use of SSL_CTX_load_verify_locations() in s_client

2010-02-23 Thread Ludwig Nussel
Hi,

Ralf Haferkamp noticed that several programs using openssl contain
some weird piece of code that seems to originate from apps/s_client.c:

    if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx)))
        {
        /* BIO_printf(bio_err,"error setting default verify locations\n"); */
        ERR_print_errors(bio_err);
        /* goto end; */
        }

SSL_CTX_load_verify_locations() returns zero on failure or if both
arguments are NULL. Therefore SSL_CTX_set_default_verify_paths()
actually only gets called if SSL_CTX_load_verify_locations()
succeeds which doesn't make much sense.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: use of SSL_CTX_load_verify_locations() in s_client

2010-02-26 Thread Ludwig Nussel
Ludwig Nussel wrote:
>     if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
>         (!SSL_CTX_set_default_verify_paths(ctx)))
>         {
>         /* BIO_printf(bio_err,"error setting default verify locations\n"); */
>         ERR_print_errors(bio_err);
>         /* goto end; */
>         }
>
> SSL_CTX_load_verify_locations() returns zero on failure or if both
> arguments are NULL. Therefore SSL_CTX_set_default_verify_paths()
> actually only gets called if SSL_CTX_load_verify_locations()
> succeeds which doesn't make much sense.

Here's a patch for that:

Index: apps/s_client.c
===
RCS file: /v/openssl/cvs/openssl/apps/s_client.c,v
retrieving revision 1.130
diff -u -r1.130 s_client.c
--- apps/s_client.c 16 Dec 2009 20:25:58 -  1.130
+++ apps/s_client.c 26 Feb 2010 14:20:09 -
@@ -904,12 +904,19 @@
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
 
-   if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-   (!SSL_CTX_set_default_verify_paths(ctx)))
+   if (CAfile || CApath)
{
-   /* BIO_printf(bio_err,error setting default verify 
locations\n); */
-   ERR_print_errors(bio_err);
-   /* goto end; */
+   if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+   {
+   BIO_printf(bio_err,error setting verify locations\n);
+   ERR_print_errors(bio_err);
+   goto end;
+   }
+   }
+   else
+   {
+   BIO_printf(bio_c_out,using default CA certificates\n);
+   SSL_CTX_set_default_verify_paths(ctx);
}
 
 #ifndef OPENSSL_NO_TLSEXT
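
Review bot: the new else branch discards the return value of SSL_CTX_set_default_verify_paths(ctx), so a failure to set up the default trust store now passes silently, whereas the removed code at least reached ERR_print_errors(bio_err) in that case. Suggest checking it the same way as the SSL_CTX_load_verify_locations() call a few lines above, i.e. `if (!SSL_CTX_set_default_verify_paths(ctx))` followed by ERR_print_errors(bio_err), and deciding explicitly whether that case should also `goto end;`.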

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)


Re: We want to add a switch to openssl's zlib compression method

2011-06-09 Thread Ludwig Nussel
Thor Lancelot Simon wrote:
> On Tue, Jun 07, 2011 at 10:58:20PM -0600, Guan Jun He wrote:
> > Hi, OpenSSL developers:
> >
> > We have a platform with cryptographic hardware, and we try to take
> > advantage of the platform's hardware cryptographic features. But OpenSSL
> > compresses data before the encryption, having a massive performance
> > impact (throughput decrease, CPU load increase) on platforms with
> > cryptographic hardware.
> >
> > There are probably two methods to work around it:
> > * environment variable; the attached patch is written for this method.
> >   It's produced against openssl version 0.9.8; if other versions also
> >   need the patch, we are glad to submit it.
> > * add an item to the configuration file openssl.cnf.
> >
> > What do you think about this?
>
> Again, I think this should be configured via an option on the SSL_CTX.

There is no way to set the default context options via config file
though, right? So every application would need to be patched.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 
16746 (AG Nürnberg) 


Re: We want to add a switch to openssl's zlib compression method

2011-06-10 Thread Ludwig Nussel
Thor Lancelot Simon wrote:
> On Thu, Jun 09, 2011 at 05:08:30PM +0200, Ludwig Nussel wrote:
> > Thor Lancelot Simon wrote:
> > >
> > > Again, I think this should be configured via an option on the SSL_CTX.
> >
> > There is no way to set the default context options via config file
> > though, right? So every application would need to be patched.
>
> If that's wanted, just rebuild OpenSSL without zlib support, no?

Well, that's not really a viable solution for a distribution. We
prefer to have one binary package rather than one for every setting :-)

A way to set default context options via config file would be nice
for other settings too. If applications could rely on a sane default
config provided by the distro/admin, the individual calls to
SSL_CTX_set_options, SSL_CTX_set_cipher_list,
SSL_CTX_set_default_verify_paths/SSL_CTX_load_verify_locations, etc.
in each and every application would no longer be necessary.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 
16746 (AG Nürnberg) 


Re: openssl 1.0.1 and rumors about TLS 1.0 attacks

2011-09-21 Thread Ludwig Nussel
Richard Könning wrote:
> On 20.09.2011 13:19, Hanno Böck wrote:
> > It seems some rumors are spreading about an attack presented later this
> > week against sslv3/tlsv1.0:
> > http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
> >
> > Whatever this attack looks like in detail, all news one can find at the
> > moment suggest that only sslv3/tls 1.0 is affected and going to tls
> > 1.1 or 1.2 should fix it.
> >
> > AFAIK, openssl current release 1.0.0 has no tls 1.2, but the
> > planned openssl 1.0.1 should have.
> >
> > Which leads to the question: Is there a planned timeline for a 1.0.1
> > release and could this be accelerated if the issue turns out to be
> > serious?
>
> Please read http://www.openssl.org/~bodo/tls-cbc.txt, problem #2. You then
> see that the problem is already addressed in OpenSSL 0.9.6d, over seven years
> ago. See also
> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5887&rep=rep1&type=pdf,
> section 6, subsection "OpenSSL and the Empty Message".

Unfortunately SSL_OP_ALL includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS and
many applications set SSL_OP_ALL. So I guess in practice the workaround
is not widely used.
Does anyone know if there are still 'some broken SSL/TLS
implementations' out there that choke if SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is 
not set?

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 
16746 (AG Nürnberg) 


Re: OpenSSL 1.0.1 released

2012-03-15 Thread Ludwig Nussel
Dr. Stephen Henson wrote:
> On Wed, Mar 14, 2012, Mike Frysinger wrote:
> > i'm not looking for downstream workarounds here but rather the right answer.
> >
> > is openssl-1.0.1 expected to be ABI compatible with openssl-1.0.0 ?
>
> Yes. In brief the versioning scheme introduced with 1.0.0 is:
>
> Changes to last letter: security and bugfix only, no new features.
> E.g. 1.0.0->1.0.0a
> Changes to last number: new ABI compatible features.
> E.g. 1.0.0->1.0.1
> Changes to middle number: major release, ABI compatibility not guaranteed.
> E.g. 1.0.0->1.1.0

btw, are there any plans to use symbol versioning on systems that
support it?

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 
16746 (AG Nürnberg) 


[openssl.org #2203] [PATCH] fix fallback to default verify paths

2010-03-25 Thread Ludwig Nussel via RT
---
 apps/s_client.c |   17 -
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 484d009..3f57a5d 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -904,12 +904,19 @@ bad:
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
 
-   if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-   (!SSL_CTX_set_default_verify_paths(ctx)))
+   if (CAfile || CApath)
{
-   /* BIO_printf(bio_err,error setting default verify 
locations\n); */
-   ERR_print_errors(bio_err);
-   /* goto end; */
+   if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+   {
+   BIO_printf(bio_err,error setting verify locations\n);
+   ERR_print_errors(bio_err);
+   goto end;
+   }
+   }
+   else
+   {
+   BIO_printf(bio_c_out,using default CA certificates\n);
+   SSL_CTX_set_default_verify_paths(ctx);
}
 
 #ifndef OPENSSL_NO_TLSEXT
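
Review bot: when CAfile or CApath is set, the new if-branch never calls SSL_CTX_set_default_verify_paths(), whereas the removed condition called it whenever SSL_CTX_load_verify_locations() succeeded, so the default locations are no longer consulted alongside the explicit ones. In the same branch the previously commented-out `goto end;` is now live, which turns a bad CAfile/CApath from a printed error into a fatal one. Both are user-visible behaviour changes that the subject line "fix fallback to default verify paths" does not cover; suggest describing them in the commit message, or keeping the default-paths call in both branches if only the fallback case was meant to change.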
-- 
1.6.4.2
