From dfulger at gmx.com Thu Oct 1 11:28:37 2020 From: dfulger at gmx.com (Dan Fulger) Date: Thu, 1 Oct 2020 13:28:37 +0200 Subject: An idiosyncratic port of OpenSSL 1.1.1h to OS/400 ILE Message-ID: This port is for ILE (native OS/400)?not PASE (PASE is almost like Unix, and already comes with OpenSSL). ? The idiosyncrasies are explained in the README.as400 file in AS400patch.tar.gz. ? AS400patch.tar.gz (large patch for OpenSSL and other files): https://drive.google.com/file/d/1wx36GNr6TtJX_ZV8UaKlqGg-l-V8wE4Y/view?usp=sharing ? AS400_GNU.tar.gz (source for GNU/IBM tools required to build OpenSSL in ILE environment): https://drive.google.com/open?id=1DeKIE32nmUpvk7fvrcSYlflUn_k1CBso From aneeqabid at gmail.com Mon Oct 5 10:06:53 2020 From: aneeqabid at gmail.com (Aneeq Abid) Date: Mon, 5 Oct 2020 15:06:53 +0500 Subject: OpenSSL Config Error Message-ID: Hi, I have no familiarization with OpenSSL. I am installing it as a dependency for installing Erlang. I am using this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ Version installing is openssl-1.0.2l I am facing the following error on make [3] while configuring OpenSSL. Can someone please guide me through it: make[3]: Entering directory '/media/erlang/openssl-1.0.2l' make[4]: Entering directory '/media/erlang/openssl-1.0.2l' /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: Bad value collect2: error: ld returned 1 exit status Makefile.shared:169: recipe for target 'link_a.gnu' failed make[4]: *** [link_a.gnu] Error 1 make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:357: recipe for target 'do_linux-shared' failed make[3]: *** [do_linux-shared] Error 2 make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed make[2]: *** [libcrypto.so.1.0.0] Error 2 make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:109: recipe for target 'shared' failed make[1]: *** [shared] Error 2 make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' Makefile:287: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 I used the following command to configure: sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas_floodeenjr at mentor.com Mon Oct 5 13:59:56 2020 From: thomas_floodeenjr at mentor.com (Floodeenjr, Thomas) Date: Mon, 5 Oct 2020 13:59:56 +0000 Subject: OpenSSL Config Error In-Reply-To: References: Message-ID: Try removing the --openssldir=/usr/local/ssl flag. I think it is not needed. sudo ./config --prefix=/usr/local/ssl shared zlib -Tom From: openssl-users On Behalf Of Aneeq Abid Sent: Monday, October 5, 2020 4:07 AM To: openssl-users at openssl.org Subject: OpenSSL Config Error Hi, I have no familiarization with OpenSSL. I am installing it as a dependency for installing Erlang. I am using this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ Version installing is openssl-1.0.2l I am facing the following error on make [3] while configuring OpenSSL. Can someone please guide me through it: make[3]: Entering directory '/media/erlang/openssl-1.0.2l' make[4]: Entering directory '/media/erlang/openssl-1.0.2l' /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: Bad value collect2: error: ld returned 1 exit status Makefile.shared:169: recipe for target 'link_a.gnu' failed make[4]: *** [link_a.gnu] Error 1 make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:357: recipe for target 'do_linux-shared' failed make[3]: *** [do_linux-shared] Error 2 make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed make[2]: *** [libcrypto.so.1.0.0] Error 2 make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:109: recipe for target 'shared' failed make[1]: *** [shared] Error 2 make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' Makefile:287: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 I used the following command to configure: sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib From doctor at doctor.nl2k.ab.ca Wed Oct 7 14:32:30 2020 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Wed, 7 Oct 2020 08:32:30 -0600 Subject: 3 failures with Openssl 3 alpha Message-ID: <20201007143230.GA52864@doctor.nl2k.ab.ca> 1) The openssh project does not work openssh 8.4+ 2) Rust and OPEnssl 3 are not agrreing 3) ca_root_nss project and openssl 3 have a difference of opinion. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b BC save the Province; on 24 October 2020, vote Liberal and not NDP! From tomiii at tomiii.com Wed Oct 7 16:54:48 2020 From: tomiii at tomiii.com (Thomas Dwyer III) Date: Wed, 7 Oct 2020 09:54:48 -0700 Subject: 3 failures with Openssl 3 alpha In-Reply-To: <20201007143230.GA52864@doctor.nl2k.ab.ca> References: <20201007143230.GA52864@doctor.nl2k.ab.ca> Message-ID: On Wed, Oct 7, 2020 at 7:33 AM The Doctor wrote: > 1) The openssh project does not work openssh 8.4+ > This is a problem with the openssh codebase and not with openssl. You asked about this in openssh-unix-dev back in July. I posted this reply in August. The issue is that openssh needs the "current" IV state (which the now-deprecated EVP_CIPHER_CTX_iv() used to return) but it's calling the wrong openssl function to obtain it. See PR #12233 for additional discussion. Regards, Tom.III > 2) Rust and OPEnssl 3 are not agrreing > > 3) ca_root_nss project and openssl 3 have a difference of opinion. > > -- > Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@ > nl2k.ab.ca > Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist > rising! > Look at Psalms 14 and 53 on Atheism > https://www.empire.kred/ROOTNK?t=94a1f39b > BC save the Province; on 24 October 2020, vote Liberal and not NDP! > -------------- next part -------------- An HTML attachment was scrubbed... URL: From doctor at doctor.nl2k.ab.ca Wed Oct 7 17:54:07 2020 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Wed, 7 Oct 2020 11:54:07 -0600 Subject: 3 failures with Openssl 3 alpha In-Reply-To: References: <20201007143230.GA52864@doctor.nl2k.ab.ca> Message-ID: <20201007175407.GA93414@doctor.nl2k.ab.ca> On Wed, Oct 07, 2020 at 09:54:48AM -0700, Thomas Dwyer III wrote: > On Wed, Oct 7, 2020 at 7:33 AM The Doctor wrote: > > > 1) The openssh project does not work openssh 8.4+ > > > > This is a problem with the openssh codebase and not with openssl. You asked > > about this in openssh-unix-dev back in July. I posted this reply > > in August. The issue is that openssh needs the "current" IV state (which > the now-deprecated EVP_CIPHER_CTX_iv() used to return) but it's calling the > wrong openssl function to obtain it. See PR #12233 > for additional discussion. > > > Regards, > Tom.III > Will forward to openssh . > > > > 2) Rust and OPEnssl 3 are not agrreing > > > > 3) ca_root_nss project and openssl 3 have a difference of opinion. > > > > -- > > Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@ > > nl2k.ab.ca > > Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist > > rising! > > Look at Psalms 14 and 53 on Atheism > > https://www.empire.kred/ROOTNK?t=94a1f39b > > BC save the Province; on 24 October 2020, vote Liberal and not NDP! > > -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b BC save the Province; on 24 October 2020, vote Liberal and not NDP! From deric.sullivan at sympatico.ca Fri Oct 9 04:09:20 2020 From: deric.sullivan at sympatico.ca (deric.sullivan deric.sullivan) Date: Fri, 9 Oct 2020 00:09:20 -0400 (EDT) Subject: openssl with Entrust User Profile EPF Message-ID: <1185778416.1637771.1602216560371.JavaMail.open-xchange@mtlgui01> An HTML attachment was scrubbed... URL: From deric.sullivan at sympatico.ca Fri Oct 9 12:22:59 2020 From: deric.sullivan at sympatico.ca (deric.sullivan deric.sullivan) Date: Fri, 9 Oct 2020 08:22:59 -0400 (EDT) Subject: openssl with Entrust User Profile EPF Message-ID: <788301734.3118.1602246179393.JavaMail.open-xchange@mtlgui01> (My last post was formatted in HTML - Sorry about that. Let me try again with plain text.) Hello, This post relates to using openssl with an Entrust User Profile EPF file. I had some success using openssl to extract certificates and keys from an EPF file. This may be 18 to 21 years too late, but I successfully extracted the certificate and keys from the EPF file listed in the post: https://marc.info/?l=openssl-users&m=94888973208299&w=2 Entrust User Profile (again) and the info is likely useful for posts: https://marc.info/?l=openssl-users&m=101302596808738&w=2 RE: Entrust EPF File https://marc.info/?l=openssl-users&m=92251200512812&w=2 Entrust User Profile I wrote a bash script to extract the Signing Certificate and Signing Key from the EPF file and the script includes the openssl commands which were used. Included here are some sections of that script which I think might be useful for the old posts and the sections show the use of openssl. ... # Using the password and the salt, generate the encryption key and # IV (initialization vector). Note that the salt is used in its # base64 encoded form. # The Password Based Encryption (PBE) Key Derivation Function (KDF) # does not exactly match any option from RFC8018 # https://tools.ietf.org/html/rfc8018 # although there are similarities. # Entrust uses SHA1 (and possibly MD5 in some versions) and an # iteration count on the password and salt # in order to generate the key and IV. # Since SHA1 does not generate enough bytes for both the key and IV, # (at least not for CAST5) # the process is repeated, but this time the byte 0x01 is appended to # the password and salt. # The key and half of the IV come from the first pass. The rest of # the IV comes from the second pass. ... # pass 1 to generate the key and part of the IV echo "pass 1 to generate the key and part of the IV" declare -i index index=1 tmp_to_hash=$(echo -n "${epf_password}""${epf_salt}" | xxd -p -c 256) while [ $index -lt $(($epf_hashcount + 1)) ] do tmp_to_hash2="${tmp_to_hash}" tmp_to_hash=$(echo -n ${tmp_to_hash2} | xxd -p -r -c 256 | openssl dgst -sha1 -binary | xxd -p -c 256) ((index++)) done pbe_partial=${tmp_to_hash} echo "Treat the next line of output as a secret." echo "pbe_partial = " ${pbe_partial} ... # At this stage we have the full Key and part of the IV. encryption_key_in_hex=$(echo -n ${pbe_partial} | head --bytes=32) encryption_iv_in_hex=$(echo -n ${pbe_partial} | tail --bytes=-8) ... # pass 2 to generate the rest of the IV echo "pass 2 to generate the rest of the IV" declare -i index index=1 tmp_to_hash=$(echo -e -n "${epf_password}""${epf_salt}""\x01" | xxd -p -c 256) while [ $index -lt $(($epf_hashcount + 1)) ] do tmp_to_hash2="${tmp_to_hash}" tmp_to_hash=$(echo -n ${tmp_to_hash2} | xxd -p -r -c 256 | openssl dgst -sha1 -binary | xxd -p -c 256) ((index++)) done pbe_partial=${tmp_to_hash} echo "Treat the next line of output as a secret." echo "pbe_partial = " ${pbe_partial} ... # Complete the IV. encryption_iv_in_hex=$(echo -n ${encryption_iv_in_hex}; echo -n ${pbe_partial} | head --bytes=8) echo "Treat the next line of output as a secret." echo "encryption_key_in_hex = " ${encryption_key_in_hex} echo "Treat the next line of output as a secret." echo "encryption_iv_in_hex = " ${encryption_iv_in_hex} ... # Check if the generated key and IV are what we expect for this EPF file. # Encrypting 8 bytes of all zeros should produce the Token found # in the Password Token section in the EPF file. test_token=$(echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00" | openssl enc -cast5-cbc -nosalt -K ${encryption_key_in_hex} -iv ${encryption_iv_in_hex} | head --bytes=8 | od -A n -t x1 | tr -d '[:space:]') echo "test_token = " ${test_token^^} if [ ${epf_token} = ${test_token^^} ] then echo "The tokens match. The supplied password is correct." else echo "The tokens don't match. The supplied password is incorrect." echo "Exiting." exit 1 fi ... With the key and IV you should be able to get your certificates, keys and other information from the EPF file (the full script in question does this for you for the Signing Cert and Key). You'll want to use the decryption command (e.g. openssl enc -d -cast5-cbc -nosalt -K ${encryption_key_in_hex} -iv ${encryption_iv_in_hex}) again for the cert and the key, plus something like an "openssl x509 -inform DER" for the cert and an "openssl pkcs8 -topk8 -inform DER" for the key. This combined with some non openssl commands such as base64, sed, head and tail (e.g. to remove some non standard headers and footers) and even a little python to verify the CRC. I hope this helps someone out there although I realize the original posts are quite a while ago. Thanks, Deric From Michal.Trojnara at stunnel.org Sun Oct 11 17:56:37 2020 From: Michal.Trojnara at stunnel.org (=?UTF-8?Q?Micha=c5=82_Trojnara?=) Date: Sun, 11 Oct 2020 19:56:37 +0200 Subject: stunnel 5.57 released Message-ID: Dear Users, I have released version 5.57 of stunnel. This is a security release.? Make sure to upgrade if you use the "redirect" option. ### Version 5.57, 2020.10.11, urgency: HIGH * Security bugfixes ? - The "redirect" option was fixed to properly ??? handle "verifyChain = yes" (thx to Rob Hoes). ? - OpenSSL DLLs updated to version 1.1.1h. * New features ? - New securityLevel configuration file option. ? - FIPS support for RHEL-based distributions. ? - Support for modern PostgreSQL clients (thx to Bram Geron). ? - Windows tooltip texts updated to mention "stunnel". ? - TLS 1.3 configuration updated for better compatibility. * Bugfixes ? - Fixed a transfer() loop bug. ? - Fixed memory leaks on configuration reloading errors. ? - DH/ECDH initialization restored for client sections. ? - Delay startup with systemd until network is online. ? - bin\libssp-0.dll removed when uninstalling. ? - A number of testing framework fixes and improvements. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hashes: af5ab973dde11807c38735b87bdd87563a47d2fa1c72a07929fcfce80a600fe1? stunnel-5.57.tar.gz 6bcabe757e72a26463b054e7bf14d661b3a6734b4fa60dced491de170008d78c? stunnel-5.57-win64-installer.exe 8bae28d1376a70df69f5d47c41ebb95443934ac6efb058aaa9ae299a391c83e0? stunnel-5.57-android.zip Best regards, ??? Mike -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From vladimir.levijev at gmail.com Mon Oct 12 16:36:46 2020 From: vladimir.levijev at gmail.com (Vladimir Levijev) Date: Mon, 12 Oct 2020 19:36:46 +0300 Subject: Restrict to TLS v1.3 Message-ID: Hi, I'd like to restrict the application to only work with TLS version >= 1.3 . That is, any attempt to establish a connection with LTS v1.2 and less should be dropped. I came up with the following being enough to ensure that: SSL_CTX_set_min_proto_version=TLSv1.3 But could you confirm that it is so? Perhaps there are more things I should do? TIA, VL From rajprudvi98 at gmail.com Mon Oct 12 20:50:51 2020 From: rajprudvi98 at gmail.com (prudvi raj) Date: Tue, 13 Oct 2020 02:20:51 +0530 Subject: i2d & ASN1_SEQUENCE related query in openssl 1.1.1. Message-ID: Hi, I am trying to write replacement ASN1 macros for i2d/d2i functions in openssl 1.1.1 Previously: typedef struct pkcs7_issuer_and_subject_st { X509_NAME *issuer; /* Certificate Issuer's name */ X509_NAME *subject; /* Certificate's subject name */ } PKCS7_ISSUER_AND_SUBJECT; ---- i2d function: int i2d_PKCS7_ISSUER_AND_SUBJECT (PKCS7_ISSUER_AND_SUBJECT * a, unsigned char **pp) { M_ASN1_I2D_vars (a); M_ASN1_I2D_len (a->issuer, i2d_X509_NAME); M_ASN1_I2D_len (a->subject, i2d_X509_NAME); M_ASN1_I2D_seq_total (); M_ASN1_I2D_put (a->issuer, i2d_X509_NAME); M_ASN1_I2D_put (a->subject, i2d_X509_NAME); M_ASN1_I2D_finish (); } ====================================== New : DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT) ASN1_SEQUENCE(PKCS7_ISSUER_AND_SUBJECT) = { ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, issuer, X509_NAME), ASN1_SIMPLE(PKCS7_ISSUER_AND_SUBJECT, subject, X509_NAME) } ASN1_SEQUENCE_END(PKCS7_ISSUER_AND_SUBJECT) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SUBJECT) Finally , we can call the function : ulLen = i2d_PKCS7_ISSUER_AND_SUBJECT (&pkcs7IssuerAndSub, &ptr); Is this the correct way , or am I missing anything ?? ( does it need DECLARE_ASN1_ALLOC_FUNCTIONS & DECLARE_ASN1_ITEM .. ...etc.,.) Can anyone help me out in this regard !! Thanks, Prudvi. -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Thu Oct 15 13:38:32 2020 From: openssl at openssl.org (OpenSSL) Date: Thu, 15 Oct 2020 13:38:32 +0000 Subject: OpenSSL version 3.0.0-alpha7 published Message-ID: <20201015133832.GA10055@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 OpenSSL version 3.0 alpha 7 released ==================================== OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 7 has now been made available. Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well as known issues are available on the OpenSSL Wiki, here: https://wiki.openssl.org/index.php/OpenSSL_3.0 The alpha release is available for download via HTTPS and FTP from the following master locations (you can find the various FTP mirrors under https://www.openssl.org/source/mirror.html): * https://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-3.0.0-alpha7.tar.gz Size: 14005200 SHA1 checksum: 1d05682f62b34038a37b196c7c43a21013f5f507 SHA256 checksum: 2884219ad2fae614c0f0d57b77af2f0720f32ffa3a569ac70bbf506bd8732298 The checksums were calculated using the following commands: openssl sha1 openssl-3.0.0-alpha7.tar.gz openssl sha256 openssl-3.0.0-alpha7.tar.gz Please download and check this alpha release as soon as possible. To report a bug, open an issue on GitHub: https://github.com/openssl/openssl/issues Please check the release notes and mailing lists to avoid duplicate reports of known issues. (Of course, the source is also available on GitHub.) Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+IS5sACgkQ2cTSbQ5g RJGBOAgAidOQVOhw5N3tLVOD1EqNvg+0FoEugGtM0lXSBFXXbcKc12jV/e1INyw6 iaZImtypZtlrEfIYFQUkTfEzfGAYXK8E9Xx6GTIV41tacd516MWz7NtMJkZlp3Fb D2DcEutqTO3Xi3XS+pPElLxSMzuSgGt8ZqqTv7ZqgseN+1uB/tdKUPZqDO+DTSpz n/0oMnpsqJsEXqv3N5sS/2ASa9paLkLsIoChDeJzc5j41aKnMTgwAPqF2r8vLBfo k851L5S/gsMw5Y9M3ljM4IYNiU0/lneGnT//uYOnLAKY/s1I9hNcWC/Q63xrOoqT zukZ2NoqTcCYC+a0Vg3yBpjwSYuaSA== =hL/2 -----END PGP SIGNATURE----- From aneeqabid at gmail.com Thu Oct 15 18:36:14 2020 From: aneeqabid at gmail.com (Aneeq Abid) Date: Thu, 15 Oct 2020 23:36:14 +0500 Subject: OpenSSL Config Error In-Reply-To: References: Message-ID: Dear Thomas, I tried different parameters and have found out that the error occurs only when the option "shared" is used in the command. It works fine for all others. Can you please explain to me what is the purpose of the shared parameter? And is it okay if I configure openssl without it? On Mon, Oct 5, 2020 at 7:00 PM Floodeenjr, Thomas < thomas_floodeenjr at mentor.com> wrote: > Try removing the --openssldir=/usr/local/ssl flag. I think it is not > needed. > > sudo ./config --prefix=/usr/local/ssl shared zlib > > -Tom > > From: openssl-users On Behalf Of > Aneeq Abid > Sent: Monday, October 5, 2020 4:07 AM > To: openssl-users at openssl.org > Subject: OpenSSL Config Error > > Hi, > > I have no familiarization with OpenSSL. I am installing it as a dependency > for installing Erlang. I am using this guide: > > > https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ > > Version installing is openssl-1.0.2l > > I am facing the following error on make [3] while configuring OpenSSL. Can > someone please guide me through it: > > make[3]: Entering directory '/media/erlang/openssl-1.0.2l' > make[4]: Entering directory '/media/erlang/openssl-1.0.2l' > /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against > symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; > recompile with -fPIC > /usr/bin/ld: final link failed: Bad value > collect2: error: ld returned 1 exit status > Makefile.shared:169: recipe for target 'link_a.gnu' failed > make[4]: *** [link_a.gnu] Error 1 > make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:357: recipe for target 'do_linux-shared' failed > make[3]: *** [do_linux-shared] Error 2 > make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed > make[2]: *** [libcrypto.so.1.0.0] Error 2 > make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:109: recipe for target 'shared' failed > make[1]: *** [shared] Error 2 > make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' > Makefile:287: recipe for target 'build_crypto' failed > make: *** [build_crypto] Error 1 > > > I used the following command to configure: > > sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared > zlib > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas_floodeenjr at mentor.com Thu Oct 15 19:04:52 2020 From: thomas_floodeenjr at mentor.com (Floodeenjr, Thomas) Date: Thu, 15 Oct 2020 19:04:52 +0000 Subject: OpenSSL Config Error In-Reply-To: References: Message-ID: <89f4ef30b60c4e9b8cce4dda35fd9b25@svr-orw-mbx-01.mgc.mentorg.com> Shared means to configure as shared libraries. From: Aneeq Abid Sent: Thursday, October 15, 2020 12:36 PM To: Floodeenjr, Thomas Cc: openssl-users at openssl.org Subject: Re: OpenSSL Config Error Dear Thomas, I tried different parameters and have found out that the error occurs only when the option "shared" is used in the command. It works fine for all others. Can you please explain to me what is the purpose of the shared parameter? And is it okay if I configure openssl without it? On Mon, Oct 5, 2020 at 7:00 PM Floodeenjr, Thomas > wrote: Try removing the --openssldir=/usr/local/ssl flag. I think it is not needed. sudo ./config --prefix=/usr/local/ssl shared zlib -Tom From: openssl-users > On Behalf Of Aneeq Abid Sent: Monday, October 5, 2020 4:07 AM To: openssl-users at openssl.org Subject: OpenSSL Config Error Hi, I have no familiarization with OpenSSL. I am installing it as a dependency for installing Erlang. I am using this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ Version installing is openssl-1.0.2l I am facing the following error on make [3] while configuring OpenSSL. Can someone please guide me through it: make[3]: Entering directory '/media/erlang/openssl-1.0.2l' make[4]: Entering directory '/media/erlang/openssl-1.0.2l' /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: Bad value collect2: error: ld returned 1 exit status Makefile.shared:169: recipe for target 'link_a.gnu' failed make[4]: *** [link_a.gnu] Error 1 make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:357: recipe for target 'do_linux-shared' failed make[3]: *** [do_linux-shared] Error 2 make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed make[2]: *** [libcrypto.so.1.0.0] Error 2 make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:109: recipe for target 'shared' failed make[1]: *** [shared] Error 2 make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' Makefile:287: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 I used the following command to configure: sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib -------------- next part -------------- An HTML attachment was scrubbed... URL: From aneeqabid at gmail.com Thu Oct 15 19:08:59 2020 From: aneeqabid at gmail.com (Aneeq Abid) Date: Fri, 16 Oct 2020 00:08:59 +0500 Subject: OpenSSL Config Error In-Reply-To: <89f4ef30b60c4e9b8cce4dda35fd9b25@svr-orw-mbx-01.mgc.mentorg.com> References: <89f4ef30b60c4e9b8cce4dda35fd9b25@svr-orw-mbx-01.mgc.mentorg.com> Message-ID: Thanks for your reply. I have already installed OpenSSL but when I install Erlang, I find that crypto is missing. And it gives me an error that OpenSSL might not be installed. Can you help me here? $ erl Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false] Eshell V6.0 (abort with ^G) 1> crypto:start(). ** exception error: undefined function crypto:start/0 2> =ERROR REPORT==== 15-Oct-2020::23:28:36 === Unable to load crypto library. Failed with error: "load_failed, Failed to load NIF library: '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: undefined symbol: HMAC_CTX_init'" OpenSSL might not be installed on this system. =ERROR REPORT==== 15-Oct-2020::23:28:36 === The on_load function for module crypto returned {error, {load_failed, "Failed to load NIF library: '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: undefined symbol: HMAC_CTX_init'"}} On Fri, Oct 16, 2020 at 12:04 AM Floodeenjr, Thomas < thomas_floodeenjr at mentor.com> wrote: > Shared means to configure as shared libraries. > > > > *From:* Aneeq Abid > *Sent:* Thursday, October 15, 2020 12:36 PM > *To:* Floodeenjr, Thomas > *Cc:* openssl-users at openssl.org > *Subject:* Re: OpenSSL Config Error > > > > Dear Thomas, > > > > I tried different parameters and have found out that the error occurs only > when the option "shared" is used in the command. It works fine for all > others. Can you please explain to me what is the purpose of the shared > parameter? And is it okay if I configure openssl without it? > > > > On Mon, Oct 5, 2020 at 7:00 PM Floodeenjr, Thomas < > thomas_floodeenjr at mentor.com> wrote: > > Try removing the --openssldir=/usr/local/ssl flag. I think it is not > needed. > > sudo ./config --prefix=/usr/local/ssl shared zlib > > -Tom > > From: openssl-users On Behalf Of > Aneeq Abid > Sent: Monday, October 5, 2020 4:07 AM > To: openssl-users at openssl.org > Subject: OpenSSL Config Error > > Hi, > > I have no familiarization with OpenSSL. I am installing it as a dependency > for installing Erlang. I am using this guide: > > > https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ > > Version installing is openssl-1.0.2l > > I am facing the following error on make [3] while configuring OpenSSL. Can > someone please guide me through it: > > make[3]: Entering directory '/media/erlang/openssl-1.0.2l' > make[4]: Entering directory '/media/erlang/openssl-1.0.2l' > /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against > symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; > recompile with -fPIC > /usr/bin/ld: final link failed: Bad value > collect2: error: ld returned 1 exit status > Makefile.shared:169: recipe for target 'link_a.gnu' failed > make[4]: *** [link_a.gnu] Error 1 > make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:357: recipe for target 'do_linux-shared' failed > make[3]: *** [do_linux-shared] Error 2 > make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed > make[2]: *** [libcrypto.so.1.0.0] Error 2 > make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:109: recipe for target 'shared' failed > make[1]: *** [shared] Error 2 > make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' > Makefile:287: recipe for target 'build_crypto' failed > make: *** [build_crypto] Error 1 > > > I used the following command to configure: > > sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared > zlib > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas_floodeenjr at mentor.com Thu Oct 15 19:10:19 2020 From: thomas_floodeenjr at mentor.com (Floodeenjr, Thomas) Date: Thu, 15 Oct 2020 19:10:19 +0000 Subject: OpenSSL Config Error In-Reply-To: References: <89f4ef30b60c4e9b8cce4dda35fd9b25@svr-orw-mbx-01.mgc.mentorg.com> Message-ID: <11abb9a4acc647d2bdbdedd9cae35f70@svr-orw-mbx-01.mgc.mentorg.com> Sorry, I am nog familiar with Erlang. From: Aneeq Abid Sent: Thursday, October 15, 2020 1:09 PM To: Floodeenjr, Thomas Cc: openssl-users at openssl.org Subject: Re: OpenSSL Config Error Thanks for your reply. I have already installed OpenSSL but when I install Erlang, I find that crypto is missing. And it gives me an error that OpenSSL might not be installed. Can you help me here? $ erl Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false] Eshell V6.0 (abort with ^G) 1> crypto:start(). ** exception error: undefined function crypto:start/0 2> =ERROR REPORT==== 15-Oct-2020::23:28:36 === Unable to load crypto library. Failed with error: "load_failed, Failed to load NIF library: '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: undefined symbol: HMAC_CTX_init'" OpenSSL might not be installed on this system. =ERROR REPORT==== 15-Oct-2020::23:28:36 === The on_load function for module crypto returned {error, {load_failed, "Failed to load NIF library: '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: undefined symbol: HMAC_CTX_init'"}} On Fri, Oct 16, 2020 at 12:04 AM Floodeenjr, Thomas > wrote: Shared means to configure as shared libraries. From: Aneeq Abid > Sent: Thursday, October 15, 2020 12:36 PM To: Floodeenjr, Thomas > Cc: openssl-users at openssl.org Subject: Re: OpenSSL Config Error Dear Thomas, I tried different parameters and have found out that the error occurs only when the option "shared" is used in the command. It works fine for all others. Can you please explain to me what is the purpose of the shared parameter? And is it okay if I configure openssl without it? On Mon, Oct 5, 2020 at 7:00 PM Floodeenjr, Thomas > wrote: Try removing the --openssldir=/usr/local/ssl flag. I think it is not needed. sudo ./config --prefix=/usr/local/ssl shared zlib -Tom From: openssl-users > On Behalf Of Aneeq Abid Sent: Monday, October 5, 2020 4:07 AM To: openssl-users at openssl.org Subject: OpenSSL Config Error Hi, I have no familiarization with OpenSSL. I am installing it as a dependency for installing Erlang. I am using this guide: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ Version installing is openssl-1.0.2l I am facing the following error on make [3] while configuring OpenSSL. Can someone please guide me through it: make[3]: Entering directory '/media/erlang/openssl-1.0.2l' make[4]: Entering directory '/media/erlang/openssl-1.0.2l' /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; recompile with -fPIC /usr/bin/ld: final link failed: Bad value collect2: error: ld returned 1 exit status Makefile.shared:169: recipe for target 'link_a.gnu' failed make[4]: *** [link_a.gnu] Error 1 make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:357: recipe for target 'do_linux-shared' failed make[3]: *** [do_linux-shared] Error 2 make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed make[2]: *** [libcrypto.so.1.0.0] Error 2 make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' Makefile:109: recipe for target 'shared' failed make[1]: *** [shared] Error 2 make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' Makefile:287: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 I used the following command to configure: sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib -------------- next part -------------- An HTML attachment was scrubbed... URL: From aneeqabid at gmail.com Thu Oct 15 19:11:02 2020 From: aneeqabid at gmail.com (Aneeq Abid) Date: Fri, 16 Oct 2020 00:11:02 +0500 Subject: OpenSSL Config Error In-Reply-To: <11abb9a4acc647d2bdbdedd9cae35f70@svr-orw-mbx-01.mgc.mentorg.com> References: <89f4ef30b60c4e9b8cce4dda35fd9b25@svr-orw-mbx-01.mgc.mentorg.com> <11abb9a4acc647d2bdbdedd9cae35f70@svr-orw-mbx-01.mgc.mentorg.com> Message-ID: Alright. Thanks for your help. On Fri, 16 Oct 2020, 12:10 am Floodeenjr, Thomas, < thomas_floodeenjr at mentor.com> wrote: > Sorry, I am nog familiar with Erlang. > > > > *From:* Aneeq Abid > *Sent:* Thursday, October 15, 2020 1:09 PM > *To:* Floodeenjr, Thomas > *Cc:* openssl-users at openssl.org > *Subject:* Re: OpenSSL Config Error > > > > Thanks for your reply. I have already installed OpenSSL but when I install > Erlang, I find that crypto is missing. And it gives me an error that > OpenSSL might not be installed. Can you help me here? > > > > $ erl > Erlang/OTP 17 [erts-6.0] [source] [64-bit] [smp:4:4] [async-threads:10] > [hipe] [kernel-poll:false] > > Eshell V6.0 (abort with ^G) > 1> crypto:start(). > ** exception error: undefined function crypto:start/0 > 2> > =ERROR REPORT==== 15-Oct-2020::23:28:36 === > Unable to load crypto library. Failed with error: > "load_failed, Failed to load NIF library: > '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: undefined symbol: > HMAC_CTX_init'" > OpenSSL might not be installed on this system. > > =ERROR REPORT==== 15-Oct-2020::23:28:36 === > The on_load function for module crypto returned {error, > {load_failed, > "Failed to load NIF > library: '/usr/local/lib/erlang/lib/crypto-3.3/priv/lib/crypto.so: > undefined symbol: HMAC_CTX_init'"}} > > > > On Fri, Oct 16, 2020 at 12:04 AM Floodeenjr, Thomas < > thomas_floodeenjr at mentor.com> wrote: > > Shared means to configure as shared libraries. > > > > *From:* Aneeq Abid > *Sent:* Thursday, October 15, 2020 12:36 PM > *To:* Floodeenjr, Thomas > *Cc:* openssl-users at openssl.org > *Subject:* Re: OpenSSL Config Error > > > > Dear Thomas, > > > > I tried different parameters and have found out that the error occurs only > when the option "shared" is used in the command. It works fine for all > others. Can you please explain to me what is the purpose of the shared > parameter? And is it okay if I configure openssl without it? > > > > On Mon, Oct 5, 2020 at 7:00 PM Floodeenjr, Thomas < > thomas_floodeenjr at mentor.com> wrote: > > Try removing the --openssldir=/usr/local/ssl flag. I think it is not > needed. > > sudo ./config --prefix=/usr/local/ssl shared zlib > > -Tom > > From: openssl-users On Behalf Of > Aneeq Abid > Sent: Monday, October 5, 2020 4:07 AM > To: openssl-users at openssl.org > Subject: OpenSSL Config Error > > Hi, > > I have no familiarization with OpenSSL. I am installing it as a dependency > for installing Erlang. I am using this guide: > > > https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/ > > Version installing is openssl-1.0.2l > > I am facing the following error on make [3] while configuring OpenSSL. Can > someone please guide me through it: > > make[3]: Entering directory '/media/erlang/openssl-1.0.2l' > make[4]: Entering directory '/media/erlang/openssl-1.0.2l' > /usr/bin/ld: libcrypto.a(gost_eng.o): relocation R_X86_64_PC32 against > symbol `stderr@@GLIBC_2.2.5' can not be used when making a shared object; > recompile with -fPIC > /usr/bin/ld: final link failed: Bad value > collect2: error: ld returned 1 exit status > Makefile.shared:169: recipe for target 'link_a.gnu' failed > make[4]: *** [link_a.gnu] Error 1 > make[4]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:357: recipe for target 'do_linux-shared' failed > make[3]: *** [do_linux-shared] Error 2 > make[3]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:310: recipe for target 'libcrypto.so.1.0.0' failed > make[2]: *** [libcrypto.so.1.0.0] Error 2 > make[2]: Leaving directory '/media/erlang/openssl-1.0.2l' > Makefile:109: recipe for target 'shared' failed > make[1]: *** [shared] Error 2 > make[1]: Leaving directory '/media/erlang/openssl-1.0.2l/crypto' > Makefile:287: recipe for target 'build_crypto' failed > make: *** [build_crypto] Error 1 > > > I used the following command to configure: > > sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared > zlib > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From apphiajeyaraj at gmail.com Sun Oct 18 12:53:31 2020 From: apphiajeyaraj at gmail.com (Apphia Jeyaraj) Date: Sun, 18 Oct 2020 18:23:31 +0530 Subject: Pam linux does not have the local address from sshd Message-ID: Hi, The ask is the server IP during ssh user at server ip.when it reaches the server's Pam, is there a way to get the local address in Pam context. Please support Thanks and regards, Apphia -------------- next part -------------- An HTML attachment was scrubbed... URL: From bjorn.bidar at jolla.com Sun Oct 18 12:55:55 2020 From: bjorn.bidar at jolla.com (=?iso-8859-1?Q?Bj=F6rn_Bidar?