From matt at openssl.org Mon Oct 1 07:34:49 2018 From: matt at openssl.org (Matt Caswell) Date: Mon, 1 Oct 2018 08:34:49 +0100 Subject: [openssl-users] Two sessions in a single full handshake In-Reply-To: References: <8BD8B17B-B091-42D1-9AA4-FAEFE5C9AE5F@akamai.com> <20180930034645.GM19845@akamai.com> Message-ID: On 30/09/18 06:05, John Jiang wrote: > Now that full handshake sends two sessions, does that mean option > -sess_out saves both of the sessions to a local file? The last session received is the one in the sess_out file. Matt > If so, when resume session via option -sess_in, which session will be > resumed? > > On Sun, Sep 30, 2018 at 11:47 AM Benjamin Kaduk via openssl-users > > wrote: > > s_client has -sess_out and -sess_in options that can be used > to save session information to a file and read it in for a subsequent > connection.? Neither is used by default. > > -Ben > > On Sun, Sep 30, 2018 at 11:06:14AM +0800, John Jiang wrote: > > Does s_client resume any session in the local session file? > > > > On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users < > > openssl-users at openssl.org > wrote: > > > > > > > >? ? - The debug logs display two "SSL-Session" blocks in a full > handshake. > > > > > > Only one "SSL-Session" block is displayed in a resumption. > > > > > > Why does full handshake has two sessions? > > > > > > > > > > > > This is part of the TLS 1.3 standard.? A server can send back > multiple > > > sessions, so that a client may resume with a different session, and > > > therefore prevent an observer from ?linking? two different > activities. > > > -- > > > openssl-users mailing list > > > To unsubscribe: > https://mta.openssl.org/mailman/listinfo/openssl-users > > > > > > -- > > openssl-users mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > From lintamaria194 at gmail.com Mon Oct 1 09:11:45 2018 From: lintamaria194 at gmail.com (Linta Maria) Date: Mon, 1 Oct 2018 14:41:45 +0530 Subject: [openssl-users] Sign and verification using ECC 25519 curve- Bernstein Message-ID: Hi all, Does openssl supports sign and verification using ECC 25519 curve Bernstein? -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Mon Oct 1 10:11:04 2018 From: matt at openssl.org (Matt Caswell) Date: Mon, 1 Oct 2018 11:11:04 +0100 Subject: [openssl-users] Sign and verification using ECC 25519 curve- Bernstein In-Reply-To: References: Message-ID: On 01/10/18 10:11, Linta Maria wrote: > Hi all, > > Does openssl supports sign and verification using ECC 25519 curve > Bernstein?? > > Yes. See: https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html Matt From jan.burgmeier at unicon-software.com Mon Oct 1 12:43:11 2018 From: jan.burgmeier at unicon-software.com (Jan Burgmeier) Date: Mon, 01 Oct 2018 14:43:11 +0200 Subject: [openssl-users] Same dir with different type in X509_LOOKUP_hash_dir In-Reply-To: <20180929.141352.865554983569125909.levitte@openssl.org> References: <2e5a9e53712a0e0138eee7d07d7145194286024a.camel@unicon-software.com> <20180929.141352.865554983569125909.levitte@openssl.org> Message-ID: Performance wise it would also be possible to use the type parameter as bit field. As 1 and 2 are the only used types at the moment this won't break anything. Then the second type is only used if the first fails. If a patch for this is wanted I can provide one. The other way would be to convert all certificates to one type. What is the preferred way to do this? We are not interested in running a patched ssl. Regards Jan On Sat, 2018-09-29 at 14:13 +0200, Richard Levitte wrote: > Well, that will kinda sorta work, I think... what you're basically > doing there, albeit not entirely clearly, is making the type a part > of > the directory index, not just its name. I haven't looked thoroughly > enough to see if there are corner cases that will screw that up. > > That being said, you will see an increase in processing time. The > type setting for a directory is applied to ALL hash-named files this > code can find, so if you have two lookups, one with each file type > setting, what will happen is that it will attempt through all the > files, which will of course fail for those with the wrong > format. You > won't notice, because the loading errors are simply ignored and there > will be success as soon as a file could be loaded and matches your > lookup criteium. > > So in essence, that does look like a workable solution, but with bad > optimization. > > Cheers, > Richard > > In message < > 2e5a9e53712a0e0138eee7d07d7145194286024a.camel at unicon-software.com> > on Fri, 28 Sep 2018 13:11:25 +0200, Jan Burgmeier < > jan.burgmeier at unicon-software.com> said: > > > Hi, > > > > during setup of my X509_STORE I use X509_LOOKUP_hash_dir with same > > dir > > but different type X509_FILETYPE_PEM and X509_FILETYPE_ASN1. But > > only > > certificates of the first type are looked up. > > I dig into the code and made a little change to fix my problem, see > > attached patched. Is this behavior by design and I am doing > > anything > > wrong or is this a bug? > > > > Regards > > Jan Burgmeier > > > > --- a/crypto/x509/by_dir.c > > +++ b/crypto/x509/by_dir.c > > @@ -217,7 +217,8 @@ > > continue; > > for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) { > > ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j); > > - if (strlen(ent->dir) == (size_t)len && > > + if (type == ent->dir_type && > > + strlen(ent->dir) == (size_t)len && > > strncmp(ent->dir, ss, (unsigned int)len) == 0) > > break; > > } > > > > From aaron.friesen at non.keysight.com Mon Oct 1 16:29:15 2018 From: aaron.friesen at non.keysight.com (aaron.friesen at non.keysight.com) Date: Mon, 1 Oct 2018 16:29:15 +0000 Subject: [openssl-users] How to build libcrypto64*.lib and libssl64*.lib on Windows 64-bit? Message-ID: A current project using Net-SNMP and OpenSSL require that these both are built locally (customer requirement). I am attempting to build OpenSSL 1.1.1. After building OpenSSL, "nmake test" succeeds. However, the Net-SNMP build is looking for various .lib files that are in the pre-built package, but do not seem to be in what I build locally. >From the pre-built package, in the lib/VC folder: libcrypto64MD.lib libcrypto64MDd.lib libcrypto64MT.lib libcrypto64MTd.lib libssl64MD.lib libssl64MDd.lib libssl64MT.lib libssl64MTd.lib But the VC folder is not part of my locally built version. What am I missing in order to get these .lib files to build locally? Thank you for your assistance. Best Regards, Aaron Friesen Contract Software Engineer of Aerotek on behalf of Keysight Keysight Technologies, Inc. 970.679.5632 T -------------- next part -------------- An HTML attachment was scrubbed... URL: From gdejin at gmail.com Tue Oct 2 08:00:49 2018 From: gdejin at gmail.com (=?UTF-8?B?7J6l7KeE7ZmU?=) Date: Tue, 2 Oct 2018 17:00:49 +0900 Subject: [openssl-users] How to get OCSP response in CMS through openssl library in C++ In-Reply-To: <44f04a8d-1f94-4306-8cd5-9c52c2ff1b68@googlegroups.com> References: <44f04a8d-1f94-4306-8cd5-9c52c2ff1b68@googlegroups.com> Message-ID: > Hello, > > I've been developing some broadcast apps signing logic on a TV. > > Actually, I should receive and verify the signing information such as > certificates and ocsp responses which are included in CMS signed data > format. > These application data are sent to TV with certain frequency without > internet connection. And, CMS signed data is attached to SMIME. > > So, I succeeded to extract and use the certificates through > "CMS_get1_certs" to use it on verification processes. > > But, in case of ocsp responses I do not know how to get it. > I've tried to extract OCSP responses through > "STACK_OF(CMS_RevocationInfoChoice) *crls;" , > "CMS_OtherRevocationInfoFormat *other;" and etc in CMS_Signed_data, but > failed. > Not only it's a private, but also Most of apis related to > CMS_OtherRevocationInfoFormat are unaccessible. > > Could you help me to solve this problem?? > > p.s. In contrast, as for crls there is an efficient api named > "CMS_get1_crls". > -------------- next part -------------- An HTML attachment was scrubbed... URL: From benjamin.dupalut at esiee.fr Tue Oct 2 09:47:08 2018 From: benjamin.dupalut at esiee.fr (DUPALUT, Benjamin) Date: Tue, 2 Oct 2018 11:47:08 +0200 Subject: [openssl-users] SubjectAltName syntax in openssl.cnf In-Reply-To: References: Message-ID: Hello, Does anyone, please, have informations about my question ? Thanks in advance. Cordialement, *Benjamin Dupalut* Ing?nieur syst?me et r?seau Service Informatique, T?l?communications, Audiovisuel et Reprographie (SITAR) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut at esiee.fr www.esiee.fr / www.cci-paris-idf.fr Le ven. 28 sept. 2018 ? 18:00, DUPALUT, Benjamin a ?crit : > Hello, > > i Have to set a SubjectAltName for a server certificate but documentations > on the web does not provide the same syntax. > > Is this syntax correct ? > > subjectAltName=DNS:test.example.com > > Also, does it belong in the [ usr_cert ] section ? > > Thank you for your help. > > Regards, > > *Benjamin Dupalut* > Ing?nieur syst?me et r?seau > Service Informatique, T?l?communications, Audiovisuel et Reprographie > (SITAR) > ESIEE Paris > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex > T : +33 1 45 92 66 17 > benjamin.dupalut at esiee.fr > www.esiee.fr / www.cci-paris-idf.fr > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dcoombs at carillon.ca Tue Oct 2 13:11:46 2018 From: dcoombs at carillon.ca (Dave Coombs) Date: Tue, 2 Oct 2018 09:11:46 -0400 Subject: [openssl-users] SubjectAltName syntax in openssl.cnf In-Reply-To: References:

Message-ID: <7C6D7985-82E1-47D0-AB1A-B3B2C031787D@carillon.ca> Hello, That syntax looks correct, yes. It belongs in the [section] name you are passing to the "-extensions" argument on the "openssl ca" command when issuing the certificate. I hope this helps. -Dave > On Oct 2, 2018, at 05:47, DUPALUT, Benjamin wrote: > > Hello, > > Does anyone, please, have informations about my question ? > > Thanks in advance. > > Cordialement, > > Benjamin Dupalut > Ing?nieur syst?me et r?seau > Service Informatique, T?l?communications, Audiovisuel et Reprographie (SITAR) > ESIEE Paris > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex > T : +33 1 45 92 66 17 > benjamin.dupalut at esiee.fr > www.esiee.fr / www.cci-paris-idf.fr > > > Le ven. 28 sept. 2018 ? 18:00, DUPALUT, Benjamin > a ?crit : > Hello, > > i Have to set a SubjectAltName for a server certificate but documentations on the web does not provide the same syntax. > > Is this syntax correct ? > > subjectAltName=DNS:test.example.com > > Also, does it belong in the [ usr_cert ] section ? > > Thank you for your help. > > Regards, > > Benjamin Dupalut > Ing?nieur syst?me et r?seau > Service Informatique, T?l?communications, Audiovisuel et Reprographie (SITAR) > ESIEE Paris > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex > T : +33 1 45 92 66 17 > benjamin.dupalut at esiee.fr > www.esiee.fr / www.cci-paris-idf.fr > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Tue Oct 2 15:59:12 2018 From: levitte at openssl.org (Richard Levitte) Date: Tue, 02 Oct 2018 17:59:12 +0200 (CEST) Subject: [openssl-users] How to build libcrypto64*.lib and libssl64*.lib on Windows 64-bit? In-Reply-To: References: Message-ID: <20181002.175912.1353134730697848028.levitte@openssl.org> Our scripts have *never*, as far as I know, produced libraries named like that. Don't those DLLs come from some specific packager that produces binary install kits? For 1.1.x, *our* naming is a bit more elaborate, you will see these names: libcrypto-1_1.dll & libssl-1_1.dll - VC-WIN32 build libcrypto-1_1-x64.dll & libssl-1_1-x64.dll - VC-WIN64A build libcrypto-1_1-ia64.dll & libssl-1_1-ia64.dll - VC-WIN64I build You will also see the corresponding import libraries: libcrypto.lib & libssl.lib Cheers, Richard In message on Mon, 1 Oct 2018 16:29:15 +0000, said: > A current project using Net-SNMP and OpenSSL require that these both are built locally (customer > requirement). > > I am attempting to build OpenSSL 1.1.1. > > After building OpenSSL, ?nmake test? succeeds. > > However, the Net-SNMP build is looking for various .lib files that are in the pre-built package, but > do not seem to be in what I build locally. > > From the pre-built package, in the lib/VC folder: > > libcrypto64MD.lib > > libcrypto64MDd.lib > > libcrypto64MT.lib > > libcrypto64MTd.lib > > libssl64MD.lib > > libssl64MDd.lib > > libssl64MT.lib > > libssl64MTd.lib > > But the VC folder is not part of my locally built version. > > What am I missing in order to get these .lib files to build locally? > > Thank you for your assistance. > > Best Regards, > Aaron Friesen > > Contract Software Engineer of Aerotek on behalf of Keysight > > Keysight Technologies, Inc. > > 970.679.5632 T > From blaufish.public.email at gmail.com Wed Oct 3 12:51:57 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Wed, 3 Oct 2018 14:51:57 +0200 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 Message-ID: Hi, It is my understanding "openssl verify" should raise X509_V_ERR_PATH_LENGTH_EXCEEDED should be raised if pathlen=0 intermediate issues a new CA, but that does not seem to occur when I test with a couple pf openssl versions. I am not sure due to limited understanding of the code, but I am wonder if there isn't an off-by-one or out-of-order increment error in x509_vfy.c in this check: (plen > (x->ex_pathlen + proxy_path_length + 1))). if plen=1 and x->ex_pathlen=0, the check would become 1>1 (false) while it was expected to raise an error? openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem evil.pem evil.pem: OK openssl x509 -text -in root.pem | egrep -a1 X509v3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: A5:70:7B:56:F1:93:E9:CC:FD:15:EF:FA:64:67:41:99:6F:40:DA:C5 -- -- A5:70:7B:56:F1:93:E9:CC:FD:15:EF:FA:64:67:41:99:6F:40:DA:C5 X509v3 Authority Key Identifier: keyid:A5:70:7B:56:F1:93:E9:CC:FD:15:EF:FA:64:67:41:99:6F:40:DA:C5 -- -- X509v3 Key Usage: Certificate Sign, CRL Sign -- -- Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 openssl x509 -text -in intermediate.pem | egrep -a1 X509v3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: B5:5A:8A:64:CE:A4:1E:51:6F:AB:E4:8E:E3:71:8D:EF:2D:42:A7:AD -- -- B5:5A:8A:64:CE:A4:1E:51:6F:AB:E4:8E:E3:71:8D:EF:2D:42:A7:AD X509v3 Authority Key Identifier: keyid:A5:70:7B:56:F1:93:E9:CC:FD:15:EF:FA:64:67:41:99:6F:40:DA:C5 -- -- X509v3 Key Usage: Certificate Sign, CRL Sign -- -- Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 openssl x509 -text -in evil.pem | egrep -a1 X509v3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 81:3A:5A:BD:9E:6C:08:0F:C7:6A:31:A2:0D:0F:2A:02:62:BE:63:12 -- -- 81:3A:5A:BD:9E:6C:08:0F:C7:6A:31:A2:0D:0F:2A:02:62:BE:63:12 X509v3 Authority Key Identifier: keyid:B5:5A:8A:64:CE:A4:1E:51:6F:AB:E4:8E:E3:71:8D:EF:2D:42:A7:AD -- -- X509v3 Basic Constraints: critical CA:TRUE -- -- CA:TRUE X509v3 Key Usage: Certificate Sign, CRL Sign From openssl-users at dukhovni.org Wed Oct 3 14:51:01 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 3 Oct 2018 10:51:01 -0400 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: References: Message-ID: <20181003145101.GR3589@straasha.imrryr.org> On Wed, Oct 03, 2018 at 02:51:57PM +0200, Peter Magnusson wrote: > $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem evil.pem > evil.pem: OK This is expected to work when intermediate.pem has pathlen 0, because you're verifying "evil.pem" as a *leaf* certificate, its CA:true is irrelevant when it is the last (leaf) certificate in the chain. An actually unexpected result would be: $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem -untrusted evil.pem badee.pem badee.pem: OK where badee.pem is signed by evil.pem. The path length constraint is not a constraint against issuing EE certs with CA:true, it only constraints the number additional intermediate (non-self-issued) CAs in a valid path. In your example that number is zero. https://tools.ietf.org/html/rfc5280#section-4.2.1.9 The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. -- Viktor. From benjamin.dupalut at esiee.fr Wed Oct 3 15:36:44 2018 From: benjamin.dupalut at esiee.fr (DUPALUT, Benjamin) Date: Wed, 3 Oct 2018 17:36:44 +0200 Subject: [openssl-users] SubjectAltName syntax in openssl.cnf In-Reply-To: <7C6D7985-82E1-47D0-AB1A-B3B2C031787D@carillon.ca> References:

<7C6D7985-82E1-47D0-AB1A-B3B2C031787D@carillon.ca> Message-ID: Hi Dave, Thank you for your answer. Cordialement, *Benjamin Dupalut* Ing?nieur syst?me et r?seau Service Informatique, T?l?communications, Audiovisuel et Reprographie (SITAR) ESIEE Paris 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex T : +33 1 45 92 66 17 benjamin.dupalut at esiee.fr www.esiee.fr / www.cci-paris-idf.fr Le mar. 2 oct. 2018 ? 15:12, Dave Coombs a ?crit : > Hello, > > That syntax looks correct, yes. It belongs in the [section] name you are > passing to the "-extensions" argument on the "openssl ca" command when > issuing the certificate. > > I hope this helps. > -Dave > > > On Oct 2, 2018, at 05:47, DUPALUT, Benjamin > wrote: > > Hello, > > Does anyone, please, have informations about my question ? > > Thanks in advance. > > Cordialement, > > *Benjamin Dupalut* > Ing?nieur syst?me et r?seau > Service Informatique, T?l?communications, Audiovisuel et Reprographie > (SITAR) > ESIEE Paris > 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex > T : +33 1 45 92 66 17 > benjamin.dupalut at esiee.fr > www.esiee.fr / www.cci-paris-idf.fr > > > Le ven. 28 sept. 2018 ? 18:00, DUPALUT, Benjamin < > benjamin.dupalut at esiee.fr> a ?crit : > >> Hello, >> >> i Have to set a SubjectAltName for a server certificate but >> documentations on the web does not provide the same syntax. >> >> Is this syntax correct ? >> >> subjectAltName=DNS:test.example.com >> >> Also, does it belong in the [ usr_cert ] section ? >> >> Thank you for your help. >> >> Regards, >> >> *Benjamin Dupalut* >> Ing?nieur syst?me et r?seau >> Service Informatique, T?l?communications, Audiovisuel et Reprographie >> (SITAR) >> ESIEE Paris >> 2 bd Blaise Pascal - 93162 Noisy-le-Grand Cedex >> T : +33 1 45 92 66 17 >> benjamin.dupalut at esiee.fr >> www.esiee.fr / www.cci-paris-idf.fr >> > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Wed Oct 3 17:16:51 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Wed, 3 Oct 2018 19:16:51 +0200 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: <20181003145101.GR3589@straasha.imrryr.org> References: <20181003145101.GR3589@straasha.imrryr.org> Message-ID: The following test case attempts to validates evilserver.pem, issued by evilca.pem. evil*.pem is violating: 1/ pathlen=0 constraint of the compromised intermediate.pem (issuer of evilserver.pem) 2/ pathlen=1 constraint of the non-compromised root-ca.pem (issuer of intermediate.pem) The particular example execution is from Mac (LibreSSL) but same behaviour observed with e.g. homebrew as well. https://github.com/blaufish/openssl-pathlen openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 openssl x509 -text -in intermediate.pem | grep -a1 "X509v3 Basic" Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" X509v3 Basic Constraints: critical CA:TRUE openssl verify -verbose -CAfile root.pem -untrusted untrusted.pem evilserver.pem evilserver.pem: OK On Wed, Oct 3, 2018 at 4:51 PM Viktor Dukhovni wrote: > > On Wed, Oct 03, 2018 at 02:51:57PM +0200, Peter Magnusson wrote: > > > $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem evil.pem > > evil.pem: OK > > This is expected to work when intermediate.pem has pathlen 0, because > you're verifying "evil.pem" as a *leaf* certificate, its CA:true > is irrelevant when it is the last (leaf) certificate in the chain. > > An actually unexpected result would be: > > $ openssl verify -verbose -CAfile root.pem -untrusted intermediate.pem -untrusted evil.pem badee.pem > badee.pem: OK > > where badee.pem is signed by evil.pem. The path length constraint > is not a constraint against issuing EE certs with CA:true, it only > constraints the number additional intermediate (non-self-issued) > CAs in a valid path. In your example that number is zero. > > https://tools.ietf.org/html/rfc5280#section-4.2.1.9 > > The pathLenConstraint field is meaningful only if the cA boolean is > asserted and the key usage extension, if present, asserts the > keyCertSign bit (Section 4.2.1.3). In this case, it gives the > maximum number of non-self-issued intermediate certificates that may > follow this certificate in a valid certification path. > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From blaufish.public.email at gmail.com Thu Oct 4 09:15:15 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Thu, 4 Oct 2018 11:15:15 +0200 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: References: <20181003145101.GR3589@straasha.imrryr.org> Message-ID: Is this expected? (plen > (x->ex_pathlen + proxy_path_length + 1)) evaluates to false (constraint not violated) when checking constraint 0 against plen=1 (constraint violated as far as I can understand?). Doesn't make much sense to me. Is there something I haven't understood about how the constraint is supposed to work? ******* important variables ******* *** check_chain_extensions:523 i=0 *** check_chain_extensions:524 plen=0 *** check_chain_extensions:525 x->ex_pathlen=-1 ******* if statement components ******* *** check_chain_extensions:527 i > 1=0 *** check_chain_extensions:528 !(x->ex_flags & EXFLAG_SI)=0 *** check_chain_extensions:529 (x->ex_pathlen != -1)=0 *** check_chain_extensions:530 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 ******* important variables ******* *** check_chain_extensions:523 i=1 *** check_chain_extensions:524 plen=0 *** check_chain_extensions:525 x->ex_pathlen=-1 ******* if statement components ******* *** check_chain_extensions:527 i > 1=0 *** check_chain_extensions:528 !(x->ex_flags & EXFLAG_SI)=1 *** check_chain_extensions:529 (x->ex_pathlen != -1)=0 *** check_chain_extensions:530 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 ******* important variables ******* *** check_chain_extensions:523 i=2 *** check_chain_extensions:524 plen=1 *** check_chain_extensions:525 x->ex_pathlen=0 ******* if statement components ******* *** check_chain_extensions:527 i > 1=1 *** check_chain_extensions:528 !(x->ex_flags & EXFLAG_SI)=1 *** check_chain_extensions:529 (x->ex_pathlen != -1)=1 *** check_chain_extensions:530 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 ******* important variables ******* *** check_chain_extensions:523 i=3 *** check_chain_extensions:524 plen=2 *** check_chain_extensions:525 x->ex_pathlen=1 ******* if statement components ******* *** check_chain_extensions:527 i > 1=1 *** check_chain_extensions:528 !(x->ex_flags & EXFLAG_SI)=0 *** check_chain_extensions:529 (x->ex_pathlen != -1)=1 *** check_chain_extensions:530 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 From openssl-users at dukhovni.org Thu Oct 4 10:25:48 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 4 Oct 2018 06:25:48 -0400 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: References: <20181003145101.GR3589@straasha.imrryr.org> Message-ID: <20181004102548.GW3589@straasha.imrryr.org> On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote: > The following test case attempts to validates evilserver.pem, issued > by evilca.pem. More specifically, we see that in this test the leaf server certificate has the same subject and issuer, so EXFLAG_SI is set for that certificate, and it did not count in the path length: $ /usr/local/bin/openssl verify -show_chain -verbose -trusted root.pem -untrusted untrusted.pem evilserver.pem evilserver.pem: OK Chain: depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted) depth=1: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted) depth=2: C = SE, ST = Intermediate, O = Intermediate, OU = Intermediate, CN = Intermediate (untrusted) depth=3: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root but this corner-case is not correct, the concept of "self-issued" only applies to CAs, so for the leaf to be skipped it would have the be a self-issued CA. Try the patch below: -- Viktor. diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 3a60d412da..77ca325d54 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -445,6 +445,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) int i, must_be_ca, plen = 0; X509 *x; int proxy_path_length = 0; + int is_ca; int purpose; int allow_proxy_certs; int num = sk_X509_num(ctx->chain); @@ -484,7 +485,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)) return 0; } - ret = X509_check_ca(x); + ret = is_ca = X509_check_ca(x); switch (must_be_ca) { case -1: if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) @@ -524,8 +525,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) return 0; } - /* Increment path length if not self issued */ - if (!(x->ex_flags & EXFLAG_SI)) + /* Increment path length if not a self issued CA */ + if (!(is_ca && x->ex_flags & EXFLAG_SI)) plen++; /* * If this certificate is a proxy certificate, the next certificate From blaufish.public.email at gmail.com Thu Oct 4 12:07:55 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Thu, 4 Oct 2018 14:07:55 +0200 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: <20181004102548.GW3589@straasha.imrryr.org> References: <20181003145101.GR3589@straasha.imrryr.org> <20181004102548.GW3589@straasha.imrryr.org> Message-ID: Your patch does seem to resolve the test case. II have maximised confusion by generating a CSR with the same textual information for EvilCA as EvilServer. I don't think the chain includes any self signed certificates except the root; 73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 (root, self issued) DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 issued by 73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6. 17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 issued by DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70. 1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6 issued by 17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0. Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of evilserver.pem begins with 00:af:83:6f, so they are different even if both have Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer, OU=EvilServer, CN=EvilServer. Funnily enough I don't trigger the edge case on regenerated files with correct Subject information. openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" X509v3 extensions: X509v3 Subject Key Identifier: 73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 -- -- 73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 X509v3 Authority Key Identifier: keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 openssl x509 -text -in intermediate.pem | egrep -a1 "X509v3 .* Key Identifier" X509v3 extensions: X509v3 Subject Key Identifier: DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 -- -- DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 X509v3 Authority Key Identifier: keyid:73:40:2A:49:4B:AA:69:06:CF:45:F3:24:A6:B6:76:6A:10:97:74:D6 openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" X509v3 extensions: X509v3 Subject Key Identifier: 17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 -- -- 17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 X509v3 Authority Key Identifier: keyid:DC:99:4E:EE:8A:5C:75:D3:C7:5E:03:1E:73:57:F2:C4:C5:89:FD:70 openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" TLS Web Server Authentication X509v3 Subject Key Identifier: 1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6 -- -- 1F:95:2F:26:9D:E1:37:BD:1F:9C:B5:51:FC:28:9C:EA:9F:1E:C8:B6 X509v3 Authority Key Identifier: keyid:17:49:AA:01:F6:25:85:23:3F:A6:7A:43:D3:97:2A:F8:74:27:89:A0 On Thu, Oct 4, 2018 at 12:26 PM Viktor Dukhovni wrote: > > On Wed, Oct 03, 2018 at 07:16:51PM +0200, Peter Magnusson wrote: > > > The following test case attempts to validates evilserver.pem, issued > > by evilca.pem. > > More specifically, we see that in this test the leaf server certificate > has the same subject and issuer, so EXFLAG_SI is set for that > certificate, and it did not count in the path length: > > $ /usr/local/bin/openssl verify -show_chain -verbose -trusted root.pem -untrusted untrusted.pem evilserver.pem > evilserver.pem: OK > Chain: > depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted) > depth=1: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted) > depth=2: C = SE, ST = Intermediate, O = Intermediate, OU = Intermediate, CN = Intermediate (untrusted) > depth=3: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root > > but this corner-case is not correct, the concept of "self-issued" > only applies to CAs, so for the leaf to be skipped it would have > the be a self-issued CA. Try the patch below: > > -- > Viktor. > > diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c > index 3a60d412da..77ca325d54 100644 > --- a/crypto/x509/x509_vfy.c > +++ b/crypto/x509/x509_vfy.c > @@ -445,6 +445,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) > int i, must_be_ca, plen = 0; > X509 *x; > int proxy_path_length = 0; > + int is_ca; > int purpose; > int allow_proxy_certs; > int num = sk_X509_num(ctx->chain); > @@ -484,7 +485,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) > X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)) > return 0; > } > - ret = X509_check_ca(x); > + ret = is_ca = X509_check_ca(x); > switch (must_be_ca) { > case -1: > if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) > @@ -524,8 +525,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) > if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED)) > return 0; > } > - /* Increment path length if not self issued */ > - if (!(x->ex_flags & EXFLAG_SI)) > + /* Increment path length if not a self issued CA */ > + if (!(is_ca && x->ex_flags & EXFLAG_SI)) > plen++; > /* > * If this certificate is a proxy certificate, the next certificate > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From andres.traumann.01 at gmail.com Thu Oct 4 14:49:02 2018 From: andres.traumann.01 at gmail.com (Andres Traumann) Date: Thu, 4 Oct 2018 17:49:02 +0300 Subject: [openssl-users] Seeding before RSA key generation Message-ID: Hello, In the documentation it is written: "The pseudo-random number generator must be seeded prior to calling RSA_generate_key_ex()". After reading the documentation in https://wiki.openssl.org/index.php/Random_Numbers and investigating the source code, it seems that the seeding is in fact done automatically from /dev/random in systems that have it. Also, when examining the source code of apps/genrsa.c there does not seem to be any explicit seeding either. Do I still need to explicitly seed before calling RSA_generate_key_ex? Best Andres From rsalz at akamai.com Thu Oct 4 15:14:38 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 4 Oct 2018 15:14:38 +0000 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: References: Message-ID: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> Which version of OpenSSL are you using? 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. 1.1.1 has a good random number generator and auto-seeds. From jb-openssl at wisemo.com Thu Oct 4 15:33:41 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 4 Oct 2018 17:33:41 +0200 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> Message-ID: <393c0e6c-c189-60a6-f158-908055e90ee2@wisemo.com> On 04/10/2018 17:14, Salz, Rich via openssl-users wrote: > Which version of OpenSSL are you using? > > 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. 1.1.1 has a good random number generator and auto-seeds. > What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other than not being an NSA/NIST design? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From rsalz at akamai.com Thu Oct 4 15:38:48 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 4 Oct 2018 15:38:48 +0000 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <393c0e6c-c189-60a6-f158-908055e90ee2@wisemo.com> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <393c0e6c-c189-60a6-f158-908055e90ee2@wisemo.com> Message-ID: > What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other than not being an NSA/NIST design? Poor locking; been known to crash. Does not reseed. Global across the process, rather than isolated for private-key generation or per-connection. Mixes in getpid and time to get "better" random bytes. Has a "pseudo-rand" feature. Never was cryptographically evaluated. From matt at openssl.org Thu Oct 4 15:47:39 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 4 Oct 2018 16:47:39 +0100 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> Message-ID: <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> On 04/10/18 16:14, Salz, Rich via openssl-users wrote: > Which version of OpenSSL are you using? > > 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds. There is no need to explicitly seed it. I also wouldn't describe it as "bad". 1.1.1 has a much better RNG, but there is no reason not to trust and use the 1.0.2 and 1.1.0 RNG. > 1.1.1 has a good random number generator and auto-seeds. > 1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds. Matt From openssl-users at dukhovni.org Thu Oct 4 15:54:49 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 4 Oct 2018 11:54:49 -0400 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: References: <20181003145101.GR3589@straasha.imrryr.org> <20181004102548.GW3589@straasha.imrryr.org> Message-ID: <20181004155449.GY3589@straasha.imrryr.org> On Thu, Oct 04, 2018 at 02:07:55PM +0200, Peter Magnusson wrote: > Modulus of evilca.pem begins with 00:cd:ba:9f and modulus of > evilserver.pem begins with 00:af:83:6f, so they are different even if > both have Subject: C=SE, ST=EvilServer, L=EvilServer, O=EvilServer, > OU=EvilServer, CN=EvilServer. That's the difference between self-signed and self-issued. The root CA is self-signed. Your previous EE cert would have been self-issued, had it been a CA. But it had CA:FALSE, which makes it not self-issued per RFC5280, as that classification applies only to CAs. > Funnily enough I don't trigger the edge case on regenerated files with > correct Subject information. That's not "funnily enough", that's expected, if my analysis of the problem is correct, i.e. the problem is that the existing code treats even non-CA leaf certs as self-issued provided the subject and issuer match. This throws the path length constraint checks off by 1 in just the case of "self-issued but for the CA bit" EE certs. The proposed patch is intended to resolve that issue. If my analysis is correct (please test any more interesting combinations you can come up with), then the patch should be merged into the existing OpenSSL supported releases and perhaps also related OpenSSL forks (either or both of LibreSSL or BoringSSL that have not changed the code in question). -- Viktor. From jb-openssl at wisemo.com Thu Oct 4 15:58:43 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Thu, 4 Oct 2018 17:58:43 +0200 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <393c0e6c-c189-60a6-f158-908055e90ee2@wisemo.com> Message-ID: <95d2501d-5a51-fc08-d7ae-00fc38efe7cd@wisemo.com> On 04/10/2018 17:38, Salz, Rich wrote: >> What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other > than not being an NSA/NIST design? > > Poor locking; been known to crash. Simple bug, not a reason to change the algorithm. > > Does not reseed. But can be reseeded if so desired, subject to locking. > > Global across the process, rather than isolated for private-key generation or per-connection. This is good, not bad. > > Mixes in getpid and time to get "better" random bytes. This gives 2 to 5 extra bits on machines with little available entropy, provided init is not done too early in the machine boot process. There seem to be much stronger sources loaded where available. > > Has a "pseudo-rand" feature. This is a clearly marked feature useful when the entropy sources are significantly slower than the random bit need, such as on a busy TLS server with a serial port (or slower) entropy source. > > Never was cryptographically evaluated. > By whom?, I would expect the very public OpenSSL RNG to have been subjected to lots of 3rd party review outside the Foundation. The new design is taken from a document that was insufficiently publicly reviewed and was later found to contain a likely backdoor in one of its other suggested RNG designs, making the entire document highly dubious. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From rsalz at akamai.com Thu Oct 4 16:05:46 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 4 Oct 2018 16:05:46 +0000 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <95d2501d-5a51-fc08-d7ae-00fc38efe7cd@wisemo.com> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <393c0e6c-c189-60a6-f158-908055e90ee2@wisemo.com> <95d2501d-5a51-fc08-d7ae-00fc38efe7cd@wisemo.com> Message-ID: We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic). I'll leave on that weak pun. From rsalz at akamai.com Thu Oct 4 16:06:42 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 4 Oct 2018 16:06:42 +0000 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> Message-ID: > This is not correct. Thanks for the corrections, Matt. From andres.traumann.01 at gmail.com Thu Oct 4 17:54:11 2018 From: andres.traumann.01 at gmail.com (Andres Traumann) Date: Thu, 4 Oct 2018 20:54:11 +0300 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> Message-ID: <33957bf2-be89-bd11-3002-f1a62dea4695@gmail.com> Thank you for your help. Andres On 10/4/18 6:47 PM, Matt Caswell wrote: > > On 04/10/18 16:14, Salz, Rich via openssl-users wrote: >> Which version of OpenSSL are you using? >> >> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. > This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds. > There is no need to explicitly seed it. I also wouldn't describe it as > "bad". 1.1.1 has a much better RNG, but there is no reason not to trust > and use the 1.0.2 and 1.1.0 RNG. > >> 1.1.1 has a good random number generator and auto-seeds. >> > 1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds. > > Matt From paul.dale at oracle.com Thu Oct 4 23:33:24 2018 From: paul.dale at oracle.com (Paul Dale) Date: Thu, 4 Oct 2018 23:33:24 +0000 (UTC) Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <33957bf2-be89-bd11-3002-f1a62dea4695@gmail.com> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> <33957bf2-be89-bd11-3002-f1a62dea4695@gmail.com> Message-ID: <61e07d1f-495c-46e7-9795-1c1941c9a4b4@default> Not mentioned thus far is that if you are using 1.0.2 with FIPS support, the random number generator does not self-seed. Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia -----Original Message----- From: Andres Traumann [mailto:andres.traumann.01 at gmail.com] Sent: Friday, 5 October 2018 3:54 AM To: openssl-users at openssl.org Subject: Re: [openssl-users] Seeding before RSA key generation Thank you for your help. Andres On 10/4/18 6:47 PM, Matt Caswell wrote: > > On 04/10/18 16:14, Salz, Rich via openssl-users wrote: >> Which version of OpenSSL are you using? >> >> 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. > This is not correct. The RNG in 1.0.2 and 1.1.0 automatically seeds. > There is no need to explicitly seed it. I also wouldn't describe it as > "bad". 1.1.1 has a much better RNG, but there is no reason not to > trust and use the 1.0.2 and 1.1.0 RNG. > >> 1.1.1 has a good random number generator and auto-seeds. >> > 1.0.2 and 1.1.0 auto seed. 1.1.1 additionally auto-*re*seeds. > > Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From openssl-users at dukhovni.org Fri Oct 5 05:09:48 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 5 Oct 2018 01:09:48 -0400 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: <20181004102548.GW3589@straasha.imrryr.org> References: <20181003145101.GR3589@straasha.imrryr.org> <20181004102548.GW3589@straasha.imrryr.org> Message-ID: > On Oct 4, 2018, at 6:25 AM, Viktor Dukhovni wrote: > > but this corner-case is not correct, the concept of "self-issued" > only applies to CAs, so for the leaf to be skipped it would have > the be a self-issued CA. Try the patch below: I've simplified the patch in https://github.com/openssl/openssl/pull/7353 please take a look. -- Viktor. From saimohangajula at gmail.com Fri Oct 5 05:12:40 2018 From: saimohangajula at gmail.com (Saimohan Gajula) Date: Fri, 5 Oct 2018 10:42:40 +0530 Subject: [openssl-users] Reg: [Crash inside SSL_CTX_free ()] Message-ID: Hi, We are encountering the crash inside the SSL_CTX_free(). Any leads for the solution will be greatly appreciated. We are using openssl 1_0_2 and libcrypto.so.1.0.0. Please help us know if anyone else also faced this issue earlier. Kindly find the Stack trace for your reference Stack: #0 0x00007fc013fae51d in lh_insert () from /lib/x86_64/libcrypto.so.1.0.0 #1 0x00007fc013ef74f9 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 #2 0x00007fc013ef7ed2 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 #3 0x00007fc013fdd879 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 #4 0x00007fc013fe2530 in asn1_item_combine_free () from /lib/x86_64/libcrypto.so.1.0.0 #5 0x00007fc013fe27a4 in ASN1_item_free () from /lib/x86_64/libcrypto.so.1.0.0 #6 0x00007fc0140063d1 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 #7 0x00007fc013fae001 in sk_pop_free () from /lib/x86_64/libcrypto.so.1.0.0 #8 0x00007fc0140068f4 in X509_STORE_free () from /lib/x86_64/libcrypto.so.1.0.0 #9 0x00007fc01433ef12 in SSL_CTX_free () from /lib/x86_64/libssl.so.1.0.0 Thanks for your help!!! Best Regards, Sai. -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Fri Oct 5 05:21:05 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 5 Oct 2018 01:21:05 -0400 Subject: [openssl-users] Reg: [Crash inside SSL_CTX_free ()] In-Reply-To: References: Message-ID: <2A9F84B6-4AE6-417C-BBC1-18633D392702@dukhovni.org> You either have threading problems are sharing structures without proper reference counting or other protections. Perhaps the X509_STORE used in the context was already freed by some other caller? Or something completely unrelated corrupted the heap. The below is not sufficient for anyone else to help you, time to get good at using a debugger, you probably want an SSL library compiled with debugging symbols and not stripped. > On Oct 5, 2018, at 1:12 AM, Saimohan Gajula wrote: > > We are encountering the crash inside the SSL_CTX_free(). Any leads for the solution will be greatly appreciated. > > We are using openssl 1_0_2 and libcrypto.so.1.0.0. > > Please help us know if anyone else also faced this issue earlier. > > Kindly find the Stack trace for your reference > > Stack: #0 0x00007fc013fae51d in lh_insert () from /lib/x86_64/libcrypto.so.1.0.0 > #1 0x00007fc013ef74f9 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > #2 0x00007fc013ef7ed2 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > #3 0x00007fc013fdd879 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > #4 0x00007fc013fe2530 in asn1_item_combine_free () from /lib/x86_64/libcrypto.so.1.0.0 > #5 0x00007fc013fe27a4 in ASN1_item_free () from /lib/x86_64/libcrypto.so.1.0.0 > #6 0x00007fc0140063d1 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > #7 0x00007fc013fae001 in sk_pop_free () from /lib/x86_64/libcrypto.so.1.0.0 > #8 0x00007fc0140068f4 in X509_STORE_free () from /lib/x86_64/libcrypto.so.1.0.0 > #9 0x00007fc01433ef12 in SSL_CTX_free () from /lib/x86_64/libssl.so.1.0.0 -- Viktor. From saimohangajula at gmail.com Fri Oct 5 06:07:50 2018 From: saimohangajula at gmail.com (Saimohan Gajula) Date: Fri, 5 Oct 2018 11:37:50 +0530 Subject: [openssl-users] Reg: [Crash inside SSL_CTX_free ()] In-Reply-To: <2A9F84B6-4AE6-417C-BBC1-18633D392702@dukhovni.org> References: <2A9F84B6-4AE6-417C-BBC1-18633D392702@dukhovni.org> Message-ID: Hi Viktor, Please find the stack trace with the debugging information . Kindly check if it helps. #0 0x00007fc013fae51d in lh_insert () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #1 0x00007fc013ef74f9 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #2 0x00007fc013ef7ed2 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #3 0x00007fc013fdd879 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #4 0x00007fc013fe2530 in asn1_item_combine_free () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #5 0x00007fc013fe27a4 in ASN1_item_free () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #6 0x00007fc0140063d1 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #7 0x00007fc013fae001 in sk_pop_free () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #8 0x00007fc0140068f4 in X509_STORE_free () from /lib/x86_64/libcrypto.so.1.0.0 No symbol table info available. #9 0x00007fc01433ef12 in SSL_CTX_free () from /lib/x86_64/libssl.so.1.0.0 No symbol table info available. #10 0x00007fc0089b9a89 in bedrock::net::ContextEntry::~ContextEntry (this=0x558451bc6730, __in_chrg=) at src/libs/libjcore/src/bedrock/net/ssl/MultidomainCerts.hpp:63 No locals. #11 bedrock::net::ContextEntry::~ContextEntry (this=0x558451bc6730, __in_chrg=) at src/libs/libjcore/src/bedrock/net/ssl/MultidomainCerts.hpp:66 No locals. #12 bedrock::net::MultidomainCertContexts::~MultidomainCertContexts (this=0x558451ba6778, __in_chrg=) at src/libs/libjcore/src/bedrock/net/ssl/MultidomainCerts.cpp:368 entry = 0x558451bc6730 iter = { _M_node = 0x558451bbb7b0 } #13 0x00007fc0089b85cd in bedrock::net::OpenSSL_SSLParams::~OpenSSL_SSLParams (this=0x558451ba65e0, __in_chrg=) at src/libs/libjcore/src/bedrock/net/ssl/OpenSSL_SSL.cpp:404 No locals. #14 0x00007fc0089b86fc in bedrock::net::OpenSSL_SSLParams::~OpenSSL_SSLParams (this=0x558451ba65e0, __in_chrg=) at src/libs/libjcore/src/bedrock/net/ssl/OpenSSL_SSL.cpp:453 No locals. #15 0x00007fc014f137c7 in jax::JAXConnection::~JAXConnection (this=0x558451b96f10, __in_chrg=) at src/libs/libjcore/src/jax/JAXConnection.cpp:184 No locals. #16 0x00007fc014f138dc in jax::JAXConnection::~JAXConnection (this=0x558451b96f10, __in_chrg=) at src/libs/libjcore/src/jax/JAXConnection.cpp:185 No locals. #17 0x00007fc014f158e8 in jax::JAXConnection::_shutdown_cb (this=0x558451b96f10) at src/libs/libjcore/src/jax/JAXConnection.cpp:357 No locals. #18 0x00007fc014ebee9c in bedrock::ThreadPool::Worker::run (arg=0x558451ade050) at src/libs/libjcore/src/bedrock/ThreadPool.cpp:379 fh = 0x558451be4180 worker = 0x558451ade050 #19 0x00007fc0126ac633 in start_thread (arg=0x7fc010024700) at pthread_create.c:463 pd = 0x7fc010024700 now = unwind_buf = { cancel_jmp_buf = {[0] = { jmp_buf = {[0] = 140462879033088, [1] = -4982464771670778168, [2] = 140729306381518, [3] = 140729306381519, [4] = 140729306381520, [5] = 0, [6] = 4997476835555696328, [7] = 4997480896125492936}, mask_was_saved = 0 }}, priv = { pad = {[0] = 0x0, [1] = 0x0, [2] = 0x0, [3] = 0x0}, data = { prev = 0x0, cleanup = 0x0, canceltype = 0 } } } not_first_call = #20 0x00007fc0123df98f in clone () from /lib/x86_64/libc.so.6 Thanks & Regards, Sai On Fri, Oct 5, 2018 at 10:51 AM Viktor Dukhovni wrote: > You either have threading problems are sharing structures without > proper reference counting or other protections. Perhaps the > X509_STORE used in the context was already freed by some other > caller? Or something completely unrelated corrupted the heap. > The below is not sufficient for anyone else to help you, time > to get good at using a debugger, you probably want an SSL > library compiled with debugging symbols and not stripped. > > > On Oct 5, 2018, at 1:12 AM, Saimohan Gajula > wrote: > > > > We are encountering the crash inside the SSL_CTX_free(). Any leads for > the solution will be greatly appreciated. > > > > We are using openssl 1_0_2 and libcrypto.so.1.0.0. > > > > Please help us know if anyone else also faced this issue earlier. > > > > Kindly find the Stack trace for your reference > > > > Stack: #0 0x00007fc013fae51d in lh_insert () from > /lib/x86_64/libcrypto.so.1.0.0 > > #1 0x00007fc013ef74f9 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > > #2 0x00007fc013ef7ed2 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > > #3 0x00007fc013fdd879 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > > #4 0x00007fc013fe2530 in asn1_item_combine_free () from > /lib/x86_64/libcrypto.so.1.0.0 > > #5 0x00007fc013fe27a4 in ASN1_item_free () from > /lib/x86_64/libcrypto.so.1.0.0 > > #6 0x00007fc0140063d1 in ?? () from /lib/x86_64/libcrypto.so.1.0.0 > > #7 0x00007fc013fae001 in sk_pop_free () from > /lib/x86_64/libcrypto.so.1.0.0 > > #8 0x00007fc0140068f4 in X509_STORE_free () from > /lib/x86_64/libcrypto.so.1.0.0 > > #9 0x00007fc01433ef12 in SSL_CTX_free () from /lib/x86_64/libssl.so.1.0.0 > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Fri Oct 5 06:14:05 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 5 Oct 2018 02:14:05 -0400 Subject: [openssl-users] Reg: [Crash inside SSL_CTX_free ()] In-Reply-To: References: <2A9F84B6-4AE6-417C-BBC1-18633D392702@dukhovni.org> Message-ID: <0643F14B-1661-4290-987D-708EC83419B8@dukhovni.org> > On Oct 5, 2018, at 2:07 AM, Saimohan Gajula wrote: > > Please find the stack trace with the debugging information . > Kindly check if it helps. No, this problem really is yours to debug I'm afraid... -- Viktor. From Matthias.St.Pierre at ncp-e.com Fri Oct 5 08:38:41 2018 From: Matthias.St.Pierre at ncp-e.com (Dr. Matthias St. Pierre) Date: Fri, 5 Oct 2018 08:38:41 +0000 Subject: [openssl-users] Seeding before RSA key generation In-Reply-To: <61e07d1f-495c-46e7-9795-1c1941c9a4b4@default> References: <50652E6F-6B8C-4333-8D39-EC1FFEEB933C@akamai.com> <5dbbc1b1-3f3d-94a5-8f3b-46c030e9bbc9@openssl.org> <33957bf2-be89-bd11-3002-f1a62dea4695@gmail.com> <61e07d1f-495c-46e7-9795-1c1941c9a4b4@default> Message-ID: > -----Urspr?ngliche Nachricht----- > Von: openssl-users Im Auftrag von Paul Dale > Gesendet: Freitag, 5. Oktober 2018 01:33 > An: openssl-users at openssl.org > Betreff: Re: [openssl-users] Seeding before RSA key generation > > Not mentioned thus far is that if you are using 1.0.2 with FIPS support, the random number generator does not self-seed. This is true, but it will be fixed in the next letter release 1.0.2q, see commit https://github.com/openssl/openssl/commit/f58001c35f39c50cb4aabcbc234d871ac740c179 which has been added recently to the OpenSSL_1_0_2-stable branch. Matthias From lintamaria194 at gmail.com Fri Oct 5 09:38:20 2018 From: lintamaria194 at gmail.com (Linta Maria) Date: Fri, 5 Oct 2018 15:08:20 +0530 Subject: [openssl-users] Sign and verification using ECC 25519 curve- Bernstein In-Reply-To: References:

