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <20181201204646.GA79754@straasha.imrryr.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> <040501d489b4$97481830$c5d84890$@mcn.org> <20181201204646.GA79754@straasha.imrryr.org> Message-ID: <040e01d489bf$5e31fc40$1a95f4c0$@mcn.org> > It was found in the chain of certificates sent by the client to the > server for validation Again, I could be wrong but that is my point. I do not think the client is sending a chain of certificates, but rather only one, the CA-signed client certificate. (I wrote and configured the client, and generated the certificate, and loaded it into the certificate store.) Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni Sent: Saturday, December 1, 2018 12:47 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote: > I could easily be wrong -- you guys know more about certificates than I ever > will -- but I do not *think* there is any self-signed certificate in this > scenario. There should be exactly two certificates in this discussion: > > 1. The client certificate. It is not self-signed (in the correct sense of > the term, as opposed to the erroneous popular sense): it is signed by my > "in-house" CA. > > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't > find it, right? You seem to be stuck on a narrow meaning of the word "found". The self-signed certificate *was* found, but not in the trust-store. It was found in the chain of certificates sent by the client to the server for validation. That's what the error message is telling From levitte at openssl.org Sun Dec 2 03:45:19 2018 From: levitte at openssl.org (Richard Levitte) Date: Sun, 02 Dec 2018 04:45:19 +0100 (CET) Subject: [openssl-users] openssl 1.1.1 opaque structures In-Reply-To: References:

Message-ID: <20181202.044519.1520531109363416067.levitte@openssl.org> Did you ever get an answer to that? There is a call BN_num_bytes(), so the fix should be this: *var = rc_vmalloc(BN_num_bytes(bn)); (*var)->l = BN_bn2bin(bn, (unsigned char *)(*var)->v); Cheers, Richard ( you should probably study include/openssl/bn.h in depth ) In message on Mon, 26 Nov 2018 11:15:27 +0530, priya p said: > I am trying to fix this part of code: > > int Func1 (var, bn) { > *var = rc_vmalloc(bn->top * BN_BYTES); ------------------> Trying to fix this. Error it throws is " error: > dereferencing pointer to incomplete type". > > (*var)->l = BN_bn2bin(bn, (unsigned char *)(*var)->v); > . > . > } > > Thanks, > Priya > > On Mon, 26 Nov 2018 at 11:06, Viktor Dukhovni wrote: > > > On Nov 26, 2018, at 12:14 AM, priya p wrote: > > > > I am unable to get the API to access bn->top value or any bn members in openssl 1.1.1 . > > Can you help me with the pointers to those APIs ? > > What actual problem are you trying to solve? Accessing bn->top is > a goal in itself. > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > From aerowolf at gmail.com Sun Dec 2 06:28:59 2018 From: aerowolf at gmail.com (Kyle Hamilton) Date: Sat, 1 Dec 2018 22:28:59 -0800 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <040e01d489bf$5e31fc40$1a95f4c0$@mcn.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> <040501d489b4$97481830$c5d84890$@mcn.org> <20181201204646.GA79754@straasha.imrryr.org> <040e01d489bf$5e31fc40$1a95f4c0$@mcn.org> Message-ID: Wireshark and other packet capture tools can help you determine exactly what's in the chain sent by the client. If the self-signed root isn't being sent, then the "self-signed certificate in certificate chain" error should never have been sent, and a bug report on that issue would be appropriate. If the root is being sent, though, having some idea of what you're doing when constructing your sessions could help us to figure out why it is when you didn't intend it to be. -Kyle H On Sat, Dec 1, 2018 at 1:47 PM Charles Mills wrote: > > > It was found in the chain of certificates sent by the client to the > > server for validation > > Again, I could be wrong but that is my point. I do not think the client is > sending a chain of certificates, but rather only one, the CA-signed client > certificate. (I wrote and configured the client, and generated the > certificate, and loaded it into the certificate store.) > > Charles > > -----Original Message----- > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of > Viktor Dukhovni > Sent: Saturday, December 1, 2018 12:47 PM > To: openssl-users at openssl.org > Subject: Re: [openssl-users] Self-signed error when using > SSL_CTX_load_verify_locations CApath > > On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote: > > > I could easily be wrong -- you guys know more about certificates than I > ever > > will -- but I do not *think* there is any self-signed certificate in this > > scenario. There should be exactly two certificates in this discussion: > > > > 1. The client certificate. It is not self-signed (in the correct sense of > > the term, as opposed to the erroneous popular sense): it is signed by my > > "in-house" CA. > > > > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't > > find it, right? > > You seem to be stuck on a narrow meaning of the word "found". The > self-signed certificate *was* found, but not in the trust-store. > > It was found in the chain of certificates sent by the client to the > server for validation. That's what the error message is telling > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From dkg at fifthhorseman.net Sat Dec 1 19:54:37 2018 From: dkg at fifthhorseman.net (Daniel Kahn Gillmor) Date: Sat, 01 Dec 2018 14:54:37 -0500 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> Message-ID: <87zhtp9g5e.fsf@fifthhorseman.net> On Fri 2018-11-30 20:38:01 -0500, Viktor Dukhovni wrote: > Are there compatibility concerns around changing error message > text for which users may have created regex patterns in scripts? I advocate making the error message in english more comprehensible. Michael Wojcik's suggestion of "Untrusted self-signed certificate in certificate chain" more accurately reflects the semantics of this error message. The error message is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, whic his #defined in x509_vfy.h as 19, and 19 even shows up in the specific error message. Scripts should be keying on this value, not on the human-readable text. Scripts which expect certain human-readable text will fail when the text is localized (not done in OpenSSL yet, but perhaps it should be at some point, it certainly is in glibc and other libraries), or when the text is improved to be more accurate (this case). We shouldn't let those scripts stop us from improving OpenSSL going forward at least, though i can understand if folks are more reluctant to change old verisions in a point release. --dkg -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 227 bytes Desc: not available URL: From openssl-users at dukhovni.org Sun Dec 2 22:13:18 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 2 Dec 2018 17:13:18 -0500 Subject: [openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x? Message-ID: <20181202221317.GJ79754@straasha.imrryr.org> [ While I could ask off-list, or RTFS, someone else might have the same question later, so might as well ask on-list. ] Postfix added support for ECDHE ciphers long ago, back when OpenSSL 1.0.0 was shiny and new, and the server-side ECDHE support was enabled by specifying a single preferred "temp" ECDH curve. At the time we allowed users to configure: smtpd_tls_eecdh_grade = none | strong | ultra which was later expanded to: smtpd_tls_eecdh_grade = none | strong | ultra | auto as documented at: http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve http://www.postfix.org/postconf.5.html#tls_eecdh_ultra_curve http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves The "none" setting is documented to disable ECDHE, and did that by simply doing nothing, that is by not setting a specific ECDH temp curve and also not calling SSL_CTX_set_ecdh_auto(). But doing nothing no longer has the same effect in OpenSSL 1.1.0 and later, where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto() is basically a NOOP (that returns "failure" if the requested behaviour is ECDHE "off"). I thought I might get the same effect by configuring an empty curve list, but OpenSSL 1.1.x, does not accept an empty list, and in any case that might also affect DHE support, since IIRC there's now a unified list of curves and FFDHE groups, and may not be an interface for configuring just the curves? Is there still a way to support the "none" setting other than to modify the cipherlist (ciphers = "!kECDHE:...")? The Postfix code that deals with DH settings is separate from the code that deals with ciphers, and I'd prefer to get these mixed up. I should say that I understand that turning off ECDHE is increasingly unwise, interoperability can and will suffer. So I may well decide to drop support for "none" and pretend the user meant "auto", but I'd like to understand the available options first. -- Viktor. From matt at openssl.org Sun Dec 2 22:48:33 2018 From: matt at openssl.org (Matt Caswell) Date: Sun, 2 Dec 2018 22:48:33 +0000 Subject: [openssl-users] How to disable EECDH in OpenSSL 1.0.2 and 1.1.x? In-Reply-To: <20181202221317.GJ79754@straasha.imrryr.org> References: <20181202221317.GJ79754@straasha.imrryr.org> Message-ID: On 02/12/2018 22:13, Viktor Dukhovni wrote: > > [ While I could ask off-list, or RTFS, someone else might have the > same question later, so might as well ask on-list. ] > > Postfix added support for ECDHE ciphers long ago, back when OpenSSL > 1.0.0 was shiny and new, and the server-side ECDHE support was > enabled by specifying a single preferred "temp" ECDH curve. At the > time we allowed users to configure: > > smtpd_tls_eecdh_grade = none | strong | ultra > > which was later expanded to: > > smtpd_tls_eecdh_grade = none | strong | ultra | auto > > as documented at: > > http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade > http://www.postfix.org/postconf.5.html#tls_eecdh_strong_curve > http://www.postfix.org/postconf.5.html#tls_eecdh_ultra_curve > http://www.postfix.org/postconf.5.html#tls_eecdh_auto_curves > > The "none" setting is documented to disable ECDHE, and did that by > simply doing nothing, that is by not setting a specific ECDH temp > curve and also not calling SSL_CTX_set_ecdh_auto(). But doing > nothing no longer has the same effect in OpenSSL 1.1.0 and later, > where ECDHE curve negotiation is always on, and SSL_CTX_set_ecdh_auto() > is basically a NOOP (that returns "failure" if the requested behaviour > is ECDHE "off"). > > I thought I might get the same effect by configuring an empty curve > list, but OpenSSL 1.1.x, does not accept an empty list, and in any > case that might also affect DHE support, since IIRC there's now a > unified list of curves and FFDHE groups, and may not be an interface > for configuring just the curves? > > Is there still a way to support the "none" setting other than to > modify the cipherlist (ciphers = "!kECDHE:...")? The Postfix > code that deals with DH settings is separate from the code > that deals with ciphers, and I'd prefer to get these mixed up. AFAIK this can't be done. If you don't want ECDHE then you should not configure ECDHE ciphersuites. WRT a unifed lists of curves that's not quite the case. TLSv1.3 has a single "supported_groups" list for both FFDHE and ECDHE - but OpenSSL does not support FFDHE in TLSv1.3 so in an OpenSSL context this still only relates to ECDHE groups. Matt > > I should say that I understand that turning off ECDHE is increasingly > unwise, interoperability can and will suffer. So I may well decide > to drop support for "none" and pretend the user meant "auto", but > I'd like to understand the available options first. > From Michal.Trojnara at stunnel.org Sun Dec 2 23:10:28 2018 From: Michal.Trojnara at stunnel.org (Michal Trojnara) Date: Mon, 3 Dec 2018 00:10:28 +0100 Subject: [openssl-users] stunnel 5.50 released Message-ID: <9e157ef6-fb10-5a66-af12-ff7cf41071ab@stunnel.org> Dear Users, I have released version 5.50 of stunnel. Version 5.50, 2018.12.02, urgency: MEDIUM * New features ? - 32-bit Windows builds replaced with 64-bit builds. ? - OpenSSL DLLs updated to version 1.1.1. ? - Check whether "output" is not a relative file name. ? - Major code cleanup in the configuration file parser. ? - Added sslVersion, sslVersionMin and sslVersionMax ??? for OpenSSL 1.1.0 and later. * Bugfixes ? - Fixed PSK session resumption with TLS 1.3. ? - Fixed a memory leak in WIN32 logging subsystem. ? - Allow for zero value (ignored) TLS options. ? - Partially refactored configuration file parsing ??? and logging subsystems for clearer code and minor ??? bugfixes. * Caveats ? - We removed FIPS support from our standard builds. ??? FIPS will still be available with bespoke builds. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: 951d92502908b852a297bd9308568f7c36598670b84286d3e05d4a3a550c0149? stunnel-5.50.tar.gz e855d58a05dca0943a5da8d030b5904630ee9cff47c3d747d326e151724f3bc8? stunnel-5.50-win64-installer.exe ad6c952cd26951c5a986efe8034b71af07c951e11d06e0b0ce73ef82594b1041? stunnel-5.50-android.zip Best regards, ??? Mike -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From charlesm at mcn.org Mon Dec 3 00:38:19 2018 From: charlesm at mcn.org (Charles Mills) Date: Sun, 2 Dec 2018 16:38:19 -0800 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list Message-ID: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> I have an OpenSSL (v1.1.0f) server application that processes client certificates. The doc for SSL_CTX_load_verify_locations() states "In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions." The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors. Can someone please explain the discrepancy. I'm especially wondering if I have set a trap that will spring down the road: "yes it works, but if a user does X then it will not work." Thanks! Charles -------------- next part -------------- An HTML attachment was scrubbed... URL: From charlesm at mcn.org Mon Dec 3 00:43:17 2018 From: charlesm at mcn.org (Charles Mills) Date: Sun, 2 Dec 2018 16:43:17 -0800 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> <040501d489b4$97481830$c5d84890$@mcn.org> <20181201204646.GA79754@straasha.imrryr.org> <040e01d489bf$5e31fc40$1a95f4c0$@mcn.org> Message-ID: <051001d48aa1$2e69cb40$8b3d61c0$@mcn.org> Sorry, I do not have a packet capture tool configured. I have a verify callback with a lot of trace messages. I can see that it is only entered once; X509_STORE_CTX_get_error_depth() is 1. Does that tell us anything useful? Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Kyle Hamilton Sent: Saturday, December 1, 2018 10:29 PM To: openssl-users Subject: Re: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath Wireshark and other packet capture tools can help you determine exactly what's in the chain sent by the client. If the self-signed root isn't being sent, then the "self-signed certificate in certificate chain" error should never have been sent, and a bug report on that issue would be appropriate. If the root is being sent, though, having some idea of what you're doing when constructing your sessions could help us to figure out why it is when you didn't intend it to be. -Kyle H On Sat, Dec 1, 2018 at 1:47 PM Charles Mills wrote: > > > It was found in the chain of certificates sent by the client to the > > server for validation > > Again, I could be wrong but that is my point. I do not think the client is > sending a chain of certificates, but rather only one, the CA-signed client > certificate. (I wrote and configured the client, and generated the > certificate, and loaded it into the certificate store.) > > Charles > > -----Original Message----- > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of > Viktor Dukhovni > Sent: Saturday, December 1, 2018 12:47 PM > To: openssl-users at openssl.org > Subject: Re: [openssl-users] Self-signed error when using > SSL_CTX_load_verify_locations CApath > > On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote: > > > I could easily be wrong -- you guys know more about certificates than I > ever > > will -- but I do not *think* there is any self-signed certificate in this > > scenario. There should be exactly two certificates in this discussion: > > > > 1. The client certificate. It is not self-signed (in the correct sense of > > the term, as opposed to the erroneous popular sense): it is signed by my > > "in-house" CA. > > > > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't > > find it, right? > > You seem to be stuck on a narrow meaning of the word "found". The > self-signed certificate *was* found, but not in the trust-store. > > It was found in the chain of certificates sent by the client to the > server for validation. That's what the error message is telling > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From charlesm at mcn.org Mon Dec 3 01:14:44 2018 From: charlesm at mcn.org (Charles Mills) Date: Sun, 2 Dec 2018 17:14:44 -0800 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list Message-ID: <051701d48aa5$93721070$ba563150$@mcn.org> Do I need to say no calls to SSL_CTX_set_client_CA_list() nor any of the three related functions listed on the man page? Charles From: Charles Mills [mailto:charlesm at mcn.org] Sent: Sunday, December 2, 2018 4:38 PM To: 'openssl-users at openssl.org' Subject: Question on necessity of SSL_CTX_set_client_CA_list I have an OpenSSL (v1.1.0f) server application that processes client certificates. The doc for SSL_CTX_load_verify_locations() states "In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions." The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors. Can someone please explain the discrepancy. I'm especially wondering if I have set a trap that will spring down the road: "yes it works, but if a user does X then it will not work." Thanks! Charles -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Mon Dec 3 01:50:19 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 2 Dec 2018 20:50:19 -0500 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> Message-ID: > On Dec 2, 2018, at 7:38 PM, Charles Mills wrote: > > I have an OpenSSL (v1.1.0f) server application that processes client certificates. > > The doc for SSL_CTX_load_verify_locations() states ?In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions.? > > The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors. > > Can someone please explain the discrepancy. I?m especially wondering if I have set a trap that will spring down the road: ?yes it works, but if a user does X then it will not work.? The default list is empty. Some client implementations, IIRC Java's TLS stack or at least some Java TLS toolkits, will not use a client certificate unless the server's list is non-empty, and perhaps may also require that it include a CA name that matches an issuer of their certificate. Other clients have but one default certificate and use it regardless of the server's CA list. Your mileage may vary. -- Viktor. From openssl-users at dukhovni.org Mon Dec 3 01:54:29 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 2 Dec 2018 20:54:29 -0500 Subject: [openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <051001d48aa1$2e69cb40$8b3d61c0$@mcn.