use of SSL_CTX_load_verify_locations() in s_client
Hi, Ralf Haferkamp noticed that several programs using openssl contain some weird piece of code that seems to originate to apps/s_client.c: if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,error setting default verify locations\n); */ ERR_print_errors(bio_err); /* goto end; */ } SSL_CTX_load_verify_locations() returns zero on failure or if both arguments are NULL. Therefore SSL_CTX_set_default_verify_paths() actually only gets called if SSL_CTX_load_verify_locations() succeeds which doesn't make much sense. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: use of SSL_CTX_load_verify_locations() in s_client
Ludwig Nussel wrote: if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) { /* BIO_printf(bio_err,error setting default verify locations\n); */ ERR_print_errors(bio_err); /* goto end; */ } SSL_CTX_load_verify_locations() returns zero on failure or if both arguments are NULL. Therefore SSL_CTX_set_default_verify_paths() actually only gets called if SSL_CTX_load_verify_locations() succeeds which doesn't make much sense. Here's a patch for that: Index: apps/s_client.c === RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v retrieving revision 1.130 diff -u -r1.130 s_client.c --- apps/s_client.c 16 Dec 2009 20:25:58 - 1.130 +++ apps/s_client.c 26 Feb 2010 14:20:09 - @@ -904,12 +904,19 @@ if (!set_cert_key_stuff(ctx,cert,key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile || CApath) { - /* BIO_printf(bio_err,error setting default verify locations\n); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + BIO_printf(bio_err,error setting verify locations\n); + ERR_print_errors(bio_err); + goto end; + } + } + else + { + BIO_printf(bio_c_out,using default CA certificates\n); + SSL_CTX_set_default_verify_paths(ctx); } #ifndef OPENSSL_NO_TLSEXT cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: We want to add a switch to openssl's zlib compression methord
Thor Lancelot Simon wrote: On Tue, Jun 07, 2011 at 10:58:20PM -0600, Guan Jun He wrote: Hi, Openssl Developpers: We have a platform with cryptographic hardware,and we try to take advantage of the platform's hardware cryptographic features.But openSSL compresses data before the encryption, having a massive performance impact(throughput decrease, CPU load increase) on platforms with cryptographic hardware. There are probably two methords to work-around it: * environment variable, the attached patch is written for this methord. it's produced against oepnssl version 0.9.8, it other versions also need the patch,we are glad to submit it. * add an item to configure file openssl.cnf. What do you think about this? Again, I think this should be configured via an option on the SSL_CTX. There is no way to set the default context options via config file though, right? So every application would need to be patched. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: We want to add a switch to openssl's zlib compression methord
Thor Lancelot Simon wrote: On Thu, Jun 09, 2011 at 05:08:30PM +0200, Ludwig Nussel wrote: Thor Lancelot Simon wrote: Again, I think this should be configured via an option on the SSL_CTX. There is no way to set the default context options via config file though, right? So every application would need to be patched. If that's wanted, just rebuild OpenSSL without zlib support, no? Well, that's not really a viable solution for a distribution. We prefer to have one binary package rather every setting :-) A way to set default context options via config file would be nice for other settings too. If applications could rely on a sane default config provided by the distro/admin the individual calls to SSL_CTX_set_options, SSL_CTX_set_cipher_list, SSL_CTX_set_default_verify_paths/SSL_CTX_load_verify_locations, etc in each and every applications were no longer be necessary. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl 1.0.1 and rumors about TLS 1.0 attacks
Richard Könning wrote: Am 20.09.2011 13:19, schrieb Hanno Böck: It seems some rumors are spreading about an attack presented later this week against sslv3/tlsv1.0: http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ Whatever this attack looks like in detail, all news one can find at the moment suggest that only sslv3/tls 1.0 is affected and going to tls 1.1 or 1.2 should fix it. AFAIK, openssl current release 1.0.0 has no tls 1.2, but the planned openssl 1.0.1 should have. Which leads to the question: Is there a planned timeline for a 1.0.1 release and could this be accelerated if the issue turns out to be serious? Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You then see that the problem is already addressed in OpenSSL 0.9.6d, over seven years ago. See also http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887rep=rep1type=pdf, section 6, subsection OpenSSL and the Empty Message. Unfortunately SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and many applications set SSL_OP_ALL. So I guess in practice the workaround is not widely used. Does anyone know if there are still 'some broken SSL/TLS implementations' out there that choke if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is not set? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.1 released
Dr. Stephen Henson wrote: On Wed, Mar 14, 2012, Mike Frysinger wrote: i'm not looking for downstream workarounds here but rather the right answer. is openssl-1.0.1 expected to be ABI compatible with openssl-1.0.0 ? Yes. In brief the versioning scheme introduced with 1.0.0 is: Changes to last letter: security and bugfix only, no new features. E.g. 1.0.0-1.0.0a Changes to last number: new ABI compatible features. E.g. 1.0.0-1.0.1 Changes to middle number: major release, ABI compatibility not guaranteed. E.g. 1.0.0-1.1.0 btw, are there any plans to use symbol versioning on systems that support it? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2203] [PATCH] fix fallback to default verify paths
--- apps/s_client.c | 17 - 1 files changed, 12 insertions(+), 5 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 484d009..3f57a5d 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -904,12 +904,19 @@ bad: if (!set_cert_key_stuff(ctx,cert,key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) + if (CAfile || CApath) { - /* BIO_printf(bio_err,error setting default verify locations\n); */ - ERR_print_errors(bio_err); - /* goto end; */ + if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) + { + BIO_printf(bio_err,error setting verify locations\n); + ERR_print_errors(bio_err); + goto end; + } + } + else + { + BIO_printf(bio_c_out,using default CA certificates\n); + SSL_CTX_set_default_verify_paths(ctx); } #ifndef OPENSSL_NO_TLSEXT -- 1.6.4.2 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org