Re: Linux Openssl, Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '
On Sat, Jul 7, 2012 at 9:14 AM, Giuseppe Barbieri elec...@gmail.com wrote:
> I am using OpenSSL for a cuda project. I just imported all the project from win to linux (Eclipse). I solved all the dependencies except this annoying error:
>
>     Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '
>
> for this line:
>
>     BN_set_word(two, 2);
>
> and the function itself says in the bn.h
>
>     int BN_set_word(BIGNUM *a, BN_ULONG w);
>
> where BN_ULONG is defined as:
>
>     #define BN_ULONG unsigned long
>
> Nor does it work if I do something like
>
>     unsigned long q = 2;
>     BN_set_word(two, q);
>
> because it returns
>
>     Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '
>
> or
>
>     BN_ULONG q = 2;
>     BN_set_word(two, q);
>
> that gives
>
>     Type 'BN_ULONG' could not be resolved
>
> What is the problem?

Try casting 2 to BN_ULONG. I think it's an int by C/C++ rules:

    BN_set_word(two, (BN_ULONG)2);

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Sign public key without having CSR or private key?
On Sat, Jul 7, 2012 at 2:27 PM, pro...@secure-mail.biz wrote:
> Hello,
>
> is it possible to sign a foreign SSL public key without having the CSR/private key?
>
> Background: Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd like to pin an SSL certificate from a website I have no control over. (Therefore I have no access to the private key and can subsequently also not create a CSR.) Pin the SSL cert by using a local self-signed CA.

Don't forget MD5 signatures and the nuances of Flame (chosen collision attack, Microsoft's profile, and lack of key usage enforcement). Also, other infrastructure problems, such as DNS, are remediated.

You pin a certificate by whitelisting expected server certificates (possibly thumbprints). There's usually no need to sign another's key or certificate (I've never done it that way, and never seen it done that way).

Jeff
Re: Re: Sign public key without having CSR or private key?
On Sat, Jul 7, 2012 at 4:02 PM, pro...@secure-mail.biz wrote:
> noloa...@gmail.com wrote:
>> You pin a certificate by whitelisting expected server certificates (possibly thumbprints).
>
> How to do that?

My bad. You usually do it pragmatically in an On Connect callback or delegate. I don't have any OpenSSL code handy, but below is some .Net/C# code. Cocoa/CocoaTouch and Objective C would do it in NSURLConnection and the NSURLConnectionDelegate (https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html); and you would do it in Android with HttpsURLConnection and X509TrustManager (http://stackoverflow.com/questions/11337726/android-httpsurlconnection-and-pinset-example).

    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    class PinningExample
    {
        public static void Main(string[] args)
        {
            // Install the callback before any request is made
            ServicePointManager.ServerCertificateValidationCallback = PinCertificate;

            // C1956DC8A7DFB2A5A56934DA09778E3A11023358
            // WebRequest wr = WebRequest.Create("https://www.google.com/");

            // 8FC079E814777F688BA4C807D9BD67D62AF71AEB
            WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
            wr.GetResponse();
        }

        public static bool PinCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            if (certificate == null) return false;
            if (chain == null) return false;

            // GetCertHash() is the SHA1 hash of the DER-encoded certificate
            byte[] cb = certificate.GetCertHash();
            StringBuilder sb = new StringBuilder(cb.Length * 2);
            foreach (byte b in cb)
                sb.AppendFormat("{0:X2}", b);

            // Verify against known SHA1 thumb print of the certificate
            String hash = sb.ToString();
            if (hash != "C1956DC8A7DFB2A5A56934DA09778E3A11023358")
                return false;

            return true;
        }
    }

>> There's usually no need to sign another's key or certificate (I've never done it that way, and never seen it done that way).
>
> A little more background... Stories like the diginotar compromise [1] may happen again, anytime.

Yes, agreed. I have no love or trust for the public CA hierarchy, and I am still pissed off about what happened to the folks in Iran who were probably tortured and killed due to Diginotar's failure.

> I am developing an anonymous operating system [2]. We use wget to download Tor Browser from torproject.org and to access check.torproject.org. (Not available over secure apt.) Wget does offer ca pinning, but does not support certificate pinning [3].

Unfortunately, I'm not familiar with wget (other than executing what I'm told).

> So my original question was how do I get wget to verify the torproject.org fingerprint [4] without depending on root CAs? The only possible solution I saw was downloading the torproject.org SSL public key, run a local CA, sign the certificate and run wget with the --ca-certificate switch. That's why I posted the question "Sign public key without having CSR or private key?" here. If there are any suggestions for this situation I am all ears.

Perhaps wget needs to be modified so that it allows you to supply expected thumbprints of a server's certificate.

Jeff
Re: Re: Sign public key without having CSR or private key?
On Sat, Jul 7, 2012 at 4:02 PM, pro...@secure-mail.biz wrote:
> noloa...@gmail.com wrote:
>> You pin a certificate by whitelisting expected server certificates (possibly thumbprints).
> [SNIP]
> So my original question was how do I get wget to verify the torproject.org fingerprint [4] without depending on root CAs? The only possible solution I saw was downloading the torproject.org SSL public key, run a local CA, sign the certificate and run wget with the --ca-certificate switch. That's why I posted the question "Sign public key without having CSR or private key?". If there are any suggestions for this situation I am all ears.

Come to think of it, you could use OpenSSL's s_client to do the pinning, and then use wget if everything is OK. It does set up a small breeding ground for a TOCTOU (http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf), but I believe the risk is small.

Jeff
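Jeff's "pin in the connect callback" advice and the s_client-then-wget two-step, as an added Python example that is not code from the thread: the thumbprint check (SHA-1 as in the C# code, SHA-256 as well) runs on the same TLS connection that then performs the GET, so the certificate that is checked is the one the bytes arrive under. The pin values and function names are constructed for illustration.

```python
"""Certificate pinning inside the TLS connection (added example, not from the thread)."""
import hashlib
import hmac
import socket
import ssl

# Pin set: hex digests of the server's DER-encoded end-entity certificate
# (the thread's C# code pins the SHA-1 "thumbprint"; SHA-256 is listed too).
# These values are constructed placeholders, not real thumbprints.
CONSTRUCTED_PINS = {
    "sha1": {"0000000000000000000000000000000000000000"},
    "sha256": {"00" * 32},
}


class PinMismatch(Exception):
    """Raised when the presented certificate matches none of the pins."""


def normalize_fingerprint(text):
    """Accept 'SHA1 Fingerprint=AB:CD:..' (openssl x509 output) or bare hex."""
    if "=" in text:
        text = text.split("=", 1)[1]
    return text.replace(":", "").replace(" ", "").strip().upper()


def thumbprint(der, algo="sha1"):
    """Hex digest of the whole DER certificate, as GetCertHash() computes it."""
    return hashlib.new(algo, der).hexdigest().upper()


def pin_ok(der, pins):
    """True if any pinned digest matches; compared in constant time."""
    for algo, expected_set in pins.items():
        actual = thumbprint(der, algo)
        for expected in expected_set:
            if hmac.compare_digest(actual, normalize_fingerprint(expected)):
                return True
    return False


def fetch_pinned(host, pins, path="/", port=443, trust_cas=True, timeout=10):
    """Handshake, check the pin, then issue the GET on the same socket.

    trust_cas=False drops the root-CA chain and hostname checks (the thread's
    case: trust the pin alone), so the pin check is the only check left.
    """
    ctx = ssl.create_default_context()
    if not trust_cas:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # binary_form=True returns the DER certificate even with CERT_NONE
            der = tls.getpeercert(binary_form=True)
            if not pin_ok(der, pins):
                raise PinMismatch("%s presented %s" % (host, thumbprint(der)))
            request = "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
            tls.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)
```

Because the check and the download share one connection, there is no window between them for a different certificate to be presented, which is the TOCTOU the two-tool approach leaves open.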
Re: Sign public key without having CSR or private key?
On Sat, Jul 7, 2012 at 2:27 PM, pro...@secure-mail.biz wrote:
> Hello,
>
> is it possible to sign a foreign SSL public key without having the CSR/private key?
>
> Background: Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd like to pin an SSL certificate from a website I have no control over. (Therefore I have no access to the private key and can subsequently also not create a CSR.) Pin the SSL cert by using a local self-signed CA.

Sorry to dig up an old topic. From "Hacker Bypasses Apple's iOS In-App Purchases", http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-purchases.html:

    "Essentially, this circumvention technique relies on installing certificates for a fake in-app purchase server as well as a custom DNS server," writes ZDNet's Emil Protalinski. "The latter's IP address is then mapped to the former, which in turn allows all 'purchases' to go through."

PKI and DNS are complicit here, also. I'm not sure if Apple exposes any pinning functionality in their StoreKit API.

Jeff
Re: FIPS: Incore fingerprint check fails on Android?
On Wed, Jul 18, 2012 at 11:15 AM, Aunt Jomamma aunt.joma...@yahoo.com wrote:
> Sorry if this is a duplicate, but I had an issue with the mailer, and not sure if this went...
>
> I have successfully built openssl-fips-2.0 + openssl-1.0.1c for Android using ndk-r8. I am doing a cross-compile on Mac OSX. However, I cannot pass FIPS_mode_set(1). I get the following error:
>
>     FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
>
> I am using the incore script provided from openssl-fips-2.0/util/incore. My setup is as follows:
>
>     # Edit this to wherever you unpacked the NDK
>     export ANDROID_NDK=/home/android-ndk-r8
>     # Edit to wherever you put incore script
>     export FIPS_SIG=$PWD/openssl-fips-2.0/util/incore
>     PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin:$PATH; export PATH
>     export MACHINE=armv7l
>     export RELEASE=2.6.32.GMU
>     export SYSTEM=android
>     export ARCH=arm
>     export CROSS_COMPILE=arm-linux-androideabi-
>     export ANDROID_DEV=$ANDROID_NDK/platforms/android-14/arch-arm/usr
>     export HOSTCC=gcc
>
> Any ideas why I cannot pass incore fingerprint validation? Do I need anything special wrt incore on cross-compile?

What Android OS is being used on the device? Android 4.1 recently achieved full ASLR. ASLR might be the problem since randomizing shared objects and program load addresses is diametrically opposed to the FIPS check.

A thread on recent platform security changes can be found at http://groups.google.com/group/android-security-discuss/browse_thread/thread/d585aa8062964673.

Jeff
Re: FIPS: Incore fingerprint check fails on Android?
On Wed, Jul 18, 2012 at 3:24 PM, AJ aunt.joma...@yahoo.com wrote:
> I'm running on 4.0.4 and 2.3.4, with the same results on both.

Android 4.0 got most of ASLR in place (Android 4.1 finished the randomization and fixed a kernel mis-configuration): http://source.android.com/tech/security/index.html#memory-management-security-enhancements and https://blog.duosecurity.com/2012/02/a-look-at-aslr-in-android-ice-cream-sandwich-4-0/.

I suspect ASLR is giving you problems (presuming OpenSSL is working as intended). What load address did fipsld use? What address is the executable being loaded at?

Jeff
FIPS Startup Code and Random Number Generator
Hi All,

I was asked the details of OpenSSL's FIPS generator. Looking at fips.{h|c} and fips_rand.{h|c} from OpenSSL's 1.0.x, I see it's still X9.31 using AES (I believe TDEA was used in the past).

What I can't seem to follow is how `static FIPS_PRNG_CTX sctx` is initialized, so I can't tell if it's AES128/AES192/AES256. Following fips_rand_prng_reset, it appears to be called by FIPS_x931_reset. But neither initializes the static `FIPS_PRNG_CTX sctx` structure, so I can't see the parameters for the structure's `AES_KEY ks;`.

From a higher level, I also can't see where functions from fips.{h|c} initialize the generator, including fips_set_mode and FIPS_module_mode.

Could anyone point out what I seem to be missing?

Jeff
Re: create certificate request programmatically using OpenSSL API
On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo xidex...@yahoo.com wrote:
> Hi all!
>
> The last problem is how to create a GOST key pair for a certificate. It is clear how to create RSA keys. Sample is here: http://www.openssl.org/docs/crypto/EVP_PKEY_keygen.html
>
>     #include <openssl/evp.h>
>     #include <openssl/rsa.h>
>
>     EVP_PKEY_CTX *ctx;
>     EVP_PKEY *pkey = NULL;
>     ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
>     if (!ctx)
>         /* Error occurred */
>     if (EVP_PKEY_keygen_init(ctx) <= 0)
>         /* Error */
>     if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
>         /* Error */
>
>     /* Generate key */
>     if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
>         /* Error */
>
> Unfortunately there is no EVP_PKEY_GOST constant and I can't create an EVP_PKEY containing a GOST key pair. Does anybody know how to create a GOST key pair?

GOST is a block cipher. It uses a symmetric key, not public/private keys.

Jeff
Re: Padding check failed and program crash with SIGABRT.
On Sat, Jul 28, 2012 at 6:12 PM, Tayade, Nilesh nilesh.tay...@netscout.com wrote:
> Hi,
>
> I have developed a utility to decrypt the packets coming on the wire. I take the server private key and go on decrypting packets which are received through the .pcap file. But the utility is crashing in decrypting a trace file (Please see the snapshot attached. Terminal didn't allow me to copy/paste, so the screen shot). It receives SIGABRT. I have compiled a debug version of the openssl-1.0.0g libraries and received this back trace. I see that the error it is trying to give is related to padding check failure.
>
> 1. How to decide the padding? By default I keep it to RSA_PKCS1_PADDING always in RSA_private_decrypt().
> 2. Is there no graceful way to give such an error than crashing?
> 3. What could be the cause of padding check failed? On searching, I found some discussions mentioning key-certificate mismatch. But in my case it decrypts a few of the initial packets.

Somewhat related: you should be using OAEP, not PKCS1 padding. Matt Green has a nice write-up at http://blog.cryptographyengineering.com/2012/06/bad-couple-of-years-for-cryptographic.html.

Jeff
Re: [openssl-users] Re: create certificate request programmatically using OpenSSL API
On Mon, Jul 30, 2012 at 5:15 AM, Erwann Abalea erwann.aba...@keynectis.com wrote:
> GOST is not a block cipher, it's the acronym for GOsudarstvennyi STandard, which means State Standard. It's not dedicated to cryptography.

My apologies. I thought you were referring to the GOST block cipher. (I've never used it, but knew it's been part of Crypto++ for some time: http://www.cryptopp.com/docs/ref/class_g_o_s_t.html).

Jeff
Re: suite B crypto in what version?
Hi Doctor Henson,

On Mon, Aug 6, 2012 at 11:33 AM, Dr. Stephen Henson st...@openssl.org wrote:
> On Mon, Aug 06, 2012, Jakob Bohm wrote:
>> Much (maybe all, I don't know) of suite B is probably in OpenSSL 1.0.1 too, but I don't have an algorithm by algorithm breakdown of inclusion status; others on this list probably have such a list.
>
> All the required suite B algorithms are supported in OpenSSL 1.0.1. Some of the suite B standards (e.g. RFC 6460) include additional requirements which aren't currently enforced by OpenSSL.

Out of curiosity, what is OpenSSL using in place of MQV? A hardened version (HMQV or FHMQV)? Or is it specified in one of the other documents?

Jeff
Re: Size of ephemeral DH keys
On Tue, Aug 14, 2012 at 12:23 PM, no_spam...@yahoo.com wrote:
> Is there a correlation between the strength (size) of the asymmetric keys used to do the authentication and the strength (size) of the ephemeral DH keys generated/used to protect the session key (during the key exchange)?

Yes, there is.

> On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() function is only ever passed keylength == [512, 1024] - the result of the SSL_C_EXPORT_PKEYLENGTH() macro. And a DH key of length 1024 bits is roughly equivalent to an 80-bit symmetric key. It seems strange that it would be using an 80-bit key to protect the exchange of a 128- or 256-bit symmetric session key.

That's a classic Security Level mismatch.

> I'm probably missing something in the OpenSSL implementation. The documentation for SSL_CTX_set_tmp_dh_callback() says that the tmp_dh_callback is called with the keylength needed... But surely this can't be only 512 or 1024...? Is it up to the application to decide to use a larger key size based on the information from the SSL structure passed in?

No, OpenSSL is doing things per the standards. The standards are the problem here.

> More generally, is there a standard that defines, or set of best practices that recommends, the strength of ephemeral DH keys based on the cipher suite, strength (size) of the keys used for authentication, etc.?

Yes, FIPS, ECRYPT, NESSIE, etc:

* SP800-57, Part 1, Recommendation for Key Management, Section 5.6.1
* SP 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths
* ECRYPT2 Yearly Report on Algorithms and Keysizes (2010)

Also see http://www.cryptopp.com/wiki/Security_Level.

Jeff
Re: Size of ephemeral DH keys
On Tue, Aug 14, 2012 at 3:00 PM, no_spam...@yahoo.com wrote:
> Thank you for the information and links.
>
> [stuff deleted]
>
>>> I'm probably missing something in the OpenSSL implementation. The documentation for SSL_CTX_set_tmp_dh_callback() says that the tmp_dh_callback is called with the keylength needed... But surely this can't be only 512 or 1024...? Is it up to the application to decide to use a larger key size based on the information from the SSL structure passed in?
>>
>> No, OpenSSL is doing things per the standards. The standards are the problem here.
>
> I don't understand this comment. Are you suggesting that my application ONLY use what OpenSSL supplies as the value of the keylength parameter? And NOT use larger-than-1024-bit DH key sizes? Don't the standards and/or research suggest that larger key sizes SHOULD be used when appropriate?

The standards are sufficiently vague, and often [mildly] offend all parties. "OAuth 2.0 editor resigns and takes name off spec", http://www.h-online.com/open/news/item/OAuth-2-0-editor-resigns-and-takes-name-off-spec-1654984.html.

> I guess what I'm asking is: what is the proper method for using larger ephemeral DH key sizes in OpenSSL?

Ah, my bad. I'm not sure how to configure it on the client or the server.

> What I'm envisioning is something like the following: if the cipher suite and authentication key size info contained in the SSL structure require something stronger than 1024-bit ephemeral DH keys, use something bigger. And perhaps have an application override that can force the tmp_dh_callback to use 1024-bit for backwards compatibility. Does this make any sense?

Yes.

> Or is the right answer not to use ephemeral DH cipher suites? The trade off being the lack of PFS for a more consistent security level.

No, DHE is good since it ensures forward secrecy.

Jeff
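The Security Level mismatch from the previous message and the tmp_dh_callback sizing envisioned in this one, as an added Python example that is not code from the thread or from OpenSSL: it tabulates the SP 800-57 Part 1 (Table 2) equivalences between modulus size and symmetric strength, reports which component caps a DHE suite, and picks an ephemeral DH size for a given cipher. The function names are mine.

```python
"""Security-level bookkeeping for a DHE suite (added example, not from the thread)."""

# NIST SP 800-57 Part 1, Table 2: symmetric-equivalent strength (bits) of
# finite-field (DH/DSA) and integer-factoring (RSA) modulus sizes.
MODULUS_STRENGTH = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]


def modulus_strength(bits):
    """Security level of an RSA or DH modulus; 0 if below the smallest table row."""
    level = 0
    for modulus, strength in MODULUS_STRENGTH:
        if bits >= modulus:
            level = strength
    return level


def modulus_for_strength(target):
    """Smallest tabulated modulus that reaches the target security level."""
    for modulus, strength in MODULUS_STRENGTH:
        if strength >= target:
            return modulus
    raise ValueError("no tabulated modulus reaches %d bits" % target)


def suite_security_level(cipher_bits, auth_key_bits, dh_bits):
    """Effective level of a DHE suite and the component that sets it.

    The suite is only as strong as its weakest part: the symmetric cipher,
    the RSA/DSA key authenticating the handshake, or the ephemeral DH group
    protecting the session key.
    """
    parts = {
        "cipher": cipher_bits,
        "auth": modulus_strength(auth_key_bits),
        "dh": modulus_strength(dh_bits),
    }
    weakest = min(parts, key=parts.get)
    return parts[weakest], weakest


def choose_tmp_dh_bits(cipher_bits, keylength_hint, force_1024=False):
    """Size the ephemeral DH group the way the thread envisions tmp_dh_callback.

    keylength_hint is the value OpenSSL passes (512 or 1024 in the 1.0.x server
    code); the group is widened until its strength matches the cipher it
    protects, unless the application forces 1024 for backwards compatibility.
    """
    if force_1024:
        return 1024
    return max(keylength_hint, modulus_for_strength(cipher_bits))


def check_suite(cipher_bits, auth_key_bits, dh_bits):
    """Describe a mismatch, e.g. AES-128 keyed through a 1024-bit DH exchange."""
    level, weakest = suite_security_level(cipher_bits, auth_key_bits, dh_bits)
    if level < cipher_bits:
        return "mismatch: %s limits the suite to %d bits, cipher offers %d" % (
            weakest, level, cipher_bits)
    return "ok: %d-bit security level" % level


if __name__ == "__main__":
    # AES-128 suite, RSA-2048 certificate, the 1024-bit group OpenSSL asks for.
    print(check_suite(128, 2048, 1024))
    print("tmp_dh should use", choose_tmp_dh_bits(128, 1024), "bits")
```

The 15360-bit answer for a 256-bit cipher shows why finite-field DH stops scaling at the top of the table.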
Re: openssl bug database?
On Fri, Aug 17, 2012 at 5:19 PM, Cassie Helms cassie.he...@hp.com wrote:
> Actually, my real question was, where can I see a list of bugs that are already reported for openssl, so I can anticipate certain openssl functions failing? I wish I could contribute more to the source by reporting bugs, but I have so many of my own already... and would like to be able to see where they are going to happen next, if that's possible.

http://lmgtfy.com/?q=openssl+bug+report
Re: Compiling for debug
On Mon, Aug 20, 2012 at 4:54 PM, Ken Goldman kgold...@us.ibm.com wrote:
> I'm trying to compile openssl for: Linux, 32-bit on a 64-bit machine, shared libraries, and debug. The closest I found was:
>
>     ./Configure linux-elf -m32 -shared -g
>
> but this still does -O3, and the optimizer doesn't work well with the source level debugger. Any clues for changing -O3 to -O0?

For debug builds, you will likely want -g3 -ggdb -O0. You should also define -DDEBUG=1 (and make sure -DNDEBUG=1 is *not* defined).

-g3 provides maximum debugging information. For example, symbolic constants through #define's will be available.

-ggdb provides gdb extensions. I don't believe there are any at the moment, but I got into the habit of using it (in case they show up in the future).

NDEBUG is Posix C and used for Release builds, so it should be undefined. Some libraries/implementations sneak in additional code when DEBUG is defined, so I define it.

Sorry about not answering your original question :(

Jeff
Re: OpenSSL on beagleboard
On Thu, Aug 23, 2012 at 9:06 PM, Paulo Roberto bad_boy_...@hotmail.com wrote:
> Hello,
>
> I am using the package libssl-dev on ubuntu in my beagleboard xm, and I have to run two C algorithms using the openSSL library. Although I can't compile using the command:
>
>     gcc test.c -lssl -o test
>
> It seems the compiler isn't recognizing the -lssl command. Does someone know how to solve this? Do I have to set some path, or something like that?

You specify linker commands (such as libraries) at the very end of the compiler driver command. From the g++ man pages (around line 25): "...the placement of the -l option is significant."

    gcc test.c -o test -lssl

You might also want to add -Wl,-Bstatic unless you want to do the shared object thing.

Jeff
OT: Microsoft Security Advisory: Update for minimum certificate key length
This is somewhat off topic, and I apologize for the noise. I imagine it could cause interop problems on occasion.

http://support.microsoft.com/kb/2661254

    ...
    The strength of public-key-based cryptographic algorithms is determined by the time that it takes to derive the private key by using brute-force methods. The algorithm is considered to be strong enough when the time that it takes to derive private key is prohibitive enough by using the computing power at disposal. The threat landscape continues to evolve. Therefore, Microsoft is further hardening the criteria for the RSA algorithm with key lengths that are less than 1024 bits long.

    After the update is applied, only certificate chains that are built by using the CertGetCertificateChain function are affected. The CryptoAPI builds a certificate trust chain and validates that chain by using time validity, certificate revocation, and certificate policies (such as intended purposes). The update implements an additional check to make sure that no certificate in the chain has an RSA key length of less than 1024 bits.
    ...
NIST Selects Winner of Secure Hash Algorithm (SHA-3) Competition
http://www.nist.gov/itl/csd/sha-100212.cfm

    The National Institute of Standards and Technology (NIST) today announced the winner of its five-year competition to select a new cryptographic hash algorithm, one of the fundamental tools of modern information security.

    The winning algorithm, Keccak (pronounced "catch-ack"), was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. The team's entry beat out 63 other submissions that NIST received after its open call for candidate algorithms in 2007, when it was thought that SHA-2, the standard secure hash algorithm, might be threatened. Keccak will now become NIST's SHA-3 hash algorithm.
    ...
Re: seed/$RANDFILE confusion
On Fri, Oct 5, 2012 at 6:42 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> On 10/5/2012 9:54 AM, int0...@safe-mail.net wrote:
>>> On computers that don't have a good /dev/*random, the randomness used by OpenSSL comes only from things happening on the computer during the few moments when the openssl tool is running. To gather up more randomness, the openssl tool tries to accumulate randomness over multiple runs as follows:
>>>
>>> 1. At the end of each run that used the random number generator, write a file of random bits (computed so they have a lot of entropy but do not reveal any of the random numbers already generated).
>>> 2. At the start of each such run, read in that file and use it as an initial pool of random bits to be mixed with any random system activity observed during the run.
>>
>> Thanks for the explanation, that clarified things! How does the OpenSSL tool know if /dev/{random,urandom} is good?
>
> Basically it is a compile time decision. The code assumes that there is a usable /dev/*random with a specific name (such as /dev/random) when compiled for certain operating systems and that there is not on others.
>
>>> So the seed written to ${HOME}/.rnd is supposed to stay around until the next time you run the openssl tool, and reveals very little about keys you already created. But it may reveal something about the next key you create, which is why the file is/should be written with permissions so only you can read it.
>>
>> I saw some people getting their randomness from /dev/random via dd if=/dev/random of=/root/.rnd... and using the -rand parameter to give the seed to openssl. If I got you right, that is a redundant step, since OpenSSL takes its randomness from /dev/random as well. Using -rand would only be necessary if one has a hardware random number generator (for example). Is that right?
>
> If the OpenSSL version they used assumed that /dev/random was not working on that platform, then this step is an elegant workaround.
>
>> So my to go would be: Set $RANDFILE to /root/.rnd and leave it up to openssl to use the file, without filling it myself. I only need to make sure the permissions are set correctly. Is that right?
>
> Setting it to ${HOME}/.rnd would be better as it would work for non-root users.
>
> Now why OpenSSL keeps doing this on platforms with a good OS random source (such as non-historic Linux versions, some BSDs, recent Solaris versions, non-historic Windows versions) is a mystery to me. Can someone else bring some light into this?

Also be careful of virtual environments, especially if the platform does not have drivers to push seeds to the VM through a mechanism such as virtio_rng. I seem to recall Debian or Ubuntu did not have a driver out of the box (or had a misconfigured driver).

I think the short of it is an application should take a defensive position and try to acquire seed material from the following (for seeding an approved, in-app generator):

* random
* urandom
* virtio_rng
* hw_random

I'm only aware of two papers on the subject (perhaps there are more now). The proposed solution was using the network to acquire additional entropy through a remote host's public key and SSL/TLS algorithm parameters (IIRC).

Jeff
Re: Best practice for client cert name checking
On Sat, Oct 6, 2012 at 9:52 AM, Charles Mills charl...@mcn.org wrote:
> I have recently written a product that incorporates SSL/TLS server code that processes client certificates. I designed what I thought made sense at the time but now I am wondering if what I did was best.
>
> In the product's configuration file the sysadmin may optionally include a whitelist of client names. If the sysadmin does so, then the server requests a client certificate. At least one of the names (subject O= and Alternative names, including wildcards) in the certificate must match one of the names in the whitelist or I reject the session.
>
> Something I saw recently got me to wondering whether I should have made some sort of provision for checking IP addresses: perhaps verifying that the client IP address appeared in the Alternative names in the client certificate as well as in the whitelist? Or perhaps that the IP address matched an alternative name and the subject name appeared in the whitelist?

You have a pre-existing relationship. There is no need to confer trust to a third party (the CAs). There's no need to use naming and location services (DNS) since it's a weak assurance at best.

To improve the security posture, pin the certificate or public keys. Because the relationship already exists, you already know what the public keys are. No need to trust a third party, no need to depend upon DNS, no need to tolerate other infrastructure failures.

Problems with PKI in general: www.cs.auckland.ac.nz/~pgut001/pubs/pkitutorial.pdf
History of PKI and CA failures: http://wiki.cacert.org/Risk/History
Reasons to Pin in mobile: http://lists.owasp.org/pipermail/owasp-mobile-security-project/2012-August/000345.html

Google also pins their public keys on the desktop. It's the reason Chrome did not suffer Diginotar's failure.

Jeff
Re: Best practice for client cert name checking
On Sat, Oct 6, 2012 at 5:41 PM, Charles Mills charl...@mcn.org wrote:
> Thanks. I'm a relative newbie to this whole topic. Can you point me to a resource that describes "pin" in the sense you use it below? The word is too common for the Google to be much help.

If you are using RSA, then the public key is {e,n}. When a client connects to a server, the client ensures the {e,n} in the server's certificate is expected. You can usually find it at certificate[0]. In essence, you have whitelisted the {e,n} pair for the host in question.

If using ECC, you have two items to verify: the [public] point and domain parameters. For prime fields, the public key is the point Q (or (qx, qy)), and the domain parameters are {p, a, b, G, n, h} (G is a base point and sometimes denoted as a (gx, gy) pair). Again, it's a whitelist of expected values for the host.

If you are using ephemeral key exchanges, then certificate[0] will be a temporary, throw-away key. Ephemeral is good because it provides forward secrecy. In this case, the server's certificate/public key is used for authentication, and the public key of interest can be found at certificate[1]. certificate[1] must sign certificate[0] (some hand waving since certificates can't sign one another).

Jeff
Re: Best practice for client cert name checking
On Mon, Oct 8, 2012 at 9:25 AM, Mark H. Wood mw...@iupui.edu wrote:
> On Mon, Oct 08, 2012 at 07:42:04AM +, Marco Molteni (mmolteni) wrote:
>> Try searching for "certificate pinning". If you are familiar with ssh, it is the same concept as the StrictHostKeyChecking option (although obviously SSH and TLS are completely distinct protocols and by default SSH doesn't use X.509 certs).
>>
>> The idea is: with a standard TLS connection, acting as a TLS client, you connect to a host for the first time and you receive its certificate. The standard TLS verifications are successful (meaning: the certificate really belongs to the host and it has been issued by a CA you trust). When the connection is closed, a normal TLS client will forget the certificate. On the other hand, certificate pinning remembers the certificate. Pinning means storing such a certificate locally and associating it with the hostname you connected to. If the next time you connect the certificate has changed, a system supporting certificate pinning will warn you.
>>
>> I believe this is what the Certificate Patrol plugin for Firefox is doing, if you want to see it in action.

This plug-in pins certificates (not public keys), and creates a lot of spurious noise on some sites (for example, Google and Gmail). It desensitizes the user. I've been running experiments on Google and Gmail for the last couple of years.

If you are pinning for those sites, you definitely want to pin public keys.

Jeff
Re: Best practice for client cert name checking
On Mon, Oct 8, 2012 at 3:49 PM, Charles Mills charl...@mcn.org wrote:
> Aren't you talking here about the client's validation of the server's credentials? That's useful information, but my question was about server validation of client certificates ...

It cuts both ways. Both the client and server can perform the additional validations.

Jeff

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Monday, October 08, 2012 11:13 AM
> To: OpenSSL Users List
> Subject: Re: Best practice for client cert name checking
>
> [quoted text identical to the preceding message in this thread (Jeffrey Walton's reply of Oct 8, 2012, quoting Mark H. Wood and Marco Molteni on certificate pinning and Certificate Patrol) omitted]
BN_clear_free and BN_CTX_free deprecated?
Hi All,

I'm revisiting some code I wrote a few years ago. During compilation on a MacBook, I got a number of warnings due to deprecation:

SRPCommon.cpp: In destructor ‘virtual BigNumCleanup::~BigNumCleanup()’:
SRPCommon.cpp:52: warning: ‘BN_clear_free’ is deprecated (declared at /usr/include/openssl/bn.h:419)
SRPCommon.cpp:52: warning: ‘BN_clear_free’ is deprecated (declared at /usr/include/openssl/bn.h:419)
SRPCommon.cpp: In destructor ‘virtual BigNumCtxCleanup::~BigNumCtxCleanup()’:
SRPCommon.cpp:66: warning: ‘BN_CTX_free’ is deprecated (declared at /usr/include/openssl/bn.h:407)
SRPCommon.cpp:66: warning: ‘BN_CTX_free’ is deprecated (declared at /usr/include/openssl/bn.h:407)

Has OpenSSL deprecated these functions? I don't see it mentioned in the documents (http://www.openssl.org/docs/crypto/BN_new.html). Or is this more crap from Cupertino?

Jeff
Re: Best practice for client cert name checking
On Thu, Oct 11, 2012 at 6:47 PM, Charles Mills charl...@mcn.org wrote:
> Thanks. My boss is not technical. I am the CTO of this product. Our customers are your basic commercial customers. Yes, I picture that they would be their own CA. Why pay Verisign if you don't have a bunch of people sitting at their PCs trying to buy widgets from your Web site, and wondering if they can trust it. Yes, I support a local CRL file.

I would explain this to you from a risk acceptance point of view, but I don't want to hijack your thread again [SNIP]

Jeff
Re: Inconsistent behavior between FIPS and non-FIPS AES
Hi aunt.jomamma,

You have ignored every return value. You should probably start by checking all return values. If you check all return values *and* assert all the checks, you will have self-debugging code. I find self-debugging code the best code of all, but I'm kind of lazy.

> 2) Is there purposely a difference in behavior between the FIPS and non-FIPS versions,...

Did FIPS_mode_set succeed? It returns 1 on success.

Jeff

On Fri, Oct 12, 2012 at 4:40 PM, AJ aunt.joma...@yahoo.com wrote:
> Hi,
>
> I've noticed an inconsistency between the behavior of AES_CTR in FIPS and non-FIPS modes. I am using openssl-1.0.1c and openssl-fips-2.0. The following code demonstrates the issue:
>
>  1 #include <stdio.h>
>  2 #include <string.h>
>  3 #include <openssl/evp.h>
>  4
>  5 #define MSG_SIZE 14
>  6 const unsigned char *key = (unsigned char *)"1234567890123456";
>  7 const unsigned char *iv  = (unsigned char *)"0101010101010101";
>  8
>  9 int main(void) {
> 10
> 11     unsigned char in_1[MSG_SIZE];
> 12     unsigned char in_2[MSG_SIZE];
> 13     unsigned char out_1[MSG_SIZE];
> 14     unsigned char out_2[MSG_SIZE];
> 15     int out_len_1, out_len_2;
> 16
> 17     EVP_CIPHER_CTX ctx_1, ctx_2;
> 18
> 19     memset( in_1, 0, MSG_SIZE );
> 20     memset( in_2, 0, MSG_SIZE );
> 21
> 22     EVP_CIPHER_CTX_init( &ctx_1 );
> 23     EVP_EncryptInit( &ctx_1, EVP_aes_128_ctr(), key, iv );
> 24     EVP_EncryptUpdate( &ctx_1, out_1, &out_len_1, in_1, MSG_SIZE );
> 25     EVP_EncryptInit( &ctx_1, NULL, NULL, iv );
> 26     EVP_EncryptUpdate( &ctx_1, out_1, &out_len_1, in_1, MSG_SIZE );
> 27
> 28     FIPS_mode_set(1); /* Enable FIPS mode */
> 29
> 30     EVP_CIPHER_CTX_init( &ctx_2 );
> 31     EVP_EncryptInit( &ctx_2, EVP_aes_128_ctr(), key, iv );
> 32     EVP_EncryptUpdate( &ctx_2, out_2, &out_len_2, in_2, MSG_SIZE );
> 33     EVP_EncryptInit( &ctx_2, NULL, NULL, iv );
> 34     EVP_EncryptUpdate( &ctx_2, out_2, &out_len_2, in_2, MSG_SIZE );
> 35
> 36     if ( memcmp( out_1, out_2, MSG_SIZE ) == 0 ) {
> 37         printf("Buffers are equal.\n\n");
> 38     } else {
> 39         printf("Buffers are not equal.\n\n");
> 40     }
> 41
> 42     return 0;
> 43 }
>
> The reason for the different outputs is that there is a difference in the EVP_EncryptInit code (lines 25 and 33) for the 2 modes. In the non-FIPS mode, line 25 will reset ctx_1->num to zero. This is done in EVP_CipherInit_ex(), line 240:
>
> 239     case EVP_CIPH_CTR_MODE:
> 240         ctx->num = 0;
> 241         /* Don't reuse IV for CTR mode */
> 242         if(iv)
> 243             memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
> 244         break;
> 245
>
> However, in FIPS mode, the equivalent line does not reset ctx_2->num. This is from FIPS_cipherinit(), lines 210-215:
>
> 210     case EVP_CIPH_CTR_MODE:
> 211         /* Don't reuse IV for CTR mode */
> 212         if(iv)
> 213             memcpy(ctx->iv, iv, M_EVP_CIPHER_CTX_iv_length(ctx));
> 214         break;
> 215
>
> I can make my program work if I change line 33 from:
>
>     EVP_EncryptInit( &ctx_2, NULL, NULL, iv );
>
> to:
>
>     EVP_EncryptInit( &ctx_2, EVP_aes_128_ctr(), key, iv );
>
> This explicitly specifies the cipher and key again. From the docs, it appears that I should be able to set them to NULL and have it work, if they don't need to be updated, and that is how it works in the non-FIPS mode.
>
> Questions:
>
> 1) Should I need to explicitly specify the cipher and key again in EVP_EncryptInit(), if I am only updating the IV? (i.e. should I be able to put NULL for key and cipher).
>
> 2) Is there purposely a difference in behavior between the FIPS and non-FIPS versions, or is this a bug? My understanding was that they *should* work interchangeably.
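To see why the two EVP_EncryptInit code paths quoted above produce different buffers, here is a small model of the CTR-mode context state (the running counter block `iv`, the keystream buffer `ecount_buf`, and the byte offset `num`) driven through the posted program's sequence of calls. This is an added example, not the poster's program or OpenSSL's code; the block function is a SHA-256 stand-in for one AES block encryption (an assumption that does not affect the counter/offset logic being shown).

```python
"""Model of OpenSSL's CTR-mode context state, to show why a re-init with the
same IV differs between the two code paths quoted in the thread. Added
example, not the poster's program. block_fn is a SHA-256 stand-in for one AES
block encryption (assumption); only the counter/offset bookkeeping matters."""
import hashlib

BLOCK = 16


def block_fn(key, counter_block):
    """Stand-in for encrypting one counter block under key (not real AES)."""
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]


def ctr128_inc(counter_block):
    """Big-endian 128-bit increment, like OpenSSL's ctr128_inc()."""
    value = (int.from_bytes(counter_block, "big") + 1) % (1 << 128)
    return value.to_bytes(BLOCK, "big")


class CtrContext:
    """The three pieces of EVP_CIPHER_CTX state that matter for CTR mode:
    iv (the running counter block), ecount_buf (keystream for the current
    block) and num (keystream bytes already consumed from ecount_buf)."""

    def __init__(self, key, iv):
        self.key = bytes(key)
        self.iv = bytes(iv)
        self.ecount_buf = bytes(BLOCK)
        self.num = 0

    def reinit_iv(self, iv, reset_num):
        """EVP_EncryptInit(ctx, NULL, NULL, iv) on an initialised context.
        The non-FIPS EVP_CipherInit_ex path zeroes num and copies the IV;
        the FIPS_cipherinit path quoted in the thread only copies the IV."""
        if reset_num:
            self.num = 0
        self.iv = bytes(iv)

    def update(self, data):
        """CRYPTO_ctr128_encrypt: XOR with ecount_buf[num]; whenever num is 0,
        encrypt the counter block into ecount_buf and bump the counter."""
        out = bytearray()
        for byte in data:
            if self.num == 0:
                self.ecount_buf = block_fn(self.key, self.iv)
                self.iv = ctr128_inc(self.iv)
            out.append(byte ^ self.ecount_buf[self.num])
            self.num = (self.num + 1) % BLOCK
        return bytes(out)


KEY = b"1234567890123456"      # same constructed key and IV as the posted program
IV = b"0101010101010101"
MSG_SIZE = 14                  # 14 < 16, so num is left mid-block at 14


def run_posted_sequence(reset_num):
    """Init, Update(14 zero bytes), re-Init with the same IV, Update again;
    returns the second Update's output (out_1 / out_2 in the posted program)."""
    ctx = CtrContext(KEY, IV)
    plaintext = bytes(MSG_SIZE)
    ctx.update(plaintext)
    ctx.reinit_iv(IV, reset_num)
    return ctx.update(plaintext)


def fresh_encrypt():
    """What a correct restart from the IV must produce: keystream of block 0."""
    return CtrContext(KEY, IV).update(bytes(MSG_SIZE))


def explain():
    non_fips = run_posted_sequence(reset_num=True)
    fips = run_posted_sequence(reset_num=False)
    ks0 = block_fn(KEY, IV)    # keystream block 0 (plaintext is all zeros)
    return {
        "non_fips_restarts_keystream": non_fips == fresh_encrypt(),
        "fips_output_differs": fips != non_fips,
        # with num stuck at 14, the stale tail of block 0 is emitted first,
        # then block 0 is regenerated from the restored IV: ks0[14:16] + ks0[:12]
        "fips_output_is_stale_tail_then_block0": fips == ks0[14:16] + ks0[:12],
    }
```

The model reproduces the poster's observation and shows exactly which keystream bytes the non-resetting path emits; note that both sequences deliberately reuse the IV, which is fine for a reproduction but is keystream reuse on real data.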
Re: Building an exportable OpenSSL application
On Tue, Oct 16, 2012 at 10:25 AM, Charles Mills charl...@mcn.org wrote:
> I have a Windows-only OpenSSL application developed in VS 2010. I have now been tasked with creating parallel "regular" and "exportable" (from the US) distributions of the application.

There's no need for two versions. It's all exportable from the US, except to countries and individuals on the banned list. You can get an exception from the Department of State and export to the banned countries, too (IIRC). In this case, both the Department of Commerce and the State Department share joint jurisdiction.

You can find more information on the Department of Commerce's website: http://www.bis.doc.gov/encryption/encfaqs6_17_02.html and http://www.bis.doc.gov/encryption/enc_faqs.html.

If you want to talk to a live person: US Department of Commerce, Bureau of Industry and Security, Office of Exporter Services, Encryption Division. If you need the phone number and names of the folks in the office, email me offlist.

> I UNDERSTAND YOU CAN'T GIVE LEGAL ADVICE. I'M ONLY LOOKING FOR TECHNICAL INPUT HERE.

This is not legal advice; they are facts of the matter. I've been through the process three times.

Jeff
Re: Wild card SSL; use on multiple Apache servers
On Wed, Oct 24, 2012 at 2:59 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> The wildcard is for a particular domain (* is valid for any host within it). If your other server is in a different domain, then it won't work.

Don't do it. It violates the principle of least privilege. Why should a user be asked to trust the receptionist's machine in the lobby or a developer's machine with lord knows what installed?

Use Server Name Indication (SNI) instead.

Jeff
Re: Wild card SSL; use on multiple Apache servers
On Wed, Oct 24, 2012 at 2:37 PM, Dave Thompson dthomp...@prinpay.com wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
>> Sent: Wednesday, 24 October, 2012 03:00
>> To: aurfal...@gmail.com; openssl-users@openssl.org
>> Subject: Re: Wild card SSL; use on multiple Apache servers
>>
>> The wildcard is for a particular domain (* is valid for any host within it). If your other server is in a different domain, then it won't work.
>
> Right. Because the CA only verified your control of the domain that it issued the cert for; if you get a cert for fredsmith.com and could use it on a server that impersonates www.amazon.com you could steal billions of dollars from millions of people.

I believe you can go to TrustWave and get certificates for domains outside your control (http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html). Mozilla rewarded their bad behavior by continuing their inclusion (https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

So much for "Trust" as a commodity.

Jeff
Re: Reference material on how to do certificate validation with OpenSSL
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. blan...@gmail.com wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines and sample code on how to properly do certificate validation with OpenSSL: http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be useful to people on this mailing list.

] Most applications only have to connect to one or a few application
] servers. Therefore, the trust store should only contain the CA
] certificates needed to connect to those servers. Restricting the list
] of trusted CA certificate in such way is a security practice called
] certificate pinning.

I don't believe this is correct. One does not pin a CA's certificate when using SSL/TLS (and VPN) with a public CA hierarchy.

Suppose you are pinning a CA that gets compromised. The bad guy can then (1) generate a spurious certificate for a legitimate site, and (2) sign it with the compromised CA. Your program would accept the site's certificates as valid. Or suppose a CA decides to issue a Subordinate CA to allow SSL/TLS traffic interception. Again, your program would choose to accept.

We've already seen these things happen with Diginotar (http://en.wikipedia.org/wiki/DigiNotar) and Trustwave (http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html and https://bugzilla.mozilla.org/show_bug.cgi?id=724929).

When discussing pinning with a public CA hierarchy, one pins either (1) the host's public key, or (2) the host's X509 certificate. Pinning a host's public key is nearly the same as StrictHostKeyChecking in SSH.

Note: Google rotates its certificates regularly, but does not rotate its public keys. So you would definitely want to pin public keys (rather than certificates) for encrypted.google.com, gmail.com, etc.

Pinning the public key (or certificate) leverages the pre-existing relationship to identify the host in question (this is all about identity).

Jeff
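The distinction drawn in this message and in the earlier "Best practice for client cert name checking" reply (whitelisting the host's {e,n} from certificate[0] rather than the whole certificate) can be shown mechanically: locate the SubjectPublicKeyInfo inside a DER certificate, hash it, and compare against the pin set, so that a re-issued certificate carrying the same key still matches while a different key under the same name does not. This is an added example, not the iSEC paper's code nor anything from the list; its DER encoder/decoder is a minimal hand-written one, and the "certificates" it builds are constructed skeletons with the real X.509 field order but placeholder issuer/validity/signature fields and toy key sizes (assumptions, not real certificates).

```python
"""Pin the server's public key (SubjectPublicKeyInfo) rather than its whole
certificate. Added example for this thread, not the iSEC paper's code. The DER
encoder/decoder is minimal and hand-written, and the 'certificates' are
constructed skeletons: real X.509 field order, placeholder issuer/validity/
signature fields, toy key sizes (assumptions, not real certificates)."""
import base64
import hashlib

def der_len(n):
    if n < 0x80:                                   # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body        # long form

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))              # SEQUENCE

def integer(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                             # keep the INTEGER positive
        body = b"\x00" + body
    return tlv(0x02, body)

def bitstring(data):
    return tlv(0x03, b"\x00" + data)               # BIT STRING, 0 unused bits

def spki(n, e):
    """SubjectPublicKeyInfo for an RSA key: rsaEncryption OID + RSAPublicKey."""
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))
    return seq(alg, bitstring(seq(integer(n), integer(e))))

def toy_certificate(serial, subject_cn, n, e):
    """TBSCertificate in real order: [0] version, serial, signature, issuer,
    validity, subject, subjectPublicKeyInfo; then sig alg and signature."""
    placeholder = seq()                            # empty SEQUENCE stand-in
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), placeholder, placeholder,
              placeholder, seq(tlv(0x0C, subject_cn.encode())), spki(n, e))
    return seq(tbs, placeholder, bitstring(b"\x00" * 4))

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def extract_spki(cert_der):
    """SPKI is the 7th TBSCertificate field when the optional [0] version is
    present, the 6th otherwise; re-encoded so the pin covers the whole TLV."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs_body = children(cert_body)[0]
    fields = children(tbs_body)
    tag, body = fields[6 if fields[0][0] == 0xA0 else 5]
    return tlv(tag, body)

def spki_pin(cert_der):
    """Pin value: base64(SHA-256(SPKI)), the usual public-key pin form."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def key_is_pinned(cert_der, pins):
    """The whitelist check a client runs on the server's leaf certificate."""
    return spki_pin(cert_der) in pins

# Constructed sample keys (toy sizes, not real RSA moduli).
KEY_A = (0xC0FFEE1234567891, 65537)
KEY_B = (0xDEADBEEF00000001, 65537)
CERT_A1 = toy_certificate(1001, "example.test", *KEY_A)
CERT_A2 = toy_certificate(1002, "example.test", *KEY_A)   # rotated, same key
CERT_B = toy_certificate(1003, "example.test", *KEY_B)    # same name, new key
PINS = {spki_pin(CERT_A1)}

def demo():
    """Certificate rotation keeps a key pin valid; a different key under the
    same name fails; a whole-certificate pin would break on every rotation."""
    return {
        "rotated_cert_same_key_accepted": key_is_pinned(CERT_A2, PINS),
        "different_key_rejected": not key_is_pinned(CERT_B, PINS),
        "cert_hash_changed_on_rotation":
            hashlib.sha256(CERT_A1).digest() != hashlib.sha256(CERT_A2).digest(),
    }
```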
Re: Reference material on how to do certificate validation with OpenSSL
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. blan...@gmail.com wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines and sample code on how to properly do certificate validation with OpenSSL: http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be useful to people on this mailing list.

] Applications that need to be able to connect to any server on
] the Internet (such as browsers) could instead rely on Mozilla's
] list of root certificates used in Firefox.

Mozilla cannot be trusted. When Trustwave issued a Subordinate CA to perform traffic interception on sites not under the operator's control, Mozilla rewarded their bad behavior by continuing their inclusion in the Root CA list (http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html and https://bugzilla.mozilla.org/show_bug.cgi?id=724929).
Re: Reference material on how to do certificate validation with OpenSSL
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. blan...@gmail.com wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines and sample code on how to properly do certificate validation with OpenSSL: http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be useful to people on this mailing list.

] int validate_hostname(char *hostname, X509 *server_cert) {
]     int hostname_matched = HOSTNAME_VALIDATION_ERR;
]     if((hostname == NULL) || (server_cert == NULL))
]         goto error;
]     ...
] error:
]     return hostname_matched;
] }

You failed open rather than closed. It's not a good choice of strategies for high integrity software.
Re: Reference material on how to do certificate validation with OpenSSL
On Sat, Oct 27, 2012 at 11:00 AM, Alban D. blan...@gmail.com wrote:
> Hi everyone,
>
> iSEC Partners just released a paper that provides detailed guidelines and sample code on how to properly do certificate validation with OpenSSL: http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html
>
> It is not trivial and so I thought this reference material could be useful to people on this mailing list.

] Supporting wildcard certificates requires manually parsing
] the name to find the wildcard character, ensuring that it is
] in a valid location within the domain, and then trying to
] match the pattern with the server's expected hostname.

Don't do it because it violates the Principle of Least Privilege. Why should users be asked to trust the receptionist's machine in the lobby or a developer's machine with nearly anything installed?

If you are in a multi-domain environment (such as Apache with virtual hosts), use multiple certificates or Server Name Indication (SNI).

Jeff
Re: Need inputs/suggestions on SSL/TLS protocol version fallback mechanism.
> SSL_CTX_set_options, should I indicate protocols using this function?

Before you do that, please realize TLS 1.0 is the least broken of the protocols you are trying to enable. You really want all TLS 1.2 clients, but it's not widely implemented in clients and servers. I can tell you that a number of organizations will not want SSL2/SSL3 clients accessing their corporate data.

Differences Between SSLv2, SSLv3, and TLS, www.yaksman.org/~lweith/ssl.pdf
Analysis of the SSL 3.0 Protocol, www.schneier.com/paper-ssl.html

Jeff

On Mon, Oct 29, 2012 at 10:27 AM, Bhat, Jayalakshmi Manjunath jayalakshmi.b...@hp.com wrote:
> Hi Charles,
>
> Thank you for the reply. I am not setting any option using SSL_CTX_set_options, should I indicate protocols using this function?
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
> Sent: Monday, October 29, 2012 7:40 PM
> To: openssl-users@openssl.org
> Subject: RE: Need inputs/suggestions on SSL/TLS protocol version fallback mechanism.
>
> Do you call SSL_CTX_set_options() with bit flags (SSL_OP_ALL, SSL_OP_NO_SSLv3, etc.) to indicate the protocols you are willing to accept?
>
> BTW, openssl-users (not -dev) is the proper forum for this sort of question.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bhat, Jayalakshmi Manjunath
> Sent: Monday, October 29, 2012 5:27 AM
> To: openssl-...@openssl.org; openssl-users@openssl.org
> Subject: Need inputs/suggestions on SSL/TLS protocol version fallback mechanism.
>
> I have a client application that uses SSL23_client_method(). When the client is getting connected to a server that supports TLS 1.0 there are no issues. When the client is getting connected to a server that supports only SSLv3.0, the connection is getting aborted with a protocol number error. I have a couple of questions around this issue.
>
> 1. If I would like to support the fallback mechanism, I need to implement the same in the client application. The SSL client state machine in OpenSSL does not implement any fallback.
>
> 2. I did not see any recommendation in the SSL/TLS RFCs to implement the fallback mechanism. I wanted to know whether there are any side effects in the OpenSSL library if a fallback mechanism is implemented.
Re: Reference material on how to do certificate validation with OpenSSL
On Mon, Oct 29, 2012 at 11:04 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> On 10/27/2012 10:58 PM, Jeffrey Walton wrote:
>> [quoted text identical to Jeffrey Walton's earlier message "Re: Reference material on how to do certificate validation with OpenSSL" (Oct 27, 2012, on wildcard certificates, least privilege and SNI) omitted]
>
> You obviously don't understand the proper uses and necessity of wildcard certificates:

Actually, I do. It's not a risk I am willing to accept. As a security architect, I am more than happy to kick software that follows the practice.

Jeff
Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea erwann.aba...@keynectis.com wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in case of a NULL hostname or certificate it is returned by the function, unmodified.

HOSTNAME_VALIDATION_ERR is not mentioned in https://github.com/iSECPartners/ssl-conservatory/raw/master/everything-you-wanted-to-know-about-openssl.pdf.

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>> [quoted text identical to Jeffrey Walton's earlier message on the validate_hostname() excerpt ("You failed open rather than closed") omitted]
Re: [openssl-users] Re: Reference material on how to do certificate validation with OpenSSL
On Mon, Oct 29, 2012 at 4:02 PM, Erwann Abalea erwann.aba...@keynectis.com wrote:
> Where's the failure here?
> hostname_matched is set to HOSTNAME_VALIDATION_ERR at initialization, and in case of a NULL hostname or certificate it is returned by the function, unmodified.

My bad - you were right. I fetched the document again and some parts were rewritten. The re-written document did not include the function with HOSTNAME_VALIDATION_ERR. I'm not sure how I missed that hostname_matched was a return variable (I think I zeroed in on the name, which implied a match).

Jeff

> On 27/10/2012 21:00, Jeffrey Walton wrote:
>> [quoted text identical to Jeffrey Walton's earlier message on the validate_hostname() excerpt ("You failed open rather than closed") omitted]
Re: Reference material on how to do certificate validation with OpenSSL
On Tue, Oct 30, 2012 at 10:03 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> On 10/29/2012 7:05 PM, Jeffrey Walton wrote:
>> On Mon, Oct 29, 2012 at 11:04 AM, Jakob Bohm jb-open...@wisemo.com wrote:
>>> [quoted text identical to the earlier exchange in this thread on wildcard certificates omitted]
>>>
>>> You obviously don't understand the proper uses and necessity of wildcard certificates:
>>
>> Actually, I do. It's not a risk I am willing to accept. As a security architect, I am more than happy to kick software that follows the practice.
>
> If you truly understand the part of my post that you removed (especially item 3), then your beliefs about its insecurity and your insistence on blocking it on behalf of others not so deluded are pure security theater.
>
> I will repeat my item 3 here for reference:
>
> 3. Being covered by a wildcard certificate's name match does not give a computer access to the private key needed to actually use that certificate. The security model is that the wildcard cert identifies the organization, and the organization only installs the private key on trusted servers.
>
> Put another way, a wildcard certificate identifies a person or organization, not a particular computer. The person/org decides which computers are trusted to represent them at the relevant level of assurance. It is the closest available approximation of giving the person/org a path-constrained intermediary CA, with the path constraint enforced for the DNS path, not the X.400 path.

I've been in a shop where the development team set up a game server on a development box. The box was then put on the internet. The private key was not in an HSM; it was ripped from the filesystem of an Apache server.

It's not just small shops that abuse things. Diginotar's private key was compromised too. So big shops which get audited also fail.

I really don't care how the bad guy gets the private key. I expect it to happen.

Jeff
Re: ECDH-RSA and TLS 1.2
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote:
> (continuing TOFU posting to keep the thread somewhat consistent)
>
> Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous; it is just a somewhat educated guess.

Not at all - it's good advice. It's called Key Separation, and it's covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement.

The HAC is available for free online at http://cacr.uwaterloo.ca/hac/.

Jeff

> On 11/2/2012 9:06 PM, Abhiram Shandilya wrote:
>> I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature.
>>
>> -----Original Message-----
>> From: Erik Tkal
>> Sent: Friday, November 02, 2012 8:24 AM
>> To: openssl-users@openssl.org
>> Subject: RE: ECDH-RSA and TLS 1.2
>>
>> What if the server has an ECDH certificate? Would that then be the appropriate set of suites?
>>
>> -----Original Message-----
>> From: Dr. Stephen Henson
>> Sent: Thursday, November 01, 2012 10:38 PM
>> To: openssl-users@openssl.org
>> Subject: Re: ECDH-RSA and TLS 1.2
>>
>> On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
>>> Hi Steve,
>>>
>>> Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>>
>> Well, one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key.
Re: ECDH-RSA and TLS 1.2
On Sun, Nov 4, 2012 at 7:15 PM, jb-open...@wisemo.com wrote:
> On 02-11-2012 21:46, Jeffrey Walton wrote:
>> [quoted text identical to the preceding message in this thread (Jeffrey Walton's reply of Nov 2, 2012 on Key Separation, quoting Jakob Bohm) omitted]
>
> I am aware of the general principle, but that is not my point at all. My point is that the very specific math of DSA signatures may enable specific attacks if the same key pair is used as a static DH key. Information on this possibility (or its absence) is obscured by replies like yours (and by similar general statements in official Government materials from NIST etc.).

My apologies. I was not aware I was obscuring results. It was not my intention.

The OpenSSL list is a good list, but it's OpenSSL implementation oriented. As such, it's not the best place to ask number theoretic questions. To get your question answered, I would encourage you to ask on an appropriate list; or visit a university and talk to someone in the math department or teaching cryptography. (I still keep in touch with my former crypto instructor, so I would simply send an email).

As far as I know, there are three such lists. First, you can ask on Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see David Wagner patrolling sci.crypt on occasion. Both of these lists will require you to wade through copious amounts of spam. Third, you can try Jack Lloyd's Cryptography mailing list at http://lists.randombit.net/mailman/listinfo. Jack is the author of Botan, and a lot of first class crypto folks are active on his list, such as Jon Callas and Peter Gutmann. I have omitted a number of influential and helpful folks, so please don't take offense if I did not name your favorite cryptographer.

For what it's worth, I don't think this is a conspiracy or a concerted effort to suppress your knowledge.

Jeff
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 1:34 PM, Sanford Staab sanfo...@gmail.com wrote:

I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server. Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of “openssl+docs+suck” for how much hell you guys are putting people through trying to figure out this tool

OpenSSL has a book by Viega, Messier, and Chandra (though it's a bit dated). It will get you through most of the basics when using the API set. It's what I used years ago.

If it's any consolation, NSS's documentation is even worse. I banned NSS's use in code under my purview because I could not ensure it was being used correctly (that's how shitty their docs were at the time). It's a shame that Mozilla makes millions being Google's whore and it could not even hire a technical writer to produce a decent set of documents (perhaps that's changed now).

Jeff
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 1:51 PM, Magosányi, Árpád m4g...@gmail.com wrote:

On 11/13/2012 07:34 PM, Sanford Staab wrote:

Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.

You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.

I have to call bullshit on this one. The project does not appear to be interested in outside help (and I'm tired of folks making these statements). Confer:

* IBM submitted patches for CCM and GCM nearly 10 years ago [1]. Not incorporated.
* Thomas Wu submitted patches for SRP nearly 5 years ago [2]. Not incorporated.
* I submitted patches (to try the waters) [3]. Not incorporated
* Others have submitted documentation patches [4]. Not incorporated.

Jeff

[1] http://rt.openssl.org/Ticket/Display.html?id=782&user=guest&pass=guest
[2] http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest
[3] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402
[4] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401
[5] http://rt.openssl.org/Ticket/Display.html?id=2697&user=guest&pass=guest
Re: Openssl FIPS and Boost
On Wed, Nov 14, 2012 at 12:32 PM, Nou Dadoun ndad...@teradici.com wrote:

Hi folks, We have several projects that use openssl in both FIPS-mode and non-FIPS-mode; one of the projects that we have that does not use FIPS-mode is one that uses the Boost ASIO library in which we can reach down into the openssl properties to get properties and operations that aren't provided directly by Boost. This project currently uses openssl 0.9.8x. We're interested in moving this project to run in FIPS-mode (with a corresponding openssl version upgrade) and I was wondering if anyone here had experience in setting up a Boost project to run in FIPS-mode. Any general comments? ... N

On Windows, you will likely have problems with Boost. I could not get Boost to compile properly due to problems with their preprocessor macros (“Mixing a dll boost library with a static runtime is a really bad idea…”, http://stackoverflow.com/questions/9527713/mixing-a-dll-boost-library-with-a-static-runtime-is-a-really-bad-idea).

Boost also lacks thread safety, so I'm skeptical about ASIO reaching into OpenSSL (for which you provide locks). Boost does have threading support, which is almost completely broken the last time I checked (I actually audited it about a year ago). It's full of Comp Sci 101 mistakes. The library did not validate parameters and ignored return values on critical code paths. Don't believe all the Fan Boi chatter about quality as Boost seems to lack a QA process.

Jeff
Re: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions
On Wed, Nov 14, 2012 at 3:25 PM, mclellan, dave dave.mclel...@emc.com wrote:

... We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I’d like to test out this set of assumptions (or maybe they are ‘assertions’)

- In the context of OpenSSL, FIPS compliance is all about algorithm choice. In FIPS mode (FIPS_mode_set() returns success), weaker algorithms are disabled and OpenSSL returns an error if use of them is attempted in FIPS mode.
- As long as one side of the connection insists that FIPS-approved algorithms be used, and as long as the other side is capable and agrees, then the two negotiate only a FIPS-approved algorithm.

This is not entirely correct. It's algorithm and application. For example, MD5 is withdrawn so it's no longer a FIPS approved algorithm per se. However, it's still allowed in SSL/TLS where it's used as a PRF (without the need for collision resistance). The MD5 and SSL/TLS exemption is stated in NIST Special Publication 800-90:

The TLS 1.0 and 1.1 KDF is approved when the following conditions are satisfied: (1) The TLS 1.0 and 1.1 KDF is performed in the context of the TLS protocol. (2) SHA-1 and HMAC are as specified in FIPS 180-3 and 198-1, respectively. Note that MD5 and HMAC-MD5 shall not be used as a general hash function or HMAC function, respectively.

FIPS compliance/acceptance testing is another can of worms. I've been in shops where the folks claim to be FIPS based on OpenSSL, yet they don't even bother to build fipscanister.o. Sigh

Jeff
Re: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions
On Wed, Nov 14, 2012 at 4:21 PM, mclellan, dave dave.mclel...@emc.com wrote:

Thanks for that clarification. It's not so cut and dry, I see. About this: ... and don't even bother to build fipscanister.o... Then on what grounds could they claim FIPS compliance?

Exactly ;)

And the more important question: how we test that we got what we paid for?

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Wednesday, November 14, 2012 3:57 PM
To: openssl-users@openssl.org
Subject: Re: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions

On Wed, Nov 14, 2012 at 3:25 PM, mclellan, dave dave.mclel...@emc.com wrote:

... We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I’d like to test out this set of assumptions (or maybe they are ‘assertions’)

- In the context of OpenSSL, FIPS compliance is all about algorithm choice. In FIPS mode (FIPS_mode_set() returns success), weaker algorithms are disabled and OpenSSL returns an error if use of them is attempted in FIPS mode.
- As long as one side of the connection insists that FIPS-approved algorithms be used, and as long as the other side is capable and agrees, then the two negotiate only a FIPS-approved algorithm.

This is not entirely correct. It's algorithm and application. For example, MD5 is withdrawn so it's no longer a FIPS approved algorithm per se. However, it's still allowed in SSL/TLS where it's used as a PRF (without the need for collision resistance). The MD5 and SSL/TLS exemption is stated in NIST Special Publication 800-90:

The TLS 1.0 and 1.1 KDF is approved when the following conditions are satisfied: (1) The TLS 1.0 and 1.1 KDF is performed in the context of the TLS protocol. (2) SHA-1 and HMAC are as specified in FIPS 180-3 and 198-1, respectively. Note that MD5 and HMAC-MD5 shall not be used as a general hash function or HMAC function, respectively.

FIPS compliance/acceptance testing is another can of worms. I've been in shops where the folks claim to be FIPS based on OpenSSL, yet they don't even bother to build fipscanister.o. Sigh
Re: OpenSSL/FIPS Object Module and FIPS compliance - testing some assertions
On Tue, Nov 13, 2012 at 4:26 PM, mclellan, dave dave.mclel...@emc.com wrote:

We are starting our FIPS implementation soon (FIPS OM 2.0 and OpenSSL 1.0.1) and I’d like to test out this set of assumptions (or maybe they are ‘assertions’)

- In the context of OpenSSL, FIPS compliance is all about algorithm choice. In FIPS mode (FIPS_mode_set() returns success), weaker algorithms are disabled and OpenSSL returns an error if use of them is attempted in FIPS mode.
- As long as one side of the connection insists that FIPS-approved algorithms be used, and as long as the other side is capable and agrees, then the two negotiate only a FIPS-approved algorithm.
  o Both sides might be implemented with OpenSSL, but only one of them has to be running in FIPS mode for the negotiation to choose a FIPS algorithm.
  o If one side is not implemented with OpenSSL, the same is still true: as long as it can negotiate a shared cipher with a process running in FIPS-mode, FIPS compliance is still achieved.
- Technically the phrase ‘FIPS compliant’ refers to the software capability; it does not describe the quality of an end-to-end connection. That is, if a running program is ‘FIPS-compliant’ it will ensure that a safe connection will be negotiated, where ‘safe connection’ means ‘a connection using a FIPS-approved algorithm’.

Having written these, they now seem like dumb questions, but I’d rather have affirmation of assertions and appear dumb than do the wrong thing based on a wrong assumption.

Steve Marquess makes it look easy. Don't be fooled. I often email him for a sidebar on FIPS questions.

Jeff
Re: Need input for Certificate generation
On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:

Hi, At one place, we are using following logic for generating self-signed certificate:

    #define SEED_SIZE 128
    k = RAND_status();
    while(k == 0) {
        // custom logic for getting random numbers from system variables
        ...
        CryptGenRandom(hCryptProv, SEED_SIZE, buf);   // On Windows OS
        apr_generate_random_bytes(buf, SEED_SIZE);    // On Linux OS

Huh? What's wrong with /dev/{u}rand, /dev/hwrand, and virtio_prng?

        //RAND_seed(buf, SEED_SIZE);
        RAND_add(buf, SEED_SIZE, (20/100) * SEED_SIZE);
        k = RAND_status();
    }

I'm not sure 20% effective entropy is a good estimate here. If it's coming from the OS, it's likely higher. If it's coming from an Entropy Key or other hardware device, I would estimate it nearly 100% (if not 100%).

Plus, there may be a bug there. Perform a cast to a double before the divide: ((double)20/100) * SEED_SIZE

    RSA_generate_key(2048, RSA_F4, NULL, NULL);

Reasonable.

Even though RAND_status() always returns 1 (OK), our analysis shows that the certificates generated using this logic are not having enough entropy. Also tried another approach of calling RAND_seed / RAND_add, without checking for RAND_status(), but even that doesn’t help.

Citation, please. Is this a headless server? Or being run in virtualized environment?

Can anybody please help me in understanding the limitation of this logic or suggest any other approach?

Add entropy via an Entropy Key, fetch bytes from random.org (be sure to pin the certificate), or do some key agreements and feed the peer's public key back into OpenSSL's PRNG (see paper below).

When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography, www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf. I actually use their techniques (hedging) on everything, even mobile devices.

Jeff
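The seeding loop annotated above, reworked as an added example (not the poster's code and not OpenSSL's): the entropy credit is computed in floating point so the integer-division bug cannot zero it out, the loop gives up instead of spinning forever, and public peer data is hedged in with a 0.0 credit as the message suggests. It runs against a small simulated sink constructed here (mirroring the 32-byte ENTROPY_NEEDED threshold of OpenSSL 1.0.x md_rand.c) so it needs no OpenSSL at build time; with OpenSSL present the same sink struct is filled with RAND_add and RAND_status. MAX_SEED_ROUNDS and fake_os_bytes are assumptions for the example.

```c
/* Added example: seed-until-RAND_status loop with a correct entropy credit.
 * The sink abstracts OpenSSL's
 *   void RAND_add(const void *buf, int num, double entropy);   (entropy in bytes)
 *   int  RAND_status(void);
 * so the block runs stand-alone; in production use { RAND_add, RAND_status }. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEED_SIZE 128        /* same buffer size as the posted snippet */
#define MAX_SEED_ROUNDS 64   /* assumption: fail loudly rather than loop forever */

typedef struct {
    void (*add)(const void *buf, int num, double entropy);
    int  (*status)(void);
} prng_sink;

/* The posted expression: (20/100) is integer division, so it credits 0 bytes
 * for any percentage below 100. Kept only to show the defect. */
double entropy_credit_buggy(int percent, int size) {
    return (percent / 100) * size;
}

/* Corrected: divide in floating point first. 20 % of 128 bytes = 25.6 bytes. */
double entropy_credit(int percent, int size) {
    return ((double)percent / 100.0) * size;
}

/* Pull SEED_SIZE bytes from an OS source, feed them with `credit` bytes of
 * estimated entropy, repeat until the sink reports seeded.
 * Returns rounds used, or -1 if the source failed or MAX_SEED_ROUNDS elapsed. */
int seed_until_ready(const prng_sink *sink,
                     int (*get_bytes)(unsigned char *buf, int len),
                     double credit)
{
    unsigned char buf[SEED_SIZE];
    int rounds = 0;

    while (!sink->status()) {
        if (rounds++ >= MAX_SEED_ROUNDS) return -1;   /* credit too low or source dead */
        if (get_bytes(buf, SEED_SIZE) != 1) return -1; /* never pretend on failure */
        sink->add(buf, SEED_SIZE, credit);
        memset(buf, 0, sizeof buf);                    /* don't leave seed bytes behind */
    }
    return rounds;
}

/* Hedging: public data (e.g. a peer's public key) perturbs the state but is
 * credited 0.0 bytes, so it can never make RAND_status() lie. Returns bytes fed. */
int hedge_with_public_data(const prng_sink *sink, const void *data, int len) {
    if (data == NULL || len <= 0) return 0;
    sink->add(data, len, 0.0);
    return len;
}

/* --- simulated sink, constructed for this example --------------------------- */
#define ENTROPY_NEEDED 32   /* RAND_status() in 1.0.x md_rand.c flips at 32 bytes */
static double sim_entropy = 0.0;
static void sim_add(const void *buf, int num, double entropy) {
    (void)buf;
    if (num <= 0) return;
    sim_entropy += entropy;
}
static int  sim_status(void) { return sim_entropy >= ENTROPY_NEEDED; }
static void sim_reset(void)  { sim_entropy = 0.0; }

/* Constructed stand-in for CryptGenRandom / /dev/urandom: a fixed pattern,
 * enough to exercise the loop, NOT randomness. */
static int fake_os_bytes(unsigned char *buf, int len) {
    for (int i = 0; i < len; i++) buf[i] = (unsigned char)(i * 31 + 7);
    return 1;
}

/* Run the loop from a cold sink with the given per-round credit. */
int rounds_needed(double credit) {
    prng_sink sink = { sim_add, sim_status };
    sim_reset();
    return seed_until_ready(&sink, fake_os_bytes, credit);
}

/* Hedge a cold sink with a constructed "peer public key"; returns whether the
 * sink claims to be seeded afterwards (it must not). */
int hedge_marks_seeded(void) {
    static const unsigned char peer_pub[] = "constructed-peer-public-key-bytes";
    prng_sink sink = { sim_add, sim_status };
    sim_reset();
    hedge_with_public_data(&sink, peer_pub, (int)sizeof peer_pub);
    return sim_status();
}

int main(void) {
    printf("credit/round buggy   = %.1f bytes\n", entropy_credit_buggy(20, SEED_SIZE));
    printf("credit/round correct = %.1f bytes\n", entropy_credit(20, SEED_SIZE));
    printf("rounds at 0 credit   = %d (gave up)\n", rounds_needed(entropy_credit_buggy(20, SEED_SIZE)));
    printf("rounds at 20%%        = %d\n", rounds_needed(entropy_credit(20, SEED_SIZE)));
    printf("rounds at 100%%       = %d\n", rounds_needed(entropy_credit(100, SEED_SIZE)));
    printf("hedge alone seeds?   = %d\n", hedge_marks_seeded());
    return 0;
}
```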
Re: I can't believe how much this sucks
WORKING EXAMPLES would be REAL cool.

You kind of have it with the source code to openssl.exe.

Crypto++ had the same way back when (it's a C++ crypto library, and it's not nearly as popular as OpenSSL). Users did not check cryptest.exe for API usage (cryptest.exe is the equivalent of openssl.exe). In addition, it was terse C++ code and hard to understand.

We fixed most of the How do I questions by adding a wiki and providing code examples. It drastically reduced the number of questions. When there is a question on basic usage, I just provide a link to the wiki. For example: http://www.cryptopp.com/wiki/3des, http://www.cryptopp.com/wiki/Cbc_Mode and http://www.cryptopp.com/wiki/Rsa.

As Wei Dai (the author of Crypto++) answers design questions or questions that require insight, I make sure it goes in the wiki for those who RTFM. For example at http://www.cryptopp.com/wiki/Elliptic_Curve_Cryptography: Taking from Wei Dai on the Crypto++ mailing list: To minimize the size of public and private keys, what you need to do is encode only the private exponent of the private key, and the public point of the public key. We then provide a code sample.

The wiki started out bad - it was sloppy and incomplete. Over time, the crowd converged on the right answer. It's a property of the crowd.

Jeff

On Thu, Nov 15, 2012 at 9:52 AM, Sanford Staab(Gmail) sanfo...@gmail.com wrote:

In the case of openssl, a big gain would be to simply document the command line interface better and create a doc centric forum for people to add their lessons learned filed around the particular feature area of openssl. WORKING EXAMPLES would be REAL cool. Does anyone on this alias want to let me or others know how we can update the docs somehow?

-Original Message-
From: Carlo Wood
Sent: Thursday, November 15, 2012 8:31 AM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

On Tue, 13 Nov 2012 14:11:17 -0700 t...@terralogic.net wrote:

This is just a NORMAL way for a programmer to work IMHO. I HATE coming into undocumented code years after it's been written and IMHO it's a big booby trap because it's very easy to miss something and that creates hard to find bugs. Really cryptic error messages don't help this. I've looked in the OSS community and there are attempts to put together systems and one I looked at was OXYGEN.

I concur. When I was 12, I wrote compact code with only single character variables and no documentation. For some reason I was able to have thousands of code lines all in my head at once and I had no idea why I'd need to add documentation. When I got older, I started to use more descriptive variable and function names, mostly for the purpose of being able to 'grep' (reg.exp) them in large code. At some point I completely did away with abbreviations and only used complete English words, discovering that code is incredibly better to understand when the variable names express exactly what they mean (to the point that it avoids bugs). I still didn't see the point in documentation however: the code explained itself as if it was English. Only when my memory started to get worse and I couldn't remember Megabytes of code anymore, especially when my code became so complex that I had to use Object Orientation because it was impossible to keep an overview, I started to document code. The funny thing is: I did this mostly because I knew that a year later I wouldn't be able to understand it myself anymore if I didn't; not because I thought that anyone else might need it.

Now, after more than 30 years of coding experience I have reached the same conclusion as terra wrote: Code is only as useful as its documentation. Don't bother to write code without good COMPLETE documentation as it's worthless: only you, the developer (with a good memory on top of that) will think it's trivial and usable. Everyone else will not be able to use it.

http://www.stack.nl/~dimitri/doxygen/

I have no idea at this time how useful this would be. Perhaps the best we might be able to do on the user side is a wiki and perhaps one exists. I did a google search on this.

https://help.ubuntu.com/community/OpenSSL

^ I did find this and I did not look very hard. Maybe there is something better. If there is then it doesn't come up in the 1st hits google finds. So I think we can do much better. Just my 2 cents.
Re: Need input for Certificate generation
On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:

    CryptGenRandom(hCryptProv, SEED_SIZE, buf);   // On Windows OS
    apr_generate_random_bytes(buf, SEED_SIZE);    // On Linux OS

Speaking of poor documentation. I looked at the header and the source. They are different style sheets applied to the same file (I expected to see the H file, and the C file). Neither had comments. Confer http://apr.apache.org/docs/apr/0.9/apr__general_8h-source.html and http://apr.apache.org/docs/apr/0.9/group__apr__random.html. I'll reproduce it here without the markup:

    apr_status_t apr_generate_random_bytes( unsigned char * buf, int length )

So, there are a few problems here.

First is no documentation. Verbum sapienti sat.

Second, you don't know what conditions need to be satisfied to define APR_HAS_RANDOM (did you even know it was there?). This could be fixed with documentation, but APR chose otherwise.

Third, you don't know what the function returns on success. Is there a apr_succes? Or apr_true? This could be fixed with documentation, but APR chose otherwise.

Fourth, the API tells you a negative length is acceptable. This could be fixed with documentation, but APR chose otherwise. A negative length makes no sense whatsoever (I know, it's not limited to APR). I would encourage you to write a few negative self-tests and submit it to the project: send in a NULL `buf`, a zero `length`, and a negative `length`. See how the library handles it. Since they botched the API design, I would not be surprised if they SIGABRT on you (that's how *not* to build a resilient system).

Fifth, there is probably some internal state, but we don't know that for sure. This could be fixed with documentation, but APR chose otherwise. If there is state, you don't know where it came from or its quality. Did they limit themselves to (1) Time of Day, (2) Mac address, (3) /dev/{u}rand, (4) the kernel's hwrand, or (5) virtio gear? Perhaps some other clever combination? Are they constantly hedging (probably not)? If there is no state, they have already broken you (that's how *not* to build a resilient system).

This is a bit more personal taste, but I require PRNGs to be thread safe. So Sixth, is the library thread safe? Is the call to apr_generate_random_bytes() thread safe? I would definitely write a multithreaded self test and try to break it. I can email you a set if you need a canned test that spins up 64 threads (hit me off list).

Headless servers, entropy starvation, and rollbacks are a concern in modern environments. OpenSSL and other entropy gatherers, such as EDG, don't account for the latter. It's best to take the bull by the horns and do it yourself. At minimum, you need to call RAND_add() with entropy external to /dev/{u}rand.

The following may also be useful to you:

* Analysis of the Linux Random Number Generator, eprint.iacr.org/2006/086.pdf
* Cryptanalysis of the Random Number Generator of the Windows Operating System, eprint.iacr.org/2007/419.pdf

Most recent analysis of Linux RNG (AFAIK):

* Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, https://factorable.net/paper.html

Jeff
Re: Need input for Certificate generation
On Fri, Nov 16, 2012 at 9:17 AM, Graham Leggett minf...@sharp.fm wrote:

On 16 Nov 2012, at 4:36 AM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote:

On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:

    CryptGenRandom(hCryptProv, SEED_SIZE, buf);   // On Windows OS
    apr_generate_random_bytes(buf, SEED_SIZE);    // On Linux OS

Speaking of poor documentation…..

Why are you discussing APR on the openssl list? Surely if you had a problem with the APR documentation this would be a matter for the APR lists instead?

Poor documentation was a recent thread on the list. I don't use APR, and I don't care about it. I won't be taking any time to join their mailing list or report bugs. For what it's worth, I think it's great that you did.

I was more concerned with his use of a possibly defective PRNG. That's why I took the time to explain the problems with the PRNG.

Jeff
Re: Need input for Certificate generation
Hi Jakob,

On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm jb-open...@wisemo.com wrote:

On 11/16/2012 3:36 AM, Jeffrey Walton wrote:

... Headless servers, entropy starvation, and rollbacks are a concern in modern environments. OpenSSL and other entropy gatherers, such as EDG, don't account for the latter. It's best to take the bull by the horns and do it yourself. At minimum, you need to call RAND_add() with entropy external to /dev/{u}rand.

Would you care to elaborate on the following points:

1. What do you mean by rollback

Virtual Machine rollback attacks.

2. What RNG/PRNG are you referring to as EDG

EDG is Entropy Gathering Daemon. I was talking to John Steven about it over the summer (John is CTO of Cigital, OWASP member, and part of the project). EDG does not take measures to mitigate rollback attacks.

3. What exactly makes /dev/{u,}random in current (not ancient) Linux kernels insecure given an appropriate supply of entropy? Note that the two papers you cite on the Linux kernel PRNG are:

I. A 6 year old document, presumably not applicable to the code in current kernel versions.

I don't believe this is correct. For example, the Linux generator still lacks forward secrecy.

II. A document about the consequences of using any PRNG without sufficient entropy input, with the Linux kernel PRNG as a common example. This would presumably be irrelevant if feeding the kernel plenty of external entropy e.g. by getting it from a hardware RNG hooked up to a trusted server (under your own control of course).

The trusted server is a problem.

First some background. The Linux kernel folks *disabled* feeding data into the generator based on interrupts because the attacker may control it. For example, the arrival of a network packet. There's a real problem of starvation, especially in headless servers and mobile devices. The problem was highlighted (again) in a recent paper: Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, https://factorable.net/paper.html. See Section 5 where the analysis occurs and 5.1, Weak entropy and the Linux RNG.

If I go to https://www.wisemo.com, I initiated that connection so it's not under control of an attacker). The exchange contains some random (but public) data - namely, Wisemo's public key. A passive attacker on the public internet may be able to observe the exchange. So we can improve entropy in the generator at the cost of leaking information about state input.

If the server is within my logical security boundary (for example, my LAN/MAN segment), the attacker probably cannot observe the exchange. In this case, I can improve entropy in the generator without the side effect of leaking information about state input. Later, when the machine goes out on the internet, its quality of random numbers will be improved.

You should join us over at the cryptography mailing list (http://lists.randombit.net/mailman/listinfo/cryptography).

e.g. by getting it from a hardware RNG

I personally use an Entropy Key when I need to ensure I have sufficient bits to generate a long term key (http://www.entropykey.co.uk). I carry it with me in my laptop bag.

I know of a number of medium and large size enterprises that don't use hardware, and rely on the software generator provided by the OS. Those enterprises include financial institutions in New York. This is a true story. I'm a security architect, and this got pushed to the team for risk acceptance. One financial institution was having problems with entropy depletion in a virtual environment. The appliance was apparently running out, and could not push sufficient entropy to its hosts (it was blocking in calls to /dev/random, if I recall correctly). The vendor stated we should delete /dev/random and then link it to /dev/urandom (or vice versa), so the generator would not block.

Jeff
Re: Need input for Certificate generation
On Sat, Nov 17, 2012 at 10:56 PM, jb-open...@wisemo.com wrote:

On 16-11-2012 19:57, Jeffrey Walton wrote:

Hi Jakob,

On Fri, Nov 16, 2012 at 1:22 PM, Jakob Bohm jb-open...@wisemo.com wrote:

On 11/16/2012 3:36 AM, Jeffrey Walton wrote:

... Headless servers, entropy starvation, and rollbacks are a concern in modern environments. OpenSSL and other entropy gatherers, such as EDG, don't account for the latter. It's best to take the bull by the horns and do it yourself. At minimum, you need to call RAND_add() with entropy external to /dev/{u}rand.

Would you care to elaborate on the following points:

1. What do you mean by rollback

Virtual Machine rollback attacks.

And how would an attacker roll back the victim's VM? An attacker with that level of control is already presumably able to access the VM's data, storage and execution state directly.

It could happen accidentally by the folks in the data center.

2. What RNG/PRNG are you referring to as EDG

EDG is Entropy Gathering Daemon. I was talking to John Steven about it over the summer (John is CTO of Cigital, OWASP member, and part of the project). EDG does not take measures to mitigate rollback attacks.

Ah, I thought that was called EGD

My bad...

...

If I go to https://www.wisemo.com, I initiated that connection so it's not under control of an attacker). The exchange contains some random (but public) data - namely, Wisemo's public key. A passive attacker on the public internet may be able to observe the exchange. So we can improve entropy in the generator at the cost of leaking information about state input.

And what if (hypothetically speaking) I had doctored that public key to negatively affect the entropy of some well known PRNG when used with some well known hedging software (I haven't, but you have to take my word for it).

Point taken, but the attacker is not going to control *that* many machines. Or at least I don't believe he/she can.

...

I know of a number of medium and large size enterprises that don't use hardware, and rely on the software generator provided by the OS. Those enterprises include financial institutions in New York. This is a true story. I'm a security architect, and this got pushed to the team for risk acceptance. One financial institution was having problems with entropy depletion in a virtual environment. The appliance was apparently running out, and could not push sufficient entropy to its hosts (it was blocking in calls to /dev/random, if I recall correctly). The vendor stated we should delete /dev/random and then link it to /dev/urandom (or vice versa), so the generator would not block.

Yeah, typical incompetent support, and/or management forcing the engineers to provide a quick fix even if only a slower fix is possible. Happens all the time to safety measures much more important than this.

I caught a lot of heat for pointing it out (the folks in engineering had their hearts set on using it), and calling bullshit on the recommendation. I think it was my presentation

Jeff
Re: I can't believe how much this sucks
On Sun, Nov 18, 2012 at 11:19 PM, Thomas J. Hruska shineli...@shininglightpro.com wrote:

On 11/13/2012 11:34 AM, Sanford Staab wrote:

I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server. Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of “openssl+docs+suck” for how much hell you guys are putting people through trying to figure out this tool) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.

The OpenSSL dev team consists of fairly old-school *NIX folks. It is a low-level library and certificate generation and manipulation tool that has gained significant notoriety for its reliability, stability, and security. The primary documentation is manpages. This is an outdated method of documenting software and, as I've found, the primary source of many complaints. In this regard, it is time to move on. I can't remember the last time I had to fire up 'man'. I'm much more apt to just run a Google search.

[SNIP]

It is approaching six months since the last OpenSSL update. We're probably due for a new set of source releases any time now. So now is the ideal time to talk it up about getting better documentation on the dev team's schedule while they begin the planning stages of the next release. If you succeed at this, you'll be my hero of the month because I've been wanting this for ages. You might want to approach the devs though with a little more respect/tact. Saying the documentation sucks is a great way to get ignored. Their time is valuable.

You can lead them to water, but you can't make them drink: http://rt.openssl.org/Ticket/Display.html?id=2697&user=guest&pass=guest.

Jeff
Re: Question about exporting user certificate files to .pfx
On Mon, Nov 19, 2012 at 10:53 AM, Deeztek.com Support supp...@deeztek.com wrote:
> I fixed the command and it created the end user .pfx file. It imported successfully into windows but I get this message when I looked at the certification chain for the intermediate ca:
>
> This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate.
>
> Any idea why I would get this? or would it affect anything?

http://lmgtfy.com/?q=This+certification+authority+is+not+allowed+to+issue+certificates+or+cannot+be+used+as+an+end-entity+certificate.

> On 11/19/2012 10:47 AM, Dr. Stephen Henson wrote:
>> On Mon, Nov 19, 2012, Deeztek.com Support wrote:
>>> Nevermind the last message, you said *concatenate* the CA certificate together. So, this is what i did:
>>>
>>> Root cert: cat ca.crt cachain.pem
>>> Int-ca cert: cat int-ca.crt cachain.pem
>>>
>>> Ran the following but it didn't work:
>>>
>>> openssl pkcs12 -export -out someone.pfx -inkey someone.key -in someone.crt -certfile cachain.pem -passout:somepassword
>>
>> If you used that exact command the -passout syntax is incorrect. It should be -passout pass:somepassword
Newsreader (was: Question about exporting user certificate files to .pfx)
On Tue, Nov 20, 2012 at 11:56 AM, jw72...@verizon.net wrote:
> it would be swell if I could get my email address removed from the list without removing my subscription too. This way I could just use my newsreader to get the messages without having my email box cluttered every day with this high-volume list. Is such a thing outside the realm of conceivable possibilities for anyone here? Who here after all is in control (for lack of a better word) of this list? :) Thanks.

Google Groups mirrors this list. No need for a subscription: http://groups.google.com/group/mailing.openssl.users.
Re: Undefined reference to 'FIPS_text_start()'
On Tue, Nov 20, 2012 at 6:16 PM, Santhosh Kokala santhosh.kok...@riverbed.com wrote:
> Hi,
>
> I am trying to build an application with the FIPS Object module. I followed the build instructions mentioned in FIPS User Guide 2.0.
>
> FIPS Object Module:
> ./config
> make
> make install
>
> OpenSSL:
> ./config fips
> make depend
> make
>
> My Application:
> export FIPSLD_CC=g++
> export CC=gcc
> export CXX=/usr/local/ssl/fips-2.0/bin/fipsld
>
> Build Errors:
> /tmp/cczHeW7i.o: In function `FINGERPRINT_premain()':
> /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c:103: undefined reference to `FIPS_text_start()'
> /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c:116: undefined reference to `FIPS_incore_fingerprint(unsigned char*, unsigned int)'

Add fipscanister.o to the link phase.

Jeff
Re: Is PKCS5_PBKDF2_HMAC() thread safe?
On Mon, Nov 26, 2012 at 5:59 PM, Bill Durant cipherte...@gmail.com wrote:
> Hello:
>
> Is PKCS5_PBKDF2_HMAC() thread safe?

See "Is OpenSSL thread-safe?" under the PROG section: http://www.openssl.org/support/faq.html.

Jeff
Re: What is Secure Renegotiation and why is it used, and how to have the client adapt to it?
> I need to know, first, what Secure Renegotiation is, and then, if it is a legitimate way to configure a secure server, why it is used.

Secure Renegotiation is a variant of the original negotiation supplied in SSL way back when. There were two separate issues in renegotiation. First was an authentication gap, and second was a DoS by the folks at THC (the latter is disputed by libraries such as OpenSSL and NSS).

The authentication gap can be found all over the web by searching for TLS Authentication Gap. Also see CVE-2009-3555 and http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

The group THC released a DoS tool. See CVE-2011-1473, CVE-2011-5094, and http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html.

You can find the details of the steps taken in Secure Renegotiation at https://tools.ietf.org/rfc/rfc5246.txt.

I don't allow renegotiation in code under my purview. I don't want a connection starting out secure, and then change to insecure via choice of weak/wounded ciphers. It also adds extra, useless code that has been exploited in the past. But that's just my opinion.

> need to know what needs to be done to have a client application adapt to it. Firefox seems to have no problem with it, but my Perl programs that actually use the server in question do appear to have a problem with it.

To support it, a client needs to be compliant. Is your PERL client up to date? If so, have the PERL maintainers kept its gear up to date with the latest standard?

> And it isn't feasible for me to muck around with the server because I do not have that kind of access (it is owned/managed by another company).

They probably told you they have a patch policy and keep their servers up to date, too.

Jeff

On Thu, Nov 29, 2012 at 2:24 PM, Ted Byers r.ted.by...@gmail.com wrote:
> Please consider the following output:
>
> C:\Work>openssl s_client -connect secure.theserver.com:443
> Loading 'screen' into random state - done
> CONNECTED(00F0)
> write:errno=10054
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 321 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
>
> The same command, getting Google's home page over SSL produces the following:
>
> C:\Work>openssl s_client -connect www.google.com:443
> Loading 'screen' into random state - done
> CONNECTED(00F0)
> depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
>    i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> ---
> Server certificate
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 2130 bytes and written 443 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-RC4-SHA
>     Session-ID: 5930A80165EBF4CDA0199A366CB1232C54B4F70B3CEE0690561A9514AB8A27EB
>     Session-ID-ctx:
>     Master-Key: A107E655BBC4DC3E28B81CA9986414F2D56E942590F794822EC435D3F907C45C7E93D866DF3D082DBE3573278899648D
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 100800 (seconds)
>     TLS session ticket:
>     - c5 c4 5c ba a7 ff ca
Re: Issue with OpenSSL in multithreaded environment
On Thu, Nov 29, 2012 at 9:57 AM, Staneva, Yana ysten...@micros.com wrote:
> Help please. I have a Win32 application (service) that loads several dlls that make OpenSSL calls. Also there is a separate dll that takes care of the OpenSSL initialization (thread setup, SSL_library_init(), SSL_CTX_new() ). I’ve followed the samples online on how to do the thread setup, so I have the following:
>
> #define MUTEX_TYPE HANDLE
> #define MUTEX_SETUP(x) (x) = CreateMutex( NULL, FALSE, NULL )
> #define MUTEX_CLEANUP(x) CloseHandle(x)
> #define MUTEX_LOCK(x) WaitForSingleObject( (x), INFINITE )
> #define MUTEX_UNLOCK(x) ReleaseMutex(x)
> #define THREAD_ID GetCurrentThreadId()

Don't use these macros. On Windows, you must check return values (that's non-negotiable). WaitForSingleObject is especially egregious because it could lead to corruption. For example, if you accidentally close the Mutex, WaitForSingleObject will return ERROR_INVALID_HANDLE rather than the expected WAIT_OBJECT_0.

Boost is another offender. It ignores return values and suffers races in its threading gear. Be very careful if you are using that library on Windows.

I can't explain all the defective code circulating. Folks must all be copy/pasting the same junky code.

Jeff
Re: Issue with OpenSSL in multithreaded environment
On Fri, Nov 30, 2012 at 12:24 PM, NuSkooler nuskoo...@gmail.com wrote:
> I think responses like this would be much more helpful without the FUD.

I have no fear since I don't suffer uncertainty. The macros are broken.

> WaitForSingleObject() and WaitForMultipleObjects() return WAIT_ABANDONED if the mutex has been closed. WAIT_OBJECT_0 would only be expected if you didn't read the documentation.

Bullshit. Write some negative tests and see what you get back. You will get everything from WAIT_FAILED to ERROR_INVALID_HANDLE. I suggest you both do so before utilizing these functions.

> Also, I'm not aware of any such race conditions in Boost. Perhaps in very old versions, but the threading library is solid. Again, you probably want to read the documentation before utilizing.

OK. Here's a list of report numbers I filed against them last year when I was auditing Boost for inclusion in another project: 5826, 5827, 5829, 5830, 5831, 5833, 5834, 5835, 5836, 5837, 5838, 5839, 5840, 5841, 5842, 5843, 5844, and 5845. I uploaded an image for you: http://img829.imageshack.us/img829/5563/boostreport.jpg.

I would be happy to reject your code too if you are practicing the same sloppy programming techniques. I don't discriminate.

Jeff

> On Fri, Nov 30, 2012 at 9:03 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Thu, Nov 29, 2012 at 9:57 AM, Staneva, Yana ysten...@micros.com wrote:
>>> #define MUTEX_TYPE HANDLE
>>> #define MUTEX_SETUP(x) (x) = CreateMutex( NULL, FALSE, NULL )
>>> #define MUTEX_CLEANUP(x) CloseHandle(x)
>>> #define MUTEX_LOCK(x) WaitForSingleObject( (x), INFINITE )
>>> #define MUTEX_UNLOCK(x) ReleaseMutex(x)
>>> #define THREAD_ID GetCurrentThreadId()
>>
>> Don't use these macros. On Windows, you must check return values (that's non-negotiable). WaitForSingleObject is especially egregious because it could lead to corruption. For example, if you accidentally close the Mutex, WaitForSingleObject will return ERROR_INVALID_HANDLE rather than the expected WAIT_OBJECT_0.
>>
>> Boost is another offender. It ignores return values and suffers races in its threading gear. Be very careful if you are using that library on Windows.
>>
>> I can't explain all the defective code circulating. Folks must all be copy/pasting the same junky code.
Re: Issue with OpenSSL in multithreaded environment
On Fri, Nov 30, 2012 at 1:42 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Fri, Nov 30, 2012 at 12:24 PM, NuSkooler nuskoo...@gmail.com wrote:
>> I think responses like this would be much more helpful without the FUD.
>
> I have no fear since I don't suffer uncertainty. The macros are broken.
>
>> WaitForSingleObject() and WaitForMultipleObjects() return WAIT_ABANDONED if the mutex has been closed. WAIT_OBJECT_0 would only be expected if you didn't read the documentation.
>
> Bullshit. Write some negative tests and see what you get back. You will get everything from WAIT_FAILED to ERROR_INVALID_HANDLE.

#include <windows.h>
#include <stdio.h>

int main(int argc, char* argv[])
{
    /* Deliberately invalid handle: the MUTEX_LOCK macro above never checks the result. */
    HANDLE mutex = NULL;
    DWORD dwRet = WaitForSingleObject(mutex, INFINITE);
    DWORD dwErr = GetLastError();
    printf("Result = %d, Error = %d\n", dwRet, dwErr);
    return 0;
}

Results in Result = -1, Error = 6. That's WAIT_FAILED and INVALID_HANDLE_VALUE.

Jeff
Re: How to over-ride SSL_CTX_use_PrivateKey_file() behavior with custom engine
On Fri, Dec 7, 2012 at 5:05 AM, LN lnicu...@yahoo.com wrote:
> ...
>> MS CAPI has an option to mark a private key as exportable when you create or install it, which means that the private key can then be read anyway, but I don't know if that feature is used by the OpenSSL CAPI Engine. It is almost always a good idea NOT to mark private keys as exportable. Note that whatever is decided when the private key is first stored by CAPI will be permanent (There is a 3 step workaround for making an exportable key non-exportable, but any ability to go the other way would compromise security just by being possible).
>
> Indeed, private keys are not exportable as long as they are not marked as such when the certificate is imported in the windows store. Unfortunately, I am forced to use boost::asio::ssl which (AFAIK) does not integrate with CAPI engine so I cannot ask it to sign or decrypt communication. Anyway, seems more secure, then, to have the private key in a file encrypted with a password, than keeping it in the windows store, if I want to pass it to OpenSSL (through boost::asio::ssl) :)

Keys should be stored in DPAPI. See Howard and LeBlanc's Writing Secure Code, Chapter 9 (http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228).

I'm afraid to ask where Boost is storing them. But I do have a morbid curiosity: would you happen to know?

Jeff
FIPS and Symbol Renaming (OpenSSL FIPS Object Module v2.0)
Hi All,

On page 133 of the User Guide 2.0 for the OpenSSL FIPS Object Module v2.0, the document (book?) talks about symbol renaming. The discussion occurs in Appendix I, API Entry Points by Source File, and the text is below.

Why does symbol renaming occur?

Jeff

Symbol renaming: Some symbol names as defined in the source code are dynamically redefined at build time. This API documentation shows both the original (source code) and build time (object code) symbol names, for instance:

    FIPS_bn_bn2bin (renames BN_bn2bin) in file ./crypto/bn/bn_lib.[o|c]

which indicates that the FIPS_bn_bn2bin() function as seen in the compiled code (./crypto/bn/bn_lib.o) is found in the source code as function BN_bn2bin() in source file ./crypto/bn/bn_lib.c.
Re: genrsa question how secure is the random creation
On Tue, Dec 11, 2012 at 6:27 PM, redpath redp...@us.ibm.com wrote:
> When using this command
>
> openssl genrsa -out test.pem 2048
>
> an RSA pair is created. It's not so much I want to know how a pair is randomly selected but how secure is that random selection.

It depends. In theory, the way entropy is gathered and managed is enough. In practice, there are practical problems:

Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, https://factorable.net/paper.html

The authors then went on to break secure channels between traffic reporting systems and cell phones:

Traffic sensor flaw that could allow driver tracking fixed, http://www.csoonline.com/article/723229/traffic-sensor-flaw-that-could-allow-driver-tracking-fixed

> Random number generators are a series and this selection could be followed for brute force deciphering.

There are ways other than brute forcing. I would bet Nadia Heninger, Zakir Durumeric, Eric Wustrow, and Alex Halderman did not brute force their break of the traffic system.

Linux 3.x kernels have entropy starvation issues due to decisions to stop using IRQ interrupts (removal of the IRQF_SAMPLE_RANDOM flag, without an alternative to gather entropy). The 2.x kernels start weak, but improve over time.

Bottom line: use an Entropy Key (http://www.entropykey.co.uk/), HSM or other hardware to get your RNG/PRNG in good working order quickly. You can go to random.org and it will likely be an improvement.

Jeff
Re: genrsa question how secure is the random creation
On Wed, Dec 12, 2012 at 12:39 PM, Salz, Rich rs...@akamai.com wrote:
> Until someone breaks the website, spoofs it, buys out the owner, etc.

Q2.4: Are the numbers available in a secure fashion?

Yes, since April 2007 you can access the server via https://www.random.org/ I should probably note that while fetching the numbers via secure HTTP would protect them from being observed while in transit, anyone genuinely concerned with security should not trust anyone else (including RANDOM.ORG) to generate their cryptographic keys.

Yeah, we need a fingerpaint program for all those mobile devices (seriously!). Upon first boot (or after reset), the user has to finger paint something to get the RNG/PRNG some entropy. (http://groups.google.com/group/android-security-discuss/browse_thread/thread/71c6ab0081c70e9c)

Also relevant: When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography, www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf. Hedging extracts entropy from the peer during key exchange and uses the extracted entropy to improve the localhost's state.

Jeff
Re: Need help in loading private key for ECDSA
On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele gangele...@gmail.com wrote:
> Hi i tried to load private key into 224 curve for ecdsa and I am getting the below error.
>
> EC_KEY_check_key failed: error:100B1043:lib(16):func(177):reason(67).
>
> Below is my function to load the key. Can anybody guide me?

$ openssl errstr 100B1043
error:100B1043:elliptic curve routines:EC_KEY_check_key:passed a null parameter

I have not really been following this thread, so please forgive my dumb questions.

Are you using a NIST curve? If I recall correctly, OpenSSL only supports some (all?) NIST curves. If you are trying to use Bernstein's Curve-25519 (or an arbitrary curve), I don't believe it will work.

How did you generate the private key (the exponent) and public key (point on the curve)?

Jeff
Re: Help in loading EC_KEY
On Thu, Dec 13, 2012 at 4:04 AM, jeetendra gangele gangele...@gmail.com wrote:
> Hi, I am trying to sign the data using the EC-DSA algorithm. I have the private key to sign the data and I could load it using EC_KEY_set_private_key. But when I check the loaded key it's failing with the error code below.
>
> error:100B1043:lib(16):func(177):reason(67)
> EC_KEY_check_key failed:
>
> That means the key is not proper. I am trying to use the curve NID_secp224r1.
> ...
>
>     if(NULL == pub_key)
>         printf("pub failed");
>
>     if (!EC_KEY_check_key(pkey)) {
>         printf("EC_KEY_check_key failed:\n");
>         printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
>     }

Is it pub_key or pkey?

Jeff
Re: Need help in loading private key for ECDSA
On Thu, Dec 13, 2012 at 7:21 PM, Dave Thompson dthomp...@prinpay.com wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton
>> Sent: Thursday, 13 December, 2012 16:31
>>
>> On Thu, Dec 13, 2012 at 12:34 AM, jeetendra gangele gangele...@gmail.com wrote:
>> snip
> ...
> Nit: the primitive operation in ECC is called addition and the iterated form multiplication, so the private key value is called a multiplicand. Unlike RSA and DH, where multiplication in Z_n is iterated to give exponentiation.

Yes, being lazy. Thanks.
Re: blowfish-cbc: what to save?
On Sat, Dec 15, 2012 at 12:21 PM, Markus Wernig liste...@wernig.net wrote:
> ...
> After encrypting multiple files with blowfish-cbc and distinct IV for each file, do I need to keep the IVs secret?

It depends on your security posture. IVs are considered public parameters, so there is usually no need to keep them secret. Some folks argue the case of keeping them secret.

Jeff

> On 12/12/2012 05:56 PM, Markus Wernig wrote:
>> Hi all
>>
>> Thanks for the swift replies.
>>
>> On 12/11/2012 11:51 AM, Jakob Bohm wrote:
>>>> - With a given key being reused for all encrypted files, the IV from my understanding is central to the strength of the encryption. So a unique random IV needs to be used for each file. Does this mean that for every file I have to record the IV in order to decrypt it later? Or is my understanding wrong?
>>>
>>> Yes, you need to know the IV to decrypt correctly, and it should not be predictable by anyone without the key, but it does not need to be secret.
>>
>> Is that also true after encryption? So I can just store the IV in plain together with the encrypted file and it will not lessen the encryption's strength? My gut feeling (very uneducated ;-) tells me that this could allow an attack on the crypttext to somebody with access to the files.
Re: Support for 448 bit hash value generation in openssl.
On Mon, Dec 17, 2012 at 11:16 PM, jeetendra gangele gangele...@gmail.com wrote:
> Hi,
>
> Do we have support for 448 bit hash value generation in openssl? I looked into the header file and I did not find a function related to that. Actually I need to compute a shared key for ecdh and that should be 56 Bytes long. I could generate the 20 byte or 32 bytes but I need 56 bytes only.

448 bits is 56 bytes. You will have to use a smaller hash and iterate in a KDF-like fashion; or a larger hash and truncate.

Jeff
Re: Support for 448 bit hash value generation in openssl.
On Mon, Dec 17, 2012 at 11:50 PM, jeetendra gangele gangele...@gmail.com wrote:
> You mean to say I can generate 64 bytes and then I can ignore the last 8 bytes? So I will get 56 bytes. This value then I have to use as secret key for ECDH

https://www.google.com/#q=truncated+hash

Be careful of ECDH because it's anonymous or non-authenticated. NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, might help guide you.

Jeff

> On 18 December 2012 09:57, Jeffrey Walton noloa...@gmail.com wrote:
>> On Mon, Dec 17, 2012 at 11:16 PM, jeetendra gangele gangele...@gmail.com wrote:
>>> Hi,
>>>
>>> Do we have support for 448 bit hash value generation in openssl? I looked into the header file and I did not find a function related to that. Actually I need to compute a shared key for ecdh and that should be 56 Bytes long. I could generate the 20 byte or 32 bytes but I need 56 bytes only.
>>
>> 448 bits is 56 bytes. You will have to use a smaller hash and iterate in a KDF-like fashion; or a larger hash and truncate.
Re: Support for 448 bit hash value generation in openssl.
On Tue, Dec 18, 2012 at 3:24 AM, Matt Caswell (fr...@baggins.org) fr...@baggins.org wrote:
> On 18 December 2012 05:30, jeetendra gangele gangele...@gmail.com wrote:
>> Ok, can you explain to me how ec_compute_key works and especially this last argument. Why does it need a hash value to calculate the secret key? I need to generate the 56 Bytes shared key.
>
> A KDF (Key Derivation Function) is typically used to generate a secret key from some other input which does not exhibit the properties necessary for direct cryptographic use, e.g. perhaps it would not pass statistical randomness tests. If you need 56 bytes then you could use a hash function that outputs at least that many bits, e.g. SHA512

You actually have to be careful during the truncation. See, for example, Kelsey's presentation at csrc.nist.gov/groups/ST/hash/documents/Kelsey_Truncation.pdf. While collisions on truncated hashes are more of a concern for documents and signing, collisions on truncation in key derivation violate or betray the uniqueness that NIST is trying to impart into agreement protocols via domain parameters (see, for example, SP800-56).

Rather than a simple hash, it might be better to use an HMAC where the truncated size is also fed into the HMAC. The HMAC acts more like a PRF (provably), and the length parameter helps remove Near Collisions and Related Hash Outputs.

Jeff
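The two derivations discussed across this thread (hash-and-truncate versus an HMAC with the output length fed in), as an added example that is not from the thread or from OpenSSL: the shared secret is a constructed placeholder, and the SP 800-108 style label/context layout is an assumption.

```python
import hashlib
import hmac

# Constructed placeholder standing in for an ECDH shared secret (not a real key).
SHARED_SECRET = bytes.fromhex("0123456789abcdef" * 4)


def truncated_hash_kdf(secret: bytes, out_len: int, hash_name: str = "sha512") -> bytes:
    """Hash once and keep the first out_len bytes (the 'larger hash and
    truncate' option). Two lengths from the same secret are prefix-related."""
    digest = hashlib.new(hash_name, secret).digest()
    if out_len > len(digest):
        raise ValueError("requested key is longer than one hash output; iterate instead")
    return digest[:out_len]


def hmac_counter_kdf(secret: bytes, out_len: int, label: bytes = b"ecdh-key",
                     context: bytes = b"", hash_name: str = "sha256") -> bytes:
    """Counter-mode KDF over HMAC in the style of SP 800-108 (assumed layout):
    block i = HMAC(secret, [i]_32 || label || 0x00 || context || [L]_32),
    where L is the requested output length in bits. Because L is part of every
    HMAC input, a 56-byte key and a 64-byte key derived from the same secret
    are unrelated rather than one being a prefix of the other."""
    block_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-out_len // block_len)  # ceiling division
    length_bits = (out_len * 8).to_bytes(4, "big")
    out = bytearray()
    for counter in range(1, n_blocks + 1):
        msg = counter.to_bytes(4, "big") + label + b"\x00" + context + length_bits
        out += hmac.new(secret, msg, hash_name).digest()
    return bytes(out[:out_len])


def outputs_prefix_related(kdf, secret: bytes, short_len: int, long_len: int) -> bool:
    """True when the shorter derivation is a prefix of the longer one, i.e. the
    two keys are the kind of related outputs the thread warns about."""
    return kdf(secret, short_len) == kdf(secret, long_len)[:short_len]


if __name__ == "__main__":
    print("truncated SHA-512, 56 vs 64 bytes related:",
          outputs_prefix_related(truncated_hash_kdf, SHARED_SECRET, 56, 64))
    print("HMAC counter KDF, 56 vs 64 bytes related:",
          outputs_prefix_related(hmac_counter_kdf, SHARED_SECRET, 56, 64))
    print("56-byte key:", hmac_counter_kdf(SHARED_SECRET, 56).hex())
```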
Re: fipscanister with assembly language optimization and non-SSE2 capable processors?
On Tue, Dec 18, 2012 at 11:15 PM, Bill Durant cipherte...@gmail.com wrote:
> Is it not possible to build a FIPS-capable OpenSSL with assembly language optimization enabled in the fipscanister that works under non-SSE2 capable processors?
>
> On SUSE Linux Enterprise Server 10, I have built the fipscanister with assembly language optimization enabled as follows:
>
> ./config fipscanisterbuild
>
> Next I built a FIPS-capable OpenSSL using this fipscanister. And then I built a simple application that just calls FIPS_mode_set(1) to enable FIPS mode. When I run that app on a system with a processor that lacks support for the SSE2 instruction set, I get the following error:
>
> SSL: 0:755466380:fips.c:319:0:error:2D07808C:lib(45):func(120):reason(140)
>
> But when I build the fipscanister *without* assembly language optimization enabled as follows:
>
> ./config fipscanisterbuild no-asm
>
> The same app works fine and FIPS mode can be enabled.
>
> Per code inspection of the OpenSSL sources, it appears like the following code is the one that prevents FIPS enabling (in fips/fips.c):
>
> #ifdef OPENSSL_IA32_SSE2
>     {
>     extern unsigned int OPENSSL_ia32cap_P[2];
>     if ((OPENSSL_ia32cap_P[0] & (1<<25|1<<26)) != (1<<25|1<<26))
>         {
>         FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,FIPS_R_UNSUPPORTED_PLATFORM);
>         fips_selftest_fail = 1;
>         ret = 0;
>         goto end;
>         }
>     OPENSSL_ia32cap_P[0] |= (1<<28);        /* set "shared cache" */
>     OPENSSL_ia32cap_P[1] &= ~(1<<(60-32));  /* clear AVX */
>     }
> #endif
>
> And BTW, building the FIPS-capable OpenSSL with the no-sse2 option as follows does not fix the issue:
>
> ./config fips --prefix=$FIPSDIR no-sse2 no-idea no-mdc2 no-rc5 shared
>
> The problem is with the fipscanister itself. It needs to be built with assembly language optimization disabled in order to get into FIPS mode under non-SSE2 processors.
>
> So how to build a FIPS-capable OpenSSL with assembly language optimization enabled in the fipscanister that works under non-SSE2 capable processors? Is that not possible?

No (first question); Yes (second question) (if I count questions correctly).

From the User Guide 2.0 (page 24-25):

Note that for x86 there are three possible optimization levels:
1. No optimization (plain C)
2. SSE2 optimization
3. AES-NI+PCLMULQDQ+SSSE3 optimization

Note that other theoretically possible combinations (e.g. AES-NI only, or SSE3 only) are not enabled individually, so that a processor which does not support all three of AES-NI, PCLMULQDQ, and SSSE3 will fall back to using only SSE2 optimization.

Jeff
Re: RSA_private_decrypt function takes longer time.
On Mon, Dec 24, 2012 at 12:35 AM, Tayade, Nilesh nilesh.tay...@netscout.com wrote:
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
>> Sent: Friday, December 21, 2012 8:23 PM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_private_decrypt function takes longer time.
>>
>> On 12/21/2012 1:13 PM, Tayade, Nilesh wrote:
>> SNIP
> Is the conversion supported by openssl utility (e.g. the way we convert .PEM to PKCS8 format: openssl pkcs8 -topk8 -in <PEM file> -out <PKCS8 format file>)? Does openssl support PEM to CRT conversion? I did not get any direct command for this conversion.

I believe you also need -inform and -outform. For example:

$ openssl genrsa -out rsa-openssl.pem 3072
$ openssl pkcs8 -nocrypt -in rsa-openssl.pem -inform PEM -topk8 -outform DER -out rsa-openssl.der

Folks like Jakob or David likely have a one liner. My notes are kind of old, and this always worked for me.

Here's the syntax for X.509 in case you need it:

$ openssl genrsa -out rsa-openssl.pem 3072
$ openssl rsa -in rsa-openssl.pem -pubout -outform DER -out rsa-openssl.der

Jeff
Re: RSA_private_decrypt function takes longer time.
On Mon, Dec 24, 2012 at 1:54 AM, Tayade, Nilesh nilesh.tay...@netscout.com wrote:
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
>> Sent: Monday, December 24, 2012 11:25 AM
>> To: openssl-users@openssl.org
>> Subject: Re: RSA_private_decrypt function takes longer time.
>>
>> [...]
>>
>> On 12/21/2012 1:13 PM, Tayade, Nilesh wrote:
>> SNIP
>> Is the conversion supported by openssl utility (e.g. the way we convert .PEM to PKCS8 format: openssl pkcs8 -topk8 -in <PEM file> -out <PKCS8 format file>)? Does openssl support PEM to CRT conversion? I did not get any direct command for this conversion.
>>
>> I believe you also need -inform and -outform. For example:
>>
>> $ openssl genrsa -out rsa-openssl.pem 3072
>> $ openssl pkcs8 -nocrypt -in rsa-openssl.pem -inform PEM -topk8 -outform DER -out rsa-openssl.der
>>
>> Folks like Jakob or David likely have a one liner. My notes are kind of old, and this always worked for me.
>>
>> Here's the syntax for X.509 in case you need it:
>>
>> $ openssl genrsa -out rsa-openssl.pem 3072
>> $ openssl rsa -in rsa-openssl.pem -pubout -outform DER -out rsa-openssl.der
>
> Sorry to contact you in person. Just to confirm, do you mean .der format is same as Chinese remainder format of private key?

No problem. Taking it public again ;)

Not sure. The format we use is described in PKCS #1 (IIRC). What you are referring to - CRT and dP, dQ, pInv, and qInv - are the private key Representation 2 from Section 3.2 RSA Private Key (ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.pdf). But I would not expect it to be available.

Once you have a RSA Private Key, use `dumpasn1` and you will know for sure. `openssl asn1parse` will also do it, but I use Gutmann's utility.

If it's not representation two, then see RSA CRT key?, https://groups.google.com/d/msg/sci.crypt/0ijgmfeBZOM/1h5NC9-7ZRsJ and RSA Converter, http://rsaconverter.sourceforge.net.

Jeff
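What `dumpasn1` or `openssl asn1parse` would reveal about the key, as an added example that is not from the thread or from OpenSSL: it encodes a toy PKCS #1 RSAPrivateKey in DER with and without the Representation 2 CRT fields (dP, dQ, qInv), parses it back with a minimal DER reader, and checks that CRT decryption agrees with plain m = c^d mod n. The 61/53 primes are a constructed toy key, not a usable one, and the code assumes Python 3.8+ for pow(x, -1, m).

```python
# Toy RSA parameters (constructed; far too small for any real use).
TOY_P, TOY_Q, TOY_E = 61, 53, 17

# Field order of a PKCS #1 RSAPrivateKey SEQUENCE.
RSA_FIELDS = ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def rsa_private_key_der(p: int, q: int, e: int, with_crt: bool = True) -> bytes:
    """Encode an RSAPrivateKey. with_crt=False drops the Representation 2
    fields to mimic a key that carries only (n, d) for the private operation."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q]
    if with_crt:
        fields += [d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_sequence(*(der_integer(v) for v in fields))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_len = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(der: bytes) -> dict:
    """Minimal reader for the SEQUENCE-of-INTEGER layout of RSAPrivateKey."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single top-level SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected an INTEGER element")
        values.append(int.from_bytes(raw, "big"))
    return dict(zip(RSA_FIELDS, values))


def has_crt_params(key: dict) -> bool:
    """The question from the thread: does this key carry dP, dQ and qInv?"""
    return all(name in key for name in ("dP", "dQ", "qInv"))


def decrypt_plain(key: dict, c: int) -> int:
    return pow(c, key["d"], key["n"])


def decrypt_crt(key: dict, c: int) -> int:
    """Garner's recombination: two half-size exponentiations, which is why
    the private operation is faster when the CRT fields are present."""
    m1 = pow(c, key["dP"], key["p"])
    m2 = pow(c, key["dQ"], key["q"])
    h = (key["qInv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


if __name__ == "__main__":
    der = rsa_private_key_der(TOY_P, TOY_Q, TOY_E)
    key = parse_rsa_private_key(der)
    print("DER:", der.hex())
    print("CRT params present:", has_crt_params(key))
    c = pow(42, key["e"], key["n"])
    print("plain:", decrypt_plain(key, c), "crt:", decrypt_crt(key, c))
```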
Re: User Guide 2.0 (OPENSSLDIR )
On Mon, Dec 24, 2012 at 9:11 PM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi Steve,
>
> What is the expectation of OPENSSLDIR when building the FIPS Object Module and FIPS Capable OpenSSL? Users are usually allowed to modify the environment (within reason). Do users expect that OPENSSLDIR will be honored and 'properly' wired into --openssldir when configuring the FIPS gear?
>
> The User Guide 2.0 does not address the question.

Motivation: should setenv-ios.sh include the following logic?

  #
  # Pick up $OPENSSLDIR if it is used and the directory exists
  # Tim/Steve: do we want this?
  #if [ -n "$OPENSSLDIR" ] && [ -d "$OPENSSLDIR" ]; then
  #  INSTALL_DIRECTORY_BASE=$OPENSSLDIR
  #fi

Jeff
OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend
Hi All,

I'm having a problem building on Mac OS X (2012 MBP, OS X 10.8, Xcode 4.5). The target is iOS, but this appears to be a host problem.

Apple lacks DTLS, SCTP, and friends, so I needed to ./config with -no-dtls. That required a `make depend` cycle. `makedepend` is missing, so that resulted in an error:

  openssl-1.0.1c jwalton$ make depend
  making depend in crypto...
  ../util/domd: line 30: makedepend: command not found
  mv: Makefile.new: No such file or directory
  make[1]: *** [depend] Error 127
  make: *** [depend] Error 1

  $ find /usr/ -name makedepend 2>/dev/null
  $ find /bin/ -name makedepend 2>/dev/null
  $ find /Applications/Xcode.app/ -name makedepend 2>/dev/null
  $ man makedepend
  No manual entry for makedepend

I fetched `makedepend` from FreeDesktop.org (http://xorg.freedesktop.org/releases/individual/util/). It would not build due to missing dependencies. Ad infinitum.

INSTALL.MacOSX would be kind of funny if this wasn't a stopper for me :)

How are folks building on Mac OS X?

Jeff
Re: OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend
On Tue, Dec 25, 2012 at 8:35 AM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi All,
>
> I'm having a problem building on Mac OS X (2012 MBP, OS X 10.8, Xcode 4.5). The target is iOS, but this appears to be a host problem.
>
> Apple lacks DTLS, SCTP, and friends, so I needed to ./config with -no-dtls. That required a `make depend` cycle. `makedepend` is missing, so that resulted in an error:
>
>   openssl-1.0.1c jwalton$ make depend
>   making depend in crypto...
>   ../util/domd: line 30: makedepend: command not found
>   mv: Makefile.new: No such file or directory
>   make[1]: *** [depend] Error 127
>   make: *** [depend] Error 1

Open the Makefile generated by ./config. It's located in the root of openssl-1.0.1x. Scroll down to line 75 or so. Change MAKEDEPPROG=makedepend to:

  MAKEDEPPROG=$(CC) -M

And some things that don't work:

  MAKEDEPPROG=/usr/bin/gcc -M
  MAKEDEPPROG=gcc -M
  MAKEDEPPROG=llv-gcc -M

Jeff
User Guide 2.0 (OPENSSLDIR )
Hi Steve,

What is the expectation of OPENSSLDIR when building the FIPS Object Module and FIPS Capable OpenSSL? Users are usually allowed to modify the environment (within reason). Do users expect that OPENSSLDIR will be honored and 'properly' wired into --openssldir when configuring the FIPS gear?

The User Guide 2.0 does not address the question.

Jeff
Re: User Guide 2.0 (OPENSSLDIR )
On Mon, Dec 24, 2012 at 9:12 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Mon, Dec 24, 2012 at 9:11 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> Hi Steve,
>>
>> What is the expectation of OPENSSLDIR when building the FIPS Object Module and FIPS Capable OpenSSL? [...]
>
> Motivation: should setenv-ios.sh include the following logic? [...]

Please ignore. This message was meant for Steve Marquess.
./config and -no-zlib
Hi All,

Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or is compression available through other libraries?

Jeff
Re: OpenSSL 1.0.1c, Mac OS X, -no-XXX, and [missing] make depend
On Wed, Dec 26, 2012 at 9:57 AM, Ben Laurie b...@links.org wrote:
> On Tue, Dec 25, 2012 at 1:35 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> I fetched `makedepend` from FreeDesktop.org (http://xorg.freedesktop.org/releases/individual/util/). It would not build due to missing dependencies. Ad infinitum.
>
>   $ port search makedepend
>   makedepend @1.0.4 (x11, devel)
>       Create dependencies in makefiles

Ah, thanks Ben. I did not think to try MacPorts.

Jeff
'config' and -no-shared and -no-dso
Hi All,

I'm trying to split hairs on the meanings of -no-shared and -no-dso.

I believe -no-shared means the output of the build process does not include a shared object (*.so, *.dylib, etc). Other build process artifacts, such as static libraries (*.a), will still be produced.

I believe -no-dso means OpenSSL internal calls to functions like dlopen() will always return NULL, regardless of what the real API call would return.

Is that correct? If not, could someone explain it to me?

Thanks,
Jeff
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com wrote:
> i compiled openssl with no-zlib
>
>   ldd client
>     linux-vdso.so.1 => (0x7fff059ff000)
>     libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
>     libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
>     libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
>     libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
>     libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
>     libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
>     /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
>
> it is still using the default libraries; when the client runs in this environment, it suggests 2 compression methods in the handshake (NULL, and )
>
> then I change the LD_LIBRARY_PATH env and run again:
>
>   export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>   ldd client
>     linux-vdso.so.1 => (0x7fff42cfa000)
>     libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000)
>     libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
>     libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
>     libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
>     libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
>     /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
>
> and in this environment (note that libz is missing), the client only suggests 1 compression method (NULL) in the handshake.
>
> So, compiling with no-zlib is not sufficient for turning off compression. It is also required to take specific actions to use the openssl libraries compiled with the no-zlib option at runtime.
>
> I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed regardless of the linkage of zlib, but I haven't tested that proposal yet.

This is bad news.

I believe the redefinition is because I built the FIPS Object Module first according to the Security Policy (give or take). That meant no knob turning whatsoever, and I had to invoke 'configure' with no arguments.

Then, when it came time for FIPS Capable OpenSSL:

  ./config --openssldir=/usr/local/ssl/iphoneos/ --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib -no-shared -no-dso -DSSL_OP_NO_COMPRESSION

which eventually results in:

  ...
  ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- srp_lib.c srp_vfy.c
  making depend in crypto/cmac...
  ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- cmac.c cm_ameth.c cm_pmeth.c
  making depend in ssl...
  In file included from ssl_locl.h:165,
                   from s2_meth.c:59:
  ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
  <command-line>: error: this is the location of the previous definition
  In file included from ssl_locl.h:165,
                   from s2_srvr.c:112:
  ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
  <command-line>: error: this is the location of the previous definition
  In file included from ssl_locl.h:165,
                   from s2_clnt.c:112:
  ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
  <command-line>: error: this is the location of the previous definition
  In file included from ssl_locl.h:165,
                   from s2_lib.c:112:
  ../include/openssl/ssl.h:583:1: error: SSL_OP_NO_COMPRESSION redefined
  <command-line>: error: this is the location of the previous definition
  ... [30 or 50 or so duplicate errors removed] ...
  <command-line>: error: this is the location of the previous definition
  make[1]: *** [depend] Error 1
  make: *** [depend] Error 1

> On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or is compression available through other libraries?
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
> i was going to do this:
>
>   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);

Yeah, it looks like that's the option. I would prefer to remove the code paths all together though. If the code path does not exist, it cannot be executed.

Jeff

> On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com wrote:
>>> i compiled openssl with no-zlib
>>> [...]
>>
>> [...]
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller abaci@gmail.com wrote:
>> i compiled openssl with no-zlib
>> [...]
>
> [...]
>
> Then, when it came time for FIPS Capable OpenSSL:
>
>   ./config --openssldir=/usr/local/ssl/iphoneos/ --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib -no-shared -no-dso -DSSL_OP_NO_COMPRESSION

Doh, SSL_OP_NO_COMPRESSION is a bit masked option, not a preprocessor define.
Re: DH-algorithm using OpenSSL
On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra hemayaminiku...@email.arizona.edu wrote:
> Hello!!
>
> I am implementing DH algorithm using OpenSSL library. My scenario is - using DH key exchange algorithm for key generation and exchange between client and server. Using DSA for two way authentication.
>
> server:

Could be tricky to get right, especially when you need semantic authentication over the process.

> I have generated DH parameters using DH_generate_parameters()
> I have generated the public and private keys using DH_generate_key()

Don't forget to validate the key. If you don't validate a key, you cannot use it. For encryption, that means you don't apply your secret to an unvalidated key; and for signatures, you don't trust the outcome of the verification process.

GnuPG is a special case. They used Lim-Lee primes and they can't be validated without obtaining the unique factorization. I would recommend asking for a key composed of a strong or safe prime or refuse to process their data (but I've always been defensive/paranoid).

> I am using TCP socket programming in c to send the prime generator and ...
> I am getting segmentation fault.

That sounds like a network programming problem. Have you been through W. Richard Stevens' TCP/IP Illustrated or UNIX Network Programming?

Jeff
Re: DH-algorithm using OpenSSL
On Fri, Dec 28, 2012 at 4:32 PM, Hemayamini Kurra hemayaminiku...@email.arizona.edu wrote:
> Thanks for the reply Jeff!!
>
> The problem comes when I try to send the values of prime and publickey to peer. As I am converting BIGNUM to binary and then at the peer the other way round, the parameters are not received properly by the peer!!

Use BSON to package the data. It sounds like it's a presentation layer problem.

Jeff

> On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra hemayaminiku...@email.arizona.edu wrote:
>>> [...]
>>
>> [...]
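Two points in this exchange, validating the peer's public value before using it (the earlier reply) and getting BIGNUM bytes across a socket intact (this one), can be shown in one program. The C below is an added example, not the poster's code and not OpenSSL's API. BN_bn2bin() writes an integer's big-endian bytes with no length, so a receiver cannot know where p ends and g begins unless each value is framed; the example frames each value with a 2-byte length prefix and, on the receiving side, checks that g and y lie in the prime-order subgroup of a constructed toy group (p = 23, q = 11, g = 4). The names wire_put_uint, dh_pub_ok and dh_parse_and_check and all the numbers are the example's own; with real parameters the same check is done on BIGNUMs with DH_check_pub_key().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy group (constructed): safe prime p = 23, q = (p-1)/2 = 11, g = 4 (order q).
 * Values stay below 2^32 so uint64_t arithmetic suffices; real code uses
 * BIGNUM and DH_check_pub_key() and never reimplements this. */

/* b^e mod m for m < 2^32, so that b*b cannot overflow uint64_t. */
static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1, b = b * b % m)
        if (e & 1) r = r * b % m;
    return r;
}

/* Wire framing (this example's own): 2-byte big-endian length, then the
 * integer's minimal big-endian bytes, i.e. exactly what BN_bn2bin() emits.
 * BN_bn2bin() carries no length, hence the prefix. Returns bytes written, 0 on error. */
size_t wire_put_uint(uint8_t *out, size_t cap, uint64_t v) {
    uint8_t tmp[8];
    size_t n = 0;
    do { tmp[n++] = (uint8_t)(v & 0xff); v >>= 8; } while (v);
    if (cap < 2 + n) return 0;
    out[0] = (uint8_t)(n >> 8);
    out[1] = (uint8_t)(n & 0xff);
    for (size_t i = 0; i < n; i++) out[2 + i] = tmp[n - 1 - i];
    return 2 + n;
}

/* Inverse of wire_put_uint(); returns bytes consumed, 0 if the field is
 * truncated, empty, or wider than the 8 bytes this toy can hold. */
size_t wire_get_uint(const uint8_t *in, size_t len, uint64_t *v) {
    if (len < 2) return 0;
    size_t n = ((size_t)in[0] << 8) | in[1];
    if (n == 0 || n > 8 || len - 2 < n) return 0;
    uint64_t x = 0;
    for (size_t i = 0; i < n; i++) x = (x << 8) | in[2 + i];
    *v = x;
    return 2 + n;
}

/* Public-value check for a safe-prime group: reject 0, 1 and p-1 (trivial
 * shared secret) and anything outside the order-q subgroup. */
int dh_pub_ok(uint64_t p, uint64_t q, uint64_t y) {
    if (p < 5 || p >= (1ULL << 32) || q == 0) return 0;
    if (y < 2 || y > p - 2) return 0;
    return modpow(y, q, p) == 1;
}

/* Sender side: frame p, g and y into one message. */
size_t dh_build_msg(uint8_t *out, size_t cap, uint64_t p, uint64_t g, uint64_t y) {
    uint64_t vals[3] = { p, g, y };
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        size_t n = wire_put_uint(out + off, cap - off, vals[i]);
        if (n == 0) return 0;
        off += n;
    }
    return off;
}

/* Receiver side: parse the three fields, then validate g and y before use.
 * Returns 1 only when framing and group checks both pass. */
int dh_parse_and_check(const uint8_t *msg, size_t len,
                       uint64_t *p, uint64_t *g, uint64_t *y) {
    uint64_t *vals[3] = { p, g, y };
    size_t off = 0;
    for (int i = 0; i < 3; i++) {
        size_t n = wire_get_uint(msg + off, len - off, vals[i]);
        if (n == 0) return 0;               /* truncated or malformed field */
        off += n;
    }
    if (off != len) return 0;               /* trailing bytes: framing mismatch */
    if (*p < 5 || (*p & 1) == 0) return 0;  /* toy skips the primality test */
    uint64_t q = (*p - 1) / 2;              /* safe-prime assumption */
    return dh_pub_ok(*p, q, *g) && dh_pub_ok(*p, q, *y);
}

/* Encode, decode and validate, as the two peers would. */
int dh_roundtrip_ok(uint64_t p, uint64_t g, uint64_t y) {
    uint8_t buf[64];
    uint64_t rp, rg, ry;
    size_t n = dh_build_msg(buf, sizeof buf, p, g, y);
    return n != 0 && dh_parse_and_check(buf, n, &rp, &rg, &ry)
        && rp == p && rg == g && ry == y;
}

/* Drop the last byte of a valid message; the receiver must reject it. */
int dh_truncated_rejected(void) {
    uint8_t buf[64];
    uint64_t rp, rg, ry;
    size_t n = dh_build_msg(buf, sizeof buf, 23, 4, 2);
    return n > 1 && !dh_parse_and_check(buf, n - 1, &rp, &rg, &ry);
}

int main(void) {
    uint64_t p = 23, g = 4, y = modpow(g, 6, p);    /* private exponent 6 gives y = 2 */
    printf("y=%llu accepted=%d; y=1:%d y=p-1:%d y=5:%d; truncated rejected=%d\n",
           (unsigned long long)y, dh_roundtrip_ok(p, g, y), dh_roundtrip_ok(p, g, 1),
           dh_roundtrip_ok(p, g, p - 1), dh_roundtrip_ok(p, g, 5), dh_truncated_rejected());
    return 0;
}
```

The y = 5 case is the one the subgroup check exists for: 5 is in range but has order 22 rather than 11, so a peer that accepted it would be working outside the group it believes it is in. Length-prefixing (or a self-describing container such as the BSON suggested above) is what makes the receiver's parse deterministic regardless of how many bytes BN_bn2bin() happened to produce for each value.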
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 6:32 PM, Dr. Stephen Henson st...@openssl.org wrote:
> On Fri, Dec 28, 2012, Jeffrey Walton wrote:
>> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
>>> i was going to do this:
>>>
>>>   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
>>
>> Yeah, it looks like that's the option. I would prefer to remove the code paths all together though. If the code path does not exist, it cannot be executed.
>
> Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use zlib. Since that's the only compression method standardised for SSL/TLS it effectively disables compression for SSL/TLS as a side effect as there are no compression methods available.
>
> If you want to use zlib for other purposes (e.g. the command line option or CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the no-comp option but include zlib or zlib-dynamic.

I think that's what I am looking for. -no-zlib was the proverbial cannon ball killing the fly.

> All of the above options apply to the OpenSSL library only: so an application needs to be linked to that version of OpenSSL to disable compression.
>
> There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable compression for SSL/TLS even if the application is linked against a version of OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL already disables SSL/TLS compression that option has no effect.

Thanks Dr. Henson. I think I need to file a feature request to make SSL_OP_NO_COMPRESSION a macro too so I can use it during preprocessing :o

Jeff
Openssl-1.0.1c and OS X
Hi All,

I'm trying to work through a couple of issues on Mac OS X. The steps are below, all performed in the openssl-1.0.1c/ directory.

The problem with ERR_load_COMP_strings has showed up on at *least* two Apple platforms now. I've also had to fix MAKEDEPEND on two Apple platforms.

Looking through the Makefile and output of the various subdirectories, it looks as if crypto/comp/Makefile is not being invoked because there are no *.o files.

Can anyone advise on a course of action?

Jeff

  $ ./Configure darwin64-x86_64-cc --openssldir=/usr/local/ssl/macosx/ -no-dtls -no-hw -no-comp -no-shared -no-dso
  ...
  [Fix Makefile: MAKEDEPEND=makedepend -> MAKEDEPEND=$(CC) -M]
  $ make depend
  ...
  $ make
  ...
  APPNAME=openssl OBJECTS=openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o \
  LIBDEPS=-Wl,-search_paths_first $LIBRARIES \
  link_app.${shlib_target}
  ( :; LIBDEPS=${LIBDEPS:--Wl,-search_paths_first -L.. -lssl -L.. -lcrypto }; LDCMD=${LDCMD:-cc}; LDFLAGS=${LDFLAGS:--DOPENSSL_THREADS -D_REENTRANT -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM}; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o ${LIBDEPS} )
  Undefined symbols for architecture x86_64:
    _ERR_load_COMP_strings, referenced from:
        _ERR_load_crypto_strings in libcrypto.a(err_all.o)
  ld: symbol(s) not found for architecture x86_64
  clang: error: linker command failed with exit code 1 (use -v to see invocation)
  make[2]: *** [link_app.] Error 1
  make[1]: *** [openssl] Error 2
  make: *** [build_apps] Error 1
Re: Openssl-1.0.1c and OS X
On Sun, Dec 30, 2012 at 8:23 AM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi All,
>
> I'm trying to work through a couple of issues on Mac OS X. The steps are below, all performed in the openssl-1.0.1c/ directory. [...]
>
> Looking through the Makefile and output of the various subdirectories, it looks as if crypto/comp/Makefile is not being invoked because there are no *.o files.
>
> Can anyone advise on a course of action?
>
>   $ ./Configure darwin64-x86_64-cc --openssldir=/usr/local/ssl/macosx/ -no-dtls -no-hw -no-comp -no-shared -no-dso
>   ...
>   [Fix Makefile: MAKEDEPEND=makedepend -> MAKEDEPEND=$(CC) -M]
>   $ make depend
>   ...
>   $ make
>   ...
>   Undefined symbols for architecture x86_64:
>     _ERR_load_COMP_strings, referenced from:
>         _ERR_load_crypto_strings in libcrypto.a(err_all.o)
>   ld: symbol(s) not found for architecture x86_64
>   clang: error: linker command failed with exit code 1 (use -v to see invocation)
>   make[2]: *** [link_app.] Error 1
>   make[1]: *** [openssl] Error 2
>   make: *** [build_apps] Error 1

When I opened Makefile and added 'comp', it built fine (with the 'makedepend' fix):

  # dirs in crypto to build
  SDIRS= \
          objects \
          comp \
          md4 md5 sha mdc2 hmac ripemd whrlpool \
          ...

I can't be the only person turning off compression due to CRIME attacks (thanks SH).

Jeff
Re: ./config and -no-zlib
On Sun, Dec 30, 2012 at 11:06 AM, Dr. Stephen Henson st...@openssl.org wrote:
> On Sat, Dec 29, 2012, Dr. Stephen Henson wrote:
>> On Fri, Dec 28, 2012, Jeffrey Walton wrote:
>>> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller abaci@gmail.com wrote:
>>>> i was going to do this:
>>>>
>>>>   SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
>>>
>>> Yeah, it looks like that's the option. I would prefer to remove the code paths all together though. If the code path does not exist, it cannot be executed.
>>
>> Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use zlib. Since that's the only compression method standardised for SSL/TLS it effectively disables compression for SSL/TLS as a side effect as there are no compression methods available.
>
> Ugh, that'll teach me not to do a make clean first.
>
> Correction: If you use no-comp it will remove the compression library from OpenSSL entirely but due to a bug (fix just committed) you'll get a linker error.

Thanks Doctor.

Does OpenSSL have a web front-end on its version control system so I can copy/paste the relevant changes for the commit? I'm trying to avoid moving too far away from 1.0.1c proper (May 10, 2012) since it is advertised on the download page (http://www.openssl.org/source/).

Jeff
Conditionally Patching output of Makefile from Configure?
Hi All,

While working on Apple with Mac OS X and iOS, I found I needed to patch OpenSSL 1.0.1c's Makefile.

Makefile.org has the following line, and it was copied directly into Makefile by Configure:

  MAKEDEPPROG=makedepend

When the Configure target is iphoneos (cross), iphonesimulator (cross), or macosx (native), I need a different statement:

  MAKEDEPPROG=$(CC) -M

I've looked at Configure, but I have no clue on the best way to handle the support/additions needed.

Can anyone offer some advice?

Jeff
Re: Conditionally Patching output of Makefile from Configure?
On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
> On 30-12-2012 21:01, Jeffrey Walton wrote:
>> Hi All,
>>
>> While working on Apple with Mac OS X and iOS, I found I needed to patch OpenSSL 1.0.1c's Makefile.
>>
>> Makefile.org has the following line, and it was copied directly into Makefile by Configure:
>>
>>   MAKEDEPPROG=makedepend
>>
>> When the Configure target is iphoneos (cross), iphonesimulator (cross), or macosx (native), I need a different statement:
>>
>>   MAKEDEPPROG=$(CC) -M
>>
>> [...]
>
> I have found the script build.sh from https://github.com/st3fan/ios-openssl to work nicely for iOS builds of 1.0.1c with no patching of openssl.
>
> (Admitted, I did adapt the script for our environment)

Thanks Jakob.

If you run the script with an -no-xxx option, how does it perform? For example, try -no-dtls. A quick drive by did not reveal MAKEDEPEND modification.

What I found (using the same tool chain): -no-xxx requires a `make depend`. `make depend` fails on my 10.7 and 10.8 test machines because Apple removed `makedepend` at 10.7.2 or 10.7.3. So I need to cut over to `$(CC) -M`.

Jeff
Re: Conditionally Patching output of Makefile from Configure?
On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
> On 30-12-2012 21:01, Jeffrey Walton wrote:
>> Hi All,
>>
>> While working on Apple with Mac OS X and iOS, I found I needed to patch OpenSSL 1.0.1c's Makefile. [...]
>
> I have found the script build.sh from https://github.com/st3fan/ios-openssl to work nicely for iOS builds of 1.0.1c with no patching of openssl.
>
> (Admitted, I did adapt the script for our environment)

Thanks Jakob.

I got to rest up last night and my mind is fresh (for what that's worth). So here's a more concise request. Keep in mind that Configure is a PERL script, and I have no practical PERL experience.

Configure should test `makedepend`. If `makedepend` succeeds, do nothing. If `makedepend` fails, it should patch the resulting Makefile with `MAKEDEPEND=$(CC) -M` on Apple platforms.

That's the behavior I am looking for.

Configure and the Makefile.org are available online for inspection.

  http://cvs.openssl.org/fileview?f=openssl/Configure&v=1.621.2.37.2.32.2.11
  http://cvs.openssl.org/fileview?f=openssl/Makefile.org&v=1.295.2.10.2.11.2.3

Jeff
Re: Conditionally Patching output of Makefile from Configure?
On Mon, Dec 31, 2012 at 8:39 AM, Jakob Bohm jb-open...@wisemo.com wrote:
> On 12/31/2012 12:39 PM, Jeffrey Walton wrote:
>> On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
>>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>>> ...
>>
>> Configure should test `makedepend`. If `makedepend` succeeds, do nothing. If `makedepend` fails, it should patch the resulting Makefile with `MAKEDEPEND=$(CC) -M` on Apple platforms.
>
> Did you read my second post from last night (the one about me not trusting the $(CC) -M option on OS/X?).

Yes. The process is for OS X 10.6, 10.7, and 10.8. It is not for older versions of Apple tool chains as you indicated in the earlier response.

The worst case is: the replacement of `makedepend` with `$(CC) -M` is lateral. That is, we traded one broken system for another broken system without requiring the user to do a thing. No user intervention is good (during the swap of the known missing `makedepend`).

If that fails, I will point folks to your suggestions (seriously). I have the link saved locally and will provide them with, Please see Jakob Bohm's post at

>> That's the behavior I am looking for.
>>
>> and the Makefile.org are available online for inspection.
>>
>> http://cvs.openssl.org/fileview?f=openssl/Configurev=1.621.2.37.2.32.2.11
>> http://cvs.openssl.org/fileview?f=openssl/Makefile.orgv=1.295.2.10.2.11.2.3
>
> I think this is better done by someone who is already familiar with that piece of code (./Configure) and its design/style.

Agreed :)

Jeff
Re: Using OpenSSL in a makefile?
On Mon, Dec 31, 2012 at 1:58 PM, Walter H. walte...@mathemainzel.info wrote:
> Hello,
>
> why does the following makefile not succeed?
> ...
> I have isolated the problem:
>
>     openssl crl -noout -text -in $< > $@
>
> exits with exit code 1 instead of 0, why?
>
>     openssl crl -noout -text -in $< -out $@
>
> does the same ..., exit code 1 instead of 0

I'm not sure how good a workaround this will be for you (lack of deterministic behavior sucks), but you can place a dash in front of the command and make will ignore errors (or incorrect return codes):

    -openssl crl -noout -text -in $< > $@

Jeff
OpenSSL 1.0.1c and configuring without documentation?
Hi All,

Is it possible to configure a build that does not include documentation? I'm working on Mac OS X, and I have three targets under /usr/local/ssl/ (iphoneos, iphonesimulator, and macosx). There's no reason to install the documentation over top itself multiple times.

Jeff
Re: Conditionally Patching output of Makefile from Configure?
On Mon, Dec 31, 2012 at 7:00 AM, Ben Laurie b...@links.org wrote:
> On Mon, Dec 31, 2012 at 11:39 AM, Jeffrey Walton noloa...@gmail.com wrote:
>> On Sun, Dec 30, 2012 at 3:20 PM, jb-open...@wisemo.com wrote:
>>> On 30-12-2012 21:01, Jeffrey Walton wrote:
>>
>> Configure should test `makedepend`. If `makedepend` succeeds, do nothing. If `makedepend` fails, it should patch the resulting Makefile with `MAKEDEPEND=$(CC) -M` on Apple platforms.
>>
>> That's the behavior I am looking for.
>>
>> and the Makefile.org are available online for inspection.
>>
>> http://cvs.openssl.org/fileview?f=openssl/Configurev=1.621.2.37.2.32.2.11
>> http://cvs.openssl.org/fileview?f=openssl/Makefile.orgv=1.295.2.10.2.11.2.3
>
> According to my reading of Configure (in 1.0.1 at least) it should already change makedepend to $cc, which should be specified by the platform. Not sure why it appears not to!

I'm in a cross-compile environment. Perhaps it's due to grepping for ^gcc, while OS X will have llvm-gcc? It's just speculation since I did not see that in 'config' and 'Configure' when I looked.

Jeff