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <035b01d4890c$5312f070$f938d150$@mcn.org> <686C3EF8-553F-4FEA-A88A-22B19146A296@dukhovni.org> <040501d489b4$97481830$c5d84890$@mcn.org> <20181201204646.GA79754@straasha.imrryr.org> <040e01d489bf$5e31fc40$1a95f4c0$@mcn.org> <051001d48aa1$2e69cb40$8b3d61c0$@mcn.org> Message-ID: > On Dec 2, 2018, at 7:43 PM, Charles Mills wrote: > > Sorry, I do not have a packet capture tool configured. > > I have a verify callback with a lot of trace messages. I can see that it is > only entered once; X509_STORE_CTX_get_error_depth() is 1. > > Does that tell us anything useful? No further information is required. Your client certificate chain includes a self-signed root CA as a direct issuer of its certificate. That root CA was not found in the server's trust store. Someone should submit a pull request to improve the error message, if they've not done so yet. -- -- Viktor. From andreas.fuchs at sit.fraunhofer.de Mon Dec 3 09:41:19 2018 From: andreas.fuchs at sit.fraunhofer.de (Fuchs, Andreas) Date: Mon, 3 Dec 2018 09:41:19 +0000 Subject: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID In-Reply-To: References: <9F48E1A823B03B4790B7E6E69430724D014B459655@exch2010c.sit.fraunhofer.de> <9F48E1A823B03B4790B7E6E69430724D014B45A823@exch2010c.sit.fraunhofer.de>, Message-ID: <9F48E1A823B03B4790B7E6E69430724D014B46156F@EXCH2010B.sit.fraunhofer.de> Thanks for the hint... I'll implement this. Nevertheless, padding is not supported as far as I understand, right ? Thus, in order to prevent SHA256 on a P384 curve, I'll have to set the DEFAULT_MD_NID hint, right ? Could anybody give me some feedback, whether my intended approach is correct ? ________________________________________ From: openssl-users [openssl-users-bounces at openssl.org] on behalf of Blumenthal, Uri - 0553 - MITLL [uri at ll.mit.edu] Sent: Friday, November 30, 2018 18:44 To: openssl-users at openssl.org; William Roberts Subject: Re: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID The way I understand the ECDSA standard, it is supposed to truncate the provided hash - which is why it is possible to have ECDSA-over-P256-SHA384. One possibility would be for you to truncate the SHA2 output yourself, IMHO. ?On 11/30/18, 12:36 PM, "openssl-users on behalf of Fuchs, Andreas" wrote: The problem is as follows: The digest parameter of the TPM2_Sign command is checked against the hash algorithms supported by the TPM. If the TPM only supports SHA256, then the maximum size for the digest parameter is 32 bytes. So you cannot pass in a SHA512 hash, even though the TPM does not even perform a hash operation. Kind of stupid, I know, but thats how it goes. For RSA, I could "emulate" signing by using the TPM2_RSA_Decrypt command. For ECDSA however there is no equivalent. Thus the tpm2-tss-engine will only support up to SHA384 (since that's what most TPMs support). Therefore, the engine needs to communicate to OpenSSL's TLS not to negotiate SHA512. That was apparently added f?r 1.0.1 and 1.1.1 recently as the ASN1_PKEY_CTRL_DEFAULT_MD_NID ameth ctrl. I just don't know enough about OpenSSL as to where to start with this. Anyone have any hints please ? ________________________________________ From: William Roberts [bill.c.roberts at gmail.com] Sent: Friday, November 30, 2018 15:55 To: openssl-users at openssl.org Cc: Fuchs, Andreas Subject: Re: [openssl-users] Question on implementing the ameth ctrl ASN1_PKEY_CTRL_DEFAULT_MD_NID On Wed, Nov 28, 2018 at 1:22 AM Fuchs, Andreas wrote: > > Hi all, > > I'm currently implementing a TPM2 engine for OpenSSL over at https://github.com/tpm2-software/tpm2-tss-engine > The problem I'm facing is that OpenSSL's TLS negotiation will request ECDSA from my engine with any hash alg, even though the TPM's keys are restricted to just one specific hash alg. What about when keys aren't restricted to one specific signing scheme and support raw encrypt/decrypt? You could just synthesize it by building up the signature structure on the client side and using the raw primitives to encrypt the signing structure directly. > > Most recently, David Woodhouse pointed out the possibility to require a certain hash-alg from the key to TLS via the ameth ASN1_PKEY_CTRL_DEFAULT_MD_NID at https://github.com/tpm2-software/tpm2-tss-engine/issues/31 > > Since I'm not that familiar with OpenSSL, I wanted to confirm that I'm following the right path for implementing this. > Thus: Is the following approach correct ? > > So, at https://github.com/tpm2-software/tpm2-tss-engine/blob/master/src/tpm2-tss-engine-ecc.c#L328: > - I need to call "const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey)" to get the ameth ? > - I need to call EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, (*pkey_ctrl)) to some pkey_ctrl for ECC keys of mine ? > - That pkey_ctrl is a int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2)) that implements the op ASN1_PKEY_CTRL_DEFAULT_MD_NID ? > - That pkey_ctrl()'s ASN1_PKEY_CTRL_DEFAULT_MD_NID looks up the hash for the provided pkey's ecc key from the tpm2data and returns it via *(int *)arg2 = NID_sha1 or NID_sha256 or etc and then returns 1 or 2 or something ? > - Which one of the return codes (1 or 2) makes it mandatory rather than recommended ? > > Thanks a lot for any advice, > Andreas > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From Michael.Wojcik at microfocus.com Mon Dec 3 15:22:20 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Mon, 3 Dec 2018 15:22:20 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <20181201205312.GB79754@straasha.imrryr.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Saturday, December 01, 2018 13:53 > > On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text could be better, but not sure in what releases > > > if any to change the text, since the change may cause issues > > > for some users. > > > > Sure, this is always a concern. Maybe the change could be considered for > > OpenSSL 3.0, since that's a major release. > > Care to create a PR against the "master" branch? Something > along the lines of: > > "Provided chain ends with untrusted self-signed certificate" > > or better. Here "untrusted" might mean not trusted for the requested > purpose, but more precise is not always more clear. I should be able to do that. (My OpenSSL contributor paperwork is still in progress, but since this PR wouldn't include any actual code, I don't think I need to wait for that.) May be a few days before I get a chance to do it. -- Michael Wojcik Distinguished Engineer, Micro Focus From charlesm at mcn.org Mon Dec 3 17:53:12 2018 From: charlesm at mcn.org (Charles Mills) Date: Mon, 3 Dec 2018 09:53:12 -0800 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> Message-ID: <05aa01d48b31$0f645900$2e2d0b00$@mcn.org> I appreciate it. OpenSSL is of course a great product but it can be a little mystifying to debug. I am a developer and I understand the problem of "layering" and virtualization, where the component that realizes there is a problem is so far removed that it does not know what the underlying real problem is. That said, I would suggest that "Provided chain ends with untrusted self-signed certificate" still does not really convey "no relevant CA certificate found in the provided path." Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Wojcik Sent: Monday, December 3, 2018 7:22 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Saturday, December 01, 2018 13:53 > > On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text could be better, but not sure in what releases > > > if any to change the text, since the change may cause issues > > > for some users. > > > > Sure, this is always a concern. Maybe the change could be considered for > > OpenSSL 3.0, since that's a major release. > > Care to create a PR against the "master" branch? Something > along the lines of: > > "Provided chain ends with untrusted self-signed certificate" > > or better. Here "untrusted" might mean not trusted for the requested > purpose, but more precise is not always more clear. I should be able to do that. (My OpenSSL contributor paperwork is still in progress, but since this PR wouldn't include any actual code, I don't think I need to wait for that.) May be a few days before I get a chance to do it. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From charlesm at mcn.org Mon Dec 3 17:54:47 2018 From: charlesm at mcn.org (Charles Mills) Date: Mon, 3 Dec 2018 09:54:47 -0800 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> Message-ID: <05b101d48b31$47d9c720$d78d5560$@mcn.org> Got it. Thanks. I would think the basic client case is "one certificate, one CA" so I think I will roll with what we have (especially since the product has been out there for years with no reported problems in this area -- although I think client certificate usage is rare) but keep the issue in mind if a problem comes up. Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni Sent: Sunday, December 2, 2018 5:50 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list > On Dec 2, 2018, at 7:38 PM, Charles Mills wrote: > > I have an OpenSSL (v1.1.0f) server application that processes client certificates. > > The doc for SSL_CTX_load_verify_locations() states ?In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions.? > > The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors. > > Can someone please explain the discrepancy. I?m especially wondering if I have set a trap that will spring down the road: ?yes it works, but if a user does X then it will not work.? The default list is empty. Some client implementations, IIRC Java's TLS stack or at least some Java TLS toolkits, will not use a client certificate unless the server's list is non-empty, and perhaps may also require that it include a CA name that matches an issuer of their certificate. Other clients have but one default certificate and use it regardless of the server's CA list. Your mileage may vary. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From dnsands at sandia.gov Mon Dec 3 18:47:20 2018 From: dnsands at sandia.gov (Sands, Daniel) Date: Mon, 3 Dec 2018 18:47:20 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <20181201205312.GB79754@straasha.imrryr.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> Message-ID: On Sat, 2018-12-01 at 15:53 -0500, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote: > > > > Are there compatibility concerns around changing error message > > > text for which users may have created regex patterns in scripts? > > > > > > I agree the text could be better, but not sure in what releases > > > if any to change the text, since the change may cause issues > > > for some users. > > > > Sure, this is always a concern. Maybe the change could be > > considered for OpenSSL 3.0, since that's a major release. > > Care to create a PR against the "master" branch? Something > along the lines of: > > "Provided chain ends with untrusted self-signed certificate" > > or better. Here "untrusted" might mean not trusted for the requested > purpose, but more precise is not always more clear. Just wondering, is there a different error for an untrusted cross- signed root? If it's the same error, then maybe remove "self-signed" from the above message too, because that would not always be the case either. From Michael.Wojcik at microfocus.com Mon Dec 3 18:57:58 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Mon, 3 Dec 2018 18:57:58 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <05aa01d48b31$0f645900$2e2d0b00$@mcn.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <05aa01d48b31$0f645900$2e2d0b00$@mcn.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:53 > > I appreciate it. OpenSSL is of course a great product but it can be a little > mystifying to debug. If I were ever to write a book about OpenSSL, "a great product but a little mystifying" would be an appropriate epigraph. Maybe Ivan should use it for the next edition of his OpenSSL Cookbook. (Recommended, by the way, or its larger sibling Bulletproof TLS; find them at feistyduck.com.) Not that it hasn't gotten better over the years: better encapsulation and abstraction, a lot more convenience functionality, a lot more explanation and samples on the OpenSSL wiki (which I think didn't even exist when I first started using OpenSSL). I have great appreciation for the team's efforts. But SSL/TLS is a great big ball of hair to begin with, and while I have tremendous respect for Eric Young, Steven Hensen, and the rest of the original contributors, the OpenSSL source is not exactly a monument to readability. (Though even in the early versions there were some important steps in that direction, like mostly consistent, safe naming conventions for external identifiers, thank goodness.) -- Michael Wojcik Distinguished Engineer, Micro Focus From Michael.Wojcik at microfocus.com Mon Dec 3 18:57:58 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Mon, 3 Dec 2018 18:57:58 +0000 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <05b101d48b31$47d9c720$d78d5560$@mcn.org> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:55 > > Got it. Thanks. I would think the basic client case is "one certificate, one CA" I'm going to disagree somewhat with this assumption, but not necessarily with your decision. That assumption is probably safe for some use cases, but not all. For example, Windows-based clients that use Microsoft's TLS implementation (SChannel, via CAPI or CNG or any of the various wrapper APIs, including the .NET Framework) have access to all the "personal" certificates in the Windows per-machine and per-user certificate stores. In a Windows domain environment, certificates may be added to those stores by central administration, as well as being created or added locally. So such clients could have quite a few client certificates available to them. Some other TLS implementations can optionally use the Windows certificate stores. I believe Netscape's NSS can be configured to do so, for example. A suitable JSSE provider is included with the standard Windows JRE and JDK distributions. And OpenSSL itself has a CAPI engine that can (probably) be used to pull client certificates from the Windows stores. (I say "probably" because when we went to use the OpenSSL CAPI engine some years ago, we ran into some issues caused by Microsoft's awkward provider mechanism and how it interacts with private-key storage, and I ended up enhancing the OpenSSL CAPI module in various ways. So I don't recall what exactly works with it out of the box.) There are other environments which similarly provide centralized storage of certificates (and corresponding private keys) to all clients. zOS does, for example, at least if you're using the RACF security provider. Perhaps more importantly, as Viktor noted, some clients won't send a certificate at all unless they have one signed by a CA on the server's list, or at least only if the server sends a non-empty list. The list is also useful for clients that want to help the user select from among a set of certificates. > so I think I will roll with what we have (especially since the product has been > out there for years with no reported problems in this area -- although I think > client certificate usage is rare) but keep the issue in mind if a problem comes > up. Despite what I wrote above, the important thing, of course, is what your users need. If they haven't needed a server that sends a CA list, there's a good chance they won't need one any time soon. Often there are better things to address first. TLS configuration is important, but certainly for the software projects I work on there are any number of important areas for further work. You can't do everything at once. -- Michael Wojcik Distinguished Engineer, Micro Focus From openssl-users at dukhovni.org Mon Dec 3 19:53:16 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 3 Dec 2018 14:53:16 -0500 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> Message-ID: <43CDE844-0D2A-4B07-A96A-69AF90481B1C@dukhovni.org> > On Dec 3, 2018, at 1:47 PM, Sands, Daniel via openssl-users wrote: > > Just wondering, is there a different error for an untrusted cross- > signed root? If it's the same error, then maybe remove "self-signed" > from the above message too, because that would not always be the case > either. A cross-signed CA certificate is not self-signed (or even self-issued), the two are mutually exclusive: This specification covers two classes of certificates: CA certificates and end entity certificates. CA certificates may be further divided into three classes: cross-certificates, self-issued Cooper, et al. Standards Track [Page 12] RFC 5280 PKIX Certificate and CRL Profile May 2008 certificates, and self-signed certificates. Cross-certificates are CA certificates in which the issuer and subject are different entities. Cross-certificates describe a trust relationship between the two CAs. Self-issued certificates are CA certificates in which the issuer and subject are the same entity. Self-issued certificates are generated to support changes in policy or operations. Self- signed certificates are self-issued certificates where the digital signature may be verified by the public key bound into the certificate. Self-signed certificates are used to convey a public key for use to begin certification paths. End entity certificates are issued to subjects that are not authorized to issue certificates. In OpenSSL there's no such thing as a "cross-signed root", the constructed chain contains a leaf certificate, some set of cross-signed or self-issued intermediate certificates, and finally a self-signed "root" (ignoring for the moment support for "partial chains" and DANE). -- Viktor. From charlesm at mcn.org Mon Dec 3 20:24:22 2018 From: charlesm at mcn.org (Charles Mills) Date: Mon, 3 Dec 2018 12:24:22 -0800 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <05aa01d48b31$0f645900$2e2d0b00$@mcn.org> Message-ID: <05ff01d48b46$2d9a1030$88ce3090$@mcn.org> LOL. Amen to that. It has gotten a WHOLE lot better. I started with OpenSSL somewhere around 2010 and the documentation was EXTREMELY sparse to say the list. Lots of functions documented as "under construction." Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Wojcik Sent: Monday, December 3, 2018 10:58 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:53 > > I appreciate it. OpenSSL is of course a great product but it can be a little > mystifying to debug. If I were ever to write a book about OpenSSL, "a great product but a little mystifying" would be an appropriate epigraph. Maybe Ivan should use it for the next edition of his OpenSSL Cookbook. (Recommended, by the way, or its larger sibling Bulletproof TLS; find them at feistyduck.com.) Not that it hasn't gotten better over the years: better encapsulation and abstraction, a lot more convenience functionality, a lot more explanation and samples on the OpenSSL wiki (which I think didn't even exist when I first started using OpenSSL). I have great appreciation for the team's efforts. But SSL/TLS is a great big ball of hair to begin with, and while I have tremendous respect for Eric Young, Steven Hensen, and the rest of the original contributors, the OpenSSL source is not exactly a monument to readability. (Though even in the early versions there were some important steps in that direction, like mostly consistent, safe naming conventions for external identifiers, thank goodness.) -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From charlesm at mcn.org Mon Dec 3 20:35:04 2018 From: charlesm at mcn.org (Charles Mills) Date: Mon, 3 Dec 2018 12:35:04 -0800 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> Message-ID: <060c01d48b47$ac112290$043367b0$@mcn.org> > zOS does, for example, at least if you're using the RACF security provider. Ha! Spoken like a Micro Focus guy! One of the most likely clients for this server is in fact implemented on z/OS. Just FYI, the key variable is not so much RACF: (a.) RACF is just (in this case) a certificate store, not a TLS implementation; and (b.) I think the other two ESM's (CA TSS and ACF2) are 99% equivalent in their certificate facilities. The TLS implementation is named System SSL (sometimes known as GSK). That is the TLS library, roughly parallel to OpenSSL. (In fact I don't know of any other TLS implementation on z/OS other than the OpenSSL port -- but there could be some.) GSK also implements its own certificate store, but I don't think it is widely used in production. Yes, there would be lots of certificates in the certificate store, but at least in the case of the client I wrote, you configure it in advance to use a particular named certificate, so the server application itself does not have any choice at run time. It is "one certificate, take it or leave it." Thanks for the heads-up on Windows. I develop for both platforms, but I am much less familiar with all of the ins and outs of Windows. OCSP and OCSP stapling are currently higher on my wish list than this. Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Wojcik Sent: Monday, December 3, 2018 10:58 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Charles Mills > Sent: Monday, December 03, 2018 10:55 > > Got it. Thanks. I would think the basic client case is "one certificate, one CA" I'm going to disagree somewhat with this assumption, but not necessarily with your decision. That assumption is probably safe for some use cases, but not all. For example, Windows-based clients that use Microsoft's TLS implementation (SChannel, via CAPI or CNG or any of the various wrapper APIs, including the .NET Framework) have access to all the "personal" certificates in the Windows per-machine and per-user certificate stores. In a Windows domain environment, certificates may be added to those stores by central administration, as well as being created or added locally. So such clients could have quite a few client certificates available to them. Some other TLS implementations can optionally use the Windows certificate stores. I believe Netscape's NSS can be configured to do so, for example. A suitable JSSE provider is included with the standard Windows JRE and JDK distributions. And OpenSSL itself has a CAPI engine that can (probably) be used to pull client certificates from the Windows stores. (I say "probably" because when we went to use the OpenSSL CAPI engine some years ago, we ran into some issues caused by Microsoft's awkward provider mechanism and how it interacts with private-key storage, and I ended up enhancing the OpenSSL CAPI module in various ways. So I don't recall what exactly works with it out of the box.) There are other environments which similarly provide centralized storage of certificates (and corresponding private keys) to all clients. zOS does, for example, at least if you're using the RACF security provider. Perhaps more importantly, as Viktor noted, some clients won't send a certificate at all unless they have one signed by a CA on the server's list, or at least only if the server sends a non-empty list. The list is also useful for clients that want to help the user select from among a set of certificates. > so I think I will roll with what we have (especially since the product has been > out there for years with no reported problems in this area -- although I think > client certificate usage is rare) but keep the issue in mind if a problem comes > up. Despite what I wrote above, the important thing, of course, is what your users need. If they haven't needed a server that sends a CA list, there's a good chance they won't need one any time soon. Often there are better things to address first. TLS configuration is important, but certainly for the software projects I work on there are any number of important areas for further work. You can't do everything at once. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From openssl-users at dukhovni.org Mon Dec 3 20:40:09 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 3 Dec 2018 15:40:09 -0500 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <060c01d48b47$ac112290$043367b0$@mcn.org> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> Message-ID: > On Dec 3, 2018, at 3:35 PM, Charles Mills wrote: > > OCSP and OCSP stapling are currently higher on my wish list than this. Good luck with OCSP, the documentation could definitely be better, and various projects get it wrong. IIRC curl gets OCSP right, so you could look there for example code, some other projects go through the motions, but don't always achieve a robust result. [ FWIW, I don't care much for OCSP, it's often not required, so it is then not clear what security properties it provides. ] -- Viktor. From charlesm at mcn.org Mon Dec 3 20:45:19 2018 From: charlesm at mcn.org (Charles Mills) Date: Mon, 3 Dec 2018 12:45:19 -0800 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> Message-ID: <061201d48b49$1aefbea0$50cf3be0$@mcn.org> Those darned customers are asking for it! I do understand the privacy exposure. Don't know if the customers do or do not. Charles -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni Sent: Monday, December 3, 2018 12:40 PM To: openssl-users at openssl.org Subject: Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list > On Dec 3, 2018, at 3:35 PM, Charles Mills wrote: > > OCSP and OCSP stapling are currently higher on my wish list than this. Good luck with OCSP, the documentation could definitely be better, and various projects get it wrong. IIRC curl gets OCSP right, so you could look there for example code, some other projects go through the motions, but don't always achieve a robust result. [ FWIW, I don't care much for OCSP, it's often not required, so it is then not clear what security properties it provides. ] From openssl at foocrypt.net Tue Dec 4 04:09:34 2018 From: openssl at foocrypt.net (openssl at foocrypt.net) Date: Tue, 4 Dec 2018 15:09:34 +1100 Subject: [openssl-users] Telecommunication and Other Legislation Amendment (Assistance and Access) Bill 2018 In-Reply-To: <81D70BA6-D8E3-4414-840D-CDC57215A57B@foocrypt.net> References: <81D70BA6-D8E3-4414-840D-CDC57215A57B@foocrypt.net> Message-ID: <68558DEA-6DA1-4723-8B92-306030E7FB70@foocrypt.net> It?s looking like AssAccess will be law here by the end of the week. Anyone know of a ?good? country to live / work in ? How many Openssl developers are within Australian boarders ? From vieuxtech at gmail.com Tue Dec 4 04:56:47 2018 From: vieuxtech at gmail.com (Sam Roberts) Date: Mon, 3 Dec 2018 20:56:47 -0800 Subject: [openssl-users] what is the relationship between (Client)SignatureAlgorithms and cipher_list()? Message-ID: Do they overlap in purpose, so the cipher list can be used to limit the signature algorithms? Or are the signature algorithms used for different purposes than the cipher suites in the cipher list? If they have to be configured seperately, is the mechanism to use https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd_value_type.html ? Thanks! Sam From jb-openssl at wisemo.com Tue Dec 4 15:15:11 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Tue, 4 Dec 2018 16:15:11 +0100 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <20181201205312.GB79754@straasha.imrryr.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> Message-ID: <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> On 01/12/2018 21:53, Viktor Dukhovni wrote: > On Sat, Dec 01, 2018 at 07:12:24PM +0000, Michael Wojcik wrote: > >>> Are there compatibility concerns around changing error message >>> text for which users may have created regex patterns in scripts? >>> >>> I agree the text could be better, but not sure in what releases >>> if any to change the text, since the change may cause issues >>> for some users. >> Sure, this is always a concern. Maybe the change could be considered for OpenSSL 3.0, since that's a major release. > Care to create a PR against the "master" branch? Something > along the lines of: > > "Provided chain ends with untrusted self-signed certificate" > > or better. Here "untrusted" might mean not trusted for the requested > purpose, but more precise is not always more clear. > Perhaps s/untrusted/unknown/ as in "Provided chain ends with unknown self-signed certificate". Or even better, two different error codes: ?- "Only self-signed end certificate provided" ?- "Provided chain ends with unknown root certificate" (Deciding which one keeps the old error code is left as ?an exercise). (Distinguishing a self-siged end cert from a self-signed ?root when no other certificate is provided is also left ?as an exercise). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From matt at openssl.org Tue Dec 4 17:17:49 2018 From: matt at openssl.org (Matt Caswell) Date: Tue, 4 Dec 2018 17:17:49 +0000 Subject: [openssl-users] what is the relationship between (Client)SignatureAlgorithms and cipher_list()? In-Reply-To: References: Message-ID: On 04/12/2018 04:56, Sam Roberts wrote: > Do they overlap in purpose, so the cipher list can be used to limit > the signature algorithms? Or are the signature algorithms used for > different purposes than the cipher suites in the cipher list? The answer varies depending on whether you are talking about TLSv1.2 or TLSv1.3. I'll discuss normal sig algs first (as opposed to client sig algs). In both TLSv1.2 and TLSv1.3 the sig algs describe what signature schemes the client is willing to accept from the server for the signature created in a ServerKeyExchange message (TLSv1.2) or a CertificateVerify message (TLSv1.3). The server will create the signature using the algorithm associated with the public key in the certificate. A TLSv1.2 ciphersuite contains a number of different components - one of which is an algorithm that will be used for signing. Therefore, in TLSv1.2, the ciphersuite that eventually gets selected must be consistent with the algorithm associated with the public key in the certificate and the selected sig alg. In TLSv1.2 on the client side OpenSSL will automatically restrict the cipher list to only include those ciphersuites which are consistent with its configured sig algs. So, for example, if the client is not willing to accept ECDSA based sig algs then it will not offer any ECDSA based ciphersuites. In TLSv1.2 on the server side OpenSSL will attempt to choose a ciphersuite from its configured set that is both consistent with the sig algs sent from the client and with its configured certificates. So for example if the server has both an RSA and an ECDSA certificate available but the client only offers RSA based sig algs, then the server will select an RSA based ciphersuite, and vice versa. In TLSv1.3 things are slightly different because TLSv1.3 ciphersuites do not specify a signature algorithm at all. So, on the client side, the TLSv1.3 ciphersuites sent are unaffected by the configured sig algs. On the server side the TLSv1.3 ciphersuite is selected independent of the sig algs. The server independently chooses a signature algorithm to use entirely based on its available certificate algorithms. Client sig algs are similar to normal sig algs but they only come in to play when client auth has been configured, i.e. the server requests a certificate from the client and the client provides one. In this case, both in TLSv1.2 and TLSv1.3, the sig alg selected is entirely based on the algorithm in the client cert. It is not impacted by the ciphersuite at all. So, for example, the ciphersuite could be based on RSA (because the server's certificate is based on RSA) but the client certificate's algorithm could be ECDSA (and hence the client sig alg in use will be ECDSA based). > > If they have to be configured seperately, is the mechanism to use > https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd_value_type.html > ? They do have to be configured separately. You can do this via the SSL_CONF interface if you wish. Or you can set them directly using the functions described on these man pages: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_sigalgs.html https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html Matt From anipatel at cisco.com Tue Dec 4 17:21:59 2018 From: anipatel at cisco.com (Animesh Patel (anipatel)) Date: Tue, 4 Dec 2018 17:21:59 +0000 Subject: [openssl-users] OCSP response signed by self-signed trusted responder validation Message-ID: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> Have a question with implementing an OCSP requestor that can handle validating an OCSP response that is not signed by the CA who issued the certificate that we are requesting the OCSP status for but rather, the OCSP response is signed by a self-signed trusted responder that includes the OCSP Signing EKU and the self-signed certificate is configured as trusted on the requesting system. Question is how to get past the check in OCSP_basic_verify() that calls ocsp_check_issuer() with the responder chain and fails in ocsp_match_issuerid() since the issuer ID doesn?t match the self-signed responder certificate ID causing the verify to fail with ?OCSP routines:OCSP_basic_verify:root ca not trusted in ocsp_vfy.c line 176.? Could someone please shed light on how this is expected to work for this scenario? Is it expected that the self-signed certificate needs to be added to have explicit trust so that it is allowed via the call to X509_check_trust() or is there something else I?m missing here? Thanks, Animesh -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Tue Dec 4 17:39:27 2018 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 4 Dec 2018 17:39:27 +0000 Subject: [openssl-users] OCSP response signed by self-signed trusted responder validation In-Reply-To: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> References: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> Message-ID: <3DD2EF16-E241-4350-B213-4B29A0305812@akamai.com> The responder isn?t supposed to be self-signed. It?s supposed to be signed by the CA issuing the certs. That way you know that the CA ?trusts? the responder. Now, having said that, what you want to do is reasonable ? think of it as ?out of band? trust. You will probably have to modify the source to support it, however. -------------- next part -------------- An HTML attachment was scrubbed... URL: From anipatel at cisco.com Tue Dec 4 17:54:05 2018 From: anipatel at cisco.com (Animesh Patel (anipatel)) Date: Tue, 4 Dec 2018 17:54:05 +0000 Subject: [openssl-users] OCSP response signed by self-signed trusted responder validation In-Reply-To: <3DD2EF16-E241-4350-B213-4B29A0305812@akamai.com> References: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> <3DD2EF16-E241-4350-B213-4B29A0305812@akamai.com> Message-ID: Thanks for the quick response Rich! Just a quick follow on. Per RFC6960 for OCSP, there are 3 options: All definitive response messages SHALL be digitally signed. The key used to sign the response MUST belong to one of the following: - the CA who issued the certificate in question - a Trusted Responder whose public key is trusted by the requestor - a CA Designated Responder (Authorized Responder, defined in Section 4.2.2.2) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA I?m seeing the self-signed and/or even a separate PKI root or hierarchy that is designated to sign responses as the 2nd option above which is essentially an ?out of band? trust that is configured on the requestor ahead of time. Are you saying option 2 from the RFC is not supported within OpenSSL and would require changes? Or am I misinterpreting option 2 above. Lastly, I assuming my understanding is correct, I was thinking X509_check_trust() allows for communicating this ?out of band? trust to OpenSSL for validation of OCSP responses, is this not what this trust setting is for? Thanks, Animesh From: "Salz, Rich" Date: Tuesday, December 4, 2018 at 12:39 PM To: "anipatel at cisco.com" , "openssl-users at openssl.org" Subject: Re: [openssl-users] OCSP response signed by self-signed trusted responder validation The responder isn?t supposed to be self-signed. It?s supposed to be signed by the CA issuing the certs. That way you know that the CA ?trusts? the responder. Now, having said that, what you want to do is reasonable ? think of it as ?out of band? trust. You will probably have to modify the source to support it, however. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Tue Dec 4 17:56:13 2018 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 4 Dec 2018 17:56:13 +0000 Subject: [openssl-users] OCSP response signed by self-signed trusted responder validation In-Reply-To: References: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> <3DD2EF16-E241-4350-B213-4B29A0305812@akamai.com> Message-ID: Perhaps you can build a trust store to handle your needs. I am not sure. -------------- next part -------------- An HTML attachment was scrubbed... URL: From anipatel at cisco.com Tue Dec 4 18:01:18 2018 From: anipatel at cisco.com (Animesh Patel (anipatel)) Date: Tue, 4 Dec 2018 18:01:18 +0000 Subject: [openssl-users] OCSP response signed by self-signed trusted responder validation In-Reply-To: References: <460801FD-7F2E-4D9A-A3A6-5373F0431D34@cisco.com> <3DD2EF16-E241-4350-B213-4B29A0305812@akamai.com>

Message-ID: <399554DB-739C-45D2-9641-97831568A30C@cisco.com> Thanks again Rich. If anyone else has any ideas please share. From: "Salz, Rich" Date: Tuesday, December 4, 2018 at 12:56 PM To: "anipatel at cisco.com" , "openssl-users at openssl.org" Subject: Re: [openssl-users] OCSP response signed by self-signed trusted responder validation Perhaps you can build a trust store to handle your needs. I am not sure. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Michael.Wojcik at microfocus.com Tue Dec 4 22:58:32 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Tue, 4 Dec 2018 22:58:32 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Jakob Bohm via openssl-users > Sent: Tuesday, December 04, 2018 08:15 > > Care to create a PR against the "master" branch? Something > > along the lines of: > > > > "Provided chain ends with untrusted self-signed certificate" > > > > or better. Here "untrusted" might mean not trusted for the requested > > purpose, but more precise is not always more clear. > > > Perhaps s/untrusted/unknown/ as in > > "Provided chain ends with unknown self-signed certificate". Yes, that might be better. Or maybe "unrecognized". Of course there's scope for someone to misinterpret regardless of which term is used. I can suggest various alternatives in the PR and let the team decide. > Or even better, two different error codes: > > - "Only self-signed end certificate provided" > > - "Provided chain ends with unknown root certificate" > > (Deciding which one keeps the old error code is left as > an exercise). I can raise that as a possibility too, in the PR. Obviously it's a bit more work than simply changing the existing text. -- Michael Wojcik Distinguished Engineer, Micro Focus From uri at ll.mit.edu Tue Dec 4 23:19:53 2018 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 4 Dec 2018 23:19:53 +0000 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> Message-ID: > "Provided chain ends with unknown self-signed certificate". I like this. IMHO "unrecognized" would be more confusing. I hope the team makes up their mind quickly. ?On 12/4/18, 6:17 PM, "openssl-users on behalf of Michael Wojcik" wrote: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Jakob Bohm via openssl-users > Sent: Tuesday, December 04, 2018 08:15 > > Care to create a PR against the "master" branch? Something > > along the lines of: > > > > "Provided chain ends with untrusted self-signed certificate" > > > > or better. Here "untrusted" might mean not trusted for the requested > > purpose, but more precise is not always more clear. > > > Perhaps s/untrusted/unknown/ as in > > "Provided chain ends with unknown self-signed certificate". Yes, that might be better. Or maybe "unrecognized". Of course there's scope for someone to misinterpret regardless of which term is used. I can suggest various alternatives in the PR and let the team decide. > Or even better, two different error codes: > > - "Only self-signed end certificate provided" > > - "Provided chain ends with unknown root certificate" > > (Deciding which one keeps the old error code is left as > an exercise). I can raise that as a possibility too, in the PR. Obviously it's a bit more work than simply changing the existing text. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5249 bytes Desc: not available URL: From openssl-users at dukhovni.org Tue Dec 4 23:50:30 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 4 Dec 2018 18:50:30 -0500 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> Message-ID: <20181204235030.GU79754@straasha.imrryr.org> On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote: > > Care to create a PR against the "master" branch? Something > > along the lines of: > > > > "Provided chain ends with untrusted self-signed certificate" > > > > or better. Here "untrusted" might mean not trusted for the requested > > purpose, but more precise is not always more clear. > > Perhaps s/untrusted/unknown/ as in > > "Provided chain ends with unknown self-signed certificate". I don't see why "unknown" is better, it could under certain conditions be "known", but not trusted. > Or even better, two different error codes: > > - "Only self-signed end certificate provided" > > - "Provided chain ends with unknown root certificate" That already exists: crypto/x509/x509_txt.c: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: return "self signed certificate"; case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: return "self signed certificate in certificate chain"; -- Viktor. From zhongju_li at yahoo.com Wed Dec 5 00:00:28 2018 From: zhongju_li at yahoo.com (zhongju li) Date: Wed, 5 Dec 2018 00:00:28 +0000 (UTC) Subject: [openssl-users] Creating PKCS#8 from pvk format References: <330952622.1937937.1543968028802.ref@mail.yahoo.com> Message-ID: <330952622.1937937.1543968028802@mail.yahoo.com> Hello,I am working on a small homework which requires convert pvk private key to PKCS#8 format. The code is based on OpenSSL 1.0.2.?I can get pvk private key components (Public exponent, modulus, prime1, prime2, exponent1, exponent2, coefficient, private exponent) properly, and convert to a validRSA format (RSA_check_key()returns success).?Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I have tried the following functions, all of these functions return 0 (failure) without anyfurther debugging information/clues:EVP_PKEY_assign_RSA(pEvpkey, rsa);EVP_PKEY_set1_RSA(pEvpkey, rsa);PEM_write_bio_RSAPrivateKey (out, rsa, cipher, NULL, 0, NULL, NULL);PEM_write_bio_PKCS8PrivateKey(out, pEvpkey, 0, 0, 0, 0, 0);?I did google searching, but have not figured out why the about functions failed (one posting mentions ?export version? vs. domestic version??).?So, I?d like to get some help, 1. hopefully, with more debug information. 2. suggestion: based on OpenSSL 1.0.2, what are the correct function-chain to change pvk private key to PKCS#5? Any suggestions, input are appreciated.Xuan ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From wiml at omnigroup.com Wed Dec 5 00:40:17 2018 From: wiml at omnigroup.com (Wim Lewis) Date: Tue, 4 Dec 2018 16:40:17 -0800 Subject: [openssl-users] Creating PKCS#8 from pvk format In-Reply-To: <330952622.1937937.1543968028802@mail.yahoo.com> References: <330952622.1937937.1543968028802.ref@mail.yahoo.com> <330952622.1937937.1543968028802@mail.yahoo.com> Message-ID: <8B64E15B-00B1-4302-869E-680160F1071D@omnigroup.com> On 4. des. 2018, at 4:00 e.h., zhongju li via openssl-users wrote: > Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I have tried the following functions, all of these functions return 0 (failure) without any further debugging information/clues: > EVP_PKEY_assign_RSA(pEvpkey, rsa); Is it possible that pEvpkey or rsa is NULL? (You need to create a EVP_PKEY with EVP_PKEY_new() before putting a specific key into it.) Otherwise, have you checked whether there is anything in the openssl error stack (using ERR_get_error(), ERR_print_errors_fp(), or similar)? > I did google searching, but have not figured out why the about functions failed (one posting mentions ?export version? vs. domestic version??). There used to be different versions because of US export laws but I don't think that has been the case for many years. From zhongju_li at yahoo.com Wed Dec 5 03:05:21 2018 From: zhongju_li at yahoo.com (zhongju li) Date: Wed, 5 Dec 2018 03:05:21 +0000 (UTC) Subject: [openssl-users] Creating PKCS#8 from pvk format In-Reply-To: <8B64E15B-00B1-4302-869E-680160F1071D@omnigroup.com> References: <330952622.1937937.1543968028802.ref@mail.yahoo.com> <330952622.1937937.1543968028802@mail.yahoo.com> <8B64E15B-00B1-4302-869E-680160F1071D@omnigroup.com> Message-ID: <1356809009.2019733.1543979121685@mail.yahoo.com> Hi Wim,Thank you for your quick response.1. Yes. I called EVP_PKEY_new() before calling EVP_PKEY_assign_RSA(pEvpkey, rsa); 2. For your second quetion: no. I have not checked there is anything in the openssl error stack. I will check the openssl error stack. 3. (1). If it works, is EVP_PKEY_assign_RSA(pEvpkey, rsa) the correct function to call to get pEvpkey (EVP_PKEY) from a rsa private key?Is there any other alternative function to get pEvpkey (EVP_PKEY) from a rsa private key?(2), Once getting pEvpkey, can I call the following functions to get PKC#8 der format:(a). PKCS8_PRIV_KEY_INFO *p8 = EVP_PKEY2PKCS8(pEvpkey); (b). int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der); Do you expect the above function call work? If not, what are the correct way to get pkcs#8 der? from pvk format? Thank you On Tuesday, December 4, 2018, 7:40:19 PM EST, Wim Lewis wrote: On 4. des. 2018, at 4:00 e.h., zhongju li via openssl-users wrote: > Now I need to convert the key in RSA format to EVP_PKEY, then to PKCS#8. I have tried the following functions, all of these functions return 0 (failure) without any further debugging information/clues: > EVP_PKEY_assign_RSA(pEvpkey, rsa); Is it possible that pEvpkey or rsa is NULL? (You need to create a EVP_PKEY with EVP_PKEY_new() before putting a specific key into it.) Otherwise, have you checked whether there is anything in the openssl error stack (using ERR_get_error(), ERR_print_errors_fp(), or similar)? > I did google searching, but have not figured out why the about functions failed (one posting mentions ?export version? vs. domestic version??). There used to be different versions because of US export laws but I don't think that has been the case for many years. -------------- next part -------------- An HTML attachment was scrubbed... URL: From janjust at nikhef.nl Wed Dec 5 09:49:07 2018 From: janjust at nikhef.nl (Jan Just Keijser) Date: Wed, 5 Dec 2018 10:49:07 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> Message-ID: <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> Hi, On 03/12/18 21:40, Viktor Dukhovni wrote: >> On Dec 3, 2018, at 3:35 PM, Charles Mills wrote: >> >> OCSP and OCSP stapling are currently higher on my wish list than this. > Good luck with OCSP, the documentation could definitely be better, and > various projects get it wrong. IIRC curl gets OCSP right, so you > could look there for example code, some other projects go through the > motions, but don't always achieve a robust result. > > [ FWIW, I don't care much for OCSP, it's often not required, so it is > then not clear what security properties it provides. ] the only reason to use OCSP I currently have is in Firefox:? if you turn off "Query OCSP responder servers" in Firefox then EV certificates will no longer show up with their owner/domain name. Now the question is:?? does Firefox get OCSP "right" ;) ? cheers, JJK / Jan Just Keijser From vlebourl at gmail.com Wed Dec 5 13:21:28 2018 From: vlebourl at gmail.com (Vincent Le Bourlot) Date: Wed, 5 Dec 2018 14:21:28 +0100 Subject: [openssl-users] version OPENSSL_1_1_1 not defined in file libcrypto.so.1.1 with link time reference Message-ID: Hi After a fresh build of branch OpenSSL_1_1_1-stable on our ppc64 machine, openssl seems broken for an unknown reason? Executing `openssl version` results in: ``` $ openssl version openssl: relocation error: openssl: symbol SCRYPT_PARAMS_it, version OPENSSL_1_1_1 not defined in file libcrypto.so.1.1 with link time reference ``` Same kind of error happens when ctest tries to upload a file to our CDash: ``` ctest: relocation error: ctest: symbol SSL_CTX_set_post_handshake_auth, version OPENSSL_1_1_1 not defined in file libssl.so.1.1 with link time reference ``` Any help would be greatly appreciated! Thanks in advance Vincent -------------------------------------- Vincent Le Bourlot http://vlebourlot.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From vieuxtech at gmail.com Wed Dec 5 16:08:48 2018 From: vieuxtech at gmail.com (Sam Roberts) Date: Wed, 5 Dec 2018 08:08:48 -0800 Subject: [openssl-users] version OPENSSL_1_1_1 not defined in file libcrypto.so.1.1 with link time reference In-Reply-To: References: Message-ID: On Wed, Dec 5, 2018 at 5:22 AM Vincent Le Bourlot wrote: > After a fresh build of branch OpenSSL_1_1_1-stable on our ppc64 machine, openssl seems broken for an unknown reason? > Executing `openssl version` results in: I'm no expert, but try `ldd openssl`, is it dynamically linking against the libcrypto/libssl that you just built? If not, try setting LD_LIBRARY_PATH (I had to do that with my local builds from source). From openssl-users at dukhovni.org Wed Dec 5 16:59:15 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 5 Dec 2018 11:59:15 -0500 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> Message-ID: <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> > On Dec 5, 2018, at 4:49 AM, Jan Just Keijser wrote: > > The only reason to use OCSP I currently have is in Firefox: if you turn off > "Query OCSP responder servers" in Firefox then EV certificates will no longer > show up with their owner/domain name. IIRC Apple's Safari is ending support for EV, and some say that EV has failed, and are not sorry to see it go. > Now the question is: does Firefox get OCSP "right" ;) ? Very likely yes. The Firefox TLS stack is maintained by experts. [ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ] -- Viktor. From lindblad at gmx.com Thu Dec 6 00:15:52 2018 From: lindblad at gmx.com (Eric Lindblad) Date: Thu, 6 Dec 2018 01:15:52 +0100 Subject: [openssl-users] Kermit Project Message-ID: An HTML attachment was scrubbed... URL: From jb-openssl at wisemo.com Thu Dec 6 09:03:21 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 6 Dec 2018 10:03:21 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> Message-ID: On 05/12/2018 17:59, Viktor Dukhovni wrote: >> On Dec 5, 2018, at 4:49 AM, Jan Just Keijser wrote: >> >> The only reason to use OCSP I currently have is in Firefox: if you turn off >> "Query OCSP responder servers" in Firefox then EV certificates will no longer >> show up with their owner/domain name. > IIRC Apple's Safari is ending support for EV, and some say that EV > has failed, and are not sorry to see it go. This is very bad for security.? So far the only real failures have been: 1. Some cloud provider(s) actively want to reduce all TLS security to ? the anonymous form provided by Let's encrypt, and are doing their worst ? to sabotage EV providing CAs. 2. As part of this campaign, those same cloud provider(s) take every ? opportunity to declare EV (and even OV) certificates as worthless ? and irrelevant. 3. At least one of those cloud provider(s) publishes a widely used ? "browser", in which they have preemptively removed support. Apple being tricked into removing support (contrary to their public hard stance on user security) is sad. >> Now the question is: does Firefox get OCSP "right" ;) ? > Very likely yes. The Firefox TLS stack is maintained by experts. > [ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ] > However Firefox code also contains lots of idiotic usability bugs, even in the code that talks to the TLS stack.? It is quite possible that the "OCSP must be on" rule is another bad usability hangover from the set of badly thought out UI changes made to initially promote EV certificates, just like the hiding of company names from non-EV certificates that actually contain them (so called OV certificates). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From jb-openssl at wisemo.com Thu Dec 6 09:18:47 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 6 Dec 2018 10:18:47 +0100 Subject: [openssl-users] [EXTERNAL] Re: Self-signed error when using SSL_CTX_load_verify_locations CApath In-Reply-To: <20181204235030.GU79754@straasha.imrryr.org> References: <027201d488d4$c06f2220$414d6660$@mcn.org> <032001d488f8$2dc529f0$894f7dd0$@mcn.org> <858BE247-C4BB-4C6B-B387-A9DC47C65915@dukhovni.org> <7d550152a633423611aa8df6bdc6a7897a97838f.camel@sandia.gov> <20181201205312.GB79754@straasha.imrryr.org> <27f1c6bb-832c-17d9-3ee5-a23bfeb726dc@wisemo.com> <20181204235030.GU79754@straasha.imrryr.org> Message-ID: On 05/12/2018 00:50, Viktor Dukhovni wrote: > On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote: > >>> Care to create a PR against the "master" branch? Something >>> along the lines of: >>> >>> "Provided chain ends with untrusted self-signed certificate" >>> >>> or better. Here "untrusted" might mean not trusted for the requested >>> purpose, but more precise is not always more clear. >> Perhaps s/untrusted/unknown/ as in >> >> "Provided chain ends with unknown self-signed certificate". > I don't see why "unknown" is better, it could under certain conditions > be "known", but not trusted. Unknown would differ from untrusted in cases where there is some setting indicating that some certificates in the CA directory are trusted only for some/no purposes. This could (in current or future code) represent things such as the trust bits in "Trusted Certificate" files. >> Or even better, two different error codes: >> >> - "Only self-signed end certificate provided" >> >> - "Provided chain ends with unknown root certificate" > That already exists: > > crypto/x509/x509_txt.c: > > case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: > return "self signed certificate"; > case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: > return "self signed certificate in certificate chain"; > In that case, maybe change the text to: ? "Provided chain ends with an unknown and thus untrusted root certificate" This would capture both the fact that the root is unknown (not in the CA stores configured/loaded) and that this is the specific fact causing it to be untrusted. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From openssl at foocrypt.net Thu Dec 6 09:47:20 2018 From: openssl at foocrypt.net (openssl at foocrypt.net) Date: Thu, 6 Dec 2018 20:47:20 +1100 Subject: [openssl-users] AssAccess was passed with no amendments Message-ID: <2F3815AC-C4E5-4A8A-85A9-091B80353559@foocrypt.net> Does OpenSSL have a policy stance on government enforced back doors ? -- Regards, Mark A. Lane Cryptopocalypse NOW 01 04 2016 Volumes 0.0 -> 10.0 Now available through iTunes - iBooks @ https://itunes.apple.com/au/author/mark-a.-lane/id1100062966?mt=11 ? Mark A. Lane 1980 - 2018, All Rights Reserved. ? FooCrypt 1980 - 2018, All Rights Reserved. ? FooCrypt, A Tale of Cynical Cyclical Encryption. 1980 - 2018, All Rights Reserved. ? Cryptopocalypse 1980 - 2018, All Rights Reserved. -------------- next part -------------- An HTML attachment was scrubbed... URL: From michael at stroeder.com Thu Dec 6 10:48:09 2018 From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=) Date: Thu, 6 Dec 2018 11:48:09 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> Message-ID: <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com> On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote: > On 05/12/2018 17:59, Viktor Dukhovni wrote: >> IIRC Apple's Safari is ending support for EV, and some say that EV >> has failed, and are not sorry to see it go. > > This is very bad for security.? So far the only real failures have > been: > > 1. Some cloud provider(s) actively want to reduce all TLS security to > ? the anonymous form provided by Let's encrypt, and are doing their worst > ? to sabotage EV providing CAs. Quoting from Peter Gutmann's "Engineering Security", section "EV Certificates: PKI-me-Harder" Indeed, cynics would say that this was exactly the problem that certificates and CAs were supposed to solve in the first place, and that ?high-assurance? certificates are just a way of charging a second time for an existing service. I fully agree with the above and I'm also for removing this crap from the browser UI. Ciao, Michael. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3829 bytes Desc: S/MIME Cryptographic Signature URL: From jb-openssl at wisemo.com Thu Dec 6 12:11:59 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 6 Dec 2018 13:11:59 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com> Message-ID: On 06/12/2018 11:48, Michael Str?der wrote: > On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote: >> On 05/12/2018 17:59, Viktor Dukhovni wrote: >>> IIRC Apple's Safari is ending support for EV, and some say that EV >>> has failed, and are not sorry to see it go. >> This is very bad for security.? So far the only real failures have >> been: >> >> 1. Some cloud provider(s) actively want to reduce all TLS security to >> ? the anonymous form provided by Let's encrypt, and are doing their worst >> ? to sabotage EV providing CAs. > Quoting from Peter Gutmann's "Engineering Security", > section "EV Certificates: PKI-me-Harder" > > Indeed, cynics would say that this was exactly the problem that > certificates and CAs were supposed to solve in the first place, and > that ?high-assurance? certificates are just a way of charging a > second time for an existing service. > > I fully agree with the above and I'm also for removing this crap from > the browser UI. Peter Gutman, for all his talents, dislikes PKI with a vengeance. EV is a standard for OV certificates done right.? Which involves more thorough identity checks, stricter rules for the CAs to follow etc. The real point of EV certificates is to separate CAs that do a good job from those that do a more sloppy job, without completely distrusting the mediocre CA operations. Due to market forces, the good CAs also offer the weaker certificate types at a lower price to compete with the mediocre CAs that are aren't good/thorough enough to do the full job. The way EV certs are highlighted in Browsers (Green bar etc.) was a way to create market demand for the higher quality.? They could be indicated in some other useful way of cause, but the distinguishment between "The CA did something to check the name and real world address in the certificate" (OV) versus "The CA checked the name and and real world address thoroughly in accordance with the higher quality standard" (EV) is still of some significance. If you look at that long list of CA roots preinstalled in a typical browser, only a minority are authorized, trusted and audited to issue to the higher EV standard. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From uri at ll.mit.edu Thu Dec 6 20:06:58 2018 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 6 Dec 2018 20:06:58 +0000 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com> Message-ID: > > Quoting from Peter Gutmann's "Engineering Security", > > section "EV Certificates: PKI-me-Harder" > > > > Indeed, cynics would say that this was exactly the problem that > > certificates and CAs were supposed to solve in the first place, and > > that ?high-assurance? certificates are just a way of charging a > > second time for an existing service. > > Peter Gutman, for all his talents, dislikes PKI with a vengeance. > EV is a standard for OV certificates done right. Which involves more > thorough identity checks, stricter rules for the CAs to follow etc. > > The real point of EV certificates is to separate CAs that do a good > job from those that do a more sloppy job, without completely distrusting > the mediocre CA operations. So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money. I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5211 bytes Desc: not available URL: From openssl-users at dukhovni.org Thu Dec 6 20:16:05 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 6 Dec 2018 15:16:05 -0500 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

Message-ID: > On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money. > > I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them. While the point of EV was that it certified a binding to a (domain + business name) rather than just a domain with DV, it turned out that displaying the business name was also subject to abuse, and the security gain proved elusive. https://www.troyhunt.com/extended-validation-certificates-are-dead/ -- Viktor. From jb-openssl at wisemo.com Thu Dec 6 22:56:14 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 6 Dec 2018 23:56:14 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

Message-ID: <8f667a91-0d89-f51c-8509-796f618f9caf@wisemo.com> On 06/12/2018 21:16, Viktor Dukhovni wrote: >> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL wrote: >> >> So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money. >> >> I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them. No, Uri you get it wrong.? Different levels of certainty is the point. Consider it like this: DV: A regular printed business card that you can get from a ? vending machine, proves very little. ? ? The CA just checks that the person or robot requesting the ? certificate has some semblance of control over the domain ? name at the time of issuance.? Price is as low as $0. OV: A debit card with the supposed owners name on it, available ? from a number of companies that do minimal checking, but still ? a better ID proof than a business card. ? ? The CA must check that the company name and address are true, ? using some basic steps such as checking that a company by that ? name exists at that address and confirms they are the ones ? requesting the certificate.? There is no check that the company ? name is an official name or that the company has a business ? license etc.? A traditional lemonade stand run by children can ? potentially get an OV certificate if they stay in one place for ? the time it takes to get the certificate.? (A CA agent visiting ? the company site is enough checking of company existence for OV). EV: A proper photo ID with serious identity checking before being ? issued, like a government passport.? Includes the holders ? legal name and government ID number (literally), which can be ? used to look up the subjects legal status. ? ? The CA must check public records, and do some hard checks that ? the request is officially from that company.? There is a 50+ ? pages official specification listing how every tidbit of ? this information must be checked.? The CA cannot limit ? its own liability for certain failures to less than $2000. Each step up the ladder gives the user more certainty the person/website is who it says it is, but is more expensive and difficult to obtain for the person/website.? Each step also costs more money for the CA to check, because there is more work to do. The "make it look green" and "fights crime" slogans were just the old marketing campaign, repeated endlessly as a more efficient sales pressure than the real explanation. > While the point of EV was that it certified a binding to a (domain + business name) > rather than just a domain with DV, it turned out that displaying the business name > was also subject to abuse, and the security gain proved elusive. > > https://www.troyhunt.com/extended-validation-certificates-are-dead/ A traveling salesman for a cloud provider. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From openssl-users at dukhovni.org Thu Dec 6 23:12:07 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 6 Dec 2018 18:12:07 -0500 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <8f667a91-0d89-f51c-8509-796f618f9caf@wisemo.com> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<8f667a91-0d89-f51c-8509-796f618f9caf@wisemo.com> Message-ID: <78BA59AF-31BF-4FB1-A73A-9630B3833039@dukhovni.org> > On Dec 6, 2018, at 5:56 PM, Jakob Bohm via openssl-users wrote: > >> While the point of EV was that it certified a binding to a (domain + business name) >> rather than just a domain with DV, it turned out that displaying the business name >> was also subject to abuse, and the security gain proved elusive. >> >> https://www.troyhunt.com/extended-validation-certificates-are-dead/ > > A traveling salesman for a cloud provider. That's an ad-hominem argument. Just because he may have an agenda, does not mean he's wrong. One might wish he were wrong, but perhaps the market has spoken otherwise. Or perhaps he really is wrong, we'll see... -- Viktor. From michael at stroeder.com Fri Dec 7 11:18:32 2018 From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=) Date: Fri, 7 Dec 2018 12:18:32 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <8f667a91-0d89-f51c-8509-796f618f9caf@wisemo.com> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<8f667a91-0d89-f51c-8509-796f618f9caf@wisemo.com> Message-ID: <69f506b3-8079-60ca-c4e5-8265a22b68c8@stroeder.com> On 12/6/18 11:56 PM, Jakob Bohm via openssl-users wrote: > Different levels of certainty is the point. Which never worked well in practice, no matter how hard people tried to clearly define levels if certainty. Ciao, Michael. From aerowolf at gmail.com Fri Dec 7 22:00:53 2018 From: aerowolf at gmail.com (Kyle Hamilton) Date: Fri, 7 Dec 2018 16:00:53 -0600 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

Message-ID: CAs *do* verify the attributes they certify. That they're not presented as such is not the fault of the CAs, but rather of the browsers who insist on not changing or improving their UI. The thing is, if I run a website with a forum that I don't ask for money on and don't want any transactions happening on, why should I have to pay for the same level of certainty of my identity that a company like Amazon needs? (Why does Amazon need that much certainty? Well, I could set up wireless access points around coffee shops in December, point the DNS provided at those WAPs to my own server and run a fake amazon.com site to capture account credentials and credit cards. Without EV, that's a plausible attack. Especially with SSL being not-by-default, someone could type amazon.com and it can be intercepted without showing any certificate warning -- which then allows a redirect to a lookalike amazon.com name that could get certified by something like LetsEncrypt.) Plus, clouds have had a protocol available for doing queries to certs and keys held by other parties for several years. Cloudflare developed this protocol for banks, for whom loss of control of the certificate key is a reportable event, but who also often need DDoS protection. There's no reason it can't be extended to other clouds and sites -- unless Cloudflare patented it and wants royalties, in which case their rent-seeking is destroying the security of the web by convincing cloud salesmen to say that EV is too much trouble to deal with and thus should be killed off in the marketplace. Demanding that EV be perfect and dropping support for it if it has any found vulnerability falls into a class of human behavior known as "letting the perfect be the enemy of the good", which is also known as "cutting off the nose to spite the face". It still cuts down on a huge number of potential attacks, and doing away with it allows those attacks to flourish again. (Which, by the way, is what organized crime would prefer to permit.) -Kyle H On Thu, Dec 6, 2018, 14:07 Blumenthal, Uri - 0553 - MITLL > > Quoting from Peter Gutmann's "Engineering Security", > > > section "EV Certificates: PKI-me-Harder" > > > > > > Indeed, cynics would say that this was exactly the problem that > > > certificates and CAs were supposed to solve in the first > place, and > > > that ?high-assurance? certificates are just a way of charging a > > > second time for an existing service. > > > > Peter Gutman, for all his talents, dislikes PKI with a vengeance. > > EV is a standard for OV certificates done right. Which involves more > > thorough identity checks, stricter rules for the CAs to follow etc. > > > > The real point of EV certificates is to separate CAs that do a good > > job from those that do a more sloppy job, without completely > distrusting > > the mediocre CA operations. > > So, a CA that's supposed to validate its customer before issuing a > certificate, may do a "more sloppy job" if he doesn't cough up some extra > money. > > I think Peter is exactly right here. CA either do their job, or they > don't. If they agree to certify a set of attributes, they ought to verify > each one of them. > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Fri Dec 7 22:30:10 2018 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Fri, 7 Dec 2018 22:30:10 +0000 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