=) Date: Sun, 18 Oct 2020 12:55:55 +0000 Subject: Pam linux does not have the local address from sshd In-Reply-To: References: Message-ID: <1713903.oocp8lP7yb@odin> This is the mailinglist of OpenSSL not OpenSSH. From win_i008 at yahoo.com Mon Oct 19 06:10:42 2020 From: win_i008 at yahoo.com (Vinay Kumar) Date: Mon, 19 Oct 2020 06:10:42 +0000 (UTC) Subject: OpenSSL support for MacOS Big Sur(Cross compilation for ARM architecture/Apple silicon)? References: <952495579.911127.1603087842022.ref@mail.yahoo.com> Message-ID: <952495579.911127.1603087842022@mail.yahoo.com> Hi All, As Apple is moving from Intel to ARM architecture, does OpenSSL support cross-compiling(using Xcode 12.2) on MacOS Big Sur for Apple silicon(ARM architecture)?If not, any expected date? Thanks,Vinay -------------- next part -------------- An HTML attachment was scrubbed... URL: From shivakumar2696 at gmail.com Fri Oct 23 09:09:01 2020 From: shivakumar2696 at gmail.com (shiva kumar) Date: Fri, 23 Oct 2020 14:39:01 +0530 Subject: alternative for x509 "name" field Message-ID: Hi, Compared to OpenSSL 1.0.2 and 1.1.0 and above, in struct x509_st , char *name field has been removed, what is the alternative for it and what is the impact? can anyone please answer the query? Thanks and regards Shivakumar -------------- next part -------------- An HTML attachment was scrubbed... URL: From tmraz at redhat.com Fri Oct 23 10:07:01 2020 From: tmraz at redhat.com (Tomas Mraz) Date: Fri, 23 Oct 2020 12:07:01 +0200 Subject: alternative for x509 "name" field In-Reply-To: References: Message-ID: On Fri, 2020-10-23 at 14:39 +0530, shiva kumar wrote: > Hi, > > Compared to OpenSSL 1.0.2 and 1.1.0 and above, in struct > x509_st , char *name field has been removed, what is the alternative > for it and what is the impact? can anyone please answer the query? Hi, although the name field was present in 1.0.2 it was not used for anything. So there was no point in keeping it once the structure was made non-public in 1.1.0. Regards, -- Tom?? Mr?z No matter how far down the wrong road you've gone, turn back. Turkish proverb [You'll know whether the road is wrong if you carefully listen to your conscience.] From brettstahlman at gmail.com Fri Oct 23 13:10:03 2020 From: brettstahlman at gmail.com (Brett Stahlman) Date: Fri, 23 Oct 2020 09:10:03 -0400 Subject: CAPI engine seems to break server validation Message-ID: Hello, I'm attempting to use the s_client command on Windows 10 to connect to a secure server (client.badssl.com) that requires client authentication. When I run the following command... echo -e 'GET / HTTP/1.1\r\nHost: client.badssl.com\r\n\r\n' | ./dist/bin/openssl.exe s_client -ign_eof -verifyCAfile ca-bundle.crt -connect client.badssl.com:443 ...server verification succeeds, but I get a 400 error: "No required SSL certificate was sent" So I tried using the CAPI engine to handle ssl client authentication: echo -e 'GET / HTTP/1.1\r\nHost: client.badssl.com\r\n\r\n' | ./dist/bin/openssl.exe s_client -ign_eof -verifyCAfile ca-bundle.crt -ssl_client_engine capi -connect client.badssl.com:443 But now the failure occurs even earlier: No client certificate CA names sent Peer signing digest: SHA512 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3310 bytes and written 330 bytes Verification error: certificate signature failure It seems that the CAPI engine is breaking the server verification somehow. Note that the only reason I'm using the ca-bundle.crt is that I couldn't figure out how to get CAPI to load the Windows "ROOT" certificate store, which contains the requisite CA certs. Ideally, server authentication would use the CA certs in the Windows "ROOT" store, and client authentication would use the certs in the Windows "MY" store, but CAPI doesn't appear to be loading either one. Note: I can use the openssl "engine" command to get CAPI to list the certs in a store by name: e.g., ./dist/bin/openssl.exe engine -t -post store_name:ROOT -post list_certs capi But this doesn't help much if the engine doesn't load them automatically when a client connection is made with s_client. I was under the impression that CAPI would automatically use the Windows cert stores for client and server authentication. Have I misunderstood the goal of the CAPI engine? Thanks, Brett S. -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Fri Oct 23 13:45:05 2020 From: matt at openssl.org (Matt Caswell) Date: Fri, 23 Oct 2020 14:45:05 +0100 Subject: CAPI engine seems to break server validation In-Reply-To: References: Message-ID: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> On 23/10/2020 14:10, Brett Stahlman wrote: > It seems that the CAPI engine is breaking the server verification somehow. > Note that the only reason I'm using the ca-bundle.crt is that I couldn't > figure out how to get CAPI to load the Windows "ROOT" certificate > store,?which contains the requisite CA certs. Ideally, server > authentication would use the CA certs in the Windows "ROOT" store, and > client authentication would use the certs in the Windows "MY" store, but > CAPI doesn't appear to be loading either one. This is probably the following issue: https://github.com/openssl/openssl/issues/8872 Matt From jb-openssl at wisemo.com Fri Oct 23 15:33:53 2020 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Fri, 23 Oct 2020 17:33:53 +0200 Subject: CAPI engine seems to break server validation In-Reply-To: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> References: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> Message-ID: On 2020-10-23 15:45, Matt Caswell wrote: > > On 23/10/2020 14:10, Brett Stahlman wrote: >> It seems that the CAPI engine is breaking the server verification somehow. >> Note that the only reason I'm using the ca-bundle.crt is that I couldn't >> figure out how to get CAPI to load the Windows "ROOT" certificate >> store,?which contains the requisite CA certs. Ideally, server >> authentication would use the CA certs in the Windows "ROOT" store, and >> client authentication would use the certs in the Windows "MY" store, but >> CAPI doesn't appear to be loading either one. > This is probably the following issue: > > https://github.com/openssl/openssl/issues/8872 > > Matt Looking at the brutal wontfixing of that bug, maybe reconsider if the existing engine interface can do PSS by simply having the CAPI/CAPIng engine export the generic PKEY type for PSS-capable RSA keys.? Also, maybe use a compatible stronger CAPI "provider" (their engines) to do stronger hashes etc. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From ceztko at gmail.com Sat Oct 24 10:05:41 2020 From: ceztko at gmail.com (Francesco Pretto) Date: Sat, 24 Oct 2020 12:05:41 +0200 Subject: How to plug an external encryption to CMS_SignerInfo signing? Message-ID: Hello, I'm trying to create a CMS context for subsequent export using CMS_sign(). I add a signer using CMS_add1_signer() that allows me to specify a X509 certificate and a hash function. I would like the CMS context to perform hash computation and ANS1 structure filling, but I want to delegate encryption to an external service, for example an hardware encryption token (I'm assuming this is a very common use case). At this point I'm in a stalemate since CMS_add1_signer() asks me for a private EVP_PKEY that is compatible with the public key present in the X509 certificate. No other function seems to exist to create a CMS_SignerInfo by providing an external mechanism for encryption. My hacky solution was to add a signer CMS_add1_signer() supplying the public key stored in the X509 certificate in the place of the private one. This passes internal checks of the function and allows me to subsequently handle (manually) all the ANS1 structure filling and hash computations. This is barely doable with public openssl API and still requires a big rip-off of private openssl code (attached as a standalone C++ class, if it can be useful for someone). My question is: is there an easier mechanism to plug a separate encryption method when creating the CMS_SignerInfo structure and have openssl do all the other dirty work for me? If so, is it possible to do with openssl 1.1.0/1.1.1? Cheers, Francesco -------------- next part -------------- ?#pragma once #include #include #include #include #include namespace en { using EncryptionService = std::function(std::string_view)>; class CmsContext { public: /** Load 12 certificate + private key from file */ CmsContext(const std::string_view& certfile, const std::string_view& password); /** Load P12 certificate + private key from buffer */ CmsContext(const char* certbytes, size_t size, const std::string_view& password); /** Load X509 certificate and provide an external encryption service */ CmsContext(const std::string_view &cert, const EncryptionService& encrypt); ~CmsContext(); public: void AppendData(const std::string_view& data); std::vector EncodeCMS(); void Reset(); private: enum class CertType { X509Buffer, P12File, P12Buffer, }; private: CmsContext(CertType type, const std::string_view& cert, const std::string_view& password, const EncryptionService& signer); void loadP12FromFile(const std::string_view& certfile, const std::string_view& password); void loadP12FromBuffer(const std::string_view& buffer, const std::string_view& password); void loadX509Certificate(const std::string_view& cert); void clearSignature(); void reset(); private: X509* m_cert; EVP_PKEY* m_privKey; EncryptionService m_encrypt; CMS_ContentInfo* m_cms; BIO* m_databio; BIO* m_out; }; } -------------- next part -------------- ?#include "CmsContext.h" #include #include #include #include using namespace std; using namespace en; // The following flags allow for streaming and editing of the attributes #define CMS_FLAGS CMS_DETACHED | CMS_BINARY | CMS_PARTIAL | CMS_STREAM // The following is using for reordering attributes during serialization // in the signining operation DECLARE_ASN1_ITEM(CMS_Attributes_Sign); // This is a recreation of X509_SIG structure struct X509_Signature { X509_ALGOR* algor; ASN1_OCTET_STRING* digest; }; static const ASN1_OBJECT* GetASN1Object(X509_ALGOR* alg); static X509_ALGOR* GetDigestAlgorithm(CMS_SignerInfo* si); static STACK_OF(X509_ATTRIBUTE)* GetSignedAttributesCopy(CMS_SignerInfo* si); // All the following static functions include software developed by // the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/) // License: https://www.openssl.org/source/license-openssl-ssleay.txt static void cms_SignedData_final(CMS_ContentInfo* cms, BIO* chain, const EncryptionService& encrypt); static void cms_SignerInfo_content_sign(CMS_ContentInfo* cms, CMS_SignerInfo* si, BIO* chain, const EncryptionService& signer); static void CMS_SignerInfo_sign2(CMS_SignerInfo* si, const EncryptionService& encrypt); static int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX* mctx, BIO* chain, X509_ALGOR* mdalg); static int cms_add1_signingTime(CMS_SignerInfo* si, ASN1_TIME* t); static void encode_pkcs1(X509_ALGOR* digestAlg, const unsigned char* m, unsigned int m_len, unsigned char** out, unsigned int* out_len); static const ASN1_ITEM* X509_Signature_it(); CmsContext::CmsContext(const std::string_view& certfile, const std::string_view& password) : CmsContext(CertType::P12File, certfile, password, { }) { } CmsContext::CmsContext(const char* certbytes, size_t size, const std::string_view& password) : CmsContext(CertType::P12Buffer, { certbytes, size }, password, { }) { } CmsContext::CmsContext(const string_view& cert, const EncryptionService& signer) : CmsContext(CertType::X509Buffer, cert, { }, signer) { } CmsContext::CmsContext(CertType type, const std::string_view& cert, const std::string_view& password, const EncryptionService& signer) : m_cert(nullptr), m_privKey(nullptr), m_encrypt(signer), m_cms(nullptr), m_databio(nullptr), m_out(nullptr) { try { switch (type) { case CertType::X509Buffer: loadX509Certificate(cert); break; case CertType::P12File: loadP12FromFile(cert, password); break; case CertType::P12Buffer: loadP12FromBuffer(cert, password); break; default: throw runtime_error("Unsupported"); } reset(); } catch (...) { this->~CmsContext(); throw; } } CmsContext::~CmsContext() { if (m_privKey != nullptr) { EVP_PKEY_free(m_privKey); m_privKey = nullptr; } if (m_cert != nullptr) { X509_free(m_cert); m_cert = nullptr; } clearSignature(); } void CmsContext::AppendData(const string_view& data) { if (m_out != nullptr) throw runtime_error("The signer must be reset before appening new data"); auto mem = BIO_new_mem_buf(data.data(), (int)data.length()); if (mem == nullptr) throw runtime_error("Out of memory"); // Append data to the internal CMS buffer and elaborate // See also CMS_final implementation for reference if (!SMIME_crlf_copy(mem, m_databio, CMS_FLAGS)) throw runtime_error("SMIME_crlf_copy"); (void)BIO_flush(m_databio); } vector CmsContext::EncodeCMS() { if (m_out != nullptr) goto exit; if (m_privKey == nullptr) cms_SignedData_final(m_cms, m_databio, m_encrypt); // Sign with external encryption else CMS_dataFinal(m_cms, m_databio); m_out = BIO_new(BIO_s_mem()); if (m_out == nullptr) throw runtime_error("BIO_new: Out of memory"); // Output CMS as DER format i2d_CMS_bio(m_out, m_cms); exit: char* sign; size_t length = (size_t)BIO_get_mem_data(m_out, &sign); return vector(sign, sign + length); } void CmsContext::Reset() { clearSignature(); reset(); } void CmsContext::loadP12FromFile(const string_view& filename, const string_view& password) { int rc; PKCS12* p12 = nullptr; STACK_OF(X509)* ca = nullptr; FILE* fp = nullptr; auto clean = [&]() { fclose(fp); PKCS12_free(p12); sk_X509_pop_free(ca, X509_free); }; try { fp = fopen(filename.data(), "rb"); if (fp == NULL) throw runtime_error("Can't open file"); p12 = d2i_PKCS12_fp(fp, NULL); if (p12 == NULL) { fclose(fp); throw runtime_error("Can't create PKCS12 certificate"); } rc = PKCS12_parse(p12, password.data(), &m_privKey, &m_cert, &ca); if (!rc) throw runtime_error("Can't parse PKCS12 certificate"); } catch (...) { clean(); return; } clean(); } void CmsContext::loadP12FromBuffer(const string_view& buffer, const string_view& password) { int rc; PKCS12* p12 = nullptr; STACK_OF(X509)* ca = nullptr; BIO* mem = nullptr; auto clean = [&]() { sk_X509_pop_free(ca, X509_free); PKCS12_free(p12); BIO_free(mem); }; try { mem = BIO_new_mem_buf(buffer.data(), (int)buffer.size()); if (mem == nullptr) throw runtime_error("Out of memory"); auto p12 = d2i_PKCS12_bio(mem, NULL); if (p12 == NULL) throw runtime_error("Can't create PKCS12 certificate"); rc = PKCS12_parse(p12, password.data(), &m_privKey, &m_cert, &ca); if (!rc) throw runtime_error("Can't parse PKCS12 certificate"); } catch (...) { clean(); return; } clean(); } void CmsContext::loadX509Certificate(const string_view& cert) { auto in = (const unsigned char*)cert.data(); m_cert = d2i_X509(nullptr, &in, (int)cert.length()); if (m_cert == nullptr) throw runtime_error("Out of memory"); } void CmsContext::clearSignature() { if (m_cms != nullptr) { CMS_ContentInfo_free(m_cms); m_cms = nullptr; } if (m_databio != nullptr) { BIO_free(m_databio); m_databio = nullptr; } if (m_out != nullptr) { BIO_free(m_out); m_out = nullptr; } } void CmsContext::reset() { // By default CMS_sign uses SHA1, so create a partial context with streaming enabled m_cms = CMS_sign(nullptr, nullptr, nullptr, nullptr, CMS_FLAGS); if (m_cms == nullptr) throw runtime_error("Out of memory"); // Set a signer with a SHA56 digest. Since CMS_PARTIAL is *not* passed, // the CMS structure is sealed // TODO: Add configurable hash function, sha256-384-512 auto sign_md = EVP_get_digestbyname("sha256"); CMS_SignerInfo* signer; if (m_privKey == nullptr) { // Fake private key using public key from certificate // This allows to pass internal checks of CMS_add1_signer // since parameter "pk" can't be nullptr auto pubKey = X509_get0_pubkey(m_cert); signer = CMS_add1_signer(m_cms, m_cert, pubKey, sign_md, 0); } else { signer = CMS_add1_signer(m_cms, m_cert, m_privKey, sign_md, 0); } if (signer == nullptr) throw runtime_error("CMS_add1_signer"); if (false) { // TODO: Add configurable date setting struct tm timeinfo { }; auto time = mktime(&timeinfo); auto ans1time = X509_time_adj(nullptr, 0, &time); cms_add1_signingTime(signer, ans1time); } // Initialize the internal cms buffer for streaming // See also CMS_final implementation for reference m_databio = CMS_dataInit(m_cms, nullptr); if (m_databio == nullptr) throw runtime_error("CMS_dataInit"); } // Ripped from cms_DigestAlgorithm_find_ctx in crypto/cms/cms_lib.c int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX* mctx, BIO* chain, X509_ALGOR* mdalg) { int nid; auto mdoid = GetASN1Object(mdalg); nid = OBJ_obj2nid(mdoid); // Look for digest type to match signature for (;;) { EVP_MD_CTX* mtmp; chain = BIO_find_type(chain, BIO_TYPE_MD); if (chain == nullptr) throw runtime_error("CMS_NO_MATCHING_DIGEST"); BIO_get_md_ctx(chain, &mtmp); if (EVP_MD_CTX_type(mtmp) == nid // Workaround for broken implementations that use signature // algorithm OID instead of digest. || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) { return EVP_MD_CTX_copy_ex(mctx, mtmp); } chain = BIO_next(chain); } } // Ripped from cms_SignedData_final in crypto/cms/cms_lib.c void cms_SignedData_final(CMS_ContentInfo* cms, BIO* chain, const EncryptionService& encrypt) { STACK_OF(CMS_SignerInfo)* sinfos; CMS_SignerInfo* si; int i; sinfos = CMS_get0_SignerInfos(cms); for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); cms_SignerInfo_content_sign(cms, si, chain, encrypt); } } // Ripped from cms_SignerInfo_content_sign in crypto/cms/cms_sd.c void cms_SignerInfo_content_sign(CMS_ContentInfo* cms, CMS_SignerInfo* si, BIO* chain, const EncryptionService& encrypt) { EVP_MD_CTX* mctx = EVP_MD_CTX_new(); if (!cms_DigestAlgorithm_find_ctx(mctx, chain, GetDigestAlgorithm(si))) goto err; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned int hashlen; if (EVP_DigestFinal_ex(mctx, hash, &hashlen) <= 0) goto err; if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, V_ASN1_OCTET_STRING, hash, hashlen)) goto err; ASN1_OBJECT* ctype = OBJ_nid2obj(NID_pkcs7_data); if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, V_ASN1_OBJECT, ctype, -1) <= 0) goto err; CMS_SignerInfo_sign2(si, encrypt); return; err: throw runtime_error("Error while computing the MessageDigest"); } // Ripped from CMS_SignerInfo_sign in crypto/cms/cms_sd.c void CMS_SignerInfo_sign2(CMS_SignerInfo* si, const EncryptionService& encrypt) { EVP_MD_CTX* mctx = CMS_SignerInfo_get0_md_ctx(si); STACK_OF(X509_ATTRIBUTE)* signedAttrs = nullptr; unsigned char* buf = nullptr; unsigned len; unsigned encodedLen; unsigned char hash[EVP_MAX_MD_SIZE]; vector signedhash; if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { if (!cms_add1_signingTime(si, nullptr)) goto err; } auto sign_md = EVP_get_digestbyname("sha256"); if (EVP_DigestInit(mctx, sign_md) <= 0) goto err; // Prepare the DER structure to sign, reordering attributes signedAttrs = GetSignedAttributesCopy(si); len = (unsigned)ASN1_item_i2d((ASN1_VALUE*)signedAttrs, &buf, ASN1_ITEM_rptr(CMS_Attributes_Sign)); sk_X509_ATTRIBUTE_free(signedAttrs); if (!buf) goto err; // Compute the hash to be signed if (EVP_DigestUpdate(mctx, buf, len) <= 0) goto err; if (EVP_DigestFinal(mctx, hash, &len) <= 0) goto err; EVP_MD_CTX_reset(mctx); // We also need to encode the digest in ANS1 structure OPENSSL_free(buf); encode_pkcs1(GetDigestAlgorithm(si), hash, len, &buf, &encodedLen); // Encrypt the hash with the external encryption service signedhash = encrypt({(const char *)buf, encodedLen }); OPENSSL_free(buf); buf = (unsigned char*)OPENSSL_malloc(signedhash.size()); if (buf == nullptr) goto err; std::memcpy(buf, signedhash.data(), signedhash.size()); auto signature = CMS_SignerInfo_get0_signature(si); ASN1_STRING_set0(signature, buf, (int)signedhash.size()); return; err: OPENSSL_free(buf); EVP_MD_CTX_reset(mctx); throw runtime_error("Error while computing the MessageDigest"); } // Ripped from cms_add1_signingTime in crypto/cms/cms_sd.c int cms_add1_signingTime(CMS_SignerInfo* si, ASN1_TIME* t) { ASN1_TIME* tt; int r = 0; if (t != nullptr) tt = t; else tt = X509_gmtime_adj(nullptr, 0); if (tt == nullptr) goto merr; if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime, tt->type, tt, -1) <= 0) goto merr; r = 1; merr: if (t == nullptr) ASN1_TIME_free(tt); return r; } /* Ripped from crypto/rsa/rsa_sign.c * encode_pkcs1 encodes a DigestInfo prefix of hash |type| and digest |m|, as * described in EMSA-PKCS1-v1_5-ENCODE, RFC 3447 section 9.2 step 2. This * encodes the DigestInfo (T and tLen) but does not add the padding. * * On success, it returns one and sets |*out| to a newly allocated buffer * containing the result and |*out_len| to its length. The caller must free * |*out| with |OPENSSL_free|. Otherwise, it returns zero. */ void encode_pkcs1(X509_ALGOR* digestAlg, const unsigned char* m, unsigned m_len, unsigned char** out, unsigned* out_len) { X509_Signature sig; X509_ALGOR algor{ }; ASN1_TYPE parameter{ }; ASN1_OCTET_STRING digest{ }; unsigned char* buf = nullptr; int len; sig.algor = digestAlg; sig.algor = &algor; sig.algor->algorithm = (ASN1_OBJECT*)GetASN1Object(digestAlg); parameter.type = V_ASN1_NULL; parameter.value.ptr = NULL; sig.algor->parameter = ¶meter; sig.digest = &digest; sig.digest->data = (unsigned char*)m; sig.digest->length = m_len; // This is the expansion of IMPLEMENT_ASN1_FUNCTIONS // NOTE: buf must be a local null pointer otherwise // the function will try to reuse the memory len = ASN1_item_i2d((ASN1_VALUE*)&sig, &buf, ASN1_ITEM_rptr(X509_Signature)); if (len < 0) throw runtime_error("EncodeDigestPKCS1: Out of memory"); *out = buf; *out_len = (unsigned)len; } const ASN1_OBJECT* GetASN1Object(X509_ALGOR* alg) { const ASN1_OBJECT* obj; X509_ALGOR_get0(&obj, nullptr, nullptr, alg); return obj; } X509_ALGOR* GetDigestAlgorithm(CMS_SignerInfo* si) { EVP_PKEY* pkey; X509* cert; X509_ALGOR* digestAlgorithm; X509_ALGOR* signingAlgorithm; CMS_SignerInfo_get0_algs(si, &pkey, &cert, &digestAlgorithm, &signingAlgorithm); return digestAlgorithm; } STACK_OF(X509_ATTRIBUTE)* GetSignedAttributesCopy(CMS_SignerInfo* si) { STACK_OF(X509_ATTRIBUTE)* ret = nullptr; int count = CMS_signed_get_attr_count(si); for (int i = 0; i < count; i++) { auto attr = CMS_signed_get_attr(si, i); if (X509at_add1_attr(&ret, attr) == nullptr) goto Error; } return ret; Error: sk_X509_ATTRIBUTE_free(ret); throw runtime_error("GetSignedAttributes: Out of memory"); } // Used for reordering of signed attributes in ANS1 serialization ASN1_ITEM_TEMPLATE(CMS_Attributes_Sign) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_ORDER, 0, CMS_ATTRIBUTES, X509_ATTRIBUTE) ASN1_ITEM_TEMPLATE_END(CMS_Attributes_Sign) // Used for the serialization of a digest for signing ASN1_SEQUENCE(X509_Signature) = { ASN1_SIMPLE(X509_Signature, algor, X509_ALGOR), ASN1_SIMPLE(X509_Signature, digest, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(X509_Signature); From beldmit at gmail.com Sat Oct 24 10:12:04 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Sat, 24 Oct 2020 13:12:04 +0300 Subject: How to plug an external encryption to CMS_SignerInfo signing? In-Reply-To: References: Message-ID: Dear Francesco, On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto wrote: > Hello, > > I'm trying to create a CMS context for subsequent export using > CMS_sign(). I add a signer using CMS_add1_signer() that allows me to > specify a X509 certificate and a hash function. I would like the CMS > context to perform hash computation and ANS1 structure filling, but I > want to delegate encryption to an external service, for example an > hardware encryption token (I'm assuming this is a very common use > case). At this point I'm in a stalemate since CMS_add1_signer() asks > me for a private EVP_PKEY that is compatible with the public key > present in the X509 certificate. No other function seems to exist to > create a CMS_SignerInfo by providing an external mechanism for > encryption. > > My hacky solution was to add a signer CMS_add1_signer() supplying the > public key stored in the X509 certificate in the place of the private > one. This passes internal checks of the function and allows me to > subsequently handle (manually) all the ANS1 structure filling and hash > computations. This is barely doable with public openssl API and still > requires a big rip-off of private openssl code (attached as a > standalone C++ class, if it can be useful for someone). > > My question is: is there an easier mechanism to plug a separate > encryption method when creating the CMS_SignerInfo structure and have > openssl do all the other dirty work for me? If so, is it possible to > do with openssl 1.1.0/1.1.1? > Engines allow operating by private keys in such a manner. You have to reimplement all the callbacks dealing with private keys. Also, it's possible you have to write some wrappers for the functions dealing with public keys. For 3.0, the providers should do the same trick, I think. -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From ceztko at gmail.com Sat Oct 24 10:45:26 2020 From: ceztko at gmail.com (Francesco Pretto) Date: Sat, 24 Oct 2020 12:45:26 +0200 Subject: How to plug an external encryption to CMS_SignerInfo signing? In-Reply-To: References: Message-ID: Hi Dmitry, thank you for the prompt answer. Are you able to provide me with a link to an example of creating such engines that will fit this use case? On my searches I was able to find staff like EVP_PKEY_METHOD[1] but I wasn't able to use them for my purpose. Not assuming how stuff works today, ideally for me such engine should work like this: - I prepare an engine that is able to deal with private keys only, and just for encryption; - I create a fake EVP_PKEY* that will use this engine; - I supply this private key to CMS_add1_signer(), together with the usual/regular X509 certificate, parsed for example from DER/PEM. Even if CMS_add1_signer()[2] is currently performing a validation of the EVP_PKEY passed, it shouldn't be hard to patch to avoid doing such a check, for example by supplying a newly created flag that specifies to not do it. If engines can't be operated this way, then I'm afraid they will still require more boilerplate code than really necessary. Cheers, Francesco [1] https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html [2] https://github.com/openssl/openssl/blob/d1fb6b481b1d70932a1435f83eae10cc68edbe36/crypto/cms/cms_sd.c#L269 On Sat, 24 Oct 2020 at 12:12, Dmitry Belyavsky wrote: > > Dear Francesco, > > On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto wrote: >> >> Hello, >> >> I'm trying to create a CMS context for subsequent export using >> CMS_sign(). I add a signer using CMS_add1_signer() that allows me to >> specify a X509 certificate and a hash function. I would like the CMS >> context to perform hash computation and ANS1 structure filling, but I >> want to delegate encryption to an external service, for example an >> hardware encryption token (I'm assuming this is a very common use >> case). At this point I'm in a stalemate since CMS_add1_signer() asks >> me for a private EVP_PKEY that is compatible with the public key >> present in the X509 certificate. No other function seems to exist to >> create a CMS_SignerInfo by providing an external mechanism for >> encryption. >> >> My hacky solution was to add a signer CMS_add1_signer() supplying the >> public key stored in the X509 certificate in the place of the private >> one. This passes internal checks of the function and allows me to >> subsequently handle (manually) all the ANS1 structure filling and hash >> computations. This is barely doable with public openssl API and still >> requires a big rip-off of private openssl code (attached as a >> standalone C++ class, if it can be useful for someone). >> >> My question is: is there an easier mechanism to plug a separate >> encryption method when creating the CMS_SignerInfo structure and have >> openssl do all the other dirty work for me? If so, is it possible to >> do with openssl 1.1.0/1.1.1? > > > Engines allow operating by private keys in such a manner. > You have to reimplement all the callbacks dealing with private keys. Also, it's possible you have to write some wrappers for the functions dealing with public keys. > > For 3.0, the providers should do the same trick, I think. > > -- > SY, Dmitry Belyavsky From beldmit at gmail.com Sat Oct 24 11:56:04 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Sat, 24 Oct 2020 14:56:04 +0300 Subject: How to plug an external encryption to CMS_SignerInfo signing? In-Reply-To: References: Message-ID: Dear Francesco, I think this link is relevant: https://github.com/OpenSC/libp11/blob/master/src/eng_front.c On Sat, Oct 24, 2020 at 1:45 PM Francesco Pretto wrote: > Hi Dmitry, > > thank you for the prompt answer. Are you able to provide me with a > link to an example of creating such engines that will fit this use > case? On my searches I was