Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl

2017-10-27 Thread Jakob Bohm

On 27/10/2017 19:11, Andrew Gale wrote:

Jakob,

My responses inline:


- Is it being output to the network or to the terminal window where
   curl is used?
   
 The output occurs in the terminal window when the program is run.


- Is it being output as shown (Base64 text with ending "=" signs and
   a newline after each cert) or is it being output in another form
   that you just describe that way?
   
 It is output as shown. Base64 text ending in "=" signs, newline after
 each cert, but with no "BEGIN / END CERTIFICATE"


In that case, it looks like it is debug output.  Did you by any chance
configure or run curl with options to print lots of debug traces?

Perhaps such an option is causing something to print each trusted CA cert
as it is loaded into memory or checked.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl

2017-10-27 Thread Andrew Gale
Jakob,

My responses inline:


- Is it being output to the network or to the terminal window where
  curl is used?
  
 The output occurs in the terminal window when the program is run.

- Is it being output as shown (Base64 text with ending "=" signs and
  a newline after each cert) or is it being output in another form
  that you just describe that way?
  
 It is output as shown. Base64 text ending in "=" signs, newline after
each cert, but with no "BEGIN / END CERTIFICATE"


Thanks,
Andy


[openssl-users] CMS/SMIME: RSASSA-PSS, RSAES-OAEP

2017-10-27 Thread ch

Hello!

I have an application that uses 3DES for encryption and SHA1 for signing.
It is MIME-content and so I use SMIME and CMS.

Is there a way to do RSAES-OAEP for key encryption and RSASSA-PSS for
signing with the command-line tools too, or do I need to use the API?

Cheers,
Chris


Re: [openssl-users] Passing custom CFLAGS,LDFLAGS to configure ?

2017-10-27 Thread Benjamin Kaduk via openssl-users
On 10/27/2017 07:35 AM, David Barishev wrote:
> Hello,
> I am building a custom script for building openssl for android, and I
> want to use unified headers which are enabled by default with ndk r15+.
> For this I need to pass custom CFLAGS and LDFLAGS; I was able to
> compile openssl successfully when patching the makefile myself.
> How do I do it directly from configure?
>

The current model is that you just pass the relevant CFLAGS and LDFLAGS
contents directly to Configure and they are "automagically" determined
to be the corresponding CFLAGS/LDFLAGS.

E.g., you could

./Configure --strict-warnings -ggdb3 -L/usr/local/lib -ltinfo \
    -I/opt/local/include linux-x86_64

-Ben


[openssl-users] Passing custom CFLAGS,LDFLAGS to configure ?

2017-10-27 Thread David Barishev
Hello,
I am building a custom script for building openssl for android, and I want
to use unified headers which are enabled by default with ndk r15+.
For this I need to pass custom CFLAGS and LDFLAGS; I was able to
compile openssl successfully when patching the makefile myself.
How do I do it directly from configure?

Thanks all !
-- 
*Have a nice day   David Barishev.*


Re: [openssl-users] OpenSSL outputs entire CA bundle with libcurl

2017-10-27 Thread Jakob Bohm

On 27/10/2017 00:47, Andrew Gale wrote:

Hello all,

First, some config info:
OpenSSL v1.0.1t

PLATFORM=arm-linux-
OPTIONS=enable-tls enable-threads enable-shared 
--cross-compile-prefix=arm-linux- -pthread --prefix=/usr/local 
no-ec_nistp_64_gcc_128 no-gmp no-idea no-jpake no-krb5 no-md2 no-mdc2 no-rc5 
no-rfc3779 no-ripemd no-sctp no-ssl2 no-store no-unit-test no-weak-ssl-ciphers 
no-zlib no-zlib-dynamic no-static-engine
CONFIGURE_ARGS=enable-tls no-zlib threads no-idea no-mdc2 no-rc5 no-ripemd 
shared --cross-compile-prefix=arm-linux- arm-linux- -pthread --prefix=/usr/local
SHLIB_TARGET=linux-shared


When making a request every certificate in the cacert.pem bundle is output 
before the response (without the BEGIN/END):

<<< Make request >>>
...
<<< All other certs follow >>>

POST /ftd/inform HTTP/1.1

Host: 
Authorization: Basic 
Accept: */*
Content-Type: application/json
Content-Length: 267

< HTTP/1.1 200 OK
< Server: openresty
< Date: Thu, 26 Oct 2017 18:39:48 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache, no-store
< x-trace-id: 70110f353234-275b-00013e4b
<
334 bytes retrieved


Daniel of cURL believes this is an issue with the OpenSSL lib since it's the
only component involved that actually knows of the entire CA cert bundle.
libcurl lets the SSL library deal with it and never gets to know the entire thing.

Does anyone know what could be causing the CA bundle to get spewed out every 
time a request is made?
I received this library with the config already set so I'm not exactly sure if 
this is caused by one of those options.
(and this does not occur when making the same request with the curl command 
from my host machine)


Please clarify:

- Is it being output to the network or to the terminal window where
 curl is used?

- Is it being output as shown (Base64 text with ending "=" signs and
 a newline after each cert) or is it being output in another form
 that you just describe that way?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] Issue with DTLS for UDP

2017-10-27 Thread Grace Priscilla Jero
Hi Matt,

SSL_get_error() returns 5.
It is the same socket with which the UDP connection is established.
Could you suggest some logging that can be done for OpenSSL?

Thanks,
Grace


On Thu, Oct 26, 2017 at 9:23 PM, Matt Caswell wrote:

>
>
> On 26/10/17 16:43, Grace Priscilla Jero wrote:
> > Thankyou for the responses.
> > We figured the issue. But now we are getting error -5 from "SSL_connect"
> > and the errno is set to 22 which means invalid argument.
> > Is there an easy way to debug or get logs for SSL_connect?
> >
> > Below is the sequence for the dtls udp connect that we are trying.
> > ssl = SSL_new(ctx)
> > bio = BIO_new_dgram(sock_id,BIO_NOCLOSE)
> > SSL_set_bio(ssl, bio, bio);
> > VI_res = SSL_connect(ssl)
>
> Do you really mean SSL_connect() returns -5? Or do you mean that after a
> negative return value from SSL_connect() you call SSL_get_error() and
> that return 5 (SSL_ERROR_SYSCALL)?
>
> If you really mean SSL_connect() returns -5 then you need to call
> SSL_get_error() as a next step.
>
> If you are getting SSL_ERROR_SYSCALL then my guess is that there is a
> problem with sock_id. How do you create it?
>
> Matt
>
>
> >
> >
> >
> > Thanks,
> > Grace
> >
> > On Tue, Oct 24, 2017 at 4:07 PM, Matt Caswell wrote:
> >
> >
> >
> > On 24/10/17 11:25, Grace Priscilla Jero wrote:
> > > We are using SSL_accept to accept the connection for which we see
> the
> > > failure. Please let know if you have any thoughts.
> >
> > Have you set the wbio correctly? Does SSL_get_wbio() return your wbio
> > object if you call it immediately before SSL_do_handshake()?
> >
> > Matt
> >
> > --
> > openssl-users mailing list
> > To unsubscribe:
> > https://mta.openssl.org/mailman/listinfo/openssl-users
> > 
> >
> >
> >
> >
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
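The check Matt's reply points at (SSL_ERROR_SYSCALL from SSL_connect() usually means the socket under the dgram BIO, not the TLS layer, failed), as an added example that is not code from this thread or from OpenSSL. It verifies the properties BIO_new_dgram() relies on before the fd is handed to SSL_set_bio(): the fd is open, is a socket, is SOCK_DGRAM, and has a peer set with connect(). It uses only POSIX socket calls, so it compiles without OpenSSL; the names sock_preflight(), sock_check_str() and preflight_selftest(), and the default DTLS peer 127.0.0.1:4433 in main(), are this example's own assumptions.

```c
/* Added example, not code from the thread or from OpenSSL: a pre-flight check
 * for the UDP socket that is about to go into BIO_new_dgram()/SSL_set_bio().
 * An SSL_get_error() of 5 (SSL_ERROR_SYSCALL) after SSL_connect() means a
 * read/write on the underlying socket failed and errno says why, so check the
 * socket itself first. Plain POSIX, no OpenSSL needed to compile; the names
 * sock_preflight() and preflight_selftest() are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum sock_check {
    SOCK_OK = 0,
    SOCK_BAD_FD,        /* fd is not open (errno EBADF) */
    SOCK_NOT_SOCKET,    /* fd is open but is not a socket (errno ENOTSOCK) */
    SOCK_NOT_DGRAM,     /* a socket, but not SOCK_DGRAM (e.g. a TCP socket) */
    SOCK_NOT_CONNECTED  /* no peer (errno ENOTCONN): the dgram BIO's send()
                           has nowhere to go until connect() or
                           BIO_ctrl_set_connected() has been called */
};

/* Returns SOCK_OK or the first failing check. If sys_errno is non-NULL it
 * receives the errno of the failing syscall (0 when no syscall failed). */
int sock_preflight(int fd, int *sys_errno)
{
    int type = 0;
    socklen_t len = sizeof(type);
    struct sockaddr_storage peer;
    socklen_t plen = sizeof(peer);

    if (sys_errno != NULL)
        *sys_errno = 0;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0) {
        if (sys_errno != NULL)
            *sys_errno = errno;
        return errno == EBADF ? SOCK_BAD_FD : SOCK_NOT_SOCKET;
    }
    if (type != SOCK_DGRAM)
        return SOCK_NOT_DGRAM;
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0) {
        if (sys_errno != NULL)
            *sys_errno = errno;
        return SOCK_NOT_CONNECTED;
    }
    return SOCK_OK;
}

const char *sock_check_str(int rc)
{
    switch (rc) {
    case SOCK_OK:            return "ok: connected datagram socket";
    case SOCK_BAD_FD:        return "fd is not open";
    case SOCK_NOT_SOCKET:    return "fd is not a socket";
    case SOCK_NOT_DGRAM:     return "socket is not SOCK_DGRAM";
    case SOCK_NOT_CONNECTED: return "datagram socket has no peer; connect() it first";
    default:                 return "unknown";
    }
}

/* Exercises every outcome without touching the network: AF_UNIX datagram
 * sockets answer these checks exactly like UDP sockets. Returns the number
 * of cases that did not produce the expected verdict (0 = all good). */
int preflight_selftest(void)
{
    int bad = 0, e = 0, sv[2] = { -1, -1 };
    int nul = open("/dev/null", O_RDONLY);
    int tcp = socket(AF_UNIX, SOCK_STREAM, 0);
    int udp = socket(AF_UNIX, SOCK_DGRAM, 0);   /* created but never connected */

    bad += sock_preflight(-1, &e) != SOCK_BAD_FD || e != EBADF;
    bad += sock_preflight(nul, &e) != SOCK_NOT_SOCKET || e != ENOTSOCK;
    bad += sock_preflight(tcp, &e) != SOCK_NOT_DGRAM || e != 0;
    bad += sock_preflight(udp, &e) != SOCK_NOT_CONNECTED || e != ENOTCONN;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0)
        bad++;
    else
        bad += sock_preflight(sv[0], &e) != SOCK_OK || e != 0;

    close(nul); close(tcp); close(udp); close(sv[0]); close(sv[1]);
    return bad;
}

/* Stand-alone use: `./preflight 192.0.2.10 4433` checks a UDP socket aimed
 * at that (assumed) DTLS server. UDP connect() only records the peer; no
 * packet is sent, so this is safe to run anywhere. */
int main(int argc, char **argv)
{
    struct sockaddr_in peer;
    int fd, e, rc;
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    int port = argc > 2 ? atoi(argv[2]) : 4433;

    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { perror("socket"); return 1; }
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &peer.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
        perror("connect"); return 1;
    }
    rc = sock_preflight(fd, &e);
    printf("%s (errno %d)\n", sock_check_str(rc), e);
    /* Only on SOCK_OK: bio = BIO_new_dgram(fd, BIO_NOCLOSE); SSL_set_bio(ssl, bio, bio); */
    close(fd);
    return rc == SOCK_OK ? 0 : 1;
}
```

Run sock_preflight() on sock_id immediately before BIO_new_dgram(); if it reports anything but SOCK_OK, the later SSL_ERROR_SYSCALL is explained by the socket and no OpenSSL logging is needed. If it reports SOCK_OK and SSL_connect() still fails with SSL_get_error() == 5, record errno right after SSL_connect() returns, before any other call, since that value is the only detail OpenSSL has about the failed syscall.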