Message-ID: <3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu> If there's a non-EV CA that would give you a cert for DNS name amazon.com - I'd like to make sure it's in my list and marked Not Trusted. Regards, Uri Sent from my iPhone > On Dec 7, 2018, at 17:02, Kyle Hamilton wrote: > > CAs *do* verify the attributes they certify. That they're not presented as such is not the fault of the CAs, but rather of the browsers who insist on not changing or improving their UI. > > The thing is, if I run a website with a forum that I don't ask for money on and don't want any transactions happening on, why should I have to pay for the same level of certainty of my identity that a company like Amazon needs? > > (Why does Amazon need that much certainty? Well, I could set up wireless access points around coffee shops in December, point the DNS provided at those WAPs to my own server and run a fake amazon.com site to capture account credentials and credit cards. Without EV, that's a plausible attack. Especially with SSL being not-by-default, someone could type amazon.com and it can be intercepted without showing any certificate warning -- which then allows a redirect to a lookalike amazon.com name that could get certified by something like LetsEncrypt.) > > Plus, clouds have had a protocol available for doing queries to certs and keys held by other parties for several years. Cloudflare developed this protocol for banks, for whom loss of control of the certificate key is a reportable event, but who also often need DDoS protection. There's no reason it can't be extended to other clouds and sites -- unless Cloudflare patented it and wants royalties, in which case their rent-seeking is destroying the security of the web by convincing cloud salesmen to say that EV is too much trouble to deal with and thus should be killed off in the marketplace. > > Demanding that EV be perfect and dropping support for it if it has any found vulnerability falls into a class of human behavior known as "letting the perfect be the enemy of the good", which is also known as "cutting off the nose to spite the face". It still cuts down on a huge number of potential attacks, and doing away with it allows those attacks to flourish again. (Which, by the way, is what organized crime would prefer to permit.) > > -Kyle H > > >> On Thu, Dec 6, 2018, 14:07 Blumenthal, Uri - 0553 - MITLL > > > Quoting from Peter Gutmann's "Engineering Security", >> > > section "EV Certificates: PKI-me-Harder" >> > > >> > > Indeed, cynics would say that this was exactly the problem that >> > > certificates and CAs were supposed to solve in the first place, and >> > > that ?high-assurance? certificates are just a way of charging a >> > > second time for an existing service. >> > >> > Peter Gutman, for all his talents, dislikes PKI with a vengeance. >> > EV is a standard for OV certificates done right. Which involves more >> > thorough identity checks, stricter rules for the CAs to follow etc. >> > >> > The real point of EV certificates is to separate CAs that do a good >> > job from those that do a more sloppy job, without completely distrusting >> > the mediocre CA operations. >> >> So, a CA that's supposed to validate its customer before issuing a certificate, may do a "more sloppy job" if he doesn't cough up some extra money. >> >> I think Peter is exactly right here. CA either do their job, or they don't. If they agree to certify a set of attributes, they ought to verify each one of them. >> >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5801 bytes Desc: not available URL: From Michael.Wojcik at microfocus.com Fri Dec 7 22:44:23 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Fri, 7 Dec 2018 22:44:23 +0000 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: <3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu> References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Blumenthal, Uri - 0553 - MITLL > Sent: Friday, December 07, 2018 15:30 > If there's a non-EV CA that would give you a cert for DNS name amazon.com - I'd like to make sure it's in my list and > marked Not Trusted. Wrong threat model, I think. While it's certainly possible that someone could trick or coerce one of the (many) CAs trusted by popular browsers into issuing a DV certificate for *.amazon.com or similar, Certificate Transparency would (eventually) catch that. Homograph attacks combined with phishing would be much cheaper and easier. Get a DV certificate from Let's Encrypt for anazom.com or amazom.com, or any of the Unicode homograph possibilies (Cyrillic small letter a and small letter o are both applicable here) to catch the vast majority of users who haven't enabled raw punycode display (assuming their browser even supports it). Phishing is easy with a forged Amazon email about any purchase - users will tend to think someone has hacked their Amazon account and follow the link to investigate without questioning the provenance of the link itself. Part of the point of EV certificates was supposed to be making the difference in trust visible to end users. If user agents ignore the EV distinction, then I for one don't see how EV certificates are worth a premium. Stronger requirements don't accomplish anything if those requirements can't be verified by the vast majority of users. -- Michael Wojcik Distinguished Engineer, Micro Focus From michael at stroeder.com Sat Dec 8 11:58:46 2018 From: michael at stroeder.com (=?UTF-8?Q?Michael_Str=c3=b6der?=) Date: Sat, 8 Dec 2018 12:58:46 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu> Message-ID: On 12/7/18 11:44 PM, Michael Wojcik wrote: > Homograph attacks combined with phishing would be much cheaper and > easier. Get a DV certificate from Let's Encrypt for anazom.com or > amazom.com, or any of the Unicode homograph possibilies> > Part of the point of EV certificates was supposed to be making the > difference in trust visible to end users. And how do you avoid such homograph attack on subject DN attribute "O" (organization's name) when display the holy EV green sign? => EV certs also don't help in this case. Also in case of amazon.com most users know the pure domain name but not the *exact* company name, not to speak of the multitude of names of all the subsidiaries. Ciao, Michael. From hemantranvir at gmail.com Mon Dec 10 10:30:05 2018 From: hemantranvir at gmail.com (Hemant Ranvir) Date: Mon, 10 Dec 2018 19:30:05 +0900 Subject: [openssl-users] AES encrypt expanded key is different with no-asm Message-ID: Dear all, After extracting openssl-1.1.1.tar.gz, openssl can be configured without asm by passing no-asm flag during config command. The expanded key can be obtained like follows: //Getting expanded key from inside openssl //Copied from crypto/evp/e_aes.c typedef struct { union { double align; AES_KEY ks; } ks; block128_f block; union { cbc128_f cbc; ctr128_f ctr; } stream; } EVP_AES_KEY; EVP_CIPHER_CTX *cipher_ctx = ssl->enc_write_ctx; EVP_AES_KEY * cipher_data = EVP_CIPHER_CTX_get_cipher_data(cipher_ctx); printf("Encrypted Expanded Key is : "); for(i=0;i<((cipher_ctx->cipher->key_len)/sizeof(cipher_data->ks.ks.rd_key[0])*11);i++) { printf("%08x", cipher_data->ks.ks.rd_key[i]); } printf("\n"); To get the 128 bit encrypted key : unsigned char* key = unsigned char* malloc(16); int i; for (i=0; i<4; i++) { key[4*i] = cipher_data->ks.ks.rd_key[i] >> 24; key[4*i+1] = cipher_data->ks.ks.rd_key[i] >> 16; key[4*i+2] = cipher_data->ks.ks.rd_key[i] >> 8; key[4*i+3] = cipher_data->ks.ks.rd_key[i]; } I am using this 128 bit key and using it in *Rijndael* Key Schedule function to get the expanded key. The expanded key will be 128*11 bit long. This expanded key is equal to the expanded key obtained from accessing structures inside openssl(shown in section "Getting expanded key from inside openssl" ) which is expected. Now if I configure openssl without no-asm flag and get the expanded key from inside openssl and compare it with the expanded key calculated using the function I wrote. They are not equal. As far as I know there is only one way to calculate expanded key. I have even checked whether the expanded key inside openssl is inverse cipher expanded key but yet it is different. Can someone point me in the right direction. Thanks! -- Best Regards, Hemant Ranvir *"To live a creative life, we must lose our fear of being wrong.**" - J.C.Pearce* -------------- next part -------------- An HTML attachment was scrubbed... URL: From mksarav at gmail.com Mon Dec 10 10:41:20 2018 From: mksarav at gmail.com (M K Saravanan) Date: Mon, 10 Dec 2018 18:41:20 +0800 Subject: [openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL? Message-ID: Hi, I read the recent research paper: The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong, and Yuval Yarom Nov 30, 2018 Research Paper: https://eprint.iacr.org/2018/1173.pdf As per this paper, OpenSSL was also vulnerable but OpenSSL fixed them independently of the authors' disclosure. ============= APPENDIX A VULNERABILITIES DESCRIPTION A. OpenSSL TLS Implementation [...] However, OpenSSL?s code does contain two side channel vulnerabilities. One vulnerability has been described in Section IV-A and the other is presented here. We note that OpenSSL replaced the vulnerable code in both locations with constant-time implementations independently of our disclosure. ============= The paper does not list the CVE for the openssl vulnerability. Is there a CVE for this? What are the affected versions and in which version they were fixed? with regards, Saravanan From Matthias.St.Pierre at ncp-e.com Mon Dec 10 11:11:14 2018 From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre) Date: Mon, 10 Dec 2018 11:11:14 +0000 Subject: [openssl-users] The 9 Lives of Bleichenbacher's CAT - Is there a CVE for OpenSSL? In-Reply-To: References: Message-ID: <56fd61a88a074b07a8991ea11bb4a777@Ex13.ncp.local> > The paper does not list the CVE for the openssl vulnerability. > > Is there a CVE for this? What are the affected versions and in which > version they were fixed? A similar question has been asked at the end of the GitHub issue https://github.com/openssl/openssl/issues/7739. As far as I know, the question is still unanswered... HTH Matthias From Michael.Wojcik at microfocus.com Mon Dec 10 13:41:40 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Mon, 10 Dec 2018 13:41:40 +0000 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu>

Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Michael Str?der > Sent: Saturday, December 08, 2018 06:59 > > On 12/7/18 11:44 PM, Michael Wojcik wrote: > > Homograph attacks combined with phishing would be much cheaper and > > easier. Get a DV certificate from Let's Encrypt for anazom.com or > > amazom.com, or any of the Unicode homograph possibilies> > > Part of the point of EV certificates was supposed to be making the > > difference in trust visible to end users. > And how do you avoid such homograph attack on subject DN attribute "O" > (organization's name) when display the holy EV green sign? > > => EV certs also don't help in this case. > > Also in case of amazon.com most users know the pure domain name but not > the *exact* company name, not to speak of the multitude of names of all > the subsidiaries. Oh, I agree (at least on the latter point - I'm not sure how concerned I am about homograph attacks on the subject DN, since the common UAs are verifiying subjAltName values and ignoring the DN). That's why I wrote "was *supposed* to be". I don't think EV certificates accomplished this goal. I've never felt EV certificates were very useful, and they got progressively worse over time. Remember back in July when Entrust's Chris Baily put language on the CA/BF ballot (Ballot 255, specifically, if anyone wants to look it up) to restrict EV certificates to entities that had been incorporated for at least 18 months? That's the kind of terrible thinking that the EV process produced. The Stripe certificate fiasco that led to Baily's proposal is another example of why EV certificates Just Don't Work. The idea of having different certificates at different trust levels might be salvageable, but the EV implementation put the burden of evaluating those trust levels on the user (because user agents just passed it on to them), and the vast majority of users aren't in any position to do that. Nor were they in any position to determine how those trust levels ought to affect their threat model (that was the hole exploited by the Stripe attack). A site with a legitimate EV certificate might still misrepresent itself, perform hostile actions, or be vulnerable to attack (or already subverted) - EV says nothing about those risks. -- Michael Wojcik Distinguished Engineer, Micro Focus From jb-openssl at wisemo.com Tue Dec 11 07:23:47 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Tue, 11 Dec 2018 08:23:47 +0100 Subject: [openssl-users] AES encrypt expanded key is different with no-asm In-Reply-To: References: Message-ID: On 10/12/2018 11:30, Hemant Ranvir wrote: > Dear all, > ? ? After extracting openssl-1.1.1.tar.gz, openssl can be configured > without asm by passing no-asm flag during config command. > > ? ? The expanded key can be obtained like follows: > //Getting expanded key from inside openssl > //Copied from crypto/evp/e_aes.c > typedef struct { > ? union { > ? ? ? double align; > ? ? ? AES_KEY ks; > ? } ks; > ? block128_f block; > ? union { > ? ? ? cbc128_f cbc; > ? ? ? ctr128_f ctr; > ? } stream; > } EVP_AES_KEY; > > EVP_CIPHER_CTX *cipher_ctx = ssl->enc_write_ctx; > EVP_AES_KEY *?cipher_data = EVP_CIPHER_CTX_get_cipher_data(cipher_ctx); > printf("Encrypted Expanded Key is : "); > for(i=0;i<((cipher_ctx->cipher->key_len)/sizeof(cipher_data->ks.ks.rd_key[0])*11);i++) > { > ? ? printf("%08x", cipher_data->ks.ks.rd_key[i]); > } > printf("\n"); > > ?To get the 128 bit encrypted key : > unsigned char* key = unsigned?char* malloc(16); > ? int i; > ? for (i=0; i<4; i++) { > ? ? ? key[4*i]? ?= cipher_data->ks.ks.rd_key[i] >> 24; > ? ? ? key[4*i+1] = cipher_data->ks.ks.rd_key[i] >> 16; > ? ? ? key[4*i+2] = cipher_data->ks.ks.rd_key[i] >> 8; > ? ? ? key[4*i+3] = cipher_data->ks.ks.rd_key[i]; > ? } > > I am using this 128 bit key and using it in *Rijndael*?Key Schedule > function to get the expanded key. The expanded key will be 128*11 bit > long. > This expanded key is equal to the expanded key obtained from accessing > structures inside openssl(shown in section?"Getting expanded key from > inside openssl" ) which is expected. > > Now if I configure openssl without no-asm flag and get the expanded > key from inside openssl and compare it with the expanded key > calculated using the function I wrote. They are not equal. As far as I > know there is only one way to calculate expanded key. I have even > checked whether the expanded key inside openssl is inverse cipher > expanded key but yet it is different. > Can someone point me in the right direction. > Thanks! > > There have always been multiple ways to store the expanded AES key, each optimized a different implementation of the inner loops in the encryption block function.? It is highly likely the assembler implementation for any given processor uses a different inner loop, and thus a different expanded key data layout, than the generic C code. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From jb-openssl at wisemo.com Tue Dec 11 07:35:04 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Tue, 11 Dec 2018 08:35:04 +0100 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu>

Message-ID: On 10/12/2018 14:41, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf >> Of Michael Str?der >> Sent: Saturday, December 08, 2018 06:59 >> >> On 12/7/18 11:44 PM, Michael Wojcik wrote: >>> Homograph attacks combined with phishing would be much cheaper and >>> easier. Get a DV certificate from Let's Encrypt for anazom.com or >>> amazom.com, or any of the Unicode homograph possibilies> >>> Part of the point of EV certificates was supposed to be making the >>> difference in trust visible to end users. >> And how do you avoid such homograph attack on subject DN attribute "O" >> (organization's name) when display the holy EV green sign? >> >> => EV certs also don't help in this case. >> >> Also in case of amazon.com most users know the pure domain name but not >> the *exact* company name, not to speak of the multitude of names of all >> the subsidiaries. > Oh, I agree (at least on the latter point - I'm not sure how concerned I am about homograph attacks on the subject DN, since the common UAs are verifiying subjAltName values and ignoring the DN). That's why I wrote "was *supposed* to be". I don't think EV certificates accomplished this goal. > > I've never felt EV certificates were very useful, and they got progressively worse over time. Remember back in July when Entrust's Chris Baily put language on the CA/BF ballot (Ballot 255, specifically, if anyone wants to look it up) to restrict EV certificates to entities that had been incorporated for at least 18 months? That's the kind of terrible thinking that the EV process produced. > > The Stripe certificate fiasco that led to Baily's proposal is another example of why EV certificates Just Don't Work. The idea of having different certificates at different trust levels might be salvageable, but the EV implementation put the burden of evaluating those trust levels on the user (because user agents just passed it on to them), and the vast majority of users aren't in any position to do that. Nor were they in any position to determine how those trust levels ought to affect their threat model (that was the hole exploited by the Stripe attack). A site with a legitimate EV certificate might still misrepresent itself, perform hostile actions, or be vulnerable to attack (or already subverted) - EV says nothing about those risks. The Stripe certificate fiasco relied heavily on browsers not displaying the EV certificate fields (specificlly Jurisdiction of incorporation) correctly along with the name, as clearly spelled out in the EV specification. That Jurisdiction field along with the uniqueness checks done by the authorities of the jurisdiction is what is supposed to prevent homographs in the O field.? For example, using Cyrillic letters in a de jure company name is unlikely to be allowed outside the Cyrillic using jurisdictions (former USSR, Serbia, maybe Bosnia and Montenegro). ?If displayed, users should readily notice the wrong country in the green bar. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From hemantranvir at gmail.com Tue Dec 11 07:37:22 2018 From: hemantranvir at gmail.com (Hemant Ranvir) Date: Tue, 11 Dec 2018 16:37:22 +0900 Subject: [openssl-users] AES encrypt expanded key is different with no-asm In-Reply-To: References:

