Cipher Suite
Hi All, The cipher-spec string - 'HIGH:!ADH:!MD5' when I executed, it gives cipher suites as follows: ./openssl ciphers -v 'HIGH:!ADH:!MD5' 1. DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 2. DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1 3. AES256-SHASSLv3 Kx=RSAAu=RSA Enc=AES(256) Mac=SHA1 4. DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 5. DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1 6. AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 7. EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DHAu=RSA Enc=3DES(168) Mac=SHA1 8. EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 9. DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 When I took individual cipher suites from this result to test further. I found some of them failing. ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher DHE-DSS-AES256-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 22893:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher DHE-DSS-AES128-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 23059:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher EDH-DSS-DES-CBC3-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 23084:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: Can somebody help me on this or is there something that should be happening behind the scenes that I'm missing. Regards, Rajat - This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase Co., its subsidiaries and affiliates. This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Please refer to http://www.jpmorgan.com/pages/disclosures for disclosures relating to UK legal entities.
Re: Cipher Suite
Hi Rajat: On Tuesday 29 January 2008 01:46:39 [EMAIL PROTECTED] wrote: Hi All, snip ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher DHE-DSS-AES256-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 22893:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher DHE-DSS-AES128-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 23059:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher EDH-DSS-DES-CBC3-SHA -state CONNECTED(0004) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL3 alert read:fatal:handshake failure SSL_connect:error in SSLv2/v3 read server hello A 23084:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:562: Can somebody help me on this or is there something that should be happening behind the scenes that I'm missing. From the above, the ciphers that are failing are ones that use DSA keys. Does your server understand and have DSA keys configured? If not, that would probably be why it is failing. Cheers. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
OCSP sample
Hi all, I'm looking for some code examples to realise a X.509 certificate verification over OCSP with C++. Is there something to find in the Open SSL package? Or are there other places were I can find something? Thanks in advance. Frank Wockenfuß __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OCSP sample
Wockenfuß schrieb: Hi all, I'm looking for some code examples to realise a X.509 certificate verification over OCSP with C++. Is there something to find in the Open SSL package? Or are there other places were I can find something? I would expect such code in the apps/ocsp.c file of the OpenSSL source code (http://www.openssl.org/source/openssl-0.9.8g.tar.gz), though I don't know whether every special case is covered there. But surely it is a place to start. Thanks in advance. Frank Wockenfuß Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
Will the AES-CCM/GCM patch be integrated in openssl?
Hello, Will the IBM patch for AES-CCM and AES-GCM be included in openssl? If so, in what 'branch' can it be expected to be included, 0.9.8, 0.9.9 or something else? And when? Regards Roger _ Trött på krångliga mejladresser? Skaffa en live.se-adress här! http://get.live.com/mail/options__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RSA verify fails if compiled with -g