able to find staff like EVP_PKEY_METHOD[1] > but I wasn't able to use them for my purpose. Not assuming how stuff > works today, ideally for me such engine should work like this: > - I prepare an engine that is able to deal with private keys only, and > just for encryption; > - I create a fake EVP_PKEY* that will use this engine; > - I supply this private key to CMS_add1_signer(), together with the > usual/regular X509 certificate, parsed for example from DER/PEM. > > Even if CMS_add1_signer()[2] is currently performing a validation of > the EVP_PKEY passed, it shouldn't be hard to patch to avoid doing such > a check, for example by supplying a newly created flag that specifies > to not do it. > > If engines can't be operated this way, then I'm afraid they will still > require more boilerplate code than really necessary. > > Cheers, > Francesco > > [1] https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_METHOD.html > [2] > https://github.com/openssl/openssl/blob/d1fb6b481b1d70932a1435f83eae10cc68edbe36/crypto/cms/cms_sd.c#L269 > > > On Sat, 24 Oct 2020 at 12:12, Dmitry Belyavsky wrote: > > > > Dear Francesco, > > > > On Sat, Oct 24, 2020 at 1:06 PM Francesco Pretto > wrote: > >> > >> Hello, > >> > >> I'm trying to create a CMS context for subsequent export using > >> CMS_sign(). I add a signer using CMS_add1_signer() that allows me to > >> specify a X509 certificate and a hash function. I would like the CMS > >> context to perform hash computation and ANS1 structure filling, but I > >> want to delegate encryption to an external service, for example an > >> hardware encryption token (I'm assuming this is a very common use > >> case). At this point I'm in a stalemate since CMS_add1_signer() asks > >> me for a private EVP_PKEY that is compatible with the public key > >> present in the X509 certificate. No other function seems to exist to > >> create a CMS_SignerInfo by providing an external mechanism for > >> encryption. > >> > >> My hacky solution was to add a signer CMS_add1_signer() supplying the > >> public key stored in the X509 certificate in the place of the private > >> one. This passes internal checks of the function and allows me to > >> subsequently handle (manually) all the ANS1 structure filling and hash > >> computations. This is barely doable with public openssl API and still > >> requires a big rip-off of private openssl code (attached as a > >> standalone C++ class, if it can be useful for someone). > >> > >> My question is: is there an easier mechanism to plug a separate > >> encryption method when creating the CMS_SignerInfo structure and have > >> openssl do all the other dirty work for me? If so, is it possible to > >> do with openssl 1.1.0/1.1.1? > > > > > > Engines allow operating by private keys in such a manner. > > You have to reimplement all the callbacks dealing with private keys. > Also, it's possible you have to write some wrappers for the functions > dealing with public keys. > > > > For 3.0, the providers should do the same trick, I think. > > > > -- > > SY, Dmitry Belyavsky > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From brettstahlman at gmail.com Sat Oct 24 14:09:11 2020 From: brettstahlman at gmail.com (Brett Stahlman) Date: Sat, 24 Oct 2020 10:09:11 -0400 Subject: CAPI engine seems to break server validation In-Reply-To: References: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> Message-ID: Jakob, I don't really understand why the engine *needs* to do PSS. Neither of the badssl certificates seem to use it for signatures. (I'm assuming the fact that a cert was signed with RSA-PSS would show up in the Windows certificate viewer...) If you could give a short summary of the problem as you understand it, perhaps it would help me narrow in on a workaround. I'd be happy with even an ugly patch at this point. Given that server verification works fine with a ca-bundle file, I wonder whether it would be possible to have the capi engine handle only the client authentication. As you understand it, would the problem breaking server verification also preclude client authentication with the capi engine? Thanks, Brett S. On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users < openssl-users at openssl.org> wrote: > On 2020-10-23 15:45, Matt Caswell wrote: > > > > On 23/10/2020 14:10, Brett Stahlman wrote: > >> It seems that the CAPI engine is breaking the server verification > somehow. > >> Note that the only reason I'm using the ca-bundle.crt is that I couldn't > >> figure out how to get CAPI to load the Windows "ROOT" certificate > >> store, which contains the requisite CA certs. Ideally, server > >> authentication would use the CA certs in the Windows "ROOT" store, and > >> client authentication would use the certs in the Windows "MY" store, but > >> CAPI doesn't appear to be loading either one. > > This is probably the following issue: > > > > https://github.com/openssl/openssl/issues/8872 > > > > Matt > Looking at the brutal wontfixing of that bug, maybe reconsider if the > existing engine interface can do PSS by simply having the CAPI/CAPIng > engine export the generic PKEY type for PSS-capable RSA keys. Also, > maybe use a compatible stronger CAPI "provider" (their engines) to do > stronger hashes etc. > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From brettstahlman at gmail.com Sat Oct 24 16:23:13 2020 From: brettstahlman at gmail.com (Brett Stahlman) Date: Sat, 24 Oct 2020 12:23:13 -0400 Subject: CAPI engine seems to break server validation In-Reply-To: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> References: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> Message-ID: Btw, how do you build the CAPI engine in versions of openssl that don't have the enable-capieng configure argument (e.g., 1.0.2u)? I tried -D__COMPILE_CAPIENG, but e_capi.c isn't even being compiled. Thanks, Brett S. On Fri, Oct 23, 2020 at 9:45 AM Matt Caswell wrote: > > > On 23/10/2020 14:10, Brett Stahlman wrote: > > It seems that the CAPI engine is breaking the server verification > somehow. > > Note that the only reason I'm using the ca-bundle.crt is that I couldn't > > figure out how to get CAPI to load the Windows "ROOT" certificate > > store, which contains the requisite CA certs. Ideally, server > > authentication would use the CA certs in the Windows "ROOT" store, and > > client authentication would use the certs in the Windows "MY" store, but > > CAPI doesn't appear to be loading either one. > > This is probably the following issue: > > https://github.com/openssl/openssl/issues/8872 > > Matt > -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Sun Oct 25 07:27:00 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Sun, 25 Oct 2020 12:57:00 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation Message-ID: Hello Everyone, I have just joined the openssl users community. My requirement is to have the SSLv3 and weak ciphers enable with openssl installation . I have a query regarding enabling SSLv3 protocol and weak ciphers with openssl-1.1.1h installation I have followed the below steps 1) *./config -enable-weak-ssl-ciphers* *2) The Makefile looks as below* *===============================* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ## ## Makefile for OpenSSL ## ## WARNING: do not edit! ## Generated by Configure from Configurations/common0.tmpl, Configurations/unix-Makefile.tmpl, Configurations/common.tmpl PLATFORM=linux-x86_64 OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan no-unit-test no-zlib no-zlib-dynamic CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") SRCDIR=. BLDDIR=. VERSION=1.1.1h MAJOR=1 MINOR=1.1 SHLIB_VERSION_NUMBER=1.1 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=1 SHLIB_MINOR=1 SHLIB_TARGET=linux-shared SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) SHLIB_EXT_SIMPLE=.so SHLIB_EXT_IMPORT= LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" ENGINES=engines/afalg.so engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so @ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ if i do any openssl operations it gives error ( core dumped ) *./openssl ciphers -V* * Segmentation fault (core dumped)* *Can someone help me in resolving this issue ?* If i don't use option* "**-enable-weak-ssl-ciphers " *then the above issue is not seen but SSLv3 and weak ciphers do not get enable. Thanks Satyam -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Mon Oct 26 06:33:37 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 12:03:37 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Hello, Any Suggestions on how this can be done ? why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers ,* also what is the location of the crash file. Thanks Satyam On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra wrote: > Hello Everyone, > > I have just joined the openssl users community. > My requirement is to have the SSLv3 and weak ciphers enable with openssl > installation . > I have a query regarding enabling SSLv3 protocol and weak ciphers with > openssl-1.1.1h installation > > I have followed the below steps > > 1) *./config -enable-weak-ssl-ciphers* > > > *2) The Makefile looks as below* > > *===============================* > > > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > ## > > ## Makefile for OpenSSL > > ## > > ## WARNING: do not edit! > > ## Generated by Configure from Configurations/common0.tmpl, > Configurations/unix-Makefile.tmpl, Configurations/common.tmpl > > > PLATFORM=linux-x86_64 > > OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ no-crypto-mdebug > no-crypto-mdebug-backtrace no-devcryptoeng no-ec_nistp_64_gcc_128 no-egd > no-external-tests no-fuzz-afl no-fuzz-libfuzzer no-heartbeats no-md2 > no-msan no-rc5 no-sctp no-ubsan no-unit-test no-zlib no-zlib-dynamic > > CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") > > SRCDIR=. > > BLDDIR=. > > > VERSION=1.1.1h > > MAJOR=1 > > MINOR=1.1 > > SHLIB_VERSION_NUMBER=1.1 > > SHLIB_VERSION_HISTORY= > > SHLIB_MAJOR=1 > > SHLIB_MINOR=1 > > SHLIB_TARGET=linux-shared > > SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) > > SHLIB_EXT_SIMPLE=.so > > SHLIB_EXT_IMPORT= > > > LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a > > SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) > > SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" > "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" > > ENGINES=engines/afalg.so engines/capi.so engines/dasync.so > engines/ossltest.so engines/padlock.so > > @ > > > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > > if i do any openssl operations it gives error ( core dumped ) > > > *./openssl ciphers -V* > > * Segmentation fault (core dumped)* > > > *Can someone help me in resolving this issue ?* > > > If i don't use option* "**-enable-weak-ssl-ciphers " *then the above > issue is not seen but SSLv3 and weak ciphers do not get enable. > > > Thanks > > Satyam > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 06:46:06 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 09:46:06 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra wrote: > Hello, > > Any Suggestions on how this can be done ? > why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers > ,* also what is the location of the crash file. > > Thanks > Satyam > > On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra wrote: > >> Hello Everyone, >> >> I have just joined the openssl users community. >> My requirement is to have the SSLv3 and weak ciphers enable with openssl >> installation . >> I have a query regarding enabling SSLv3 protocol and weak ciphers with >> openssl-1.1.1h installation >> >> I have followed the below steps >> >> 1) *./config -enable-weak-ssl-ciphers* >> >> >> *2) The Makefile looks as below* >> >> *===============================* >> >> >> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> >> >> ## >> >> ## Makefile for OpenSSL >> >> ## >> >> ## WARNING: do not edit! >> >> ## Generated by Configure from Configurations/common0.tmpl, >> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >> >> >> PLATFORM=linux-x86_64 >> >> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >> no-unit-test no-zlib no-zlib-dynamic >> >> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >> >> SRCDIR=. >> >> BLDDIR=. >> >> >> VERSION=1.1.1h >> >> MAJOR=1 >> >> MINOR=1.1 >> >> SHLIB_VERSION_NUMBER=1.1 >> >> SHLIB_VERSION_HISTORY= >> >> SHLIB_MAJOR=1 >> >> SHLIB_MINOR=1 >> >> SHLIB_TARGET=linux-shared >> >> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >> >> SHLIB_EXT_SIMPLE=.so >> >> SHLIB_EXT_IMPORT= >> >> >> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >> >> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >> >> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >> >> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >> engines/ossltest.so engines/padlock.so >> >> @ >> >> >> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> >> >> if i do any openssl operations it gives error ( core dumped ) >> >> >> *./openssl ciphers -V* >> >> * Segmentation fault (core dumped)* >> >> >> *Can someone help me in resolving this issue ?* >> >> >> If i don't use option* "**-enable-weak-ssl-ciphers " *then the above >> issue is not seen but SSLv3 and weak ciphers do not get enable. >> >> >> Thanks >> >> Satyam >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Mon Oct 26 08:34:09 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 14:04:09 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Hi Dmitry, >>If you have just built the openssl, try to set the LD_LIBRARY_PATH environment variable pointing to freshly built libcrypto/libssl I try setting the LD_LIBRARY_PATH but it is still crashing *which openssl* * /usr/local/bin/openssl* *export LD_LIBRARY_PATH=/usr/local/lib64/* ls -lhrt total 11M drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> libcrypto.so.1.1 lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> libssl.so.1.1 drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 *openssl ciphers -V* * Segmentation fault* *gdb ./openssl core.3370 * GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: ... Reading symbols from /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols found)...done. [New LWP 3370] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `openssl ciphers -V'. Program terminated with signal 11, Segmentation fault. #0 0x000000000041c53d in do_body.isra.3 () (gdb) bt #0 0x000000000041c53d in do_body.isra.3 () (gdb) Thanks Satyam On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky wrote: > If you have just built the openssl, try to set the LD_LIBRARY_PATH > environment variable pointing to freshly built libcrypto/libssl > > On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra > wrote: > >> Hello, >> >> Any Suggestions on how this can be done ? >> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >> ,* also what is the location of the crash file. >> >> Thanks >> Satyam >> >> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >> wrote: >> >>> Hello Everyone, >>> >>> I have just joined the openssl users community. >>> My requirement is to have the SSLv3 and weak ciphers enable with >>> openssl installation . >>> I have a query regarding enabling SSLv3 protocol and weak ciphers with >>> openssl-1.1.1h installation >>> >>> I have followed the below steps >>> >>> 1) *./config -enable-weak-ssl-ciphers* >>> >>> >>> *2) The Makefile looks as below* >>> >>> *===============================* >>> >>> >>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>> >>> >>> ## >>> >>> ## Makefile for OpenSSL >>> >>> ## >>> >>> ## WARNING: do not edit! >>> >>> ## Generated by Configure from Configurations/common0.tmpl, >>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>> >>> >>> PLATFORM=linux-x86_64 >>> >>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>> no-unit-test no-zlib no-zlib-dynamic >>> >>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>> >>> SRCDIR=. >>> >>> BLDDIR=. >>> >>> >>> VERSION=1.1.1h >>> >>> MAJOR=1 >>> >>> MINOR=1.1 >>> >>> SHLIB_VERSION_NUMBER=1.1 >>> >>> SHLIB_VERSION_HISTORY= >>> >>> SHLIB_MAJOR=1 >>> >>> SHLIB_MINOR=1 >>> >>> SHLIB_TARGET=linux-shared >>> >>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>> >>> SHLIB_EXT_SIMPLE=.so >>> >>> SHLIB_EXT_IMPORT= >>> >>> >>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>> >>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>> >>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>> >>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>> engines/ossltest.so engines/padlock.so >>> >>> @ >>> >>> >>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>> >>> >>> if i do any openssl operations it gives error ( core dumped ) >>> >>> >>> *./openssl ciphers -V* >>> >>> * Segmentation fault (core dumped)* >>> >>> >>> *Can someone help me in resolving this issue ?* >>> >>> >>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the above >>> issue is not seen but SSLv3 and weak ciphers do not get enable. >>> >>> >>> Thanks >>> >>> Satyam >>> >> > > -- > SY, Dmitry Belyavsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 12:20:42 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 15:20:42 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Satyam, First of all, I'll suggest checking whether the libcrypto/libssl are those you've built. It can be done, e.g., via running strace. I also suggest building openssl with -ggdb (./config -ggdb should do the trick). On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra wrote: > Hi Dmitry, > > >>If you have just built the openssl, try to set the LD_LIBRARY_PATH > environment variable pointing to freshly built libcrypto/libssl > > I try setting the LD_LIBRARY_PATH but it is still crashing > > *which openssl* > > * /usr/local/bin/openssl* > > > *export LD_LIBRARY_PATH=/usr/local/lib64/* > > > ls -lhrt > > total 11M > > drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig > > -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 > > -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 > > -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a > > -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a > > lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> > libcrypto.so.1.1 > > lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> > libssl.so.1.1 > > drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 > > > > *openssl ciphers -V* > > * Segmentation fault* > > > *gdb ./openssl core.3370 * > > > GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 > > Copyright (C) 2013 Free Software Foundation, Inc. > > License GPLv3+: GNU GPL version 3 or later < > http://gnu.org/licenses/gpl.html> > > This is free software: you are free to change and redistribute it. > > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > > and "show warranty" for details. > > This GDB was configured as "x86_64-redhat-linux-gnu". > > For bug reporting instructions, please see: > > ... > > Reading symbols from > /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols > found)...done. > > [New LWP 3370] > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > Core was generated by `openssl ciphers -V'. > > Program terminated with signal 11, Segmentation fault. > > #0 0x000000000041c53d in do_body.isra.3 () > > (gdb) bt > > #0 0x000000000041c53d in do_body.isra.3 () > > (gdb) > > > > > Thanks > > Satyam > > > > > On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky wrote: > >> If you have just built the openssl, try to set the LD_LIBRARY_PATH >> environment variable pointing to freshly built libcrypto/libssl >> >> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >> wrote: >> >>> Hello, >>> >>> Any Suggestions on how this can be done ? >>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>> ,* also what is the location of the crash file. >>> >>> Thanks >>> Satyam >>> >>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>> wrote: >>> >>>> Hello Everyone, >>>> >>>> I have just joined the openssl users community. >>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>> openssl installation . >>>> I have a query regarding enabling SSLv3 protocol and weak ciphers with >>>> openssl-1.1.1h installation >>>> >>>> I have followed the below steps >>>> >>>> 1) *./config -enable-weak-ssl-ciphers* >>>> >>>> >>>> *2) The Makefile looks as below* >>>> >>>> *===============================* >>>> >>>> >>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>> >>>> >>>> ## >>>> >>>> ## Makefile for OpenSSL >>>> >>>> ## >>>> >>>> ## WARNING: do not edit! >>>> >>>> ## Generated by Configure from Configurations/common0.tmpl, >>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>> >>>> >>>> PLATFORM=linux-x86_64 >>>> >>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>> no-unit-test no-zlib no-zlib-dynamic >>>> >>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>> >>>> SRCDIR=. >>>> >>>> BLDDIR=. >>>> >>>> >>>> VERSION=1.1.1h >>>> >>>> MAJOR=1 >>>> >>>> MINOR=1.1 >>>> >>>> SHLIB_VERSION_NUMBER=1.1 >>>> >>>> SHLIB_VERSION_HISTORY= >>>> >>>> SHLIB_MAJOR=1 >>>> >>>> SHLIB_MINOR=1 >>>> >>>> SHLIB_TARGET=linux-shared >>>> >>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>> >>>> SHLIB_EXT_SIMPLE=.so >>>> >>>> SHLIB_EXT_IMPORT= >>>> >>>> >>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>> >>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>> >>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>> >>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>> engines/ossltest.so engines/padlock.so >>>> >>>> @ >>>> >>>> >>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>> >>>> >>>> if i do any openssl operations it gives error ( core dumped ) >>>> >>>> >>>> *./openssl ciphers -V* >>>> >>>> * Segmentation fault (core dumped)* >>>> >>>> >>>> *Can someone help me in resolving this issue ?* >>>> >>>> >>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the above >>>> issue is not seen but SSLv3 and weak ciphers do not get enable. >>>> >>>> >>>> Thanks >>>> >>>> Satyam >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From jb-openssl at wisemo.com Mon Oct 26 13:35:14 2020 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Mon, 26 Oct 2020 14:35:14 +0100 Subject: CAPI engine seems to break server validation In-Reply-To: References: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> Message-ID: <7be76775-b1de-7fb8-47f8-eb9ba8250c7a@wisemo.com> On 2020-10-24 16:09, Brett Stahlman wrote: > Jakob, > I don't really understand why the engine *needs* to do PSS. Neither of > the badssl certificates seem to use it for signatures. (I'm assuming the > fact that a cert was signed with RSA-PSS would show up in the Windows > certificate viewer...) If you could give a short summary of the problem > as you understand it, perhaps it would help me narrow in on a > workaround. I'd be happy with even an ugly patch at this point. Given > that server verification works fine with a ca-bundle file, I wonder > whether it would be possible to have the capi engine handle only the > client authentication. As you understand it, would the problem breaking > server verification also preclude client authentication with the capi > engine? > From the content of your mails, I inferred that whatever you tried to do caused OpenSSL to attempt to generate PSS signatures, but failing to pass that job to the CAPI engine. I was commenting on how that might be made to work. > On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users > > wrote: > > On 2020-10-23 15:45, Matt Caswell wrote: > > > > On 23/10/2020 14:10, Brett Stahlman wrote: > >> It seems that the CAPI engine is breaking the server > verification somehow. > >> Note that the only reason I'm using the ca-bundle.crt is that I > couldn't > >> figure out how to get CAPI to load the Windows "ROOT" certificate > >> store,?which contains the requisite CA certs. Ideally, server > >> authentication would use the CA certs in the Windows "ROOT" > store, and > >> client authentication would use the certs in the Windows "MY" > store, but > >> CAPI doesn't appear to be loading either one. > > This is probably the following issue: > > > > https://github.com/openssl/openssl/issues/8872 > > > > Matt > Looking at the brutal wontfixing of that bug, maybe reconsider if the > existing engine interface can do PSS by simply having the CAPI/CAPIng > engine export the generic PKEY type for PSS-capable RSA keys.? Also, > maybe use a compatible stronger CAPI "provider" (their engines) to do > stronger hashes etc. > > Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From satyam226 at gmail.com Mon Oct 26 13:54:17 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 19:24:17 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Dmitry, As suggested i have build the openssl with -ggdb ( ./config -ggdb -enable-weak-ssl-ciphers ) and after building i did make install as well. The strace output is as below ============================== *strace ./openssl* execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 brk(NULL) = 0x1b4f000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046813000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 close(3) = 0 open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3046354000 mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 close(3) = 0 open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046809000 mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045e68000 mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 close(3) = 0 open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045c64000 mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 close(3) = 0 open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045a48000 mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f304567a000 mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046808000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046806000 arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 mprotect(0x7f3046322000, 176128, PROT_READ) = 0 mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 mprotect(0x692000, 4096, PROT_READ) = 0 mprotect(0x7f3046814000, 4096, PROT_READ) = 0 munmap(0x7f304680a000, 35929) = 0 set_tid_address(0x7f3046806a10) = 47865 set_robust_list(0x7f3046806a20, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- +++ killed by SIGSEGV (core dumped) +++ Segmentation fault *Thanks* *Satyam* On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky wrote: > Dear Satyam, > > First of all, I'll suggest checking whether the libcrypto/libssl are those > you've built. It can be done, e.g., via running strace. > > I also suggest building openssl with -ggdb (./config -ggdb should do the > trick). > > On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra > wrote: > >> Hi Dmitry, >> >> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >> environment variable pointing to freshly built libcrypto/libssl >> >> I try setting the LD_LIBRARY_PATH but it is still crashing >> >> *which openssl* >> >> * /usr/local/bin/openssl* >> >> >> *export LD_LIBRARY_PATH=/usr/local/lib64/* >> >> >> ls -lhrt >> >> total 11M >> >> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >> >> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >> >> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >> >> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >> >> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >> >> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >> libcrypto.so.1.1 >> >> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >> libssl.so.1.1 >> >> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >> >> >> >> *openssl ciphers -V* >> >> * Segmentation fault* >> >> >> *gdb ./openssl core.3370 * >> >> >> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >> >> Copyright (C) 2013 Free Software Foundation, Inc. >> >> License GPLv3+: GNU GPL version 3 or later < >> http://gnu.org/licenses/gpl.html> >> >> This is free software: you are free to change and redistribute it. >> >> There is NO WARRANTY, to the extent permitted by law. Type "show >> copying" >> >> and "show warranty" for details. >> >> This GDB was configured as "x86_64-redhat-linux-gnu". >> >> For bug reporting instructions, please see: >> >> ... >> >> Reading symbols from >> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >> found)...done. >> >> [New LWP 3370] >> >> [Thread debugging using libthread_db enabled] >> >> Using host libthread_db library "/lib64/libthread_db.so.1". >> >> Core was generated by `openssl ciphers -V'. >> >> Program terminated with signal 11, Segmentation fault. >> >> #0 0x000000000041c53d in do_body.isra.3 () >> >> (gdb) bt >> >> #0 0x000000000041c53d in do_body.isra.3 () >> >> (gdb) >> >> >> >> >> Thanks >> >> Satyam >> >> >> >> >> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky wrote: >> >>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>> environment variable pointing to freshly built libcrypto/libssl >>> >>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >>> wrote: >>> >>>> Hello, >>>> >>>> Any Suggestions on how this can be done ? >>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>> ,* also what is the location of the crash file. >>>> >>>> Thanks >>>> Satyam >>>> >>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>> wrote: >>>> >>>>> Hello Everyone, >>>>> >>>>> I have just joined the openssl users community. >>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>> openssl installation . >>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers with >>>>> openssl-1.1.1h installation >>>>> >>>>> I have followed the below steps >>>>> >>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>> >>>>> >>>>> *2) The Makefile looks as below* >>>>> >>>>> *===============================* >>>>> >>>>> >>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>> >>>>> >>>>> ## >>>>> >>>>> ## Makefile for OpenSSL >>>>> >>>>> ## >>>>> >>>>> ## WARNING: do not edit! >>>>> >>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>> >>>>> >>>>> PLATFORM=linux-x86_64 >>>>> >>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>> no-unit-test no-zlib no-zlib-dynamic >>>>> >>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>> >>>>> SRCDIR=. >>>>> >>>>> BLDDIR=. >>>>> >>>>> >>>>> VERSION=1.1.1h >>>>> >>>>> MAJOR=1 >>>>> >>>>> MINOR=1.1 >>>>> >>>>> SHLIB_VERSION_NUMBER=1.1 >>>>> >>>>> SHLIB_VERSION_HISTORY= >>>>> >>>>> SHLIB_MAJOR=1 >>>>> >>>>> SHLIB_MINOR=1 >>>>> >>>>> SHLIB_TARGET=linux-shared >>>>> >>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>> >>>>> SHLIB_EXT_SIMPLE=.so >>>>> >>>>> SHLIB_EXT_IMPORT= >>>>> >>>>> >>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>> >>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>> >>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>> >>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>> engines/ossltest.so engines/padlock.so >>>>> >>>>> @ >>>>> >>>>> >>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>> >>>>> >>>>> if i do any openssl operations it gives error ( core dumped ) >>>>> >>>>> >>>>> *./openssl ciphers -V* >>>>> >>>>> * Segmentation fault (core dumped)* >>>>> >>>>> >>>>> *Can someone help me in resolving this issue ?