Message-ID: Hi, I am using Qnx 7.0.0 which make use of openssl 1.0.2j. Can you please confirm if I can use ECC related api from openssl which is supported by openssl 1.1.0. On Mon, 1 Oct 2018, 3:41 pm Matt Caswell, wrote: > > > On 01/10/18 10:11, Linta Maria wrote: > > Hi all, > > > > Does openssl supports sign and verification using ECC 25519 curve > > Bernstein? > > > > > > Yes. See: > > https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html > > Matt > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Fri Oct 5 09:57:32 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Fri, 5 Oct 2018 11:57:32 +0200 Subject: [openssl-users] openssl verify accepting CA certs issued by intermediate with CA:TRUE, pathlen:0 In-Reply-To: References: <20181003145101.GR3589@straasha.imrryr.org> <20181004102548.GW3589@straasha.imrryr.org> Message-ID: Thanks, I provided some input regarding off by one calculation of plen still present in the patch. You are very much correct on the definition of self-issued; rfc5280, "A certificate is self-issued if the same DN appears in the subject and issuer fields (the two DNs are the same if they match according to the rules specified in Section 7.1)." Effectively path length constraint is useless for limiting impact of a temporary CA breach, as attacker can just issue an intermediate authority with a DN that matches the definition of self-issued. The feature simply doesn't provide the functionality I presumed it was it core purpose of providing. It was very lucky for me I messed up my DN's so I could learn that, thank you *very* much for your input, that was very useful to be aware of! Best Regards //P On Fri, Oct 5, 2018 at 7:10 AM Viktor Dukhovni wrote: > > > > > On Oct 4, 2018, at 6:25 AM, Viktor Dukhovni wrote: > > > > but this corner-case is not correct, the concept of "self-issued" > > only applies to CAs, so for the leaf to be skipped it would have > > the be a self-issued CA. Try the patch below: > > I've simplified the patch in https://github.com/openssl/openssl/pull/7353 > please take a look. > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From matt at openssl.org Fri Oct 5 10:07:57 2018 From: matt at openssl.org (Matt Caswell) Date: Fri, 5 Oct 2018 11:07:57 +0100 Subject: [openssl-users] Sign and verification using ECC 25519 curve- Bernstein In-Reply-To: References:

Message-ID: On 05/10/18 10:38, Linta Maria wrote: > Hi, > > I am using Qnx 7.0.0 which make use of openssl 1.0.2j. > > Can you please confirm if I can use ECC related api from openssl which > is supported by openssl 1.1.0. OpenSSL 1.1.0 does not support sign/verify using 25519 (i.e. Ed25519). That is only available in OpenSSL 1.1.1. Matt > > > > > On Mon, 1 Oct 2018, 3:41 pm Matt Caswell, > wrote: > > > > On 01/10/18 10:11, Linta Maria wrote: > > Hi all, > > > > Does openssl supports sign and verification using ECC 25519 curve > > Bernstein?? > > > > > > Yes. See: > > https://www.openssl.org/docs/man1.1.1/man7/Ed25519.html > > Matt > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > From bbrumley at gmail.com Sat Oct 6 13:15:13 2018 From: bbrumley at gmail.com (Billy Brumley) Date: Sat, 6 Oct 2018 16:15:13 +0300 Subject: [openssl-users] Sign and verification using ECC 25519 curve- Bernstein In-Reply-To: References:

Message-ID: > > I am using Qnx 7.0.0 which make use of openssl 1.0.2j. > > > > Can you please confirm if I can use ECC related api from openssl which > > is supported by openssl 1.1.0. > > OpenSSL 1.1.0 does not support sign/verify using 25519 (i.e. Ed25519). > That is only available in OpenSSL 1.1.1. Shameless self plug -- libsuola is an OpenSSL engine providing curve25519 and ed25519 support for 1.0.2, 1.1.0, and 1.1.1: https://github.com/romen/libsuola With different "backends" including libsodium or formally verified HACL*. BBB From paul at zil.li Sat Oct 6 20:48:01 2018 From: paul at zil.li (Paul Zillmann) Date: Sat, 6 Oct 2018 22:48:01 +0200 Subject: [openssl-users] Wiki misleading Enc Message-ID: <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0@zil.li> Hello, the wiki page [1] is wrong about the pass parameter. According to [2] the parameter for a keyfile is -pass file:path and not -pass pass:path - Paul 1: https://wiki.openssl.org/index.php/Enc 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html From john.hughes at secid.co.uk Sun Oct 7 20:39:34 2018 From: john.hughes at secid.co.uk (John Hughes) Date: Sun, 7 Oct 2018 21:39:34 +0100 Subject: [openssl-users] Incompatible Object error from EC_POINT_mul Message-ID: <010701d45e7d$dbb7dd50$932797f0$@secid.co.uk> I'm trying to generate a public key from a private key generated on a HSM (and obtained by calling PKCS#11). Everything works fine until I call EC_POINT_mul - at which point I get the error message: error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible objects I have checked the BIGNUM conversion - and that seems to be fine. The key pair on the HSM is also generated using brainpoolP256r1. The basis of the code can be found at the end of the email. I'm basically trying to follow the example provided in: https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography. I'm using openssl 1.10h Any pointers or help would be appreciated. John --------------------------------------------------------------- BN_CTX *ctx; ctx = BN_CTX_new(); if(!ctx) { outputInfo("unable to create openssl BN_CTX"); return; } EC_GROUP *curve; outputInfo("about to create EC_GROUP_new_by_curve_name"); if(NULL == (curve = EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) { outputERRORmess("unable to setup curve"); } outputInfo("about to create EC_KEY_new_by_curve_name"); EC_KEY *key; if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1))) { outputERRORmess("unable to setup EC_KEY"); } // now get the private key contained in CKA_VALUE via PKCS#111 and place in *attrPrivate.pValue .......... (handle error) EC_POINT *pub; BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue, attrPrivate.ulValueLen, NULL); if (prv == NULL) { ...... (handle error) } if (1 != EC_KEY_set_private_key(key, prv)) { ........ (handle error) } if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) { outputInfo("unable to calculate the public key from the HSM's private key using EC_POINT_mul"); (handle error) } From levitte at openssl.org Mon Oct 8 05:03:34 2018 From: levitte at openssl.org (Richard Levitte) Date: Mon, 08 Oct 2018 07:03:34 +0200 (CEST) Subject: [openssl-users] Wiki misleading Enc In-Reply-To: <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0@zil.li> References: <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0@zil.li> Message-ID: <20181008.070334.1188127225315146424.levitte@openssl.org> Fixed. Thanks. In message <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0 at zil.li> on Sat, 6 Oct 2018 22:48:01 +0200, Paul Zillmann said: > Hello, > > the wiki page [1] is wrong about the pass parameter. > According to [2] the parameter for a keyfile is -pass file:path and > not -pass pass:path > > - Paul > > 1: https://wiki.openssl.org/index.php/Enc > 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html > From aakash.kumar at orange.com Mon Oct 8 05:50:40 2018 From: aakash.kumar at orange.com (aakash.kumar at orange.com) Date: Mon, 8 Oct 2018 05:50:40 +0000 Subject: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 References: <16481_1538732473_5BB731B9_16481_434_1_1817b836-b685-4a91-8f34-48220e57495b@OPEXCSINM92.corporate.adroot.infra.ftgroup> Message-ID: <14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA271107638A@OPEXCSINM91.corporate.adroot.infra.ftgroup> Hi Team, Please find below error in text format. [root at g3r1 ~]# systemctl status bind -l ? bind.service - LSB: DNS Daemon Loaded: loaded (/etc/rc.d/init.d/bind) Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago Docs: man:systemd-sysv-generator(8) Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS) Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS) Oct 05 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library) Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data] Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon. [root at g3r1 ~]# tail /var/log/message Oct 5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon... Oct 5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found Oct 5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 Oct 5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016 Oct 5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom' Oct 5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf Oct 5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28) Oct 5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: threads support is enabled Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium, Oct 5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Oct 5 13:31:09 g3r1 named[32429]: corporation. Support and training for BIND 9 are Oct 5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 5 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Thanks & Regards, Aakash kumar ITE - India Tower B, 8th Floor, DLF Infinity Towers, DLF Cyber City Phase - II Gurgaon - 122002, Haryana, INDIA Aakash.kumar at orange.com Mobile: +91-8527288977 CVS: 7357 3706 -----Original Message----- From: Viktor Dukhovni [mailto:openssl-users at dukhovni.org] Sent: 05 October 2018 21:23 To: KUMAR Aakash IMT/OINIS Cc: osf-contact at openssl.org; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen IMT/OINIS Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 Please try to send the text of error reports, not pictures. > I am getting below error while starting the bind service. > > If you ask on the openssl-users list, someone else may have seen the same issue, and may have useful advice to share. NOTE!!!: I've set the Reply-To: address to . If you just hit "Reply", your answer may go to the list, though you'd need to join the list first to be able to post... Does the error still happen when you disable "chroot" in BIND? Perhaps BIND is doing late initialization of the PRNG after entering the chroot jail, and maybe trying to use "/dev/urandom", which not be in the jail? That's a wild guess. You'd need to trace system calls to see what it is actually doing... -- Viktor. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nic.tuv at gmail.com Mon Oct 8 07:35:33 2018 From: nic.tuv at gmail.com (Nicola) Date: Mon, 8 Oct 2018 10:35:33 +0300 Subject: [openssl-users] Incompatible Object error from EC_POINT_mul In-Reply-To: <010701d45e7d$dbb7dd50$932797f0$@secid.co.uk> References: <010701d45e7d$dbb7dd50$932797f0$@secid.co.uk> Message-ID: Hi, I did not run this in the debugger, but one issue is that you are not initializing `pub` before calling EC_POINT_mul : try adding pub = EC_POINT_new(curve); (and check for errors making sure pub is not null afterwards). Hope this helps! Best regards, Nicola On Mon, Oct 8, 2018, 00:31 John Hughes wrote: > I'm trying to generate a public key from a private key generated on a HSM > (and obtained by calling PKCS#11). Everything works fine until I call > EC_POINT_mul - at which point I get the error message: > > error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible > objects > > I have checked the BIGNUM conversion - and that seems to be fine. The key > pair on the HSM is also generated using brainpoolP256r1. > > The basis of the code can be found at the end of the email. I'm basically > trying to follow the example provided in: > https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography. > > I'm using openssl 1.10h > > Any pointers or help would be appreciated. > > > John > > --------------------------------------------------------------- > > > BN_CTX *ctx; > ctx = BN_CTX_new(); > if(!ctx) { > outputInfo("unable to create openssl BN_CTX"); > return; > } > > EC_GROUP *curve; > > outputInfo("about to create EC_GROUP_new_by_curve_name"); > if(NULL == (curve = > EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) { > outputERRORmess("unable to setup curve"); > } > > outputInfo("about to create EC_KEY_new_by_curve_name"); > EC_KEY *key; > if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1))) { > outputERRORmess("unable to setup EC_KEY"); > } > > // now get the private key contained in CKA_VALUE via PKCS#111 and > place in *attrPrivate.pValue > > .......... (handle error) > > EC_POINT *pub; > > > BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue, > attrPrivate.ulValueLen, NULL); > if (prv == NULL) { > > ...... (handle error) > } > > if (1 != EC_KEY_set_private_key(key, prv)) { > > ........ (handle error) > } > > if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) { > outputInfo("unable to calculate the public key from the > HSM's private key using EC_POINT_mul"); > (handle error) > > } > > > > > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Mon Oct 8 08:57:19 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Mon, 8 Oct 2018 10:57:19 +0200 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate Message-ID: One more logic confusion in the OpenSSL Path Length Constraint check. Any Path Length Constraint set by Root (or any other Self-Issued Certificate) is ignored. Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly applied to the checker (i.e. the checker and the calculation logic have been mixed up). https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE ---- openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" X509v3 extensions: X509v3 Subject Key Identifier: 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 -- -- 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 X509v3 Authority Key Identifier: keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" X509v3 extensions: X509v3 Subject Key Identifier: B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C -- -- B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C X509v3 Authority Key Identifier: keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" TLS Web Server Authentication X509v3 Subject Key Identifier: 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE -- -- 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE X509v3 Authority Key Identifier: keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C ---- ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile root.pem -untrusted evilca.pem evilserver.pem ******* important variables ******* *** check_chain_extensions:524 i=0 *** check_chain_extensions:525 plen=0 *** check_chain_extensions:526 x->ex_pathlen=-1 ******* if statement components ******* *** check_chain_extensions:528 i > 1=0 *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 *** check_chain_extensions:531 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 ******* important variables ******* *** check_chain_extensions:524 i=1 *** check_chain_extensions:525 plen=1 *** check_chain_extensions:526 x->ex_pathlen=0 ******* if statement components ******* *** check_chain_extensions:528 i > 1=0 *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 *** check_chain_extensions:531 (plen > (x->ex_pathlen + proxy_path_length + 1))=0 ******* important variables ******* *** check_chain_extensions:524 i=2 *** check_chain_extensions:525 plen=2 *** check_chain_extensions:526 x->ex_pathlen=0 ******* if statement components ******* *** check_chain_extensions:528 i > 1=1 *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 *** check_chain_extensions:531 (plen > (x->ex_pathlen + proxy_path_length + 1))=1 evilserver.pem: OK Chain: depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = EvilServer, CN = EvilServer (untrusted) depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN = EvilCA (untrusted) depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root From d3ck0r at gmail.com Mon Oct 8 11:27:10 2018 From: d3ck0r at gmail.com (J Decker) Date: Mon, 8 Oct 2018 04:27:10 -0700 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References: Message-ID: It was my interpretation that 0 pathlen on the root self signed meant infinite. The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson < blaufish.public.email at gmail.com> wrote: > One more logic confusion in the OpenSSL Path Length Constraint check. > Any Path Length Constraint set by Root (or any other Self-Issued > Certificate) is ignored. > Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly > applied to the checker (i.e. the checker and the calculation logic > have been mixed up). > > https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 > > openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" > Certificate Sign, CRL Sign > X509v3 Basic Constraints: critical > CA:TRUE, pathlen:0 > openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" > Certificate Sign, CRL Sign > X509v3 Basic Constraints: critical > CA:TRUE, pathlen:0 > openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" > X509v3 extensions: > X509v3 Basic Constraints: critical > CA:FALSE > ---- > openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" > X509v3 extensions: > X509v3 Subject Key Identifier: > 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > -- > -- > 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > X509v3 Authority Key Identifier: > > keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" > X509v3 extensions: > X509v3 Subject Key Identifier: > B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > -- > -- > B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > X509v3 Authority Key Identifier: > > keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key > Identifier" > TLS Web Server Authentication > X509v3 Subject Key Identifier: > 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > -- > -- > 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > X509v3 Authority Key Identifier: > > keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > ---- > ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile > root.pem -untrusted evilca.pem evilserver.pem > ******* important variables ******* > *** check_chain_extensions:524 i=0 > *** check_chain_extensions:525 plen=0 > *** check_chain_extensions:526 x->ex_pathlen=-1 > ******* if statement components ******* > *** check_chain_extensions:528 i > 1=0 > *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 > *** check_chain_extensions:531 (plen > (x->ex_pathlen + > proxy_path_length + 1))=0 > ******* important variables ******* > *** check_chain_extensions:524 i=1 > *** check_chain_extensions:525 plen=1 > *** check_chain_extensions:526 x->ex_pathlen=0 > ******* if statement components ******* > *** check_chain_extensions:528 i > 1=0 > *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > *** check_chain_extensions:531 (plen > (x->ex_pathlen + > proxy_path_length + 1))=0 > ******* important variables ******* > *** check_chain_extensions:524 i=2 > *** check_chain_extensions:525 plen=2 > *** check_chain_extensions:526 x->ex_pathlen=0 > ******* if statement components ******* > *** check_chain_extensions:528 i > 1=1 > *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 > *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > *** check_chain_extensions:531 (plen > (x->ex_pathlen + > proxy_path_length + 1))=1 > evilserver.pem: OK > Chain: > depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = > EvilServer, CN = EvilServer (untrusted) > depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN > = EvilCA (untrusted) > depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Mon Oct 8 12:47:53 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Mon, 8 Oct 2018 14:47:53 +0200 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References: Message-ID: That is not correct behaviour as far as I can understand. RFC5280 Certification Path Validation algorithm process from root to leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 Preparation for Certificate i+1 is expected to occur upon Root certificate, i.e. the following should be expected behaviour: * max_path_length=n (initialisation) * max_path_length=n-1 (first decrement) * max_path_length=0 (copied from root certificate constraint) * VERIFY(max_path_length>0) error upon preparing transition from i=1 (Root) to i=2 (EvilCA). OpenSSL does everything in a slightly different reverse algorithm, but should perform the same controls and behaivor as the RFC imho. And aside from the RFC algorithm checking for this condition, it is also analog with the description of the expected behaviour: The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) A pathLenConstraint of zero indicates that no non- self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed. So my understanding is that the OpenSSL algorithm is confused and fails to perform a check that is applicable to self-issued certificates. The decrement of max_path_length (aka plen++ in OpenSSL implementation) should not occur for self issued certificates, but the validation of max_path_length>0 (aka plen>(constraint+1)) should occur. On Mon, Oct 8, 2018 at 1:27 PM J Decker wrote: > > It was my interpretation that 0 pathlen on the root self signed meant infinite. > The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) > > On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson wrote: >> >> One more logic confusion in the OpenSSL Path Length Constraint check. >> Any Path Length Constraint set by Root (or any other Self-Issued >> Certificate) is ignored. >> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly >> applied to the checker (i.e. the checker and the calculation logic >> have been mixed up). >> >> https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 >> >> openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" >> Certificate Sign, CRL Sign >> X509v3 Basic Constraints: critical >> CA:TRUE, pathlen:0 >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" >> Certificate Sign, CRL Sign >> X509v3 Basic Constraints: critical >> CA:TRUE, pathlen:0 >> openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" >> X509v3 extensions: >> X509v3 Basic Constraints: critical >> CA:FALSE >> ---- >> openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" >> X509v3 extensions: >> X509v3 Subject Key Identifier: >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> -- >> -- >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> X509v3 Authority Key Identifier: >> >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" >> X509v3 extensions: >> X509v3 Subject Key Identifier: >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> -- >> -- >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> X509v3 Authority Key Identifier: >> >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >> openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" >> TLS Web Server Authentication >> X509v3 Subject Key Identifier: >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >> -- >> -- >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >> X509v3 Authority Key Identifier: >> >> keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >> ---- >> ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile >> root.pem -untrusted evilca.pem evilserver.pem >> ******* important variables ******* >> *** check_chain_extensions:524 i=0 >> *** check_chain_extensions:525 plen=0 >> *** check_chain_extensions:526 x->ex_pathlen=-1 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=0 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=0 >> ******* important variables ******* >> *** check_chain_extensions:524 i=1 >> *** check_chain_extensions:525 plen=1 >> *** check_chain_extensions:526 x->ex_pathlen=0 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=0 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=0 >> ******* important variables ******* >> *** check_chain_extensions:524 i=2 >> *** check_chain_extensions:525 plen=2 >> *** check_chain_extensions:526 x->ex_pathlen=0 >> ******* if statement components ******* >> *** check_chain_extensions:528 i > 1=1 >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >> proxy_path_length + 1))=1 >> evilserver.pem: OK >> Chain: >> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = >> EvilServer, CN = EvilServer (untrusted) >> depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN >> = EvilCA (untrusted) >> depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From blaufish.public.email at gmail.com Mon Oct 8 12:51:06 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Mon, 8 Oct 2018 14:51:06 +0200 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References: Message-ID: sorry, typo on the verify line, this was what I should have written: VERIFY(max_path_length>0) error upon preparing transition from i=2 (EvilCA) to i=2 (EvilServer). On Mon, Oct 8, 2018 at 2:47 PM Peter Magnusson wrote: > > That is not correct behaviour as far as I can understand. > > RFC5280 Certification Path Validation algorithm process from root to > leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 > Preparation for Certificate i+1 is expected to occur upon Root > certificate, i.e. the following should be expected behaviour: > * max_path_length=n (initialisation) > * max_path_length=n-1 (first decrement) > * max_path_length=0 (copied from root certificate constraint) > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > (Root) to i=2 (EvilCA). > > OpenSSL does everything in a slightly different reverse algorithm, but > should perform the same controls and behaivor as the RFC imho. > > And aside from the RFC algorithm checking for this condition, it is > also analog with the description of the expected behaviour: > > The pathLenConstraint field is meaningful only if the cA boolean is > asserted and the key usage extension, if present, asserts the > keyCertSign bit (Section 4.2.1.3). In this case, it gives the > maximum number of non-self-issued intermediate certificates that may > follow this certificate in a valid certification path. (Note: The > last certificate in the certification path is not an intermediate > certificate, and is not included in this limit. Usually, the last > certificate is an end entity certificate, but it can be a CA > certificate.) A pathLenConstraint of zero indicates that no non- > self-issued intermediate CA certificates may follow in a valid > certification path. Where it appears, the pathLenConstraint field > MUST be greater than or equal to zero. Where pathLenConstraint does > not appear, no limit is imposed. > > So my understanding is that the OpenSSL algorithm is confused and > fails to perform a check that is applicable to self-issued > certificates. The decrement of max_path_length (aka plen++ in OpenSSL > implementation) should not occur for self issued certificates, but the > validation of max_path_length>0 (aka plen>(constraint+1)) should > occur. > On Mon, Oct 8, 2018 at 1:27 PM J Decker wrote: > > > > It was my interpretation that 0 pathlen on the root self signed meant infinite. > > The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) > > > > On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson wrote: > >> > >> One more logic confusion in the OpenSSL Path Length Constraint check. > >> Any Path Length Constraint set by Root (or any other Self-Issued > >> Certificate) is ignored. > >> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly > >> applied to the checker (i.e. the checker and the calculation logic > >> have been mixed up). > >> > >> https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 > >> > >> openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" > >> Certificate Sign, CRL Sign > >> X509v3 Basic Constraints: critical > >> CA:TRUE, pathlen:0 > >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" > >> Certificate Sign, CRL Sign > >> X509v3 Basic Constraints: critical > >> CA:TRUE, pathlen:0 > >> openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" > >> X509v3 extensions: > >> X509v3 Basic Constraints: critical > >> CA:FALSE > >> ---- > >> openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" > >> X509v3 extensions: > >> X509v3 Subject Key Identifier: > >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > >> -- > >> -- > >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > >> X509v3 Authority Key Identifier: > >> > >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" > >> X509v3 extensions: > >> X509v3 Subject Key Identifier: > >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > >> -- > >> -- > >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > >> X509v3 Authority Key Identifier: > >> > >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > >> openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" > >> TLS Web Server Authentication > >> X509v3 Subject Key Identifier: > >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > >> -- > >> -- > >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > >> X509v3 Authority Key Identifier: > >> > >> keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > >> ---- > >> ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile > >> root.pem -untrusted evilca.pem evilserver.pem > >> ******* important variables ******* > >> *** check_chain_extensions:524 i=0 > >> *** check_chain_extensions:525 plen=0 > >> *** check_chain_extensions:526 x->ex_pathlen=-1 > >> ******* if statement components ******* > >> *** check_chain_extensions:528 i > 1=0 > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > >> proxy_path_length + 1))=0 > >> ******* important variables ******* > >> *** check_chain_extensions:524 i=1 > >> *** check_chain_extensions:525 plen=1 > >> *** check_chain_extensions:526 x->ex_pathlen=0 > >> ******* if statement components ******* > >> *** check_chain_extensions:528 i > 1=0 > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > >> proxy_path_length + 1))=0 > >> ******* important variables ******* > >> *** check_chain_extensions:524 i=2 > >> *** check_chain_extensions:525 plen=2 > >> *** check_chain_extensions:526 x->ex_pathlen=0 > >> ******* if statement components ******* > >> *** check_chain_extensions:528 i > 1=1 > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > >> proxy_path_length + 1))=1 > >> evilserver.pem: OK > >> Chain: > >> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = > >> EvilServer, CN = EvilServer (untrusted) > >> depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN > >> = EvilCA (untrusted) > >> depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root > >> -- > >> openssl-users mailing list > >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > > -- > > openssl-users mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From tshort at akamai.com Mon Oct 8 13:55:50 2018 From: tshort at akamai.com (Short, Todd) Date: Mon, 8 Oct 2018 13:55:50 +0000 Subject: [openssl-users] How to build libcrypto64*.lib and libssl64*.lib on Windows 64-bit? In-Reply-To: <20181002.175912.1353134730697848028.levitte@openssl.org> References: <20181002.175912.1353134730697848028.levitte@openssl.org> Message-ID: Could that be LibreSSL? (Or some similar wrapper for OpenSSL?) https://github.com/Ruzzz/LibreSSL This above repo creates libraries in the named format below; to match how Microsoft provides multiple versions of libraries. Looks to be debug (d) and multi-thread (MT?) versions of the libraries; not sure what MD stands for. Also: https://gitlab.kitware.com/cmake/cmake/commit/ed1758f8eb58a4e52acf0f3885f82403814f5ffd -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." On Oct 2, 2018, at 11:59 AM, Richard Levitte > wrote: Our scripts have *never*, as far as I know, produced libraries named like that. Don't those DLLs come from some specific packager that produces binary install kits? For 1.1.x, *our* naming is a bit more elaborate, you will see these names: libcrypto-1_1.dll & libssl-1_1.dll - VC-WIN32 build libcrypto-1_1-x64.dll & libssl-1_1-x64.dll - VC-WIN64A build libcrypto-1_1-ia64.dll & libssl-1_1-ia64.dll - VC-WIN64I build You will also see the corresponding import libraries: libcrypto.lib & libssl.lib Cheers, Richard In message > on Mon, 1 Oct 2018 16:29:15 +0000, > said: A current project using Net-SNMP and OpenSSL require that these both are built locally (customer requirement). I am attempting to build OpenSSL 1.1.1. After building OpenSSL, ?nmake test? succeeds. However, the Net-SNMP build is looking for various .lib files that are in the pre-built package, but do not seem to be in what I build locally. From the pre-built package, in the lib/VC folder: libcrypto64MD.lib libcrypto64MDd.lib libcrypto64MT.lib libcrypto64MTd.lib libssl64MD.lib libssl64MDd.lib libssl64MT.lib libssl64MTd.lib But the VC folder is not part of my locally built version. What am I missing in order to get these .lib files to build locally? Thank you for your assistance. Best Regards, Aaron Friesen Contract Software Engineer of Aerotek on behalf of Keysight Keysight Technologies, Inc. 970.679.5632 T -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Mon Oct 8 14:47:46 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Mon, 8 Oct 2018 16:47:46 +0200 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References:

Message-ID: Tested mbedtls to see how other code bases handle thus. mbedtls rejects the EvilCA certificate when connecting to openssl s_server (as opposed to openssl c_client -verify that accepts the connection). Verify requested for (Depth 1): cert. version : 3 serial number : 10:00 issuer name : C=SE, ST=Root, L=Root, O=Root, OU=Root, CN=Root subject name : C=SE, ST=EvilCA, L=EvilCA, O=EvilCA, OU=EvilCA, CN=EvilCA issued on : 2018-10-08 08:20:21 expires on : 2028-10-05 08:20:21 signed using : RSA with SHA-256 RSA key size : 4096 bits basic constraints : CA=true, max_pathlen=0 key usage : Key Cert Sign, CRL Sign ! The certificate is not correctly signed by the trusted CA The handshake fails after this error, mbedtls_ssl_handshake returned -9984. On Mon, Oct 8, 2018 at 2:51 PM Peter Magnusson wrote: > > sorry, typo on the verify line, this was what I should have written: > VERIFY(max_path_length>0) error upon preparing transition from i=2 > (EvilCA) to i=2 (EvilServer). > On Mon, Oct 8, 2018 at 2:47 PM Peter Magnusson > wrote: > > > > That is not correct behaviour as far as I can understand. > > > > RFC5280 Certification Path Validation algorithm process from root to > > leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 > > Preparation for Certificate i+1 is expected to occur upon Root > > certificate, i.e. the following should be expected behaviour: > > * max_path_length=n (initialisation) > > * max_path_length=n-1 (first decrement) > > * max_path_length=0 (copied from root certificate constraint) > > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > > (Root) to i=2 (EvilCA). > > > > OpenSSL does everything in a slightly different reverse algorithm, but > > should perform the same controls and behaivor as the RFC imho. > > > > And aside from the RFC algorithm checking for this condition, it is > > also analog with the description of the expected behaviour: > > > > The pathLenConstraint field is meaningful only if the cA boolean is > > asserted and the key usage extension, if present, asserts the > > keyCertSign bit (Section 4.2.1.3). In this case, it gives the > > maximum number of non-self-issued intermediate certificates that may > > follow this certificate in a valid certification path. (Note: The > > last certificate in the certification path is not an intermediate > > certificate, and is not included in this limit. Usually, the last > > certificate is an end entity certificate, but it can be a CA > > certificate.) A pathLenConstraint of zero indicates that no non- > > self-issued intermediate CA certificates may follow in a valid > > certification path. Where it appears, the pathLenConstraint field > > MUST be greater than or equal to zero. Where pathLenConstraint does > > not appear, no limit is imposed. > > > > So my understanding is that the OpenSSL algorithm is confused and > > fails to perform a check that is applicable to self-issued > > certificates. The decrement of max_path_length (aka plen++ in OpenSSL > > implementation) should not occur for self issued certificates, but the > > validation of max_path_length>0 (aka plen>(constraint+1)) should > > occur. > > On Mon, Oct 8, 2018 at 1:27 PM J Decker wrote: > > > > > > It was my interpretation that 0 pathlen on the root self signed meant infinite. > > > The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) > > > > > > On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson wrote: > > >> > > >> One more logic confusion in the OpenSSL Path Length Constraint check. > > >> Any Path Length Constraint set by Root (or any other Self-Issued > > >> Certificate) is ignored. > > >> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly > > >> applied to the checker (i.e. the checker and the calculation logic > > >> have been mixed up). > > >> > > >> https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 > > >> > > >> openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" > > >> Certificate Sign, CRL Sign > > >> X509v3 Basic Constraints: critical > > >> CA:TRUE, pathlen:0 > > >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" > > >> Certificate Sign, CRL Sign > > >> X509v3 Basic Constraints: critical > > >> CA:TRUE, pathlen:0 > > >> openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" > > >> X509v3 extensions: > > >> X509v3 Basic Constraints: critical > > >> CA:FALSE > > >> ---- > > >> openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" > > >> X509v3 extensions: > > >> X509v3 Subject Key Identifier: > > >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > > >> -- > > >> -- > > >> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > > >> X509v3 Authority Key Identifier: > > >> > > >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > > >> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" > > >> X509v3 extensions: > > >> X509v3 Subject Key Identifier: > > >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > > >> -- > > >> -- > > >> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > > >> X509v3 Authority Key Identifier: > > >> > > >> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 > > >> openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" > > >> TLS Web Server Authentication > > >> X509v3 Subject Key Identifier: > > >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > > >> -- > > >> -- > > >> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE > > >> X509v3 Authority Key Identifier: > > >> > > >> keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C > > >> ---- > > >> ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile > > >> root.pem -untrusted evilca.pem evilserver.pem > > >> ******* important variables ******* > > >> *** check_chain_extensions:524 i=0 > > >> *** check_chain_extensions:525 plen=0 > > >> *** check_chain_extensions:526 x->ex_pathlen=-1 > > >> ******* if statement components ******* > > >> *** check_chain_extensions:528 i > 1=0 > > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 > > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > > >> proxy_path_length + 1))=0 > > >> ******* important variables ******* > > >> *** check_chain_extensions:524 i=1 > > >> *** check_chain_extensions:525 plen=1 > > >> *** check_chain_extensions:526 x->ex_pathlen=0 > > >> ******* if statement components ******* > > >> *** check_chain_extensions:528 i > 1=0 > > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 > > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > > >> proxy_path_length + 1))=0 > > >> ******* important variables ******* > > >> *** check_chain_extensions:524 i=2 > > >> *** check_chain_extensions:525 plen=2 > > >> *** check_chain_extensions:526 x->ex_pathlen=0 > > >> ******* if statement components ******* > > >> *** check_chain_extensions:528 i > 1=1 > > >> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 > > >> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 > > >> *** check_chain_extensions:531 (plen > (x->ex_pathlen + > > >> proxy_path_length + 1))=1 > > >> evilserver.pem: OK > > >> Chain: > > >> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = > > >> EvilServer, CN = EvilServer (untrusted) > > >> depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN > > >> = EvilCA (untrusted) > > >> depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root > > >> -- > > >> openssl-users mailing list > > >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > > > > -- > > > openssl-users mailing list > > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From Andrew_Porter at bmc.com Mon Oct 8 14:17:32 2018 From: Andrew_Porter at bmc.com (Porter, Andrew) Date: Mon, 8 Oct 2018 14:17:32 +0000 Subject: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 In-Reply-To: <14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA271107638A@OPEXCSINM91.corporate.adroot.infra.ftgroup> References: <16481_1538732473_5BB731B9_16481_434_1_1817b836-b685-4a91-8f34-48220e57495b@OPEXCSINM92.corporate.adroot.infra.ftgroup> <14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA271107638A@OPEXCSINM91.corporate.adroot.infra.ftgroup> Message-ID: <89a51b4e433049f382add74aab7eac8e@phx-exmbprd-02.adprod.bmc.com> See the error message about looking at the FAQ? Here it is: https://www.openssl.org/docs/faq.html#USER1 From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of aakash.kumar at orange.com Sent: Sunday, October 07, 2018 22:51 To: openssl-users at openssl.org Cc: osf-contact at openssl.org Subject: Re: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 Hi Team, Please find below error in text format. [root at g3r1 ~]# systemctl status bind -l ? bind.service - LSB: DNS Daemon Loaded: loaded (/etc/rc.d/init.d/bind) Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago Docs: man:systemd-sysv-generator(8) Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS) Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS) Oct 05 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library) Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data] Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon. [root at g3r1 ~]# tail /var/log/message Oct 5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon... Oct 5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found Oct 5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 Oct 5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016 Oct 5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom' Oct 5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf Oct 5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28) Oct 5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: threads support is enabled Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium, Oct 5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Oct 5 13:31:09 g3r1 named[32429]: corporation. Support and training for BIND 9 are Oct 5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 5 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Thanks & Regards, Aakash kumar ITE - India Tower B, 8th Floor, DLF Infinity Towers, DLF Cyber City Phase - II Gurgaon - 122002, Haryana, INDIA Aakash.kumar at orange.com Mobile: +91-8527288977 CVS: 7357 3706 -----Original Message----- From: Viktor Dukhovni [mailto:openssl-users at dukhovni.org] Sent: 05 October 2018 21:23 To: KUMAR Aakash IMT/OINIS Cc: osf-contact at openssl.org; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen IMT/OINIS Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 Please try to send the text of error reports, not pictures. > I am getting below error while starting the bind service. > > If you ask on the openssl-users list, someone else may have seen the same issue, and may have useful advice to share. NOTE!!!: I've set the Reply-To: address to . If you just hit "Reply", your answer may go to the list, though you'd need to join the list first to be able to post... Does the error still happen when you disable "chroot" in BIND? Perhaps BIND is doing late initialization of the PRNG after entering the chroot jail, and maybe trying to use "/dev/urandom", which not be in the jail? That's a wild guess. You'd need to trace system calls to see what it is actually doing... -- Viktor. _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Michael.Wojcik at microfocus.com Mon Oct 8 14:54:47 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Mon, 8 Oct 2018 14:54:47 +0000 Subject: [openssl-users] How to build libcrypto64*.lib and libssl64*.lib on Windows 64-bit? In-Reply-To: References: <20181002.175912.1353134730697848028.levitte@openssl.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Short, Todd via openssl-users > Sent: Monday, October 08, 2018 09:56 > Looks to be debug (d) and multi-thread (MT?) versions of the libraries; not sure what MD stands for. It's Microsoft's naming convention for their C runtime. MT is multithreaded, statically linked; MD is multithreaded, dynamically linked. The "d" suffix is, as Todd guessed, the debug version. This is important with Microsoft Visual C, because the various runtimes do not play together. Their heaps, iobs, etc are separate. So, for example, if you link your program with the MT runtime and with a library that was linked with the MD runtime, and your code tries to free memory allocated by the library, you'll get a heap exception (if you're lucky) or heap corruption. You can get away with mixed runtimes if you're careful - if every module frees the storage it allocates, and you don't try to create a FILE* in one and use it in another, and so on. Nonetheless, it's a gaping architectural flaw, and some packages try to accommodate it by providing equivalent versions of their libraries. Todd may well be correct that OP is looking at a LibreSSL package, not an OpenSSL one. (LibreSSL isn't "a wrapper for OpenSSL", but whatever.) -- Michael Wojcik Distinguished Engineer, Micro Focus From sglazier456 at gmail.com Mon Oct 8 15:43:02 2018 From: sglazier456 at gmail.com (Sean Glazier) Date: Mon, 8 Oct 2018 11:43:02 -0400 Subject: [openssl-users] Issue with using TLS Message-ID: Hi, I have an issue with using a TLS client-server set up. on the client side I am using 32 open ssl library version 1.1 and the same set on the server side in VA smalltalk. Both are on windows. On the c side I set the SSL_CTX_new(TLS_client_method()) on the server I restricted to TLS only as per our security policy. I get through the hand shake and the client sends data over to the sever. however upon reading the server gives and openSSL error as follows: OpenSSLError Error Code: 336130315 Error Object: ('wrong version number') Error String: 'error:1408F10B:SSL routines:ssl3_get_record:wrong version number' Error Hint: 'ssl3_get_record:wrong version number' AuxiliaryData: nil. I have attempted to work around this by setting on the server side the following option: SSL_OP_TLS_ROLLBACK_BUG . I saw from forums that this will tell the server to ignore this bug. However, I still get the same bug. Does anyone know the workaround for this issue? Kind Regards, Sean Glazier -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Mon Oct 8 16:15:16 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 8 Oct 2018 12:15:16 -0400 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References: Message-ID: > On Oct 8, 2018, at 8:47 AM, Peter Magnusson wrote: > > RFC5280 Certification Path Validation algorithm process from root to > leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 > Preparation for Certificate i+1 is expected to occur upon Root > certificate, i.e. the following should be expected behaviour: > * max_path_length=n (initialisation) > * max_path_length=n-1 (first decrement) > * max_path_length=0 (copied from root certificate constraint) > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > (Root) to i=2 (EvilCA). Well, strictly speaking, the trust-anchor is not part of the certificate chain in RFC5280, it is a public key and an issuer name, not a certificate in the chain. However, when the trust-anchor is in the form of a self-signed CA certificate, one might take the view that this is a self-issued certificate to be included in the chain: trust anchor -> self-issued root CA cert (i = 1) -> ... -> EE (i = n) in which case the "path lenth: 0" in the self-issed root CA cert precludes the root from issuing any subsidiary CAs that can in turn issue further EE certs. That is perhaps reasonable, so I updated PR #7353 with a further commit: https://github.com/openssl/openssl/pull/7353/commits/02804dbd04180bdb87046bcd7581f9ba9cb2baf3 Does that address your concerns? -- Viktor. From matt at openssl.org Mon Oct 8 17:08:58 2018 From: matt at openssl.org (Matt Caswell) Date: Mon, 8 Oct 2018 18:08:58 +0100 Subject: [openssl-users] Issue with using TLS In-Reply-To: References: Message-ID: <8323ead9-cdb8-088d-827e-b137cb45f9a3@openssl.org> On 08/10/18 16:43, Sean Glazier wrote: > Hi, > > I have an issue with using a TLS client-server?set up. > > on the client side I am using 32 open ssl?library version 1.1 and the > same set on the server side in VA smalltalk. Both are on windows. > > On the c side I set the SSL_CTX_new(TLS_client_method()) on the server I > restricted to TLS only as per our security policy. > > I get through the hand shake and the client sends data over to the > sever. however upon reading the server gives and openSSL?error as follows: > OpenSSLError > Error Code: 336130315 > Error Object: ('wrong version number') > Error String: 'error:1408F10B:SSL routines:ssl3_get_record:wrong version > number' > Error Hint: 'ssl3_get_record:wrong version number' > AuxiliaryData: nil. This usually occurs if the data that is received doesn't look like TLS, either because it is corrupted or is some other protocol. The TLS record version number is the first thing we check, so if you've got bad data then this is the first error you hit. > > I have attempted to work around this by setting on the server side the > following option:??SSL_OP_TLS_ROLLBACK_BUG .?I saw from forums that this > will tell the server to ignore this bug. However, I still get the same bug. Don't do that. That option is an ancient client bug workaround that should not be necessary in modern code. > Does anyone know the workaround for this issue?? Send me a wireshark trace of a failing connection and I can take a look at it. Matt > ? > Kind Regards, > ? > Sean Glazier > ? > > From john.hughes at secid.co.uk Mon Oct 8 17:21:53 2018 From: john.hughes at secid.co.uk (John Hughes) Date: Mon, 8 Oct 2018 18:21:53 +0100 Subject: [openssl-users] Incompatible Object error from EC_POINT_mul (Nicola) Message-ID: <014601d45f2b$684aec00$38e0c400$@secid.co.uk> Nicola, Brilliant - that sorted it. I have produced a public key this way and successfully compared it with the public key in the original key pair. You may want to update the wiki page to add that step into the sample code Regards John -----Original Message----- From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of openssl-users-request at openssl.org Sent: 08 October 2018 08:36 To: openssl-users at openssl.org Subject: openssl-users Digest, Vol 47, Issue 8 Send openssl-users mailing list submissions to openssl-users at openssl.org To subscribe or unsubscribe via the World Wide Web, visit https://mta.openssl.org/mailman/listinfo/openssl-users or, via email, send a message with subject or body 'help' to openssl-users-request at openssl.org You can reach the person managing the list at openssl-users-owner at openssl.