Re: [openssl-users] Msys doesn't handle forward slashes in makefile

[Fiodar Stryzhniou via openssl-users]

I need in autogenerated files headers, asm, others. Project will migrate to 
Symbian build system then.
Fiodar Stryzhniou

исходное сбщ
Тема: Re: [openssl-users] Msys doesn't handle forward slashes in makefile
От: Jakob Bohm 
Дата: 28.11.2016 23.29

On 28/11/2016 11:44, Fiodar Stryzhniou via openssl-users wrote:
> Hi! I use Configure under Msys with crosscompiler arm-none-symbianelf. I edit 
> accordingly Configure script of course. When I run make it prints "_some 
> string_ path not found". I found this string and replace forward slashes to 
> backslashes. I got same error for another string.
> I try "ls path2 file" from error message and got error "not found error". I 
> change slashes and vise versa.
>   How can tell configure to generate makefile with backslashes? May be 
> another solutions exists?
> Fiodar Stryzhniou
>
Hmm, maybe run perl -pe "s/\//\\/sg" on the Makefile as part of
your higher level build script?
I found recipe on stack overflow "sed -i s/\//\\/g Makefile". Paths can have 
back and forward slashes at one time in makefile, lol. I don't use build script 
except Configure.

But how do you run the code after the signing service was shut
down at the Microsoft takeover?
I hack my phone and forget about it. Also I saw in internet how make own 
devcert.
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Disabling Client-Initiated TLS renegotiation

[Sashank Mullapudi (samullap)]

Resending this hoping for a response from someone who has information on 
disabling TLS renegotiation from the Client side.

Thanks,
Sashank

From: samullap >
Date: Tuesday, 22 November 2016 at 12:21 PM
To: "openssl-users@openssl.org" 
>
Cc: "Ram Mohan R (rmohanr)" >, 
"Anil Kumar (anilkum)" >, "Nikhil 
Mittal (nimittal)" >
Subject: Disabling Client-Initiated TLS renegotiation

Hi,

As part of securing our web interfaces, we wanted to disable client-initiated 
TLS renegotiation.

The reasoning for this requirement is as follows- Generally, renegotiation of 
TLS sessions is much more resource-intensive for the server than the client, 
and should therefore not be performed at will to avoid degrading performance. 
Disabling client from renegotiating secures the server from undergoing a DoS 
attack due to continuous renegotiation requests.

I see that there is an option SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, but 
that is to secure the renegotiation, not disable it.

I wanted to check if there is a patch or flag available to disable any 
negotiation initiated from the client side.

Thanks and Regards,
Sashank
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to produce a nested CMS / PKCS#7 structure?

[Wim Lewis]

On Nov 25, 2016, at 12:43 PM, Dr. Stephen Henson  wrote:
> Something like that did happen for PKCS#7 but the  OCTET STRING encapsulation
> is correct for CMS.

Aha, and this difference is called out in RFC5652 [5.2.1]. Thanks, that 
clarifies things for me a little. So typically it's only the outermost 
ContentInfo that directly embeds a CMS object without an intervening OCTET 
STRING, and other structures use EncapsulatedContentInfo instead of ContentInfo.

However, I think the other half of my problem remains: if I'm putting another 
CMS object into a SignedData, AuthEnvelopedData, or other kind of wrapper, the 
OCTET STRING should contain the encoding of that object's structure (e.g. a 
BER-encoded AuthEnvelopedData, SignedData, ContentWithAttributes, etc. 
structure), not a ContentInfo *containing* that structure, right? How do I get 
OpenSSL to give me that encoded object without an enclosing ContentInfo?



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

[Viktor Dukhovni]

On Mon, Nov 28, 2016 at 04:06:33PM -0500, Ken Goldman wrote:
> On 11/28/2016 3:40 PM, Salz, Rich wrote:
> >Perhaps I didn't understand the original question.  If all you want
> >to do is compare 1.0.2 and 1.1.0, then look at
> >OPENSSL_VERSION_NUMBER; if defined at it's 0x10101000L or greater,
> >then you;'re on the 1.1.x branch, otherwise you are not and therefore
> >on 1.0.2 or earlier.
> 
> I want to compare pre 1.1 (typically 1.0) and 1.1 and up.
> 
> My 1.0 has
> 
> ./opensslv.h:#define OPENSSL_VERSION_NUMBER   0x1000105fL
> 
> My 1.1 has
> 
> ./openssl/opensslv.h:# define OPENSSL_VERSION_NUMBER  0x1010003fL
> 
> Neither agree with your example, but would comparing to 0x1010  work?