Message-ID: Hi Jacob, thanks for the input. On Tue 11 Dec, 2018, 4:24 PM Jakob Bohm via openssl-users, < openssl-users at openssl.org> wrote: > On 10/12/2018 11:30, Hemant Ranvir wrote: > > Dear all, > > After extracting openssl-1.1.1.tar.gz, openssl can be configured > > without asm by passing no-asm flag during config command. > > > > The expanded key can be obtained like follows: > > //Getting expanded key from inside openssl > > //Copied from crypto/evp/e_aes.c > > typedef struct { > > union { > > double align; > > AES_KEY ks; > > } ks; > > block128_f block; > > union { > > cbc128_f cbc; > > ctr128_f ctr; > > } stream; > > } EVP_AES_KEY; > > > > EVP_CIPHER_CTX *cipher_ctx = ssl->enc_write_ctx; > > EVP_AES_KEY * cipher_data = EVP_CIPHER_CTX_get_cipher_data(cipher_ctx); > > printf("Encrypted Expanded Key is : "); > > > for(i=0;i<((cipher_ctx->cipher->key_len)/sizeof(cipher_data->ks.ks.rd_key[0])*11);i++) > > > { > > printf("%08x", cipher_data->ks.ks.rd_key[i]); > > } > > printf("\n"); > > > > To get the 128 bit encrypted key : > > unsigned char* key = unsigned char* malloc(16); > > int i; > > for (i=0; i<4; i++) { > > key[4*i] = cipher_data->ks.ks.rd_key[i] >> 24; > > key[4*i+1] = cipher_data->ks.ks.rd_key[i] >> 16; > > key[4*i+2] = cipher_data->ks.ks.rd_key[i] >> 8; > > key[4*i+3] = cipher_data->ks.ks.rd_key[i]; > > } > > > > I am using this 128 bit key and using it in *Rijndael* Key Schedule > > function to get the expanded key. The expanded key will be 128*11 bit > > long. > > This expanded key is equal to the expanded key obtained from accessing > > structures inside openssl(shown in section "Getting expanded key from > > inside openssl" ) which is expected. > > > > Now if I configure openssl without no-asm flag and get the expanded > > key from inside openssl and compare it with the expanded key > > calculated using the function I wrote. They are not equal. As far as I > > know there is only one way to calculate expanded key. I have even > > checked whether the expanded key inside openssl is inverse cipher > > expanded key but yet it is different. > > Can someone point me in the right direction. > > Thanks! > > > > > There have always been multiple ways to store the expanded AES > key, each optimized a different implementation of the inner > loops in the encryption block function. It is highly likely > the assembler implementation for any given processor uses a > different inner loop, and thus a different expanded key data > layout, than the generic C code. > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From aerowolf at gmail.com Tue Dec 11 10:13:07 2018 From: aerowolf at gmail.com (Kyle Hamilton) Date: Tue, 11 Dec 2018 04:13:07 -0600 Subject: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list In-Reply-To: References: <050b01d48aa0$7d351be0$779f53a0$@mcn.org> <05b101d48b31$47d9c720$d78d5560$@mcn.org> <060c01d48b47$ac112290$043367b0$@mcn.org> <2f4931ad-ce4e-3b03-dcd5-0c268203c5b4@nikhef.nl> <1B3A82E8-FD3D-427A-894D-BEE483C749B9@dukhovni.org> <2df0e89e-0d78-e735-7433-e06863400d4c@stroeder.com>

<3F77FFFF-FF4D-4641-B7C3-B14FAEEA8DDB@ll.mit.edu>

Message-ID: Because only showing the O= is insufficient, you also need to show the jurisdiction the O= is based in. (In the case of Amazon, it's a Delaware corporation.) The fact that browsers are getting tricked into thinking EV doesn't help is only because their UX designers refuse to allow the information which is necessary for actual trust to be displayed. It's not the fault of the CAs or the EV guidelines, it's fully within the hands of the browsers to fix. But they're worried about "providing free advertising for the CAs" (when I suggested putting the name of the certifier on the chrome, so that any change would raise a flag in the users' mind) or "information overload for the users" and "insufficient space for other important things" (when I suggested putting more of the Subject DN on the chrome), even though those are things that would legitimately put the onus of being tricked fairly on the user, and off of the browsers which currently don't readily provide the information. Regardless, in my view it really doesn't matter. I lost faith in the browsers being willing to continue to improve things (i.e., work against the identity homograph arms race) long ago. So now they want to backslide? I've done my duty to try to convince them to continue to evolve against the threat landscape. The onus of and blame for their unwillingness to do so is on them. Now, I guess we'll only get to see how much of it might stick in court. On Sat, Dec 8, 2018, 05:59 Michael Str?der On 12/7/18 11:44 PM, Michael Wojcik wrote: > > Homograph attacks combined with phishing would be much cheaper and > > easier. Get a DV certificate from Let's Encrypt for anazom.com or > > amazom.com, or any of the Unicode homograph possibilies> > > Part of the point of EV certificates was supposed to be making the > > difference in trust visible to end users. > And how do you avoid such homograph attack on subject DN attribute "O" > (organization's name) when display the holy EV green sign? > By including the jurisdiction the O is organized in, of course. O=Amazon Inc,ST=Delaware,C=US. (That's the point of hierarchical names, after all. It's to reduce namespace collisions in spaces -- like independent political entities -- which don't often cooperate together to inhibit problems like these.) Interesting note: I could register a corporation named "Bank of America Corporation" in any state BofA doesn't currently have a presence, to obtain a potentially EV-valid certificate, and their only recourse might be a trademark lawsuit. If I registered it in a foreign nation, they wouldn't have any recourse at all unless they already had a presence in that nation. (Though they might try to convince the feds to prosecute me for attempted fraud, even if I didn't do anything to actually attempt or complete a fraud under that name.) Does this mean that EV is useless? No, it means that the overarching legal regime enables attacks that certificates already provide the means to combat -- but only if the certificate-consuming software properly implements it. The idea that a browser thinks EV is useless is worth nothing. It just means that they won't invest into this area of security the way they will into preventing their processes from being hijacked by arbitrary code. Should they have to invest in this way? I don't know. They took on the role on their own, either to try to build trust in web-based commerce (where they succeeded to the tune of tens of billions of dollars in economic activity every year) or because they had to try to "keep up with the Joneses" (i.e., Mozilla and Microsoft and Google, who were doing it for the more altruistic reason). I can't judge whether they "should". I just know enough to recognize what they "did". > => EV certs also don't help in this case. > > Also in case of amazon.com most users know the pure domain name but not > the *exact* company name, not to speak of the multitude of names of all > the subsidiaries. > Subsidiary names are relatively irrelevant, as long as the same subsidiary name shows up when they do the same thing. If it turns out that there's a need for them to become relevant, a DNS record with the expected Subject DN could be published, or a sitemap with the expected name of the subsidiary in question could be made available, or any of a host of other options could be explored and done. (And let's not forget the homograph attack enabled by the lack of https-by-default.) These arguments you make are arguments for letting the nonexistent perfect be the enemy of the existing good. They're also arguments for not trying to work toward the hypothetical ideal, and for throwing the baby out with the bathwater. > Ciao, Michael. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prithiraj.das at gmail.com Wed Dec 12 07:07:11 2018 From: prithiraj.das at gmail.com (prithiraj das) Date: Wed, 12 Dec 2018 07:07:11 +0000 Subject: [openssl-users] RSA Public Key error Message-ID: Hi, I have a RSA public key(PKCS 1v1.5) that I have obtained from somewhere. That key has been obtained after removing the first 24 bytes from the originally generated RSA public key. Those 24 bytes are being replaced by some custom 16 byte information which is being used as some sort of identifier in some future task and those 16 bytes are playing no role in encryption. OpenSSL fails to read this key. asn1parse shows some parsing error and most importantly RSA encryption in OpenSSL using this key fails. The untampered version of the RSA public key generated from the same source and containing the original 24 bytes at the beginning of the key is successfully read by OpenSSL and the RSA encryption using that key is also successful in OpenSSL. But our requirement is to use the first key containing the custom 16 byte information. My understanding is that the first 24 bytes of RSA public key following PKCS standards doesn't contain the modulus and exponent details required for RSA encryption. But OpenSSL seems to require these 24 bytes for encryption. Can someone please confirm what kind of information is present in the first 24 bytes of RSA Public key and/or why does OpenSSL need it? If possible, please suggest a solution to work with that RSA public key containing custom 16 byte information at the beginning of the key. Thanks and Regards, Prithiraj -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckashiquekvk at gmail.com Wed Dec 12 09:33:36 2018 From: ckashiquekvk at gmail.com (ASHIQUE CK) Date: Wed, 12 Dec 2018 15:03:36 +0530 Subject: [openssl-users] Multiple client connection to Nginx server Message-ID: Hi, We are using a Crypto Accelerator Engine to offload AESGCM and RSA parameters. Trying to connect multiple clients simultaneously with a single Nginx server, which is using this accelerator. The Key and IV is passing only at handshake, and after handshake this set of key and IV is using for all encryption and decryption. So at Engine side, we are storing this Key and IV to a buffer and while encrypting/decrypting , this Key and IV is used from this buffer. But, while multiple client connects, the last saved Key/IV is getting for all clients. So, is there any way to get a unique ID foer each client connection ? -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckashiquekvk at gmail.com Wed Dec 12 11:54:30 2018 From: ckashiquekvk at gmail.com (ASHIQUE CK) Date: Wed, 12 Dec 2018 17:24:30 +0530 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References: Message-ID: Hi, Any help on this ? On Wed, Dec 12, 2018 at 3:03 PM ASHIQUE CK wrote: > Hi, > We are using a Crypto Accelerator Engine to offload AESGCM and RSA > parameters. Trying to connect multiple clients simultaneously with a single > Nginx server, which is using this accelerator. The Key and IV is passing > only at handshake, and after handshake this set of key and IV is using for > all encryption and decryption. So at Engine side, we are storing this Key > and IV to a buffer and while encrypting/decrypting , this Key and IV is > used from this buffer. But, while multiple client connects, the last saved > Key/IV is getting for all clients. > So, is there any way to get a unique ID foer each client > connection ? > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Erwann.Abalea at docusign.com Wed Dec 12 12:31:48 2018 From: Erwann.Abalea at docusign.com (Erwann Abalea) Date: Wed, 12 Dec 2018 12:31:48 +0000 Subject: [openssl-users] RSA Public Key error In-Reply-To: References: Message-ID: <28510262-6708-4CB1-B070-2CA5128923EC@docusign.com> Bonjour, Assuming the first 24 bytes you?re talking about are the very beginning of the SPKI structure (that is, the enclosing SEQUENCE, and the AlgorithmIdentifier), that means you?ve replaced up to the first byte of the BITSTRING containing the public key (this byte indicates the number of unused bits) for a 2048bits RSA key with 16 custom bytes. That?s perfectly normal for OpenSSL to refuse to load that beast, and for asn1parse to return errors (the first bytes do not represent a correct DER encoding of anything). Think of it as ? I took a Jpeg file, replaced some bytes at the beginning by my own, and now I can?t open the file again ?. Those bytes are there for a reason. A quick solution would be to *add* your 16 bytes before the public key, and remove them when passing the rest of the bytes to OpenSSL. Cordialement, Erwann Abalea De : openssl-users au nom de prithiraj das R?pondre ? : "openssl-users at openssl.org" Date : mercredi 12 d?cembre 2018 ? 08:08 ? : "openssl-users at openssl.org" Objet : [openssl-users] RSA Public Key error Hi, I have a RSA public key(PKCS 1v1.5) that I have obtained from somewhere. That key has been obtained after removing the first 24 bytes from the originally generated RSA public key. Those 24 bytes are being replaced by some custom 16 byte information which is being used as some sort of identifier in some future task and those 16 bytes are playing no role in encryption. OpenSSL fails to read this key. asn1parse shows some parsing error and most importantly RSA encryption in OpenSSL using this key fails. The untampered version of the RSA public key generated from the same source and containing the original 24 bytes at the beginning of the key is successfully read by OpenSSL and the RSA encryption using that key is also successful in OpenSSL. But our requirement is to use the first key containing the custom 16 byte information. My understanding is that the first 24 bytes of RSA public key following PKCS standards doesn't contain the modulus and exponent details required for RSA encryption. But OpenSSL seems to require these 24 bytes for encryption. Can someone please confirm what kind of information is present in the first 24 bytes of RSA Public key and/or why does OpenSSL need it? If possible, please suggest a solution to work with that RSA public key containing custom 16 byte information at the beginning of the key. Thanks and Regards, Prithiraj -------------- next part -------------- An HTML attachment was scrubbed... URL: From jb-openssl at wisemo.com Wed Dec 12 14:25:57 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 12 Dec 2018 15:25:57 +0100 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References: Message-ID: On 12/12/2018 12:54, ASHIQUE CK wrote: > Hi, > Any help on this ? > > On Wed, Dec 12, 2018 at 3:03 PM ASHIQUE CK > wrote: > > Hi, > We are using a Crypto Accelerator Engine to offload AESGCM and RSA > parameters. Trying to connect multiple clients simultaneously with > a single Nginx server, which is using this accelerator.? The Key > and IV is passing only at handshake, and after handshake this set > of key and IV is using for all encryption and decryption. So at > Engine side, we are storing this Key and IV to a buffer and while > encrypting/decrypting , this Key and IV is used from this buffer. > But, while multiple client connects, the last saved Key/IV is > getting for all clients. > ? ? ? ? So, is there any way to get a unique ID foer each client > connection ? > > The following assumes that the accelerator is accessed using an OpenSSL "engine" plugin, if instead you are inserting code in NGINX to hand over the complete SSL/TLS record processing to the hardware, then a different approach is needed. OpenSSL Crypto Engines are not limited to SSL/TLS but can be used for other tasks using the OpenSSL libcrypto library. Thus the way this works is that the SSL/TLS requests an EVP "handle" for each key that it wants to use, this handle then maps (indirectly) to a structure passed to the engine, which is unique to each key. A correctly implemented engine is supposed to use that structure to tell the difference between different keys stored in the actual hardware. For the case of GCM key/IV pairs, it may be that in some situations OpenSSL requests more than one EVP key instance for the same key, typically to allow each to have its own independent state (for GCM, this is the counter, for CBC it would be the IV chaining from block to block).? The simple solution is to just treat them as different keys, but if this uses too many hardware key storage locations, an engine may use some way to recognize the reused key, share the hardware object and keep count of how many "handles" point to that key. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From ckashiquekvk at gmail.com Wed Dec 12 14:53:11 2018 From: ckashiquekvk at gmail.com (ASHIQUE CK) Date: Wed, 12 Dec 2018 20:23:11 +0530 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References:

