[openssl-users] Reg issue in alert message

ramakrushna mishra rama.krushna7 at gmail.com
Wed Oct 24 12:25:55 UTC 2018 

Hi All,

Thank you for all for providing the information.
I suspect we are using " SSL_MODE_SEND_FALLBACK_SCSV  " and that might be
causing the issue.  The team is looking into this issue now with the
provided information.

 One doubt that came during  our investigation is :
" If client has highest version of TLS1.3 and server has support for TLS1.2
and SLV3 only.   How the handshake will  proceed ? "
I am not sure if this question should go to a new thread ?

Thanks and Regards,
Ram Krushna

On Wed, Oct 24, 2018 at 11:47 AM <openssl-users-request at openssl.org> wrote:

> Send openssl-users mailing list submissions to
>         openssl-users at openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://mta.openssl.org/mailman/listinfo/openssl-users
> or, via email, send a message with subject or body 'help' to
>         openssl-users-request at openssl.org
>
> You can reach the person managing the list at
>         openssl-users-owner at openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
>    1. Re: CAPI-Engine doc (Selva Nair)
>    2. Re: CAPI-Engine doc (Michael Wojcik)
>    3. Re: Reg issue in alert message (Michael Wojcik)
>    4. Re: CAPI-Engine doc (Jakob Bohm)
>    5. Re: Openssl Build Error- module unsafe for SAFESEH
>       image/Unable to generate SAFESEH image (sakdev)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 23 Oct 2018 11:22:04 -0400
> From: Selva Nair <selva.nair at gmail.com>
> To: richard.oehlinger at adbsafegate.com, openssl-users at openssl.org
> Subject: Re: [openssl-users] CAPI-Engine doc
> Message-ID:
>         <CAKuzo_iqEBP-QG19Hsg5dFVoUG+2q-5O=
> vfg_NTzAJsQj+D3Jw at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> <openssl-users at openssl.org> wrote:
> >
> > Hi!
> >
> > I'm trying to get a handle on the CAPI engine, because I need to have a
> > secure Keystore on Windows. Furthermore I need it to work with Qt's
> > QSslKey, which fortunately can be constructed by EVP_PKEY *.
> >
> > So far so good. The key is found, but when I try to use it in a SSL
> > connection i get following error:
> >
> > error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
> > error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
>
> Which version of OpenSSL?
>
> > Trace Output is:
> >
> > Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
> > Opening certificate store MY
> > capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
> > provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
> > Called CAPI_rsa_sign()
>
> This CSP cannot do SHA2 hashes so won't work unless you restrict
> signature algorithms or set TLS version to 1.1. I believe OpenSSL
> 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
> can handle SHA2 and may work. I say "may" because, if the key store is
> a legacy hardware token, it also depends on signature algorithms supported
> by the token and may be necessary to downgrade to TLS 1.1.
>
> Selva
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 23 Oct 2018 15:37:24 +0000
> From: Michael Wojcik <Michael.Wojcik at microfocus.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: Re: [openssl-users] CAPI-Engine doc
> Message-ID:
>         <
> DM5PR18MB1324455050CC00BD3A2DD70FF9F50 at DM5PR18MB1324.namprd18.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="Windows-1252"
>
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > Of Richard Oehlinger via openssl-users
> > Sent: Tuesday, October 23, 2018 10:38
> >
> > I'm trying to get a handle on the CAPI engine, because I need to have a
> > secure Keystore on Windows. Furthermore I need it to work with Qt's
> > QSslKey, which fortunately can be constructed by EVP_PKEY *.
>
> What OpenSSL version are you using? Please remember to include this
> informtion in every question. (And, normally, we'd ask for the platform as
> well, but since CAPI is Windows-specific, we know that in this case.)
>
> > So far so good. The key is found, but when I try to use it in a SSL
> > connection i get following error:
> >
> > error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
> > error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> >
> > I use a current Windows 10. Do I need to use a different Algorithm in
> > order to work? Some googeling is indicating the provider might be wrong.
>
> I haven't looked at the CAPI engine code since 1.0.1j. At that time, I
> needed CAPI support and discovered there were various issues with the
> extant CAPI code, so I forked and rewrote it. That was some time back,
> obviously, and I'm afraid I never got around to pushing the changes back to
> openssl.org. (In fact, it was sufficiently long ago that I believe the
> organization was still reluctant to take contributions from people in the
> US at the time.)
>
> The biggest issue was with provider handling. CAPI is something of a
> braindead API in many ways - Microsoft's replacement, CNG, is somewhat
> better - and the provider stuff is one of them. When a key (including a
> "key" which is actually just a reference to a key contained in an HSM) is
> imported into one of the Windows key stores, it has to be associated with a
> provider, and that provider has to accommodate that type and size of key;
> otherwise the key is unusable. Then, when you try to use the key in CAPI,
> you have to specify the same provider - CAPI isn't smart enough to figure
> it out on its own.
>
> So my version of the CAPI engine has code to look up the key's provider
> and silently correct the provider type information in the engine's context
> structure if it's a mismatch.
>
> Beyond that, it appears that my changes included:
>
> - Support for building all the necessary functionality when using
> Microsoft Windows SDK 6.0A, which was one of my requirements at the time.
>
> - Supporting hashes other than SHA-1 for DSA. We have US Federal customers
> who needed fairly comprehensive DSA support. For most people this is likely
> a non-issue.
>
> - Forcing stack probes on for the callback functions, because my engine
