Re: Renegotiation behavior in 0.9.8l
Hi! I did some more testing with 1.0.0beta4 and current 0.9.8-stable CVS branch to hopefully answer some of my questions. On Mon, 9 Nov 2009 10:00:01 +0100 Tomas Hoger tho...@redhat.com wrote: Following cn18794 changed that however. After receiving Client Hello, server sends no reply to the client, calls SSL_clear and read-block in an attempt to read Hello. So both client and server are trying to read from the connection and neither detects the connection is not usable any more. ... - Is that intended behavior? Is server not sending alert on purpose? 0.9.8-stable does send an alert and tears down connection immediately. So the behavior in 0.9.8l was not really intended. - Is SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION going to stay or disappear with the addition of reneg extension? My bad, cn18804 answers that already: Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). - Will all renegotiations remain banned by default even in versions with reneg extension implemented? This is unclear, they are banned in 0.9.8-stable, but 1.0.0beta4 seems to allow all, even those without an extension. - In 0.9.8l, when server calls SSL_renegotiate / SSL_do_handshake, no Hello Request is sent. Will this behavior remain the same in future versions? 0.9.8-stable does send Hello Request. th. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2097] OpenSSL 1.0.0 beta4 - Microsoft Windows
That's caused by broken IPv6 headers. If possible you should upgrade the platform SDK (which may not be possible on VC6). The alternative is to forcibly disable IPV6 with: perl Configure VC-WIN32 -DOPENSSL_USE_IPV6=0 on the command line. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Test of disabled renegotiation in 0.9.8l
Greetings, I am testing the behaviour of 0.9.8l with respect to client renegotiation. The build is httpd-2.2.14 with openssl-0.9.8l on Solaris 10. I do: $ openssl s_client -connect wibble:443 ... GET / HTTP/1.1 Host:wibble R RENEGOTIATING Then the connection hangs and I get no further data back from the server. On http://wibble/server-status, I see: 6-0 17718 0/1/1 R 0.14 31 90 0.0 0.00 0.00 ? ? ..reading.. This stays like this until I kill the session. Is this the intended behaviour? I thought it was supposed to drop the connection? Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. The sender's company reserves the right to monitor all e-mail communications through their networks. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2098] [PATCH] util/cygwin.sh: Build with zlib by default
Hi, could the below patch be applied to util/cygwin.sh before openssl-1.0.0 gets released, please? The only change is that zlib is added to the build options so that the default build will always include zlib compression support now. Thanks, Corinna Index: util/cygwin.sh === RCS file: /home/cvs/cvsroot/src/openssl/util/cygwin.sh,v retrieving revision 1.8 diff -u -p -r1.8 cygwin.sh --- util/cygwin.sh 23 Jun 2005 20:55:38 - 1.8 +++ util/cygwin.sh 11 Nov 2009 11:47:23 - @@ -7,7 +7,7 @@ # Uncomment when debugging #set -x -CONFIG_OPTIONS=--prefix=/usr shared no-idea no-rc5 no-mdc2 +CONFIG_OPTIONS=--prefix=/usr shared zlib no-idea no-rc5 no-mdc2 INSTALL_PREFIX=/tmp/install VERSION= -- Corinna Vinschen Cygwin Project Co-Leader Red Hat __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Renegotiation behavior in 0.9.8l
On Wed, Nov 11, 2009, Tomas Hoger wrote: This is unclear, they are banned in 0.9.8-stable, but 1.0.0beta4 seems to allow all, even those without an extension. Sorry about that, the port I did to 1.0.0 was broken and missed out several changes, should be fixed by tomorrows snapshot. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
problem with creating cert with openssl x509
I am trying to create a certificate with specific starting and ending dates. I
searched around and it seems the parameter for -startdate from x509 is
YYMMDDHHMMSSZ but when i tried to put the parameter:
-startdate 091119111506Z i get unknown option 091119111506Z error. The
statement in the script is something like:
openssl x509 -req -sha1 ${DAYSTILLEXPIRE} ${STARTDATE} ..
