[openssl-users] OpenSSL - unable to get certificate CRL

2016-10-11 Thread Juergen Edner 
Hi,
I hope you can help me to understand why OpenSSL doesn't act as expected
when I try to verify a certificate chain.
On my server the certificate files are stored in the following
directory structure:

/usr/local/ssl/certs -> certificate files
  /crl   -> CRL files
  /csr   ...
  ...

In both directories symbolic hash links are pointing to the
original files (.0 for certificates, .r0 for CRLs)

When I now execute the following command an "error 3 at 0 depth
lookup:unable to get certificate CRL" error is displayed.

# openssl verify -verbose -CApath /usr/local/ssl/certs -purpose any
-crl_check /usr/local/ssl/certs/cert-to-check.pem

Due to the fact that I couldn't explain this behaviour I used strace
for a deeper analysis and found out the the program searches the CRL
file in the ../certs directory instead of the ../crl one.

...
stat64("/usr/local/ssl/certs/95f6ee89.r0", 0xbfc2f3ac) = -1 ENOENT
(No such file or directory)
..

For test purposes I've created the symbolic link to the CRL at the
given location and the verification succeed and shows "OK".

Can anyone tell me if this is the normal behaviour or how I could
force OpenSSL to search the CRLs in the right directory?  Is there
any entry in the openssl.cnf file missing?

Thanks
Juergen
-- 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Porting to OpenSSL 1.1

2016-10-11 Thread Dr. Stephen Henson 
On Tue, Oct 11, 2016, Bernhard Rosenkraenzer wrote:

> 
> 
> Also from Qt 5.7:
> rsa = RSA_new();
> memcpy(rsa, EVP_PKEY_get1_RSA(pkey), sizeof(RSA));
> [breaks because sizeof(RSA) is no longer known]
> for EC, there's EC_KEY_dup -- for RSA and DSA, not so much.
> 

That wouldn't work because the RSA structure contains pointers and you just
end up copying the "top level". Well it might appear to work but you could end
up accessing freed memory or leaking when the parent structure is freed.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Building an application with OpenSSL and FIPS support.

2016-10-11 Thread Dr. Stephen Henson 
On Mon, Oct 10, 2016, Matthew Heimlich wrote:

> $openssl version
> 
> returns:
> 
> OpenSSL 1.0.2j-fips
> 
> My FIPS module version is openssl-fips-2.0.13
> 
> $OPENSSL_FIPS=1 openssl md5 /dev/null
> 
> returns:
> 
> Error setting digest md5
> 140066569107136:error:060A80A3:digital envelope 
> routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
> 
> $OPENSSL_FIPS=1 openssl sha1 /dev/null
> 
> returns:
> 
> SHA1(/dev/null)= da39a3ee5e6b4b0d3255bfef95601890afd80709
> 
> Do that appears to be working correctly.
> 

Can you give more details of the steps you are using to link your application?

If you're linking to the OpenSSL shared libraries then you don't need to use
fipsld at all. I'd suggest you try that as a first step and see if your
application works.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] socket change with SSL_set_fd

2016-10-11 Thread Salz, Rich 

> Sorry for bumping/reposting, but does have anyone experience with
> changing SSL object's socket on the background?

Is the new socket connected to the exact same process, library, and state on 
the other side?  Then it will probably work (but why)

If you're talking about moving the TLS connection somewhere else, no.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Questions on internal-buffers being used

2016-10-11 Thread Ajay Garg 
Hi All.


a)
In the call,

  int BIO_new_bio_pair(BIO **bio1, size_t
writebuf1, BIO **bio2, size_t writebuf2);

are internal-buffers malloc'ed for each of "bio1" and "bio2"?

If yes, is there a way to pass buffers from the application-layer?
I ask this, because not all systems possess dynamic-memory allocation
(or at least "malloc" is not available on all systems).

b)
Irrespective of the values of "writebuf1" and "writebuf2" in a), I see
that everything works perfect.
So, there's got to be some internal-buffer that manages the complete
ssl-packet, most probably instantiated via the call

  BIO* BIO_new(BIO_f_ssl());

Here too, is it possible to pass the buffer from application-layer
(because of same reasons as above)?


Will be grateful for pointers.

Thanks and Regards,
Ajay
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Questions on internal-buffers being used

2016-10-11 Thread Benjamin Kaduk 
On 10/11/2016 02:06 PM, Ajay Garg wrote:
> Hi All.
>
>
> a)
> In the call,
> int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, BIO **bio2, size_t
> writebuf2); are internal-buffers malloc'ed for each of "bio1" and "bio2"?
> If yes, is there a way to pass buffers from the application-layer? I
> ask this, because not all systems possess dynamic-memory allocation
> (or at least "malloc" is not available on all systems).
> b) Irrespective of the values of "writebuf1" and "writebuf2" in a), I
> see that everything works perfect. So, there's got to be some
> internal-buffer that manages the complete ssl-packet, most probably
> instantiated via the call BIO* BIO_new(BIO_f_ssl());
> Here too, is it possible to pass the buffer from application-layer
> (because of same reasons as above)?


You should be able to produce the desired effect with BIO_new_mem_buf()
(twice) and attaching the resulting BIOs to each other with
BIO_make_bio_pair().

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Is there any tool for verification of cryptography?

2016-10-11 Thread Keonho Lee 
Hi All,

I'd like to verify all of cryptographic algorithms on OpenSSL.
But I could not get any way like tool.
Do you have any tools for this?

BR,
KH.Lee.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] socket change with SSL_set_fd

2016-10-11 Thread Ales Stibal 
Sorry for bumping/reposting, but does have anyone experience with 
changing SSL object's socket on the background?

I would appreciate any feedback.

Thanks,
 Ales

On 7.10.2016 11:05, Ales Stibal wrote:

Hi folks,
I have a small, but important question which affects my project design.

May I change underlying socket for SSL with SSL_set_fd when socket was 
already set and used before?


I believe it should not be problem, since in theory it's just the 
transport channel for OpenSSL where to write, or read from.

Am I correct?

Many thanks,
  Ales



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] socket change with SSL_set_fd

2016-10-11 Thread Viktor Dukhovni 

> On Oct 11, 2016, at 1:56 AM, Ales Stibal  wrote:
> 
> Sorry for bumping/reposting, but does have anyone experience with changing 
> SSL object's socket on the background?
> I would appreciate any feedback.

If it is not documented to work, then you can't rely on it working,
even if it happens to work at present.  If you need a flexible
interface between the SSL layer and the underlying network, consider
the bio pair approach discussed in a recent thread.

It is true that OpenSSL documentation has not been, and still is not,
as comprehensive as it should be.  Nevertheless one should depend only
on documented behaviour.  Where it is clear that the documentation
is failing to describe essential features of the API, please file a
documentation issue on Github, or better yet, where the intent is
clear, contribute a documentation patch (pull-request).

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Porting to OpenSSL 1.1

2016-10-11 Thread Richard Moore 
Hi Bero,

Just based on the questions it sounds like you might be trying to port Qt.
I've already done this, and the branch is here:
https://github.com/richmoore/qtbase/commits/openssl11

It'll be added as a new backend once the configure changes that are
underway are completed. See
https://wiki.qt.io/Qt_Network_Workshop_2016#OpenSSL for a road map (or ask!)

Regards

Rich.


On 10 October 2016 at 23:56, Bernhard Rosenkraenzer  wrote:

> Hi,
> I'm porting some code to OpenSSL 1.1 -- for the most part, it's going
> well, but there's some things I'm not sure about:
>
> - What replaces a direct access to "sha1_hash" in an X509? (found in Qt
> 5.7)
>
> So far, haven't come up with a proper alternative to this. Should the code
> be refactored to use X509_issuer_and_serial_hash (which isn't quite the
> same, but should still give a unique hash)?
> [this is from qHash -- so the purpose really is to get a unique hash of
> the contents]
>
> - What's the best way to copy an EVP_PKEY?
>
> Also from Qt 5.7:
> rsa = RSA_new();
> memcpy(rsa, EVP_PKEY_get1_RSA(pkey), sizeof(RSA));
> [breaks because sizeof(RSA) is no longer known]
> for EC, there's EC_KEY_dup -- for RSA and DSA, not so much.
>
> - What's the proper successor to NETSCAPE_X509? (from kdelibs4support)
> I presume this (the method KSSLCertificate::toNetscape()) can just be
> deleted because nothing should be using Netscape x509 anymore?
>
>
> Outside of those, all problems I've run into so far were fairly easy to
> solve.
>
> ttyl
> bero
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users