Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Michael Sierchio
"Since the HMAC is only 96 bits long, even a generic collision requires
only about 248 HMAC computations"

But a sequence/call-flow diagram is on the page Sandeep referenced:
http://www.mitls.org/pages/attacks/SLOTH

- M
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Michael Sierchio
2^48. Which is larger than 248, which was a cut-and-paste error. ;-)

On Fri, Jan 8, 2016 at 11:00 AM, Michael Sierchio wrote:

> "Since the HMAC is only 96 bits long, even a generic collision requires
> only about 248 HMAC computations"
>
> But a sequence/call-flow diagram is on the page Sandeep referenced:
> http://www.mitls.org/pages/attacks/SLOTH
>
> - M
>
>
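The 2^48 figure in the two messages above comes from the birthday bound on a 96-bit tag: a generic collision on an n-bit value costs about 2^(n/2) evaluations regardless of how strong the underlying HMAC is. The following Python script is an added illustration, not code from the thread or from OpenSSL; it truncates HMAC-SHA256 to a toy tag length (16 and 24 bits) so the collision actually appears in a fraction of a second, and reports the same estimate for 96 bits. The key and the message pattern are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed key for the demonstration; the collision cost depends only on
# the truncated tag length, not on the key or on HMAC-SHA256 itself.
DEMO_KEY = b"constructed-demo-key"


def truncated_hmac(key: bytes, msg: bytes, tag_bits: int) -> bytes:
    """HMAC-SHA256 cut down to tag_bits (a multiple of 8), mirroring the
    short 96-bit tag discussed in the thread."""
    assert tag_bits % 8 == 0
    return hmac.new(key, msg, hashlib.sha256).digest()[: tag_bits // 8]


def expected_birthday_trials(tag_bits: int) -> int:
    """Generic (birthday) collision cost for an n-bit tag: about 2**(n/2)
    evaluations. For a 96-bit tag that is the 2**48 quoted in the thread."""
    return 2 ** (tag_bits // 2)


def find_collision(key: bytes, tag_bits: int, max_trials: int = 1 << 20):
    """Search for two distinct messages whose truncated tags coincide.

    This is the generic birthday search on the short tag; it does nothing
    clever with HMAC. Returns (msg_a, msg_b, trials) or None.
    """
    seen = {}
    for i in range(max_trials):
        msg = b"constructed-transcript-%08x" % i  # distinct by construction
        tag = truncated_hmac(key, msg, tag_bits)
        other = seen.get(tag)
        if other is not None:
            return other, msg, i + 1
        seen[tag] = msg
    return None


if __name__ == "__main__":
    for bits in (16, 24):
        msg_a, msg_b, trials = find_collision(DEMO_KEY, bits)
        print(f"{bits}-bit tag: collision after {trials} tags "
              f"(birthday estimate {expected_birthday_trials(bits)})")
    print("96-bit tag: birthday estimate", expected_birthday_trials(96))
```

The trial counts printed for the toy lengths land around the 2^(n/2) estimate, which is the whole point Jeff and Uri go on to argue about: 2^48 HMAC computations is out of reach during a normally timed handshake, so the risk lives in whatever lets the handshake timer be stretched.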


Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Salz, Rich
Are you going to keep posting and posting until you get a response? :(

Master branch, 1.1, is not released but will not be vulnerable (may already be fixed).
1.0.2 is not vulnerable.
1.0.1f and later are not vulnerable.
1.0.0 might be, and is end of life anyway so you should move off that.
0.9.8 is also end of life, but does not do TLS 1.2 so is not vulnerable.

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz


[openssl-users] Difference in the methods for listing the FIPS ciphers

2016-01-08 Thread jonetsu
Hello,

Using 1.0.1e running FIPS module 2.0.9, the following two
commands for querying the ciphers do not yield the same results.
There are more ciphers declared in the 'string' version.

The 'environment variable' version:

% OPENSSL_FIPS=1 openssl ciphers -v |

The 'string' version:

% openssl ciphers -v 'FIPS'

In the 'string' version only:
 

Is the 'environment variable' usage broken ?

Thanks.





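When two `openssl ciphers -v` listings disagree, the quickest way to see what the difference actually is (and whether any extra suite uses a primitive FIPS 140-2 does not approve) is to parse the six-field `-v` line format and diff by suite name. The script below is an added example, not code from the post or from OpenSSL; the two listings are constructed sample output, not the real output of the poster's 1.0.1e / FIPS 2.0.9 build, and `non_fips_reasons` is a simplified screen rather than the FIPS module's own allow-list.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One line of `openssl ciphers -v` output: name, protocol, Kx=, Au=, Enc=, Mac=.
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s*$"
)


class Suite(NamedTuple):
    name: str
    version: str
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(text: str) -> Dict[str, Suite]:
    """Parse `openssl ciphers -v` output into a dict keyed by suite name.
    Lines that do not match the six-field layout are skipped."""
    suites: Dict[str, Suite] = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line.strip())
        if m:
            suites[m.group("name")] = Suite(**m.groupdict())
    return suites


def compare_lists(a: Dict[str, Suite], b: Dict[str, Suite]) -> Tuple[List[str], List[str]]:
    """Suite names present only in a, and names present only in b (both sorted)."""
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def non_fips_reasons(suite: Suite) -> List[str]:
    """Illustrative screen for primitives FIPS 140-2 does not approve
    (MD5, RC4, NULL encryption, single DES, anonymous key exchange)."""
    reasons = []
    if suite.mac == "MD5":
        reasons.append("MD5 MAC")
    if suite.enc.startswith("RC4"):
        reasons.append("RC4 cipher")
    if suite.enc == "None":
        reasons.append("NULL encryption")
    if suite.enc.startswith("DES("):
        reasons.append("single DES")
    if suite.au == "None":
        reasons.append("anonymous key exchange")
    return reasons


# Constructed sample listings (not real output from the poster's build).
ENV_LISTING = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

STRING_LISTING = ENV_LISTING + """\
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""


def report(env_text: str, string_text: str) -> Dict[str, List[str]]:
    """Suites only in the string listing, each with the reasons (if any) it
    would not pass the simplified FIPS screen."""
    env, string = parse_ciphers_v(env_text), parse_ciphers_v(string_text)
    _, only_in_string = compare_lists(env, string)
    return {name: non_fips_reasons(string[name]) for name in only_in_string}


if __name__ == "__main__":
    for name, reasons in report(ENV_LISTING, STRING_LISTING).items():
        print(name, "->", ", ".join(reasons) or "no obvious non-FIPS primitive")
```

On a real system, capture each listing to a file (`OPENSSL_FIPS=1 openssl ciphers -v > env.txt`, `openssl ciphers -v 'FIPS' > string.txt`) and feed the file contents to `report`; suites that appear only in the string version and trip the screen are the ones worth asking about.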


[openssl-users] stunnel 5.29 released

2016-01-08 Thread Michał Trojnara

Dear Users,

I have released version 5.29 of stunnel.

The ChangeLog entry:

Version 5.29, 2016.01.08, urgency: LOW
* New features
  - New WIN32 icons.
  - Performance improvement: rwlocks used for locking with pthreads.
* Bugfixes
  - Compilation fix for *BSD.
  - Fixed configuration file reload for relative stunnel.conf path on Unix.
  - Fixed ignoring CRLfile unless CAfile was also specified (thx to Strukov Petr).

Home page: https://www.stunnel.org/
Download:  https://www.stunnel.org/downloads.html

SHA-256 hashes:
43909625403ea634fa7cb8399d58faf8e7f11c1b7b29097491469951f56df551
stunnel-5.29.tar.gz
c92ccc98cc9eb0c5d95d9550af39ab502e7ea45ed4d9ccc821aa261856f958b1
stunnel-5.29-installer.exe
f9db8676e8e2ec6db355bae41eb625eb8ebd45a836ad8cbf06ce60a3c305fde2
stunnel-5.29-android.zip

Best regards,
Mike


Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Jeffrey Walton
On Fri, Jan 8, 2016 at 2:00 PM, Michael Sierchio  wrote:
> 2^48. Which is larger than 248, which was a cut-and-paste error. ;-)

Right. The bad guy should *not* be able to compute a MAC to perform
the forgery within TCP's 2MSL bound and TLS timers. However, there's a
keep alive the authors used in the past to basically make their attack
windows unbounded in time. From the earlier paper on Logjam
(http://weakdh.org/imperfect-forward-secrecy-ccs15.pdf):

TLS warning alerts. Web browsers tend to have shorter timeouts,
but we can keep their connections alive by sending TLS warning
alerts, which are ignored by the browser but reset the handshake
timer.

As far as I know, there's no interest in fixing it in the TLS working group.

Jeff


Re: [openssl-users] New opensssl sources with some missing files released on 2015-Dec-03

2016-01-08 Thread Matt Caswell
On 08/01/16 09:44, Pal, Kamal Kishor wrote:
> Hi,
> 
> Any update on packaging errors mentioned in my previous mail..
> 
>  
> 
> Further we notice the extracted openssl source “include” directory does
> not have the header files as well.
> 
>  
> 
> Any plan from Openssl team to re-package and release again?

There is no plan to re-package. The missing files and links are not
necessary to successfully compile and install OpenSSL. They are
recreated when running "Configure" and "make depend".

Matt



Re: [openssl-users] New opensssl sources with some missing files released on 2015-Dec-03

2016-01-08 Thread Pal, Kamal Kishor
Hi,
Any update on packaging errors mentioned in my previous mail..

Further we notice the extracted openssl source "include" directory does not 
have the header files as well.

Any plan from Openssl team to re-package and release again?

Regards,
Kamal

From: Pal, Kamal Kishor
Sent: Tuesday, December 29, 2015 1:20 PM
To: 'openssl-users@openssl.org'
Cc: Pal, Kamal Kishor
Subject: [openssl-users] New opensssl sources with some missing files released on 2015-Dec-03

Hi,
It seems the new openssl version source tar files released on 2015-Dec-03 has 
some missing files giving errors while untarring and compiling our application 
code.

We tried using "openssl-0.9.8zh" and "openssl-1.0.1q" version and observed 
following:

A. openssl-0.9.8zh.tar.gz

* Untarring the source tar with Winrar in Windows7 gives 88 errors for 
44 missing files.

* Untarring on Linux also shows symbolic links of same 44 missing files.

* Our Application build fails with new source files.

B. openssl-1.0.1q.tar.gz

* Untarring the source tar with Winrar in Windows7 gives 76 errors for 
38 missing files.

Please refer to the attachments for error details.

Links used for downloads are as under:
https://www.openssl.org/source/
ftp://ftp.openssl.org/source/

We are actually blocked with openssl upgrade to "openssl-0.9.8zh" due to 
erroneous packages released.
Could you please check the new openssl version packages of
"openssl-0.9.8zh.tar.gz" and update the packages or suggest alternatives, if any.

Regards,
Kamal




Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Blumenthal, Uri - 0553 - MITLL
What is the problem with truncated 96-bit HMAC value?

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
From: Jakob Bohm
Sent: Thursday, January 7, 2016 19:25
To: openssl-users@openssl.org
Reply To: openssl-users@openssl.org
Subject: Re: [openssl-users] openSSL and SLOTH attack

On 07/01/2016 23:06, jonetsu wrote:
> Does this mean that running 1.0.1e in FIPS mode is protected regarding this
> SLOTH attack ?
Does FIPS mode prevent use of MD5: Yes.

Does FIPS mode prevent insecure uses of SHA-1 (a FIPS algorithm): No.

Does FIPS mode prevent the SSL/TLS handshake from using 96 bit truncated HMAC values: Probably not.

Does FIPS mode prevent use of the insecurely designed 'tls-unique' feature: Probably not.


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 





Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread jonetsu
> Does FIPS mode prevent use of MD5: Yes.

> Does FIPS mode prevent insecure uses of SHA-1 (a FIPS
> algorithm): No.

> Does FIPS mode prevent the SSL/TLS handshake from using 96 bit
> truncated HMAC values: Probably not.

> Does FIPS mode prevent use of the insecurely designed
> 'tls-unique' feature: Probably not.

This is what I read so far, thanks for the confirmation.  1.0.1f though will
be good, will it, FIPS mode or not?






Re: [openssl-users] openSSL and SLOTH attack

2016-01-08 Thread Miriam Celi
Hello again OpenSSL users,

I'm still trying to find out if the 1.0.2 and 1.0.0 branches are affected,
and if so which versions and if there are versions with fixes available.

Based on the changelog for the 1.0.2 branch
(http://openssl.org/news/cl102.txt), version 1.0.1f which contains the fix
was released (Jan 2014) prior to OpenSSL 1.0.2 (Jan 2015), so 1.0.2d should
contain the fix for this, but we are not sure about this and would like
confirmation on this. 

Based on the changelog for the 1.0.1
(https://www.openssl.org/news/cl101.txt) and 1.0.0
(http://openssl.org/news/cl100.txt) branches, version 1.0.1f was released
prior to 1.0.0r (Mar 2015), so 1.0.0r should contain the fix for this, but
again we are not sure and would like confirmation.

The detailed technical paper
(http://www.mitls.org/downloads/transcript-collisions.pdf) that was
published with the attack disclosure, describes a vector for an MD5 based
attack against TLS 1.0 and TLS 1.1. So, there's a possibility for an OpenSSL
1.0.0 version to be vulnerable.

Thanks for any additional information you can provide on this.

Regards,
Miriam 


[openssl-users] Firefox problems with two way SSL auth

2016-01-08 Thread David Balažic
Hi!

I encounter this issue when using Firefox to access tomcat (that is
using openssl) with client cert authentication.

After a certain timeout, the web application does not "see" the
client's certificate in requests.

The problem happens on different operating systems (Windows, Linux)
and browsers.

I reported it to tomcat and Firefox, with not much response.

There is a simple test case in comment 1 of the tomcat bug (see below).

Could someone assist in finding the cause of the problem?
I also have pcap traces (somewhere) of working and non working network traffic.


Latest tested configuration:
tomcat 8.0.30, using OpenSSL 1.0.1m 19 Mar 2015
Firefox 43.0.4
OS: Windows 7 Pro SP1 64bit

The tomcat bug with much details:

https://bz.apache.org/bugzilla/show_bug.cgi?id=58244

Firefox bug report (not much details):
https://bugzilla.mozilla.org/show_bug.cgi?id=1231406

Regards,
David Balažic