[openssl-users] FIPS 186-4 RSA CAVS
Dear All, I am working on doing CAVS algorithm testing for RSA, FIPS 186-4. Able to make up the 186-4 patches for RSA key generation from Fedora, SuSe patches. The new API to generate RSA key based on 186-4 is "fips_rsa_builtin_keygen". But I suspect if this has CAVS support as well. In the fips_rsagtest, above API is not invoked at all. I see the fips_rsagtest invokes only the old "RSA_X931_derive_ex". Please share if any patch available for CAVS algorithm test support for RSA 186-4. Thanks, Murugesh P. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Openssl DTLS performance
Hi all, We are building VPN using OpenSSL 1.1.0e. VPN can work with TLS and DTLS. The test server is Linux Ubuntu 16.04 and client windows 7/10. We tested using dummy net with different parameters like 0.1/0.2 /.5% packet drop and 20 ms delay. In this scenario, DTLS shows marginal 5 to 7% poor performance than TLS under different network conditions. We are using async socket. epoll on linux and select on the windows side. Do we know any known performance limitation with DTLS in existing OpenSSL lib? Thanks in advanceAnand-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Graham Leggett > Sent: Wednesday, November 08, 2017 20:11 > To: openssl-users@openssl.org > Subject: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL > routines:ssl23_write:ssl handshake failure:s23_lib.c:177: > > - What is the significance of "no peer certificate available”? You can get this message from s_client even if the handshake failed for other reasons. I've seen it when there are no common cipher suites, for example. One case I recently observed: A stock OpenSSL 1.0.2j s_client talking to an older IIS. IIS negotiated TLSv1.2 but didn't actually support any of the TLSv1.2 suites. s_client reported the negotiated suite was 0 (i.e. none), but it also gave me the "no peer certificate" diagnostic. (In this case, forcing TLSv1.1 got the connection working, and since this was for an internal demo I didn't bother beating IIS into submission.) > New, (NONE), Cipher is (NONE) > SSL-Session: > Protocol : TLSv1.2 > Cipher: Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2 protocol level but not supporting any of the 1.2 suites. > ssldump confirms that it is the client side - that’s openssl - that’s > rejecting the > handshake and returning unknown ca: > > New TCP connection #42: 172.29.231.43(33116) <-> 172.29.228.240(5432) > 42 1 0.0038 (0.0038) C>SV3.1(300) Handshake > ClientHello > Version 3.3 > random[32]= > 80 cf 99 66 b3 07 55 c2 3f cf b2 61 13 39 89 c1 > 33 37 f4 77 21 a3 fd 2e f9 fa 9b 65 4e b5 bd 24 > cipher suites > Unknown value 0xc030 > Unknown value 0xc02c > Unknown value 0xc028 > Unknown value 0xc024 > Unknown value 0xc014 > Unknown value 0xc00a > Unknown value 0xa5 > Unknown value 0xa3 > Unknown value 0xa1 > Unknown value 0x9f > Unknown value 0x6b > Unknown value 0x6a > Unknown value 0x69 > Unknown value 0x68 > TLS_DHE_RSA_WITH_AES_256_CBC_SHA > TLS_DHE_DSS_WITH_AES_256_CBC_SHA > TLS_DH_RSA_WITH_AES_256_CBC_SHA > TLS_DH_DSS_WITH_AES_256_CBC_SHA > Unknown value 0x88 > Unknown value 0x87 > Unknown value 0x86 > Unknown value 0x85 > Unknown value 0xc032 > Unknown value 0xc02e > Unknown value 0xc02a > Unknown value 0xc026 > Unknown value 0xc00f > Unknown value 0xc005 > Unknown value 0x9d > Unknown value 0x3d > TLS_RSA_WITH_AES_256_CBC_SHA > Unknown value 0x84 > Unknown value 0xc02f > Unknown value 0xc02b > Unknown value 0xc027 > Unknown value 0xc023 > Unknown value 0xc013 > Unknown value 0xc009 > Unknown value 0xa4 > Unknown value 0xa2 > Unknown value 0xa0 > Unknown value 0x9e > TLS_DHE_DSS_WITH_NULL_SHA > Unknown value 0x40 > Unknown value 0x3f > Unknown value 0x3e > TLS_DHE_RSA_WITH_AES_128_CBC_SHA > TLS_DHE_DSS_WITH_AES_128_CBC_SHA > TLS_DH_RSA_WITH_AES_128_CBC_SHA > TLS_DH_DSS_WITH_AES_128_CBC_SHA > Unknown value 0x9a > Unknown value 0x99 > Unknown value 0x98 > Unknown value 0x97 > Unknown value 0x45 > Unknown value 0x44 > Unknown value 0x43 > Unknown value 0x42 > Unknown value 0xc031 > Unknown value 0xc02d > Unknown value 0xc029 > Unknown value 0xc025 > Unknown value 0xc00e > Unknown value 0xc004 > Unknown value 0x9c > Unknown value 0x3c > TLS_RSA_WITH_AES_128_CBC_SHA > Unknown value 0x96 > Unknown value 0x41 > Unknown value 0xc011 > Unknown value 0xc007 > Unknown value 0xc00c > Unknown value 0xc002 > TLS_RSA_WITH_RC4_128_SHA > TLS_RSA_WITH_RC4_128_MD5 > Unknown value 0xc012 > Unknown value 0xc008 > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA > TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA > TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA > TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA > Unknown value 0xc00d > Unknown value 0xc003 > TLS_RSA_WITH_3DES_EDE_CBC_SHA > Unknown value 0xff > compression methods > NULL > 42 2 0.0056 (0.0017) S>CV3.3(62) Handshake > ServerHello > Version 3.3 > random[32]= > f9 4d fa 63 ee d5 65 6d ba dd 58 de 51 00 8e ac > 9f 45 24 43 e2 17 88 07 41 9a 8d aa 7f 95 2a 13 > session_id[0]= > > cipherSuite Unknown value 0xc030 Hmm. This claims they agreed on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Maybe no ECC curves in common for ECDHE Kx? > compressionMethod NULL > 42 3 0.0056 (0.) S>CV3.3(3345) Handshake > Certificate >
[openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
Hi all, I am having quite a time trying to get postgresql v9.5 to talk over SSL on Ubuntu Xenial, running openssl v1.0.1f. Previously my setup was Ubuntu Trusty, and this works fine. The questions I have based on the info below: - It is the openssl s_client side that is triggering the handshake failure. Is there a way to get openssl to log why the handshake failed in the returned error message? Verification depth issue? No path to requested target? Something else? - What is the significance of "no peer certificate available”? A tcpdump and the ssldump shows that three certificates are sent by the postgresql server, why would openssl claim no certificates were sent? - The same certificates work fine in Ubuntu Trusty, they don’t work in Ubuntu Xenial. The certs are SHA256 certs, and consist of a root, two intermediates and a leaf cert. The postgresql server provides the two intermediates and the leaf cert, and the root as passed in -CAfile. - Are there any known incompatibility issues with openssl on Xenial? When I attempt to connect to postgresql using openssl s_client, I get this: postgres@sql02:~$ openssl s_client -verify 10 -CAfile .postgresql/root.crt -key .postgresql/postgresql.key -cert .postgresql/postgresql.crt -connect sql01:5432 -servername sql01 verify depth is 10 CONNECTED(0003) 139930468939416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 379 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher: Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1510188432 Timeout : 300 (sec) Verify return code: 0 (ok) — ssldump confirms that it is the client side - that’s openssl - that’s rejecting the handshake and returning unknown ca: New TCP connection #42: 172.29.231.43(33116) <-> 172.29.228.240(5432) 42 1 0.0038 (0.0038) C>SV3.1(300) Handshake ClientHello Version 3.3 random[32]= 80 cf 99 66 b3 07 55 c2 3f cf b2 61 13 39 89 c1 33 37 f4 77 21 a3 fd 2e f9 fa 9b 65 4e b5 bd 24 cipher suites Unknown value 0xc030 Unknown value 0xc02c Unknown value 0xc028 Unknown value 0xc024 Unknown value 0xc014 Unknown value 0xc00a Unknown value 0xa5 Unknown value 0xa3 Unknown value 0xa1 Unknown value 0x9f Unknown value 0x6b Unknown value 0x6a Unknown value 0x69 Unknown value 0x68 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA Unknown value 0x88 Unknown value 0x87 Unknown value 0x86 Unknown value 0x85 Unknown value 0xc032 Unknown value 0xc02e Unknown value 0xc02a Unknown value 0xc026 Unknown value 0xc00f Unknown value 0xc005 Unknown value 0x9d Unknown value 0x3d TLS_RSA_WITH_AES_256_CBC_SHA Unknown value 0x84 Unknown value 0xc02f Unknown value 0xc02b Unknown value 0xc027 Unknown value 0xc023 Unknown value 0xc013 Unknown value 0xc009 Unknown value 0xa4 Unknown value 0xa2 Unknown value 0xa0 Unknown value 0x9e TLS_DHE_DSS_WITH_NULL_SHA Unknown value 0x40 Unknown value 0x3f Unknown value 0x3e TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA Unknown value 0x9a Unknown value 0x99 Unknown value 0x98 Unknown value 0x97 Unknown value 0x45 Unknown value 0x44 Unknown value 0x43 Unknown value 0x42 Unknown value 0xc031 Unknown value 0xc02d Unknown value 0xc029 Unknown value 0xc025 Unknown value 0xc00e Unknown value 0xc004 Unknown value 0x9c Unknown value 0x3c TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x96 Unknown value 0x41 Unknown value 0xc011 Unknown value 0xc007 Unknown value 0xc00c Unknown value 0xc002 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xc012 Unknown value 0xc008 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xc00d Unknown value 0xc003 TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xff