DAYSTILLEXPIRE is -days 10 and that works fine but it doesnt like the
parameters i put for STARTDATE anyone can help me out? thanks!
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: problem with creating cert with openssl x509
Don't know that it will help, but can commiserate a little...(!)
We recently ran into a similar issue, ours related to notAfter:
In recent testing, we were able to issue a certificate with a notAfter field
without error, but
(this was against a PostgreSQL server, if it helps):
LOG: could not accept SSL connection: no certificate returned
So, in verifying the cert, bingo!
$ openssl verify (etc)
error 14 at 0 depth lookup:format error in certificate's notAfter field
(same test was OK on server, so is this an OpenSSL version issue?)
- Original Message -
From: Al shase...@yahoo.com
To: openssl-dev@openssl.org
Sent: Wednesday, November 11, 2009 10:56:48 AM GMT -05:00 US/Canada Eastern
Subject: problem with creating cert with openssl x509
I am trying to create a certificate with specific starting and ending dates. I
searched around and it seems the parameter for -startdate from x509 is
YYMMDDHHMMSSZ but when i tried to put the parameter:
-startdate 091119111506Z i get unknown option 091119111506Z error. The
statement in the script is something like:
openssl x509 -req -sha1 ${DAYSTILLEXPIRE} ${STARTDATE} ..
DAYSTILLEXPIRE is -days 10 and that works fine but it doesnt like the
parameters i put for STARTDATE anyone can help me out? thanks!
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: Test of disabled renegotiation in 0.9.8l
On Wed, 11 Nov 2009 13:00:09 +0100 Boyle Owen owen.bo...@six-group.com wrote: This stays like this until I kill the session. Is this the intended behaviour? I thought it was supposed to drop the connection? Probably not intended, at least behavior of current 0.9.8-stable CVS is different now. See my mail with quite similar question: http://marc.info/?l=openssl-devm=125792743829558w=2 Not an official answer, but hope it helps a bit. th. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2098] [PATCH] util/cygwin.sh: Build with zlib by default
Hi Steve, On Nov 11 16:21, Stephen Henson via RT wrote: Yes, I can do that. Do you still want the no-mdc2 swictch? The patent has now expired and it is enabled by default in OpenSSL now. Steve. thanks for asking, I missed that. I just did a testrun to verify that mdc2 works fine on Cygwin, so, yes, it would be nice if you could drop the no-mdc2 switch as well. Thank you, Corinna -- Corinna Vinschen Cygwin Project Co-Leader Red Hat __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2097] OpenSSL 1.0.0 beta4 - Microsoft Windows
Stephen Henson via RT schrieb: That's caused by broken IPv6 headers. If possible you should upgrade the platform SDK (which may not be possible on VC6). It is possible with VC6, but you need to take an older PSK from Feb. 2003: http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdk-full.htm this should be latest which works with MSVC6 ... Gün. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: problem with creating cert with openssl x509
is the date format correct then? the x509 doesnt seem to give me the exact
format for datesetting and i used YYMMDDHHMMSSZ. I tried other formats but all
no good. How did you set yours?
--- On Wed, 11/11/09, Lou Picciano loupicci...@comcast.net wrote:
From: Lou Picciano loupicci...@comcast.net
Subject: Re: problem with creating cert with openssl x509
To: openssl-dev@openssl.org
Date: Wednesday, November 11, 2009, 11:13 AM
#yiv965433757 p
{margin:0;}Don't
know that it will help, but can commiserate a
little...(!)
We recently ran into a similar issue, ours related to
notAfter:
In recent testing, we were able to issue a certificate with
a notAfter field without error, but
(this was against a PostgreSQL server, if it helps):
LOG: could not accept SSL connection: no certificate
returned
So, in verifying the cert, bingo!
$ openssl verify (etc)
error 14 at 0 depth lookup:format error in
certificate's notAfter field
(same test was OK on server, so is this an OpenSSL
version issue?)
