Re: [openssl-users] Delete a post to openssl-user mailing list
What is the security risk? Management ? :) There could be a perceived problem that the world now knows that company X has problems with OpenSSL, and a competitor could even try to make mischievous use of this information - it happened to me once (with another technology). Death of developer mailing lists predicted; film at 11. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] NULL EVP_PKEY
On Tue, Apr 21, 2015, Vollaro, John wrote: It does not work using the openssl command-line tool. I suspect that the .pem file I have only has the public key. It would help if you indicated what error you got from the openssl utility. If the file only contains a public key it should exit immediately if it has a private key and is encrypted it will prompt you for a passphrase. Other problems (e.g. corrupted key) may result in ASN.1 parsing errors. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delete a post to openssl-user mailing list
What is the security risk? Management ? :) -- View this message in context: http://openssl.6102.n7.nabble.com/openssl-users-Delete-a-post-to-openssl-user-mailing-list-tp57653p57670.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
Am cross compiling the FIPS enabled version for Android; In Android, some apps are having trouble loading their bundled libcrypto library when the binary is named as *.so.1.0.0 instead of libcrypto.so as platform library. - Original Message - From: Viktor Dukhovni openssl-us...@dukhovni.org To: openssl-users@openssl.org Cc: Sent: Tuesday, April 21, 2015 11:47 PM Subject: Re: [openssl-users] Building libcrypto/libssl without symbolic link On Wed, Apr 22, 2015 at 12:12:45AM +, Shanku Roy wrote: lrw-r--r-- root root 2015-04-10 02:33 libcrypto.so - libcrypto.so.1.0.0 -rw-r--r-- root root 1988088 2015-04-10 02:27 libcrypto.so.1.0.0 Is there any configure option in OpenSSL build scripts to not generate the symbolic links and rather generate actual binary as libcrypto.so/libssl.so from the build process like following: The library soname is part of the ABI. What platform are you building for where it would not be appropriate to encode the ABI compatibility name into the library name? -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delete a post to openssl-user mailing list
Bonjour, The password pwd1234 is obviously a test one, as is the file path c:/work/mypemfile.pem. Knowing that you're using OpenSSL 1.0.2a shouldn't be a problem either. What is the security risk? -- Erwann ABALEA Le 22/04/2015 15:55, Vollaro, John a écrit : Can a message be removed by the system administrator of the openssl-user email forum? My original post about NULL EVP_PKEY was flag by my company as a security risk. The data in the post was fake. I have been directed to remove the post if possible. -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Tuesday, April 21, 2015 8:13 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] Delete a post to openssl-user mailing list On Tue, Apr 21, 2015 at 09:21:47PM +, Vollaro, John wrote: Is it possible to remove a message I posted to the openssl-user email forum? No. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delete a post to openssl-user mailing list
Can a message be removed by the system administrator of the openssl-user email forum? There are several places that archive openssl mailing lists. My original post about NULL EVP_PKEY was flag by my company as a security risk. That seems erroneous to me. I have been directed to remove the post if possible. Not really possible. You can try to track down all the archive sites (some are listed on www.openssl.org, but probably not all). ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
Are you packaging libcrypto.so into the APK yourself? The Android OS comes with it's own resident copy of libcrypto. You can leverage this from your app without having to package libcrypto into your application. This assumes the version of libcrypto that comes with Android meets your needs. Given the various flavors of Android out in the wild, this may limit what your application can do with libcrypto. If you're packaging libcrypto into your APK, one problem I've seen in Android is the System.LoadLibrary() call will use the host resident copy of libcrypto instead of the one packaged in the APK. One way to get around this is to hack the linker step in the OpenSSL makefile to rename libcrypto to something different. You'll need to make sure the -soname option on the linker step is consistent with whatever you name the library. For instance, you can name it libcryptoX.so, and pass in this same name to the -soname option. Confirm that it works using objdump to view the ELF header. The soname will be in the ELF header. Then package libcryptoX.so into your APK and use this name with the System.LoadLibrary() call. On 04/22/2015 09:41 AM, Shanku Roy wrote: Am cross compiling the FIPS enabled version for Android; In Android, some apps are having trouble loading their bundled libcrypto library when the binary is named as *.so.1.0.0 instead of libcrypto.so as platform library. - Original Message - From: Viktor Dukhovni openssl-us...