> was being built outside the OpenSSL build process, but needed to match the
> calling convention of OpenSSL, which (at least in 1.0.1j) included
> stack-probe support.
>
> - A fix suggested by Steven Henson years ago on the mailing list to
> capi_get_key, but never (at least by 1.0.1j) picked up in the source code:
> If CryptGetUserKey returns NTE_NO_KEY, xor keyspec with 3 to flip the key
> type and try CryptGetUesrKey again.
>
> I think that's it, though it's possible I tweaked some other things and
> didn't call them out in the comments.
>
> I suppose I should check what the CAPI engine source looks like in 1.1.1,
> merge my changes in if feasible, and submit a PR. One of these days...
>
> Really, though, what we need is a new engine written to use CNG rather
> than CAPI. Though that would have the disadvantage of not supporting
> ancient Windows OS and SDK versions which, while unsupported by Microsoft,
> are still used in far too many places.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 23 Oct 2018 15:37:25 +0000
> From: Michael Wojcik <Michael.Wojcik at microfocus.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: Re: [openssl-users] Reg issue in alert message
> Message-ID:
>         <
> DM5PR18MB13246F528FB866508D8E9267F9F50 at DM5PR18MB1324.namprd18.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="Windows-1252"
>
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> > Of Viktor Dukhovni
> > Sent: Tuesday, October 23, 2018 10:02
> >
> > On Tue, Oct 23, 2018 at 01:29:27PM +0100, Matt Caswell wrote:
> >
> > > > So, I think client have set TLS_FALLBACK_SCSV in cipher suite list in
> > > > client hello.
> > >
> > > This suggests there is a bug in the client application. This can only
> > > happen if the client application calls SSL_CTX_set_mode() or
> > > SSL_set_mode() to set the SSL_MODE_SEND_FALLBACK_SCSV mode.
> >
> > I have a somewhat plausible, if dicey hunch:
> >
> >     Perhaps some application developers got confused between
> >     the similar functions SSL_CTX_set_session_cache_mode(3)
> >     and SSL_CTX_set_mode(3) and called the wrong one?
>
> Certainly possible, but I wouldn't discount the possibility that someone
> simply thought setting SSL_MODE_SEND_FALLBACK_SCSV was the Right Thing.
> There was a fair bit of confusion around the Fallback SCSV when it first
> appeared (we had questions from customers that indicated they didn't
> understand it, and I had to read the ID to make sure I did). And, of
> course, TLS is mightly confusing in general.
>
> It is interesting to note that those two options happen to have the same
> value, though, particularly given the similarity of the two function names.
>
> This is one of those cases where C's weak type system is a problem. Though
> it would be nice if OpenSSL used enums rather than macros for these things.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 23 Oct 2018 17:42:56 +0200
> From: Jakob Bohm <jb-openssl at wisemo.com>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] CAPI-Engine doc
> Message-ID: <fc161e84-bf5f-f61b-0f1d-3bfa5641edd8 at wisemo.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 23/10/2018 17:22, Selva Nair wrote:
> > On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users
> > <openssl-users at openssl.org> wrote:
> >> Hi!
> >>
> >> I'm trying to get a handle on the CAPI engine, because I need to have a
> >> secure Keystore on Windows. Furthermore I need it to work with Qt's
> >> QSslKey, which fortunately can be constructed by EVP_PKEY *.
> >>
> >> So far so good. The key is found, but when I try to use it in a SSL
> >> connection i get following error:
> >>
> >> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object,
> >> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib
> > Which version of OpenSSL?
> >
> >> Trace Output is:
> >>
> >> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt
> >> Opening certificate store MY
> >> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C},
> >> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1
> >> Called CAPI_rsa_sign()
> > This CSP cannot do SHA2 hashes so won't work unless you restrict
> > signature algorithms or set TLS version to 1.1. I believe OpenSSL
> > 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which
> > can handle SHA2 and may work. I say "may" because, if the key store is
> > a legacy hardware token, it also depends on signature algorithms
> supported
> > by the token and may be necessary to downgrade to TLS 1.1.
> >
> The above limitations are less severe in CNG ("CryptoAPI Next Generation")
> on Windows 6.00 and later, where the old API and CSP names are actually
> emulations on top of a new structure with much smaller "KSP" providers.
> At the same time, the CNG emulation of the classic CryptoAPI functions
> are limited to what was available in Windows 5.01 SP2 and 5.02 SP2, thus
> much of the SHA-2 functionality is available only by calling the CNG
> APIs directly on Windows >= 6.00, but the older APIs with a reference
> to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix.
>
> Put another way, Microsoft forked their crypto source tree sometime in
> 2004 or 2005, and anything added later was implemented differently in
> the 5.0x and 6.0x code bases.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 S?borg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 23 Oct 2018 23:16:13 -0700 (MST)
> From: sakdev <best.sakthi3 at gmail.com>
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Openssl Build Error- module unsafe for
>         SAFESEH image/Unable to generate SAFESEH image
> Message-ID: <1540361773425-0.post at n7.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
> Added "/safeseh" in assembler flags and problem got solved. Thank you very
> much.
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
> ------------------------------
>
> End of openssl-users Digest, Vol 47, Issue 45
> *********************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181024/fe32d429/attachment-0001.html>

More information about the openssl-users mailing list