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: Wiki misleading Enc (Richard Levitte) 2. Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 (aakash.kumar at orange.com) 3. Re: Incompatible Object error from EC_POINT_mul (Nicola) ---------------------------------------------------------------------- Message: 1 Date: Mon, 08 Oct 2018 07:03:34 +0200 (CEST) From: Richard Levitte To: paul at zil.li Cc: openssl-users at openssl.org Subject: Re: [openssl-users] Wiki misleading Enc Message-ID: <20181008.070334.1188127225315146424.levitte at openssl.org> Content-Type: Text/Plain; charset=us-ascii Fixed. Thanks. In message <1df7e534-d4f0-7ac1-4de5-4cb8fb37d9e0 at zil.li> on Sat, 6 Oct 2018 22:48:01 +0200, Paul Zillmann said: > Hello, > > the wiki page [1] is wrong about the pass parameter. > According to [2] the parameter for a keyfile is -pass file:path and > not -pass pass:path > > - Paul > > 1: https://wiki.openssl.org/index.php/Enc > 2: https://www.openssl.org/docs/man1.0.2/apps/openssl.html > ------------------------------ Message: 2 Date: Mon, 8 Oct 2018 05:50:40 +0000 From: To: "openssl-users at openssl.org" Cc: "osf-contact at openssl.org" Subject: Re: [openssl-users] osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 Message-ID: <14773_1538977844_5BBAF034_14773_368_1_D9E1007BEB274445807B4DF1046EDA2711076 38A at OPEXCSINM91.corporate.adroot.infra.ftgroup> Content-Type: text/plain; charset="iso-2022-jp" Hi Team, Please find below error in text format. [root at g3r1 ~]# systemctl status bind -l ? bind.service - LSB: DNS Daemon Loaded: loaded (/etc/rc.d/init.d/bind) Active: active (exited) since Fri 2018-10-05 13:31:09 CEST; 2 days ago Docs: man:systemd-sysv-generator(8) Process: 32417 ExecStop=/etc/rc.d/init.d/bind stop (code=exited, status=0/SUCCESS) Process: 32421 ExecStart=/etc/rc.d/init.d/bind start (code=exited, status=0/SUCCESS) Oct 05 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 05 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 05 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 05 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 05 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 05 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 05 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Oct 05 13:31:09 g3r1 named[32429]: exiting (due to fatal error in library) Oct 05 13:31:09 g3r1 bind[32421]: [13B blob data] Oct 05 13:31:09 g3r1 systemd[1]: Started LSB: DNS Daemon. [root at g3r1 ~]# tail /var/log/message Oct 5 13:31:09 g3r1 systemd: Starting LSB: DNS Daemon... Oct 5 13:31:09 g3r1 bind: /etc/rc.d/init.d/bind: line 36: log_info_msg: command not found Oct 5 13:31:09 g3r1 named[32429]: starting BIND 9.12.2-P2 Oct 5 13:31:09 g3r1 named[32429]: running on Linux x86_64 3.10.0-327.13.1.el7.x86_64 #1 SMP Mon Feb 29 13:22:02 EST 2016 Oct 5 13:31:09 g3r1 named[32429]: built with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' 'mandir=/usr/share/man' '--enable-threads' '--with-libtool' '--with-openssl=/usr/local/ssl' '--disable-static' '--with-randomdev=/dev/urandom' Oct 5 13:31:09 g3r1 named[32429]: running as: named -u named -t /srv/named -c /etc/named.conf Oct 5 13:31:09 g3r1 named[32429]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-28) Oct 5 13:31:09 g3r1 named[32429]: compiled with OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: linked to OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018 Oct 5 13:31:09 g3r1 named[32429]: compiled with zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: linked to zlib version: 1.2.7 Oct 5 13:31:09 g3r1 named[32429]: threads support is enabled Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: BIND 9 is maintained by Internet Systems Consortium, Oct 5 13:31:09 g3r1 named[32429]: Inc. (ISC), a non-profit 501(c)(3) public-benefit Oct 5 13:31:09 g3r1 named[32429]: corporation. Support and training for BIND 9 are Oct 5 13:31:09 g3r1 named[32429]: available at https://www.isc.org/support Oct 5 13:31:09 g3r1 named[32429]: ---------------------------------------------------- Oct 5 13:31:09 g3r1 named[32429]: adjusted limit on open files from 4096 to 1048576 Oct 5 13:31:09 g3r1 named[32429]: found 1 CPU, using 1 worker thread Oct 5 13:31:09 g3r1 named[32429]: using 1 UDP listener per interface Oct 5 13:31:09 g3r1 named[32429]: using up to 4096 sockets Oct 5 13:31:09 g3r1 named[32429]: openssl_link.c:296: fatal error: Oct 5 13:31:09 g3r1 named[32429]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ) Thanks & Regards, Aakash kumar ITE - India Tower B, 8th Floor, DLF Infinity Towers, DLF Cyber City Phase - II Gurgaon - 122002, Haryana, INDIA Aakash.kumar at orange.com Mobile: +91-8527288977 CVS: 7357 3706 -----Original Message----- From: Viktor Dukhovni [mailto:openssl-users at dukhovni.org] Sent: 05 October 2018 21:23 To: KUMAR Aakash IMT/OINIS Cc: osf-contact at openssl.org; SRIVASTAVA Himanshu IMT/OINIS; VARSHNEY Praveen IMT/OINIS Subject: Re: osf-contact Latest Openssl Issue with Bind 9.12.2-P2 on RHEL 7.5 Please try to send the text of error reports, not pictures. > I am getting below error while starting the bind service. > > If you ask on the openssl-users list, someone else may have seen the same issue, and may have useful advice to share. NOTE!!!: I've set the Reply-To: address to . If you just hit "Reply", your answer may go to the list, though you'd need to join the list first to be able to post... Does the error still happen when you disable "chroot" in BIND? Perhaps BIND is doing late initialization of the PRNG after entering the chroot jail, and maybe trying to use "/dev/urandom", which not be in the jail? That's a wild guess. You'd need to trace system calls to see what it is actually doing... -- Viktor. ____________________________________________________________________________ _____________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Message: 3 Date: Mon, 8 Oct 2018 10:35:33 +0300 From: Nicola To: openssl-users at openssl.org Subject: Re: [openssl-users] Incompatible Object error from EC_POINT_mul Message-ID: Content-Type: text/plain; charset="utf-8" Hi, I did not run this in the debugger, but one issue is that you are not initializing `pub` before calling EC_POINT_mul : try adding pub = EC_POINT_new(curve); (and check for errors making sure pub is not null afterwards). Hope this helps! Best regards, Nicola On Mon, Oct 8, 2018, 00:31 John Hughes wrote: > I'm trying to generate a public key from a private key generated on a > HSM (and obtained by calling PKCS#11). Everything works fine until I > call EC_POINT_mul - at which point I get the error message: > > error:100BB065:elliptic curve routines:ec_wNAF_mul:incompatible > objects > > I have checked the BIGNUM conversion - and that seems to be fine. The > key pair on the HSM is also generated using brainpoolP256r1. > > The basis of the code can be found at the end of the email. I'm > basically trying to follow the example provided in: > https://wiki.openssl.org/index.php/Elliptic_Curve_Cryptography. > > I'm using openssl 1.10h > > Any pointers or help would be appreciated. > > > John > > --------------------------------------------------------------- > > > BN_CTX *ctx; > ctx = BN_CTX_new(); > if(!ctx) { > outputInfo("unable to create openssl BN_CTX"); > return; > } > > EC_GROUP *curve; > > outputInfo("about to create EC_GROUP_new_by_curve_name"); > if(NULL == (curve = > EC_GROUP_new_by_curve_name(NID_brainpoolP256r1))) { > outputERRORmess("unable to setup curve"); > } > > outputInfo("about to create EC_KEY_new_by_curve_name"); > EC_KEY *key; > if(NULL == (key = EC_KEY_new_by_curve_name(NID_brainpoolP256r1))) { > outputERRORmess("unable to setup EC_KEY"); > } > > // now get the private key contained in CKA_VALUE via PKCS#111 > and place in *attrPrivate.pValue > > .......... (handle error) > > EC_POINT *pub; > > > BIGNUM *prv = BN_bin2bn((unsigned char*)attrPrivate.pValue, > attrPrivate.ulValueLen, NULL); > if (prv == NULL) { > > ...... (handle error) > } > > if (1 != EC_KEY_set_private_key(key, prv)) { > > ........ (handle error) > } > > if (1 != EC_POINT_mul(curve, pub, prv, NULL, NULL, ctx)) { > outputInfo("unable to calculate the public key from > the HSM's private key using EC_POINT_mul"); > (handle error) > > } > > > > > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: ------------------------------ Subject: Digest Footer _______________________________________________ openssl-users mailing list openssl-users at openssl.org https://mta.openssl.org/mailman/listinfo/openssl-users ------------------------------ End of openssl-users Digest, Vol 47, Issue 8 ******************************************** From Erwann.Abalea at docusign.com Mon Oct 8 16:48:35 2018 From: Erwann.Abalea at docusign.com (Erwann Abalea) Date: Mon, 8 Oct 2018 16:48:35 +0000 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References: Message-ID: <1F596F70-C94B-434F-A031-7BC7EC256B64@docusign.com> Bonjour, The prospective certification path excludes the Trust Anchor. Therefore, the ? max_path_length=0 ? step is attained only when dealing with your EvilCA cert. Cordialement, Erwann Abalea > Le 8 oct. 2018 ? 14:47, Peter Magnusson a ?crit : > > That is not correct behaviour as far as I can understand. > > RFC5280 Certification Path Validation algorithm process from root to > leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 > Preparation for Certificate i+1 is expected to occur upon Root > certificate, i.e. the following should be expected behaviour: > * max_path_length=n (initialisation) > * max_path_length=n-1 (first decrement) > * max_path_length=0 (copied from root certificate constraint) > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > (Root) to i=2 (EvilCA). > > OpenSSL does everything in a slightly different reverse algorithm, but > should perform the same controls and behaivor as the RFC imho. > > And aside from the RFC algorithm checking for this condition, it is > also analog with the description of the expected behaviour: > > The pathLenConstraint field is meaningful only if the cA boolean is > asserted and the key usage extension, if present, asserts the > keyCertSign bit (Section 4.2.1.3). In this case, it gives the > maximum number of non-self-issued intermediate certificates that may > follow this certificate in a valid certification path. (Note: The > last certificate in the certification path is not an intermediate > certificate, and is not included in this limit. Usually, the last > certificate is an end entity certificate, but it can be a CA > certificate.) A pathLenConstraint of zero indicates that no non- > self-issued intermediate CA certificates may follow in a valid > certification path. Where it appears, the pathLenConstraint field > MUST be greater than or equal to zero. Where pathLenConstraint does > not appear, no limit is imposed. > > So my understanding is that the OpenSSL algorithm is confused and > fails to perform a check that is applicable to self-issued > certificates. The decrement of max_path_length (aka plen++ in OpenSSL > implementation) should not occur for self issued certificates, but the > validation of max_path_length>0 (aka plen>(constraint+1)) should > occur. > On Mon, Oct 8, 2018 at 1:27 PM J Decker wrote: >> >> It was my interpretation that 0 pathlen on the root self signed meant infinite. >> The pathlen only applies on the certs between root and the leaf (which obviously can be 0, and CA true or not, but bad form to say true I'd imagine.) >> >> On Mon, Oct 8, 2018 at 1:57 AM Peter Magnusson wrote: >>> >>> One more logic confusion in the OpenSSL Path Length Constraint check. >>> Any Path Length Constraint set by Root (or any other Self-Issued >>> Certificate) is ignored. >>> Root cause appears to be !(x->ex_flags & EXFLAG_SI)=0 incorrectly >>> applied to the checker (i.e. the checker and the calculation logic >>> have been mixed up). >>> >>> https://github.com/blaufish/openssl-pathlen/tree/master/testcase_2 >>> >>> openssl x509 -text -in root.pem | grep -a1 "X509v3 Basic" >>> Certificate Sign, CRL Sign >>> X509v3 Basic Constraints: critical >>> CA:TRUE, pathlen:0 >>> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 Basic" >>> Certificate Sign, CRL Sign >>> X509v3 Basic Constraints: critical >>> CA:TRUE, pathlen:0 >>> openssl x509 -text -in evilserver.pem | grep -a1 "X509v3 Basic" >>> X509v3 extensions: >>> X509v3 Basic Constraints: critical >>> CA:FALSE >>> ---- >>> openssl x509 -text -in root.pem | egrep -a1 "X509v3 .* Key Identifier" >>> X509v3 extensions: >>> X509v3 Subject Key Identifier: >>> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >>> -- >>> -- >>> 49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >>> X509v3 Authority Key Identifier: >>> >>> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >>> openssl x509 -text -in evilca.pem | grep -a1 "X509v3 .* Key Identifier" >>> X509v3 extensions: >>> X509v3 Subject Key Identifier: >>> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >>> -- >>> -- >>> B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >>> X509v3 Authority Key Identifier: >>> >>> keyid:49:39:72:82:78:39:E8:60:AD:17:79:83:DB:65:B8:5C:E6:A7:84:B5 >>> openssl x509 -text -in evilserver.pem | egrep -a1 "X509v3 .* Key Identifier" >>> TLS Web Server Authentication >>> X509v3 Subject Key Identifier: >>> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >>> -- >>> -- >>> 03:C6:48:91:09:73:F5:DF:EF:B5:9D:A4:66:00:16:C3:E9:DB:99:EE >>> X509v3 Authority Key Identifier: >>> >>> keyid:B6:B4:75:66:18:B5:D2:4F:57:10:53:93:4F:CD:51:71:A4:27:84:7C >>> ---- >>> ../openssl-1.1.1/apps/openssl verify -show_chain -verbose -CAfile >>> root.pem -untrusted evilca.pem evilserver.pem >>> ******* important variables ******* >>> *** check_chain_extensions:524 i=0 >>> *** check_chain_extensions:525 plen=0 >>> *** check_chain_extensions:526 x->ex_pathlen=-1 >>> ******* if statement components ******* >>> *** check_chain_extensions:528 i > 1=0 >>> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >>> *** check_chain_extensions:530 (x->ex_pathlen != -1)=0 >>> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >>> proxy_path_length + 1))=0 >>> ******* important variables ******* >>> *** check_chain_extensions:524 i=1 >>> *** check_chain_extensions:525 plen=1 >>> *** check_chain_extensions:526 x->ex_pathlen=0 >>> ******* if statement components ******* >>> *** check_chain_extensions:528 i > 1=0 >>> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=1 >>> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >>> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >>> proxy_path_length + 1))=0 >>> ******* important variables ******* >>> *** check_chain_extensions:524 i=2 >>> *** check_chain_extensions:525 plen=2 >>> *** check_chain_extensions:526 x->ex_pathlen=0 >>> ******* if statement components ******* >>> *** check_chain_extensions:528 i > 1=1 >>> *** check_chain_extensions:529 !(x->ex_flags & EXFLAG_SI)=0 >>> *** check_chain_extensions:530 (x->ex_pathlen != -1)=1 >>> *** check_chain_extensions:531 (plen > (x->ex_pathlen + >>> proxy_path_length + 1))=1 >>> evilserver.pem: OK >>> Chain: >>> depth=0: C = SE, ST = EvilServer, L = EvilServer, O = EvilServer, OU = >>> EvilServer, CN = EvilServer (untrusted) >>> depth=1: C = SE, ST = EvilCA, L = EvilCA, O = EvilCA, OU = EvilCA, CN >>> = EvilCA (untrusted) >>> depth=2: C = SE, ST = Root, L = Root, O = Root, OU = Root, CN = Root >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From bill.c.roberts at gmail.com Mon Oct 8 17:44:52 2018 From: bill.c.roberts at gmail.com (William Roberts) Date: Mon, 8 Oct 2018 10:44:52 -0700 Subject: [openssl-users] public version of encode_pkcs1 Message-ID: I would like to use OpenSSL to compute the DigestInfo structure to pass to a TPM for a TPM side RSA_Decrypt() operation when the TPM doesn't support the digest algorithm. I see in crypt/rsa_sign.c the routine encode_pkcs1() seems to do what I want. Is their a public version of this or a better way to do this? I could just use the pre-computed ASN1 headers from the Notes section in RFC3447 and concatenate the digest but my initial reaction to that idea is don't do it. Thoughts or ideas? Bill From blaufish.public.email at gmail.com Tue Oct 9 07:42:18 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Tue, 9 Oct 2018 09:42:18 +0200 Subject: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate In-Reply-To: References:

Message-ID: > trust anchor -> self-issued root CA cert (i = 1) -> ... -> EE (i = n) Yes that seems to be aligned with how the intended the path validation algorithm should be applied, i.e. first certificate processed is the cert of the trust anchor. But it could be clearer, and wording "recommended" (lowercase) does seem to imply implementers SHOULD process trust anchor cert rather than MUST process it. " In Section 6.1, the text describes basic path validation. Valid paths begin with certificates issued by a trust anchor. The algorithm requires the public key of the CA, the CA's name, and any constraints upon the set of paths that may be validated using this key." ... " Where a CA distributes self-signed certificates to specify trust anchor information, certificate extensions can be used to specify recommended inputs to path validation. For example, a policy constraints extension could be included in the self-signed certificate to indicate that paths beginning with this trust anchor should be trusted only for the specified policies." > https://github.com/openssl/openssl/pull/7353/commits/02804dbd04180bdb87046bcd7581f9ba9cb2baf3 > Does that address your concerns? I think so! I'll integrate it into my tests and try to do Q/A on the change, see if I can figure out any other edge case. Best Regards //P On Mon, Oct 8, 2018 at 6:15 PM Viktor Dukhovni wrote: > > > On Oct 8, 2018, at 8:47 AM, Peter Magnusson wrote: > > > > RFC5280 Certification Path Validation algorithm process from root to > > leaf, i.e. (Root, EvilCA, EvilServer). 6.1.2 Initialization and 6.1.4 > > Preparation for Certificate i+1 is expected to occur upon Root > > certificate, i.e. the following should be expected behaviour: > > * max_path_length=n (initialisation) > > * max_path_length=n-1 (first decrement) > > * max_path_length=0 (copied from root certificate constraint) > > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > > (Root) to i=2 (EvilCA). > > Well, strictly speaking, the trust-anchor is not part of the certificate > chain in RFC5280, it is a public key and an issuer name, not a certificate > in the chain. However, when the trust-anchor is in the form of a self-signed > CA certificate, one might take the view that this is a self-issued certificate > to be included in the chain: > > trust anchor -> self-issued root CA cert (i = 1) -> ... -> EE (i = n) > > in which case the "path lenth: 0" in the self-issed root CA cert precludes > the root from issuing any subsidiary CAs that can in turn issue further > EE certs. That is perhaps reasonable, so I updated PR #7353 with > a further commit: > > https://github.com/openssl/openssl/pull/7353/commits/02804dbd04180bdb87046bcd7581f9ba9cb2baf3 > > Does that address your concerns? > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From satish.lvr at gmail.com Tue Oct 9 09:43:38 2018 From: satish.lvr at gmail.com (Satish Lvr) Date: Tue, 9 Oct 2018 15:13:38 +0530 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) Message-ID: Hi All, Can we assume that backward compatibility would be maintained between letter releases of a version such as openSSL 1.0.2 (Eg: between openSSL 1.0.2a and openSSL 1.0.2p) unless there is security bug fix ? Regards Satish. -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Tue Oct 9 09:51:11 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 05:51:11 -0400 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) In-Reply-To: References: Message-ID: I am sorry On Tue, Oct 9, 2018, 5:44 AM Satish Lvr wrote: > Hi All, > > Can we assume that backward compatibility would be maintained between > letter releases of a version such as openSSL 1.0.2 (Eg: between openSSL > 1.0.2a and openSSL 1.0.2p) unless there is security bug fix ? > > Regards > Satish. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mcr at sandelman.ca Tue Oct 9 12:38:12 2018 From: mcr at sandelman.ca (Michael Richardson) Date: Tue, 09 Oct 2018 08:38:12 -0400 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) In-Reply-To: References: Message-ID: <29367.1539088692@localhost> Satish Lvr wrote: > Can we assume that backward compatibility would be maintained between letter > releases of a version such as openSSL 1.0.2 (Eg: between openSSL 1.0.2a and > openSSL 1.0.2p) unless there is security bug fix ? If one breaks backward (ABI) compatibility for a security bug fix, then the old code needs to be recompiled, so you can't fix the bug with an update to the .so. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From satish.lvr at gmail.com Tue Oct 9 12:42:18 2018 From: satish.lvr at gmail.com (Satish Lvr) Date: Tue, 9 Oct 2018 18:12:18 +0530 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) In-Reply-To: <29367.1539088692@localhost> References: <29367.1539088692@localhost> Message-ID: I am fine with recompilation. My question is more related to same functional behavior between versions (say from 1.0.2a to 1.0.2b ..... 