Re: [openssl-users] Help compiling on HPUX
I can confirm that I can compile with no-asm. That’s a good thing. I cannot however get any level of optimizations to compile correctly. This may not be a problem for my use case, but it may be for others. If I update Configurations/10-main.conf for hpux64-ia64-cc to use +O0, +O1, or +O2 (+O3 was the default) it will trigger the issue. "hpux64-ia64-cc" => { inherit_from => [ "BASE_unix", asm("ia64_asm") ], cc => "cc", cflags => combine(picker(default => "-Ae +DD64 +Olit=all -z -DB_ENDIAN", debug => "+O0 +d -g", release => "+O0"), I changed the value here! This is also shown in the CFLAGS in the summary output from Configure: Configuring for hpux64-ia64-cc CC=cc CFLAG =-Ae +DD64 +Olit=all -z -DB_ENDIAN +O0 -D_REENTRANT While I can proceed with my project using no-asm, I am willing to try other changes to help the OpenSSL project out to see if the problem is just around one function that cannot be optimized, etc if anyone has any suggestions. I'm not sure if the git-hub bug moderators are on this list, so I'll update the bug report there with this new info. -Dan On 11/8/17, 7:33 AM, "openssl-users on behalf of Ludwig, Mark"wrote: > From: Michael Wojcik, Wednesday, November 08, 2017 7:03 AM > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Help compiling on HPUX > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Dan Freed > > Sent: Tuesday, November 07, 2017 19:14 > > To: openssl-users@openssl.org > > Subject: [openssl-users] Help compiling on HPUX > > > I see that there are a few posts about compiling openssl on HP-UX, so I’m > hopeful that someone can help me out. > > My initial suspect is the assembly modules. I suggest configuring with no-asm, > and if that works and you really want the assembly code for performance, then > investigate further. > > Another possibility is optimization. We had issues building OpenSSL for HP-UX > (PA-RISC and Itanium) with +O4, which is what Configure specifies for at least > some HP-UX builds. We backed it off to +O1 (by editing Configure; we actually > use our own Configure script, and merge in changes from the official one each > time we update to a new OpenSSL release). Dan, you did not specify the platform. I have not built on RISC since OpenSSL 0.9.8. I have built OpenSSL 1.0.2k on Itanium as follows. I mostly agree with Michael, but have not backed off optimization quite as far. Note that my use cases do not include encrypting/decrypting large payloads, so can get away with reduced performance to get correct results (i.e., pass the tests). I had to edit util/selftest.pl for the compiler's identification output and because the ar(1) command will not accept /dev/null as an input file. I also eliminated a lot of the tests in test/cms-tests, because we do not use the modules being tested. (They were failing.) I can believe these might work with lower optimization such as Michael recommends. Below is the Configure output. Hope this helps. Configuring for hpux64-ia64-cc no-asm [option] OPENSSL_NO_ASM no-dso [option] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-libunbound [experimental] OPENSSL_NO_LIBUNBOUND (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl2 [default] OPENSSL_NO_SSL2 (skip dir) no-store[experimental] OPENSSL_NO_STORE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] IsMK1MF=0 CC=cc CFLAG =+Z -DOPENSSL_PIC -DOPENSSL_THREADS -Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT EX_LIBS =-ldl CPUID_OBJ =mem_clr.o BN_ASM=bn_asm.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC
Re: [openssl-users] Help compiling on HPUX
Thanks! I am compiling on Itanium (ia64). I've not had these issues compiling OpenSSL 1.0.1 version, but this is the first time I'm attempting to move to the 1.1.0 version. I'm attempting a no-asm compile right now, to see if I can get past the error. Then I'll play the optimizations to see if I can get it to compile with the assembly optimizations or not. -Dan On 11/8/17, 7:33 AM, "openssl-users on behalf of Ludwig, Mark"wrote: > From: Michael Wojcik, Wednesday, November 08, 2017 7:03 AM > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Help compiling on HPUX > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Dan Freed > > Sent: Tuesday, November 