@dukhovni.org To: openssl-users@openssl.org Cc: Sent: Tuesday, April 21, 2015 11:47 PM Subject: Re: [openssl-users] Building libcrypto/libssl without symbolic link On Wed, Apr 22, 2015 at 12:12:45AM +, Shanku Roy wrote: lrw-r--r-- root root 2015-04-10 02:33 libcrypto.so - libcrypto.so.1.0.0 -rw-r--r-- root root 1988088 2015-04-10 02:27 libcrypto.so.1.0.0 Is there any configure option in OpenSSL build scripts to not generate the symbolic links and rather generate actual binary as libcrypto.so/libssl.so from the build process like following: The library soname is part of the ABI. What platform are you building for where it would not be appropriate to encode the ABI compatibility name into the library name? ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delete a post to openssl-user mailing list
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Vollaro, John Sent: Wednesday, April 22, 2015 09:56 To: openssl-users@openssl.org Subject: Re: [openssl-users] Delete a post to openssl-user mailing list Can a message be removed by the system administrator of the openssl-user email forum? No. It's a mailing list. When your message was accepted by the list server, the server sent copies of it to every subscriber. That means (nearly) every subscriber had a copy at some point; most probably still have one or more, in a deleted items mail folder, in backups, etc. Some of those subscribers are actually robots - often gateways and archives like Gmane, which forwarded your message on and/or saved a copy in some repository that can be queried later. So, for example, your original message is also available from the Gmane web interface: http://article.gmane.org/gmane.comp.encryption.openssl.user/54716 And that means it's been indexed and cached by Google and other web spiders. You'll never track down all the copies. Even if you did, you'll never get everyone who has one to delete it. I'm afraid that cat is not only out of the bag, but no longer visible from the bag with the naked eye and receeding at high speed. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
(Top posting because some other posters did so). Please note the following problems with the so naming defaults in version 1.0.2a: 1. On Android, developers are (or were until recently) officially told *not* to rely on the system copy of OpenSSL, since it is not part of the official API. Thus packaging your own copy or relying on the botched version of Java JCE implemented on top of the system OpenSSL are the only officially supported options. 2. On many systems that install OpenSSL 1.0.1 (any patch level) as libcrypto.so.1.0.0, installing OpenSSL 1.0.2a as libcrypto.so.1.0.0 will instantly break system software linked against the 1.0.1 under the same ABI name. So much for binary compatibility. Thus for Android, you would want to link it as libcom_yourdomain_yourapp_crypto.so (file name must match lib*.so for theapk to unpack correctly), or as a static PIC library, making the system think it has nothing to do with any well-known or other app's copy of OpenSSL. Be sure to release new versions of your app whenever an OpenSSL security update affects something you actually use from the library. For parallel installation of OpenSSL 1.0.2a and the OS supplied OpenSSL 1.0.1 (with patches equivalent to the latest release), modify SHLIB_VERSION_NUMBER from 1.0.0 to 1.0.2 in the folliwing files from the tarball: crypto/opensslv.h Makefile Makefile.bak I have pasted the patch I use at the end of this mail (nothing cryptographic, soI think I can post that without extra red tape). On 22/04/2015 16:26, John Foley wrote: Are you packaging libcrypto.so into the APK yourself? The Android OS comes with it's own resident copy of libcrypto. You can leverage this from your app without having to package libcrypto into your application. This assumes the version of libcrypto that comes with Android meets your needs. Given the various flavors of Android out in the wild, this may limit what your application can do with libcrypto. If you're packaging libcrypto into your APK, one problem I've seen in Android is the System.LoadLibrary() call will use the host resident copy of libcrypto instead of the one packaged in the APK. One way to get around this is to hack the linker step in the OpenSSL makefile to rename libcrypto to something different. You'll need to make sure the -soname option on the linker step is consistent with whatever you name the library. For instance, you can name it libcryptoX.so, and pass in this same name to the -soname option. Confirm that it works using objdump to view the ELF header. The soname will be in the ELF header. Then package libcryptoX.so into your APK and use this name with the System.LoadLibrary() call. On 04/22/2015 09:41 AM, Shanku Roy wrote: Am cross compiling the FIPS enabled version for Android; In Android, some apps are having trouble loading their bundled libcrypto library when the binary is named as *.so.1.0.0 instead of libcrypto.so as platform library. - Original Message - From: Viktor Dukhovni openssl-us...