* >>>>> >>>>> >>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the above >>>>> issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>> >>>>> >>>>> Thanks >>>>> >>>>> Satyam >>>>> >>>> >>> >>> -- >>> SY, Dmitry Belyavsky >>> >> > > -- > SY, Dmitry Belyavsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 14:03:32 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 17:03:32 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? If yes, you should try running via gdb to get a backtrace. On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra wrote: > Dear Dmitry, > > As suggested i have build the openssl with -ggdb ( ./config -ggdb > -enable-weak-ssl-ciphers ) and after building i did make install as well. > > The strace output is as below > ============================== > > *strace ./openssl* > > > execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 > > brk(NULL) = 0x1b4f000 > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7f3046813000 > > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or > directory) > > open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 > > fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 > > mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 > > close(3) = 0 > > open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 > > read(3, > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) > = 832 > > fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 > > mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f3046354000 > > mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 > > mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 > > close(3) = 0 > > open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 > > read(3, > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = > 832 > > fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7f3046809000 > > mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f3045e68000 > > mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 > > mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 > > mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 > > close(3) = 0 > > open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 > > read(3, > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = > 832 > > fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 > > mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f3045c64000 > > mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 > > mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 > > close(3) = 0 > > open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 > > read(3, > "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) > = 832 > > fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 > > mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f3045a48000 > > mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 > > mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 > > mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 > > close(3) = 0 > > open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 > > read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., > 832) = 832 > > fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 > > mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) > = 0x7f304567a000 > > mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 > > mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 > > mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 > > close(3) = 0 > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7f3046808000 > > mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = > 0x7f3046806000 > > arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 > > mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 > > mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 > > mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 > > mprotect(0x7f3046322000, 176128, PROT_READ) = 0 > > mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 > > mprotect(0x692000, 4096, PROT_READ) = 0 > > mprotect(0x7f3046814000, 4096, PROT_READ) = 0 > > munmap(0x7f304680a000, 35929) = 0 > > set_tid_address(0x7f3046806a10) = 47865 > > set_robust_list(0x7f3046806a20, 24) = 0 > > rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], > sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 > > rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], > sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, > NULL, 8) = 0 > > rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 > > getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 > > --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- > > +++ killed by SIGSEGV (core dumped) +++ > > Segmentation fault > > > > *Thanks* > > *Satyam* > > > > On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky wrote: > >> Dear Satyam, >> >> First of all, I'll suggest checking whether the libcrypto/libssl are >> those you've built. It can be done, e.g., via running strace. >> >> I also suggest building openssl with -ggdb (./config -ggdb should do the >> trick). >> >> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra >> wrote: >> >>> Hi Dmitry, >>> >>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >>> environment variable pointing to freshly built libcrypto/libssl >>> >>> I try setting the LD_LIBRARY_PATH but it is still crashing >>> >>> *which openssl* >>> >>> * /usr/local/bin/openssl* >>> >>> >>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>> >>> >>> ls -lhrt >>> >>> total 11M >>> >>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>> >>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>> >>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>> >>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>> >>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>> >>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>> libcrypto.so.1.1 >>> >>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>> libssl.so.1.1 >>> >>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>> >>> >>> >>> *openssl ciphers -V* >>> >>> * Segmentation fault* >>> >>> >>> *gdb ./openssl core.3370 * >>> >>> >>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>> >>> Copyright (C) 2013 Free Software Foundation, Inc. >>> >>> License GPLv3+: GNU GPL version 3 or later < >>> http://gnu.org/licenses/gpl.html> >>> >>> This is free software: you are free to change and redistribute it. >>> >>> There is NO WARRANTY, to the extent permitted by law. Type "show >>> copying" >>> >>> and "show warranty" for details. >>> >>> This GDB was configured as "x86_64-redhat-linux-gnu". >>> >>> For bug reporting instructions, please see: >>> >>> ... >>> >>> Reading symbols from >>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>> found)...done. >>> >>> [New LWP 3370] >>> >>> [Thread debugging using libthread_db enabled] >>> >>> Using host libthread_db library "/lib64/libthread_db.so.1". >>> >>> Core was generated by `openssl ciphers -V'. >>> >>> Program terminated with signal 11, Segmentation fault. >>> >>> #0 0x000000000041c53d in do_body.isra.3 () >>> >>> (gdb) bt >>> >>> #0 0x000000000041c53d in do_body.isra.3 () >>> >>> (gdb) >>> >>> >>> >>> >>> Thanks >>> >>> Satyam >>> >>> >>> >>> >>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>> wrote: >>> >>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>> environment variable pointing to freshly built libcrypto/libssl >>>> >>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >>>> wrote: >>>> >>>>> Hello, >>>>> >>>>> Any Suggestions on how this can be done ? >>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>> ,* also what is the location of the crash file. >>>>> >>>>> Thanks >>>>> Satyam >>>>> >>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>>> wrote: >>>>> >>>>>> Hello Everyone, >>>>>> >>>>>> I have just joined the openssl users community. >>>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>>> openssl installation . >>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers >>>>>> with openssl-1.1.1h installation >>>>>> >>>>>> I have followed the below steps >>>>>> >>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>> >>>>>> >>>>>> *2) The Makefile looks as below* >>>>>> >>>>>> *===============================* >>>>>> >>>>>> >>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>> >>>>>> >>>>>> ## >>>>>> >>>>>> ## Makefile for OpenSSL >>>>>> >>>>>> ## >>>>>> >>>>>> ## WARNING: do not edit! >>>>>> >>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>> >>>>>> >>>>>> PLATFORM=linux-x86_64 >>>>>> >>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>> >>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>> >>>>>> SRCDIR=. >>>>>> >>>>>> BLDDIR=. >>>>>> >>>>>> >>>>>> VERSION=1.1.1h >>>>>> >>>>>> MAJOR=1 >>>>>> >>>>>> MINOR=1.1 >>>>>> >>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>> >>>>>> SHLIB_VERSION_HISTORY= >>>>>> >>>>>> SHLIB_MAJOR=1 >>>>>> >>>>>> SHLIB_MINOR=1 >>>>>> >>>>>> SHLIB_TARGET=linux-shared >>>>>> >>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>> >>>>>> SHLIB_EXT_SIMPLE=.so >>>>>> >>>>>> SHLIB_EXT_IMPORT= >>>>>> >>>>>> >>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>> >>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>> >>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>> >>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>> engines/ossltest.so engines/padlock.so >>>>>> >>>>>> @ >>>>>> >>>>>> >>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>> >>>>>> >>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>> >>>>>> >>>>>> *./openssl ciphers -V* >>>>>> >>>>>> * Segmentation fault (core dumped)* >>>>>> >>>>>> >>>>>> *Can someone help me in resolving this issue ?* >>>>>> >>>>>> >>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>> >>>>>> >>>>>> Thanks >>>>>> >>>>>> Satyam >>>>>> >>>>> >>>> >>>> -- >>>> SY, Dmitry Belyavsky >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Mon Oct 26 14:18:44 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 19:48:44 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Dmitry, >>Are the /usr/local/lib64/libssl.so.1.1 and /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? Yes, they are same gdb openssl core.50178 GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". For bug reporting instructions, please see: ... Reading symbols from /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. [New LWP 50178] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/bin/openssl'. Program terminated with signal 11, Segmentation fault. #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, policy=0xfffa320300000000, serial=0x7ffddd58f693, subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 "HISTSIZE=1000", enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", days=140728317048610, batch=-581372099, verbose=-581372056, req=0x7ffddd58f77b, ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, default_op=-581370182, ext_copy=-581370137, selfsign=-581370120, db=, db=) at apps/ca.c:1410 1410 row[i] = NULL; Thanks Satyam On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky wrote: > Are the /usr/local/lib64/libssl.so.1.1 and > /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? > If yes, you should try running via gdb to get a backtrace. > > On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra > wrote: > >> Dear Dmitry, >> >> As suggested i have build the openssl with -ggdb ( ./config -ggdb >> -enable-weak-ssl-ciphers ) and after building i did make install as well. >> >> The strace output is as below >> ============================== >> >> *strace ./openssl* >> >> >> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >> >> brk(NULL) = 0x1b4f000 >> >> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >> = 0x7f3046813000 >> >> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or >> directory) >> >> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >> >> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >> >> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >> >> close(3) = 0 >> >> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >> >> read(3, >> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >> = 832 >> >> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >> >> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) >> = 0x7f3046354000 >> >> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >> >> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >> >> close(3) = 0 >> >> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >> >> read(3, >> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >> 832 >> >> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >> >> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >> = 0x7f3046809000 >> >> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) >> = 0x7f3045e68000 >> >> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >> >> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >> >> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >> >> close(3) = 0 >> >> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >> >> read(3, >> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >> 832 >> >> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >> >> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) >> = 0x7f3045c64000 >> >> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >> >> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >> >> close(3) = 0 >> >> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >> >> read(3, >> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >> = 832 >> >> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >> >> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) >> = 0x7f3045a48000 >> >> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >> >> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >> >> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >> >> close(3) = 0 >> >> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >> >> read(3, >> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >> 832 >> >> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >> >> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) >> = 0x7f304567a000 >> >> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >> >> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >> >> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >> >> close(3) = 0 >> >> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >> = 0x7f3046808000 >> >> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >> = 0x7f3046806000 >> >> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >> >> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >> >> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >> >> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >> >> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >> >> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >> >> mprotect(0x692000, 4096, PROT_READ) = 0 >> >> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >> >> munmap(0x7f304680a000, 35929) = 0 >> >> set_tid_address(0x7f3046806a10) = 47865 >> >> set_robust_list(0x7f3046806a20, 24) = 0 >> >> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >> >> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >> NULL, 8) = 0 >> >> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >> >> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = >> 0 >> >> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >> >> +++ killed by SIGSEGV (core dumped) +++ >> >> Segmentation fault >> >> >> >> *Thanks* >> >> *Satyam* >> >> >> >> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky wrote: >> >>> Dear Satyam, >>> >>> First of all, I'll suggest checking whether the libcrypto/libssl are >>> those you've built. It can be done, e.g., via running strace. >>> >>> I also suggest building openssl with -ggdb (./config -ggdb should do the >>> trick). >>> >>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra >>> wrote: >>> >>>> Hi Dmitry, >>>> >>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>> environment variable pointing to freshly built libcrypto/libssl >>>> >>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>> >>>> *which openssl* >>>> >>>> * /usr/local/bin/openssl* >>>> >>>> >>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>> >>>> >>>> ls -lhrt >>>> >>>> total 11M >>>> >>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>> >>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>> >>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>> >>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>> >>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>> >>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>> libcrypto.so.1.1 >>>> >>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>> libssl.so.1.1 >>>> >>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>> >>>> >>>> >>>> *openssl ciphers -V* >>>> >>>> * Segmentation fault* >>>> >>>> >>>> *gdb ./openssl core.3370 * >>>> >>>> >>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>> >>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>> >>>> License GPLv3+: GNU GPL version 3 or later < >>>> http://gnu.org/licenses/gpl.html> >>>> >>>> This is free software: you are free to change and redistribute it. >>>> >>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>> copying" >>>> >>>> and "show warranty" for details. >>>> >>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>> >>>> For bug reporting instructions, please see: >>>> >>>> ... >>>> >>>> Reading symbols from >>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>> found)...done. >>>> >>>> [New LWP 3370] >>>> >>>> [Thread debugging using libthread_db enabled] >>>> >>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>> >>>> Core was generated by `openssl ciphers -V'. >>>> >>>> Program terminated with signal 11, Segmentation fault. >>>> >>>> #0 0x000000000041c53d in do_body.isra.3 () >>>> >>>> (gdb) bt >>>> >>>> #0 0x000000000041c53d in do_body.isra.3 () >>>> >>>> (gdb) >>>> >>>> >>>> >>>> >>>> Thanks >>>> >>>> Satyam >>>> >>>> >>>> >>>> >>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>> wrote: >>>> >>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>> environment variable pointing to freshly built libcrypto/libssl >>>>> >>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >>>>> wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> Any Suggestions on how this can be done ? >>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>> ,* also what is the location of the crash file. >>>>>> >>>>>> Thanks >>>>>> Satyam >>>>>> >>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>>>> wrote: >>>>>> >>>>>>> Hello Everyone, >>>>>>> >>>>>>> I have just joined the openssl users community. >>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>>>> openssl installation . >>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers >>>>>>> with openssl-1.1.1h installation >>>>>>> >>>>>>> I have followed the below steps >>>>>>> >>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>> >>>>>>> >>>>>>> *2) The Makefile looks as below* >>>>>>> >>>>>>> *===============================* >>>>>>> >>>>>>> >>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>> >>>>>>> >>>>>>> ## >>>>>>> >>>>>>> ## Makefile for OpenSSL >>>>>>> >>>>>>> ## >>>>>>> >>>>>>> ## WARNING: do not edit! >>>>>>> >>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>> >>>>>>> >>>>>>> PLATFORM=linux-x86_64 >>>>>>> >>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>> >>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>> >>>>>>> SRCDIR=. >>>>>>> >>>>>>> BLDDIR=. >>>>>>> >>>>>>> >>>>>>> VERSION=1.1.1h >>>>>>> >>>>>>> MAJOR=1 >>>>>>> >>>>>>> MINOR=1.1 >>>>>>> >>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>> >>>>>>> SHLIB_VERSION_HISTORY= >>>>>>> >>>>>>> SHLIB_MAJOR=1 >>>>>>> >>>>>>> SHLIB_MINOR=1 >>>>>>> >>>>>>> SHLIB_TARGET=linux-shared >>>>>>> >>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>> >>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>> >>>>>>> SHLIB_EXT_IMPORT= >>>>>>> >>>>>>> >>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>> >>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>> >>>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>> >>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>> engines/ossltest.so engines/padlock.so >>>>>>> >>>>>>> @ >>>>>>> >>>>>>> >>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>> >>>>>>> >>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>> >>>>>>> >>>>>>> *./openssl ciphers -V* >>>>>>> >>>>>>> * Segmentation fault (core dumped)* >>>>>>> >>>>>>> >>>>>>> *Can someone help me in resolving this issue ?* >>>>>>> >>>>>>> >>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>> >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> Satyam >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> SY, Dmitry Belyavsky >>>>> >>>> >>> >>> -- >>> SY, Dmitry Belyavsky >>> >> > > -- > SY, Dmitry Belyavsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 14:51:02 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 17:51:02 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: It has nothing to do with the ciphers command... On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra wrote: > Dear Dmitry, > > >>Are the /usr/local/lib64/libssl.so.1.1 and > /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? > Yes, they are same > > gdb openssl core.50178 > > GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 > > Copyright (C) 2013 Free Software Foundation, Inc. > > License GPLv3+: GNU GPL version 3 or later < > http://gnu.org/licenses/gpl.html> > > This is free software: you are free to change and redistribute it. > > There is NO WARRANTY, to the extent permitted by law. Type "show copying" > > and "show warranty" for details. > > This GDB was configured as "x86_64-redhat-linux-gnu". > > For bug reporting instructions, please see: > > ... > > Reading symbols from > /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. > > [New LWP 50178] > > [Thread debugging using libthread_db enabled] > > Using host libthread_db library "/lib64/libthread_db.so.1". > > Core was generated by `/usr/local/bin/openssl'. > > Program terminated with signal 11, Segmentation fault. > > #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, > x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, > policy=0xfffa320300000000, serial=0x7ffddd58f693, > > subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, > multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 > "HISTSIZE=1000", > > enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", > days=140728317048610, batch=-581372099, verbose=-581372056, > req=0x7ffddd58f77b, > > ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", > lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, > default_op=-581370182, > > ext_copy=-581370137, selfsign=-581370120, db=, > db=) at apps/ca.c:1410 > > 1410 row[i] = NULL; > > > > Thanks > > Satyam > > > On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky wrote: > >> Are the /usr/local/lib64/libssl.so.1.1 and >> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >> If yes, you should try running via gdb to get a backtrace. >> >> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra >> wrote: >> >>> Dear Dmitry, >>> >>> As suggested i have build the openssl with -ggdb ( ./config -ggdb >>> -enable-weak-ssl-ciphers ) and after building i did make install as well. >>> >>> The strace output is as below >>> ============================== >>> >>> *strace ./openssl* >>> >>> >>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >>> >>> brk(NULL) = 0x1b4f000 >>> >>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >>> = 0x7f3046813000 >>> >>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or >>> directory) >>> >>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>> >>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>> >>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>> >>> close(3) = 0 >>> >>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>> >>> read(3, >>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>> = 832 >>> >>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>> >>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>> 0) = 0x7f3046354000 >>> >>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>> >>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>> >>> close(3) = 0 >>> >>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>> >>> read(3, >>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>> 832 >>> >>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>> >>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >>> = 0x7f3046809000 >>> >>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>> 0) = 0x7f3045e68000 >>> >>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>> >>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>> >>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>> >>> close(3) = 0 >>> >>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>> >>> read(3, >>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>> 832 >>> >>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>> >>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>> 0) = 0x7f3045c64000 >>> >>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>> >>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>> >>> close(3) = 0 >>> >>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>> >>> read(3, >>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>> = 832 >>> >>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>> >>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>> 0) = 0x7f3045a48000 >>> >>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>> >>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>> >>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>> >>> close(3) = 0 >>> >>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>> >>> read(3, >>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>> 832 >>> >>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>> >>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>> 0) = 0x7f304567a000 >>> >>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>> >>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>> >>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>> >>> close(3) = 0 >>> >>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >>> = 0x7f3046808000 >>> >>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) >>> = 0x7f3046806000 >>> >>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>> >>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>> >>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>> >>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>> >>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>> >>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>> >>> mprotect(0x692000, 4096, PROT_READ) = 0 >>> >>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>> >>> munmap(0x7f304680a000, 35929) = 0 >>> >>> set_tid_address(0x7f3046806a10) = 47865 >>> >>> set_robust_list(0x7f3046806a20, 24) = 0 >>> >>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>> >>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>> NULL, 8) = 0 >>> >>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>> >>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) >>> = 0 >>> >>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >>> >>> +++ killed by SIGSEGV (core dumped) +++ >>> >>> Segmentation fault >>> >>> >>> >>> *Thanks* >>> >>> *Satyam* >>> >>> >>> >>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky >>> wrote: >>> >>>> Dear Satyam, >>>> >>>> First of all, I'll suggest checking whether the libcrypto/libssl are >>>> those you've built. It can be done, e.g., via running strace. >>>> >>>> I also suggest building openssl with -ggdb (./config -ggdb should do >>>> the trick). >>>> >>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra >>>> wrote: >>>> >>>>> Hi Dmitry, >>>>> >>>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>> environment variable pointing to freshly built libcrypto/libssl >>>>> >>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>> >>>>> *which openssl* >>>>> >>>>> * /usr/local/bin/openssl* >>>>> >>>>> >>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>> >>>>> >>>>> ls -lhrt >>>>> >>>>> total 11M >>>>> >>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>> >>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>>> >>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>> >>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>> >>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>> >>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>>> libcrypto.so.1.1 >>>>> >>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>> libssl.so.1.1 >>>>> >>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>> >>>>> >>>>> >>>>> *openssl ciphers -V* >>>>> >>>>> * Segmentation fault* >>>>> >>>>> >>>>> *gdb ./openssl core.3370 * >>>>> >>>>> >>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>> >>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>> >>>>> License GPLv3+: GNU GPL version 3 or later < >>>>> http://gnu.org/licenses/gpl.html> >>>>> >>>>> This is free software: you are free to change and redistribute it. >>>>> >>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>> copying" >>>>> >>>>> and "show warranty" for details. >>>>> >>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>> >>>>> For bug reporting instructions, please see: >>>>> >>>>> ... >>>>> >>>>> Reading symbols from >>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>> found)...done. >>>>> >>>>> [New LWP 3370] >>>>> >>>>> [Thread debugging using libthread_db enabled] >>>>> >>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>> >>>>> Core was generated by `openssl ciphers -V'. >>>>> >>>>> Program terminated with signal 11, Segmentation fault. >>>>> >>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>> >>>>> (gdb) bt >>>>> >>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>> >>>>> (gdb) >>>>> >>>>> >>>>> >>>>> >>>>> Thanks >>>>> >>>>> Satyam >>>>> >>>>> >>>>> >>>>> >>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>>> wrote: >>>>> >>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>> >>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >>>>>> wrote: >>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> Any Suggestions on how this can be done ? >>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>> ,* also what is the location of the crash file. >>>>>>> >>>>>>> Thanks >>>>>>> Satyam >>>>>>> >>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>>>>> wrote: >>>>>>> >>>>>>>> Hello Everyone, >>>>>>>> >>>>>>>> I have just joined the openssl users community. >>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>>>>> openssl installation . >>>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers >>>>>>>> with openssl-1.1.1h installation >>>>>>>> >>>>>>>> I have followed the below steps >>>>>>>> >>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>> >>>>>>>> >>>>>>>> *2) The Makefile looks as below* >>>>>>>> >>>>>>>> *===============================* >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>> >>>>>>>> >>>>>>>> ## >>>>>>>> >>>>>>>> ## Makefile for OpenSSL >>>>>>>> >>>>>>>> ## >>>>>>>> >>>>>>>> ## WARNING: do not edit! >>>>>>>> >>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>> >>>>>>>> >>>>>>>> PLATFORM=linux-x86_64 >>>>>>>> >>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>> >>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>> >>>>>>>> SRCDIR=. >>>>>>>> >>>>>>>> BLDDIR=. >>>>>>>> >>>>>>>> >>>>>>>> VERSION=1.1.1h >>>>>>>> >>>>>>>> MAJOR=1 >>>>>>>> >>>>>>>> MINOR=1.1 >>>>>>>> >>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>> >>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>> >>>>>>>> SHLIB_MAJOR=1 >>>>>>>> >>>>>>>> SHLIB_MINOR=1 >>>>>>>> >>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>> >>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>> >>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>> >>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>> >>>>>>>> >>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>> >>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>> >>>>>>>> SHLIB_INFO=";" "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>> >>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>> >>>>>>>> @ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>> >>>>>>>> >>>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>>> >>>>>>>> >>>>>>>> *./openssl ciphers -V* >>>>>>>> >>>>>>>> * Segmentation fault (core dumped)* >>>>>>>> >>>>>>>> >>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>> >>>>>>>> >>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>> >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>> Satyam >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> SY, Dmitry Belyavsky >>>>>> >>>>> >>>> >>>> -- >>>> SY, Dmitry Belyavsky >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From brettstahlman at gmail.com Mon Oct 26 15:09:08 2020 From: brettstahlman at gmail.com (Brett Stahlman) Date: Mon, 26 Oct 2020 11:09:08 -0400 Subject: CAPI engine seems to break server validation In-Reply-To: <7be76775-b1de-7fb8-47f8-eb9ba8250c7a@wisemo.com> References: <4408731c-2f3f-6446-7779-dcf228493795@openssl.org> <7be76775-b1de-7fb8-47f8-eb9ba8250c7a@wisemo.com> Message-ID: On Mon, Oct 26, 2020 at 9:35 AM Jakob Bohm wrote: > On 2020-10-24 16:09, Brett Stahlman wrote: > > Jakob, > > I don't really understand why the engine *needs* to do PSS. Neither of > > the badssl certificates seem to use it for signatures. (I'm assuming the > > fact that a cert was signed with RSA-PSS would show up in the Windows > > certificate viewer...) If you could give a short summary of the problem > > as you understand it, perhaps it would help me narrow in on a > > workaround. I'd be happy with even an ugly patch at this point. Given > > that server verification works fine with a ca-bundle file, I wonder > > whether it would be possible to have the capi engine handle only the > > client authentication. As you understand it, would the problem breaking > > server verification also preclude client authentication with the capi > > engine? > > > > From the content of your mails, I inferred that whatever you tried to > do caused OpenSSL to attempt to generate PSS signatures, but failing to > pass that job to the CAPI engine. I was commenting on how that might be > made to work. > > The failure was occurring during server cert verification. Which was surprising because I'd provided a ca-bundle.crt file to be used for server authentication, and CAPI doesn't seem to get involved directly in server authentication anyways. But apparently, the presence of the CAPI engine was preventing openssl from validating the server cert the way it normally would. The error occurred in do_sigver_init (crypto/evp/m_sigver.c) at the `ERR_raise` below: ``` /* * If we couldn't find a keymgmt at all try legacy. * TODO(3.0): Once all legacy algorithms (SM2, HMAC etc) have provider * based implementations this fallback shouldn't be necessary. Either * we have an ENGINE based implementation (in which case we should have * already fallen back in the test above here), or we don't have the * provider based implementation loaded (in which case this is an * application config error) */ if (locpctx->keymgmt == NULL) goto legacy; ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; ``` I was able to get past the error simply by commenting the conditional several lines higher in the function: //if (evp_pkey_ctx_is_legacy(locpctx)) goto legacy; For some reason, the call to evp_pkey_export_to_provider() fails when the CAPI engine is in use, but forcing the jump to legacy bypasses the test altogether and permits me to use the (working) legacy logic for server cert validation. I need to debug further to understand why evp_pkey_export_to_provider() is failing, but the simple change shown above allows two-way authentication to work with the client.badssl.com test site: client auth uses a cert in my Personal "MY" store; server auth uses the CA certs in ca-bundle.cer. Any light anyone can shed on the history of the legacy fallback logic would be greatly appreciated... Thanks, Brett S. > > On Fri, Oct 23, 2020 at 11:34 AM Jakob Bohm via openssl-users > > > wrote: > > > > On 2020-10-23 15:45, Matt Caswell wrote: > > > > > > On 23/10/2020 14:10, Brett Stahlman wrote: > > >> It seems that the CAPI engine is breaking the server > > verification somehow. > > >> Note that the only reason I'm using the ca-bundle.crt is that I > > couldn't > > >> figure out how to get CAPI to load the Windows "ROOT" certificate > > >> store, which contains the requisite CA certs. Ideally, server > > >> authentication would use the CA certs in the Windows "ROOT" > > store, and > > >> client authentication would use the certs in the Windows "MY" > > store, but > > >> CAPI doesn't appear to be loading either one. > > > This is probably the following issue: > > > > > > https://github.com/openssl/openssl/issues/8872 > > > > > > Matt > > Looking at the brutal wontfixing of that bug, maybe reconsider if the > > existing engine interface can do PSS by simply having the CAPI/CAPIng > > engine export the generic PKEY type for PSS-capable RSA keys. Also, > > maybe use a compatible stronger CAPI "provider" (their engines) to do > > stronger hashes etc. > > > > > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Mon Oct 26 16:26:41 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 21:56:41 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Segmentation fault is not seen if i don't compile* ./config with* *-enable-weak-ssl-ciphers.