- Original Message -
From: Al shase...@yahoo.com
To: openssl-dev@openssl.org
Sent: Wednesday, November 11, 2009 10:56:48 AM GMT -05:00
US/Canada Eastern
Subject: problem with creating cert with openssl x509
I am trying to create a certificate with specific starting
and ending dates. I searched around and it seems the
parameter for -startdate from x509 is YYMMDDHHMMSSZ but when
i tried to put the parameter:
-startdate 091119111506Z i get unknown option
091119111506Z error. The statement in the script is
something like:
openssl x509 -req -sha1 ${DAYSTILLEXPIRE} ${STARTDATE}
..
DAYSTILLEXPIRE is -days 10 and that works fine
but it doesnt like the parameters i put for STARTDATE
anyone can help me out? thanks!
__
OpenSSL Project
http://www.openssl.org
Development Mailing List
openssl-dev@openssl.org
Automated List Manager
majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl.org #2097] OpenSSL 1.0.0 beta4 - Microsoft Windows
Steve, Stephen Henson via RT schrieb: That's caused by broken IPv6 headers. If possible you should upgrade the platform SDK (which may not be possible on VC6). The alternative is to forcibly disable IPV6 with: perl Configure VC-WIN32 -DOPENSSL_USE_IPV6=0 on the command line. we see these problems with other projects too, f.e libcurl, and we have added a section about MSVC6 in our INSTALL (see 'MSVC 6 caveats'): http://curl.haxx.se/cvs.cgi/curl/docs/INSTALL?revision=1.113view=markup I'd suggest to add same also to OpenSSL's README.WIN32 ... Gün. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
DTLS ClientHello exchange broken by renegotiation patch in 0.9.8l
Hi all, The patch that disable renegotiation has broken DTLS's ClientHello exchange in 0.9.8l. Server sends an Alert together with HelloVerifyRequest... Thanks, Alex. alexl-lnx2:~/openssl-098l/openssl/apps ./openssl s_server -dtls1 -debug Using default temp DH parameters Using default temp ECDH parameters ACCEPT read from 0x6ca6e0 [0x6cfd10] (18437 bytes = 99 (0x63)) - 16 fe ff 00 00 00 00 00-00 00 00 00 56 01 00 00 V... 0010 - 4a 00 00 00 00 00 00 00-4a fe ff 4a fb 13 fd 30 J...J..J...0 0020 - ba 23 a9 1c 33 79 70 82-63 e1 2f a8 c4 3e 52 49 .#..3yp.c./..RI 0030 - 09 0f 31 ff e6 08 20 96-31 c3 26 00 00 00 22 00 ..1... .1. 0040 - 39 00 38 00 35 00 16 00-13 00 0a 00 33 00 32 00 9.8.5...3.2. 0050 - 2f 00 07 00 15 00 12 00-09 00 14 00 11 00 08 00 /... 0060 - 06 01 .. 0063 - SPACES/NULS write to 0x6ca6e0 [0x6d9f00] (28 bytes = 28 (0x1C)) - 16 fe ff 00 00 00 00 00-00 00 00 00 0f 03 00 00 0010 - 03 00 00 00 00 00 00 00-03 fe ff ... 001c - SPACES/NULS write to 0x6ca6e0 [0x6d9f00] (15 bytes = 15 (0xF)) - 15 fe ff 00 00 00 00 00-00 00 01 00 02 02 28 ..( ERROR 5875:error:1408A044:SSL routines:SSL3_GET_CLIENT_HELLO:internal error:s3_srvr.c: 725: shutting down SSL CONNECTION CLOSED ACCEPT read from 0x6ca6e0 [0x6cfd10] (18437 bytes = 99 (0x63)) - 16 fe ff 00 00 00 00 00-00 00 01 00 56 01 00 00 V... 0010 - 4a 00 01 00 00 00 00 00-4a fe ff 4a fb 13 fd 30 J...J..J...0 0020 - ba 23 a9 1c 33 79 70 82-63 e1 2f a8 c4 3e 52 49 .#..3yp.c./..RI 0030 - 09 0f 31 ff e6 08 20 96-31 c3 26 00 00 00 22 00 ..1... .1. 0040 - 39 00 38 00 35 00 16 00-13 00 0a 00 33 00 32 00 9.8.5...3.2. 0050 - 2f 00 07 00 15 00 12 00-09 00 14 00 11 00 08 00 /... 0060 - 06 01 .. 0063 - SPACES/NULS === alexl-lnx2:~/openssl-098l/openssl/apps ./openssl s_client -dtls1 -debug CONNECTED(0003) write to 0x6ca8a0 [0x6d46e0] (99 bytes = 99 (0x63)) - 16 fe ff 00 00 00 00 00-00 00 00 00 56 01 00 00 V... 0010 - 4a 00 00 00 00 00 00 00-4a fe ff 4a fb 13 fd 30 J...J..J...0 0020 - ba 23 a9 1c 33 79 70 82-63 e1 2f a8 c4 3e 52 49 .#..3yp.c./..RI 0030 - 09 0f 31 ff e6 08 20 96-31 c3 26 00 00 00 22 00 ..1... .1. 0040 - 39 00 38 00 35 00 16 00-13 00 0a 00 33 00 32 00 9.8.5...3.2. 0050 - 2f 00 07 00 15 00 12 00-09 00 14 00 11 00 08 00 /... 0060 - 06 01 .. 0063 - SPACES/NULS read from 0x6ca8a0 [0x6cfed0] (18437 bytes = 28 (0x1C)) - 16 fe ff 00 00 00 00 00-00 00 00 00 0f 03 00 00 0010 - 03 00 00 00 00 00 00 00-03 fe ff ... 001c - SPACES/NULS write to 0x6ca8a0 [0x6da0c0] (99 bytes = 99 (0x63)) - 16 fe ff 00 00 00 00 00-00 00 01 00 56 01 00 00 V... 0010 - 4a 00 01 00 00 00 00 00-4a fe ff 4a fb 13 fd 30 J...J..J...0 0020 - ba 23 a9 1c 33 79 70 82-63 e1 2f a8 c4 3e 52 49 .#..3yp.c./..RI 0030 - 09 0f 31 ff e6 08 20 96-31 c3 26 00 00 00 22 00 ..1... .1. 0040 - 39 00 38 00 35 00 16 00-13 00 0a 00 33 00 32 00 9.8.5...3.2. 0050 - 2f 00 07 00 15 00 12 00-09 00 14 00 11 00 08 00 /... 0060 - 06 01 .. 0063 - SPACES/NULS read from 0x6ca8a0 [0x6cfed0] (18437 bytes = 15 (0xF)) - 15 fe ff 00 00 00 00 00-00 00 01 00 02 02 28 ..( 5876:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:963:SSL alert number 40 5876:error:1410C0E5:SSL routines:DTLS1_WRITE_APP_DATA_BYTES:ssl handshake failure:d1_pkt.c:1153: alexl-lnx2:~/openssl-HOB/openssl-098l/openssl/apps
Re: OpenSSL 1.0.0 beta4 release
From: open...@master.openssl.org (OpenSSL) OpenSSL version 1.0.0 Beta 4 [...] Since the third beta, the following has happened: [...] - Build system fixes including VMS. [...] Not entirely successful. Around here: ALP $ cc /version HP C V7.3-009 on OpenVMS Alpha V8.3 I tried: @ makevms.com ALL NODEBUG DECC TCPIP @ [.test]tests.com ALP $ gdiff -u makevms.com_orig makevms.com --- makevms.com_orig2009-08-25 02:30:02 -0500 +++ makevms.com 2009-11-11 13:21:47 -0600 @@ -349,7 +349,7 @@ $! $! There are many places where this is needed. $! -$ WRITE H_FILE #define _XOPEN_SOURCE_EXTENDED +$!!! WRITE H_FILE #define _XOPEN_SOURCE_EXTENDED $! $! Close the [.CRYPTO.ARCH]OPENSSLCONF.H file $! What, too many things were working correctly? This _seriously_ breaks the build. Why was this added? is needed is not a helpful