1.0.2p) unless it is related to some security fix which breaks the old behavior. On Tue, Oct 9, 2018 at 6:08 PM Michael Richardson wrote: > > Satish Lvr wrote: > > Can we assume that backward compatibility would be maintained > between letter > > releases of a version such as openSSL 1.0.2 (Eg: between openSSL > 1.0.2a and > > openSSL 1.0.2p) unless there is security bug fix ? > > If one breaks backward (ABI) compatibility for a security bug fix, then > the old code needs to be recompiled, so you can't fix the bug with an > update to > the .so. > > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Tue Oct 9 12:50:18 2018 From: matt at openssl.org (Matt Caswell) Date: Tue, 9 Oct 2018 13:50:18 +0100 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) In-Reply-To: References: Message-ID: <5ff90aa3-3e19-9b2b-df8f-7c3b4eaeec60@openssl.org> On 09/10/18 10:43, Satish Lvr wrote: > Hi All, > > Can we assume that backward compatibility would be maintained between > letter releases of a version such as openSSL 1.0.2 (Eg: between openSSL > 1.0.2a and openSSL 1.0.2p) unless there is security bug fix ? The OpenSSL policy on this is here (first para): https://www.openssl.org/policies/releasestrat.html Letter releases are backwards ABI and API compatible. There should be no need to recompile your application to update to a later letter release. Matt From dustin.albright04 at gmail.com Tue Oct 9 13:32:57 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 09:32:57 -0400 Subject: [openssl-users] Backward compatibility for openSSL letter releases (openSSL 1.0.2 x) In-Reply-To: <5ff90aa3-3e19-9b2b-df8f-7c3b4eaeec60@openssl.org> References: <5ff90aa3-3e19-9b2b-df8f-7c3b4eaeec60@openssl.org> Message-ID: Hey I tried I didn't know what was up On Tue, Oct 9, 2018, 8:50 AM Matt Caswell wrote: > > > On 09/10/18 10:43, Satish Lvr wrote: > > Hi All, > > > > Can we assume that backward compatibility would be maintained between > > letter releases of a version such as openSSL 1.0.2 (Eg: between openSSL > > 1.0.2a and openSSL 1.0.2p) unless there is security bug fix ? > > The OpenSSL policy on this is here (first para): > > https://www.openssl.org/policies/releasestrat.html > > Letter releases are backwards ABI and API compatible. There should be no > need to recompile your application to update to a later letter release. > > Matt > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jgh at wizmail.org Tue Oct 9 21:27:14 2018 From: jgh at wizmail.org (Jeremy Harris) Date: Tue, 9 Oct 2018 22:27:14 +0100 Subject: [openssl-users] client ignoring alert Message-ID: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Hi, OpenSSL version 1.1.1 FIPS, on Fedora 29 (on both client and server) I'm seeing a client not receiving, or ignoring, what should be a fatal alert from the server during handshake. The server is requiring a client-certificate, via: SSL_CTX_set_verify(sctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) ... server_ssl = SSL_new(server_ctx) ... SSL_accept(server_ssl) ... and the client is not supplying one. This is a deliberate testcase. The server debug output goes: ============== 21:31:54 8729 SMTP>> 220 TLS go ahead 21:31:54 8729 Calling SSL_accept 21:31:54 8729 SSL info: before SSL initialization 21:31:54 8729 SSL info: before SSL initialization 21:31:54 8729 SSL info: before SSL initialization 21:31:54 8729 SSL info: SSLv3/TLS read client hello 21:31:54 8729 SSL info: SSLv3/TLS write server hello 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions 21:31:54 8729 SSL info: SSLv3/TLS write certificate request 21:31:54 8729 SSL info: SSLv3/TLS write certificate 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify 21:31:54 8729 SSL info: SSLv3/TLS write finished 21:31:54 8729 SSL info: TLSv1.3 early data 21:31:54 8729 SSL info: TLSv1.3 early data 21:31:54 8729 SSL info: error 21:31:54 8729 SSL info: error 21:31:54 8729 LOG: MAIN 21:31:54 8729 TLS error on connection from (rhu.barb) [192.168.122.94] (SSL_accept): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate =================== So far so good. The client however sees: =================== <<< 220 TLS go ahead Attempting to start TLS SSL info: before SSL initialization SSL info: before SSL initialization SSL info: SSLv3/TLS write client hello SSL info: SSLv3/TLS write client hello SSL info: SSLv3/TLS read server hello SSL info: TLSv1.3 read encrypted extensions SSL info: SSLv3/TLS read server certificate request SSL info: SSLv3/TLS read server certificate SSL info: TLSv1.3 read server certificate verify SSL info: SSLv3/TLS read finished SSL info: SSLv3/TLS write change cipher spec SSL info: SSLv3/TLS write client certificate SSL info: SSLv3/TLS write finished SSL info: SSL negotiation finished successfully SSL info: SSL negotiation finished successfully SSL connection using TLS_AES_256_GCM_SHA384 ================= The code running up to that last line indicates that SSL_connect() returned without error: ---- rc = SSL_connect (*ssl); alarm(0); if (sigalrm_seen) { printf("SSL_connect timed out\n"); return 0; } if (rc <= 0) { ERR_print_errors_fp(stdout); return 0; } printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); ---- What am I doing wrong? -- Thanks, Jeremy From dustin.albright04 at gmail.com Tue Oct 9 22:06:13 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 18:06:13 -0400 Subject: [openssl-users] client ignoring alert In-Reply-To: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> References: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Message-ID: No had to bring in grocery sorry about that On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris wrote: > Hi, > > OpenSSL version 1.1.1 FIPS, on Fedora 29 > > (on both client and server) > > > I'm seeing a client not receiving, or ignoring, what > should be a fatal alert from the server during handshake. > > The server is requiring a client-certificate, via: > > SSL_CTX_set_verify(sctx, > SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) > ... > server_ssl = SSL_new(server_ctx) > ... > SSL_accept(server_ssl) > > ... and the client is not supplying one. This is a deliberate > testcase. The server debug output goes: > ============== > 21:31:54 8729 SMTP>> 220 TLS go ahead > 21:31:54 8729 Calling SSL_accept > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: SSLv3/TLS read client hello > 21:31:54 8729 SSL info: SSLv3/TLS write server hello > 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec > 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions > 21:31:54 8729 SSL info: SSLv3/TLS write certificate request > 21:31:54 8729 SSL info: SSLv3/TLS write certificate > 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify > 21:31:54 8729 SSL info: SSLv3/TLS write finished > 21:31:54 8729 SSL info: TLSv1.3 early data > 21:31:54 8729 SSL info: TLSv1.3 early data > 21:31:54 8729 SSL info: error > 21:31:54 8729 SSL info: error > 21:31:54 8729 LOG: MAIN > 21:31:54 8729 TLS error on connection from (rhu.barb) > [192.168.122.94] (SSL_accept): error:1417C0C7:SSL > routines:tls_process_client_certificate:peer did not return a certificate > =================== > So far so good. The client however sees: > =================== > <<< 220 TLS go ahead > Attempting to start TLS > SSL info: before SSL initialization > SSL info: before SSL initialization > SSL info: SSLv3/TLS write client hello > SSL info: SSLv3/TLS write client hello > SSL info: SSLv3/TLS read server hello > SSL info: TLSv1.3 read encrypted extensions > SSL info: SSLv3/TLS read server certificate request > SSL info: SSLv3/TLS read server certificate > SSL info: TLSv1.3 read server certificate verify > SSL info: SSLv3/TLS read finished > SSL info: SSLv3/TLS write change cipher spec > SSL info: SSLv3/TLS write client certificate > SSL info: SSLv3/TLS write finished > SSL info: SSL negotiation finished successfully > SSL info: SSL negotiation finished successfully > SSL connection using TLS_AES_256_GCM_SHA384 > ================= > > The code running up to that last line indicates that > SSL_connect() returned without error: > ---- > rc = SSL_connect (*ssl); > alarm(0); > > if (sigalrm_seen) > { > printf("SSL_connect timed out\n"); > return 0; > } > > if (rc <= 0) > { > ERR_print_errors_fp(stdout); > return 0; > } > > printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); > ---- > > > What am I doing wrong? > -- > Thanks, > Jeremy > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Tue Oct 9 22:08:32 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 18:08:32 -0400 Subject: [openssl-users] client ignoring alert In-Reply-To: References: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Message-ID: I don't want to I don't know how to do this On Tue, Oct 9, 2018, 6:06 PM Dustin Albright wrote: > No had to bring in grocery sorry about that > > On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris wrote: > >> Hi, >> >> OpenSSL version 1.1.1 FIPS, on Fedora 29 >> >> (on both client and server) >> >> >> I'm seeing a client not receiving, or ignoring, what >> should be a fatal alert from the server during handshake. >> >> The server is requiring a client-certificate, via: >> >> SSL_CTX_set_verify(sctx, >> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) >> ... >> server_ssl = SSL_new(server_ctx) >> ... >> SSL_accept(server_ssl) >> >> ... and the client is not supplying one. This is a deliberate >> testcase. The server debug output goes: >> ============== >> 21:31:54 8729 SMTP>> 220 TLS go ahead >> 21:31:54 8729 Calling SSL_accept >> 21:31:54 8729 SSL info: before SSL initialization >> 21:31:54 8729 SSL info: before SSL initialization >> 21:31:54 8729 SSL info: before SSL initialization >> 21:31:54 8729 SSL info: SSLv3/TLS read client hello >> 21:31:54 8729 SSL info: SSLv3/TLS write server hello >> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec >> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions >> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request >> 21:31:54 8729 SSL info: SSLv3/TLS write certificate >> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify >> 21:31:54 8729 SSL info: SSLv3/TLS write finished >> 21:31:54 8729 SSL info: TLSv1.3 early data >> 21:31:54 8729 SSL info: TLSv1.3 early data >> 21:31:54 8729 SSL info: error >> 21:31:54 8729 SSL info: error >> 21:31:54 8729 LOG: MAIN >> 21:31:54 8729 TLS error on connection from (rhu.barb) >> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL >> routines:tls_process_client_certificate:peer did not return a certificate >> =================== >> So far so good. The client however sees: >> =================== >> <<< 220 TLS go ahead >> Attempting to start TLS >> SSL info: before SSL initialization >> SSL info: before SSL initialization >> SSL info: SSLv3/TLS write client hello >> SSL info: SSLv3/TLS write client hello >> SSL info: SSLv3/TLS read server hello >> SSL info: TLSv1.3 read encrypted extensions >> SSL info: SSLv3/TLS read server certificate request >> SSL info: SSLv3/TLS read server certificate >> SSL info: TLSv1.3 read server certificate verify >> SSL info: SSLv3/TLS read finished >> SSL info: SSLv3/TLS write change cipher spec >> SSL info: SSLv3/TLS write client certificate >> SSL info: SSLv3/TLS write finished >> SSL info: SSL negotiation finished successfully >> SSL info: SSL negotiation finished successfully >> SSL connection using TLS_AES_256_GCM_SHA384 >> ================= >> >> The code running up to that last line indicates that >> SSL_connect() returned without error: >> ---- >> rc = SSL_connect (*ssl); >> alarm(0); >> >> if (sigalrm_seen) >> { >> printf("SSL_connect timed out\n"); >> return 0; >> } >> >> if (rc <= 0) >> { >> ERR_print_errors_fp(stdout); >> return 0; >> } >> >> printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); >> ---- >> >> >> What am I doing wrong? >> -- >> Thanks, >> Jeremy >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Tue Oct 9 22:11:58 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 18:11:58 -0400 Subject: [openssl-users] client ignoring alert In-Reply-To: References: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Message-ID: trying to get it open On Tue, Oct 9, 2018, 6:08 PM Dustin Albright wrote: > I don't want to I don't know how to do this > > On Tue, Oct 9, 2018, 6:06 PM Dustin Albright > wrote: > >> No had to bring in grocery sorry about that >> >> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris wrote: >> >>> Hi, >>> >>> OpenSSL version 1.1.1 FIPS, on Fedora 29 >>> >>> (on both client and server) >>> >>> >>> I'm seeing a client not receiving, or ignoring, what >>> should be a fatal alert from the server during handshake. >>> >>> The server is requiring a client-certificate, via: >>> >>> SSL_CTX_set_verify(sctx, >>> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) >>> ... >>> server_ssl = SSL_new(server_ctx) >>> ... >>> SSL_accept(server_ssl) >>> >>> ... and the client is not supplying one. This is a deliberate >>> testcase. The server debug output goes: >>> ============== >>> 21:31:54 8729 SMTP>> 220 TLS go ahead >>> 21:31:54 8729 Calling SSL_accept >>> 21:31:54 8729 SSL info: before SSL initialization >>> 21:31:54 8729 SSL info: before SSL initialization >>> 21:31:54 8729 SSL info: before SSL initialization >>> 21:31:54 8729 SSL info: SSLv3/TLS read client hello >>> 21:31:54 8729 SSL info: SSLv3/TLS write server hello >>> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec >>> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions >>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request >>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate >>> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify >>> 21:31:54 8729 SSL info: SSLv3/TLS write finished >>> 21:31:54 8729 SSL info: TLSv1.3 early data >>> 21:31:54 8729 SSL info: TLSv1.3 early data >>> 21:31:54 8729 SSL info: error >>> 21:31:54 8729 SSL info: error >>> 21:31:54 8729 LOG: MAIN >>> 21:31:54 8729 TLS error on connection from (rhu.barb) >>> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL >>> routines:tls_process_client_certificate:peer did not return a certificate >>> =================== >>> So far so good. The client however sees: >>> =================== >>> <<< 220 TLS go ahead >>> Attempting to start TLS >>> SSL info: before SSL initialization >>> SSL info: before SSL initialization >>> SSL info: SSLv3/TLS write client hello >>> SSL info: SSLv3/TLS write client hello >>> SSL info: SSLv3/TLS read server hello >>> SSL info: TLSv1.3 read encrypted extensions >>> SSL info: SSLv3/TLS read server certificate request >>> SSL info: SSLv3/TLS read server certificate >>> SSL info: TLSv1.3 read server certificate verify >>> SSL info: SSLv3/TLS read finished >>> SSL info: SSLv3/TLS write change cipher spec >>> SSL info: SSLv3/TLS write client certificate >>> SSL info: SSLv3/TLS write finished >>> SSL info: SSL negotiation finished successfully >>> SSL info: SSL negotiation finished successfully >>> SSL connection using TLS_AES_256_GCM_SHA384 >>> ================= >>> >>> The code running up to that last line indicates that >>> SSL_connect() returned without error: >>> ---- >>> rc = SSL_connect (*ssl); >>> alarm(0); >>> >>> if (sigalrm_seen) >>> { >>> printf("SSL_connect timed out\n"); >>> return 0; >>> } >>> >>> if (rc <= 0) >>> { >>> ERR_print_errors_fp(stdout); >>> return 0; >>> } >>> >>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); >>> ---- >>> >>> >>> What am I doing wrong? >>> -- >>> Thanks, >>> Jeremy >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Tue Oct 9 22:24:19 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Tue, 9 Oct 2018 18:24:19 -0400 Subject: [openssl-users] client ignoring alert In-Reply-To: References: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Message-ID: I'm trying to get on a open ss user I'm on a phone On Tue, Oct 9, 2018, 6:11 PM Dustin Albright wrote: > trying to get it open > > On Tue, Oct 9, 2018, 6:08 PM Dustin Albright > wrote: > >> I don't want to I don't know how to do this >> >> On Tue, Oct 9, 2018, 6:06 PM Dustin Albright >> wrote: >> >>> No had to bring in grocery sorry about that >>> >>> On Tue, Oct 9, 2018, 5:45 PM Jeremy Harris wrote: >>> >>>> Hi, >>>> >>>> OpenSSL version 1.1.1 FIPS, on Fedora 29 >>>> >>>> (on both client and server) >>>> >>>> >>>> I'm seeing a client not receiving, or ignoring, what >>>> should be a fatal alert from the server during handshake. >>>> >>>> The server is requiring a client-certificate, via: >>>> >>>> SSL_CTX_set_verify(sctx, >>>> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) >>>> ... >>>> server_ssl = SSL_new(server_ctx) >>>> ... >>>> SSL_accept(server_ssl) >>>> >>>> ... and the client is not supplying one. This is a deliberate >>>> testcase. The server debug output goes: >>>> ============== >>>> 21:31:54 8729 SMTP>> 220 TLS go ahead >>>> 21:31:54 8729 Calling SSL_accept >>>> 21:31:54 8729 SSL info: before SSL initialization >>>> 21:31:54 8729 SSL info: before SSL initialization >>>> 21:31:54 8729 SSL info: before SSL initialization >>>> 21:31:54 8729 SSL info: SSLv3/TLS read client hello >>>> 21:31:54 8729 SSL info: SSLv3/TLS write server hello >>>> 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec >>>> 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions >>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate request >>>> 21:31:54 8729 SSL info: SSLv3/TLS write certificate >>>> 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify >>>> 21:31:54 8729 SSL info: SSLv3/TLS write finished >>>> 21:31:54 8729 SSL info: TLSv1.3 early data >>>> 21:31:54 8729 SSL info: TLSv1.3 early data >>>> 21:31:54 8729 SSL info: error >>>> 21:31:54 8729 SSL info: error >>>> 21:31:54 8729 LOG: MAIN >>>> 21:31:54 8729 TLS error on connection from (rhu.barb) >>>> [192.168.122.94] (SSL_accept): error:1417C0C7:SSL >>>> routines:tls_process_client_certificate:peer did not return a >>>> certificate >>>> =================== >>>> So far so good. The client however sees: >>>> =================== >>>> <<< 220 TLS go ahead >>>> Attempting to start TLS >>>> SSL info: before SSL initialization >>>> SSL info: before SSL initialization >>>> SSL info: SSLv3/TLS write client hello >>>> SSL info: SSLv3/TLS write client hello >>>> SSL info: SSLv3/TLS read server hello >>>> SSL info: TLSv1.3 read encrypted extensions >>>> SSL info: SSLv3/TLS read server certificate request >>>> SSL info: SSLv3/TLS read server certificate >>>> SSL info: TLSv1.3 read server certificate verify >>>> SSL info: SSLv3/TLS read finished >>>> SSL info: SSLv3/TLS write change cipher spec >>>> SSL info: SSLv3/TLS write client certificate >>>> SSL info: SSLv3/TLS write finished >>>> SSL info: SSL negotiation finished successfully >>>> SSL info: SSL negotiation finished successfully >>>> SSL connection using TLS_AES_256_GCM_SHA384 >>>> ================= >>>> >>>> The code running up to that last line indicates that >>>> SSL_connect() returned without error: >>>> ---- >>>> rc = SSL_connect (*ssl); >>>> alarm(0); >>>> >>>> if (sigalrm_seen) >>>> { >>>> printf("SSL_connect timed out\n"); >>>> return 0; >>>> } >>>> >>>> if (rc <= 0) >>>> { >>>> ERR_print_errors_fp(stdout); >>>> return 0; >>>> } >>>> >>>> printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); >>>> ---- >>>> >>>> >>>> What am I doing wrong? >>>> -- >>>> Thanks, >>>> Jeremy >>>> -- >>>> openssl-users mailing list >>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >>>> >>> -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Tue Oct 9 22:53:54 2018 From: matt at openssl.org (Matt Caswell) Date: Tue, 9 Oct 2018 23:53:54 +0100 Subject: [openssl-users] client ignoring alert In-Reply-To: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> References: <60975f52-7927-c7d7-5818-3222610cfff2@wizmail.org> Message-ID: <3ac44ea4-9720-040b-92d7-b9b54fdfe554@openssl.org> On 09/10/18 22:27, Jeremy Harris wrote: > Hi, > > OpenSSL version 1.1.1 FIPS, on Fedora 29 > > (on both client and server) > > > I'm seeing a client not receiving, or ignoring, what > should be a fatal alert from the server during handshake. > > The server is requiring a client-certificate, via: > > SSL_CTX_set_verify(sctx, > SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ...) > ... > server_ssl = SSL_new(server_ctx) > ... > SSL_accept(server_ssl) > > ... and the client is not supplying one. This is a deliberate > testcase. The server debug output goes: > ============== > 21:31:54 8729 SMTP>> 220 TLS go ahead > 21:31:54 8729 Calling SSL_accept > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: before SSL initialization > 21:31:54 8729 SSL info: SSLv3/TLS read client hello > 21:31:54 8729 SSL info: SSLv3/TLS write server hello > 21:31:54 8729 SSL info: SSLv3/TLS write change cipher spec > 21:31:54 8729 SSL info: TLSv1.3 write encrypted extensions > 21:31:54 8729 SSL info: SSLv3/TLS write certificate request > 21:31:54 8729 SSL info: SSLv3/TLS write certificate > 21:31:54 8729 SSL info: TLSv1.3 write server certificate verify > 21:31:54 8729 SSL info: SSLv3/TLS write finished > 21:31:54 8729 SSL info: TLSv1.3 early data > 21:31:54 8729 SSL info: TLSv1.3 early data > 21:31:54 8729 SSL info: error > 21:31:54 8729 SSL info: error > 21:31:54 8729 LOG: MAIN > 21:31:54 8729 TLS error on connection from (rhu.barb) > [192.168.122.94] (SSL_accept): error:1417C0C7:SSL > routines:tls_process_client_certificate:peer did not return a certificate > =================== > So far so good. The client however sees: > =================== > <<< 220 TLS go ahead > Attempting to start TLS > SSL info: before SSL initialization > SSL info: before SSL initialization > SSL info: SSLv3/TLS write client hello > SSL info: SSLv3/TLS write client hello > SSL info: SSLv3/TLS read server hello > SSL info: TLSv1.3 read encrypted extensions > SSL info: SSLv3/TLS read server certificate request > SSL info: SSLv3/TLS read server certificate > SSL info: TLSv1.3 read server certificate verify > SSL info: SSLv3/TLS read finished > SSL info: SSLv3/TLS write change cipher spec > SSL info: SSLv3/TLS write client certificate > SSL info: SSLv3/TLS write finished > SSL info: SSL negotiation finished successfully > SSL info: SSL negotiation finished successfully > SSL connection using TLS_AES_256_GCM_SHA384 > ================= > > The code running up to that last line indicates that > SSL_connect() returned without error: > ---- > rc = SSL_connect (*ssl); > alarm(0); > > if (sigalrm_seen) > { > printf("SSL_connect timed out\n"); > return 0; > } > > if (rc <= 0) > { > ERR_print_errors_fp(stdout); > return 0; > } > > printf("SSL connection using %s\n", SSL_get_cipher (*ssl)); > ---- > > > What am I doing wrong? > Nothing. This is expected behaviour. The messages in this TLSv1.3 handshake are: Client Server ------ ------ ClientHello ServerHello EncryptedExtensions CertificateRequest Certificate CertificateVerify Finished Certificate(empty) Finished Alert Note that it is the client that sends the last flight of messages in the handshake, and the (empty) Certificate message is part of that flight. As far as the client is concerned it has sent all the messages it needs to, to the complete the handshake. Therefore SSL_connect() completes successfully. On the server side the handshake won't be complete until it sees the client Finished - but before it gets that far it notices the missing Certificate and sends the alert. From a client perspective this will appear as if the handshake successfully completed but then the server immediately aborts with a fatal alert. Matt From walter.h at mathemainzel.info Wed Oct 10 06:12:45 2018 From: walter.h at mathemainzel.info (Walter H.) Date: Wed, 10 Oct 2018 08:12:45 +0200 Subject: [openssl-users] Wildcard: how are they correct? Message-ID: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Hello, which of these possibilities is the correct one? (a) CN=*.example.com and subjectAltName = DNS:*.example.com, DNS:example.com (b) CN=example.com and subjectAltName = DNS:example.com, DNS:*.example.com (c) CN=example.com and subjectAltName = DNS:*.example.com, DNS:example.com (d) CN=hello world and subjectAltName = DNS:example.com, DNS:*.example.com Thanks, Walter From dustin.albright04 at gmail.com Wed Oct 10 06:23:59 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:23:59 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 06:24:26 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:24:26 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: may we talk On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 06:37:44 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:37:44 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: so the way I'm take this it's pick and chose who walks right On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 06:40:45 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:40:45 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: I can pick any one of my own family old man's in the back me Lil man and girl in liven room On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 06:43:24 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:43:24 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: I'm 25 Lil 18 old man in back the man in the back I'm not Goin to fight u I know I have to give my phone to u and are willing to so the rest is up to u and watch u diside On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From aerowolf at gmail.com Wed Oct 10 06:54:55 2018 From: aerowolf at gmail.com (Kyle Hamilton) Date: Tue, 9 Oct 2018 23:54:55 -0700 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: If subjectAltName exists, CN= is not evaluated. All the given examples should work. (The only exceptions are validators that haven't been current for more than 20 years.) None of the examples is correct. CN= should not even be included in the certificate. If it is, (d) is the closest to correct, if "hello world" is replaced by something meaningful to the identification or naming of the subject. -Kyle H On Tue, Oct 9, 2018 at 11:18 PM Walter H. wrote: > > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From dustin.albright04 at gmail.com Wed Oct 10 06:58:47 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 02:58:47 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: I'm Dustin Albright I see what u r say thing there two listed so that's old man in back and me inn liven room with Lil Lil man On Wed, Oct 10, 2018, 2:55 AM Kyle Hamilton wrote: > If subjectAltName exists, CN= is not evaluated. All the given > examples should work. (The only exceptions are validators that > haven't been current for more than 20 years.) None of the examples is > correct. CN= should not even be included in the certificate. If it > is, (d) is the closest to correct, if "hello world" is replaced by > something meaningful to the identification or naming of the subject. > > -Kyle H > On Tue, Oct 9, 2018 at 11:18 PM Walter H. > wrote: > > > > Hello, > > > > which of these possibilities is the correct one? > > > > (a) CN=*.example.com > > and subjectAltName = DNS:*.example.com, DNS:example.com > > > > (b) CN=example.com > > and subjectAltName = DNS:example.com, DNS:*.example.com > > > > (c) CN=example.com > > and subjectAltName = DNS:*.example.com, DNS:example.com > > > > (d) CN=hello world > > and subjectAltName = DNS:example.com, DNS:*.example.com > > > > Thanks, > > Walter > > > > -- > > openssl-users mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 07:02:04 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 03:02:04 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: if u would like to talk I will come talk with u because u divers the respect On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 07:02:50 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 03:02:50 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: this really wasn't my intention on all this not really sure