* Is it something I am missing or some more options needs to be provided to ./config ? Thanks Satyam On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky wrote: > It has nothing to do with the ciphers command... > > On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra > wrote: > >> Dear Dmitry, >> >> >>Are the /usr/local/lib64/libssl.so.1.1 and >> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >> Yes, they are same >> >> gdb openssl core.50178 >> >> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >> >> Copyright (C) 2013 Free Software Foundation, Inc. >> >> License GPLv3+: GNU GPL version 3 or later < >> http://gnu.org/licenses/gpl.html> >> >> This is free software: you are free to change and redistribute it. >> >> There is NO WARRANTY, to the extent permitted by law. Type "show >> copying" >> >> and "show warranty" for details. >> >> This GDB was configured as "x86_64-redhat-linux-gnu". >> >> For bug reporting instructions, please see: >> >> ... >> >> Reading symbols from >> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. >> >> [New LWP 50178] >> >> [Thread debugging using libthread_db enabled] >> >> Using host libthread_db library "/lib64/libthread_db.so.1". >> >> Core was generated by `/usr/local/bin/openssl'. >> >> Program terminated with signal 11, Segmentation fault. >> >> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, >> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, >> policy=0xfffa320300000000, serial=0x7ffddd58f693, >> >> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, >> multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 >> "HISTSIZE=1000", >> >> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", >> days=140728317048610, batch=-581372099, verbose=-581372056, >> req=0x7ffddd58f77b, >> >> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", >> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, >> default_op=-581370182, >> >> ext_copy=-581370137, selfsign=-581370120, db=, >> db=) at apps/ca.c:1410 >> >> 1410 row[i] = NULL; >> >> >> >> Thanks >> >> Satyam >> >> >> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky wrote: >> >>> Are the /usr/local/lib64/libssl.so.1.1 and >>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>> If yes, you should try running via gdb to get a backtrace. >>> >>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra >>> wrote: >>> >>>> Dear Dmitry, >>>> >>>> As suggested i have build the openssl with -ggdb ( ./config -ggdb >>>> -enable-weak-ssl-ciphers ) and after building i did make install as well. >>>> >>>> The strace output is as below >>>> ============================== >>>> >>>> *strace ./openssl* >>>> >>>> >>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >>>> >>>> brk(NULL) = 0x1b4f000 >>>> >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>> 0) = 0x7f3046813000 >>>> >>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or >>>> directory) >>>> >>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>>> >>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>>> >>>> close(3) = 0 >>>> >>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> read(3, >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>>> = 832 >>>> >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>>> >>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>> 0) = 0x7f3046354000 >>>> >>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>>> >>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>>> >>>> close(3) = 0 >>>> >>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> read(3, >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>>> 832 >>>> >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>>> >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>> 0) = 0x7f3046809000 >>>> >>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>> 0) = 0x7f3045e68000 >>>> >>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>>> >>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>>> >>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>>> >>>> close(3) = 0 >>>> >>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> read(3, >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>>> 832 >>>> >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>>> >>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>> 0) = 0x7f3045c64000 >>>> >>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>>> >>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>>> >>>> close(3) = 0 >>>> >>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> read(3, >>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>>> = 832 >>>> >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>>> >>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>> 0) = 0x7f3045a48000 >>>> >>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>>> >>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>>> >>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>>> >>>> close(3) = 0 >>>> >>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>>> >>>> read(3, >>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>>> 832 >>>> >>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>>> >>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>> 0) = 0x7f304567a000 >>>> >>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>>> >>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>>> >>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>>> >>>> close(3) = 0 >>>> >>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>> 0) = 0x7f3046808000 >>>> >>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>> 0) = 0x7f3046806000 >>>> >>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>>> >>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>>> >>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>>> >>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>>> >>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>>> >>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>>> >>>> mprotect(0x692000, 4096, PROT_READ) = 0 >>>> >>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>>> >>>> munmap(0x7f304680a000, 35929) = 0 >>>> >>>> set_tid_address(0x7f3046806a10) = 47865 >>>> >>>> set_robust_list(0x7f3046806a20, 24) = 0 >>>> >>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>>> >>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>>> NULL, 8) = 0 >>>> >>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>>> >>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) >>>> = 0 >>>> >>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >>>> >>>> +++ killed by SIGSEGV (core dumped) +++ >>>> >>>> Segmentation fault >>>> >>>> >>>> >>>> *Thanks* >>>> >>>> *Satyam* >>>> >>>> >>>> >>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky >>>> wrote: >>>> >>>>> Dear Satyam, >>>>> >>>>> First of all, I'll suggest checking whether the libcrypto/libssl are >>>>> those you've built. It can be done, e.g., via running strace. >>>>> >>>>> I also suggest building openssl with -ggdb (./config -ggdb should do >>>>> the trick). >>>>> >>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra >>>>> wrote: >>>>> >>>>>> Hi Dmitry, >>>>>> >>>>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>> >>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>>> >>>>>> *which openssl* >>>>>> >>>>>> * /usr/local/bin/openssl* >>>>>> >>>>>> >>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>>> >>>>>> >>>>>> ls -lhrt >>>>>> >>>>>> total 11M >>>>>> >>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>>> >>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>>>> >>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>>> >>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>>> >>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>>> >>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>>>> libcrypto.so.1.1 >>>>>> >>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>>> libssl.so.1.1 >>>>>> >>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>>> >>>>>> >>>>>> >>>>>> *openssl ciphers -V* >>>>>> >>>>>> * Segmentation fault* >>>>>> >>>>>> >>>>>> *gdb ./openssl core.3370 * >>>>>> >>>>>> >>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>> >>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>> >>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>> http://gnu.org/licenses/gpl.html> >>>>>> >>>>>> This is free software: you are free to change and redistribute it. >>>>>> >>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>>> copying" >>>>>> >>>>>> and "show warranty" for details. >>>>>> >>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>> >>>>>> For bug reporting instructions, please see: >>>>>> >>>>>> ... >>>>>> >>>>>> Reading symbols from >>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>>> found)...done. >>>>>> >>>>>> [New LWP 3370] >>>>>> >>>>>> [Thread debugging using libthread_db enabled] >>>>>> >>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>> >>>>>> Core was generated by `openssl ciphers -V'. >>>>>> >>>>>> Program terminated with signal 11, Segmentation fault. >>>>>> >>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>> >>>>>> (gdb) bt >>>>>> >>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>> >>>>>> (gdb) >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> Thanks >>>>>> >>>>>> Satyam >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>>>> wrote: >>>>>> >>>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>>> >>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra >>>>>>> wrote: >>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> Any Suggestions on how this can be done ? >>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>>> ,* also what is the location of the crash file. >>>>>>>> >>>>>>>> Thanks >>>>>>>> Satyam >>>>>>>> >>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Hello Everyone, >>>>>>>>> >>>>>>>>> I have just joined the openssl users community. >>>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>>>>>> openssl installation . >>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers >>>>>>>>> with openssl-1.1.1h installation >>>>>>>>> >>>>>>>>> I have followed the below steps >>>>>>>>> >>>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>>> >>>>>>>>> >>>>>>>>> *2) The Makefile looks as below* >>>>>>>>> >>>>>>>>> *===============================* >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>> >>>>>>>>> >>>>>>>>> ## >>>>>>>>> >>>>>>>>> ## Makefile for OpenSSL >>>>>>>>> >>>>>>>>> ## >>>>>>>>> >>>>>>>>> ## WARNING: do not edit! >>>>>>>>> >>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>>> >>>>>>>>> >>>>>>>>> PLATFORM=linux-x86_64 >>>>>>>>> >>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>>> >>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>>> >>>>>>>>> SRCDIR=. >>>>>>>>> >>>>>>>>> BLDDIR=. >>>>>>>>> >>>>>>>>> >>>>>>>>> VERSION=1.1.1h >>>>>>>>> >>>>>>>>> MAJOR=1 >>>>>>>>> >>>>>>>>> MINOR=1.1 >>>>>>>>> >>>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>>> >>>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>>> >>>>>>>>> SHLIB_MAJOR=1 >>>>>>>>> >>>>>>>>> SHLIB_MINOR=1 >>>>>>>>> >>>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>>> >>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>>> >>>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>>> >>>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>>> >>>>>>>>> >>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>>> >>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>>> >>>>>>>>> SHLIB_INFO=";" >>>>>>>>> "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>>> >>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>>> >>>>>>>>> @ >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>> >>>>>>>>> >>>>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>>>> >>>>>>>>> >>>>>>>>> *./openssl ciphers -V* >>>>>>>>> >>>>>>>>> * Segmentation fault (core dumped)* >>>>>>>>> >>>>>>>>> >>>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>>> >>>>>>>>> >>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>> Satyam >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> SY, Dmitry Belyavsky >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> SY, Dmitry Belyavsky >>>>> >>>> >>> >>> -- >>> SY, Dmitry Belyavsky >>> >> > > -- > SY, Dmitry Belyavsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 16:29:37 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 19:29:37 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Satyam, Do I correctly understand that - you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers - installed it -run some command? Which one(s)? Initially, you were speaking about 'ciphers', but the stack trace is from the 'ca'. On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra wrote: > Segmentation fault is not seen if i don't compile* ./config with* > *-enable-weak-ssl-ciphers.* > > Is it something I am missing or some more options needs to be provided to > ./config ? > > Thanks > Satyam > > On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky wrote: > >> It has nothing to do with the ciphers command... >> >> On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra >> wrote: >> >>> Dear Dmitry, >>> >>> >>Are the /usr/local/lib64/libssl.so.1.1 and >>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>> Yes, they are same >>> >>> gdb openssl core.50178 >>> >>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>> >>> Copyright (C) 2013 Free Software Foundation, Inc. >>> >>> License GPLv3+: GNU GPL version 3 or later < >>> http://gnu.org/licenses/gpl.html> >>> >>> This is free software: you are free to change and redistribute it. >>> >>> There is NO WARRANTY, to the extent permitted by law. Type "show >>> copying" >>> >>> and "show warranty" for details. >>> >>> This GDB was configured as "x86_64-redhat-linux-gnu". >>> >>> For bug reporting instructions, please see: >>> >>> ... >>> >>> Reading symbols from >>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. >>> >>> [New LWP 50178] >>> >>> [Thread debugging using libthread_db enabled] >>> >>> Using host libthread_db library "/lib64/libthread_db.so.1". >>> >>> Core was generated by `/usr/local/bin/openssl'. >>> >>> Program terminated with signal 11, Segmentation fault. >>> >>> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, >>> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, >>> policy=0xfffa320300000000, serial=0x7ffddd58f693, >>> >>> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, >>> multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 >>> "HISTSIZE=1000", >>> >>> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", >>> days=140728317048610, batch=-581372099, verbose=-581372056, >>> req=0x7ffddd58f77b, >>> >>> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", >>> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, >>> default_op=-581370182, >>> >>> ext_copy=-581370137, selfsign=-581370120, db=, >>> db=) at apps/ca.c:1410 >>> >>> 1410 row[i] = NULL; >>> >>> >>> >>> Thanks >>> >>> Satyam >>> >>> >>> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky >>> wrote: >>> >>>> Are the /usr/local/lib64/libssl.so.1.1 and >>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>> If yes, you should try running via gdb to get a backtrace. >>>> >>>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra >>>> wrote: >>>> >>>>> Dear Dmitry, >>>>> >>>>> As suggested i have build the openssl with -ggdb ( ./config -ggdb >>>>> -enable-weak-ssl-ciphers ) and after building i did make install as well. >>>>> >>>>> The strace output is as below >>>>> ============================== >>>>> >>>>> *strace ./openssl* >>>>> >>>>> >>>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >>>>> >>>>> brk(NULL) = 0x1b4f000 >>>>> >>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>> 0) = 0x7f3046813000 >>>>> >>>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or >>>>> directory) >>>>> >>>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>>>> >>>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> read(3, >>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>>>> = 832 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>>>> >>>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>>> 0) = 0x7f3046354000 >>>>> >>>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>>>> >>>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> read(3, >>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>>>> 832 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>>>> >>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>> 0) = 0x7f3046809000 >>>>> >>>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>>> 0) = 0x7f3045e68000 >>>>> >>>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>>>> >>>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>>>> >>>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> read(3, >>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>>>> 832 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>>>> >>>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>>> 0) = 0x7f3045c64000 >>>>> >>>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>>>> >>>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> read(3, >>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>>>> = 832 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>>>> >>>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>>> 0) = 0x7f3045a48000 >>>>> >>>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>>>> >>>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>>>> >>>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>>>> >>>>> read(3, >>>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>>>> 832 >>>>> >>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>>>> >>>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, >>>>> 0) = 0x7f304567a000 >>>>> >>>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>>>> >>>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>>>> >>>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>>>> >>>>> close(3) = 0 >>>>> >>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>> 0) = 0x7f3046808000 >>>>> >>>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>> 0) = 0x7f3046806000 >>>>> >>>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>>>> >>>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>>>> >>>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>>>> >>>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>>>> >>>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>>>> >>>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>>>> >>>>> mprotect(0x692000, 4096, PROT_READ) = 0 >>>>> >>>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>>>> >>>>> munmap(0x7f304680a000, 35929) = 0 >>>>> >>>>> set_tid_address(0x7f3046806a10) = 47865 >>>>> >>>>> set_robust_list(0x7f3046806a20, 24) = 0 >>>>> >>>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>>>> >>>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>>>> NULL, 8) = 0 >>>>> >>>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>>>> >>>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, >>>>> rlim_max=RLIM64_INFINITY}) = 0 >>>>> >>>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >>>>> >>>>> +++ killed by SIGSEGV (core dumped) +++ >>>>> >>>>> Segmentation fault >>>>> >>>>> >>>>> >>>>> *Thanks* >>>>> >>>>> *Satyam* >>>>> >>>>> >>>>> >>>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky >>>>> wrote: >>>>> >>>>>> Dear Satyam, >>>>>> >>>>>> First of all, I'll suggest checking whether the libcrypto/libssl are >>>>>> those you've built. It can be done, e.g., via running strace. >>>>>> >>>>>> I also suggest building openssl with -ggdb (./config -ggdb should do >>>>>> the trick). >>>>>> >>>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra >>>>>> wrote: >>>>>> >>>>>>> Hi Dmitry, >>>>>>> >>>>>>> >>If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>>> >>>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>>>> >>>>>>> *which openssl* >>>>>>> >>>>>>> * /usr/local/bin/openssl* >>>>>>> >>>>>>> >>>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>>>> >>>>>>> >>>>>>> ls -lhrt >>>>>>> >>>>>>> total 11M >>>>>>> >>>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>>>> >>>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>>>>> >>>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>>>> >>>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>>>> >>>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>>>> >>>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>>>>> libcrypto.so.1.1 >>>>>>> >>>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>>>> libssl.so.1.1 >>>>>>> >>>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>>>> >>>>>>> >>>>>>> >>>>>>> *openssl ciphers -V* >>>>>>> >>>>>>> * Segmentation fault* >>>>>>> >>>>>>> >>>>>>> *gdb ./openssl core.3370 * >>>>>>> >>>>>>> >>>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>>> >>>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>>> >>>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>>> http://gnu.org/licenses/gpl.html> >>>>>>> >>>>>>> This is free software: you are free to change and redistribute it. >>>>>>> >>>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>>>> copying" >>>>>>> >>>>>>> and "show warranty" for details. >>>>>>> >>>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>>> >>>>>>> For bug reporting instructions, please see: >>>>>>> >>>>>>> ... >>>>>>> >>>>>>> Reading symbols from >>>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>>>> found)...done. >>>>>>> >>>>>>> [New LWP 3370] >>>>>>> >>>>>>> [Thread debugging using libthread_db enabled] >>>>>>> >>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>>> >>>>>>> Core was generated by `openssl ciphers -V'. >>>>>>> >>>>>>> Program terminated with signal 11, Segmentation fault. >>>>>>> >>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>> >>>>>>> (gdb) bt >>>>>>> >>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>> >>>>>>> (gdb) >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks >>>>>>> >>>>>>> Satyam >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>>>>> wrote: >>>>>>> >>>>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>>>> >>>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra < >>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hello, >>>>>>>>> >>>>>>>>> Any Suggestions on how this can be done ? >>>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>>>> ,* also what is the location of the crash file. >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> Satyam >>>>>>>>> >>>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Hello Everyone, >>>>>>>>>> >>>>>>>>>> I have just joined the openssl users community. >>>>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable with >>>>>>>>>> openssl installation . >>>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak ciphers >>>>>>>>>> with openssl-1.1.1h installation >>>>>>>>>> >>>>>>>>>> I have followed the below steps >>>>>>>>>> >>>>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *2) The Makefile looks as below* >>>>>>>>>> >>>>>>>>>> *===============================* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ## >>>>>>>>>> >>>>>>>>>> ## Makefile for OpenSSL >>>>>>>>>> >>>>>>>>>> ## >>>>>>>>>> >>>>>>>>>> ## WARNING: do not edit! >>>>>>>>>> >>>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> PLATFORM=linux-x86_64 >>>>>>>>>> >>>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>>>> >>>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>>>> >>>>>>>>>> SRCDIR=. >>>>>>>>>> >>>>>>>>>> BLDDIR=. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> VERSION=1.1.1h >>>>>>>>>> >>>>>>>>>> MAJOR=1 >>>>>>>>>> >>>>>>>>>> MINOR=1.1 >>>>>>>>>> >>>>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>>>> >>>>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>>>> >>>>>>>>>> SHLIB_MAJOR=1 >>>>>>>>>> >>>>>>>>>> SHLIB_MINOR=1 >>>>>>>>>> >>>>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>>>> >>>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>>>> >>>>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>>>> >>>>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>>>> >>>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>>>> >>>>>>>>>> SHLIB_INFO=";" >>>>>>>>>> "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>>>> >>>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>>>> >>>>>>>>>> @ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *./openssl ciphers -V* >>>>>>>>>> >>>>>>>>>> * Segmentation fault (core dumped)* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> >>>>>>>>>> Satyam >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> SY, Dmitry Belyavsky >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> SY, Dmitry Belyavsky >>>>>> >>>>> >>>> >>>> -- >>>> SY, Dmitry Belyavsky >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From satyam226 at gmail.com Mon Oct 26 17:10:11 2020 From: satyam226 at gmail.com (Satyam Mehrotra) Date: Mon, 26 Oct 2020 22:40:11 +0530 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Dmitry, The below is the process i have followed - Downloaded the openssl-1.1.1h from the official OpenSSL site - ./config -ggdb -enable-weak-ssl-ciphers - make - make install - Execute openSSL command ( Looks like any openSSL command the binary is crashing ) openssl version Segmentation fault (core dumped) openssl ciphers -V Segmentation fault (core dumped) openssl Segmentation fault (core dumped) Thanks Satyam On Mon, 26 Oct 2020 at 21:59, Dmitry Belyavsky wrote: > Dear Satyam, > > Do I correctly understand that > - you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers > - installed it > -run some command? Which one(s)? Initially, you were speaking about > 'ciphers', but the stack trace is from the 'ca'. > > On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra > wrote: > >> Segmentation fault is not seen if i don't compile* ./config with* >> *-enable-weak-ssl-ciphers.