@dukhovni.org To: openssl-users@openssl.org Cc: Sent: Tuesday, April 21, 2015 11:47 PM Subject: Re: [openssl-users] Building libcrypto/libssl without symbolic link On Wed, Apr 22, 2015 at 12:12:45AM +, Shanku Roy wrote: lrw-r--r-- root root 2015-04-10 02:33 libcrypto.so - libcrypto.so.1.0.0 -rw-r--r-- root root 1988088 2015-04-10 02:27 libcrypto.so.1.0.0 Is there any configure option in OpenSSL build scripts to not generate the symbolic links and rather generate actual binary as libcrypto.so/libssl.so from the build process like following: The library soname is part of the ABI. What platform are you building for where it would not be appropriate to encode the ABI compatibility name into the library name? (Beware of long lines in this patch) === Cut here === diff -Naur openssl-1.0.2a.orig/crypto/opensslv.h openssl-1.0.2a/crypto/opensslv.h --- openssl-1.0.2a.orig/crypto/opensslv.h2015-03-19 14:31:16.0 +0100 +++ openssl-1.0.2a/crypto/opensslv.h2015-03-22 23:10:15.0 +0100 @@ -88,7 +88,7 @@ * should only keep the versions that are binary compatible with the current. */ # define SHLIB_VERSION_HISTORY -# define SHLIB_VERSION_NUMBER 1.0.0 +# define SHLIB_VERSION_NUMBER 1.0.2 #ifdef __cplusplus diff -Naur openssl-1.0.2a.orig/Makefile openssl-1.0.2a/Makefile --- openssl-1.0.2a.orig/Makefile2015-03-19 14:31:16.0 +0100 +++ openssl-1.0.2a/Makefile2015-03-22 23:06:50.0 +0100 @@ -7,10 +7,10 @@ VERSION=1.0.2a MAJOR=1 MINOR=0.2 -SHLIB_VERSION_NUMBER=1.0.0 +SHLIB_VERSION_NUMBER=1.0.2 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=1 -SHLIB_MINOR=0.0 +SHLIB_MINOR=0.2 SHLIB_EXT= PLATFORM=dist OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-store no-unit-test no-zlib no-zlib-dynamic static-engine diff -Naur openssl-1.0.2a.orig/Makefile.bak
Re: [openssl-users] Delete a post to openssl-user mailing list
It can be indeed easy to find out about companies in Hartford, CT but, I still do not see any threat to any existing product. 'Having problems with OpenSSL' is not good enough. In any case, when concerned, do like many people and use a pseudo from another mailing system. Employees will not gain promotion points anyways by having their real names in mailing lists. -- View this message in context: http://openssl.6102.n7.nabble.com/openssl-users-Delete-a-post-to-openssl-user-mailing-list-tp57653p57673.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
On Wed, Apr 22, 2015 at 09:04:04PM +0200, Jakob Bohm wrote: For parallel installation of OpenSSL 1.0.2a and the OS supplied OpenSSL 1.0.1 (with patches equivalent to the latest release), modify SHLIB_VERSION_NUMBER from 1.0.0 to 1.0.2 in the folliwing files from the tarball: The ABI version really is 1.0.0. Symbol versioning is the right way to distinguish between 1.0.[012]. The Debian OpenSSL build does symbol versioning to avoid conflicts between multiple libraries that support the 1.0.0 ABI. Yes, the ABI compatibility is only backwards compatibility, so applications that link to a newer version of the library at compile time, need to use the same or newer library at run-time. Applications using a non-system library need to record a suitable RPATH (often using $ORIGIN is a good bet if the application ships a copy of the library). Ideally applications would use the system supplied library, otherwise patching becomes rather difficult... -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
On Wed, Apr 22, 2015, at 12:49 PM, Viktor Dukhovni wrote: Applications using a non-system library need to record a suitable RPATH (often using $ORIGIN is a good bet if the application ships a copy of the library). Ideally applications would use the system supplied library, otherwise patching becomes rather difficult... Along similar lines, it would be useful to get RPATH'ing *in* openssl straigthened out openssl 1.0.2 shared build's linking is not consistent - bin and libs linked to different libcrypto.so's https://marc.info/?l=openssl-usersm=142858615805070w=2 ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to find patches for a particular OpenSSL version?
