Which ECC curve is being used?

2012-12-11 Thread Salz, Rich
Can I determine which of the built-in ECC curves are being used, just by looking at the SSL structure? Tnx. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Salz, Rich
neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line disappear Redirections happen left-to-right. So do this: >/dev/null 2>&1 Or the simpler 2>/dev/null -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: genrsa question how secure is the random creation

2012-12-12 Thread Salz, Rich
Until someone breaks the website, spoofs it, buys out the owner, etc. Q2.4: Are the numbers available in a secure fashion? Yes, since April 2007 you can access the server via https://www.random.org/ I should probably note that while fetching the numbers via secure HTTP would protect them from

RE: Which ECC curve is being used?

2012-12-16 Thread Salz, Rich
Can you be a bit more specific about what you mean by being used? By default OpenSSL can use any built in ECC curve though it can be limited in range by those of the peer. Support for retrieving the curves used is very limited in released versions of OpenSSL. This has been addressed in HEAD

RE: Which ECC curve is being used?

2012-12-17 Thread Salz, Rich
Thanks for the detailed response, Dave. As the authenticator you know your own cert already. As the verifier you can get the cert and look at it. ... You should be able to know what you configured. In general, yes. But in the context of a large proxy server fronting hundreds of servers and

RE: Which ECC curve is being used?

2012-12-18 Thread Salz, Rich
If you haven't wrapped the OpenSSL struct(s) with your own and you want to remember something(s) about an SSL connection, that's what SSL_{set,get}_ex_data are for. Yes, thanks. I might do that if there's no other option, but an EC_get_NID seems a reasonable thing to want and, if I read

RE: EVP_get_digestbyname and 'standard' signature algorithm names

2013-01-02 Thread Salz, Rich
There are a few places these things are specified -- in the names given to the OID arcs, which means looking in SSL, TLS, CMS, S/MIME, etc. OpenSSL has a pretty complete list of those. Another source is in the URI's for things like XMLDSig and XMLEncryption. Your approach of having an 'alias

RE: RSA_private_decrypt function takes longer time.

2013-01-10 Thread Salz, Rich
True. But HSM claims performance, correctness and security. Jeffrey's point is that you need whole-system security, not just faster crypto. (And your original note didn't say HSM, but implied just an accelerator card.) For example, how do you make sure that only authentic and authorized

RE: How to link openssl FIPS 140-2 object module with openssl binary

2013-01-15 Thread Salz, Rich
I have one question in this. What did you mean by Suite B Algorithms ? Google crypto suite b Or heck, even just suite b /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: Clarifying OpenSSL 0.9.8L Concurrency Support - Can SSL Instances Be Used By Multiple Threads If Done Non-Concurrently?

2013-01-22 Thread Salz, Rich
Reading (writing) over an SSL connection may result in the transport writing (reading). Concurrent use of the same SSL structure will cause things to break. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Is it possible to pass an SSL connection to another process?

2013-02-07 Thread Salz, Rich
Is it possible to serialize/deserialize the current SSL state so that the receiver can continue to handle the connection without the other side noticing? Yes it's possible. Two places to look are the session ticket code within OpenSSL, and the serialize function in Apache module modssl.

RE: Is ordering of distinguished names for subject and issuer in OpenSSl 0.9.8 certificates important?

2013-02-08 Thread Salz, Rich
I think either you mis-read the web page, or the author is confused. Looking at RFC 2253, it quotes X.501 which says: DistinguishedName ::= RDNSequence RDNSequence ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET SIZE (1..MAX) OF AttributeTypeAndValue

RE: eNULL/NULL ciphers -- actually a cipher?