Hi guys, I was doing some testing and I got this strange behavior: running openssl speed rsa, it fails on rsa verify (follows the log); is it possible it is due to the -g option I compiled OpenSSL with? -- Log -- $ ./openssl speed rsa Doing 512 bit private rsa's for 10s: 27495 512 bit private RSA's in 9.54s Doing 512 bit public rsa's for 10s: RSA verify failure 23583:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 23583:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 1 512 bit public RSA's in 1.64s Doing 1024 bit private rsa's for 10s: 4977 1024 bit private RSA's in 9.95s Doing 1024 bit public rsa's for 10s: RSA verify failure 23583:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 23583:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 1 1024 bit public RSA's in 2.40s Doing 2048 bit private rsa's for 10s: 755 2048 bit private RSA's in 9.65s Doing 2048 bit public rsa's for 10s: RSA verify failure 23583:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 23583:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 1 2048 bit public RSA's in 5.60s Doing 4096 bit private rsa's for 10s: 112 4096 bit private RSA's in 9.62s Doing 4096 bit public rsa's for 10s: RSA verify failure 23583:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 23583:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699: 1 4096 bit public RSA's in 5.06s OpenSSL 0.9.9-dev XX xxx built on: Wed Jan 30 17:04:22 CET 2008 options:bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) aes(partial) idea(int) blowfish(idx) compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -g signverifysign/s verify/s rsa 512 bits 0.000347s 1.64s 2882.1 0.6 rsa 1024 bits 0.001999s 2.40s500.2 0.4 rsa 2048 bits 0.012781s 5.60s 78.2 0.2 rsa 4096 bits 0.085893s 5.06s 11.6 0.2 -- Davide smime.p7s Description: S/MIME cryptographic signature
Re: About the fips openssl testsuite
施威 wrote: Hi Openssl FIPS Team: I have successfully built the fips openssl on a HPUX box, and did a make test, all the cases passed. but it seems to me that only 2 or 3 fips spicific testcases had been tested. so i checked the test/Makefile, and i didnt find any fips specific testing rules in the Makefile. and i tried to add some rule in the Makefile to test the other fips specific cases: alltests: \ fips_test_desmovs fips_test_aes fips_test_dsatest fips_test_dssvs test_des test_idea test_sha test_md4 test_md5 test_hmac \ test_md2 test_mdc2 \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_aes \ test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ test_ss test_ca test_engine test_evp test_ssl but it failed because it couldnt find the fips_aes_data/list : no such file . and i tried to run the other fips cases, most of them need req files. so it is really hard to test them. could you help me about it ? and i also wanna ask the following 3 questions: 1). In openssl-fips-1.1.2/test/Makefile, it tested all the fips specific cases or not? 2). if it didn't, how can i test them? Is there a new version of testsuite for fips? 3). where can i get the test enssential data like: fips_aes_data/list and so on. looking forward to hearing from you. thanks very much!! Please see http://www.openssl.org/docs/fips/ for the User Guide (appendix B in particular) and sample test vectors. -Steve M. -- Steve Marquess Open Source Software Institute [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Compiling Openssl for Mobile 5 / 6
Hi, I followed the INSTALL.WCE directions. What resulted was the Crypto stuff works fine. The SSL stuff does not seem to hand shake correctly. I am using TLSv1. I am able to load my Cert and private key, but I keep getting a SYS_ERROR_SYSCALL error on the SSL_Connect. As described below from the man pages, it seems that the WinCE socket code is returning an EOF on the SSL_Connect. ___ SSL_ERROR_SYSCALL Some I/O error occurred. The OpenSSL error queue may contain more information on the error. If the error queue is empty (i.e. ERR_get_error() returns 0), ret can be used to find out more about the error: If ret == 0, an EOF was observed that violates the protocol. If ret == -1, the underlying BIO reported an I/O error. (For socket I/O on Unix systems, consult errno.) ___ I am a little concerned with the WCE build instuctions. First the WCE instructions seem to be for Pocket PC 2003, which really are not compatible with Mobile 5/6 ( I could be wrong ). Questions: Is there a different/easier way to build openssl for mobile 5/6? If so How. Is there a work around for my problem described above? If so How. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: RSA_verify problem
Hello, I am still having a problem running RSA_verify which returns 'Data too large for modulus' errors. If I check the big number value of the 'signatureValue' and 'Modulus' they are 268628280 and 268628488 respectively which obviously explains the error I am receiving. Not exactly, modulus is 1024 bit integer so number 268628280 does not look as RSA modulus from 1024 bit key. Suppose this is only printing error and your conversion routine works good, you should check that your signature is made with private key with the same modulus as your public key - this numbers must be equal. If this keys differ then there may be situation where signed data is bigger then public key modulus. Best regards, -- Marek Marcola [EMAIL PROTECTED]
Re: [FWD] SSL communication error due to SSL alert 40
Hello, We are trying to communicate using https with an airline whose server ip is 57.60.20.77 wherein the ssl handshake fails stating SSL alert number 40. We have created an self signed certificate and implemented in both sides. Having googled found that it is failing to negotiate due to security parameters. Please suggest as to what the error exactly refers to and what could be the possible solution to rectify the same. Thanks in advance. openssl version - OpenSSL 0.9.8a 11 Oct 2005 Operating System Version-SUSE Linux 10 (Linux 2.6.16.46-0.12-bigsmp #1 SMP Thu May 17 14:00:09 UTC 2007 i686 i686 i386 GNU/Linux) openssl s_client -connect 57.60.20.77:443 -state -msg -ssl3 CONNECTED(0003) SSL_connect:before/connect initialization SSL 3.0 Handshake [length 005f], ClientHello 01 00 00 5b 03 00 47 9f 15 d6 4e 52 41 63 4a 95 47 d3 81 09 76 b3 d1 de 9e e1 0d e4 5f 6b fe ef 8a a7 68 39 96 6d 00 00 34 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03 01 00 SSL_connect:SSLv3 write client hello A SSL 3.0 Handshake [length 003a], ServerHello 02 00 00 36 03 00 47 9f 05 8a 13 66 43 7d a4 c7 27 b0 16 c4 61 8b 95 1e 23 60 71 61 5e ea 6d 69 25 64 c1 e1 2b 75 10 7e 43 61 a4 45 5f c1 ec 88 3d 6f bf 67 d9 db 53 00 04 00 SSL_connect:SSLv3 read server hello A SSL 3.0 Handshake [length 025a], Certificate 0b 00 02 56 00 02 53 00 02 50 30 82 02 4c 30 82 01 b5 02 04 46 2f 69 1c 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 6d 31 0b 30 09 06 03 55 04 06 13 02 53 47 31 0b 30 09 06 03 55 04 08 13 02 53 47 31 09 30 07 06 03 55 04 07 13 00 31 0b 30 09 06 03 55 04 0a 13 02 53 51 31 0b 30 09 06 03 55 04 0b 13 02 53 51 31 2c 30 2a 06 03 55 04 03 13 23 77 65 62 73 65 72 76 69 63 65 64 65 76 2e 73 69 61 2e 73 74 61 72 2d 61 6c 6c 69 61 6e 63 65 2e 6e 65 74 30 1e 17 0d 30 37 30 34 32 35 31 34 34 33 34 30 5a 17 0d 31 32 30 34 32 33 31 34 34 33 34 30 5a 30 6d 31 0b 30 09 06 03 55 04 06 13 02 53 47 31 0b 30 09 06 03 55 04 08 13 02 53 47 31 09 30 07 06 03 55 04 07 13 00 31 0b 30 09 06 03 55 04 0a 13 02 53 51 31 0b 30 09 06 03 55 04 0b 13 02 53 51 31 2c 30 2a 06 03 55 04 03 13 23 77 65 62 73 65 72 76 69 63 65 64 65 76 2e 73 69 61 2e 73 74 61 72 2d 61 6c 6c 69 61 6e 63 65 2e 6e 65 74 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 c0 84 47 70 b7 e7 52 55 83 5c 86 45 77 14 0d 69 2b 75 24 64 47 54 88 f3 dd a5 12 a5 dd c8 f0 68 da 6d 47 35 54 62 85 06 56 a8 ad 26 17 92 a1 66 f5 94 38 40 96 46 90 1b 95 71 4e 83 6a cb 2f 4b 78 86 77 ff 2d 2c ee d0 29 54 26 65 21 d3 e5 5d 86 46 8b d3 fc 8b 37 10 f9 77 eb 54 91 91 a5 7d 70 10 f6 97 e6 70 6c f6 e2 20 c3 da 34 1f 14 02 93 5d 3b b1 6e 58 7c b4 af a1 a8 cc 51 56 37 bb 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 81 81 00 0c e5 11 10 5b d0 7c a7 8c 41 4f ed 9d ed ce 28 97 40 6e cb 34 be 65 88 df cf 5f e4 92 e0 2e 05 7b c3 35 68 3f f8 19 37 d2 42 58 68 97 76 6b ce a3 f5 ab f4 ad 26 3c c1 74 77 96 ff 1d 7c b8 83 14 92 a5 26 35 0a 91 d9 ac bb 47 60 ab 5b 51 e0 f8 06 c5 64 41 88 a3 0e a1 ac b2 47 cb a7 33 af 2a 4a 05 0e 57 b2 a3 0b 7f 19 9a 85 f6 85 8e 0f 79 e0 e9 cb f9 65 f2 52 7e 04 36 b0 8d a0 0c 03 depth=0 /C=SG/ST=SG/L=/O=SQ/OU=SQ/CN=webservicedev.sia.star-alliance.net verify error:num=18:self signed certificate verify return:1 depth=0 /C=SG/ST=SG/L=/O=SQ/OU=SQ/CN=webservicedev.sia.star-alliance.net verify return:1 SSL_connect:SSLv3 read server certificate A SSL 3.0 Handshake [length 012c], CertificateRequest 0d 00 01 28 03 01 02 05 01 22 00 4a 30 48 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0a 13 0c 73 74 61 72 61 6c 6c 69 61 6e 63 65 31 22 30 20 06 03 55 04 03 13 19 73 68 74 77 73 73 30 31 2e 73 74 61 72 61 6c 6c 69 61 6e 63 65 2e 63 6f 6d 00 43 30 41 31 0d 30 0b 06 03 55 04 0a 13 04 53 74 61 72 31 1b 30 19 06 03 55 04 0b 13 12 54 65 63 68 6e 69 63 61 6c 52 65 73 6f 75 72 63 65 73 31 13 30 11 06 03 55 04 03 13 0a 53 74 61 72 54 65 73 74 43 41 00 4a 30 48 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 15 30 13 06 03 55 04 0a 13 0c 73 74 61 72 61 6c 6c 69 61 6e 63 65 31 22 30 20 06 03 55 04 03 13 19 73 68 74 77 73 73 30 31 2e 73 74 61 72 61 6c 6c 69 61 6e 63 65 2e 63 6f 6d 00 43 30 41 31 0d 30 0b 06 03 55 04 0a 13 04 53 74 61 72 31 1b 30 19 06 03 55 04 0b 13 12 54 65 63 68 6e 69 63 61 6c 52 65 73 6f 75 72 63 65 73 31 13 30 11 06 03 55 04 03 13 0a 53 74 61 72 54 65 73 74 43 41 SSL_connect:SSLv3 read server certificate request A SSL 3.0 Handshake [length 0004], ServerHelloDone 0e 00 00 00 SSL_connect:SSLv3 read server done A SSL 3.0 Alert