To test for 1.1.0 and up:

#if OPENSSL_VERSION_NUMBER > 0x1010
...
#endif

(testing for equality is not needed, that would be a a dev release
that predates all the betas).

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

[Ken Goldman]

On 11/28/2016 3:40 PM, Salz, Rich wrote:

Perhaps I didn't understand the original question.  If all you want
to do is compare 1.0.2 and 1.1.0, then look at
OPENSSL_VERSION_NUMBER; if defined at it's 0x10101000L or greater,
then you;'re on the 1.1.x branch, otherwise you are not and therefore
on 1.0.2 or earlier.


I want to compare pre 1.1 (typically 1.0) and 1.1 and up.

My 1.0 has

./opensslv.h:#define OPENSSL_VERSION_NUMBER 0x1000105fL

My 1.1 has

./openssl/opensslv.h:# define OPENSSL_VERSION_NUMBER  0x1010003fL

Neither agree with your example, but would comparing to 0x1010  work?

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

[Viktor Dukhovni]

> On Nov 28, 2016, at 3:40 PM, Salz, Rich  wrote:
> 
> Perhaps I didn't understand the original question.  If all you want to do is 
> compare 1.0.2 and 1.1.0, then look at OPENSSL_VERSION_NUMBER; if defined at 
> it's 0x10101000L or greater, then you;'re on the 1.1.x branch, otherwise you 
> are not and therefore on 1.0.2 or earlier.

The OPENSSL_VERSION_NUMBER macro dates back to some of the earliest
OpenSSL releases, and is therefore always defined.  Postfix has the
following comment in src/tls/tls_misc.c which covers the relevant
history:

/*
 * OPENSSL_VERSION_NUMBER(3):
 *
 * OPENSSL_VERSION_NUMBER is a numeric release version identifier:
 *
 * MMNNFFPPS: major minor fix patch status
 *
 * The status nibble has one of the values 0 for development, 1 to e for
 * betas 1 to 14, and f for release. Parsed OpenSSL version number. for
 * example
 *
 * 0x000906000 == 0.9.6 dev 0x000906023 == 0.9.6b beta 3 0x00090605f ==
 * 0.9.6e release
 *
 * Versions prior to 0.9.3 have identifiers < 0x0930.  Versions between
 * 0.9.3 and 0.9.5 had a version identifier with this interpretation:
 *
 * MMNNFFRBB major minor fix final beta/patch
 *
 * for example
 *
 * 0x000904100 == 0.9.4 release 0x000905000 == 0.9.5 dev
 *
 * Version 0.9.5a had an interim interpretation that is like the current
 * one, except the patch level got the highest bit set, to keep continu-
 * ity.  The number was therefore 0x0090581f.
 */

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

[Salz, Rich]

Perhaps I didn't understand the original question.  If all you want to do is 
compare 1.0.2 and 1.1.0, then look at OPENSSL_VERSION_NUMBER; if defined at 
it's 0x10101000L or greater, then you;'re on the 1.1.x branch, otherwise you 
are not and therefore on 1.0.2 or earlier.

--  
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Any advice/recommendation for watching TLS version negotiation

[Ludwig, Mark]

> From: Wall, Stephen, Monday, November 28, 2016 6:52 AM
> 
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> > Behalf Of Ludwig, Mark
> >
> > A customer claims to have configured the web (app) server to only allow
> > TLS 1.2
> > (by disallowing up through TLS 1.1), and says that the client code
> > (which we
> > know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS
> > 1.1.  We
> > are setting up a similar environment internally to diagnose what's
> > happening,
> > and I wonder if anyone has any advice on the "best" tool for "watching"
> > the TLS
> > version negotiation when the connection is being established.
> 
> I've typically used Wireshark for this type of thing.  If you are using RSA 
> and have
> a copy of the server key, you can also examine the encrypted channel content.

Yes, thanks, a colleague today enlightened me that Wireshark will read the 
captured data from snoop.  Voila!

I didn't bother to get the key -- not sure it's RSA -- because I'm not 
interested 
in the encrypted data.  I only want to see the TLS handshake, which Wireshark 
decodes nicely.