explanation. --- apps/install.com_orig 2009-05-15 11:37:04 -0500 +++ apps/install.com2009-11-11 14:16:15 -0600 @@ -57,7 +57,7 @@ $ $ SET NOON $ COPY CA.COM WRK_SSLEXE:CA.COM/LOG -$ SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM +$ SET FILE/PROT=W:RE WRK_SSLEXE:CA.COM $ COPY OPENSSL-VMS.CNF WRK_SSLROOT:[00]OPENSSL.CNF/LOG $ SET FILE/PROT=W:R WRK_SSLROOT:[00]OPENSSL.CNF $ SET ON Beside being simpler and perhaps a bit faster, using COPY /PROTECTION instead of separate COPY and SET FILE /PROTECTION commands (as previously suggested) would halve the opportunities for careless errors of this type. --- crypto/crypto-lib.com_orig 2009-08-25 02:22:08 -0500 +++ crypto/crypto-lib.com 2009-11-11 10:48:40 -0600 @@ -193,7 +193,8 @@ $ LIB_SEED = seed,seed_ecb,seed_cbc,seed_cfb,seed_ofb $ LIB_MODES = cbc128,ctr128,cfb128,ofb128 $ LIB_BN_ASM = [.asm]vms.mar,vms-helper -$ IF F$TRNLNM(OPENSSL_NO_ASM) THEN LIB_BN_ASM = bn_asm +$ IF F$TRNLNM(OPENSSL_NO_ASM) .OR. ARCH .NES. VAX THEN - + LIB_BN_ASM = bn_asm $ LIB_BN = bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,+ - bn_print,bn_rand,bn_shift,bn_word,bn_blind,+ - bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,+LIB_BN_ASM+,+ - Even if MACRO32 code were faster on an Alpha, the MACRO32 compiler there won't compile vms.mar. --- crypto/symhacks.h_orig 2009-05-15 11:00:08 -0500 +++ crypto/symhacks.h 2009-11-11 10:56:52 -0600 @@ -138,6 +138,8 @@ #define X509_policy_node_get0_qualifiers X509_pcy_node_get0_qualifiers #undef X509_STORE_CTX_get_explicit_policy #define X509_STORE_CTX_get_explicit_policy X509_STORE_CTX_get_expl_policy +#undef X509_STORE_CTX_get0_current_issuer +#define X509_STORE_CTX_get0_current_issuer X509_STORE_CTX_get0_current_iss /* Hack some long CRYPTO names */ #undef CRYPTO_set_dynlock_destroy_callback Yet another %CC-W-LONGEXTERN complaint. --- util/libeay.num_orig2009-11-04 07:29:58 -0600 +++ util/libeay.num 2009-11-11 14:00:31 -0600 @@ -4168,4 +4168,5 @@ X509_STORE_set_verify_cb4543 EXIST::FUNCTION: X509_STORE_CTX_get0_current_crl 4544 EXIST::FUNCTION: X509_STORE_CTX_get0_parent_ctx 4545 EXIST::FUNCTION: -X509_STORE_CTX_get0_current_issuer 4546 EXIST::FUNCTION: +X509_STORE_CTX_get0_current_issuer 4546 EXIST:!VMS:FUNCTION: +X509_STORE_CTX_get0_current_iss 4546 EXIST:VMS:FUNCTION: See crypto/symhacks.h. test/testenc.com seems to fail. SSLROOT not defined? (If you thought that it worked, what were you testing?) Apparently, test/tests.com exits on error, so no test results after that. Are there any plans to get this stuff to work properly before the actual release? The beta kits so far have not been encouraging. I've given up on seeing several previously suggested changed adopted, but it would be nice if, for example, a simple build simply worked. Steven M. Schweda s...@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
