Re: openssl 3 alpha 1 test failures on AIX
I would have to build a new perl from source, but the perl I'm using meets the requirements. I built the current version (5.24.0) from source a while back when openssl started requiring at least 5.10.0. Tests pass on the same machine with openssl 1.1.1.

On 5/6/2020 5:33 PM, Benjamin Kaduk wrote:
> On Wed, May 06, 2020 at 05:22:17PM -0700, Norm Green wrote:
> > All tests on AIX fail like this. Is this a known issue? What debugging
> > information is needed? Should I open an issue on github?
> >
> > Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the
> > tests to run at all.
> >
> > normg@sky>gmake test
> > make depend && make _tests
> > ( SRCTOP=. BLDTOP=.
> > PERL="/export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl" EXE_EXT=
> > /export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl ./test/run_tests.pl )
> > 01-test_abort.t
> > # The results of this test will end up in test-runs/test_abort
> > 1..1
> > Use of uninitialized value in concatenation (.) or string at
> > ../../util/wrap.pl line 14.
> > Use of uninitialized value in concatenation (.) or string at
> > ../../util/wrap.pl line 14.
> > Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
> > ../../util/../engines;
> > = ../../util/../providers
> > if ( / at ../../util/wrap.pl line 14.
> > ../../util/wrap.pl ../../test/aborttest => 255
> > ok 1 - Testing that abort is caught correctly
> > ok
> > 01-test_sanity.t ...
> > # The results of this test will end up in test-runs/test_sanity
> > 1..1
> > Use of uninitialized value in concatenation (.) or string at
> > ../../util/wrap.pl line 14.
> > Use of uninitialized value in concatenation (.) or string at
> > ../../util/wrap.pl line 14.
> > Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
> > ../../util/../engines;
>
> That looks like your perl is unhappy about something; do you have other
> versions of perl available to try?
>
> Thanks,
>
> Ben
Re: openssl 3 alpha 1 test failures on AIX
On Wed, May 06, 2020 at 05:22:17PM -0700, Norm Green wrote:
> All tests on AIX fail like this. Is this a known issue? What debugging
> information is needed? Should I open an issue on github?
>
> Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the
> tests to run at all.
>
> normg@sky>gmake test
> make depend && make _tests
> ( SRCTOP=. BLDTOP=.
> PERL="/export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl" EXE_EXT=
> /export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl ./test/run_tests.pl )
> 01-test_abort.t
> # The results of this test will end up in test-runs/test_abort
> 1..1
> Use of uninitialized value in concatenation (.) or string at
> ../../util/wrap.pl line 14.
> Use of uninitialized value in concatenation (.) or string at
> ../../util/wrap.pl line 14.
> Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
> ../../util/../engines;
> = ../../util/../providers
> if ( / at ../../util/wrap.pl line 14.
> ../../util/wrap.pl ../../test/aborttest => 255
> ok 1 - Testing that abort is caught correctly
> ok
> 01-test_sanity.t ...
> # The results of this test will end up in test-runs/test_sanity
> 1..1
> Use of uninitialized value in concatenation (.) or string at
> ../../util/wrap.pl line 14.
> Use of uninitialized value in concatenation (.) or string at
> ../../util/wrap.pl line 14.
> Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
> ../../util/../engines;

That looks like your perl is unhappy about something; do you have other
versions of perl available to try?

Thanks,

Ben
openssl 3 alpha 1 test failures on AIX
All tests on AIX fail like this. Is this a known issue? What debugging information is needed? Should I open an issue on github?

Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the tests to run at all.

normg@sky>gmake test
make depend && make _tests
( SRCTOP=. BLDTOP=.
PERL="/export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl" EXE_EXT=
/export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl ./test/run_tests.pl )
01-test_abort.t
# The results of this test will end up in test-runs/test_abort
1..1
Use of uninitialized value in concatenation (.) or string at
../../util/wrap.pl line 14.
Use of uninitialized value in concatenation (.) or string at
../../util/wrap.pl line 14.
Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
../../util/../engines;
= ../../util/../providers
if ( / at ../../util/wrap.pl line 14.
../../util/wrap.pl ../../test/aborttest => 255
ok 1 - Testing that abort is caught correctly
ok
01-test_sanity.t ...
# The results of this test will end up in test-runs/test_sanity
1..1
Use of uninitialized value in concatenation (.) or string at
../../util/wrap.pl line 14.
Use of uninitialized value in concatenation (.) or string at
../../util/wrap.pl line 14.
Unmatched ) in regex; marked by <-- HERE in m/ '') <-- HERE eq '' && -d
../../util/../engines;
= ../../util/../providers
if ( / at ../../util/wrap.pl line 14.
../../util/wrap.pl ../../test/sanitytest => 255
not ok 1 - running sanitytest

Also:

normg@sky>/export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl configdata.pm --dump

Command line (with current working directory = .):

    /export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl ./Configure threads shared no-zlib --prefix=/sky2/users/normg/gs360-openssl-300/slow9/openssl/install9 --openssldir=/usr/local/ssl debug-aix64-cc

Perl information:

    /export/localnew/RISC6000.AIX/perl-5.24.0/bin/perl
    5.24.0 for aix-thread-multi-64int

Enabled features:

    aria asm async autoalginit autoerrinit autoload-config bf blake2 camellia
    capieng cast chacha cmac cmp cms comp ct deprecated des dgram dh dsa dso
    dtls dynamic-engine ec ec2m ecdh ecdsa engine err filenames fips gost idea
    legacy makedepend md4 mdc2 module multiblock nextprotoneg pinshared ocb
    ocsp padlockeng pic poly1305 posix-io psk rc2 rc4 rdrand rfc3779 rmd160
    scrypt secure-memory seed shared siphash siv sm2 sm3 sm4 sock srp srtp
    sse2 ssl static-engine stdio tests threads tls ts ui-console whirlpool
    tls1 tls1-method tls1_1 tls1_1-method tls1_2 tls1_2-method tls1_3
    dtls1 dtls1-method dtls1_2 dtls1_2-method

Disabled features:

    afalgeng            [not-linux]      OPENSSL_NO_AFALGENG
    asan                [default]        OPENSSL_NO_ASAN
    buildtest-c++       [default]
    crypto-mdebug       [default]        OPENSSL_NO_CRYPTO_MDEBUG
    devcryptoeng        [default]        OPENSSL_NO_DEVCRYPTOENG
    ec_nistp_64_gcc_128 [default]        OPENSSL_NO_EC_NISTP_64_GCC_128
    egd                 [default]        OPENSSL_NO_EGD
    external-tests      [default]        OPENSSL_NO_EXTERNAL_TESTS
    fuzz-libfuzzer      [default]        OPENSSL_NO_FUZZ_LIBFUZZER
    fuzz-afl            [default]        OPENSSL_NO_FUZZ_AFL
    ktls                [default]        OPENSSL_NO_KTLS
    md2                 [default]        OPENSSL_NO_MD2 (skip crypto/md2)
    msan                [default]        OPENSSL_NO_MSAN
    rc5                 [default]        OPENSSL_NO_RC5 (skip crypto/rc5)
    sctp                [default]        OPENSSL_NO_SCTP
    ssl-trace           [default]        OPENSSL_NO_SSL_TRACE
    trace               [default]        OPENSSL_NO_TRACE
    ubsan               [default]        OPENSSL_NO_UBSAN
    unit-test           [default]        OPENSSL_NO_UNIT_TEST
    uplink              [no uplink_arch] OPENSSL_NO_UPLINK
    weak-ssl-ciphers    [default]        OPENSSL_NO_WEAK_SSL_CIPHERS
    zlib                [option]
    zlib-dynamic        [default]
    ssl3                [default]        OPENSSL_NO_SSL3
    ssl3-method         [default]        OPENSSL_NO_SSL3_METHOD

Config target attributes:

    AR => "ar -X64",
    ARFLAGS => "r",
    CC => "cc",
    CFLAGS => "-O0 -g",
    HASHBANGPERL => "/usr/bin/env perl",
    RANLIB => "ranlib -X64",
    RC => "windres",
    asm_arch => "ppc64",
    bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
    build_file => "Makefile",
    build_scheme => [ "unified", "unix" ],
    cflags => "-q64 -qmaxmem=16384 -qro -qroconst -qthreaded",
    cppflags => "-D_THREAD_SAFE",
    defines => [ "OPENSSL_BUILDING_OPENSSL" ],
    disable => [ ],
    dso_scheme
RE: mutual-TLS / mTLS Example with certificate problem
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Andreas Tengicki
> Sent: Wednesday, May 06, 2020 12:45
> To: openssl-users@openssl.org
> Subject: mutual-TLS / mTLS Example with certificate problem
>
> I can not find a working mutual-TLS server/client example on github or
> the whole internet.

By "mutual-TLS" I assume you mean "TLS with mutual authentication".

I don't know about open-source examples off the top of my head, but all the products I work on support mutual authentication.

Oh, wait, of course I know of an open-source example. It's OpenSSL, which supports mutual authentication in the s_server and s_client apps.

>     SSL_CTX_use_certificate_chain_file(srvCtx->ctx,
>     "../certs/server/ca.crt");
>     SSL_CTX_use_certificate_file(srvCtx->ctx,
>     "../certs/server/server.crt", SSL_FILETYPE_PEM);

This is very likely wrong. SSL(_CTX)_use_certificate_chain_file sets the entity certificate and its (partial) chain. So when you call SSL_CTX_use_certificate_file you're overwriting the entity certificate set by use_certificate_chain_file.

Get rid of the call to use_certificate_file and put everything the server should be sending into the chain file, in the order described in the OpenSSL documentation: entity certificate, certificate for its issuer, and so on up to and including the root. (I've just noticed the docs don't say whether use_certificate_chain_file specifies SSL_BUILD_CHAIN_FLAG_NO_ROOT when it calls add1_chain_cert, so offhand I don't know whether this will cause the root to be included in the chain the server sends. But that shouldn't really matter.)

> ca.crt:
>         Version: 3 (0x2)
>         Serial Number:
>             5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
>         Validity
>             Not Before: May  6 09:21:23 2020 GMT
>             Not After : May  6 09:21:23 2022 GMT
>         Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA

Not enough information. We don't know what the Basic Constraints are for this certificate, or EKU, or whether it's actually the certificate that signed your server's entity certificate.

More importantly, if this is the only certificate in ca.crt, which was what you passed to use_certificate_chain_file, then this was stored in the context as the entity cert, and no certificates were added to the chain. Then you overwrote the entity cert with use_certificate_file, and you still have no chain. (At least I believe that's what will happen; I haven't actually tried it.)

> server.crt:
>         Version: 1 (0x0)

X.509v1? PKIX moved to v3 in, what, 2002 (with RFC 3280)? I mean, X.509v1 ought to still work, but it's hardly good practice.

>         Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN =
>         debiandevdesktop01.sdctec.lokal
>
> debiandevdesktop01.sdctec.lokal is the FQDN of the development server

And is that exactly what the client is specifying when it tries to verify the server's certificate?

>     SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
>     SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt",
>     SSL_FILETYPE_PEM);

Same problem as above.

> If the client connects to the server there are the following errors:
>
> server:
> 139918902234240:error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:1915:

Is that the whole OpenSSL error stack? When reporting an OpenSSL error (from your application), you should always make sure to dump the whole stack.

Also, a piece of advice: A good place to start when diagnosing issues like this is to swap out the server for openssl s_server, or the client for openssl s_client. s_client can give you a whole bunch of information about what the server is sending, and would have shown the chain is just the entity certificate in this case.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: mutual-TLS / mTLS Example with certificate problem
On Wed, May 06, 2020 at 08:44:57PM +0200, Andreas Tengicki wrote:

>     SSL_CTX_load_verify_locations(srvCtx->ctx,NULL,"../certs"); //

Have you run "c_rehash" on "../certs" (not keen on relative file names here myself).

> Client Side
> ===========
>
>     SSL_CTX_set_ecdh_auto(ctx, 1);
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
>     SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
>     SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt",
>     SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key",
>     SSL_FILETYPE_PEM);

What is the client doing for "verify_locations"?

--
    Viktor.
Re: mutual-TLS / mTLS Example with certificate problem
On Wed, May 06, 2020 at 08:44:57PM +0200, Andreas Tengicki wrote:

> I can not find a working mutual-TLS server/client example on github or
> the whole internet. Only some examples for pieces of code. Communication
> via socket without and with encryption (openSSL) is working, but with
> mTLS not. I believe that I theoretically understand mTLS, but in practice
> it will not work.

Postfix uses an "ask_ccert" configuration boolean to solicit client certificates. The associated server-side code (with the SNI ctx side-effects elided) is:

    if (props->ask_ccert)
        verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
    SSL_CTX_set_verify(server_ctx, verify_flags, tls_verify_certificate_callback);

    if (props->ask_ccert && *props->CAfile) {
        STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(props->CAfile);

        if (calist == 0) {
            /* Not generally critical */
            msg_warn("error loading client CA names from: %s", props->CAfile);
            tls_print_errors();
        }
        SSL_CTX_set_client_CA_list(server_ctx, calist);
    }

Some clients will not send a certificate unless the server-side client CA list is non-empty and includes the root CA that issued the client's cert.

>     SSL_CTX_set_ecdh_auto(ctx, 1);
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
>     SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
>     SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt",
>     SSL_FILETYPE_PEM);
>     SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key",
>     SSL_FILETYPE_PEM);

You SHOULD NOT specify both a certificate chain file and certificate file. The ..._chain_file() function loads the leaf cert, and then the rest of the chain.

>
> server:
> 139918902234240:error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed:../ssl/statem/statem_clnt.c:1915:

Your trust stores don't contain the requisite CAs and/or the chain files are missing required intermediate certs.

--
    Viktor.
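Michael's advice to debug with s_client/s_server and Viktor's question about c_rehash both come down to getting the certificate files right before touching application code. The script below is an added example, not code from this thread, from OpenSSL or from Postfix: it builds a throwaway CA plus server and client certificates with the openssl CLI (1.1.1 or later assumed), writes the server chain file in the order SSL_CTX_use_certificate_chain_file expects, and shows that a CApath directory handed to SSL_CTX_load_verify_locations only works once it has been hashed. All names, paths and subjects are constructed for the demo.

```sh
#!/bin/sh
# Added example (not code from this thread, OpenSSL or Postfix). Builds a
# throwaway PKI with the openssl CLI (1.1.1+ assumed), writes the server chain
# file in the order SSL_CTX_use_certificate_chain_file expects (leaf first,
# then issuer) and shows that a CApath directory handed to
# SSL_CTX_load_verify_locations only works after c_rehash / "openssl rehash".
set -eu

# $1 = work dir. Produces ca.crt, server/client .crt+.key, server-chain.pem
# and an unhashed capath/ directory. All names are constructed for the demo.
make_pki() {
    dir=$1
    mkdir -p "$dir/capath"
    # Minimal req config so the demo does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example CA
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Self-signed X.509v3 CA certificate.
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 1 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Leaf certs: CSR, then sign with the CA as v3 with a SAN (not X.509v1).
    for name in server client; do
        openssl req -new -config "$dir/req.cnf" -subj "/CN=$name.example.test" \
            -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        printf 'subjectAltName=DNS:%s.example.test\n' "$name" > "$dir/$name.ext"
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -sha256 -extfile "$dir/$name.ext" \
            -out "$dir/$name.crt" 2>/dev/null
    done
    # Chain file: entity cert first, then its issuer. Passing ca.crt alone
    # (as in the question) makes the CA the "entity certificate".
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/server-chain.pem"
    cp "$dir/ca.crt" "$dir/capath/ca.crt"
}
# Subject of the first cert in a PEM file: the entity cert of a chain file.
first_subject() { openssl x509 -in "$1" -noout -subject; }
# Verify leaf $1 against CApath $2 only; prints ok or fail.
verify_leaf_capath() {
    if openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; then
        echo ok; else echo fail; fi
}
d=$(mktemp -d); make_pki "$d"
echo "unhashed CApath: $(verify_leaf_capath "$d/server.crt" "$d/capath")"
openssl rehash "$d/capath" 2>/dev/null
echo "hashed CApath:   $(verify_leaf_capath "$d/server.crt" "$d/capath")"
echo "chain leaf:      $(first_subject "$d/server-chain.pem")"
rm -rf "$d"
```

With real files in place, `openssl s_client -connect host:port -cert client.crt -key client.key -CAfile ca.crt` against the server shows exactly which chain it sends and whether it asks for a client certificate.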
mutual-TLS / mTLS Example with certificate problem
Hello,

I can not find a working mutual-TLS server/client example on github or the whole internet. Only some examples for pieces of code. Communication via socket without and with encryption (openSSL) is working, but with mTLS not. I believe that I theoretically understand mTLS, but in practice it will not work.

The whole (small) project is here: https://github.com/deckard-rick/mTLS-example

Server Side
===========

I initialize the SSL-context without errors with (sample, error handling is not in this email)

    SSL_CTX_set_ecdh_auto(srvCtx->ctx, 1);
    /* verify flags are a bit mask: combine them with | */
    SSL_CTX_set_verify(srvCtx->ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_load_verify_locations(srvCtx->ctx,NULL,"../certs"); //
    SSL_CTX_use_certificate_chain_file(srvCtx->ctx, "../certs/server/ca.crt");
    SSL_CTX_use_certificate_file(srvCtx->ctx, "../certs/server/server.crt", SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(srvCtx->ctx, "../certs/server/server.key", SSL_FILETYPE_PEM);
    SSL_CTX_check_private_key(srvCtx->ctx);

the certificates are:

ca.crt:
        Version: 3 (0x2)
        Serial Number:
            5a:fc:74:e6:28:28:0e:df:5b:7a:50:9e:a8:18:e6:04:42:f0:fd:8d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
        Validity
            Not Before: May  6 09:21:23 2020 GMT
            Not After : May  6 09:21:23 2022 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA

server.crt:
        Version: 1 (0x0)
        Serial Number:
            5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
        Validity
            Not Before: May  6 09:30:23 2020 GMT
            Not After : May  6 09:30:23 2021 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = debiandevdesktop01.sdctec.lokal

debiandevdesktop01.sdctec.lokal is the FQDN of the development server

Client Side
===========

    SSL_CTX_set_ecdh_auto(ctx, 1);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    SSL_CTX_use_certificate_chain_file(ctx, "../certs/client/ca.crt");
    SSL_CTX_use_certificate_file(ctx, "../certs/client/client.crt", SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, "../certs/client/client.key", SSL_FILETYPE_PEM);

ca.crt: (see server)

client.crt:
        Version: 1 (0x0)
        Serial Number:
            5f:6f:44:b5:27:47:f2:d2:fe:2b:21:5b:38:7d:e5:f6:e5:d9:c1:24
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = 42CA
        Validity
            Not Before: May  6 09:35:51 2020 GMT
            Not After : May  6 09:35:51 2021 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CLIENT001

Error:
======

If the client connects to the server there are the following errors:

server:
139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:

client:
139918902234240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1915:

I think there is a problem with the certificates. But where is the problem and why? The statements to create the certificates are in the project ./certs/read.me

Thanks for any help, I have been looking for days for a solution and I believe it is only a small bug.

Best regards

Andreas
Re: AW: openssl-1.1.1g cygwin make errors
ucontext.h existed in 2017 in Cygwin, and still exists. Maybe you have a very old Cygwin (you can update with setup.exe).