2013-02-12 Thread Salz, Rich
I realise that the eNULL/NULL ciphers add no encryption, but do they just transmit the data as is, or is there some steganography used? If you truly realized they add no encryption, you'd realize the answer to your question. :) /r$ -- Principal Security Engineer Akamai Technology

RE: Failed SSL/HTTP connections via Apache(2.4.3)SSL when going from 1.0.1c to 1.0.1e

2013-02-19 Thread Salz, Rich
Since my goal is a running system with no known security vulnerabilities ... I have a habit of wanting to use the 'latest everything' as I check versions of software on my server once every few weeks. These two items contradict each other. If you want a secure system, you should only

RE: Parsing ocsp response data to locate the correct one

2013-03-05 Thread Salz, Rich
I need to locate the response that is relevant for the certificate of interest Is the usual method to parse each response and match the cert serial number to find the index to the correct ocsp response? Yes. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Does CSR need to be signed with matching private key?

2013-03-05 Thread Salz, Rich
> Hypothetically, what if i have TWO key pairs (PubKey1, PrivKey1, PubKey2, PrivKey2). First thing > i do is move PrivKey1 to another place. Is there a way where I can use PubKey1 to make the CSR > (Without access to PrivKey1), but sign it with PrivKey2 to preserve integrity? If you can

RE: openssl-user - UTF8 characters in configuration file

2013-03-14 Thread Salz, Rich
Hi John! Looking at apps/req.c, it seems you want to use the -utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Help me understand how this should work:

2013-03-28 Thread Salz, Rich
> I guess I need to know what to research to make all of these guys sort of use the same cert. is this what chaining could do for me? Not sure why you need or want a single cert, but if you do then one cert with multiple subjectAltName extensions should do it. /r$ --

RE: how to STORE encrypted string in database

2013-03-28 Thread Salz, Rich
Encrypted data is not a text string, it is an array of binary octets. You will have to do something like base64 encode/decode when treating it as a text string. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Store generated keys for later use on windows

2013-03-29 Thread Salz, Rich
> what is the best way to store keys that will be used by openssl You will find a great many examples of how to do things by reading and understanding the code in the apps directory. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Using libcrypto's RSA code

2013-03-29 Thread Salz, Rich
1) Put a base64-encoded key (the normal one generated by openssl command line tools) into a header file Avoid a step. Base64 decode and using something like od put a binary bytestream into your source. Like unsigned char der_key[] = { 3, 12, 253, } 2) Compile code with this

RE: how to STORE encrypted string in database

2013-04-01 Thread Salz, Rich
> PLZ can someone provide a solution -- to store encrypted text in a database - SQLite?? You might have gotten all the help that the volunteers who read this list are going to give you. If you look through the archives, you might see that people here generally do not post complete source code

RE: How to specify the encryption key without it being visible by ps command?

2013-04-04 Thread Salz, Rich
read -sp Enter path to key: key read -sp Enter IV: iv openssl enc -e -aes256 -K $key -iv $iv -in ... -out ... That doesn't help; the key is STILL in the argv list and can be seen by doing a ps. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: testprogram results in undefined reference to x

2013-04-04 Thread Salz, Rich
Wow, that's a lot of output :) First of all, you need -lssl and -lcrypto. Where did you install the OpenSSL libraries, are they in a common place that your compiler can find? If not, you'll need to add -L/ where is the path to the place where the libraries (libssl.a for example) can

change in x509 -CA in 1.0.1?

2013-04-09 Thread Salz, Rich
One of our developers here has noticed a change in behavior. This pair of commands used to work as expected, but in 1.0.0 and later the resulting cert is self-signed, and not signed by the CA key. openssl req -x509 -days 999 -keyout req.key -out req.pem \ -subj /CN=testme -nodes

RE: Using libcrypto's RSA code

2013-04-17 Thread Salz, Rich
No sane Base64 decoder should care. But the code in crypto/evp/bio_b64.c seems to be stupidly line oriented with small line buffers in an overcomplicated state, when a streaming Base64 encoder/decoder should be able to get away with a few unsigned ints and a state machine. The current behavior

RE: handling of expired certificates

2013-04-24 Thread Salz, Rich
OpenSSL does nothing about this. It's an interesting question. As far as TLS/SSL is concerned, it is only using the certificate at the time the connection is initially established, and therefore expiration (or revocation) during the application's use of the certificate is up to the