Best,
Mark
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Msys doesn't handle forward slashes in makefile

[Jakob Bohm]

On 28/11/2016 11:44, Fiodar Stryzhniou via openssl-users wrote:

Hi! I use Configure under Msys with crosscompiler arm-none-symbianelf. I edit accordingly 
Configure script of course. When I run make it prints "_some string_ path not 
found". I found this string and replace forward slashes to backslashes. I got same 
error for another string.
I try "ls path2 file" from error message and got error "not found error". I 
change slashes and vise versa.
  How can tell configure to generate makefile with backslashes? May be another 
solutions exists?
Fiodar Stryzhniou


Hmm, maybe run perl -pe "s/\//\\/sg" on the Makefile as part of
your higher level build script?

But how do you run the code after the signing service was shut
down at the Microsoft takeover?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl-1.1.0b : Getting keys from TPM

[Ken Goldman]

To read a public key, use the TPM2_ReadPublic command.  I have an open 
source utility (tpm2pem) that converts that TPM format key to PEM.


If you need the private key, you will have to "duplicate" it to a key 
you know and then use that key to decrypt it.  It's possible.  However, 
it defeats the purpose of using the TPM as a hardware key store.  It 
would be better to use the TPM to do the private key operations.


For a TSS, I offer this, which has an ever expanding set of utilities 
and sample programs.  Let me know what you need for sample code.


https://sourceforge.net/projects/ibmtpm20tss/?source=navbar

I also suggest debugging with a SW TPM.

https://sourceforge.net/projects/ibmswtpm2/

The tpm2pem utility currently comes with the attestation client and server:

https://sourceforge.net/projects/ibmtpm20acs/

On 11/3/2016 12:02 PM, Zvi Vered wrote:

Hi Ken,

1. I mean: read from TPM

2. In order to create an SSL session with the server, should I need also
the private key ?

3. I want to use TPM 2.0


On 11/2/2016 11:06 PM, Zvi Vered wrote:


I want to use openssl in order to send\receive encrypted
messages to a
server.

My Target has TPM.

Can you please explain how to configure the openssl library to take
public+private keys from TPM ?

Should I use a specific TPM library ?



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

[Ken Goldman]

I'd like an answer to this one also.  I could not find that define.  I 
did find about 10 variations, all uncommented.


Could someone simply post the definitive answer?

On 11/23/2016 8:50 AM, Salz, Rich wrote:

Look at the OPENSSL version define.






--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Query on BIO_do_accept in openssl server.

[ravi shankar]

Hi All,
I am new to openssl and I am trying to achieve server client communication
using Openssl with BIO interfaces.
 As per my understanding on the man page of BIO_do_accept(BIO *abio), first
call to it will set's up accept BIO and Second call to the same is a
blocking call and wait for incoming connections. In my server, i am being
blocked at first call to BIO_do_accept. What all scenarios will make my
call a blocking call?. Thanks for your help.

a part of my Openssl server:

if(BIO_do_accept(server) <= 0)  /* place the underlying socket into
listening mode */
{
  cout<<" Error setting up accept\n"<

Re: [openssl-users] Any advice/recommendation for watching TLS version negotiation

[Wall, Stephen]

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Ludwig, Mark
> 
> A customer claims to have configured the web (app) server to only allow
> TLS 1.2
> (by disallowing up through TLS 1.1), and says that the client code
> (which we
> know is based on OpenSSL 1.0.2j) is nevertheless connecting using TLS
> 1.1.  We
> are setting up a similar environment internally to diagnose what's
> happening,
> and I wonder if anyone has any advice on the "best" tool for "watching"
> the TLS
> version negotiation when the connection is being established.

I've typically used Wireshark for this type of thing.  If you are using RSA and 
have a copy of the server key, you can also examine the encrypted channel 
content.

-Steve Wall
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Msys doesn't handle forward slashes in makefile

[Fiodar Stryzhniou via openssl-users]

Hi! I use Configure under Msys with crosscompiler arm-none-symbianelf. I edit 
accordingly Configure script of course. When I run make it prints "_some 
string_ path not found". I found this string and replace forward slashes to 
backslashes. I got same error for another string.
I try "ls path2 file" from error message and got error "not found error". I 
change slashes and vise versa.
 How can tell configure to generate makefile with backslashes? May be another 
solutions exists?
Fiodar Stryzhniou

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users