how I don't it eat her On Wed, Oct 10, 2018, 2:18 AM Walter H. wrote: > Hello, > > which of these possibilities is the correct one? > > (a) CN=*.example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (b) CN=example.com > and subjectAltName = DNS:example.com, DNS:*.example.com > > (c) CN=example.com > and subjectAltName = DNS:*.example.com, DNS:example.com > > (d) CN=hello world > and subjectAltName = DNS:example.com, DNS:*.example.com > > Thanks, > Walter > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 07:14:08 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 03:14:08 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: I come out side on fruit porch the kid and dad's in side like I said I can't pick I'd how I ended up doing this but I'm here on the porch u diseve the respece On Wed, Oct 10, 2018, 3:02 AM Dustin Albright wrote: > this really wasn't my intention on all this not really sure how I don't > it eat her > > On Wed, Oct 10, 2018, 2:18 AM Walter H. > wrote: > >> Hello, >> >> which of these possibilities is the correct one? >> >> (a) CN=*.example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (b) CN=example.com >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> (c) CN=example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (d) CN=hello world >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> Thanks, >> Walter >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dustin.albright04 at gmail.com Wed Oct 10 07:23:30 2018 From: dustin.albright04 at gmail.com (Dustin Albright) Date: Wed, 10 Oct 2018 03:23:30 -0400 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: nothing don't need to happen to the kid and I can't pick any one so I just come out side On Wed, Oct 10, 2018, 3:14 AM Dustin Albright wrote: > I come out side on fruit porch the kid and dad's in side like I said I > can't pick I'd how I ended up doing this but I'm here on the porch u diseve > the respece > > On Wed, Oct 10, 2018, 3:02 AM Dustin Albright > wrote: > >> this really wasn't my intention on all this not really sure how I don't >> it eat her >> >> On Wed, Oct 10, 2018, 2:18 AM Walter H. >> wrote: >> >>> Hello, >>> >>> which of these possibilities is the correct one? >>> >>> (a) CN=*.example.com >>> and subjectAltName = DNS:*.example.com, DNS:example.com >>> >>> (b) CN=example.com >>> and subjectAltName = DNS:example.com, DNS:*.example.com >>> >>> (c) CN=example.com >>> and subjectAltName = DNS:*.example.com, DNS:example.com >>> >>> (d) CN=hello world >>> and subjectAltName = DNS:example.com, DNS:*.example.com >>> >>> Thanks, >>> Walter >>> >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From jb-openssl at wisemo.com Wed Oct 10 07:58:40 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 10 Oct 2018 09:58:40 +0200 Subject: [openssl-users] Wildcard: how are they correct? In-Reply-To: References: <1a1be1440e255de72d915c211ccbcc33.1539151965@squirrel.mail> Message-ID: <450ad601-bb10-b54c-b90a-484e3ad1481e@wisemo.com> Actually, for public CAs, the current standard (the CAB/F Basic Requirements) require (a), (b) or (c), and prohibit (d). The prohibition on (d) is stated indirectly as a prohibition against putting something that isn't the subjects validated public DNS name in CN. In practice, most public CAs use (a) for maximum backward compatibility. It should also be noted that it is a lot less than 20 years since the popular GNU wget utility started looking at subjectAltName.? Lesser known tools may have been even slower to implement it. On 10/10/2018 08:54, Kyle Hamilton wrote: > If subjectAltName exists, CN= is not evaluated. All the given > examples should work. (The only exceptions are validators that > haven't been current for more than 20 years.) None of the examples is > correct. CN= should not even be included in the certificate. If it > is, (d) is the closest to correct, if "hello world" is replaced by > something meaningful to the identification or naming of the subject. > > -Kyle H > On Tue, Oct 9, 2018 at 11:18 PM Walter H. wrote: >> Hello, >> >> which of these possibilities is the correct one? >> >> (a) CN=*.example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (b) CN=example.com >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> (c) CN=example.com >> and subjectAltName = DNS:*.example.com, DNS:example.com >> >> (d) CN=hello world >> and subjectAltName = DNS:example.com, DNS:*.example.com >> >> Thanks, >> Walter >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From murugesh.pitchaiah at gmail.com Wed Oct 10 11:36:49 2018 From: murugesh.pitchaiah at gmail.com (murugesh pitchaiah) Date: Wed, 10 Oct 2018 17:06:49 +0530 Subject: [openssl-users] Regarding Full PKI Authentication Message-ID: Hi All, I came across a term "Full PKI Authentication". Please someone clarify, what the name "Full" suggests here ? Is there any specific "Full PKI" version available ? Anay specific RFC available for "Full" PKI other than the following ? https://tools.ietf.org/html/rfc5280.html I could see something like "SPKI (simple)". Thanks in advance. Regards, Murugesh P. From rpo at compumatica.com Wed Oct 10 11:55:05 2018 From: rpo at compumatica.com (RudyAC) Date: Wed, 10 Oct 2018 04:55:05 -0700 (MST) Subject: [openssl-users] CMS_verify provides empty output Message-ID: <1539172505468-0.post@n7.nabble.com> Hello, when verifying a signed email with CMS_verify() the verification failed. That is not the main problem. My problem is that the out data is empty. Using the library I got following error: OpenSSL Error code all: <772382878d> OpenSSL Error code lib: <46d> OpenSSL Error code func: <154d> OpenSSL Error code reason: <158d> OpenSSL Error: error:2E09A09E:CMS routines:CMS_SignerInfo_verify_content:verification failure The mail body is base64 encoded. When verifying the email on console with "openssl cms -verify" there is no message output, only the error message : Verification failure 47883249174256:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:278: 47883249174256:error:2E09809E:CMS routines:CMS_SignerInfo_verify:verification failure:cms_sd.c:775: Any hints are welcome Best regards RudyAC -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html From jb-openssl at wisemo.com Wed Oct 10 12:06:42 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 10 Oct 2018 14:06:42 +0200 Subject: [openssl-users] CMS_verify provides empty output In-Reply-To: <1539172505468-0.post@n7.nabble.com> References: <1539172505468-0.post@n7.nabble.com> Message-ID: <8a594640-5278-c5f5-8cd4-0e4f4ad3a640@wisemo.com> On 10/10/2018 13:55, RudyAC wrote: > Hello, > > when verifying a signed email with CMS_verify() the verification failed. > That is not the main problem. > My problem is that the out data is empty. Using the library I got following > error: > > OpenSSL Error code all: <772382878d> > OpenSSL Error code lib: <46d> > OpenSSL Error code func: <154d> > OpenSSL Error code reason: <158d> > OpenSSL Error: error:2E09A09E:CMS > routines:CMS_SignerInfo_verify_content:verification failure > > The mail body is base64 encoded. > > When verifying the email on console with "openssl cms -verify" there is no > message output, only the error > message : > > Verification failure > 47883249174256:error:04091068:rsa routines:INT_RSA_VERIFY:bad > signature:rsa_sign.c:278: > 47883249174256:error:2E09809E:CMS > routines:CMS_SignerInfo_verify:verification failure:cms_sd.c:775: > > Any hints are welcome The general assumption in OpenSSL is that if the signature is invalid, the contents is probably fake,false or invalid, and thus unwanted. This is generally true in cryptography, but for actual e-mail applications it may very well be desired to allow the user to ignore signature verification failures.? If so, one could combine allowing the mail software to access the MIME message normally (as if the signature was some unknown MIME part) with a meaningful (human readable) form of the actual error message from verification (there is more than one way the verification can fail, and the desired human response would often differ). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From mythjill at gmail.com Wed Oct 10 22:04:23 2018 From: mythjill at gmail.com (Dave Wang) Date: Wed, 10 Oct 2018 15:04:23 -0700 Subject: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1 Message-ID: Hi there, I have a client can talk with server, where the client certificate is loaded in client_cert_cb based on matching the server side certificate. it works perfectly in openssl 1.1.0h, however it stops working after I upgrade to openssl 1.1.1. In client_cert_cb , when I call SSL_get_peer_certificate, it returns NULL, which is different from openssl 1.1.0h. I do set SSL_VERIFY_PEER on both sides. any thoughts on this? Regards, Dave -------------- next part -------------- An HTML attachment was scrubbed... URL: From paul at kinetic.com.au Wed Oct 10 23:16:09 2018 From: paul at kinetic.com.au (Paul Chubb) Date: Thu, 11 Oct 2018 10:16:09 +1100 Subject: [openssl-users] openssl commandline client use Message-ID: Hi, I am in the process of using the openssl suite for many things including encrypting private information. There is a heap of information on the internet suggesting using the openssl client for these sort of purposes. However in a very few places there are also statements that the client is only for testing the library and shouldn't be used in anger, that it isn't secure or that only certain protocols are correctly implemented. There isn't a statement in the documentation about this and we all know the religiosity of some statements on the internet. I am using aes-256-cbc to encrypt streamed data (a backup). I am running OpenSSL 1.1.0g 2 Nov 2017 Any comments would be helpful. many thanks in advance Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: From Michael.Wojcik at microfocus.com Thu Oct 11 01:23:41 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Thu, 11 Oct 2018 01:23:41 +0000 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Paul Chubb > Sent: Wednesday, October 10, 2018 19:16 > I am in the process of using the openssl suite for many things including > encrypting private information. There is a heap of information on the internet > suggesting using the openssl client for these sort of purposes. However in a very few > places there are also statements that the client is only for testing the library and > shouldn't be used in anger, that it isn't secure or that only certain protocols are > correctly implemented. ... > I am using aes-256-cbc to encrypt streamed data (a backup). You haven't explained your threat model. If you're encrypting your diary so your kid sister can't read about your crush at school, then sure, use the openssl utility with aes-256-cbc. If the data you're encrypting falls under a regulatory regime with potential stiff legal consequences, like HIPPA or GDPR, then this is a Bad Idea. Here's the thing: Forget, for a moment, the question of whether you should script crypto using the openssl utility. The real issue, to my mind, is that cryptographic systems assembled by non-cryptographers are very often - probably almost often - fatally flawed. And AES is not a cryptosystem; it's a primitive. All the openssl utility is giving you there is a cipher, key length, and combining mode. Some potential problems that are obvious right off the bat: - No integrity protection over the data. You've run into the Moxie Marlinspike Cryptographic Doom Principle right off the bat. - CBC has problems. *All* the block cipher combining modes have problems. Stream ciphers have problems. How are you avoiding those problems? (Note that experienced people make implementation mistakes in this area.) - What are you doing about padding? Do you have predictable plaintext near the beginning? When do you re-key? - How do you generate and manage your keys? Are you practicing good key hygiene? - Data recovery from an encrypted backup is tough. With CBC, one bit goes astray and you've lost everything after that. (Well, you can brute-force a single-bit error, but it's going to be a tiresome exercise unless you automate it. Multi-bit errors will obviously be worse, and combinatorial explosion will bite you quickly.) ECC after encryption would be a good idea here, perhaps with an erasure code. Maybe you're storing to a suitable RAID mode or something; you haven't told us. I can't really suggest alternatives, partly because this isn't an area I pay a lot of attention to, but mostly because you haven't explained your use case. "Data backup" doesn't mean much unless we have some idea of how much data, how often, what sort of data, what it's being backed up to, how sensitive it is, and so forth. Sorry if this sounds overly negative, but in my opinion your question is severely underdetermined, and it sounds like you're potentially open to some rather serious failures. That may not be a concern - again, I don't know what your use case or threat model is. -- Michael Wojcik Distinguished Engineer, Micro Focus From openssl-users at dukhovni.org Thu Oct 11 03:12:17 2018 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 10 Oct 2018 23:12:17 -0400 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: Message-ID: <20181011031216.GA3589@straasha.imrryr.org> On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: > - Data recovery from an encrypted backup is tough. With CBC, one bit goes > astray and you've lost everything after that. No, a 1 bit error in CBC ciphertext breaks only the current block, and introduces a 1 bit error into the plaintext of the next block. After that, you're back in sync. But yes, indeed "openssl enc" offers little integrity protection. One should probably break the data into chunks and encrypt and MAC each chunk with the MAC covering the chunk sequence number, and whether it is the last chunk. -- Viktor. From paul at kinetic.com.au Thu Oct 11 04:44:56 2018 From: paul at kinetic.com.au (Paul Chubb) Date: Thu, 11 Oct 2018 15:44:56 +1100 Subject: [openssl-users] openssl commandline client use In-Reply-To: <20181011031216.GA3589@straasha.imrryr.org> References: <20181011031216.GA3589@straasha.imrryr.org> Message-ID: Hi thanks for the responses. I try not to do crypto for the very reasons you raise - i simply don't know enough and your (good) pointed questions have demonstrated that. Context: We are trying for GDPR and other privacy law compliance. We probably need to meet GDPR, US requirements, Australian requirements, Japanese requirements and UK requirements. The data is not hugely critical. It contains names and exercise metrics. It doesn't contain credit card details or anything above the level of names. I don't think it contains addresses but probably does contain names of recognizable organisations which could provide a tuple for identification purposes if the data was compromised. A mysqldump of the db in production at present is around 170Gb however that is text based and we are using a binary solution based on percola xtrabackup so the final size should be smaller for the current time. The documentation on this by the backup software provider is very simplistic and simply pipes the stream of data through openssl and then gzip: mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc -aes-256-cbc -k mypass > backup.xb.gz.enc There are thousands of posts that do similar and in non-crypto circles it is the accepted way of doing things. That was my starting point. I am not using a password but generating keys. The symetric key is generated by "openssl rand -hex 32" which I have read is suitable. The Nonce or IV is generated by "openssl rand -hex 16". These values are used once and then kept for decryption of that file. They in turn are encrypted before storing - see below. The two keys are held in ram while the backup occurs. They are applied to openssl using the -K and -iv switches. They are then written out to disk. encrypted with a list of public RSA keys and the original deleted from disk. I then package it all up and delete the intervening encrypted files leaving me with an archive with the encrypted backup and several copies of the nonce and key each encrypted by different people's public keys. The backup regime has not been decided as yet. I expect it will be something like a full backup per week and then either incrementals or differentials on the other days. I expect that the fulls will be kept for 30 days and the deltas for 14days. The database backups will sit on a secured server disk which in turn will be backed up by the hosting provider with whatever process and rotation they use. I would expect that headers in the backup stream would be predictable, whether they provide a good enough attack surface I don't know. In addition the clients of course know their data that may also provide an attack surface. Finally I have included an encrypted file with a known plain text phrase. Based on your comments, this will probably not get into production but provides an easy way for testing and debugging to check that things are encrypted or not. The kind of statements that prompted my question was: https://security.stackexchange.com/questions/182277/is-openssl-aes-256-cbc-encryption-safe-for-offsite-backup whose comments suggest that openssl should never be used for production purposes.Their suggestion was GnuPG which isn't suitable for this purpose because it does password/key management that assumes a desktop/laptop environment and manual process. I also looked at ccrypt and mcrypt but then went back to openssl. Cheers Paul On Thu, Oct 11, 2018 at 2:12 PM Viktor Dukhovni wrote: > On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: > > > - Data recovery from an encrypted backup is tough. With CBC, one bit goes > > astray and you've lost everything after that. > > No, a 1 bit error in CBC ciphertext breaks only the current block, > and introduces a 1 bit error into the plaintext of the next block. > After that, you're back in sync. > > But yes, indeed "openssl enc" offers little integrity protection. > One should probably break the data into chunks and encrypt and MAC > each chunk with the MAC covering the chunk sequence number, and > whether it is the last chunk. > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From blaufish.public.email at gmail.com Thu Oct 11 08:47:34 2018 From: blaufish.public.email at gmail.com (Peter Magnusson) Date: Thu, 11 Oct 2018 10:47:34 +0200 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: <20181011031216.GA3589@straasha.imrryr.org> Message-ID: You would be better off with AES-CCM or such for your backup, that gives you the integrity check. i.e. you would be reasonably sure what you decrypt is encrypted with your key. So the fist question would be why even consider AES-CBC? Somewhere in the decision process you ought to go "Is the major goal to support very strange extremely limited legacy embedded environment where library developers claims CBC is the only option?" and if no: don't consider CBC. Since you are using OpenSSL, you clearly does not have any problem that would give you a compelling reason to use CBC. Using CBC in anything new design does not make much sense. - CBC is weak against oracle attacks (online interactions with a decryption oracle) - CBC has no protection against modifications. If decryption succeeds, you don't know if the resulting plaintext originated from However - Your use-case as explained ( openssl enc -aes-256-cbc -k mypass > backup.xb.gz.enc ) might not be a use-case where the AES-CBC vulnerabilities are most dangerous though, if the decryption process is a slow manual process. E.g. Padding oracle attacks against CBC requires on average 128 decryption to crack one byte, and need an online oracle (such as e.g. a backup decryption/restore service) to be executed. With a human entering the decryption key manually for each attempt, you'd expect the human to get suspicious with thousands of decryption requests. But as soon as you want to automate restore functions and remove the human, you might enable oracle style attacks. On Thu, Oct 11, 2018 at 6:45 AM Paul Chubb wrote: > > Hi thanks for the responses. I try not to do crypto for the very reasons you raise - i simply don't know enough and your (good) pointed questions have demonstrated that. > > Context: > > We are trying for GDPR and other privacy law compliance. We probably need to meet GDPR, US requirements, Australian requirements, Japanese requirements and UK requirements. The data is not hugely critical. It contains names and exercise metrics. It doesn't contain credit card details or anything above the level of names. I don't think it contains addresses but probably does contain names of recognizable organisations which could provide a tuple for identification purposes if the data was compromised. > > A mysqldump of the db in production at present is around 170Gb however that is text based and we are using a binary solution based on percola xtrabackup so the final size should be smaller for the current time. The documentation on this by the backup software provider is very simplistic and simply pipes the stream of data through openssl and then gzip: > > mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc -aes-256-cbc -k mypass > backup.xb.gz.enc > > There are thousands of posts that do similar and in non-crypto circles it is the accepted way of doing things. That was my starting point. > > I am not using a password but generating keys. The symetric key is generated by "openssl rand -hex 32" which I have read is suitable. The Nonce or IV is generated by "openssl rand -hex 16". These values are used once and then kept for decryption of that file. They in turn are encrypted before storing - see below. > > The two keys are held in ram while the backup occurs. They are applied to openssl using the -K and -iv switches. They are then written out to disk. encrypted with a list of public RSA keys and the original deleted from disk. I then package it all up and delete the intervening encrypted files leaving me with an archive with the encrypted backup and several copies of the nonce and key each encrypted by different people's public keys. > > The backup regime has not been decided as yet. I expect it will be something like a full backup per week and then either incrementals or differentials on the other days. I expect that the fulls will be kept for 30 days and the deltas for 14days. The database backups will sit on a secured server disk which in turn will be backed up by the hosting provider with whatever process and rotation they use. > > I would expect that headers in the backup stream would be predictable, whether they provide a good enough attack surface I don't know. In addition the clients of course know their data that may also provide an attack surface. Finally I have included an encrypted file with a known plain text phrase. Based on your comments, this will probably not get into production but provides an easy way for testing and debugging to check that things are encrypted or not. > > The kind of statements that prompted my question was: https://security.stackexchange.com/questions/182277/is-openssl-aes-256-cbc-encryption-safe-for-offsite-backup whose comments suggest that openssl should never be used for production purposes.Their suggestion was GnuPG which isn't suitable for this purpose because it does password/key management that assumes a desktop/laptop environment and manual process. I also looked at ccrypt and mcrypt but then went back to openssl. > > Cheers Paul > > > > > > > On Thu, Oct 11, 2018 at 2:12 PM Viktor Dukhovni wrote: >> >> On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: >> >> > - Data recovery from an encrypted backup is tough. With CBC, one bit goes >> > astray and you've lost everything after that. >> >> No, a 1 bit error in CBC ciphertext breaks only the current block, >> and introduces a 1 bit error into the plaintext of the next block. >> After that, you're back in sync. >> >> But yes, indeed "openssl enc" offers little integrity protection. >> One should probably break the data into chunks and encrypt and MAC >> each chunk with the MAC covering the chunk sequence number, and >> whether it is the last chunk. >> >> -- >> Viktor. >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From matt at openssl.org Thu Oct 11 09:03:39 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 11 Oct 2018 10:03:39 +0100 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: <20181011031216.GA3589@straasha.imrryr.org> Message-ID: On 11/10/18 09:47, Peter Magnusson wrote: > You would be better off with AES-CCM or such for your backup, that > gives you the integrity check. > i.e. you would be reasonably sure what you decrypt is encrypted with your key. I'd just point out that CCM and other AEAD modes are not supported in the openssl enc app. Matt > > So the fist question would be why even consider AES-CBC? Somewhere in > the decision process you ought to go "Is the major goal to support > very strange extremely limited legacy embedded environment where > library developers claims CBC is the only option?" and if no: don't > consider CBC. Since you are using OpenSSL, you clearly does not have > any