RE: MD5 in openSSL internals

2013-04-24 Thread Salz, Rich
First poster: We are currently analyzing and understanding the security strength of the openSSL internal implementation to certify the products. In version 0.9.8d, TLSv1.0 alone is supported. Can you please answer the following or provide me with the documentation reference 1. Does

RE: extended x509 custom, Attributes and BEGIN Certificate size

2013-04-27 Thread Salz, Rich
The base64 encoding within the PEM lines is the entire certificate not just the signature. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: Key usage at openssl

2013-05-01 Thread Salz, Rich
It should not be surprising that both keypairs worked. Unless you're doing mutual authentication, the SSL server will never see the client certificate, and so it will not be able to see the keyUsage attribute, or the extendedKeyUsage attribute. Those two attributes specify how a keypair is

FW: Bug(?) in x509 app

2013-05-01 Thread Salz, Rich
I have a self-signed certificate (new.crt) that I want to sign with the x509 app and the keypair that is in ca.pem. I can send those files if desired; if sent as attachments the openssl.org server complains. In an older openssl, what I expect happens: ; openssl version OpenSSL 0.9.8k 25 Mar

RE: Bug(?) in x509 app

2013-05-01 Thread Salz, Rich
Of Salz, Rich Sent: Wednesday, 01 May, 2013 15:11 To: openssl-users@openssl.org; r...@openssl.org I have a self-signed certificate (new.crt) that I want to sign with the x509 app and the keypair that is in ca.pem. snip With the latest, it looks like the only thing output is the new signature L snip

RE: Bug(?) in x509 app

2013-05-02 Thread Salz, Rich
The bug was in X509_sign_ctx which didn't set the modified flag while the regular X509_sign did. Thanks! -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: Bug(?) in x509 app

2013-05-02 Thread Salz, Rich
Same fix needed in X509CRL_sign_ctx? -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project http://www.openssl.org User Support Mailing List

RE: verify self signed x.509

2013-05-08 Thread Salz, Rich
How can this individual verify the x.509? I certainly do not want the receiving site to have private key; they are not the creator of such documents but simply the receiver for data. An excerpt of code would be most beneficial. The certificate is signed with the PRIVATE key and verified

RE: verify self signed x.509

2013-05-08 Thread Salz, Rich
4) But for the life of me cannot find how to set the public and verify? Look for one of the openssl command-line programs that does what you want, and then look at that code. In this case apps/verify.c might be useful. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

SSL_CTX_set{_preferred)_cipher_list?

2013-05-10 Thread Salz, Rich
What is the difference between SSL_CTX_SET_cipher_list and SSL_CTX_set_preferred_cipher_list ? When and why would I use the preferred version? I promise to turn any answers I got into a POD manpage for future inclusion :) And why is there an SSL_set_cipher_list function, but the (misnamed?)

Remove SSLv2 via #ifdef

2013-05-10 Thread Salz, Rich
Would there be any interest (and support) from the dev team for patches that completely remove SSLv2 API's? /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Remove SSLv2 via #ifdef

2013-05-11 Thread Salz, Rich
I guess I was confused, expecting to see the ssl23 stuff removed as well, but I guess it's okay to leave it. -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: SSL_CTX_set{_preferred)_cipher_list?

2013-05-11 Thread Salz, Rich
What is the difference between SSL_CTX_SET_cipher_list and SSL_CTX_set_preferred_cipher_list? Which version of OpenSSL has the preferred version? I don't see this in master. Gaak. Sorry for the confusion. Looking at some decade-old local patches. :( /r$ -- Principal

RE: connection encrypted (a question)

2013-05-12 Thread Salz, Rich
Many people find the four-letter word at the start of your domain name offensive. I'm assuming you know English well enough to know that, and chose it deliberately. That's reading beyond the cover. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: FIPS Capable Ciphers List

