Query on SSL client version to SSL server version

2014-11-06 Thread Rajeswari K
Hello Openssl users,

I have a basic query.
Let's say my SSL client is capable of versions SSL3.0 and SSL3.1,
and my SSL server is capable of versions TLS1.0, TLS1.1 and TLS1.2.

Now the SSL client has sent a client hello with version SSL3.0. Since the SSL
server doesn't have this version present, it returns a version mismatch
error.

In this case, what should be the ideal scenario? Does the SSL client need to
resend the client hello with TLS1.0?

Like the server, will the SSL client also have fall-back/up mechanisms in
order to avoid version mismatch errors?

Please clarify.

Thanks,
Rajeswari.


Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread Dr. Stephen Henson
On Wed, Nov 05, 2014, neil carter wrote:

 I just ran the commands again, adding the no-ipv6 to the 'perl
 Configure' line and received the exact same errors.
 

OpenSSL tries to autodetect IPv6 support at compile time. Sometimes due to
broken or incomplete headers it gets this wrong. You can override the default
with -DOPENSSL_USE_IPV6=0 to force it not to use IPv6. You need to pass this
to Configure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Query: Disabling SSLv3

2014-11-06 Thread Richard Könning

On 05.11.2014 17:00,  Viktor Dukhovni wrote:

On Wed, Nov 05, 2014 at 12:18:05PM +, Philip Bellino wrote:


Jeffrey,
May I ask why you included no-ssl2 as an option to config?
Is only adding no-ssl3 not sufficient enough to fully disable SSLv3?


No.  If you leave SSLv2 enabled and disable SSLv3, then in many
cases you always get SSLv2!  SSL/TLS clients advertise a range of
protocols (min, max), not a list.  If the min is SSLv2 and SSLv3
is disabled then the max is also SSLv2, unless explicitly disabled
by the application, or the use of extensions forces SSLv3 or later.


Well, the ClientHello message only allows advertising the highest
protocol version the client speaks; it is expected that the client
also speaks all lower versions. Therefore, when a client isn't able or
doesn't want to speak e.g. SSLv2, it has to wait for the ServerHello and
end the connection when the server selects an unwanted protocol version.

Ciao,
Richard




Re: Query on SSL client version to SSL server version

2014-11-06 Thread Richard Könning

On 06.11.2014 10:02,  Rajeswari K wrote:

Hello Openssl users,

I have a basic query.
Let's say my SSL client is capable of versions SSL3.0 and SSL3.1,
and my SSL server is capable of versions TLS1.0, TLS1.1 and TLS1.2.

Now the SSL client has sent a client hello with version SSL3.0. Since the SSL
server doesn't have this version present, it returns a version mismatch
error.

In this case, what should be the ideal scenario? Does the SSL client need to
resend the client hello with TLS1.0?

Like the server, will the SSL client also have fall-back/up mechanisms
in order to avoid version mismatch errors?

Please clarify.


SSL3.1 is the politically incorrect name for TLS1.0 ;-). With this, your 
example contains a client capable of versions SSLv3 and TLSv1, which 
should advertise TLSv1 right from the beginning; this then leads to the 
server selecting TLSv1 as the highest/only common protocol version, and 
no problem occurs.

Best regards,
Richard



Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread neil carter

That worked!!  Thank you!!

So, next is to remove/disable SSL2 and SSL3 from the build, my original 
intent.


If I simply add the no-ssl2 and no-ssl3 options to the 'perl Configure' 
line, it returns this:


link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ncarter\LOCALS~1\Temp\1\nma04028.
   Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
IF EXIST out32dll\libeay32.dll.manifest mt -nologo -manifest out32dll\libeay32.dll.manifest -outputresource:out32dll\libeay32.dll;2
link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\ssleay32.dll /def:ms/SSLEAY32.def @C:\DOCUME~1\ncarter\LOCALS~1\Temp\1\nmb04028.
LINK : warning LNK4001: no object files specified; libraries used
LINK : warning LNK4068: /MACHINE not specified; defaulting to IX86
LINK : warning LNK4001: no object files specified; libraries used
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_f_ssl
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_new_buffer_ssl_connect
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_new_ssl
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_new_ssl_connect
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_ssl_copy_session_id
SSLEAY32.def : error LNK2001: unresolved external symbol BIO_ssl_shutdown

So, I changed the options to '-DOPENSSL_USE_IPV6=0 -DOPENSSL_NO_SSL2 
-DOPENSSL_NO_SSL3', but now get this:


link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\ssleay32.dll /def:ms/SSLEAY32.def @C:\DOCUME~1\ncarter\LOCALS~1\Temp\1\nmb01440.
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_client_method
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_method
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_server_method
out32dll\ssleay32.lib : fatal error LNK1120: 3 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
NMAKE : fatal error U1077: 'link' : return code '0x475'
Stop.

This is making me start to think there's no decent way to compile 1.0.1j 
on Windows while disabling SSL2 and SSL3.  I did see another post, by an 
Arthur Ramsey on 2014.10.16 which was similar.


Further suggestions?

A huge THANKS! to everyone's assistance thus far!!!




On 11/6/2014 6:49 AM, Dr. Stephen Henson wrote:

On Wed, Nov 05, 2014, neil carter wrote:


I just ran the commands again, adding the no-ipv6 to the 'perl
Configure' line and received the exact same errors.


OpenSSL tries to autodetect IPv6 support at compile time. Sometimes due to
broken or incomplete headers it gets this wrong. You can override the default
with -DOPENSSL_USE_IPV6=0 to force it not to use IPv6. You need to pass this
to Configure.



Re: Query: Disabling SSLv3

2014-11-06 Thread Viktor Dukhovni
On Thu, Nov 06, 2014 at 03:31:10PM +0100, Richard Könning wrote:

 Well, the ClientHello message only allows advertising the highest protocol
 version the client speaks; it is expected that the client also speaks all
 lower versions.

The client uses the lowest supported version at the *record layer*,
and sends the highest at the *handshake layer*.  The server chooses
something in that *range*.

 Therefore, when a client isn't able or doesn't want to speak
 e.g. SSLv2, it has to wait for the ServerHello and to end the connection
 when the server selects an unwanted protocol version.

I believe you're simply wrong about that.

-- 
Viktor.
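The exchange Viktor describes above (which also answers Rajeswari's question in the other thread about whether a client "resends" its hello), as an added example that is not part of any message in this archive and is not OpenSSL's code: a minimal ClientHello encoder/decoder plus the server's version selection. It assumes the convention Viktor states, lowest enabled version in the record header and highest in the handshake body, and uses a placeholder cipher suite and an all-zero random.

```python
"""Added example (not from the thread): the two version fields in a
ClientHello and how the server picks one. A client advertises a RANGE:
the record-layer version is the lowest version it will speak, the
handshake-layer client_version the highest. The server answers with one
version in that range or sends a fatal protocol_version alert; the
protocol has no "resend the hello with another version" step."""
import struct

SSL3_0, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3_0: "SSLv3", TLS1_0: "TLSv1.0", TLS1_1: "TLSv1.1", TLS1_2: "TLSv1.2"}
HANDSHAKE, CLIENT_HELLO = 22, 1          # record content type, handshake type
PROTOCOL_VERSION = 70                    # alert description "protocol_version"


def build_client_hello(client_versions, client_random=bytes(32)):
    """Encode a minimal ClientHello the way the thread describes an OpenSSL
    client doing it: lowest enabled version in the record header, highest in
    the body. Cipher suite and compression fields are placeholders."""
    lowest, highest = min(client_versions), max(client_versions)
    body = (bytes(highest) + client_random
            + b"\x00"                  # session_id: empty
            + b"\x00\x02\x00\x2f"      # cipher_suites: one entry, 0x002f
            + b"\x01\x00")             # compression_methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + bytes(lowest)
            + struct.pack(">H", len(handshake)) + handshake)


def parse_client_hello(record):
    """Return (record_version, client_version) after basic length checks."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    (length,) = struct.unpack(">H", record[3:5])
    hs = record[5:5 + length]
    if len(hs) != length or length < 6 or hs[0] != CLIENT_HELLO:
        raise ValueError("malformed ClientHello")
    if int.from_bytes(hs[1:4], "big") != length - 4:
        raise ValueError("handshake length does not match record length")
    return (record[1], record[2]), (hs[4], hs[5])


def server_select(record, server_versions):
    """Server side: the highest version it supports inside the client's range.
    Outside the range there is nothing to negotiate, so it sends a fatal alert."""
    lowest, highest = parse_client_hello(record)
    usable = [v for v in server_versions if lowest <= v <= highest]
    if not usable:
        return ("alert", PROTOCOL_VERSION)
    return ("server_hello", max(usable))


def client_accept(reply, client_versions):
    """Client side: a ServerHello is only accepted if it names an enabled
    version; a client that does not want the version the server picked has
    to close the connection itself (Richard's point in this thread)."""
    if reply[0] == "alert":
        return "alert: protocol_version"
    return NAMES[reply[1]] if reply[1] in client_versions else "abort: unwanted version"


def negotiate(client_versions, server_versions):
    """Run one ClientHello/ServerHello exchange; returns the protocol name
    or the failure Rajeswari asked about."""
    hello = build_client_hello(client_versions)
    return client_accept(server_select(hello, server_versions), client_versions)


if __name__ == "__main__":
    # Rajeswari's case: SSL3.1 is TLS1.0, so the client advertises (3,0)..(3,1)
    print(negotiate({SSL3_0, TLS1_0}, {TLS1_0, TLS1_1, TLS1_2}))   # TLSv1.0
    # An SSLv3-only client against a TLS-only server: fatal alert, no retry
    print(negotiate({SSL3_0}, {TLS1_0, TLS1_1, TLS1_2}))           # alert: protocol_version
```

Running it shows why there is no fall-back step to ask about: an SSLv3-only client against a TLS-only server gets a fatal protocol_version alert, and any second connection attempt with a different hello is a policy of the client application, not of SSL/TLS. The SSLv2-compatible ClientHello that Viktor's "you always get SSLv2" remark concerns is a different wire format and is not modelled here.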


Re: Query: Disabling SSLv3

2014-11-06 Thread Richard Könning

On 06.11.2014 16:35,  Viktor Dukhovni wrote:

On Thu, Nov 06, 2014 at 03:31:10PM +0100, Richard Könning wrote:


Well, the ClientHello message only allows advertising the highest protocol
version the client speaks; it is expected that the client also speaks all
lower versions.


The client uses the lowest supported version at the *record layer*,
and sends the highest at the *handshake layer*.  The server chooses
something in that *range*.


Therefore, when a client isn't able or doesn't want to speak
e.g. SSLv2, it has to wait for the ServerHello and to end the connection
when the server selects an unwanted protocol version.


I believe you're simply wrong about that.


Having now read Appendix E of RFC 2246, I now know you are right :-).
Ciao,
Richard



S/MIME mime type application/octet-stream

2014-11-06 Thread Jan Hejl

Hello,

I found that the file command detects an S/MIME attachment (smime.p7s) 
within a signed email as application/octet-stream instead of 
application/pkcs7. The author of the file tool says that it's impossible to 
detect application/pkcs7. Does anybody know why?


Thank you
Jan



smime.p7s
Description: S/MIME electronic signature


Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread Dr. Stephen Henson
On Thu, Nov 06, 2014, neil carter wrote:

 That worked!!  Thank you!!
 
 So, next is to remove/disable SSL2 and SSL3 from the build, my
 original intent.
 
 If I simply add the no-ssl2 and no-ssl3 options to the 'perl
 Configure' line, it returns this:
 

There are a few problems with that in released versions. I'd suggest you try a
recent 1.0.1 snapshot.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] S/MIME mime type application/octet-stream

2014-11-06 Thread Erwann Abalea

This is my first attempt ever at magic(5) voodoo:

0	byte	0x30
>0x01	byte	0x80
>>0x02	string	\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02	Indefinite length pkcs7-signedData
!:mime	application/pkcs7
>>0x02	string	\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03	Indefinite length pkcs7-envelopedData
!:mime	application/pkcs7
>0x03	search/10	\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02	Definite length pkcs7-signedData
!:mime	application/pkcs7
>0x03	search/10	\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03	Definite length pkcs7-envelopedData
!:mime	application/pkcs7

I'm pretty sure it's ugly, suboptimal, and whatever. It WORKSFORME, on 
an indefinite length signature as well as the corresponding definite one 
recreated by OpenSSL.

I haven't contemplated the idea of parsing ASN.1/BER in magic(5) parlance.

--
Erwann ABALEA

Le 06/11/2014 17:24, Jan Hejl a écrit :

Hello,

I found that the file command detects an S/MIME attachment (smime.p7s) 
within a signed email as application/octet-stream instead of 
application/pkcs7. The author of the file tool says that it's impossible 
to detect application/pkcs7. Does anybody know why?


Thank you
Jan



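What Erwann's magic(5) rules approximate, and what he says he has not attempted (parsing the ASN.1/BER outer layers), as an added example that is not from the list and not from the file or OpenSSL projects: a small decoder that reads the ContentInfo SEQUENCE, whether it uses a short, long-form or indefinite length, and then its contentType OID. The test vectors are constructed, not real signatures, and the media types it reports are the RFC 5751 registrations (application/pkcs7-signature, application/pkcs7-mime) rather than the bare application/pkcs7 named above.

```python
"""Added example (not from the thread): recognise a PKCS#7/CMS object such
as smime.p7s by decoding its outer BER tag/length/value layers instead of
pattern-matching fixed offsets. ContentInfo is SEQUENCE { contentType OID,
[0] content }; the SEQUENCE may carry a definite length (short or long
form) or the indefinite form (0x80), which is why the OID's offset varies
and fixed-offset magic rules get awkward."""

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3
CONTENT_TYPES = {OID_SIGNED_DATA: "pkcs7-signedData",
                 OID_ENVELOPED_DATA: "pkcs7-envelopedData"}
# IANA-registered S/MIME media types (RFC 5751), not the bare "application/pkcs7"
MIME_TYPES = {"pkcs7-signedData": "application/pkcs7-signature",
              "pkcs7-envelopedData": "application/pkcs7-mime"}


def read_tlv(buf, pos):
    """Decode one BER tag and length at buf[pos]. Returns (tag, length,
    offset of the value); length is None for the indefinite form."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers are not used in this layer")
    pos += 2
    if first == 0x80:                 # indefinite: value is terminated by 00 00
        return tag, None, pos
    if first < 0x80:                  # short form: length fits in one octet
        return tag, first, pos
    n = first & 0x7F                  # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad length encoding")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def pkcs7_content_type(buf):
    """Name of the ContentInfo contentType, or None if buf is not PKCS#7."""
    try:
        tag, length, pos = read_tlv(buf, 0)
        if tag != 0x30:                                   # outer SEQUENCE
            return None
        if length is not None and pos + length > len(buf):
            return None                                   # claims more than present
        tag, length, pos = read_tlv(buf, pos)
        if tag != 0x06 or length is None:                 # contentType OID
            return None
        oid = buf[pos:pos + length]
        return CONTENT_TYPES.get(oid) if len(oid) == length else None
    except ValueError:
        return None


def mime_type(buf):
    """Media type to report, falling back to what file(1) reported in the thread."""
    return MIME_TYPES.get(pkcs7_content_type(buf), "application/octet-stream")


# Constructed test vectors (not real signatures): only the outer layers matter.
INNER_SIG = b"\x06\x09" + OID_SIGNED_DATA + b"\xa0\x80" + b"\x00\x00"   # [0] indefinite
SAMPLE_INDEFINITE = b"\x30\x80" + INNER_SIG + b"\x00\x00"               # SEQUENCE indefinite
INNER_ENV = b"\x06\x09" + OID_ENVELOPED_DATA + b"\xa0\x02\x30\x00"      # [0] { SEQUENCE {} }
SAMPLE_DEFINITE = b"\x30\x82\x00\x0f" + INNER_ENV                       # long form, 2 length octets
NOT_PKCS7 = b"\x30\x03\x02\x01\x05"                                     # SEQUENCE { INTEGER 5 }

if __name__ == "__main__":
    for name, data in [("indefinite", SAMPLE_INDEFINITE),
                       ("definite", SAMPLE_DEFINITE), ("other", NOT_PKCS7)]:
        print(name, pkcs7_content_type(data), mime_type(data))
```

The long-form branch is the reason Erwann's definite-length rule has to use search/10 from offset 3: a 0x81, 0x82 or 0x83 length octet pushes the OID to offset 4, 5 or 6. Decoding the length instead of guessing at it also lets the check reject an object whose declared length exceeds the file.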


Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread neil carter
Ok, so I downloaded and attempted the same build process on the 
openssl-1.0.1-stable-SNAP-20141106.tar.gz and get the exact same errors.


The process:
1. perl Configure VC-WIN32 --prefix=c:\openssl -DOPENSSL_USE_IPV6=0 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3
2. ms\do_nasm.bat
3. nmake -f ms\ntdll.mak

Items (1) and (2) run clean.  Item (3) returns the following, eventually:

link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\ssleay32.dll /def:ms/SSLEAY32.def @C:\DOCUME~1\ncarter\LOCALS~1\Temp\1\nmb01812.
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_client_method
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_method
SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_server_method
out32dll\ssleay32.lib : fatal error LNK1120: 3 unresolved externals
LINK : fatal error LNK1141: failure during build of exports file
NMAKE : fatal error U1077: 'link' : return code '0x475'
Stop.

I can provide the entire run and its output if anyone wants to see it.

Thanks!!


On 11/6/2014 10:34 AM, Dr. Stephen Henson wrote:

On Thu, Nov 06, 2014, neil carter wrote:


That worked!!  Thank you!!

So, next is to remove/disable SSL2 and SSL3 from the build, my
original intent.

If I simply add the no-ssl2 and no-ssl3 options to the 'perl
Configure' line, it returns this:


There are a few problems with that in released versions. I'd suggest you try a
recent 1.0.1 snapshot.



Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread Dr. Stephen Henson
On Thu, Nov 06, 2014, neil carter wrote:

 Ok, so I downloaded and attempted the same build process on the
 openssl-1.0.1-stable-SNAP-20141106.tar.gz and get the exact same
 errors.
 

For that you should use no-ssl2 no-ssl3. Some of the build scripts need to
pick up those options.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
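A check for the failure shown in this thread, as an added example that is not from the list and not part of OpenSSL: it reads the generated Makefile and the ms\ssleay32.def export list from a 1.0.1 Windows build tree and reports when SSLv2/SSLv3 were requested with -D defines instead of the Configure options, or when the .def still exports methods the options removed. The working sequence from the thread is Configure with `no-ssl2 no-ssl3 -DOPENSSL_USE_IPV6=0`, then ms\do_nasm, then nmake; the script assumes (consistent with Steve's explanation, but not confirmed on this page) that util\mkdef.pl takes those options from the Makefile's OPTIONS= line, and the file formats and the SSLv2_ prefix mapping below are simplifications for the example.

```python
"""Added example (not from the thread): audit an OpenSSL 1.0.x Windows build
tree for the mismatch behind the LNK2001 errors shown above. The linker
reads the export list ms\\ssleay32.def; if the objects were compiled with
OPENSSL_NO_SSL2 but the .def still lists SSLv2_* methods, linking fails
exactly as in the thread. Assumption: mkdef.pl derives its no-ssl2/no-ssl3
from the OPTIONS= line of the generated Makefile, which is why a bare
-DOPENSSL_NO_SSL2 passed to Configure is not enough."""
import re

DEFINE_TO_OPTION = {"OPENSSL_NO_SSL2": "no-ssl2", "OPENSSL_NO_SSL3": "no-ssl3"}
# Exports an option removes; only SSLv2 is listed because that is what the
# thread's linker output demonstrates (assumption for this example).
OPTION_SYMBOL_PREFIXES = {"no-ssl2": ("SSLv2_",)}


def configure_options(makefile_text):
    """Options recorded on the Makefile's OPTIONS= line, as a set."""
    m = re.search(r"^OPTIONS=(.*)$", makefile_text, re.M)
    return set(m.group(1).split()) if m else set()


def defines_used_instead_of_options(makefile_text):
    """Protocol -D defines found in the Makefile whose Configure option is
    missing from OPTIONS: Configure never saw 'no-sslN', so the export list
    still contains the methods. Returns the options that should be used."""
    opts = configure_options(makefile_text)
    return [opt for define, opt in DEFINE_TO_OPTION.items()
            if re.search(r"-D" + define + r"(?![A-Za-z0-9_])", makefile_text)
            and opt not in opts]


def def_exports(def_text):
    """Symbol names listed under EXPORTS in a .def file (ordinals ignored)."""
    names, in_exports = [], False
    for raw in def_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a .def comment
        if not line:
            continue
        if line.upper() == "EXPORTS":
            in_exports = True
        elif in_exports:
            names.append(line.split()[0])
    return names


def stale_exports(makefile_text, def_text):
    """Exports that contradict OPTIONS, e.g. a .def generated before
    re-running Configure and ms\\do_nasm with no-ssl2."""
    prefixes = tuple(p for opt in configure_options(makefile_text)
                     for p in OPTION_SYMBOL_PREFIXES.get(opt, ()))
    return [s for s in def_exports(def_text) if prefixes and s.startswith(prefixes)]


def unresolved_symbols(link_log):
    """Symbol names from LNK2001 lines, to compare with the findings above."""
    return re.findall(r"LNK2001: unresolved external symbol (\S+)", link_log)


# Constructed inputs modelled on the thread (file formats are assumptions).
MAKEFILE_WITH_DEFINES = (
    "PLATFORM=VC-WIN32\n"
    "OPTIONS=no-gmp no-krb5 no-md2 no-rc5 no-shared static-engine\n"
    "CFLAG= /MD /W3 /WX /Ox -DOPENSSL_USE_IPV6=0 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3\n")
MAKEFILE_WITH_OPTIONS = (
    "PLATFORM=VC-WIN32\n"
    "OPTIONS=no-gmp no-krb5 no-md2 no-rc5 no-shared no-ssl2 no-ssl3 static-engine\n"
    "CFLAG= /MD /W3 /WX /Ox -DOPENSSL_USE_IPV6=0 -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3\n")
STALE_DEF = (
    "LIBRARY         SSLEAY32\n\nEXPORTS\n"
    "    BIO_f_ssl                  @1\n"
    "    SSLv2_client_method        @2\n"
    "    SSLv2_method               @3\n"
    "    SSLv2_server_method        @4\n"
    "    SSL_CTX_new                @5\n")
LINK_LOG = (
    "SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_client_method\n"
    "SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_method\n"
    "SSLEAY32.def : error LNK2001: unresolved external symbol SSLv2_server_method\n")

if __name__ == "__main__":
    print(defines_used_instead_of_options(MAKEFILE_WITH_DEFINES))  # ['no-ssl2', 'no-ssl3']
    print(stale_exports(MAKEFILE_WITH_OPTIONS, STALE_DEF))
    print(unresolved_symbols(LINK_LOG))
```

Point it at a real tree by reading Makefile and ms\ssleay32.def into the two text arguments; the symbols it flags should be the same three the linker complains about, which is the quick way to confirm the export list, not the compiler flags, is what went wrong.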


Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread neil carter
Worked!!  Odd, I thought I'd tried it that way previously, but I'm not 
picky.



Thanks, very much!!

Neil

On 11/6/2014 12:07 PM, Dr. Stephen Henson wrote:

On Thu, Nov 06, 2014, neil carter wrote:


Ok, so I downloaded and attempted the same build process on the
openssl-1.0.1-stable-SNAP-20141106.tar.gz and get the exact same
errors.


For that you should use no-ssl2 no-ssl3. Some of the build scripts need to
pick up those options.



Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

2014-11-06 Thread Jakob Bohm

On 05/11/2014 20:55, neil carter wrote:

Okay, so what magic script is this?  Is it available in MS VS 6.0?
Sorry, not a developer so part of what everyone is saying is beyond me.

I ran the VCVARS32.bat script.  Previously that's all I've had to do to
prepare the environment for installing OpenSSL.



That would be a script included with the relevant old platform
SDK (usually named SetEnv.Bat), or a set of options set in the
registry when installing that SDK.


Again, this all worked with 1.0.1g and that also included IPv6 support,
didn't it?  I'm trying to understand this.

Thanks!


On 11/5/2014 1:23 PM, Jakob Bohm wrote:

Maybe you forgot to run the batch file that sets the
INCLUDE and LIB environment variables to prepend later
VC 6.0 compatible SDK headers before, such as those in
the July 2002 Platform SDK.

The copyright message quoted by Walter H. is just that,
a copyright message acknowledging that some of the
lines in that file were obtained from an old BSD.
That acknowledgement is still present in the June 2014
version of winsock2.h. Just like the SSLeay copyright
message in most OpenSSL files refers to that original
SSL2/3 library by EAY and TJH.

On 05/11/2014 19:53, neil carter wrote:

So then why was 1.0.1g able to compile without these errors?



On 11/5/2014 12:48 PM, Walter H. wrote:

On 05.11.2014 19:27, neil carter wrote:

Sorry, typo - s/b 'VCVARS32.bat'

So are you implying that MS Visual Studio 6.0 might be the issue in
that it might not have built-in code with IPv6 headers?

yes, definitely

WINSOCK2.H contains this:

/*
 * Constants and structures defined by the internet system,
 * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
 */

by the way: Visual C++ is from 1998, also an old, ancient compiler;
we have 2014 ;-)








Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded