RE: UAC related errors on windows 7 64-bit with Application Verifier

2014-02-03 Thread Michael Wojcik
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of mswarna
 Sent: Friday, 31 January, 2014 08:43
 
 We would like to go for windows app certification/Microsoft client logo
 certification. One of the requirements for this is running a tool called
 Application Verifier that comes along with the certification kit. When the
 application is run under this tool with luaPriv (UAC) related tests, 2 errors
 related to UAC were thrown. This basically tests when the user runs
 application with LUA privileges (as standard user).

I've removed the stack trace because it's misleading (for reasons unclear to 
me). As you note below, the Windows API NetStatisticsGet is not called from 
EVP_EncodeBlock, as the trace claims, but from RAND_poll in rand_win.c.

 After going through the OpenSSL code, the root cause may be the use of the
 LanmanServer and LanmanWorkstation services in the NetStatisticsGet call, as
 since Windows Vista they have the UAC concept coming in.

More precisely, NetStatisticsGet is now reserved to administrative users. An 
application running under UAC with asInvoker will not have administrative 
privileges, and consequently cannot successfully invoke NetStatisticsGet.

I think the correct fix for this is to skip the two calls to NetStatisticsGet 
in RAND_poll if the calling thread does not have the Administrators SID in its 
token. There's sample code in the MSDN documentation for the 
CheckTokenMembership API showing how to make that test.

RAND_poll treats the output of the two NetStatisticsGet calls as contributing 
62 bytes of entropy to the pool, but since the calls fail for 
non-administrative users anyway, they're already not getting that entropy. (And 
the existing code does check for failure.)

Since RAND_poll doesn't depend on NetStatisticsGet succeeding, I believe the 
only consequence of this issue is the complaint from Application Verifier. So 
it may not be a high priority for OpenSSL developers. Therefore, you may want 
to implement the check yourself, or simply remove the calls to NetStatisticsGet 
in your own OpenSSL build.

-- 
Michael Wojcik
Technology Specialist, Micro Focus



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
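
The administrator-membership test recommended in the reply above, as an added example; it is not code from the thread or from OpenSSL. The names caller_is_admin, poll_netstats_if_admin and stub_poll are hypothetical, stub_poll is a constructed stand-in for the two NetStatisticsGet calls, and the non-Windows branch exists only so the file builds elsewhere.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 1 if the caller's token has BUILTIN\Administrators enabled, else 0.
 * A deny-only Administrators SID (the filtered token a non-elevated
 * admin gets under UAC) counts as "not a member". */
int caller_is_admin(void)
{
#ifdef _WIN32
    SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
    PSID admins = NULL;
    BOOL is_member = FALSE;

    if (!AllocateAndInitializeSid(&nt_authority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &admins))
        return 0;
    /* NULL handle: use the thread's impersonation token if any,
     * otherwise the process token. */
    if (!CheckTokenMembership(NULL, admins, &is_member))
        is_member = FALSE;
    FreeSid(admins);
    return is_member ? 1 : 0;
#else
    return 0; /* assumption: non-Windows builds have nothing to check */
#endif
}

typedef int (*poll_fn)(void);   /* hypothetical: returns 1 if data was added */

/* Hypothetical gate: only attempt the admin-only poll when it can succeed. */
int poll_netstats_if_admin(poll_fn poll)
{
    return caller_is_admin() ? poll() : 0;
}

/* Constructed stand-in for the two NetStatisticsGet calls in RAND_poll. */
static int g_poll_calls;
static int stub_poll(void) { g_poll_calls++; return 1; }

int main(void)
{
    int added = poll_netstats_if_admin(stub_poll);
    printf("admin=%d polled=%d added=%d\n", caller_is_admin(), g_poll_calls, added);
    return 0;
}
```

On Windows, link against advapi32.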


Using AF_ALG with openssl

2014-02-03 Thread tera tellence
Dear All,

I am trying to build the AF_ALG API to access the kernel cryptographic API on
an Ubuntu machine. I downloaded the AF_ALG open source code and followed
the instructions to compile it. I then copied the shared library into the
openssl engine path. But I have the following error when I tried to test
the lib. Here is the error:

openssl speed -evp aes-128-cbc -engine af
Error configuring OpenSSL
716306368:error:260BC095:engine routines:INT_ENGINE_CONFIGURE:engine
section error:eng_cnf.c:112:
716306368:error:0E07606D:configuration file routines:MODULE_RUN:module
initialization error:conf_mod.c:235:module=engines, value=openssl_engines,
retcode=-1

Can someone throw some light as to what it is indicating to me?


thanks,

Tera


RE: bac record mac alert with openssl 1.0.1e

2014-02-03 Thread Sairam Rangaswamy -X (sairanga - ARICENT TECHNOLOGIES MAURIITIUS LIMITED at Cisco)
Hi,

Any help on this is greatly appreciated.  I have not seen any reply to this 
issue so far, on even how to debug or work around this issue.

Thanks,
R. Sairam

From: Sairam Rangaswamy -X (sairanga - ARICENT TECHNOLOGIES MAURIITIUS LIMITED 
at Cisco)
Sent: 02 February 2014 14:18
To: 'openssl-users@openssl.org'
Subject: bac record mac alert with openssl 1.0.1e

Hi,

I am using openssl 1.0.1e based statically linked libraries on a VxWorks based 
platform. We recently upgraded to FOM 4.1 from FOM 3.0 along with openssl 
1.0.1e.

The embedded node is running this VxWorks based library and has a Java based 
application packaged on the node. We connect to the node from a browser (IE or 
Firefox) and it downloads the jar files from the node and executes on the 
desktop.

Initially it is an https connection, and the jar files get downloaded and 
launched on the desktop. The app itself then sets up an SSL connection to the 
node and the app is used for managing the node.

We get random bad record mac errors (both in the Wireshark capture and reported 
by the browser or Java console) in any of the stages.

I went through the bugs and mailing list archives and found a couple of issues 
and applied those patches. But it is still giving random bad record MAC errors.
http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest - Later 
I realized we are not executing on an AES-NI supported platform and this patch 
only applies to AES-NI capable x86/amd platforms.
Then, I followed another thread that discussed a problem in s3_cbc.c and backed 
out that patch also.
Please see 
https://mailman.archlinux.org/pipermail/arch-commits/2013-February/187691.html

But still I am facing random bad record mac errors and the connection 
terminates. Sometimes, I am not able to connect to the node from any desktop 
browser. Sometimes, other machines connect and only the machine from where I 
see the problem does not connect. The behaviour is completely random and 
sometimes it works fine without any SSL alerts.

I enabled the Err_put_error macro on FIPS (FOM 4.1) and I see these two errors 
on the node console:
: rsa_pk1.c: 192rsa_eay.c: 671. Even with these errors, the SSL is successful 
sometimes and the node is working fine.
From the code, I see this returns -1, and could result in bad record macs? But 
this is during RSA_private_decrypt and not during message decrypt. The ciphers 
we use are TLS 1.1 RSA_AES_128 and RSA_AES_256 ciphers. Another input is that 
this problem is seen only when FIPS mode is enabled on the node.

Any help on this is appreciated. We are in a critical release phase and hit 
this problem at the last minute.

Thanks,
R. Sairam



SSL_CTX_set_tlsext_servername_callback not being called?

2014-02-03 Thread Jeffrey Walton
I've set a servername callback using SSL_CTX_set_tlsext_servername_callback.

SSL_CTX_set_tmp_dh_callback(ctx, edh_cb);
SSL_CTX_set_tlsext_servername_callback(ctx, servername_cb);

I verified the callback was set in the context object:

gdb p *server_ctx
...
client_cert_engine = 0x0,
tlsext_servername_callback = 0x40e787 <servername_cb(SSL*, int*, void*)>,
tlsext_servername_arg = 0x0,
...

I perform the following to connect to the server:

openssl s_client -tls1 -servername localhost -connect localhost:8443

The server accepts, but the callback is not invoked when the server
breaks from accept.

Any ideas what I might be doing wrong?

Thanks in advance.


Forcing an application to use SHA512

2014-02-03 Thread Gnanasekar R
Hi,

I am trying to write a cli-ser app and in that I want to force SHA512 to be
used. I am always seeing SHA1 being used. Is there a way to force that in
the application?

Thanks in advance!