2013-05-14 Thread Salz, Rich
Viktor gave some excellent advice. I'd tweak it by removing 'export' as something to support. And perhaps use weak, good, strong -- whatever, keep the number of choices very small. I'd suggest to not use default since folks will get upset if it changes. They are more accepting if the

RE: FIPS Capable Ciphers List

2013-05-14 Thread Salz, Rich
@openssl.org Subject: Re: FIPS Capable Ciphers List On Tue, May 14, 2013 at 09:42:08PM -0500, Salz, Rich wrote: Viktor gave some excellent advice. I'd tweak it by removing 'export' as something to support. And perhaps use weak, good, strong -- whatever, keep the number of choices very small

RE: FIPS Capable Ciphers List

2013-05-15 Thread Salz, Rich
As a knowledgeable user, I despise user interfaces like that As a knowledgeable user, you are in the minority and it is certainly your right to complain if your choices are restricted. and tend to recommend against such products even for novices. I firmly believe this is wrong. A good user

RE: FIPS Capable Ciphers List

2013-05-15 Thread Salz, Rich
I was talking about a user interface to specify settings without requiring a rebuild of the applications. And on this, we completely agree :) -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL

RE: simple https server using openssl

2013-05-18 Thread Salz, Rich
The s_server program reads stdin and sends it to the client; it reads from the client and sends it to stdout. It doesn't implement any protocol. But you can use that code as a basis for your homework :) /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: How to create CSR with SN attribute

2013-05-20 Thread Salz, Rich
Is there a way with openssl to create a key/csr with SN attribute? As I can see, only CN, O, OU etc are available. If not with openssl, does anyone know another tool to create this with? You can do it. The 'trick' is that you have to have a default value, so put SN=unknown in the global

RE: Assigning pre-defined bufs to OpenSSL lib bufs for AES calculation

2013-05-21 Thread Salz, Rich
> I would like to know if it is possible to assign pre-defined bufs(addresses) to OpenSSL which it can use to store plaintext/cipher text during AES computation. You mean force all AES encryptions during a TLS session to use fixed buffers? No, that is not possible without code changes.

RE: Pipe command not working

2013-05-24 Thread Salz, Rich
The | command doesn't work for me in OpenSSL. Is it a shell thing? Not enough details (heck not any) to answer. But yes, pipes are implemented by the shell. -- Principal Security Engineer Akamai Technology Cambridge, MA __

RE: Pipe command not working

2013-05-24 Thread Salz, Rich
Windows doesn't do pipes; you have to use temp files. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: OpenSSL compatibility between releases

2013-05-26 Thread Salz, Rich
> If there is compatibility issue, then it seems we have to recompile our application with latest openssl library. Please suggest if you have any other or better solutions. There is no other solution. 0.9.8 and 1.xxx aren't binary compatible. For more details, see the FAQ,

RE: signing data

2013-06-07 Thread Salz, Rich
The printf command appends a newline to the data so it's different from what your program has. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: signing data

2013-06-07 Thread Salz, Rich
> No new line added. As I already suggested, it's an implicit NULL terminator in the C string literal in the C program. Of rats, of course you're right. The proper thing to do is sizeof ... -1 /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Is it possible to grab CA certificate?

2013-06-17 Thread Salz, Rich
> By the way, I would NOT recommend adding an in-house probably unprotected CA as a trusted one. The exception is much better to deal with such cases. If it's a work machine, then absolutely trust the in-house CA, no matter how it is managed and protected. /r$ -- Principal

RE: Is it possible to grab CA certificate?