07, 2017 19:14 > > To: openssl-users@openssl.org > > Subject: [openssl-users] Help compiling on HPUX > > > I see that there are a few posts about compiling openssl on HP-UX, so I’m > hopeful that someone can help me out. > > My initial suspect is the assembly modules. I suggest configuring with no-asm, > and if that works and you really want the assembly code for performance, then > investigate further. > > Another possibility is optimization. We had issues building OpenSSL for HP-UX > (PA-RISC and Itanium) with +O4, which is what Configure specifies for at least > some HP-UX builds. We backed it off to +O1 (by editing Configure; we actually > use our own Configure script, and merge in changes from the official one each > time we update to a new OpenSSL release). Dan, you did not specify the platform. I have not built on RISC since OpenSSL 0.9.8. I have built OpenSSL 1.0.2k on Itanium as follows. I mostly agree with Michael, but have not backed off optimization quite as far. Note that my use cases do not include encrypting/decrypting large payloads, so can get away with reduced performance to get correct results (i.e., pass the tests). I had to edit util/selftest.pl for the compiler's identification output and because the ar(1) command will not accept /dev/null as an input file. I also eliminated a lot of the tests in test/cms-tests, because we do not use the modules being tested. (They were failing.) I can believe these might work with lower optimization such as Michael recommends. Below is the Configure output. Hope this helps. Configuring for hpux64-ia64-cc no-asm [option] OPENSSL_NO_ASM no-dso [option] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-libunbound [experimental] OPENSSL_NO_LIBUNBOUND (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl2 [default] OPENSSL_NO_SSL2 (skip dir) no-store[experimental] OPENSSL_NO_STORE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] IsMK1MF=0 CC=cc CFLAG =+Z -DOPENSSL_PIC -DOPENSSL_THREADS -Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT EX_LIBS =-ldl CPUID_OBJ =mem_clr.o BN_ASM=bn_asm.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ = ENGINES_OBJ = PROCESSOR = RANLIB=/usr/ccs/bin/ranlib ARFLAGS = PERL =/usr/local/smd/bin/perl SIXTY_FOUR_BIT_LONG mode DES_RISC1 used DES_UNROLL used DES_INT used RC4_INDEX mode RC4_CHUNK is undefined MD2 uses uchar > > -- > Michael Wojcik > Distinguished Engineer, Micro Focus > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Help compiling on HPUX
> From: Michael Wojcik, Wednesday, November 08, 2017 7:03 AM > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Help compiling on HPUX > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Dan Freed > > Sent: Tuesday, November 07, 2017 19:14 > > To: openssl-users@openssl.org > > Subject: [openssl-users] Help compiling on HPUX > > > I see that there are a few posts about compiling openssl on HP-UX, so I’m > hopeful that someone can help me out. > > My initial suspect is the assembly modules. I suggest configuring with no-asm, > and if that works and you really want the assembly code for performance, then > investigate further. > > Another possibility is optimization. We had issues building OpenSSL for HP-UX > (PA-RISC and Itanium) with +O4, which is what Configure specifies for at least > some HP-UX builds. We backed it off to +O1 (by editing Configure; we actually > use our own Configure script, and merge in changes from the official one each > time we update to a new OpenSSL release). Dan, you did not specify the platform. I have not built on RISC since OpenSSL 0.9.8. I have built OpenSSL 1.0.2k on Itanium as follows. I mostly agree with Michael, but have not backed off optimization quite as far. Note that my use cases do not include encrypting/decrypting large payloads, so can get away with reduced performance to get correct results (i.e., pass the tests). I had to edit util/selftest.pl for the compiler's identification output and because the ar(1) command will not accept /dev/null as an input file. I also eliminated a lot of the tests in test/cms-tests, because we do not use the modules being tested. (They were failing.) I can believe these might work with lower optimization such as Michael recommends. Below is the Configure output. Hope this helps. Configuring for hpux64-ia64-cc no-asm [option] OPENSSL_NO_ASM no-dso [option] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-libunbound [experimental] OPENSSL_NO_LIBUNBOUND (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl2 [default] OPENSSL_NO_SSL2 (skip dir) no-store[experimental] OPENSSL_NO_STORE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] IsMK1MF=0 CC=cc CFLAG =+Z -DOPENSSL_PIC -DOPENSSL_THREADS -Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT EX_LIBS =-ldl CPUID_OBJ =mem_clr.o BN_ASM=bn_asm.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ = ENGINES_OBJ = PROCESSOR = RANLIB=/usr/ccs/bin/ranlib ARFLAGS = PERL =/usr/local/smd/bin/perl SIXTY_FOUR_BIT_LONG mode DES_RISC1 used DES_UNROLL used DES_INT used RC4_INDEX mode RC4_CHUNK is undefined MD2 uses uchar > > -- > Michael Wojcik > Distinguished Engineer, Micro Focus > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Help compiling on HPUX
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Dan Freed > Sent: Tuesday, November 07, 2017 19:14 > To: openssl-users@openssl.org > Subject: [openssl-users] Help compiling on HPUX > I see that there are a few posts about compiling openssl on HP-UX, so I’m > hopeful that someone can help me out. My initial suspect is the assembly modules. I suggest configuring with no-asm, and if that works and you really want the assembly code for performance, then investigate further. Another possibility is optimization. We had issues building OpenSSL for HP-UX (PA-RISC and Itanium) with +O4, which is what Configure specifies for at least some HP-UX builds. We backed it off to +O1 (by editing Configure; we actually use our own Configure script, and merge in changes from the official one each time we update to a new OpenSSL release). -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Potential memory leak in RSA_private_decrypt
Thanks again, Rich. >>>There is something strange with the RSA private key or it’s BN_CONT object. >>>Are you sure that you are properly releasing all OpenSSL objecdts in your code? My application is a server. When it is initialized it calls RSA_new() to allocate a RSA object. When the server is running, it keeps accepting concurrent connection requests from many clients. When handling a connection request it calls RSA_private_decrypt() to decrypt the encrypted password. What a client does is to connect to the server and then disconnect at once. Hence it takes very little time for each client. The RSA object is not released until the server is shutdown. Regards, Wang -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Potential memory leak in RSA_private_decrypt
On 08/11/17 09:47, Wang wrote: > Hello Matt, > > Thank you for trying to help. > Is this the "bottom" of the OpenSSL stack? i.e. your application calls RSA_private_decrypt() directly? > Yes, it does. > Do you share a single RSA object across multiple threads? > Yes, my application shares a single RSA object across many concurrent > threads. Namely RSA_private_decrypt() is called with the same RSA object > concurrently across many threads. > > Does this cause any issue? I checked OpenSSL document, but didn't find > anything related to this kind of restriction > (https://www.openssl.org/docs/manmaster/man3/RSA_public_encrypt.html). Or > this restriction is undocumented? https://www.openssl.org/docs/faq.html#PROG1 >From the FAQ: "1. Is OpenSSL thread-safe? Yes but with some limitations; for example, an SSL connection cannot be used concurrently by multiple threads. This is true for most OpenSSL objects. ..." This is also true for the RSA object. Temporary, thread specific blinding state is held in the RSA object so it cannot be shared across multiple threads. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Potential memory leak in RSA_private_decrypt
Hello Matt, Thank you for trying to help. >>>Is this the "bottom" of the OpenSSL stack? i.e. your application calls >>>RSA_private_decrypt() directly? Yes, it does. >>>Do you share a single RSA object across multiple threads? Yes, my application shares a single RSA object across many concurrent threads. Namely RSA_private_decrypt() is called with the same RSA object concurrently across many threads. Does this cause any issue? I checked OpenSSL document, but didn't find anything related to this kind of restriction (https://www.openssl.org/docs/manmaster/man3/RSA_public_encrypt.html). Or this restriction is undocumented? Regards, Wang -- Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users