problem that would give you a compelling reason to use CBC. > > Using CBC in anything new design does not make much sense. > - CBC is weak against oracle attacks (online interactions with a > decryption oracle) > - CBC has no protection against modifications. If decryption succeeds, > you don't know if the resulting plaintext originated from > > However - Your use-case as explained ( openssl enc -aes-256-cbc -k > mypass > backup.xb.gz.enc ) might not be a use-case where the AES-CBC > vulnerabilities are most dangerous though, if the decryption process > is a slow manual process. E.g. Padding oracle attacks against CBC > requires on average 128 decryption to crack one byte, and need an > online oracle (such as e.g. a backup decryption/restore service) to be > executed. With a human entering the decryption key manually for each > attempt, you'd expect the human to get suspicious with thousands of > decryption requests. But as soon as you want to automate restore > functions and remove the human, you might enable oracle style attacks. > > On Thu, Oct 11, 2018 at 6:45 AM Paul Chubb wrote: >> >> Hi thanks for the responses. I try not to do crypto for the very reasons you raise - i simply don't know enough and your (good) pointed questions have demonstrated that. >> >> Context: >> >> We are trying for GDPR and other privacy law compliance. We probably need to meet GDPR, US requirements, Australian requirements, Japanese requirements and UK requirements. The data is not hugely critical. It contains names and exercise metrics. It doesn't contain credit card details or anything above the level of names. I don't think it contains addresses but probably does contain names of recognizable organisations which could provide a tuple for identification purposes if the data was compromised. >> >> A mysqldump of the db in production at present is around 170Gb however that is text based and we are using a binary solution based on percola xtrabackup so the final size should be smaller for the current time. The documentation on this by the backup software provider is very simplistic and simply pipes the stream of data through openssl and then gzip: >> >> mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc -aes-256-cbc -k mypass > backup.xb.gz.enc >> >> There are thousands of posts that do similar and in non-crypto circles it is the accepted way of doing things. That was my starting point. >> >> I am not using a password but generating keys. The symetric key is generated by "openssl rand -hex 32" which I have read is suitable. The Nonce or IV is generated by "openssl rand -hex 16". These values are used once and then kept for decryption of that file. They in turn are encrypted before storing - see below. >> >> The two keys are held in ram while the backup occurs. They are applied to openssl using the -K and -iv switches. They are then written out to disk. encrypted with a list of public RSA keys and the original deleted from disk. I then package it all up and delete the intervening encrypted files leaving me with an archive with the encrypted backup and several copies of the nonce and key each encrypted by different people's public keys. >> >> The backup regime has not been decided as yet. I expect it will be something like a full backup per week and then either incrementals or differentials on the other days. I expect that the fulls will be kept for 30 days and the deltas for 14days. The database backups will sit on a secured server disk which in turn will be backed up by the hosting provider with whatever process and rotation they use. >> >> I would expect that headers in the backup stream would be predictable, whether they provide a good enough attack surface I don't know. In addition the clients of course know their data that may also provide an attack surface. Finally I have included an encrypted file with a known plain text phrase. Based on your comments, this will probably not get into production but provides an easy way for testing and debugging to check that things are encrypted or not. >> >> The kind of statements that prompted my question was: https://security.stackexchange.com/questions/182277/is-openssl-aes-256-cbc-encryption-safe-for-offsite-backup whose comments suggest that openssl should never be used for production purposes.Their suggestion was GnuPG which isn't suitable for this purpose because it does password/key management that assumes a desktop/laptop environment and manual process. I also looked at ccrypt and mcrypt but then went back to openssl. >> >> Cheers Paul >> >> >> >> >> >> >> On Thu, Oct 11, 2018 at 2:12 PM Viktor Dukhovni wrote: >>> >>> On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: >>> >>>> - Data recovery from an encrypted backup is tough. With CBC, one bit goes >>>> astray and you've lost everything after that. >>> >>> No, a 1 bit error in CBC ciphertext breaks only the current block, >>> and introduces a 1 bit error into the plaintext of the next block. >>> After that, you're back in sync. >>> >>> But yes, indeed "openssl enc" offers little integrity protection. >>> One should probably break the data into chunks and encrypt and MAC >>> each chunk with the MAC covering the chunk sequence number, and >>> whether it is the last chunk. >>> >>> -- >>> Viktor. >>> -- >>> openssl-users mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users From matt at openssl.org Thu Oct 11 09:25:22 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 11 Oct 2018 10:25:22 +0100 Subject: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1 In-Reply-To: References: Message-ID: On 10/10/18 23:04, Dave Wang wrote: > Hi there, > > I have a client can talk with server, where the client certificate is > loaded in?client_cert_cb? based on matching the server side certificate. > > it works perfectly in openssl 1.1.0h, however it stops working after I > upgrade to openssl 1.1.1. > > In client_cert_cb , when I call?SSL_get_peer_certificate, it returns > NULL, which is different from openssl 1.1.0h. > > I do set SSL_VERIFY_PEER on both sides.? > > > any thoughts on this? I assume this only happens with a TLSv1.3 handshake? >From the documentation, the client_cert_cb is called: "when a client certificate is requested by a server". In practice this means when we have received the CertificateRequest message from the server. In TLSv1.2 (and below) the server's first flight of messages for a client-auth full handshake in response to a ClientHello looks like this: ServerHello Certificate ServerKeyExchange CertificateRequest ServerHelloDone In TLSv1.3 it looks like this: ServerHello EncryptedExtensions CertificateRequest Certificate CertificateVerify Finished Note that in TLSv1.2 the CertificateRequest message comes *after* the server has sent the Certificate but in TLSv1.3 it comes *before*. That means of course that in TLSv1.3 the client_cert_cb gets called before we have processed the server's certificate and hence SSL_get_peer_certificate() returns NULL. I'm wondering whether we should delay calling the client_cert_cb in TLSv1.3 until after the CertificateVerify has been processed. Matt From matt at openssl.org Thu Oct 11 09:36:28 2018 From: matt at openssl.org (Matt Caswell) Date: Thu, 11 Oct 2018 10:36:28 +0100 Subject: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1 In-Reply-To: References:

Message-ID: <9eb95cdb-72c2-235d-f75a-f9c51982f14b@openssl.org> I opened this issue to track this problem: https://github.com/openssl/openssl/issues/7384 Matt On 11/10/18 10:25, Matt Caswell wrote: > > > On 10/10/18 23:04, Dave Wang wrote: >> Hi there, >> >> I have a client can talk with server, where the client certificate is >> loaded in?client_cert_cb? based on matching the server side certificate. >> >> it works perfectly in openssl 1.1.0h, however it stops working after I >> upgrade to openssl 1.1.1. >> >> In client_cert_cb , when I call?SSL_get_peer_certificate, it returns >> NULL, which is different from openssl 1.1.0h. >> >> I do set SSL_VERIFY_PEER on both sides.? >> >> >> any thoughts on this? > > I assume this only happens with a TLSv1.3 handshake? > > From the documentation, the client_cert_cb is called: "when a client > certificate is requested by a server". In practice this means when we > have received the CertificateRequest message from the server. > > In TLSv1.2 (and below) the server's first flight of messages for a > client-auth full handshake in response to a ClientHello looks like this: > > ServerHello > Certificate > ServerKeyExchange > CertificateRequest > ServerHelloDone > > In TLSv1.3 it looks like this: > > ServerHello > EncryptedExtensions > CertificateRequest > Certificate > CertificateVerify > Finished > > Note that in TLSv1.2 the CertificateRequest message comes *after* the > server has sent the Certificate but in TLSv1.3 it comes *before*. That > means of course that in TLSv1.3 the client_cert_cb gets called before we > have processed the server's certificate and hence > SSL_get_peer_certificate() returns NULL. > > I'm wondering whether we should delay calling the client_cert_cb in > TLSv1.3 until after the CertificateVerify has been processed. > > Matt > From uri at ll.mit.edu Thu Oct 11 10:15:24 2018 From: uri at ll.mit.edu (Uri Blumenthal) Date: Thu, 11 Oct 2018 06:15:24 -0400 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: <20181011031216.GA3589@straasha.imrryr.org>

Message-ID: On Oct 11, 2018, at 05:03, Matt Caswell wrote: > On 11/10/18 09:47, Peter Magnusson wrote: >> You would be better off with AES-CCM or such for your backup, that >> gives you the integrity check. >> i.e. you would be reasonably sure what you decrypt is encrypted with your key. > > I'd just point out that CCM and other AEAD modes are not supported in > the openssl enc app. Yes, and many of us are eagerly waiting for this deficiency to be remedied! ;-) >> Using CBC in anything new design does not make much sense. This depends on the use case and the threat model. >> - CBC is weak against oracle attacks (online interactions with a >> decryption oracle) Assuming decryption oracle is applicable in the given use case. Not everything is online, and not everything is a web service. ;-) >> - CBC has no protection against modifications. If decryption succeeds, >> you don't know if the resulting plaintext originated from Which is why non-AE modes should be accompanied by MAC?ing the ciphertext. (Moxie Marlinspike?s principle ;) On the other hand, AEAD modes tend to fail catastrophically if key+nonce is reused. Unlike, e.g., CBC, which merely reveals that two cipher texts came from the same plaintext (?pick your poison"). Again, depends on the use case and the threat model. From Michael.Wojcik at microfocus.com Thu Oct 11 12:42:30 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Thu, 11 Oct 2018 12:42:30 +0000 Subject: [openssl-users] openssl commandline client use In-Reply-To: <20181011031216.GA3589@straasha.imrryr.org> References: <20181011031216.GA3589@straasha.imrryr.org> Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Wednesday, October 10, 2018 23:12 > > On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: > > > - Data recovery from an encrypted backup is tough. With CBC, one bit goes > > astray and you've lost everything after that. > > No, a 1 bit error in CBC ciphertext breaks only the current block, > and introduces a 1 bit error into the plaintext of the next block. > After that, you're back in sync. Right, right. Emailing at bedtime again... Still, this is trouble enough. > But yes, indeed "openssl enc" offers little integrity protection. > One should probably break the data into chunks and encrypt and MAC > each chunk with the MAC covering the chunk sequence number, and > whether it is the last chunk. Clearly an improvement (and better than a single MAC over the entire message, for reasons we've discussed in the past on this list). But we're back to designing and implementing a cryptosystem, and that's fraught with dangers for non-experts (and for experts too, if we're honest). -- Michael Wojcik Distinguished Engineer, Micro Focus From Michael.Wojcik at microfocus.com Thu Oct 11 12:42:31 2018 From: Michael.Wojcik at microfocus.com (Michael Wojcik) Date: Thu, 11 Oct 2018 12:42:31 +0000 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: <20181011031216.GA3589@straasha.imrryr.org>

Message-ID: > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf > Of Matt Caswell > Sent: Thursday, October 11, 2018 05:04 > > > On 11/10/18 09:47, Peter Magnusson wrote: > > You would be better off with AES-CCM or such for your backup, that > > gives you the integrity check. > > i.e. you would be reasonably sure what you decrypt is encrypted with your > key. > > I'd just point out that CCM and other AEAD modes are not supported in > the openssl enc app. And even if they were, the AEAD modes are fragile (vulnerable to misuse). GCM of course is completely vulnerable to nonce reuse, which is why some people (e.g. Bernstein) disavow it completely. CCM is similarly vulnerable to key+counter reuse, so RFC 4309, for example, requires fresh keys for each encryption. That was the main point of my original message: roll-your-own cryptosystems are a Bad Idea. I think providing advice like "use an AEAD mode" is bad, because it implies that crypto non-experts can safely create cryptosystems that avoid well-known pitfalls. History suggests otherwise. -- Michael Wojcik Distinguished Engineer, Micro Focus From rsalz at akamai.com Thu Oct 11 14:50:24 2018 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 11 Oct 2018 14:50:24 +0000 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: Message-ID: <293F3555-8937-495E-B0C4-4EDC46F55468@akamai.com> As with essentially all open source software, there is no warranty with OpenSSL. Having said that, people use the OpenSSL applications for all sorts of things, including what you are doing. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mythjill at gmail.com Thu Oct 11 17:06:35 2018 From: mythjill at gmail.com (Dave Wang) Date: Thu, 11 Oct 2018 10:06:35 -0700 Subject: [openssl-users] SSL_get_peer_certificate returns NULL in client_cert_cb after upgrade to openssl 1.1.1 In-Reply-To: <9eb95cdb-72c2-235d-f75a-f9c51982f14b@openssl.org> References:

<9eb95cdb-72c2-235d-f75a-f9c51982f14b@openssl.org> Message-ID: Hi Matt, this make sense. As if I disable TLS1.3, the issue is gone. Thanks for your help. Regards, Dave On Thu, Oct 11, 2018 at 2:36 AM Matt Caswell wrote: > I opened this issue to track this problem: > > https://github.com/openssl/openssl/issues/7384 > > Matt > > > On 11/10/18 10:25, Matt Caswell wrote: > > > > > > On 10/10/18 23:04, Dave Wang wrote: > >> Hi there, > >> > >> I have a client can talk with server, where the client certificate is > >> loaded in client_cert_cb based on matching the server side certificate. > >> > >> it works perfectly in openssl 1.1.0h, however it stops working after I > >> upgrade to openssl 1.1.1. > >> > >> In client_cert_cb , when I call SSL_get_peer_certificate, it returns > >> NULL, which is different from openssl 1.1.0h. > >> > >> I do set SSL_VERIFY_PEER on both sides. > >> > >> > >> any thoughts on this? > > > > I assume this only happens with a TLSv1.3 handshake? > > > > From the documentation, the client_cert_cb is called: "when a client > > certificate is requested by a server". In practice this means when we > > have received the CertificateRequest message from the server. > > > > In TLSv1.2 (and below) the server's first flight of messages for a > > client-auth full handshake in response to a ClientHello looks like this: > > > > ServerHello > > Certificate > > ServerKeyExchange > > CertificateRequest > > ServerHelloDone > > > > In TLSv1.3 it looks like this: > > > > ServerHello > > EncryptedExtensions > > CertificateRequest > > Certificate > > CertificateVerify > > Finished > > > > Note that in TLSv1.2 the CertificateRequest message comes *after* the > > server has sent the Certificate but in TLSv1.3 it comes *before*. That > > means of course that in TLSv1.3 the client_cert_cb gets called before we > > have processed the server's certificate and hence > > SSL_get_peer_certificate() returns NULL. > > > > I'm wondering whether we should delay calling the client_cert_cb in > > TLSv1.3 until after the CertificateVerify has been processed. > > > > Matt > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From dheinz at softwarekey.com Thu Oct 11 20:56:30 2018 From: dheinz at softwarekey.com (Dan Heinz) Date: Thu, 11 Oct 2018 20:56:30 +0000 Subject: [openssl-users] Manual Shutdown of OpenSSL 1.1.x library In-Reply-To: References: Message-ID: Is there currently a way to manually shutdown the OpenSSL library? We have a DLL that statically links OpenSSL. Our DLL gets loaded and unloaded multiple times by a process (not our process), and we need to release OpenSSL each time. This was not possible with OpenSSL 1.1 as of September 2017 as the process's atexit is where it gets released which will not be called after a FreeLibrary() call on our DLL. Has this been revisited? If there now a way to manually release OpenSSL, or are there any plans to add this ability? Here is a link to our original post and discussion from January 2017: https://www.mail-archive.com/openssl-users at openssl.org/msg80781.html >From the previous post, something like this would address the issue: "I'm wondering whether an option to override the default behavior might be possible, e.g. an explicit call to OPENSSL_init_crypto() with something like an OPENSSL_INIT_NO_ATEXIT_CLEANUP option. The application would then have to call OPENSSL_cleanup() explicitly." -------------- next part -------------- An HTML attachment was scrubbed... URL: From doctor at doctor.nl2k.ab.ca Thu Oct 11 22:51:03 2018 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Thu, 11 Oct 2018 16:51:03 -0600 Subject: [openssl-users] Openssl 1.1. compliant apps Message-ID: <20181011225103.GA70699@doctor.nl2k.ab.ca> Looks like bind9 Exim Inn apache POstgresql and openssh > 7.8 Are all compliant. What about Dovecot php ? MySQL / Mariadb / Percona are not yet. Any full lists? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism Love much. Earth has enough of bitter in it. -Ella Wheeler Wilcox From dclarke at blastwave.org Fri Oct 12 01:19:52 2018 From: dclarke at blastwave.org (Dennis Clarke) Date: Thu, 11 Oct 2018 21:19:52 -0400 Subject: [openssl-users] Openssl 1.1. compliant apps In-Reply-To: <20181011225103.GA70699@doctor.nl2k.ab.ca> References: <20181011225103.GA70699@doctor.nl2k.ab.ca> Message-ID: On 10/11/2018 06:51 PM, The Doctor wrote: > Looks like > > apache > There is still considerable discussion in the httpd mailists on the topic. Don't be so certain. Dennis From jb-openssl at wisemo.com Fri Oct 12 02:31:43 2018 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Fri, 12 Oct 2018 04:31:43 +0200 Subject: [openssl-users] openssl commandline client use In-Reply-To: References: <20181011031216.GA3589@straasha.imrryr.org> Message-ID: <07d605e3-11c0-09d6-acdd-20187a42a7f0@wisemo.com> On 11/10/2018 06:44, Paul Chubb wrote: > Hi thanks for the responses. I try not to do crypto for the very > reasons you raise - i simply don't know enough and your (good) pointed > questions have demonstrated that. > > ?Context: > > We are trying for GDPR and other privacy law compliance. We probably > need to meet GDPR, US requirements, Australian requirements, Japanese > requirements and UK requirements. The data is not hugely critical. It > contains names and exercise metrics. It doesn't contain credit card > details or anything above the level of names. I don't think it > contains addresses but probably does contain names of recognizable > organisations which could provide a tuple for identification purposes > if the data was compromised. > > A mysqldump of the db in production at present is around 170Gb however > that is text based and we are using a binary solution based on percola > xtrabackup so the final size should be smaller for the current time. > The documentation on this by the backup software provider is very > simplistic and simply pipes the stream of data through openssl and > then gzip: > > mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc -aes-256-cbc -k mypass > backup.xb.gz.enc > There are thousands of posts that do similar and in non-crypto circles > it is the accepted way of doing things. That was my starting point. > > I am? not using a password but generating keys. The symetric key is > generated by "openssl rand -hex 32" which I have read is suitable. The > Nonce or IV is generated? by "openssl rand -hex 16". These values are > used once and then kept for decryption of that file. They in turn are > encrypted before storing - see below. > > The two keys are held in ram while the backup occurs. They are applied > to openssl using the -K and -iv switches. They are then written out to > disk. encrypted with a list of public RSA keys and the original > deleted from disk. I then package it all up and delete the intervening > encrypted files leaving me with an archive with the encrypted backup > and several copies of the nonce and key each encrypted by different > people's public keys. > > The backup regime has not been decided as yet. I expect it will be > something like a full backup per week and then either incrementals or > differentials on the other days. I expect that the fulls will be kept > for 30 days and the deltas for 14days. The database backups will sit > on a secured server disk which in turn will be backed up by the > hosting provider with whatever process and rotation they use. > > I would expect that headers in the backup stream would be predictable, > whether they provide a good enough attack surface I don't know. In > addition the clients of course know their data that may also provide > an attack surface. Finally I have included an encrypted file with a > known plain text phrase. Based on your comments, this will probably > not get into production but provides an easy way for testing and > debugging to check that things are encrypted or not. > > The kind of statements that prompted my question was: > https://security.stackexchange.com/questions/182277/is-openssl-aes-256-cbc-encryption-safe-for-offsite-backup > whose comments suggest that openssl should never be used for > production purposes.Their suggestion was GnuPG which isn't suitable > for this purpose because it does password/key management that assumes > a desktop/laptop environment and manual process. I also looked at > ccrypt and mcrypt but then went back to openssl. > > Cheers Paul > > > > > > > On Thu, Oct 11, 2018 at 2:12 PM Viktor Dukhovni > > wrote: > > On Thu, Oct 11, 2018 at 01:23:41AM +0000, Michael Wojcik wrote: > > > - Data recovery from an encrypted backup is tough. With CBC, one > bit goes > > astray and you've lost everything after that. > > No, a 1 bit error in CBC ciphertext breaks only the current block, > and introduces a 1 bit error into the plaintext of the next block. > After that, you're back in sync. > > But yes, indeed "openssl enc" offers little integrity protection. > One should probably break the data into chunks and encrypt and MAC > each chunk with the MAC covering the chunk sequence number, and > whether it is the last chunk. > I have not tested it with your huge data sizes, but I have had a lot of success with the following pipeline which avoids a number of security pitfalls by using higher levelOpenSSL commandline features: BackupCmd | \ ? openssl smime -sign -binary -nodetach -signer SomeDir/mycert.pem \ ??? -inkey SomeDir/mycert.key -outform DER | \ ? gzip -n -9 | \ ? openssl smime -encrypt -binary -out backup.enc -outform DER -aes256 \ SomeDir/restorecert.pem Where mycert.pem is a certificate issued to the system being backed up by an internal company CA (also used for intranet https servers) and restorecert.pem is another such certificate where the private key is available only to restore procedures. A feature of this pipeline is that backups can be reencrypted with a different key / mechanism without ruining the integrity signature, and can also be recompressed with a better compression algorithm in the same way. Another feature is that the server being backed up does not need to know the decryption key (restorecert.key), while the server doing restores or backup verifications does not need to know the integrity signing key (mycert.key). Dealing with the risk of not being able to decrypt a corrupted backup is handled by having more than one backup, just like the risk of completely loosing a backup (fire, flood, ...). Special note: Because the openssl smime (and openssl cms) signature verify commands do not have an option to verify signatures as of some past date (such as the date a backup was made) my restore scripts have to run openssl under the "faketime" utility to make openssl think it is being run on the day the backup was made. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From matt at openssl.org Fri Oct 12 07:45:10 2018 From: matt at openssl.org (Matt Caswell) Date: Fri, 12 Oct 2018 08:45:10 +0100 Subject: [openssl-users] Manual Shutdown of OpenSSL 1.1.x library In-Reply-To: