RE: slow https conenctions
Hi, Thanks for the input guys, however the 15 second pause exists even if i explicitly disable reverse lookups in apache 'Hostnamelookups Off' in httpd.conf and my server is operating on an internal network in a company so although i cant say for sure i doubt there is much IPV6 stuff around. Does anyone how how i would establish if there was a DNS related delay ? some tool that could test DNS and name lookup speeds ? i am a software guy trying to use SVN not a network guy regards Matthew J Fletcher -Original Message- From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] Sent: 26 April 2011 23:05 To: openssl-users@openssl.org Cc: Matthew Fletcher Subject: Re: slow https conenctions Hi, On 04/26/11 3:06 AM, Matthew Fletcher wrote: I've come to this list in search of help with slow https conenctions (via the subversion, apache and finally mod_ssl lits). There is a 15 second ish delay whenever a client connects using https, 15 seconds sounds to *me* like a DNS related timeout. perhaps the server is doing a reverse lookup on the client? ...or is getting a record, trying to connect to that IPv6 addressand failing, then falling back to IPv4 alan ** Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK A company registered in England Reg. No. 4353634 Tel: +44 (0) 24 7630 5050 Fax: +44 (0) 24 7630 2437 Web: www.serck-controls.com Admin: p...@serck-controls.co.uk A subsidiary of Schneider Electric. ** This email and files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the above. Any views or opinions presented are those of the author and do not necessarily represent those of Serck Controls Ltd. This message has been scanned for malware by Mailcontrol. www.Mailcontrol.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: issue with p12 creation and network solutions EV SSL
On Tuesday 26 Apr 2011 19:35:48 Mounir IDRASSI wrote: Hi James, I got the the correct certificate chain from my Windows 7 box. Microsoft tends to update its trusted CA certificates store more quickly and regularly than Mozilla or Linux distros: the latest update was last month on March 23rd 2011. It is sad that even Network Solutions guys are not aware of this update...This issue should not have existed at the first place! Mounir, I don't think Microsoft's March 23rd Auto Root Update is actually relevant here. It didn't change any Root Certificates that NetSol's cert chains use, AFAIK. Your Windows 7 box was able to build the chain because CryptoAPI chases AIA- caIssuers URLs. Firefox doesn't do this. If it did, James wouldn't have noticed any problem in the first place. James, I see that your server is now sending the correct chain. A tip: you don't have to send the self-signed Root Certificate (Subject and Issuer = AddTrust External CA Root). Each client either already trusts it (in which case there's no point sending it) or it doesn't already trust it (in which case there's no point sending it, because sending it won't make it magically become trusted). Good luck, -- Mounir IDRASSI IDRIX http://www.idrix.fr On 4/26/2011 7:07 PM, James Chase wrote: You've got the wrong chain file. I understand that NetSol switched to a new EV Issuing CA a few months ago. Are you definitely using the chain file that they supplied with your latest site cert? I am using the chain file that they suggest downloading which already has the intermediate files concatenated into a file -- but apparently it is wrong. I checked the .crt file that they include with my site certificate and they are the same certs that are in the chain file they have precompiled. I can't believe how much time I have spent on this issue and could the root of the issue be that they are not packaging the right files with my new certificate? wtf Mounir, where did you get those certificates?? The only cert that you used that came with my certificate is the last one, AddTrustExternalCARoot -- the other two are NOT included and are not in NetSol's precompiled chain file. Your chain file works when I test with apache, and I have just created a p12 from those chain files and that works too! Halellujah. But seriously, how did you synthesize that chain file? And how would I be expected to create that on my own?? I spent an hour and a half on the phone with NetSol telling them their was something wrong with their files and they just kept saying it was my fault and they will bill me $120/hour to fix it. On Tue, Apr 26, 2011 at 8:19 AM, James Chase chase1...@gmail.com mailto:chase1...@gmail.com wrote: Well my results are quite different, and I guess point to my p12 not being correctly created. Strangely, the p12 I am running this test on works in production and doesn't produce a warning (I re-created last years certificate as a new p12 using the same process I am trying with this years). I also tried running this on my test apache site, where I am just using the plain old certificate, key and network solutions supplied chain file -- and the openssl s_client command returns better output but I still get a warning! [me@myserver ~]$ openssl s_client -connect www.example.com:443 http://www.example.com:443 CONNECTED(0003) depth=0 /serialNumber=03-11- 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachuset ts/1 .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15 http://2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /serialNumber=03-11- 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachuset ts/1 .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15 http://2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International Ltd verify error:num=27:certificate not trusted verify return:1 depth=0 /serialNumber=03-11- 1975/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Massachuset ts/1 .3.6.1.4.1.311.60.2.1.1=A City/2.5.4.15 http://2.5.4.15=V1.0, Clause 5.(b)/C=US/postalCode=05767/ST=MA/L=A City/streetAddress=One Park St/O=A Company International
Re: Binding outgoing SSL connection to certain IP address
Hi all, I've been looking for a way to bind the openssl s_client command line tool to a certain outgoing IP on a multi-IP host and all I've found was a thread on how to do that using the library: http://marc.info/?l=openssl-usersm=127166957110771w=2 Is there maybe some obscure bind option the likes of netcat -s 192.168.5.1 mx.example.com 25 to accomplish this? What I'm trying to do is check the TLS cert on mx.example.com where this MX only accepts connections from a secondary IP of the host I'm coming from, as I would by saying openssl s_client -showcerts -CApath /etc/postfix/tls/cacerts.d/ -starttls smtp -connect mx.example.com:25 I was hoping for was an option such as openssl s_client -s 192.168.5.1 or openssl s_client -bind 192.168.5.1 but I guess not. Did I miss it? Is it just undocumented? Do I have to build a non-vanilla openssl s_client? Is there a way to connect the vanilla client through another tool? Thanks, Mike
RE: slow https conenctions
Hi, Just to test if my slowness is SSL or DNS/Network related i switched the server in http mode and got the guys to re-connect. Connection times are now sub-second. So my slowness is definatly https / SSL related. I guess that does not 100% rule out DNS/Network stuff, as SSL could be doing extra network lookups. Are there any more SSL diagnostics i can enable to try and pinpoint the problem ? regards Matthew J Fletcher ** Serck Controls Ltd, Rowley Drive, Coventry, CV3 4FH, UK A company registered in England Reg. No. 4353634 Tel: +44 (0) 24 7630 5050 Fax: +44 (0) 24 7630 2437 Web: www.serck-controls.com Admin: p...@serck-controls.co.uk A subsidiary of Schneider Electric. ** This email and files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the above. Any views or opinions presented are those of the author and do not necessarily represent those of Serck Controls Ltd. This message has been scanned for malware by Mailcontrol. www.Mailcontrol.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: slow https conenctions
* Matthew Fletcher, Wednesday, April 27, 2011 12:40 PM I guess that does not 100% rule out DNS/Network stuff, as SSL could be doing extra network lookups. Are there any more SSL diagnostics i can enable to try and pinpoint the problem ? maybe checking with strace -ttt -p ... which operation takes so long? oki, Steffen About Ingenico: Ingenico is a leading provider of payment, transaction and business solutions, with over 15 million terminals deployed in more than 125 countries. Over 3,000 employees worldwide support merchants, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. http://www.ingenico.com/. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. P Please consider the environment before printing this e-mail __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: slow https conenctions
Matthew Fletcher wrote: Hi, Thanks for the input guys, however the 15 second pause exists even if i explicitly disable reverse lookups in apache 'Hostnamelookups Off' in httpd.conf and my server is operating on an internal network in a company so although i cant say for sure i doubt there is much IPV6 stuff around. Does anyone how how i would establish if there was a DNS related delay ? some tool that could test DNS and name lookup speeds ? i am a software guy trying to use SVN not a network guy tcpdump/wireshark/ethereal to watch what packets are sent, where and with what timings. The fact it works with a non-SSL connection means little, as the non-SSL connection won't be trying to do a reverse lookup to see if the certficate name matches the name bound to the IP address __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
New User Problem
Dear OpenSSL Community, I am a new user of OpenSSL and have a pretty simple question. I'm trying to create a self-signed certificate and so far has done the following. Step 1)openssl genrsa -des3 -out server1.key 1024 Step 2)This asked for a password and I made a password asdf Step 3) openssl req -key server1.key -out server1.csr Step 4)At the first prompt, I typed in asdf and pressed enter. Nothing happens. I keep pressing enter and then mash they keyboard until this message appears unable to load X509 request 6416:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem_lib.c:642:Expecting: CERTIFICATE REQUEST Step 5) I retired the above command except with the wrong password asdfg and it looks like I had a bad decrypt error message Can someone tell me if I'm doing anything wrong when creating a simple self-signed certificate so far? I am using Windows Vista as my OS with Win32 OpenSSL v1.0.0d and Visual C++ 2008 Redistributables downloaded from this site: http://www.slproweb.com/products/Win32OpenSSL.html Thank you for any help you can provide. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Compile OpenSSL with minimum modules
Hi, I need to compile OpenSSL only with support for Symmetric encryption - only 3DES support. How I can remove all unneeded stuff? Can you give an advice what to remove and how to remove it? Regards Peter
Re: slow https conenctions
Hi, Thanks for the input guys, however the 15 second pause exists even if i explicitly disable reverse lookups in apache 'Hostnamelookups Off' in httpd.conf and my server is operating on an internal network in a company so although i cant say for sure i doubt there is much IPV6 stuff around. the debug will probably show you this - but I dont think its a server issue per se - its an issue at the client end. check the behaviour and environment of the end client alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Setting x509 Certificate algorithm
I am creating a self signed x509 certificate using code based on the mkcert.c sample code included in the OpenSSL demo sources. I need to set the algorithm to sha256WithRSAEncryption and I cannot figure out how to do this with the APIs. I always end up with sha1WithRSAEncryption. Am I trying to do the impossible here? Thanks, Mike m...@buddytv.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Compile OpenSSL with minimum modules
On 04/27/11 12:39 PM, derleader mail wrote: Hi, I need to compile OpenSSL only with support for Symmetric encryption - only 3DES support. How I can remove all unneeded stuff? Can you give an advice what to remove and how to remove it? I suppose one approach would be to run a test suite that does just what you need (and everything you need) with a debug build of openssl, and run it under a code profiler (such as Intel's VTune), iterate this sufficiently to get adequate code coverage, then seen what big chunks DONT get touched, and add #IF's around them to block them out, rebuild, and iterate until it meets your requirements. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Re: Compile OpenSSL with minimum modules
Hi, I need to compile OpenSSL only with support for Symmetric encryption - only 3DES support. How I can remove all unneeded stuff? Can you give an advice what to remove and how to remove it? I suppose one approach would be to run a test suite that does just what you need (and everything you need) with a debug build of openssl, and run it under a code profiler (such as Intel's VTune), iterate this sufficiently to get adequate code coverage, then seen what big chunks DONT get touched, and add #IF's around them to block them out, rebuild, and iterate until it meets your requirements. Thank you for the reply! Unfortunately I'm working with C from several weels. Can you explain me this in more details how to do this? Regards Peter
Re: slow https conenctions
I suspect client behavior is incorrect. It could have to do with 1.1 HTTP, especially if client is PHP (because of 100 continue problems). There are several other documented delays including a 15 second default keep alive. There is also a cURL problem that can cause this on the client side. http://curl.haxx.se/mail/curlphp-2005-01/0011.html http://php.net/manual/en/function.file-get-contents.php Eric At 03:06 AM 4/26/2011, Matthew Fletcher wrote: Hi, I've come to this list in search of help with slow https conenctions (via the subversion, apache and finally mod_ssl lits). There is a 15 second ish delay whenever a client connects using https, i've tracked this down in the logs to the snippet shown. -- snip -- [Thu Apr 21 11:21:49 2011] [info] Connection: Client IP: 127.0.0.1, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits) [Thu Apr 21 11:22:07 2011] [debug] ssl_engine_io.c(1889): OpenSSL: read 5/5 bytes from BIO#c99cd0 [mem: ca14b0] (BIO dump follows) -- end -- But i really dont know how to get any further. This machine is pretty powerful, quad 3ghz xeon etc. Full log from startup bellow,.. any help / ideas much appreciated. [Thu Apr 21 11:21:16 2011] [info] Init: Initializing (virtual) servers for SSL [Thu Apr 21 11:21:16 2011] [info] Configuring server for SSL protocol [Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(465): Creating new SSL context (protocols: SSLv3, TLSv1) [Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(661): Configuring permitted SSL ciphers [ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM] [Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(420): Configuring TLS extension handling [Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(792): Configuring RSA server certificate [Thu Apr 21 11:21:16 2011] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?) [Thu Apr 21 11:21:16 2011] [debug] ssl_engine_init.c(831): Configuring RSA server private key [Thu Apr 21 11:21:16 