I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball. There are no patch files. Letter releases, 1.0.1f, 1.0.1g, etc., are only bugfixes. You could read through the commit log, find which changes fixed bugs that you care about, get those commits, and apply them by hand. Ugh. That's going to take a very long time. You should reconsider your assumption. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Delete a post to openssl-user mailing list
Can a message be removed by the system administrator of the openssl-user email forum? My original post about NULL EVP_PKEY was flag by my company as a security risk. The data in the post was fake. I have been directed to remove the post if possible. -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Tuesday, April 21, 2015 8:13 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] Delete a post to openssl-user mailing list On Tue, Apr 21, 2015 at 09:21:47PM +, Vollaro, John wrote: Is it possible to remove a message I posted to the openssl-user email forum? No. -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
On 22/04/2015 21:49, Viktor Dukhovni wrote: On Wed, Apr 22, 2015 at 09:04:04PM +0200, Jakob Bohm wrote: For parallel installation of OpenSSL 1.0.2a and the OS supplied OpenSSL 1.0.1 (with patches equivalent to the latest release), modify SHLIB_VERSION_NUMBER from 1.0.0 to 1.0.2 in the folliwing files from the tarball: The ABI version really is 1.0.0. Symbol versioning is the right way to distinguish between 1.0.[012]. The Debian OpenSSL build does symbol versioning to avoid conflicts between multiple libraries that support the 1.0.0 ABI. Yes, the ABI compatibility is only backwards compatibility, so applications that link to a newer version of the library at compile time, need to use the same or newer library at run-time. Applications using a non-system library need to record a suitable RPATH (often using $ORIGIN is a good bet if the application ships a copy of the library). Ideally applications would use the system supplied library, otherwise patching becomes rather difficult... My observations were actually made on Debian. And I seem to recall itwas the system daemons that failed, not my newly recompiled daemons,though I may of cause be mistaken. As for symbol versioning, if that is not in the upstream tarball, any suchthings added by vendor compiles is just going to break the ABI, in factthe absence of symbol versioning in my vanilla compile may be whatcaused the problems for all the installed packages. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] How to find patches for a particular OpenSSL version?
Hi all, I am currently using openssl 1.0.1e (compiling from source), and I was wondering whether I needed to put in any patch files with it as well. Does anybody know? Let's assume I can't just use a later version's tarball. In general I wanted to know how I could reliably find out what patches I need to apply for a particular OpenSSL version. Thanks, Pratyush Parimal. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Building libcrypto/libssl without symbolic link
Not sure what platform the other person is using, but, for the record the soname 1.0.0 causes big problems on Solaris 11 and up. Solaris 11 ships an OpenSSL 1.0.0 version in standard library locations, if anyone just builds anything higher than that, and do NOT modify build to add -R runtime load paths, you will see the libssl built link with Solaris 11 libcrypto which is not good. There are functions in 1.0.1 that do not exist in 1.0.0 I have seen a change in version naming strategy in main branch, so hopefully this will soon be not an issue. FYI, changing LD_LIBRARY_PATH using crle, is a bad idea on Solaris 11, made my boot environment un-bootable. For Solaris at least, I think its a good idea to modify makefiles to always provide the -R option to the linker. I have used that for a very long time, and avoided any collisions with standard Solaris versions. -- Original Message -- On Wed, Apr 22, 2015 at 12:12:45AM +, Shanku Roy wrote: lrw-r--r-- root root 2015-04-10 02:33 libcrypto.so - libcrypto.so.1.0.0 -rw-r--r-- root root 1988088 2015-04-10 02:27 libcrypto.so.1.0.0 Is there any configure option in OpenSSL build scripts to not generate the symbolic links and rather generate actual binary as libcrypto.so/libssl.so from the build process like following: The library soname is part of the ABI. What platform are you building for where it would not be appropriate to encode the ABI compatibility name into the library name? -- Viktor. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] evp test for CTR mode
Hi, I played with autotest offered by openssl, more precisely /test/evp_test. Is there a way to test vectors tests from NIST SP800-38A for CTR mode (only vectors from RFC 3686 are taillable in evptests.txt). I add the vectors in the files but the results are not the expected results. Is there a link with endianess? I read in the code (extract from /crypto/modes/ctr128.c) : /* NOTE: the IV/counter CTR mode is big-endian. The code itself * is endian-neutral. */ Maybe i have to modified IV before passing it to openssl? Thanks ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] evp test for CTR mode
Hi, I played with autotest offered by openssl, more precisely /test/evp_test. Is there a way to test vectors tests from NIST SP800-38A for CTR mode (only vectors from RFC 3686 are taillable in evptests.txt). I add the vectors in the files but the results are not the expected results. Is there a link with endianess? I read in the code (extract from /crypto/modes/ctr128.c) : /* NOTE: the IV/counter CTR mode is big-endian. The code itself * is endian-neutral. */ Maybe i have to modified IV before passing it to openssl? Thanks ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users