2013-06-17 Thread Salz, Rich
> because from a workstation people may access external websites too. Like banks And perhaps they shouldn't. Have you seen the size of the built-in browser CA trust lists recently? And really, which is more likely: an in-house CA leads you astray, or you bring some external malware from

RE: Understanding PKI

2013-06-21 Thread Salz, Rich
> I want to really understand certificates, pki, etc; so forgive me if these questions are elementary. Google around for PKI introductions. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: openssl s_client takes over 30 seconds to complete on Windows

2013-07-07 Thread Salz, Rich
echo foo | openssl s_client -connect uri.com:443 >cert.txt Or perhaps simpler openssl s_client -connect uri.com:443 >cert.txt </dev/null -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: OSCP request

2013-07-16 Thread Salz, Rich
There are no examples other than openssl commands, I have a program on a device and need to programmatically check x509 periodically. That is generally true of most openssl-based applications You'll have to start by reading and learning apps/ocsp.c /r$ -- Principal Security

RE: OSCP server does not update status

2013-07-18 Thread Salz, Rich
Is there a standard to revoke a cert with a request to an OCSP. Nothing part of OCSP. There are various other standards around (e.g., XKMS from W3C, KMIP from OASIS) but they're nowhere near as widely used. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
This is not possible according to PKIX. RFC5280 states The trust anchor for the certification path [of the crl] MUST be the same as the trust anchor used to validate the target certificate. The root certificate creates a crl-signing cert. The root certificate includes a cRLDistributionPoint

RE: OCSP and self signed

2013-07-31 Thread Salz, Rich
Wouldn't it be just as good to have a cRLDistributionPoint which does not restrict the available ReasonFlags and then put cACompromise in the CRL if/when that disaster happens? No because with my idea you a priori restrict the crlDP to be only CA revocation. Wouldn't it be equally

Using both PSK and classic RSA

2013-08-06 Thread Salz, Rich
From my initial reading of the spec (RFC 4279) and review of the code, it appears that both PSK and RSA-style key exchanges can exist in both server and client. That is: - A server can register the PSK callbacks, identities, and keypair and talk to clients using the PSK and RSA key

RE: BREACH vuln and ciphers

2013-08-06 Thread Salz, Rich
> This attack is compression at the application layer not ssl compression. TLS fails to protect the application layer data. SSL also fails to protect application layer data when the application decides to include key material. There are limits to what can be done. /r$ --

RE: Thread safe callbacks never actually called

2013-08-15 Thread Salz, Rich
But I think the structures should be thread safe as the functions Then where and how do you propose to store the state of any ongoing computation? -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL

RE: Thread safe callbacks never actually called

2013-08-15 Thread Salz, Rich
There should be a way. There isn't. There are synchronization methods to keep the same structure used by many threads at the same time, and usually this is transparent to developers. Are you new to multi-threaded C programming? -- Principal Security Engineer Akamai Technology Cambridge,

RE: Thread safe callbacks never actually called

2013-08-15 Thread Salz, Rich
I don't mean the type, I mean the data By putting EVERYTHING with __declspec(thread)? That's not right either, as it completely prevents sharing. And the Windows DLL malloc model isn't the same as Unix/Linux. Enough pedanticism. Most objects aren't safe to be used by multiple threads at the

RE: weird bug

2013-08-16 Thread Salz, Rich
> Some serious bug? Yes, but in your code: > char new_filename[strlen( filename + 5 )]; char new_filename[strlen( filename) + 5]; -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: weird bug

2013-08-16 Thread Salz, Rich
> Seriously - if i just use des instead of des_ede3 in works. that simple. has got to be a bug Run your code through something like valgrind -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: How to securely encrypt identical files to identical ciphertext?

2013-08-16 Thread Salz, Rich
I have a requirement to encrypt files, in such a way identical files should generate identical ciphertexts. Identical salts(ivs) should work. No salt works as well. This would have the effect that two files which were identical at the beginning for the first x number of blocks (but

RE: weird bug

2013-08-16 Thread Salz, Rich
> I have no idea wtf is up with all these bugs but i'm surprised openssl is this glitchy It is not. The problem is almost definitely in your code. It is also hard to help when the code you post isn't the code you're trying to debug. Get and run valgrind and see what it says. Compile with

RE: CA hierarchy / pathlen:0

2013-08-21 Thread Salz, Rich
You misunderstand how it's supposed to work. OpenSSL does not prevent you from signing anything. It can't; for example, you could use other software and generate the signature. Instead, when the recipient gets a certificate, and verifies the chain, it should reject the chain because the

RE: CA hierarchy / pathlen:0

2013-08-22 Thread Salz, Rich
certificate.) A pathLenConstraint of zero indicates that no non- self-issued intermediate CA certificates may follow in a valid certification path. Validation of the certification path is the responsibility of the relying party -- the recipient of data. It is not safe to rely on the

Using X509_verify with various chains.

2013-08-26 Thread Salz, Rich
Suppose I have a three-length chain: rootCA, interCA, userCert. If I call X509_verify with depth 1 and only interCA in the trusted list, will that pass? Suppose it's a four-length chain: rootCA, parentCA, childCA, userCert. Again, I assume depth=1 and childCA in the trust list, it will pass.

RE: Is it Possible to revoke cert by Serial

2013-08-29 Thread Salz, Rich
Is it possible to revoke a cert by serial number? Using the ca command? The answer is no. I searched the form and this question is not answered. Use the source, Luke :) I can't see a good reason why the crl txt_db needs the subject name. It should be reasonable to modify ca.c to take the

RE: Add SubjAltName to openssl command line?

2013-08-29 Thread Salz, Rich
You can use the $ENV:xxx construct. It's a bit of a hack, but you only need one config file and change the env var each time... -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
I can use the showcerts command on port 636 and see the certs but when I try to do this on port 389 to use TLS I get the following error. 389 is the plaintext LDAP port; 636 is for LDAP over SSL/TLS so your system is doing the right thing. If you want to force SSL/TLS, then you'll have to

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
Another option is to use LDAP's STARTTLS support on port 389. It seems the config to require it is a bit obscure; http://www.openldap.org/lists/openldap-technical/201202/msg00414.html might be useful. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: TLS authentication for ldap

2013-09-23 Thread Salz, Rich
Note, the above is for enforcing STARTTLS on the server. If the decision is left to the client, the configuration is less opaque. And less secure. :) If policy is to use SSL/TLS, then the server must enforce it; trusting the clients to do the right thing is bad. /r$ -- Principal

RE: redirected input to s_client on Windows: Any trick to avoid the keypress?

2013-10-04 Thread Salz, Rich
When you run it interactively, does it work right away or do you need to hit TWO returns? -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: openSSL performance

2013-10-07 Thread Salz, Rich
Are you sure that the key exchange is not a factor? Have you measured SSL setup times compared to post-setup transfer times? 4K RSA is computationally expensive. Are you sure that the rest of your system is secure enough to justify that instead of 2K RSA? /r$ -- Principal

RE: openSSL performance

2013-10-08 Thread Salz, Rich
> (sorry for duplicating the thread, I didn't receive any answer in my mailbox as I expected, I only saw them through the mail archive...?) It's common (and many would say, the correct behavior) for mailing list replies to go to the mailing list. > I've started with a 1K key and later on

RE: Implementing msCRLNextPublish extension

2013-10-09 Thread Salz, Rich
The syntax of the extension is needed too. Do you know of any specs giving details? Googling the OID found this which seems to imply that it's the same syntax as NextUpdate: http://www.imc.org/ietf-pkix/old-archive-04/msg01798.html -- Principal Security Engineer Akamai Technology

RE: openssl function equivalent to openssl x509 -in test.crt -text -noout

2013-10-21 Thread Salz, Rich
> What is openssl function equivalent to openssl x509 -in test.crt -text -noout Look in apps/x509.c -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: i2d_ASN1_BIT_STRING() and 0x00-terminated string

2013-10-29 Thread Salz, Rich
You are comparing the native form to the DER encoding. You need to d2i back and see that the data is preserved. Not only is “the 0x00 trimmed” but those bytes at the front 03 81 80 01 are also a clue. ☺ /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: connecting to (openssl-) server in SSL or clear text