2011] [info] mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/0.9.8r [Thu Apr 21 11:21:16 2011] [notice] Child 3268: Child process is running [Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(408): Child 3268: Retrieved our scoreboard from the parent. [Thu Apr 21 11:21:16 2011] [info] Parent: Duplicating socket 276 and sending it to child process 3268 [Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(605): Parent: Sent 1 listeners to child 3268 [Thu Apr 21 11:21:16 2011] [debug] mpm_winnt.c(564): Child 3268: retrieved 1 listeners from parent [Thu Apr 21 11:21:16 2011] [notice] Child 3268: Acquired the start mutex. [Thu Apr 21 11:21:16 2011] [notice] Child 3268: Starting 64 worker threads. [Thu Apr 21 11:21:16 2011] [notice] Child 3268: Listening on port 443. [Thu Apr 21 11:21:49 2011] [info] [client 127.0.0.1] Connection to child 0 established (server pl161.serck-uk.internal:443) [Thu Apr 21 11:21:49 2011] [info] Seeding PRNG with 144 bytes of entropy [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1889): OpenSSL: read 11/11 bytes from BIO#c99cd0 [mem: ca14b0] (BIO dump follows) [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1822): +-+ [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | : 16 03 01 00 df 01 00 00-db 03 01 ... | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1867): +-+ [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1889): OpenSSL: read 217/217 bytes from BIO#c99cd0 [mem: ca14bb] (BIO dump follows) [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1822): +-+ [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | : 4d b0 05 3d 24 b5 92 40-cb c0 c7 84 df 99 b8 2f M..=$..@.../ | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0010: 1c 49 78 19 74 74 b3 0d-3f 89 d3 3d 7a 90 7c 50 .Ix.tt..?..=z.|P | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0020: 00 00 5c c0 14 c0 0a 00-39 00 38 00 88 00 87 c0 ..\\.9.8. | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0030: 0f c0 05 00 35 00 84 c0-12 c0 08 00 16 00 13 c0 5... | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0040: 0d c0 03 00 0a c0 13 c0-09 00 33 00 32 00 9a 00 ..3.2... | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0050: 99 00 45 00 44 c0 0e c0-04 00 2f 00 96 00 41 00 ..E.D./...A. | [Thu Apr 21 11:21:49 2011] [debug] ssl_engine_io.c(1861): | 0060: 07 c0 11 c0 07 c0 0c c0-02 00 05 00 04 00 15 00 | [Thu Apr 21 11:21:49 2011] [debug]
RE: openssl dgst using ecdsa-with-SHA384
Thanks for the response, using -sha384 appears to be working and verifies correctly. Mike -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Sunday, April 24, 2011 4:17 AM To: openssl-users@openssl.org Subject: Re: openssl dgst using ecdsa-with-SHA384 On Wed, Apr 20, 2011, Shelley, Mike wrote: Hi all, I'm having a problem using ecdsa with SHA 384 when creating a message digest. I will admit I'm not too familiar with openssl and digests, but I have code that works using -ecdsa-with-SHA1. I need to change that to use ecdsa-with-SHA384. I looked at the release notes to see that this should be supported with openssl version 1.1.0 and later, but I've tried that version as well as the latest 1.0.0d, and get a unknown option '-ecdsa-with-SHA384' The command I use is: /usr/local/openssl/bin/openssl dgst -ecdsa-with-SHA384 -binary -out signersCertDgst.tmp x509/public.pem This same command works when using -ecdsa-with-SHA1 I've looked at the openssl source and it appears to support the -ecdsa-with-SHA384, but it's not straight forward to trace it through the source code. Has anyone gotten this to work? Am I doing something wrong? I assume -sha384 is different than -ecdsa-with-SHA384. Actually that's how you do it use -sha384 and use an EC key to sign the result. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Setting x509 Certificate algorithm
Hi, Have you tried changing this if (!X509_sign(x,pk,EVP_sha1())) to if (!X509_sign(x,pk,EVP_sha256())) On Thu, Apr 28, 2011 at 4:13 AM, Mike Markley m...@buddytv.com wrote: I am creating a self signed x509 certificate using code based on the mkcert.c sample code included in the OpenSSL demo sources. I need to set the algorithm to sha256WithRSAEncryption and I cannot figure out how to do this with the APIs. I always end up with sha1WithRSAEncryption. Am I trying to do the impossible here? Thanks, Mike m...@buddytv.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Setting x509 Certificate algorithm
That did it! Thank you, I'm neck deep into code that I don't fully understand, I greatly appreciate the help. Mike On Wed, Apr 27, 2011 at 3:54 PM, re est re.est1...@gmail.com wrote: Hi, Have you tried changing this if (!X509_sign(x,pk,EVP_sha1())) to if (!X509_sign(x,pk,EVP_sha256())) On Thu, Apr 28, 2011 at 4:13 AM, Mike Markley m...@buddytv.com wrote: I am creating a self signed x509 certificate using code based on the mkcert.c sample code included in the OpenSSL demo sources. I need to set the algorithm to sha256WithRSAEncryption and I cannot figure out how to do this with the APIs. I always end up with sha1WithRSAEncryption. Am I trying to do the impossible here? Thanks, Mike m...@buddytv.com __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org