* >> >> Is it something I am missing or some more options needs to be provided to >> ./config ? >> >> Thanks >> Satyam >> >> On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky wrote: >> >>> It has nothing to do with the ciphers command... >>> >>> On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra >>> wrote: >>> >>>> Dear Dmitry, >>>> >>>> >>Are the /usr/local/lib64/libssl.so.1.1 and >>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>> Yes, they are same >>>> >>>> gdb openssl core.50178 >>>> >>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>> >>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>> >>>> License GPLv3+: GNU GPL version 3 or later < >>>> http://gnu.org/licenses/gpl.html> >>>> >>>> This is free software: you are free to change and redistribute it. >>>> >>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>> copying" >>>> >>>> and "show warranty" for details. >>>> >>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>> >>>> For bug reporting instructions, please see: >>>> >>>> ... >>>> >>>> Reading symbols from >>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. >>>> >>>> [New LWP 50178] >>>> >>>> [Thread debugging using libthread_db enabled] >>>> >>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>> >>>> Core was generated by `/usr/local/bin/openssl'. >>>> >>>> Program terminated with signal 11, Segmentation fault. >>>> >>>> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, >>>> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, >>>> policy=0xfffa320300000000, serial=0x7ffddd58f693, >>>> >>>> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, >>>> multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 >>>> "HISTSIZE=1000", >>>> >>>> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", >>>> days=140728317048610, batch=-581372099, verbose=-581372056, >>>> req=0x7ffddd58f77b, >>>> >>>> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", >>>> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, >>>> default_op=-581370182, >>>> >>>> ext_copy=-581370137, selfsign=-581370120, db=, >>>> db=) at apps/ca.c:1410 >>>> >>>> 1410 row[i] = NULL; >>>> >>>> >>>> >>>> Thanks >>>> >>>> Satyam >>>> >>>> >>>> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky >>>> wrote: >>>> >>>>> Are the /usr/local/lib64/libssl.so.1.1 and >>>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>>> If yes, you should try running via gdb to get a backtrace. >>>>> >>>>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra >>>>> wrote: >>>>> >>>>>> Dear Dmitry, >>>>>> >>>>>> As suggested i have build the openssl with -ggdb ( ./config -ggdb >>>>>> -enable-weak-ssl-ciphers ) and after building i did make install as well. >>>>>> >>>>>> The strace output is as below >>>>>> ============================== >>>>>> >>>>>> *strace ./openssl* >>>>>> >>>>>> >>>>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >>>>>> >>>>>> brk(NULL) = 0x1b4f000 >>>>>> >>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>>> 0) = 0x7f3046813000 >>>>>> >>>>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or >>>>>> directory) >>>>>> >>>>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> read(3, >>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>>>>> = 832 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>> 3, 0) = 0x7f3046354000 >>>>>> >>>>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>>>>> >>>>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> read(3, >>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>>>>> 832 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>>> 0) = 0x7f3046809000 >>>>>> >>>>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>> 3, 0) = 0x7f3045e68000 >>>>>> >>>>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>>>>> >>>>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>>>>> >>>>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> read(3, >>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>>>>> 832 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>> 3, 0) = 0x7f3045c64000 >>>>>> >>>>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>>>>> >>>>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> read(3, >>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>>>>> = 832 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>> 3, 0) = 0x7f3045a48000 >>>>>> >>>>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>>>>> >>>>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>>>>> >>>>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>>>>> >>>>>> read(3, >>>>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>>>>> 832 >>>>>> >>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>>>>> >>>>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>> 3, 0) = 0x7f304567a000 >>>>>> >>>>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>>>>> >>>>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>>>>> >>>>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>>>>> >>>>>> close(3) = 0 >>>>>> >>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>>> 0) = 0x7f3046808000 >>>>>> >>>>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, >>>>>> 0) = 0x7f3046806000 >>>>>> >>>>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>>>>> >>>>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x692000, 4096, PROT_READ) = 0 >>>>>> >>>>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>>>>> >>>>>> munmap(0x7f304680a000, 35929) = 0 >>>>>> >>>>>> set_tid_address(0x7f3046806a10) = 47865 >>>>>> >>>>>> set_robust_list(0x7f3046806a20, 24) = 0 >>>>>> >>>>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>>>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>>>>> >>>>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>>>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>>>>> NULL, 8) = 0 >>>>>> >>>>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>>>>> >>>>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, >>>>>> rlim_max=RLIM64_INFINITY}) = 0 >>>>>> >>>>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >>>>>> >>>>>> +++ killed by SIGSEGV (core dumped) +++ >>>>>> >>>>>> Segmentation fault >>>>>> >>>>>> >>>>>> >>>>>> *Thanks* >>>>>> >>>>>> *Satyam* >>>>>> >>>>>> >>>>>> >>>>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky >>>>>> wrote: >>>>>> >>>>>>> Dear Satyam, >>>>>>> >>>>>>> First of all, I'll suggest checking whether the libcrypto/libssl are >>>>>>> those you've built. It can be done, e.g., via running strace. >>>>>>> >>>>>>> I also suggest building openssl with -ggdb (./config -ggdb should do >>>>>>> the trick). >>>>>>> >>>>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra < >>>>>>> satyam226 at gmail.com> wrote: >>>>>>> >>>>>>>> Hi Dmitry, >>>>>>>> >>>>>>>> >>If you have just built the openssl, try to set the >>>>>>>> LD_LIBRARY_PATH environment variable pointing to freshly built >>>>>>>> libcrypto/libssl >>>>>>>> >>>>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>>>>> >>>>>>>> *which openssl* >>>>>>>> >>>>>>>> * /usr/local/bin/openssl* >>>>>>>> >>>>>>>> >>>>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>>>>> >>>>>>>> >>>>>>>> ls -lhrt >>>>>>>> >>>>>>>> total 11M >>>>>>>> >>>>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>>>>> >>>>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>>>>>> >>>>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>>>>> >>>>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>>>>> >>>>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>>>>> >>>>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>>>>>> libcrypto.so.1.1 >>>>>>>> >>>>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>>>>> libssl.so.1.1 >>>>>>>> >>>>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> *openssl ciphers -V* >>>>>>>> >>>>>>>> * Segmentation fault* >>>>>>>> >>>>>>>> >>>>>>>> *gdb ./openssl core.3370 * >>>>>>>> >>>>>>>> >>>>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>>>> >>>>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>>>> >>>>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>>>> http://gnu.org/licenses/gpl.html> >>>>>>>> >>>>>>>> This is free software: you are free to change and redistribute it. >>>>>>>> >>>>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>>>>> copying" >>>>>>>> >>>>>>>> and "show warranty" for details. >>>>>>>> >>>>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>>>> >>>>>>>> For bug reporting instructions, please see: >>>>>>>> >>>>>>>> ... >>>>>>>> >>>>>>>> Reading symbols from >>>>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>>>>> found)...done. >>>>>>>> >>>>>>>> [New LWP 3370] >>>>>>>> >>>>>>>> [Thread debugging using libthread_db enabled] >>>>>>>> >>>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>>>> >>>>>>>> Core was generated by `openssl ciphers -V'. >>>>>>>> >>>>>>>> Program terminated with signal 11, Segmentation fault. >>>>>>>> >>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>> >>>>>>>> (gdb) bt >>>>>>>> >>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>> >>>>>>>> (gdb) >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>> Satyam >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>>>>>> wrote: >>>>>>>> >>>>>>>>> If you have just built the openssl, try to set the LD_LIBRARY_PATH >>>>>>>>> environment variable pointing to freshly built libcrypto/libssl >>>>>>>>> >>>>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra < >>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> Any Suggestions on how this can be done ? >>>>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>>>>> ,* also what is the location of the crash file. >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> Satyam >>>>>>>>>> >>>>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra < >>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hello Everyone, >>>>>>>>>>> >>>>>>>>>>> I have just joined the openssl users community. >>>>>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable >>>>>>>>>>> with openssl installation . >>>>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak >>>>>>>>>>> ciphers with openssl-1.1.1h installation >>>>>>>>>>> >>>>>>>>>>> I have followed the below steps >>>>>>>>>>> >>>>>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *2) The Makefile looks as below* >>>>>>>>>>> >>>>>>>>>>> *===============================* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> ## >>>>>>>>>>> >>>>>>>>>>> ## Makefile for OpenSSL >>>>>>>>>>> >>>>>>>>>>> ## >>>>>>>>>>> >>>>>>>>>>> ## WARNING: do not edit! >>>>>>>>>>> >>>>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> PLATFORM=linux-x86_64 >>>>>>>>>>> >>>>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>>>>> >>>>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>>>>> >>>>>>>>>>> SRCDIR=. >>>>>>>>>>> >>>>>>>>>>> BLDDIR=. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> VERSION=1.1.1h >>>>>>>>>>> >>>>>>>>>>> MAJOR=1 >>>>>>>>>>> >>>>>>>>>>> MINOR=1.1 >>>>>>>>>>> >>>>>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>>>>> >>>>>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>>>>> >>>>>>>>>>> SHLIB_MAJOR=1 >>>>>>>>>>> >>>>>>>>>>> SHLIB_MINOR=1 >>>>>>>>>>> >>>>>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>>>>> >>>>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>>>>> >>>>>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>>>>> >>>>>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>>>>> >>>>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>>>>> >>>>>>>>>>> SHLIB_INFO=";" >>>>>>>>>>> "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>>>>> >>>>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>>>>> >>>>>>>>>>> @ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *./openssl ciphers -V* >>>>>>>>>>> >>>>>>>>>>> * Segmentation fault (core dumped)* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then the >>>>>>>>>>> above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Thanks >>>>>>>>>>> >>>>>>>>>>> Satyam >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> SY, Dmitry Belyavsky >>>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> SY, Dmitry Belyavsky >>>>>>> >>>>>> >>>>> >>>>> -- >>>>> SY, Dmitry Belyavsky >>>>> >>>> >>> >>> -- >>> SY, Dmitry Belyavsky >>> >> > > -- > SY, Dmitry Belyavsky > -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 17:40:26 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 20:40:26 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Dear Satyam, It looks like a compiler bug for me. When configured via ./config -ggdb -O0 -enable-weak-ssl-ciphers, I get the code working. The same happens when -O1 is in use. When I either omit optimization (which implies -O3) or specify -O2, I get a segfault. On Mon, Oct 26, 2020 at 8:09 PM Satyam Mehrotra wrote: > Dear Dmitry, > > The below is the process i have followed > - Downloaded the openssl-1.1.1h from the official OpenSSL site > - ./config -ggdb -enable-weak-ssl-ciphers > - make > - make install > - Execute openSSL command ( Looks like any openSSL command the binary > is crashing ) > openssl version > > Segmentation fault (core dumped) > > > openssl ciphers -V > > Segmentation fault (core dumped) > > > openssl > > Segmentation fault (core dumped) > > > Thanks > > Satyam > > On Mon, 26 Oct 2020 at 21:59, Dmitry Belyavsky wrote: > >> Dear Satyam, >> >> Do I correctly understand that >> - you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers >> - installed it >> -run some command? Which one(s)? Initially, you were speaking about >> 'ciphers', but the stack trace is from the 'ca'. >> >> On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra >> wrote: >> >>> Segmentation fault is not seen if i don't compile* ./config with* >>> *-enable-weak-ssl-ciphers.* >>> >>> Is it something I am missing or some more options needs to be provided >>> to ./config ? >>> >>> Thanks >>> Satyam >>> >>> On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky >>> wrote: >>> >>>> It has nothing to do with the ciphers command... >>>> >>>> On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra >>>> wrote: >>>> >>>>> Dear Dmitry, >>>>> >>>>> >>Are the /usr/local/lib64/libssl.so.1.1 and >>>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>>> Yes, they are same >>>>> >>>>> gdb openssl core.50178 >>>>> >>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>> >>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>> >>>>> License GPLv3+: GNU GPL version 3 or later < >>>>> http://gnu.org/licenses/gpl.html> >>>>> >>>>> This is free software: you are free to change and redistribute it. >>>>> >>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>> copying" >>>>> >>>>> and "show warranty" for details. >>>>> >>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>> >>>>> For bug reporting instructions, please see: >>>>> >>>>> ... >>>>> >>>>> Reading symbols from >>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. >>>>> >>>>> [New LWP 50178] >>>>> >>>>> [Thread debugging using libthread_db enabled] >>>>> >>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>> >>>>> Core was generated by `/usr/local/bin/openssl'. >>>>> >>>>> Program terminated with signal 11, Segmentation fault. >>>>> >>>>> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, >>>>> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, >>>>> policy=0xfffa320300000000, serial=0x7ffddd58f693, >>>>> >>>>> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", chtype=140728317048503, >>>>> multirdn=-581372209, email_dn=-581372189, startdate=0x7ffddd58f6f3 >>>>> "HISTSIZE=1000", >>>>> >>>>> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", >>>>> days=140728317048610, batch=-581372099, verbose=-581372056, >>>>> req=0x7ffddd58f77b, >>>>> >>>>> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", >>>>> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, >>>>> default_op=-581370182, >>>>> >>>>> ext_copy=-581370137, selfsign=-581370120, db=, >>>>> db=) at apps/ca.c:1410 >>>>> >>>>> 1410 row[i] = NULL; >>>>> >>>>> >>>>> >>>>> Thanks >>>>> >>>>> Satyam >>>>> >>>>> >>>>> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky >>>>> wrote: >>>>> >>>>>> Are the /usr/local/lib64/libssl.so.1.1 and >>>>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>>>> If yes, you should try running via gdb to get a backtrace. >>>>>> >>>>>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra >>>>>> wrote: >>>>>> >>>>>>> Dear Dmitry, >>>>>>> >>>>>>> As suggested i have build the openssl with -ggdb ( ./config -ggdb >>>>>>> -enable-weak-ssl-ciphers ) and after building i did make install as well. >>>>>>> >>>>>>> The strace output is as below >>>>>>> ============================== >>>>>>> >>>>>>> *strace ./openssl* >>>>>>> >>>>>>> >>>>>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) = 0 >>>>>>> >>>>>>> brk(NULL) = 0x1b4f000 >>>>>>> >>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, >>>>>>> -1, 0) = 0x7f3046813000 >>>>>>> >>>>>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file >>>>>>> or directory) >>>>>>> >>>>>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> read(3, >>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>>>>>> = 832 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>>> 3, 0) = 0x7f3046354000 >>>>>>> >>>>>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>>>>>> >>>>>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> read(3, >>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>>>>>> 832 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, >>>>>>> -1, 0) = 0x7f3046809000 >>>>>>> >>>>>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>>> 3, 0) = 0x7f3045e68000 >>>>>>> >>>>>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>>>>>> >>>>>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>>>>>> >>>>>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> read(3, >>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>>>>>> 832 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>>> 3, 0) = 0x7f3045c64000 >>>>>>> >>>>>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>>>>>> >>>>>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> read(3, >>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>>>>>> = 832 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>>> 3, 0) = 0x7f3045a48000 >>>>>>> >>>>>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>>>>>> >>>>>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>>>>>> >>>>>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>>>>>> >>>>>>> read(3, >>>>>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>>>>>> 832 >>>>>>> >>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>>>>>> >>>>>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, >>>>>>> 3, 0) = 0x7f304567a000 >>>>>>> >>>>>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>>>>>> >>>>>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>>>>>> >>>>>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>>>>>> >>>>>>> close(3) = 0 >>>>>>> >>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, >>>>>>> -1, 0) = 0x7f3046808000 >>>>>>> >>>>>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, >>>>>>> -1, 0) = 0x7f3046806000 >>>>>>> >>>>>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>>>>>> >>>>>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x692000, 4096, PROT_READ) = 0 >>>>>>> >>>>>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>>>>>> >>>>>>> munmap(0x7f304680a000, 35929) = 0 >>>>>>> >>>>>>> set_tid_address(0x7f3046806a10) = 47865 >>>>>>> >>>>>>> set_robust_list(0x7f3046806a20, 24) = 0 >>>>>>> >>>>>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>>>>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>>>>>> >>>>>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>>>>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>>>>>> NULL, 8) = 0 >>>>>>> >>>>>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>>>>>> >>>>>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, >>>>>>> rlim_max=RLIM64_INFINITY}) = 0 >>>>>>> >>>>>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} --- >>>>>>> >>>>>>> +++ killed by SIGSEGV (core dumped) +++ >>>>>>> >>>>>>> Segmentation fault >>>>>>> >>>>>>> >>>>>>> >>>>>>> *Thanks* >>>>>>> >>>>>>> *Satyam* >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky >>>>>>> wrote: >>>>>>> >>>>>>>> Dear Satyam, >>>>>>>> >>>>>>>> First of all, I'll suggest checking whether the libcrypto/libssl >>>>>>>> are those you've built. It can be done, e.g., via running strace. >>>>>>>> >>>>>>>> I also suggest building openssl with -ggdb (./config -ggdb should >>>>>>>> do the trick). >>>>>>>> >>>>>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra < >>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi Dmitry, >>>>>>>>> >>>>>>>>> >>If you have just built the openssl, try to set the >>>>>>>>> LD_LIBRARY_PATH environment variable pointing to freshly built >>>>>>>>> libcrypto/libssl >>>>>>>>> >>>>>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>>>>>> >>>>>>>>> *which openssl* >>>>>>>>> >>>>>>>>> * /usr/local/bin/openssl* >>>>>>>>> >>>>>>>>> >>>>>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>>>>>> >>>>>>>>> >>>>>>>>> ls -lhrt >>>>>>>>> >>>>>>>>> total 11M >>>>>>>>> >>>>>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>>>>>> >>>>>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 libcrypto.so.1.1 >>>>>>>>> >>>>>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>>>>>> >>>>>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>>>>>> >>>>>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>>>>>> >>>>>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so -> >>>>>>>>> libcrypto.so.1.1 >>>>>>>>> >>>>>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>>>>>> libssl.so.1.1 >>>>>>>>> >>>>>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> *openssl ciphers -V* >>>>>>>>> >>>>>>>>> * Segmentation fault* >>>>>>>>> >>>>>>>>> >>>>>>>>> *gdb ./openssl core.3370 * >>>>>>>>> >>>>>>>>> >>>>>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>>>>> >>>>>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>>>>> >>>>>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>>>>> http://gnu.org/licenses/gpl.html> >>>>>>>>> >>>>>>>>> This is free software: you are free to change and redistribute it. >>>>>>>>> >>>>>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>>>>>> copying" >>>>>>>>> >>>>>>>>> and "show warranty" for details. >>>>>>>>> >>>>>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>>>>> >>>>>>>>> For bug reporting instructions, please see: >>>>>>>>> >>>>>>>>> ... >>>>>>>>> >>>>>>>>> Reading symbols from >>>>>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>>>>>> found)...done. >>>>>>>>> >>>>>>>>> [New LWP 3370] >>>>>>>>> >>>>>>>>> [Thread debugging using libthread_db enabled] >>>>>>>>> >>>>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>>>>> >>>>>>>>> Core was generated by `openssl ciphers -V'. >>>>>>>>> >>>>>>>>> Program terminated with signal 11, Segmentation fault. >>>>>>>>> >>>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>>> >>>>>>>>> (gdb) bt >>>>>>>>> >>>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>>> >>>>>>>>> (gdb) >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>> Satyam >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> If you have just built the openssl, try to set the >>>>>>>>>> LD_LIBRARY_PATH environment variable pointing to freshly built >>>>>>>>>> libcrypto/libssl >>>>>>>>>> >>>>>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra < >>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hello, >>>>>>>>>>> >>>>>>>>>>> Any Suggestions on how this can be done ? >>>>>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>>>>>> ,* also what is the location of the crash file. >>>>>>>>>>> >>>>>>>>>>> Thanks >>>>>>>>>>> Satyam >>>>>>>>>>> >>>>>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra < >>>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hello Everyone, >>>>>>>>>>>> >>>>>>>>>>>> I have just joined the openssl users community. >>>>>>>>>>>> My requirement is to have the SSLv3 and weak ciphers enable >>>>>>>>>>>> with openssl installation . >>>>>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak >>>>>>>>>>>> ciphers with openssl-1.1.1h installation >>>>>>>>>>>> >>>>>>>>>>>> I have followed the below steps >>>>>>>>>>>> >>>>>>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> *2) The Makefile looks as below* >>>>>>>>>>>> >>>>>>>>>>>> *===============================* >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ## >>>>>>>>>>>> >>>>>>>>>>>> ## Makefile for OpenSSL >>>>>>>>>>>> >>>>>>>>>>>> ## >>>>>>>>>>>> >>>>>>>>>>>> ## WARNING: do not edit! >>>>>>>>>>>> >>>>>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> PLATFORM=linux-x86_64 >>>>>>>>>>>> >>>>>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>>>>>> >>>>>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>>>>>> >>>>>>>>>>>> SRCDIR=. >>>>>>>>>>>> >>>>>>>>>>>> BLDDIR=. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> VERSION=1.1.1h >>>>>>>>>>>> >>>>>>>>>>>> MAJOR=1 >>>>>>>>>>>> >>>>>>>>>>>> MINOR=1.1 >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_MAJOR=1 >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_MINOR=1 >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>>>>>> >>>>>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>>>>>> >>>>>>>>>>>> SHLIB_INFO=";" >>>>>>>>>>>> "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>>>>>> >>>>>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>>>>>> >>>>>>>>>>>> @ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> if i do any openssl operations it gives error ( core dumped ) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> *./openssl ciphers -V* >>>>>>>>>>>> >>>>>>>>>>>> * Segmentation fault (core dumped)* >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then >>>>>>>>>>>> the above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> >>>>>>>>>>>> Satyam >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> SY, Dmitry Belyavsky >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> SY, Dmitry Belyavsky >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> SY, Dmitry Belyavsky >>>>>> >>>>> >>>> >>>> -- >>>> SY, Dmitry Belyavsky >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From brettstahlman at gmail.com Mon Oct 26 19:01:28 2020 From: brettstahlman at gmail.com (Brett Stahlman) Date: Mon, 26 Oct 2020 15:01:28 -0400 Subject: Static vs dynamic engine configuration Message-ID: Hello, I noticed that although the docs generally refer to the capi engine as "builtin", it doesn't appear to be linked statically with openssl, and is actually being loaded by the dynamic engine mechanism. I believe this is because the OPENSSL_NO_STATIC_ENGINE flag is being set by Configure. The only way I see to disable this flag is to pass disable-dynamic-engine to Configure. Is this the correct way to get the builtin engines linked statically? Do I understand correctly that dynamic loading of the builtin engines is now the default? Thanks, Brett S. -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Mon Oct 26 19:37:19 2020 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 26 Oct 2020 22:37:19 +0300 Subject: How to Enable Weak Ciphers OpenSSL 1.1.1h installation In-Reply-To: References: Message-ID: Wow! I was unattentive :( The leading minus before enable-weak-ssl-ciphers was the problem. Many thanks Satyam! On Mon, Oct 26, 2020 at 8:41 PM Satyam Mehrotra wrote: > I think i have resolved it . if you use the following option and then do a > make , the openssl binary don't crash > > ./config -ggdb enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method > no-shared > > > What is the significance of no-shared ? why we have to use this option > > > Thanks > > Satyam > > On Mon, 26 Oct 2020 at 22:59, Dmitry Belyavsky wrote: > >> Many thanks! >> >> I could reproduce the bug. >> >> On Mon, Oct 26, 2020 at 8:10 PM Satyam Mehrotra >> wrote: >> >>> No Worries Dmitry !! >>> I have send the sequence in the main mail thread. >>> >>> Thanks >>> Satyam >>> >>> On Mon, 26 Oct 2020 at 22:10, Dmitry Belyavsky >>> wrote: >>> >>>> Dear Satyam, >>>> >>>> Sorry, but no. If you send the way to reproduce the bug, I'll take a >>>> look at it. >>>> >>>> On Mon, Oct 26, 2020 at 7:38 PM Satyam Mehrotra >>>> wrote: >>>> >>>>> Dear Dmitry, >>>>> >>>>> Is it possible to have meeting on GoToMeeting? >>>>> I can send the invite and then i can share my screen. >>>>> Probably, that will be faster and quick to resolve. >>>>> >>>>> Thanks >>>>> Satyam >>>>> >>>>> On Mon, 26 Oct 2020 at 21:59, Dmitry Belyavsky >>>>> wrote: >>>>> >>>>>> Dear Satyam, >>>>>> >>>>>> Do I correctly understand that >>>>>> - you built openssl-1.1.1h from scratch with -enable-weak-ssl-ciphers >>>>>> - installed it >>>>>> -run some command? Which one(s)? Initially, you were speaking about >>>>>> 'ciphers', but the stack trace is from the 'ca'. >>>>>> >>>>>> On Mon, Oct 26, 2020 at 7:26 PM Satyam Mehrotra >>>>>> wrote: >>>>>> >>>>>>> Segmentation fault is not seen if i don't compile* ./config with* >>>>>>> *-enable-weak-ssl-ciphers.* >>>>>>> >>>>>>> Is it something I am missing or some more options needs to be >>>>>>> provided to ./config ? >>>>>>> >>>>>>> Thanks >>>>>>> Satyam >>>>>>> >>>>>>> On Mon, 26 Oct 2020 at 20:21, Dmitry Belyavsky >>>>>>> wrote: >>>>>>> >>>>>>>> It has nothing to do with the ciphers command... >>>>>>>> >>>>>>>> On Mon, Oct 26, 2020 at 5:18 PM Satyam Mehrotra < >>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Dear Dmitry, >>>>>>>>> >>>>>>>>> >>Are the /usr/local/lib64/libssl.so.1.1 and >>>>>>>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>>>>>>> Yes, they are same >>>>>>>>> >>>>>>>>> gdb openssl core.50178 >>>>>>>>> >>>>>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>>>>> >>>>>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>>>>> >>>>>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>>>>> http://gnu.org/licenses/gpl.html> >>>>>>>>> >>>>>>>>> This is free software: you are free to change and redistribute it. >>>>>>>>> >>>>>>>>> There is NO WARRANTY, to the extent permitted by law. Type "show >>>>>>>>> copying" >>>>>>>>> >>>>>>>>> and "show warranty" for details. >>>>>>>>> >>>>>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>>>>> >>>>>>>>> For bug reporting instructions, please see: >>>>>>>>> >>>>>>>>> ... >>>>>>>>> >>>>>>>>> Reading symbols from >>>>>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...done. >>>>>>>>> >>>>>>>>> [New LWP 50178] >>>>>>>>> >>>>>>>>> [Thread debugging using libthread_db enabled] >>>>>>>>> >>>>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>>>>> >>>>>>>>> Core was generated by `/usr/local/bin/openssl'. >>>>>>>>> >>>>>>>>> Program terminated with signal 11, Segmentation fault. >>>>>>>>> >>>>>>>>> #0 do_body (xret=0x7f2bc6a6dcf0, pkey=0x7ffddd58d888, >>>>>>>>> x509=0x7f2bc6a7de80 <_dl_fini>, dgst=0x7f2bc6a8af5a, sigopts=0x0, >>>>>>>>> policy=0xfffa320300000000, serial=0x7ffddd58f693, >>>>>>>>> >>>>>>>>> subj=0x7ffddd58f6a6 "HOSTNAME=CentOS7", >>>>>>>>> chtype=140728317048503, multirdn=-581372209, email_dn=-581372189, >>>>>>>>> startdate=0x7ffddd58f6f3 "HISTSIZE=1000", >>>>>>>>> >>>>>>>>> enddate=0x7ffddd58f701 "SSH_CLIENT=10.101.14.61 17471 22", >>>>>>>>> days=140728317048610, batch=-581372099, verbose=-581372056, >>>>>>>>> req=0x7ffddd58f77b, >>>>>>>>> >>>>>>>>> ext_sect=0x7ffddd58f785 "LD_LIBRARY_PATH=/usr/local/lib64/", >>>>>>>>> lconf=0x7ffddd58f7a7, certopt=140728317050463, nameopt=140728317050489, >>>>>>>>> default_op=-581370182, >>>>>>>>> >>>>>>>>> ext_copy=-581370137, selfsign=-581370120, db=, >>>>>>>>> db=) at apps/ca.c:1410 >>>>>>>>> >>>>>>>>> 1410 row[i] = NULL; >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> >>>>>>>>> Satyam >>>>>>>>> >>>>>>>>> >>>>>>>>> On Mon, 26 Oct 2020 at 19:34, Dmitry Belyavsky >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>>> Are the /usr/local/lib64/libssl.so.1.1 and >>>>>>>>>> /usr/local/lib64/libcrypto.so.1.1 the same libraries that were built by you? >>>>>>>>>> If yes, you should try running via gdb to get a backtrace. >>>>>>>>>> >>>>>>>>>> On Mon, Oct 26, 2020 at 4:54 PM Satyam Mehrotra < >>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Dear Dmitry, >>>>>>>>>>> >>>>>>>>>>> As suggested i have build the openssl with -ggdb ( ./config >>>>>>>>>>> -ggdb -enable-weak-ssl-ciphers ) and after building i did make install as >>>>>>>>>>> well. >>>>>>>>>>> >>>>>>>>>>> The strace output is as below >>>>>>>>>>> ============================== >>>>>>>>>>> >>>>>>>>>>> *strace ./openssl* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> execve("./openssl", ["./openssl"], 0x7ffc8151b3d0 /* 27 vars */) >>>>>>>>>>> = 0 >>>>>>>>>>> >>>>>>>>>>> brk(NULL) = 0x1b4f000 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046813000 >>>>>>>>>>> >>>>>>>>>>> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such >>>>>>>>>>> file or directory) >>>>>>>>>>> >>>>>>>>>>> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0644, st_size=35929, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 35929, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f304680a000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> open("/usr/local/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> read(3, >>>>>>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\24\2\0\0\0\0\0"..., 832) >>>>>>>>>>> = 832 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=742664, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 2748352, PROT_READ|PROT_EXEC, >>>>>>>>>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3046354000 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f30463e4000, 2097152, PROT_NONE) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f30465e4000, 61440, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x90000) = 0x7f30465e4000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> open("/usr/local/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> read(3, >>>>>>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0p\7\0\0\0\0\0"..., 832) = >>>>>>>>>>> 832 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=3397280, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046809000 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 5158840, PROT_READ|PROT_EXEC, >>>>>>>>>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045e68000 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3046122000, 2097152, PROT_NONE) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3046322000, 188416, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2ba000) = 0x7f3046322000 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3046350000, 14264, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3046350000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> read(3, >>>>>>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = >>>>>>>>>>> 832 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 2109744, PROT_READ|PROT_EXEC, >>>>>>>>>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045c64000 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3045c66000, 2097152, PROT_NONE) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3045e66000, 8192, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f3045e66000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> read(3, >>>>>>>>>>> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) >>>>>>>>>>> = 832 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 2208904, PROT_READ|PROT_EXEC, >>>>>>>>>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f3045a48000 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3045a5f000, 2093056, PROT_NONE) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3045c5e000, 8192, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f3045c5e000 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3045c60000, 13448, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045c60000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 >>>>>>>>>>> >>>>>>>>>>> read(3, >>>>>>>>>>> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = >>>>>>>>>>> 832 >>>>>>>>>>> >>>>>>>>>>> fstat(3, {st_mode=S_IFREG|0755, st_size=2156240, ...}) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 3985920, PROT_READ|PROT_EXEC, >>>>>>>>>>> MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f304567a000 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f304583d000, 2097152, PROT_NONE) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3045a3d000, 24576, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f3045a3d000 >>>>>>>>>>> >>>>>>>>>>> mmap(0x7f3045a43000, 16896, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f3045a43000 >>>>>>>>>>> >>>>>>>>>>> close(3) = 0 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 4096, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046808000 >>>>>>>>>>> >>>>>>>>>>> mmap(NULL, 8192, PROT_READ|PROT_WRITE, >>>>>>>>>>> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3046806000 >>>>>>>>>>> >>>>>>>>>>> arch_prctl(ARCH_SET_FS, 0x7f3046806740) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3045a3d000, 16384, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3045c5e000, 4096, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3045e66000, 4096, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3046322000, 176128, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f30465e4000, 40960, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x692000, 4096, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> mprotect(0x7f3046814000, 4096, PROT_READ) = 0 >>>>>>>>>>> >>>>>>>>>>> munmap(0x7f304680a000, 35929) = 0 >>>>>>>>>>> >>>>>>>>>>> set_tid_address(0x7f3046806a10) = 47865 >>>>>>>>>>> >>>>>>>>>>> set_robust_list(0x7f3046806a20, 24) = 0 >>>>>>>>>>> >>>>>>>>>>> rt_sigaction(SIGRTMIN, {sa_handler=0x7f3045a4e860, sa_mask=[], >>>>>>>>>>> sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f3045a57630}, NULL, 8) = 0 >>>>>>>>>>> >>>>>>>>>>> rt_sigaction(SIGRT_1, {sa_handler=0x7f3045a4e8f0, sa_mask=[], >>>>>>>>>>> sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3045a57630}, >>>>>>>>>>> NULL, 8) = 0 >>>>>>>>>>> >>>>>>>>>>> rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 >>>>>>>>>>> >>>>>>>>>>> getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, >>>>>>>>>>> rlim_max=RLIM64_INFINITY}) = 0 >>>>>>>>>>> >>>>>>>>>>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} >>>>>>>>>>> --- >>>>>>>>>>> >>>>>>>>>>> +++ killed by SIGSEGV (core dumped) +++ >>>>>>>>>>> >>>>>>>>>>> Segmentation fault >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> *Thanks* >>>>>>>>>>> >>>>>>>>>>> *Satyam* >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Mon, 26 Oct 2020 at 17:50, Dmitry Belyavsky < >>>>>>>>>>> beldmit at gmail.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Dear Satyam, >>>>>>>>>>>> >>>>>>>>>>>> First of all, I'll suggest checking whether the >>>>>>>>>>>> libcrypto/libssl are those you've built. It can be done, e.g., via running >>>>>>>>>>>> strace. >>>>>>>>>>>> >>>>>>>>>>>> I also suggest building openssl with -ggdb (./config -ggdb >>>>>>>>>>>> should do the trick). >>>>>>>>>>>> >>>>>>>>>>>> On Mon, Oct 26, 2020 at 11:34 AM Satyam Mehrotra < >>>>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> Hi Dmitry, >>>>>>>>>>>>> >>>>>>>>>>>>> >>If you have just built the openssl, try to set the >>>>>>>>>>>>> LD_LIBRARY_PATH environment variable pointing to freshly built >>>>>>>>>>>>> libcrypto/libssl >>>>>>>>>>>>> >>>>>>>>>>>>> I try setting the LD_LIBRARY_PATH but it is still crashing >>>>>>>>>>>>> >>>>>>>>>>>>> *which openssl* >>>>>>>>>>>>> >>>>>>>>>>>>> * /usr/local/bin/openssl* >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *export LD_LIBRARY_PATH=/usr/local/lib64/* >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> ls -lhrt >>>>>>>>>>>>> >>>>>>>>>>>>> total 11M >>>>>>>>>>>>> >>>>>>>>>>>>> drwxr-xr-x. 2 root root 61 Oct 25 16:27 pkgconfig >>>>>>>>>>>>> >>>>>>>>>>>>> -rwxr-xr-x. 1 root root 3.3M Oct 26 12:58 >>>>>>>>>>>>> libcrypto.so.1.1 >>>>>>>>>>>>> >>>>>>>>>>>>> -rwxr-xr-x. 1 root root 726K Oct 26 12:58 libssl.so.1.1 >>>>>>>>>>>>> >>>>>>>>>>>>> -rw-r--r--. 1 root root 5.4M Oct 26 12:58 libcrypto.a >>>>>>>>>>>>> >>>>>>>>>>>>> -rw-r--r--. 1 root root 1.1M Oct 26 12:58 libssl.a >>>>>>>>>>>>> >>>>>>>>>>>>> lrwxrwxrwx. 1 root root 16 Oct 26 12:58 libcrypto.so >>>>>>>>>>>>> -> libcrypto.so.1.1 >>>>>>>>>>>>> >>>>>>>>>>>>> lrwxrwxrwx. 1 root root 13 Oct 26 12:58 libssl.so -> >>>>>>>>>>>>> libssl.so.1.1 >>>>>>>>>>>>> >>>>>>>>>>>>> drwxr-xr-x. 2 root root 39 Oct 26 12:58 engines-1.1 >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *openssl ciphers -V* >>>>>>>>>>>>> >>>>>>>>>>>>> * Segmentation fault* >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *gdb ./openssl core.3370 * >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-119.el7 >>>>>>>>>>>>> >>>>>>>>>>>>> Copyright (C) 2013 Free Software Foundation, Inc. >>>>>>>>>>>>> >>>>>>>>>>>>> License GPLv3+: GNU GPL version 3 or later < >>>>>>>>>>>>> http://gnu.org/licenses/gpl.html> >>>>>>>>>>>>> >>>>>>>>>>>>> This is free software: you are free to change and redistribute >>>>>>>>>>>>> it. >>>>>>>>>>>>> >>>>>>>>>>>>> There is NO WARRANTY, to the extent permitted by law. Type >>>>>>>>>>>>> "show copying" >>>>>>>>>>>>> >>>>>>>>>>>>> and "show warranty" for details. >>>>>>>>>>>>> >>>>>>>>>>>>> This GDB was configured as "x86_64-redhat-linux-gnu". >>>>>>>>>>>>> >>>>>>>>>>>>> For bug reporting instructions, please see: >>>>>>>>>>>>> >>>>>>>>>>>>> ... >>>>>>>>>>>>> >>>>>>>>>>>>> Reading symbols from >>>>>>>>>>>>> /home/openssl-1.1.1h/openssl-1.1.1h/apps/openssl...(no debugging symbols >>>>>>>>>>>>> found)...done. >>>>>>>>>>>>> >>>>>>>>>>>>> [New LWP 3370] >>>>>>>>>>>>> >>>>>>>>>>>>> [Thread debugging using libthread_db enabled] >>>>>>>>>>>>> >>>>>>>>>>>>> Using host libthread_db library "/lib64/libthread_db.so.1". >>>>>>>>>>>>> >>>>>>>>>>>>> Core was generated by `openssl ciphers -V'. >>>>>>>>>>>>> >>>>>>>>>>>>> Program terminated with signal 11, Segmentation fault. >>>>>>>>>>>>> >>>>>>>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>>>>>>> >>>>>>>>>>>>> (gdb) bt >>>>>>>>>>>>> >>>>>>>>>>>>> #0 0x000000000041c53d in do_body.isra.3 () >>>>>>>>>>>>> >>>>>>>>>>>>> (gdb) >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks >>>>>>>>>>>>> >>>>>>>>>>>>> Satyam >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Mon, 26 Oct 2020 at 12:16, Dmitry Belyavsky < >>>>>>>>>>>>> beldmit at gmail.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> If you have just built the openssl, try to set the >>>>>>>>>>>>>> LD_LIBRARY_PATH environment variable pointing to freshly built >>>>>>>>>>>>>> libcrypto/libssl >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Mon, Oct 26, 2020 at 9:33 AM Satyam Mehrotra < >>>>>>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Any Suggestions on how this can be done ? >>>>>>>>>>>>>>> why openssl binary is crashing if i am compiling it with *-enable-weak-ssl-ciphers >>>>>>>>>>>>>>> ,* also what is the location of the crash file. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>> Satyam >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Sun, 25 Oct 2020 at 12:57, Satyam Mehrotra < >>>>>>>>>>>>>>> satyam226 at gmail.com> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Hello Everyone, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I have just joined the openssl users community. >>>>>>>>>>>>>>>> My requirement is to have the SSLv3 and weak ciphers >>>>>>>>>>>>>>>> enable with openssl installation . >>>>>>>>>>>>>>>> I have a query regarding enabling SSLv3 protocol and weak >>>>>>>>>>>>>>>> ciphers with openssl-1.1.1h installation >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I have followed the below steps >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> 1) *./config -enable-weak-ssl-ciphers* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *2) The Makefile looks as below* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *===============================* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ## >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ## Makefile for OpenSSL >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ## >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ## WARNING: do not edit! >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ## Generated by Configure from Configurations/common0.tmpl, >>>>>>>>>>>>>>>> Configurations/unix-Makefile.tmpl, Configurations/common.tmpl >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> PLATFORM=linux-x86_64 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> OPTIONS=-enable-weak-ssl-ciphers no-asan no-buildtest-c++ >>>>>>>>>>>>>>>> no-crypto-mdebug no-crypto-mdebug-backtrace no-devcryptoeng >>>>>>>>>>>>>>>> no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fuzz-afl >>>>>>>>>>>>>>>> no-fuzz-libfuzzer no-heartbeats no-md2 no-msan no-rc5 no-sctp no-ubsan >>>>>>>>>>>>>>>> no-unit-test no-zlib no-zlib-dynamic >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> CONFIGURE_ARGS=("linux-x86_64", "-enable-weak-ssl-ciphers") >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SRCDIR=. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> BLDDIR=. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> VERSION=1.1.1h >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> MAJOR=1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> MINOR=1.1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_VERSION_NUMBER=1.1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_VERSION_HISTORY= >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_MAJOR=1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_MINOR=1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_TARGET=linux-shared >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_EXT=.so.$(SHLIB_VERSION_NUMBER) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_EXT_SIMPLE=.so >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_EXT_IMPORT= >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> LIBS=apps/libapps.a libcrypto.a libssl.a test/libtestutil.a >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> SHLIB_INFO=";" >>>>>>>>>>>>>>>> "libcrypto$(SHLIB_EXT);libcrypto$(SHLIB_EXT_SIMPLE)" >>>>>>>>>>>>>>>> "libssl$(SHLIB_EXT);libssl$(SHLIB_EXT_SIMPLE)" ";" >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ENGINES=engines/afalg.so engines/capi.so engines/dasync.so >>>>>>>>>>>>>>>> engines/ossltest.so engines/padlock.so >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> @ >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> if i do any openssl operations it gives error ( core dumped >>>>>>>>>>>>>>>> ) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *./openssl ciphers -V* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> * Segmentation fault (core dumped)* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> *Can someone help me in resolving this issue ?* >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> If i don't use option* "**-enable-weak-ssl-ciphers " *then >>>>>>>>>>>>>>>> the above issue is not seen but SSLv3 and weak ciphers do not get enable. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Satyam >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> SY, Dmitry Belyavsky >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> SY, Dmitry Belyavsky >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> SY, Dmitry Belyavsky >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> SY, Dmitry Belyavsky >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> SY, Dmitry Belyavsky >>>>>> >>>>> >>>> >>>> -- >>>> SY, Dmitry Belyavsky >>>> >>> >> >> -- >> SY, Dmitry Belyavsky >> > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1986geetha at gmail.com Tue Oct 27 09:49:02 2020 From: 1986geetha at gmail.com (Geetha) Date: Tue, 27 Oct 2020 15:19:02 +0530 Subject: Help - compiling opensslnfir windows mobile (ARMV4i) Message-ID: Hello, Could anyone help me to compile the openssl static libraries under ARMV4i compiler. I have tried and spent long time, still getting error message. Winsock2.h error servent:struct type redefinition. Return code 0x2. Thanks Geetha -------------- next part -------------- An HTML attachment was scrubbed... URL: From root at c-works.net Wed Oct 28 08:46:49 2020 From: root at c-works.net (Harald Koch) Date: Wed, 28 Oct 2020 09:46:49 +0100 Subject: RFC6211 support with S/MIME Message-ID: <6884A917-B3E6-43B3-ABBD-01D9B9DBDD8C@c-works.net> Hello, I?ve been asked to support an optional feature when using S/MIME signed message transmission for (as they call it) ?Algorithm identifier protection?, which is defined in RFC6211. As I?ve found no evidence in the headers of openSSL, I?m asking you if this feature is available or planned. Actually, I?m using the latest openSSL version 1.1.1 with funtions for PKCS7 signing (PKCS7_sign, PKCS7_sign_add_signer, SMIME_write_PKCS7). Regards, Harald Koch From t.appel17 at imperial.ac.uk Wed Oct 28 08:48:37 2020 From: t.appel17 at imperial.ac.uk (Thibaut Appel) Date: Wed, 28 Oct 2020 09:48:37 +0100 Subject: make install fails as it tries to write in /tmp Message-ID: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> Dear OpenSSL users, I uncovered a potential issue affecting the installation of OpenSSL from source, in the case the user is not allowed to write in the /tmp folder. I'm trying to install on a cluster where permissions to '/tmp' is restricted. Is there an environment variable designed to tell 'make install' to NOT use /tmp? My $TMP environment variable points to a different folder. The result of: ./config --prefix=/rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h make && make install install libcrypto.a -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.a install libssl.a -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libssl.a link /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so.1.1 install libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so install libcrypto.so.1.1 -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so *mkdir: cannot create directory '/tmp/ar.12361': Permission denied* make: *** [install_dev] Error 1 Is there something I'm missing? How can this be circumvented? Thanks, Thibaut -------------- next part -------------- An HTML attachment was scrubbed... URL: From t.appel17 at imperial.ac.uk Wed Oct 28 12:13:01 2020 From: t.appel17 at imperial.ac.uk (Thibaut Appel) Date: Wed, 28 Oct 2020 13:13:01 +0100 Subject: make install fails as it tries to write in /tmp In-Reply-To: <72859398-7380-40C3-A699-4167F98108F5@c-works.net> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> <72859398-7380-40C3-A699-4167F98108F5@c-works.net> Message-ID: <636c6f9b-8dca-60d0-209c-87236ddf5f57@imperial.ac.uk> Dear Harald, Thank you for your answer. In fact my environment variable TMPDIR was already set to an appropriate folder, in my bash environment. Did you mean it is meant to be set somewhere else at build or install time? Output of perl --version gives me: This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi I did try to change the hard-coded '/tmp' occurences in unix-Makefile.tmpl to the said folder, and it gave me something like: ar: /my/dir/lib/libcrypto.so: file format not recognized Is there anything else I can try? Thibaut On 28/10/2020 13:00, Harald Koch wrote: > > This email from root at c-works.net originates from outside Imperial. Do > not click on links and attachments unless you recognise the sender. If > you trust the sender, add them to your safe senders list > to disable email > stamping for this address. > > Hello Thibaut, > > I assume due to the name prefix ?ar? that an archive wants to be > created via program ?ar?. According to its man page, you can set the > environment variable TMPDIR to your required value. Try this. > > (from ?man ar?): > > ENVIRONMENT > ? ? ?TMPDIR ?The pathname of the directory to use when creating > temporary files. > > Regards, > Harald > >> Am 28.10.2020 um 09:48 schrieb Thibaut Appel >> >: >> >> Dear OpenSSL users, >> >> I uncovered a potential issue affecting the installation of OpenSSL >> from source, in the case the user is not allowed to write in the /tmp >> folder. >> >> I'm trying to install on a cluster where permissions to '/tmp' is >> restricted. >> >> Is there an environment variable designed to tell 'make install' to >> NOT use /tmp? >> >> My $TMP environment variable points to a different folder. The result of: >> >> ./config >> --prefix=/rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h >> make && make install >> >> install libcrypto.a -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.a >> install libssl.a -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libssl.a >> link >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >> -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so.1.1 >> install libcrypto.so -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >> install libcrypto.so.1.1 -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >> *mkdir: cannot create directory '/tmp/ar.12361': Permission denied* >> make: *** [install_dev] Error 1 >> >> Is there something I'm missing? How can this be circumvented? >> >> Thanks, >> >> Thibaut >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From root at c-works.net Wed Oct 28 14:56:36 2020 From: root at c-works.net (Harald Koch) Date: Wed, 28 Oct 2020 15:56:36 +0100 Subject: make install fails as it tries to write in /tmp In-Reply-To: <636c6f9b-8dca-60d0-209c-87236ddf5f57@imperial.ac.uk> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> <72859398-7380-40C3-A699-4167F98108F5@c-works.net> <636c6f9b-8dca-60d0-209c-87236ddf5f57@imperial.ac.uk> Message-ID: <551C9753-5597-44AC-A3FC-226CA1FFA7A1@c-works.net> Hi Thibaut, there must be something else in your environment: I chmod?ed my /tmp to 770, added a new user, checked that we cannot access /tmp, and successfully compiled openssl-1.1.1h on a test machine. The reason could lie somewhere else than /tmp. > Am 28.10.2020 um 13:13 schrieb Thibaut Appel : > > Dear Harald, > > Thank you for your answer. > > In fact my environment variable TMPDIR was already set to an appropriate folder, in my bash environment. > > Did you mean it is meant to be set somewhere else at build or install time? > > Output of perl --version gives me: This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi > > I did try to change the hard-coded '/tmp' occurences in unix-Makefile.tmpl to the said folder, and it gave me something like: > > ar: /my/dir/lib/libcrypto.so: file format not recognized > > Is there anything else I can try? > > > > Thibaut > > > > On 28/10/2020 13:00, Harald Koch wrote: >> >> This email from root at c-works.net originates from outside Imperial. Do not click on links and attachments unless you recognise the sender. If you trust the sender, add them to your safe senders list to disable email stamping for this address. >> >> Hello Thibaut, >> >> I assume due to the name prefix ?ar? that an archive wants to be created via program ?ar?. According to its man page, you can set the environment variable TMPDIR to your required value. Try this. >> >> (from ?man ar?): >> >> ENVIRONMENT >> TMPDIR The pathname of the directory to use when creating temporary files. >> >> Regards, >> Harald >> >>> Am 28.10.2020 um 09:48 schrieb Thibaut Appel >: >>> >>> Dear OpenSSL users, >>> >>> I uncovered a potential issue affecting the installation of OpenSSL from source, in the case the user is not allowed to write in the /tmp folder. >>> >>> I'm trying to install on a cluster where permissions to '/tmp' is restricted. >>> >>> Is there an environment variable designed to tell 'make install' to NOT use /tmp? >>> >>> My $TMP environment variable points to a different folder. The result of: >>> >>> ./config --prefix=/rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h >>> make && make install >>> >>> install libcrypto.a -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.a >>> install libssl.a -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libssl.a >>> link /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so.1.1 >>> install libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >>> install libcrypto.so.1.1 -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >>> mkdir: cannot create directory '/tmp/ar.12361': Permission denied >>> make: *** [install_dev] Error 1 >>> >>> Is there something I'm missing? How can this be circumvented? >>> >>> Thanks, >>> >>> Thibaut >>> >>> >>> >> -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Wed Oct 28 15:08:17 2020 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 28 Oct 2020 11:08:17 -0400 Subject: make install fails as it tries to write in /tmp In-Reply-To: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> Message-ID: <20201028150817.GK34643@straasha.imrryr.org> On Wed, Oct 28, 2020 at 09:48:37AM +0100, Thibaut Appel wrote: > I uncovered a potential issue affecting the installation of OpenSSL from > source, in the case the user is not allowed to write in the /tmp folder. This build environment was not anticipated by the build system, which employs: $ git grep -A10 /tmp/ar unix-Makefile.tmpl: if [ -f "$$a" ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \ unix-Makefile.tmpl: mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \ unix-Makefile.tmpl- cp -f "$$a" "$$a.new"; \ unix-Makefile.tmpl- for so in `$(AR) t "$$a"`; do \ unix-Makefile.tmpl- $(AR) x "$$a" "$$so"; \ unix-Makefile.tmpl- chmod u+w "$$so"; \ unix-Makefile.tmpl- strip -X32_64 -e "$$so"; \ unix-Makefile.tmpl- $(AR) r "$$a.new" "$$so"; \ unix-Makefile.tmpl- done; \ unix-Makefile.tmpl- )); fi; \ unix-Makefile.tmpl- $(AR) r "$$a.new" "$$s1"; \ unix-Makefile.tmpl- mv -f "$$a.new" "$$a"; \ The hard-coded /tmp there is not essential, it could be replaced with mkdir -p .tmp/ar.$$$$, or some other appropriate path. -- Viktor. From openssl-users at dukhovni.org Wed Oct 28 15:26:29 2020 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 28 Oct 2020 11:26:29 -0400 Subject: RFC6211 support with S/MIME In-Reply-To: <6884A917-B3E6-43B3-ABBD-01D9B9DBDD8C@c-works.net> References: <6884A917-B3E6-43B3-ABBD-01D9B9DBDD8C@c-works.net> Message-ID: <20201028152629.GM34643@straasha.imrryr.org> On Wed, Oct 28, 2020 at 09:46:49AM +0100, Harald Koch wrote: > Hello, > > I?ve been asked to support an optional feature when using S/MIME > signed message transmission for (as they call it) ?Algorithm > identifier protection?, which is defined in RFC6211. As I?ve found no > evidence in the headers of openSSL, I?m asking you if this feature is > available or planned. Actually, I?m using the latest openSSL version > 1.1.1 with funtions for PKCS7 signing (PKCS7_sign, > PKCS7_sign_add_signer, SMIME_write_PKCS7). That of course looks like a CMS feature, but I don't see evidence of suppport for it in OpenSSL at this time. -- Viktor. From jb-openssl at wisemo.com Wed Oct 28 15:32:56 2020 From: jb-openssl at wisemo.com (Jakob Bohm) Date: Wed, 28 Oct 2020 16:32:56 +0100 Subject: Fencepost errors in certificate and OCSP validity Message-ID: <25705df7-98a6-2129-6086-cf31cd43eeb4@wisemo.com> Recently, the EJBCA developers publicly warned (via the Mozilla root store policy mailing list) other CA vendors that they had incorrectly implemented the handling of the "notAfter" X509 field, resulting in certificates that lasted 1 second longer than intended. Prompted by this warning, I checked what the OpenSSL code does, and it seems to be a bit more buggy: x509_vfy.c seems to be a bit ambivalent if certificate validity should be inclusive or exclusive of the time values in the certificate. apps.c seems to convert the validity duration in days as if the notAfter field is exclusive, but the notBefore field is inclusive. PKIX (RFC5280) says that both timestamps are inclusive, X.509 (10/2012) says nothing about this aspect of the interpretation of the validity structure. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded From t.appel17 at imperial.ac.uk Wed Oct 28 15:33:12 2020 From: t.appel17 at imperial.ac.uk (Thibaut Appel) Date: Wed, 28 Oct 2020 16:33:12 +0100 Subject: make install fails as it tries to write in /tmp In-Reply-To: <20201028150817.GK34643@straasha.imrryr.org> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> <20201028150817.GK34643@straasha.imrryr.org> Message-ID: Dear Viktor, I did try to change that hard-coded /tmp. make install now fails because of link /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so.1.1 install libcrypto.so -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so install libcrypto.so.1.1 -> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so ar: /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so: file format not recognized ar: /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so.new: file format not recognized make: *** [install_dev] Error 1 and I have $ perl configdata.pm -c Command line (with current working directory = .): ??? /usr/bin/perl ./Configure linux-x86_64 --prefix=/rds/general/user/ta3616/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h Perl information: ??? /usr/bin/perl ??? 5.16.3 for x86_64-linux-thread-multi It seems https://github.com/openssl/openssl/issues/6641 was about the same issue. I found out that my Text::Template is 1.45. Maybe that's the problem Thibaut On 28/10/2020 16:08, Viktor Dukhovni wrote: > ******************* > This email originates from outside Imperial. Do not click on links and attachments unless you recognise the sender. > If you trust the sender, add them to your safe senders list https://spam.ic.ac.uk/SpamConsole/Senders.aspx to disable email stamping for this address. > ******************* > On Wed, Oct 28, 2020 at 09:48:37AM +0100, Thibaut Appel wrote: > >> I uncovered a potential issue affecting the installation of OpenSSL from >> source, in the case the user is not allowed to write in the /tmp folder. > This build environment was not anticipated by the build system, which > employs: > > $ git grep -A10 /tmp/ar > unix-Makefile.tmpl: if [ -f "$$a" ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \ > unix-Makefile.tmpl: mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \ > unix-Makefile.tmpl- cp -f "$$a" "$$a.new"; \ > unix-Makefile.tmpl- for so in `$(AR) t "$$a"`; do \ > unix-Makefile.tmpl- $(AR) x "$$a" "$$so"; \ > unix-Makefile.tmpl- chmod u+w "$$so"; \ > unix-Makefile.tmpl- strip -X32_64 -e "$$so"; \ > unix-Makefile.tmpl- $(AR) r "$$a.new" "$$so"; \ > unix-Makefile.tmpl- done; \ > unix-Makefile.tmpl- )); fi; \ > unix-Makefile.tmpl- $(AR) r "$$a.new" "$$s1"; \ > unix-Makefile.tmpl- mv -f "$$a.new" "$$a"; \ > > The hard-coded /tmp there is not essential, it could be replaced with > mkdir -p .tmp/ar.$$$$, or some other appropriate path. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at jordan.maileater.net Wed Oct 28 15:33:55 2020 From: openssl at jordan.maileater.net (Jordan Brown) Date: Wed, 28 Oct 2020 15:33:55 +0000 Subject: make install fails as it tries to write in /tmp In-Reply-To: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> Message-ID: <010101756fd81adc-96ffc329-170a-4c57-81fb-b981d58e919f-000000@us-west-2.amazonses.com> I don't know exactly what environments the OpenSSL build targets, but a writable /tmp is a POSIX requirement. https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap10.html -- Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Wed Oct 28 15:40:36 2020 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 28 Oct 2020 11:40:36 -0400 Subject: make install fails as it tries to write in /tmp In-Reply-To: References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> <20201028150817.GK34643@straasha.imrryr.org> Message-ID: <20201028154036.GO34643@straasha.imrryr.org> On Wed, Oct 28, 2020 at 04:33:12PM +0100, Thibaut Appel wrote: > install libcrypto.so.1.1 -> > /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so > ar: > /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so: > file format not recognized Wild guess, you may have more than one "ar" on your system, and one of them does not like files produced by the other? I haven't had trouble building OpenSSL 1.1.1 from the upstream sources. Don't know whether "linuxbrew" introduces any additional concerns, I've never used that. -- Viktor. From openssl-users at dukhovni.org Wed Oct 28 15:44:36 2020 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 28 Oct 2020 11:44:36 -0400 Subject: Fencepost errors in certificate and OCSP validity In-Reply-To: <25705df7-98a6-2129-6086-cf31cd43eeb4@wisemo.com> References: <25705df7-98a6-2129-6086-cf31cd43eeb4@wisemo.com> Message-ID: <20201028154436.GP34643@straasha.imrryr.org> On Wed, Oct 28, 2020 at 04:32:56PM +0100, Jakob Bohm via openssl-users wrote: > Recently, the EJBCA developers publicly warned (via the Mozilla root store > policy mailing list) other CA vendors that they had incorrectly implemented > the handling of the "notAfter" X509 field, resulting in certificates that > lasted 1 second longer than intended. I think that's patently ridiculous. I'm inclined to dismiss any bug reports along these lines with prejudice. -- Viktor. From t.appel17 at imperial.ac.uk Wed Oct 28 20:04:04 2020 From: t.appel17 at imperial.ac.uk (Thibaut Appel) Date: Wed, 28 Oct 2020 21:04:04 +0100 Subject: make install fails as it tries to write in /tmp In-Reply-To: <20201028154036.GO34643@straasha.imrryr.org> References: <29b1d143-2412-f189-27db-131a319cb31d@imperial.ac.uk> <20201028150817.GK34643@straasha.imrryr.org> <20201028154036.GO34643@straasha.imrryr.org> Message-ID: <3c9dc591-b118-e0af-d762-d54b73d98527@imperial.ac.uk> |Updating 'Text::Template' from perl solved the problem, detailed in https://github.com/openssl/openssl/issues/6641| On 28/10/2020 16:40, Viktor Dukhovni wrote: > ******************* > This email originates from outside Imperial. Do not click on links and attachments unless you recognise the sender. > If you trust the sender, add them to your safe senders list https://spam.ic.ac.uk/SpamConsole/Senders.aspx to disable email stamping for this address. > ******************* > On Wed, Oct 28, 2020 at 04:33:12PM +0100, Thibaut Appel wrote: > >> install libcrypto.so.1.1 -> >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so >> ar: >> /rds/general/user/home/.linuxbrew/Cellar/openssl at 1.1/1.1.1h/lib/libcrypto.so: >> file format not recognized > Wild guess, you may have more than one "ar" on your system, and one of > them does not like files produced by the other? I haven't had trouble > building OpenSSL 1.1.1 from the upstream sources. > > Don't know whether "linuxbrew" introduces any additional concerns, I've > never used that. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From thomas at ada.support Thu Oct 29 03:52:29 2020 From: thomas at ada.support (Thomas Antonio) Date: Wed, 28 Oct 2020 23:52:29 -0400 Subject: How is the TLS Record Layer Version Selected? Message-ID: Hello, how does openSSL determine the Record Layer Version used to initiate a ClientHello message to the server? I believe the determination is made at this level. When testing using multiple implementations (Python Requests on a Debian machine and `cURL --tlsv1.2 --tls-max 1.2` from macOS) I will seemingly at random see ClientHello messages using TLS Record Layer Version 1.0. The TLS Handshake Protocol remains correctly set at 1.2. The majority of the time the Record Layer Version is 1.2. What could be causing this change in Record Version? I realize this is a valid message format and that a well configured TLS 1.2 server will accept this. Just trying to get to the bottom of what is causing this behaviour on the client side. A post showing the Record Version and Handshake Protocol mismatch is here https://support.f5.com/csp/article/K53037818 Thomas -------------- next part -------------- An HTML attachment was scrubbed... URL: From root at c-works.net Thu Oct 29 10:19:28 2020 From: root at c-works.net (Harald Koch) Date: Thu, 29 Oct 2020 11:19:28 +0100 Subject: SMIME signed message verification Message-ID: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> Hello, my task is to sign a message in C for SMIME exchange, which works as expected and openSSL is self-fulfilling with itself in successful verification (and unsuccessful in produced errors as expected). I've tested PKCS7 SMIME functions, as well as CMS ones, leading to the same result: the reference software endpoints (both written in Java; at least one uses BuncyCastle) are unable to verify the signature. See below the BASE64 blocks of a successful reference signature, and an unsuccessful openSSL variant of the same message, both signed with the same certificate and private key. The error message extracted from the Java implementations are: - "Unable to verify content integrity: Missing data" - "The system is unable to find out the sign algorithm of the inbound message" I digged a bit deeper into the ASN1 data (?cat signature.base64 | base64 -d | openssl asn1parse -inform DER" ), leading to my assumption that the algorithm provided for signature contained differs: - openSSL indicates ?rsaEncryption" - Java indicates ?sha512WithRSAEncryption" Since message digest and signing timestamp are available in both signatures, this is my only point of difference. Is there something I can do in openSSL to change the message algorithm to be provided in a form which Java accepts? Here the two base64 encoded signatures. Reference message (which works in all directions): MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCAMIID ljCCAn6gAwIBAgICBF0wDQYJKoZIhvcNAQELBQAwgY0xEjAQBgNVBAMTCWRlZGljYXRlZDEXMBUG A1UEChMOVElIIEl0YWxpYSBTUkwxDDAKBgNVBAsTA2VkaTEPMA0GA1UEBxMGUGFkb3ZhMQ4wDAYD VQQIEwVJdGFseTELMAkGA1UEBhMCUEQxIjAgBgkqhkiG9w0BCQEWE2FzMkBkZWRpY2F0ZWQud29y bGQwHhcNMTcxMTAyMTMyNzE3WhcNMjIxMTAxMTMyNzE3WjCBjTESMBAGA1UEAxMJZGVkaWNhdGVk MRcwFQYDVQQKEw5USUggSXRhbGlhIFNSTDEMMAoGA1UECxMDZWRpMQ8wDQYDVQQHEwZQYWRvdmEx DjAMBgNVBAgTBUl0YWx5MQswCQYDVQQGEwJQRDEiMCAGCSqGSIb3DQEJARYTYXMyQGRlZGljYXRl ZC53b3JsZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZv/pezb4MuezuMVb40qyCD z20xtPzWtjchXqeJnPo6b2VPHloSr2zGQ8mG9fsyfFj/WLz6d06ErB09Fr6M53Y7UjmMmik1BThL VXFKEZThlWTtfTwlhinoIjbcZ+sr4BKsVPvUShIEE5p4E3xHEcbx/8cMovt5s1gWiIakiwB+I8XV gg0+fr2IBxf9FvzNPyZZGN65sqdhNDHEyfkl65SFZoL8iDhmIgmeCB1ebW5syccFmAS984iBx0jk RWGACZaWge5X0kP50wk1WnEaHcz/Uay+3pC/j4ZUZGVL2jw44fd1BUXelaj+XcqG341r6xN0fJlR Xc0RhwmCcKINgFECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAJGJhUUcu/LTzRb+D7xCqwVi9h4EN WTxv81uFBOtebUjdQkNSsaXD5eHOr//tvqgNti3uGVdIfJarGSbaM32RrTSzbQvo+6r9MUM+qkx5 o/KTB2GuG+yyKEYbgrRsTluxu0KcsX44t+HyZ2VJnt9u44E2e34So3ioC02B4CoTzOFtT+DsWznd EWfB5r9GsY3IEfAOHtTgMFDPjb8pDfl/fTk6Pv3c+drSK/Os8qTa1gbe3GKOwIhXh01AsG2kaIss g7tBXtHYlnZgBqoRuIJus+kmUkJ4s9VDr+HCy4sVg1Q/h0Y6voUdTkBECRWR5zK5eb6VHSZRD2i9 uJSoqQmjNQAAMYICgjCCAn4CAQEwgZQwgY0xEjAQBgNVBAMTCWRlZGljYXRlZDEXMBUGA1UEChMO VElIIEl0YWxpYSBTUkwxDDAKBgNVBAsTA2VkaTEPMA0GA1UEBxMGUGFkb3ZhMQ4wDAYDVQQIEwVJ dGFseTELMAkGA1UEBhMCUEQxIjAgBgkqhkiG9w0BCQEWE2FzMkBkZWRpY2F0ZWQud29ybGQCAgRd MA0GCWCGSAFlAwQCAwUAoIG/MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkF MQ8XDTIwMDEyNDE5NDQzNlowNAYJKoZIhvcNAQkPMScwJTAKBggqhkiG9w0DBzAOBggqhkiG9w0D AgICAIAwBwYFKw4DAgcwTwYJKoZIhvcNAQkEMUIEQEuNaTyufm0EkVoVX1YXteYJnQk+ViLhR9YL lz5P8+s8PVPtY1bOazDhEC4nL2U4Cj99zlaq+FQrKRu58uOjZ9QwDQYJKoZIhvcNAQENBQAEggEA RngLYRDUXYCYRb1Xlht8Ywl7MWawKvJqYMgH+YFJA2Wpsgi2soSrjA35TmvqOQtm1cJBJrqx8OU7 NdnE8y5rrJPNDp4QMnwzWAzWWyf6zZWGFQGGEMn729zAPjl170Ka+WqLjRbVIC9Yvq4fYktfZKpg WosLs1zvLzJYAivWeFxmbuAmaUii/FkhFlZNEp/EM3FVbAG5GlqG/2vciE6uwcuW+Jk4/D+0deh5 N8ib3Dar9vBOlqfcqwUyvIY7RJVCrIa7xuwfJY/nrG/EK2p3uzHX542AKs0sBYk9Bm5DS0cXvONe UiQl/4Cj3pOivvmGIdhy5o7N5pwCCJh6cZv14QAAAAAAAA== openSSL?s version, which is not accepted by Java applications: MIILuAYJKoZIhvcNAQcCoIILqTCCC6UCAQExDTALBglghkgBZQMEAgEwCwYJKoZI hvcNAQcBoIII0zCCCM8wggS3oAMCAQICClLgJv3GpnHBcM0wDQYJKoZIhvcNAQEL BQAwgYsxCzAJBgNVBAYTAkRFMRYwFAYDVQQHDA1Ib2x6Z2VybGluZ2VuMRUwEwYD VQQKDAxjLXdvcmtzIEdtYkgxFTATBgNVBAsMDENlcnRpZmljYXRlczERMA8GA1UE AwwIT0ZUUDIgQ0ExIzAhBgoJkiaJk/IsZAEZFhNvZnRwMmNhLmMtd29ya3MubmV0 MB4XDTE4MDQxMDEzMTQwMloXDTIwMDMxMDEzMTQwMlowcDELMAkGA1UEBhMCSVQx DzANBgNVBAcMBlBhZG92YTEdMBsGA1UECgwUZEVESWNhdGVkIEl0YWxpYSBzcmwx ETAPBgNVBAsMCEVESSBUZWFtMR4wHAYDVQQDDBVvZnRwMi5kZWRpY2F0ZWQud29y bGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBHryKO7KqVZdIPrnB ArhEjBqeNfBUFeM5n1lmSU+x5pYfAp5MYGMxPnFpH7Q4Vf+XK/6yTn3VI+hT/bcW NiealiyRBjRQEX/was7bxDzY9y/Ms+tWGqhq0H6qN5q8gJ/15H6/B3jSV5h/gOAX hdXUuh3NuC2aXubWVlF+IEWtFj9xTVf6V+6MHoEpIw+C9LCbVvTipasjxB8O8dFk N3bvFhFfHUkXA2OlPxZZxBMFa26DARibS7YO5vjoCpofwBtsonxkUEps4vn4QFu3 0klEqRohhZnNzEdj9LqW6qdKPf3ZyVIgaOQa+WMaVDve2yZ9mh/T9lypM6NEBUDV WT11AgMBAAGjggJNMIICSTAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGwDAO BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMDAG CWCGSAGG+EIBDQQjFiFPRlRQMiBDZXJ0aWZpY2F0ZSBvZiBjLXdvcmtzIEdtYkgw UQYDVR0RBEowSIYWb2Z0cDovL08wMTc3WDBZTTAwMDAwMYIVb2Z0cDIuZGVkaWNh dGVkLndvcmxkgRdzdXBwb3J0QGRlZGljYXRlZC53b3JsZDAdBgNVHQ4EFgQUtcZm yFMAlxg78z9qTJsX7grfEV4wHwYDVR0jBBgwFoAU2/OITatwz/A2aA5O8GYErWWT oNwwUAYIKwYBBQUHAQEERDBCMEAGCCsGAQUFBzAChjRodHRwOi8vb2Z0cDJjYS5j LXdvcmtzLm5ldC9wa2kvcHViL2NhY2VydC9jYWNlcnQuY2VyMB4GA1UdEgQXMBWC E29mdHAyY2EuYy13b3Jrcy5uZXQwPwYJYIZIAYb4QgEEBDIWMGh0dHA6Ly9vZnRw MmNhLmMtd29ya3MubmV0L3BraS9wdWIvY3JsL2NhY3JsLmNybDA/BglghkgBhvhC AQMEMhYwaHR0cDovL29mdHAyY2EuYy13b3Jrcy5uZXQvcGtpL3B1Yi9jcmwvY2Fj cmwuY3JsMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9vZnRwMmNhLmMtd29ya3Mu bmV0L3BraS9wdWIvY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCBAEAE3KU a89sGS4Cz7EFqmC2cjawfeaKM0ryihuLqaiMlm1dhuqiUaBTDDXZyoK/Z908uHGA YQGkHsyDL50Rn7FOemf4vgkw+FJ5Jz8AVUNQ0Ai8lFNOirvbXbOjI9BjIIdWrfu+ cTrqw746ZUl+gsfeLtuneWhJLbAbvOJxQIczzRkHW/VkBSzRzgbLDoaQFEKNJyfg Gj7uZRDZBFjaVMuObyNQgDLyv167+zjwRXsjzGGk2q830nM2qxH3jsWXjBGr5h0H mtrZu4/x+ek7wXqr+i2azE9iN7cV55ni5tbcSXmQOT3bHd+8gQ+lG6ZB5a4u94pS LU4LsbNFjprQmMQJ+HvgjiWLS3cAXo6TA6Kc/ojrmRVinkPzD7fEXAg/MxROAnRI VGCYiXipMPputi9h1FdOnIakwOHxgW7mAVFh1kdhsJ4Sjv42sbbUwgPkkxww9dG0 Uk78dCALUfZCSjTFVYXpOh0OxO8SgY9CCHVPjcPQV0e7k/N3Je3erTCNw20pLXtF wINtpxp0SdCRl3NsYG+6YJ1WTK4TF4DOw9Hi8rKjnU6Fz/aYqVPD2I4IfIXter5B f26+2utLMr0VG+QV9cXkoRaYEgXZOiuEY+AmHn+tSL9/ICcRG1ya/4xRNI5USP5K mzeh5AZXIFN4R6Q8cctGn4Bl1LZqgPoIja029N8PEiqefzSFv/fcf6GMkl9GKQRy WaPCLsjRYMHUsn5IjYnb2FS34LtrVIzHAZ/W+kiG5gX/hz13B1yFMnFj4p65XFWN Bfp8UKuPgUshFMKA8CaOTDmHLsIzZDC3NMbcVJAxhFWGz8FhXoKh47x+VzR+E5oL cxnV1z3P1pTGyRn1ro+1sBqmiwPZsuyA80z3W1sfUs1XPMSeB1rDUsX0EFivGKnT ++s9nykHA/vysY1kerh5/UJ7O/72uGFCj6BB1DsXniexC1KW5Z41HmlvIlwvDA6g DopNII6Kej2kDw2VWVoCLYNFo7xV/qoRcTonS5bvGdYC/Id4PZ6XA89WT5PyvXyK Ptl1pOLd0GNLreyGGeCMhEYM6vQAXGB6yC/ugR2bhUc+MSUbkey4WXFDrXiPHqGo QWIbgiRf51Y5+fHEoUFGNWGcxAg7UMUZv7OctGEH2tx4A+7SC2ZGO6rnuGUwTe0z ack4+ypFSih6O59Y8wgeesbTCAFFZsSyzH/aggPTuydz8ARiZgN2td33iSDDw3Ec 5mhpBJf08l/H4abGKV1t3VNdQEkOFSn+N7/ksTsSXmcC24ONBDN+Ra0MwdCidO7B /yc5jz75mwHf5AKd34ToO2RivgQxCHoCnTEBUE/kt4+8cNtv0crLTS04C97ByAod 29b75rnqhnmcO6kZlzGCAqswggKnAgEBMIGaMIGLMQswCQYDVQQGEwJERTEWMBQG A1UEBwwNSG9semdlcmxpbmdlbjEVMBMGA1UECgwMYy13b3JrcyBHbWJIMRUwEwYD VQQLDAxDZXJ0aWZpY2F0ZXMxETAPBgNVBAMMCE9GVFAyIENBMSMwIQYKCZImiZPy LGQBGRYTb2Z0cDJjYS5jLXdvcmtzLm5ldAIKUuAm/camccFwzTALBglghkgBZQME AgGggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN MjAwMTI0MTkzODUzWjAvBgkqhkiG9w0BCQQxIgQgQBCQAoZud7bmLBC3cTB621kM lRfJ4pkbKN52sbAELHoweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJ YIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgIC AIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZI hvcNAQEBBQAEggEAsz2Lq/bBiX20RCodqm1k+DmNRMsNNvb2maZnL8//lcJkz73t A38rICeH53CYDXjk/5SD6T7ogfMgxBu7tdNpFaWXMgXALBrmYiE6X0vk9Mvc6bvW 4Hrqc8FY0WLgUOExMS9LJ4zqbCNxGZGJmhPCkuFGAK0cd+ycijSNCY3WbwSmNTIP Qvhhh5b+y252efMDDWcxl831JWmDBBTjsNAzk+mISDTm+asAJQjtUNbZMWIWgoQ/ rs7BhD+UKLbzlS7OyCh2yJAT472CXlJmA6Wv2ULhDCTqAC21ZXhs8JNIKNrLWoqO 1NGDfyQiKEk+91070jO28hXTvwol2wDyvvH4dg== Any input is welcome. Regards, Harald From matt at openssl.org Thu Oct 29 11:14:20 2020 From: matt at openssl.org (Matt Caswell) Date: Thu, 29 Oct 2020 11:14:20 +0000 Subject: How is the TLS Record Layer Version Selected? In-Reply-To: References: Message-ID: On 29/10/2020 03:52, Thomas Antonio via openssl-users wrote: > Hello, how does openSSL determine the Record Layer Version used to > initiate a?ClientHello message to the server? I believe?the > determination is made at this level. > > When testing using multiple implementations (Python Requests on a Debian > machine and `cURL --tlsv1.2 --tls-max 1.2` from macOS) I will seemingly > at random see?ClientHello messages using?TLS Record Layer Version 1.0. > The TLS Handshake Protocol remains correctly set at 1.2. The majority of > the time the Record Layer Version is 1.2. What could be causing this > change in Record Version? > > I realize this is a valid message format and that a well configured TLS > 1.2 server will accept this. Just trying to get to the bottom of what is > causing this behaviour on the client side. > > A post showing the Record Version and Handshake Protocol mismatch is here > https://support.f5.com/csp/article/K53037818 The logic is here: https://github.com/openssl/openssl/blob/648cf9249e6ec60e0af50d5d903e05244b837cb0/ssl/record/rec_layer_s3.c#L860-L861 And here: https://github.com/openssl/openssl/blob/648cf9249e6ec60e0af50d5d903e05244b837cb0/ssl/record/rec_layer_s3.c#L882-L891 Basically the record version is never greater than TLSv1.2. If we're in an initial ClientHello (not a renegotiation or an HRR) and the max version is > TLSv1.0 then the record version is fixed at TLSv1.0 for the ClientHello record. Matt From Tanuj.Sharma at Emerson.com Thu Oct 29 11:16:34 2020 From: Tanuj.Sharma at Emerson.com (Sharma, Tanuj [AUTOSOL/FMP/IN]) Date: Thu, 29 Oct 2020 11:16:34 +0000 Subject: Facing problems with openssl-1.1.1c & later versions In-Reply-To: References: Message-ID: Hi, There, I am new to openSSL and currently working on integrating openSSL libraries in our product which has linux-ppc platform. We have an old version of kernel in our product i.e. 2.6.37.6. I want to integrate lighttpd with openSSL for HTTPS support. When I use openSSL-1.1.1b or older version then I can connect to my device using HTTPS. But when I move to openSSL version 1.1.1c or higher, then HTTPS is not working. At this point in time, I don't think there is an issue with lighttpd package or my config file since everything is working with older version of openSSL. I want to ask how can I debug this issue? Any help will be greatly appreciated. I have spent couple of weeks now on this issue but not able to move forward. Thanks for your support in advance. Best regards, Tanuj Sharma | Micro Motion - USM Products Tanuj.Sharma at Emerson.com W: http://www.eicpune.emrsn.org/ -------------- next part -------------- An HTML attachment was scrubbed... URL: From mcr at sandelman.ca Thu Oct 29 13:12:33 2020 From: mcr at sandelman.ca (Michael Richardson) Date: Thu, 29 Oct 2020 09:12:33 -0400 Subject: SMIME signed message verification In-Reply-To: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> References: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> Message-ID: <28753.1603977153@localhost> Harald Koch wrote: > my task is to sign a message in C for SMIME exchange, which works as > expected and openSSL is self-fulfilling with itself in successful > verification (and unsuccessful in produced errors as expected). I've > tested PKCS7 SMIME functions, as well as CMS ones, leading to the same > result: the reference software endpoints (both written in Java; at > least one uses BuncyCastle) are unable to verify the signature. See > below the BASE64 blocks of a successful reference signature, and an > unsuccessful openSSL variant of the same message, both signed with the > same certificate and private key. The error message extracted from the > Java implementations are: I have exchanged CMS signed artifacts with Java implementations. I have CC'ed the author of the Java code to understand if they use BouncyCastle or are using an OpenSSL wrapper in Java code. > - "Unable to verify content integrity: Missing data" > - "The system is unable to find out the sign algorithm of the inbound message" > I digged a bit deeper into the ASN1 data (?cat signature.base64 | base64 -d | openssl asn1parse -inform DER" ), leading to my assumption that the algorithm provided for signature contained differs: > - openSSL indicates ?rsaEncryption" > - Java indicates ?sha512WithRSAEncryption" The first error you got seems inconsistent with this problem. Is is possible that one of you are sending CMS structures with out-of-band content? -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From root at c-works.net Thu Oct 29 13:50:31 2020 From: root at c-works.net (Harald Koch) Date: Thu, 29 Oct 2020 14:50:31 +0100 Subject: SMIME signed message verification In-Reply-To: <28753.1603977153@localhost> References: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> <28753.1603977153@localhost> Message-ID: Dear Michael, > Am 29.10.2020 um 14:12 schrieb Michael Richardson >> - "Unable to verify content integrity: Missing data" >> - "The system is unable to find out the sign algorithm of the inbound message" > >> I digged a bit deeper into the ASN1 data (?cat signature.base64 | base64 -d | openssl asn1parse -inform DER" ), leading to my assumption that the algorithm provided for signature contained differs: >> - openSSL indicates ?rsaEncryption" >> - Java indicates ?sha512WithRSAEncryption" > > The first error you got seems inconsistent with this problem. > Is is possible that one of you are sending CMS structures with out-of-band content? Yes, the signed message is contained in a HTTP(S) multipart request with more payload and header information, sure. The only different part is the signed content, all other content has been manually checked, they are exactly the same. May it be possible that the CMS data which openSSL generates is much bigger due to unneeded certificate information, which makes the Java process stumble over the input? Regards, Harald From mcr at sandelman.ca Thu Oct 29 21:55:27 2020 From: mcr at sandelman.ca (Michael Richardson) Date: Thu, 29 Oct 2020 17:55:27 -0400 Subject: SMIME signed message verification In-Reply-To: References: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> <28753.1603977153@localhost> Message-ID: <522.1604008527@localhost> Harald Koch wrote: >> Am 29.10.2020 um 14:12 schrieb Michael Richardson >>> - "Unable to verify content integrity: Missing data" >>> - "The system is unable to find out the sign algorithm of the inbound message" >> >>> I digged a bit deeper into the ASN1 data (?cat signature.base64 | base64 -d | openssl asn1parse -inform DER" ), leading to my assumption that the algorithm provided for signature contained differs: >>> - openSSL indicates ?rsaEncryption" >>> - Java indicates ?sha512WithRSAEncryption" >> >> The first error you got seems inconsistent with this problem. >> Is is possible that one of you are sending CMS structures with >> out-of-band content? > Yes, the signed message is contained in a HTTP(S) multipart request > with more payload and header information, sure. The only different part > is the signed content, all other content has been manually checked, > they are exactly the same. May it be possible that the CMS data which > openSSL generates is much bigger due to unneeded certificate > information, which makes the Java process stumble over the input? so, do have detached content then? And MIME and HTTP is involved? My bet is that you have CRLF/LF issues, which you might not see unless you look at the raw packets --- after the TLS is removed, which is a hassle, but there is a way in openssl to get that data put somewhere, but I can't recall what it is. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 487 bytes Desc: not available URL: From root at c-works.net Fri Oct 30 07:14:42 2020 From: root at c-works.net (Harald Koch) Date: Fri, 30 Oct 2020 08:14:42 +0100 Subject: SMIME signed message verification In-Reply-To: <522.1604008527@localhost> References: <593A5D3A-7BA2-49B3-954A-8EF8F7C2BB36@c-works.net> <28753.1603977153@localhost> <522.1604008527@localhost> Message-ID: <5DF3C0F0-512C-4A56-84A3-61B7AE118A1A@c-works.net> Dear Michael, > Am 29.10.2020 um 22:55 schrieb Michael Richardson : > >> Yes, the signed message is contained in a HTTP(S) multipart request >> with more payload and header information, sure. The only different part >> is the signed content, all other content has been manually checked, >> they are exactly the same. May it be possible that the CMS data which >> openSSL generates is much bigger due to unneeded certificate >> information, which makes the Java process stumble over the input? > so, do have detached content then? Yes. > And MIME and HTTP is involved? My bet is that you have CRLF/LF issues, which > you might not see unless you look at the raw packets --- after the TLS is > removed, which is a hassle, but there is a way in openssl to get that data > put somewhere, but I can't recall what it is. The CRLF issue known to me, and the used ?vi? editor is showing them good in blue color with ?^M? at every line ending, so there is no error here (since I use the flag PKCS7_CRLFEOL / CMS_CRLFEOL for correct encoding of line endings for HTTP(S) transmission). I?ve obtained the raw message via netcat and examined it in detail, the only difference seems to be the signed content. One big difference in the contained ASN1 data is that openSSL includes much more information from the used certificate, i.e. the X509v3 extensions, which Java doesn?t do. Perhaps it?s a matter of what certificate information is included in the signed data? From mahendra.sp at gmail.com Fri Oct 30 09:18:29 2020 From: mahendra.sp at gmail.com (Mahendra SP) Date: Fri, 30 Oct 2020 14:48:29 +0530 Subject: Decrypt error when using openssl 1.1.1b during SSL handshake Message-ID: Hi All. We have upgraded openssl version to 1.1.1b With this, we are seeing decryption error during SSL handshake for the below explained scenario. Our device acts as an SSL server. We have external hardware to offload RSA private key operations using the engine. Decryption of pre-master secret is done using hardware and is successful. We compared the pre-master secret on both server and client and they match. However, we see that SSL handshake fails with "decrypt error (51)" with an alert number 21. Verifying the encrypted finish message on the server side fails. This issue does not happen with software performing RSA private key operations. Can someone help with the reason for decryption failure? Below is the compiler and processor details. It is 64 bit. arm-linux-gnueabihf-gcc -march=armv7ve -mthumb -mfpu=neon -mfloat-abi=hard Thanks Mahendra -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1986geetha at gmail.com Fri Oct 30 09:50:57 2020 From: 1986geetha at gmail.com (Geetha) Date: Fri, 30 Oct 2020 15:20:57 +0530 Subject: Openssl for wince armv4i Message-ID: Hi All, How to compile openssl for ARMV4i compiler. Please any one guide. Regards Geetha -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Fri Oct 30 10:02:18 2020 From: matt at openssl.org (Matt Caswell) Date: Fri, 30 Oct 2020 10:02:18 +0000 Subject: Decrypt error when using openssl 1.1.1b during SSL handshake In-Reply-To: References: Message-ID: <27e3795f-e587-8149-dbc3-ee4c4270b233@openssl.org> On 30/10/2020 09:18, Mahendra SP wrote: > Hi All. > > We have upgraded openssl version to 1.1.1b > > With this, we are seeing decryption error during SSL handshake for the > below explained scenario. Our device acts as an SSL server. > > We have external hardware to offload RSA private key operations using > the engine. > Decryption of pre-master secret is done using hardware and is > successful. We compared the pre-master secret on both server and client > and they match. > However, we see that SSL handshake fails with "decrypt error (51)" with > an alert number 21. Verifying the encrypted finish message on the server > side fails. > > This issue does not happen with software performing RSA private key > operations. > > Can someone help with the reason for decryption failure? Below is the > compiler and processor details. It is 64 bit. > arm-linux-gnueabihf-gcc ?-march=armv7ve -mthumb -mfpu=neon -mfloat-abi=hard Potentially this is related to the use of PSS padding in libssl which is mandated in TLSv1.3. The TLSv1.3 spec also requires its use even in TLSv1.2. The PSS padding is implemented within the EVP layer. Ultimately EVP calls the function RSA_private_encrypt() with padding set to RSA_NO_PADDING. Assuming your engine is implemented via a custom RSA_METHOD does it support RSA_private_encrypt(() with RSA_NO_PADDING? If not this is likely to be the problem. More discussion of this is here: https://github.com/openssl/openssl/issues/7968 Also related is the recent discussion on this list about the CAPI engine and this issue: https://github.com/openssl/openssl/issues/8872 Matt From mahendra.sp at gmail.com Fri Oct 30 11:22:36 2020 From: mahendra.sp at gmail.com (Mahendra SP) Date: Fri, 30 Oct 2020 16:52:36 +0530 Subject: Decrypt error when using openssl 1.1.1b during SSL handshake In-Reply-To: <27e3795f-e587-8149-dbc3-ee4c4270b233@openssl.org> References: <27e3795f-e587-8149-dbc3-ee4c4270b233@openssl.org> Message-ID: Hi Matt, Thank you for the inputs. Yes, we had encountered the padding issue initially. But we added support for RSA_NO_PADDING in our hardware. That's why we are able to successfully decrypt the premaster secret in the hardware. Hence the issue does not seem to be related to padding. We have confirmed this by comparing the premaster secret on both client and server and they are the same. We suspect in this case, verification of "encrypted handshake message" failure is happening. We understand constant_time_xx APIs get used for CBC padding validation. Will this have any dependency on the compiler optimization or asm flags? Will this issue be seen if hardware takes more time for the operation? Here is the snippet of the wireshark where our device acting as server closes the connection with decryption failure. If you need any further info, please let us know. [image: image.png] Thanks Mahendra Please suggest. On Fri, Oct 30, 2020 at 3:32 PM Matt Caswell wrote: > > > On 30/10/2020 09:18, Mahendra SP wrote: > > Hi All. > > > > We have upgraded openssl version to 1.1.1b > > > > With this, we are seeing decryption error during SSL handshake for the > > below explained scenario. Our device acts as an SSL server. > > > > We have external hardware to offload RSA private key operations using > > the engine. > > Decryption of pre-master secret is done using hardware and is > > successful. We compared the pre-master secret on both server and client > > and they match. > > However, we see that SSL handshake fails with "decrypt error (51)" with > > an alert number 21. Verifying the encrypted finish message on the server > > side fails. > > > > This issue does not happen with software performing RSA private key > > operations. > > > > Can someone help with the reason for decryption failure? Below is the > > compiler and processor details. It is 64 bit. > > arm-linux-gnueabihf-gcc -march=armv7ve -mthumb -mfpu=neon > -mfloat-abi=hard > > Potentially this is related to the use of PSS padding in libssl which is > mandated in TLSv1.3. The TLSv1.3 spec also requires its use even in > TLSv1.2. > > The PSS padding is implemented within the EVP layer. Ultimately EVP > calls the function RSA_private_encrypt() with padding set to > RSA_NO_PADDING. > > Assuming your engine is implemented via a custom RSA_METHOD does it > support RSA_private_encrypt(() with RSA_NO_PADDING? If not this is > likely to be the problem. > > More discussion of this is here: > > https://github.com/openssl/openssl/issues/7968 > > Also related is the recent discussion on this list about the CAPI engine > and this issue: > > https://github.com/openssl/openssl/issues/8872 > > Matt > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 24038 bytes Desc: not available URL: From sojulibra at gmail.com Fri Oct 30 13:51:23 2020 From: sojulibra at gmail.com (Souju TANAKA) Date: Fri, 30 Oct 2020 22:51:23 +0900 Subject: Openssl for wince armv4i In-Reply-To: References: Message-ID: <2203a30a-22e7-6020-00c4-6685897d732c@gmail.com> Hi Geetha, On 2020/10/30 18:50, Geetha wrote: > Hi All, > > > How to compile openssl for ARMV4i compiler. > > Please any one guide. > > Regards > Geetha Please have a look: https://qiita.com/souju/items/94117c024862f57459c3 I wrote it. Regards -- Souju TANAKA From matt at openssl.org Fri Oct 30 14:20:39 2020 From: matt at openssl.org (Matt Caswell) Date: Fri, 30 Oct 2020 14:20:39 +0000 Subject: Decrypt error when using openssl 1.1.1b during SSL handshake In-Reply-To: References: <27e3795f-e587-8149-dbc3-ee4c4270b233@openssl.org> Message-ID: On 30/10/2020 11:22, Mahendra SP wrote: > Hi Matt, > > Thank you for the?inputs. > Yes, we had encountered?the padding issue initially. But we added > support for RSA_NO_PADDING in our hardware. That's why we are able to > successfully decrypt the premaster secret in the hardware. > Hence the issue does not seem to be related?to padding. We have > confirmed this by comparing the premaster secret on both client and > server and they are the same. Ok, good. > > We suspect in this case, verification of "encrypted handshake?message" > failure is happening. It's possible. It would be helpful if you can get more information from the error stack on the server, e.g. by using ERR_print_errors_fp() or something similar. I'm particularly interested in identifying the source file and line number where the decrypt_error is coming from. Printing the error stack should give us that information. There are a number of places that a "decrypt error" can occur and it would be helpful to identify which one is the cause of the problem. > We understand constant_time_xx APIs get?used for CBC padding validation. > Will this have? any dependency on the compiler optimization or asm > flags? CBC padding validation is fairly independent of anything to do with RSA, so I think its unlikely to be the culprit here. Of course sometimes compiler optimization/asm issues do occur so it can't be ruled out entirely - but it's not where I would start looking. > Will this issue be seen if hardware takes more time for?the > operation? > No. Constant time here just means that we implement the code without any branching based on secret data (e.g. no "if" statements/while loops etc based on secret dependent data). It has very little to do with how long something actually takes to process. > Here is the snippet of the wireshark where?our device acting as server > closes the connection with decryption failure. Thanks. To narrow it down further I need to figure out which line of code the decrypt_error is coming from as described above. Matt > If you need any further info, please let us know.? > image.png > Thanks > Mahendra > > Please suggest. > > > > On Fri, Oct 30, 2020 at 3:32 PM Matt Caswell > wrote: > > > > On 30/10/2020 09:18, Mahendra SP wrote: > > Hi All. > > > > We have upgraded openssl version to 1.1.1b > > > > With this, we are seeing decryption error during SSL handshake for the > > below explained scenario. Our device acts as an SSL server. > > > > We have external hardware to offload RSA private key operations using > > the engine. > > Decryption of pre-master secret is done using hardware and is > > successful. We compared the pre-master secret on both server and > client > > and they match. > > However, we see that SSL handshake fails with "decrypt error (51)" > with > > an alert number 21. Verifying the encrypted finish message on the > server > > side fails. > > > > This issue does not happen with software performing RSA private key > > operations. > > > > Can someone help with the reason for decryption failure? Below is the > > compiler and processor details. It is 64 bit. > > arm-linux-gnueabihf-gcc ?-march=armv7ve -mthumb -mfpu=neon > -mfloat-abi=hard > > Potentially this is related to the use of PSS padding in libssl which is > mandated in TLSv1.3. The TLSv1.3 spec also requires its use even in > TLSv1.2. > > The PSS padding is implemented within the EVP layer. Ultimately EVP > calls the function RSA_private_encrypt() with padding set to > RSA_NO_PADDING. > > Assuming your engine is implemented via a custom RSA_METHOD does it > support RSA_private_encrypt(() with RSA_NO_PADDING? If not this is > likely to be the problem. > > More discussion of this is here: > > https://github.com/openssl/openssl/issues/7968 > > Also related is the recent discussion on this list about the CAPI engine > and this issue: > > https://github.com/openssl/openssl/issues/8872 > > Matt > From 1986geetha at gmail.com Fri Oct 30 14:28:32 2020 From: 1986geetha at gmail.com (Geetha) Date: Fri, 30 Oct 2020 19:58:32 +0530 Subject: Openssl for wince armv4i In-Reply-To: <2203a30a-22e7-6020-00c4-6685897d732c@gmail.com> References: <2203a30a-22e7-6020-00c4-6685897d732c@gmail.com> Message-ID: Thanks Souju. But in my machine I couldn't locate this below path set Path=C:\WINCE700\sdk\bin\i386\arm please help to proceed further. Thanks, Geetha On Fri, Oct 30, 2020, 7:21 PM Souju TANAKA wrote: > Hi Geetha, > > On 2020/10/30 18:50, Geetha wrote: > > Hi All, > > > > > > How to compile openssl for ARMV4i compiler. > > > > Please any one guide. > > > > Regards > > Geetha > > Please have a look: https://qiita.com/souju/items/94117c024862f57459c3 > I wrote it. > > Regards > -- > Souju TANAKA > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sojulibra at gmail.com Fri Oct 30 15:35:15 2020 From: sojulibra at gmail.com (Souju TANAKA) Date: Sat, 31 Oct 2020 00:35:15 +0900 Subject: Openssl for wince armv4i In-Reply-To: References: <2203a30a-22e7-6020-00c4-6685897d732c@gmail.com> Message-ID: <0f7f18f4-128c-7abb-b012-9c21e989c453@gmail.com> Hi Geetha, On 2020/10/30 23:28, Geetha wrote: > But in my machine I couldn't locate this below path > set Path=C:\WINCE700\sdk\bin\i386\arm If you don't have C:\WINCE700, you can use arm cross compiler in VisualStudio directory. Please try the following path instead: set Path=C:\Program Files (x86)\Microsoft Visual Studio 9.0\Common7\IDE;C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\ce\bin\x86_arm;C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin;C:\Program Files\Microsoft SDKs\Windows\v6.0A\Bin;%Path% Note: This setting is suitable for our environment (VS2008 + WEC7) and there might possibly be some differences from yours in detail. C:\WINCE700 is a directory of WEC7 Platform Builder. It contains newer version of arm compiler. -- Souju TANAKA