2013-11-15 Thread Salz, Rich
The common practice is for clients to connect in the clear, then issue a command to turn on TLS, such as the SMTP STARTTLS command. -- Principal Security Engineer Akamai Technology Cambridge, MA __ OpenSSL Project

RE: connecting to (openssl-) server in SSL or clear text

2013-11-15 Thread Salz, Rich
I was thinking more in a solution where the client reads the first 8 bytes from the socket and checks if the beginning of the GoodMorning message is there in clear text (like 220 SLNP) and if not it should handover this buffer and the socket fd for further SSL handshake... Is this

RE: Need to send CN attribute in TeletexString/T61String format for ASN1DN Id and certificate

2013-11-25 Thread Salz, Rich
> We need to send CN attribute in TeletexString format for ASN1DN Id and certificate. 'grep -I t61 apps/*.c' might be useful. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

Problem with specifying the CIPHER list

2013-11-25 Thread Salz, Rich
Is there a way to see something like AES128-SHA is okay with TLSv1.2, but not with SSLv3? -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Problem with specifying the CIPHER list

2013-11-26 Thread Salz, Rich
Server side at least it would be theoretically possible: i.e. only choose a ciphersuite if TLS v1.2 is negotiated. OpenSSL doesn't support this though. I didn't think so, thanks. One possibility is to add a construct like proto?cipher to the colon-separated list. Any interest in a

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
NID is an internal openssl implementation detail; X509 data structures have OID's. Post the PEM of the cert. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Verification of a x509 certificate signature

2013-11-27 Thread Salz, Rich
The point of posting PEM is that people can cut and paste from a mail message and decode it to get the DER or whatever. (That's why PEM format was invented, to survive intact through email:) You are generating a certificate, self-signing it, and your recipient cannot verify it. Right?

RE: DH_generate_key() segmentation fault

2014-01-21 Thread Salz, Rich
As two other people have already said, you cannot use strlen() on binary data. BN_bin2bn(parmp,strlen(parmp), dhPar2->p); BN_bin2bn(parmg,strlen(parmg), dhPar2->g); /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: DH_generate_key() segmentation fault

2014-01-24 Thread Salz, Rich
> These built-in functions do not return the size of the binary data, so how can I get the length of the binary data? BN_num_bytes() which you already used in your initial posting? -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Regarding certificate type

2014-02-05 Thread Salz, Rich
Those aren't certificate types, they are encodings. (You can almost think of them like character sets; unicode utf-8 utf-16 for example). I'm not aware of any tests in openssl, but I could be wrong. If the file is ascii, or has a line that starts with five - characters, or the filename ends

What if I don't call SSL_{CTX}_set_cipher_list?

2014-02-24 Thread Salz, Rich
What happens if I never set the cipher list (in either SSL or SSL_CTX). Do I get the value of DEFAULT? Or a zero list and failure? Thanks. -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Passing packets (vs file descriptor) to OpenSSL...

2014-04-03 Thread Salz, Rich
> Is there a good way to pass the packets to/from openssl instead of using a FD for handshakes/etc? BIO is the openssl IO abstraction; see SSL_set_bio, for example. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA

RE: Question regarding offloading fundamental ECC operations on a hardware

2014-04-04 Thread Salz, Rich
So if i go on and change the openssl code to offload ECC operations, will i be breaking any license? If you are buying off-the-shelf hardware, then the vendor probably has the necessary licenses. If you are building your own hardware, purely for your exploration and discovery, then it is

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
> How do I determine whether or not the web servers I run are affected? Here's a simple way: echo B | openssl s_client -connect $HOST:$PORT if you see heartbeating at the end, then $HOST is vulnerable. How can you tell if private keys have been taken? You can't, really. You can

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
> I get the heartbeating message on both unpatched and patched servers. Should that make me worry about the patched machines? Not necessarily. If they updated to the 'g' release, then they are doing buffer-overrun checking and you're safe. You can probably find out by connecting to your

RE: OpenSSL Security Advisory

2014-04-09 Thread Salz, Rich
Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end: Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest. My example tests only for