Message-ID: Hi, Thanks for your reply. Openssl only passes (ctx,type,arg,ptr) in the case of header and (ctx,out,in,inl) in the case of message, these two are the only links to engine after the handshake process for the whole process. In my case, I am downloading a file from nginx root directory using a client program. How can I get a unique id, so that I can copy the respective Key and Iv everytime when a sslwrite request comes from a client with that id. Because I am trying to run 3 clients simultaneously for downloading a file. I am able to download only at one client ,the last connected one, and other two shows that tag verification failed. Because both those connections got the same key and Iv of the last connection. So for every client connection, is there any way to get a unique id so that i can load respective Key and Iv. But the only link from openssl to the engine are the above mentioned two cases. Only what I am getting some other information is from *ctx*. Can I do something with that *ctx *get unique id. Thanks On Wed 12 Dec, 2018, 7:56 PM Jakob Bohm via openssl-users < openssl-users at openssl.org wrote: > On 12/12/2018 12:54, ASHIQUE CK wrote: > > Hi, > > Any help on this ? > > > > On Wed, Dec 12, 2018 at 3:03 PM ASHIQUE CK > > wrote: > > > > Hi, > > We are using a Crypto Accelerator Engine to offload AESGCM and RSA > > parameters. Trying to connect multiple clients simultaneously with > > a single Nginx server, which is using this accelerator. The Key > > and IV is passing only at handshake, and after handshake this set > > of key and IV is using for all encryption and decryption. So at > > Engine side, we are storing this Key and IV to a buffer and while > > encrypting/decrypting , this Key and IV is used from this buffer. > > But, while multiple client connects, the last saved Key/IV is > > getting for all clients. > > So, is there any way to get a unique ID foer each client > > connection ? > > > > > The following assumes that the accelerator is accessed using an > OpenSSL "engine" plugin, if instead you are inserting code in NGINX > to hand over the complete SSL/TLS record processing to the hardware, > then a different approach is needed. > > OpenSSL Crypto Engines are not limited to SSL/TLS but can be used > for other tasks using the OpenSSL libcrypto library. > > Thus the way this works is that the SSL/TLS requests an EVP "handle" > for each key that it wants to use, this handle then maps (indirectly) > to a structure passed to the engine, which is unique to each key. > > A correctly implemented engine is supposed to use that structure to > tell the difference between different keys stored in the actual > hardware. > > For the case of GCM key/IV pairs, it may be that in some situations > OpenSSL requests more than one EVP key instance for the same key, > typically to allow each to have its own independent state (for GCM, > this is the counter, for CBC it would be the IV chaining from block > to block). The simple solution is to just treat them as different > keys, but if this uses too many hardware key storage locations, an > engine may use some way to recognize the reused key, share the > hardware object and keep count of how many "handles" point to that > key. > > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mcr at sandelman.ca Wed Dec 12 19:59:38 2018 From: mcr at sandelman.ca (Michael Richardson) Date: Wed, 12 Dec 2018 14:59:38 -0500 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References: Message-ID: <28371.1544644778@localhost> ASHIQUE CK wrote: > We are using a Crypto Accelerator Engine to offload AESGCM and RSA > parameters. Trying to connect multiple clients simultaneously with a > single Nginx server, which is using this accelerator. The Key and IV You probably need to tell us: 1) which engine? did you write this engine? 2) whose driver? 3) what version of openssl? 4) what version of nginx? 5) how did you observe the problem you described? 6) is it different for, for instance, apache? or some other server software? > is passing only at handshake, and after handshake this set of key and > IV is using for all encryption and decryption. So at Engine side, we > are storing this Key and IV to a buffer and while > encrypting/decrypting , this Key and IV is used from this buffer. But, > while multiple client connects, the last saved Key/IV is getting for > all clients. > So, is there any way to get a unique ID foer each client connection ? > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From ckashiquekvk at gmail.com Thu Dec 13 03:30:25 2018 From: ckashiquekvk at gmail.com (ASHIQUE CK) Date: Thu, 13 Dec 2018 09:00:25 +0530 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: <28371.1544644778@localhost> References: <28371.1544644778@localhost> Message-ID: Hi, 1. The engine that we wrote is by the reference of qat, is just an interface which receives the openssl parameters of AES and RSA and offload them to an FPGA hardware accelerator. 2. 3. Openssl 1.1.0 h 4. Uses f-stack nginx 1.10.1 5. We ran nginx server which have a 1 Gb file in its root directory. Then connected 3 clients to this server. These clients waits after handshake is done. After I run 3rd client, I gave a Get request through 1 st client to download that 1 gb file. But it showed error message, "decryption failed or bad record mac". When I debugged using gdb, I understood that Tag verification is getting failed. But the matter is, I am storing the Key and IV at the time of handshake itself, to a buffer in my engine. When an SSLRead or SSLWrite occur, I will copy the saved Key and Iv to fill the respective descriptors. But, in this case what happens is, if there is 3rd client handshake occurred, its key and iv stored in a buffer. And when I give a Sslwrite in the 1st client, it used the last saved key and iv, but it is actually key and iv of 3 rd client. But I can download the file if I give get request through the last handshaked client. So what I can do is, save the key and iv of different clients in different buffers. If the SSLread/write from any client comes, then just offload the key and iv from the respective buffer. But for that, i need a unique id for each client, which must be the same for a client in the entire connection. How can i get the unique id. Beyond the parameters *in, *out, inl (in the case of plaintext/ cipher text offloading) and *ptr, *type, *arg (in the case of header/aad offload) only what I have is ctx. With this ctx, can i get a unique id or is there any way to solve this problem. 6. Didn't tried with Apache server. Thanks On Thu 13 Dec, 2018, 1:30 AM Michael Richardson > ASHIQUE CK wrote: > > We are using a Crypto Accelerator Engine to offload AESGCM and RSA > > parameters. Trying to connect multiple clients simultaneously with a > > single Nginx server, which is using this accelerator. The Key and IV > > You probably need to tell us: > > 1) which engine? did you write this engine? > 2) whose driver? > 3) what version of openssl? > 4) what version of nginx? > 5) how did you observe the problem you described? > 6) is it different for, for instance, apache? or some other server > software? > > > is passing only at handshake, and after handshake this set of key and > > IV is using for all encryption and decryption. So at Engine side, we > > are storing this Key and IV to a buffer and while > > encrypting/decrypting , this Key and IV is used from this buffer. But, > > while multiple client connects, the last saved Key/IV is getting for > > all clients. > > So, is there any way to get a unique ID foer each client connection ? > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From ckashiquekvk at gmail.com Thu Dec 13 05:16:18 2018 From: ckashiquekvk at gmail.com (ASHIQUE CK) Date: Thu, 13 Dec 2018 10:46:18 +0530 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References: <28371.1544644778@localhost> Message-ID: 4. f-stack nginx server 1.11.10 On Thu, Dec 13, 2018 at 9:00 AM ASHIQUE CK wrote: > Hi, > 1. The engine that we wrote is by the reference of qat, is just an > interface which receives the openssl parameters of AES and RSA and offload > them to an FPGA hardware accelerator. > 2. > 3. Openssl 1.1.0 h > 4. Uses f-stack nginx 1.10.1 > 5. We ran nginx server which have a 1 Gb file in its root directory. Then > connected 3 clients to this server. These clients waits after handshake is > done. After I run 3rd client, I gave a Get request through 1 st client to > download that 1 gb file. But it showed error message, "decryption failed or > bad record mac". When I debugged using gdb, I understood that Tag > verification is getting failed. But the matter is, I am storing the Key and > IV at the time of handshake itself, to a buffer in my engine. When an > SSLRead or SSLWrite occur, I will copy the saved Key and Iv to fill the > respective descriptors. > But, in this case what happens is, if there is 3rd client handshake > occurred, its key and iv stored in a buffer. And when I give a Sslwrite in > the 1st client, it used the last saved key and iv, but it is actually key > and iv of 3 rd client. But I can download the file if I give get request > through the last handshaked client. > So what I can do is, save the key and iv of different clients in > different buffers. If the SSLread/write from any client comes, then just > offload the key and iv from the respective buffer. But for that, i need a > unique id for each client, which must be the same for a client in the > entire connection. > How can i get the unique id. Beyond the parameters *in, *out, inl (in > the case of plaintext/ cipher text offloading) and *ptr, *type, *arg (in > the case of header/aad offload) only what I have is ctx. With this ctx, can > i get a unique id or is there any way to solve this problem. > 6. Didn't tried with Apache server. > > Thanks > > On Thu 13 Dec, 2018, 1:30 AM Michael Richardson >> >> ASHIQUE CK wrote: >> > We are using a Crypto Accelerator Engine to offload AESGCM and RSA >> > parameters. Trying to connect multiple clients simultaneously with a >> > single Nginx server, which is using this accelerator. The Key and IV >> >> You probably need to tell us: >> >> 1) which engine? did you write this engine? >> 2) whose driver? >> 3) what version of openssl? >> 4) what version of nginx? >> 5) how did you observe the problem you described? >> 6) is it different for, for instance, apache? or some other server >> software? >> >> > is passing only at handshake, and after handshake this set of key and >> > IV is using for all encryption and decryption. So at Engine side, we >> > are storing this Key and IV to a buffer and while >> > encrypting/decrypting , this Key and IV is used from this buffer. But, >> > while multiple client connects, the last saved Key/IV is getting for >> > all clients. >> > So, is there any way to get a unique ID foer each client connection ? >> > >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From filipe.mfgfernandes at gmail.com Thu Dec 13 08:41:15 2018 From: filipe.mfgfernandes at gmail.com (Filipe Fernandes) Date: Thu, 13 Dec 2018 08:41:15 +0000 Subject: [openssl-users] Multiple client connection to Nginx server In-Reply-To: References: <28371.1544644778@localhost>

Message-ID: Hi, Socket file descriptor is unique during the entire connection time. You could save the data using the fd as key to a hashtable entry. Regards Na(o) quinta, 13 de dez de 2018, 05:16, ASHIQUE CK escreveu: > 4. f-stack nginx server 1.11.10 > > On Thu, Dec 13, 2018 at 9:00 AM ASHIQUE CK wrote: > >> Hi, >> 1. The engine that we wrote is by the reference of qat, is just an >> interface which receives the openssl parameters of AES and RSA and offload >> them to an FPGA hardware accelerator. >> 2. >> 3. Openssl 1.1.0 h >> 4. Uses f-stack nginx 1.10.1 >> 5. We ran nginx server which have a 1 Gb file in its root directory. Then >> connected 3 clients to this server. These clients waits after handshake is >> done. After I run 3rd client, I gave a Get request through 1 st client to >> download that 1 gb file. But it showed error message, "decryption failed or >> bad record mac". When I debugged using gdb, I understood that Tag >> verification is getting failed. But the matter is, I am storing the Key and >> IV at the time of handshake itself, to a buffer in my engine. When an >> SSLRead or SSLWrite occur, I will copy the saved Key and Iv to fill the >> respective descriptors. >> But, in this case what happens is, if there is 3rd client handshake >> occurred, its key and iv stored in a buffer. And when I give a Sslwrite in >> the 1st client, it used the last saved key and iv, but it is actually key >> and iv of 3 rd client. But I can download the file if I give get request >> through the last handshaked client. >> So what I can do is, save the key and iv of different clients in >> different buffers. If the SSLread/write from any client comes, then just >> offload the key and iv from the respective buffer. But for that, i need a >> unique id for each client, which must be the same for a client in the >> entire connection. >> How can i get the unique id. Beyond the parameters *in, *out, inl (in >> the case of plaintext/ cipher text offloading) and *ptr, *type, *arg (in >> the case of header/aad offload) only what I have is ctx. With this ctx, can >> i get a unique id or is there any way to solve this problem. >> 6. Didn't tried with Apache server. >> >> Thanks >> >> On Thu 13 Dec, 2018, 1:30 AM Michael Richardson > >>> >>> ASHIQUE CK wrote: >>> > We are using a Crypto Accelerator Engine to offload AESGCM and RSA >>> > parameters. Trying to connect multiple clients simultaneously with a >>> > single Nginx server, which is using this accelerator. The Key and IV >>> >>> You probably need to tell us: >>> >>> 1) which engine? did you write this engine? >>> 2) whose driver? >>> 3) what version of openssl? >>> 4) what version of nginx? >>> 5) how did you observe the problem you described? >>> 6) is it different for, for instance, apache? or some other server >>> software? >>> >>> > is passing only at handshake, and after handshake this set of key and >>> > IV is using for all encryption and decryption. So at Engine side, we >>> > are storing this Key and IV to a buffer and while >>> > encrypting/decrypting , this Key and IV is used from this buffer. But, >>> > while multiple client connects, the last saved Key/IV is getting for >>> > all clients. >>> > So, is there any way to get a unique ID foer each client connection ? >>> > >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >>> >> -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From prateep.kumar at broadcom.com Thu Dec 13 08:56:50 2018 From: prateep.kumar at broadcom.com (Prateep Kumar) Date: Thu, 13 Dec 2018 14:26:50 +0530 Subject: [openssl-users] Delay in converting CRL to binary data Message-ID: Hello, We are converting a *CRL* (Size *3.687 MB*) to binary data using *X509_CRL_get_REVOKED()* and it is taking *167.977* seconds to process the same. Please let us know if this is an expected behavior or something should be done to improve the above observation. With Regards, Prateep -------------- next part -------------- An HTML attachment was scrubbed... URL: From darshanmody at avaya.com Thu Dec 13 11:44:31 2018 From: darshanmody at avaya.com (Mody, Darshan (Darshan)) Date: Thu, 13 Dec 2018 11:44:31 +0000 Subject: [openssl-users] Openssl version in RHEL 8 Message-ID: Hi I am checking RHEL 8 feasibility on our systems. I observe that openssl fips module [root at puoasvorsr07 ~]# openssl version OpenSSL 1.1.1 FIPS 11 Sep 2018 [root at puoasvorsr07 ~]# My query is openssl 1.1.1 FIPS is also in the beta phase? Thanks Darshan -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Thu Dec 13 12:49:20 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 13 Dec 2018 12:49:20 +0000 Subject: [openssl-users] Openssl version in RHEL 8 Message-ID: * [root at puoasvorsr07 ~]# openssl version * OpenSSL 1.1.1 FIPS 11 Sep 2018 Is that a version you built yourself, or from RedHat? I believe it is RedHat?s version, which did their own FIPS work. The OpenSSL FIPS module is starting development. -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Thu Dec 13 19:23:15 2018 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 13 Dec 2018 19:23:15 +0000 Subject: [openssl-users] FW: Dgst sigopt parameters? Message-ID: <09B57D48-BDA1-4DB6-8558-E25B10B4E9FC@ll.mit.edu> I still would like to know where all the acceptable "dgst -sigopt" parameters are described for RSA and ECDSA. Google search and scouring openssl.org manual pages did not bring me anything. ?On 8/24/17, 5:42 PM, "Blumenthal, Uri - 0553 - MITLL" wrote: OpenSSL dgst manual page only days that sigopt value are algorithm-specific. Where are they described for ECDSA and RSA PSS? Thanks! Regards, Uri -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5249 bytes Desc: not available URL: From openssl-users at dukhovni.org Thu Dec 13 22:07:14 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 13 Dec 2018 17:07:14 -0500 Subject: [openssl-users] FW: Dgst sigopt parameters? In-Reply-To: <09B57D48-BDA1-4DB6-8558-E25B10B4E9FC@ll.mit.edu> References: <09B57D48-BDA1-4DB6-8558-E25B10B4E9FC@ll.mit.edu> Message-ID: <2A61B052-4052-4BA0-B785-CAA5F3F919B4@dukhovni.org> > On Dec 13, 2018, at 2:23 PM, Blumenthal, Uri - 0553 - MITLL wrote: > > I still would like to know where all the acceptable "dgst -sigopt" parameters are described for RSA and ECDSA. > > Google search and scouring openssl.org manual pages did not bring me anything. Take a look at the "-pkeyopt" option of pkeyutl(1). I believe these are the same options. If we ignore key generation parameters, all I'm finding is: dh: dh_pad rsa: rsa_padding_mode rsa: rsa_pss_saltlen rsa: rsa_mgf1_md rsa: rsa_oaep_md rsa: rsa_oaep_label And "dh_pad" many not be applicable to dgst(1). -- Viktor. From uri at ll.mit.edu Thu Dec 13 22:10:27 2018 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 13 Dec 2018 22:10:27 +0000 Subject: [openssl-users] FW: Dgst sigopt parameters? In-Reply-To: <2A61B052-4052-4BA0-B785-CAA5F3F919B4@dukhovni.org> References: <09B57D48-BDA1-4DB6-8558-E25B10B4E9FC@ll.mit.edu> <2A61B052-4052-4BA0-B785-CAA5F3F919B4@dukhovni.org> Message-ID: <039C7D3D-046D-452E-A64C-068B988CA136@ll.mit.edu> Viktor, Thank you! So, I should expect the format of the sigopt parameters to be the same as of pkeyopt? That's very good to know. I wish the man page mentioned this. ;-) Regards, Uri Sent from my iPhone On Dec 13, 2018, at 17:08, Viktor Dukhovni wrote: >> On Dec 13, 2018, at 2:23 PM, Blumenthal, Uri - 0553 - MITLL wrote: >> >> I still would like to know where all the acceptable "dgst -sigopt" parameters are described for RSA and ECDSA. >> >> Google search and scouring openssl.org manual pages did not bring me anything. > > Take a look at the "-pkeyopt" option of pkeyutl(1). I believe these are the > same options. > > If we ignore key generation parameters, all I'm finding is: > > dh: dh_pad > rsa: rsa_padding_mode > rsa: rsa_pss_saltlen > rsa: rsa_mgf1_md > rsa: rsa_oaep_md > rsa: rsa_oaep_label > > And "dh_pad" many not be applicable to dgst(1). > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5801 bytes Desc: not available URL: