subject:"Re\: \[openssl\-users\] troubleshooting a puzzling issue"

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Richard Levitte

In message <8df59ee9-2677-47d3-b9f6-69904b3ea...@inria.fr> on Fri, 13 Jan 2017 
16:46:59 +0100, Thierry Parmentelat  said:

thierry.parmentelat> so I do see md5 in the list of digests

Ok

thierry.parmentelat> 
thierry.parmentelat> what else should I be looking at ? 
thierry.parmentelat> is there a way to get some sort of error code or something 
that would at least hint at a direction..

I found that M2Crypto has an Err package, so add this to your script:

if v <= 0:
print(M2Crypto.Err.get_error());
else:
print("v = {}".format(v))

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Thierry Parmentelat

; it explains it all :)

Thanks so much for your time looking into this, it is very helpful — Thierry 


> On 13 Jan 2017, at 16:47, Viktor Dukhovni  wrote:
> 
> On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:
> 
>> Thanks Viktor for your feedback
>> 
>> Well, the 2 certificates are embedded in the python code as PEM; I am
>> attaching them again here as plain files if that helps
> 
> The leaf certificate is signed with RSA+MD5:
> 
>$ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
>Certificate:
>   Data:
>   Version: 3 (0x2)
>   Serial Number: 3 (0x3)
>   Signature Algorithm: md5WithRSAEncryption
>   Issuer: CN=onelab.inria
>   Validity
>   Not Before: Aug 18 13:30:49 2014 GMT
>   Not After : Aug 17 13:30:49 2019 GMT
>   Subject: CN=onelab.inria.thierry_parmentelat
>   Subject Public Key Info:
>   Public Key Algorithm: rsaEncryption
>   Public-Key: (1024 bit)
>   Modulus:
>   Exponent: 35 (0x23)
>   X509v3 extensions:
>   X509v3 Basic Constraints: critical
>   X509v3 Subject Alternative Name:
>   URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, 
> URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
>   Signature Algorithm: md5WithRSAEncryption
> 
>> In terms of versioning, on one box that exhibits the issue of returning -1, 
>> I have this:
>> 
>> # cat /etc/fedora-release
>> Fedora release 24 (Twenty Four)
> 
> Redhat is removing support for MD5 signatures from their OpenSSL
> builds.  From a recent email from them to the OpenSSL team:
> 
>We (Red Hat Enterprise Linux developers) decided to disable
>support for verification of signatures with MD4, MD5, and SHA0
>hashes in openssl library in Red Hat Enterprise Linux 6 and
>newer and in Fedora. ...
> 
> Your 5 year MD5 certificate is getting stale, time to use something
> a bit more current.  Also its rather small exponent (35) is very
> unwise.  While not quite as bad as 3, it may be open to attack.
> 
> -- 
>   Viktor.
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Viktor Dukhovni

On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote:

> Thanks Viktor for your feedback
> 
> Well, the 2 certificates are embedded in the python code as PEM; I am
> attaching them again here as plain files if that helps

The leaf certificate is signed with RSA+MD5:

$ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:'
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=onelab.inria
Validity
Not Before: Aug 18 13:30:49 2014 GMT
Not After : Aug 17 13:30:49 2019 GMT
Subject: CN=onelab.inria.thierry_parmentelat
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 35 (0x23)
X509v3 extensions:
X509v3 Basic Constraints: critical
X509v3 Subject Alternative Name:
URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, 
URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a
Signature Algorithm: md5WithRSAEncryption

> In terms of versioning, on one box that exhibits the issue of returning -1, I 
> have this:
> 
> # cat /etc/fedora-release
> Fedora release 24 (Twenty Four)

Redhat is removing support for MD5 signatures from their OpenSSL
builds.  From a recent email from them to the OpenSSL team:

We (Red Hat Enterprise Linux developers) decided to disable
support for verification of signatures with MD4, MD5, and SHA0
hashes in openssl library in Red Hat Enterprise Linux 6 and
newer and in Fedora. ...

Your 5 year MD5 certificate is getting stale, time to use something
a bit more current.  Also its rather small exponent (35) is very
unwise.  While not quite as bad as 3, it may be open to attack.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Thierry Parmentelat

Hey Richard

here’s what I see

# openssl help
openssl:Error: 'help' is an invalid command.

Standard commands
asn1parse caciphers   cms
crl   crl2pkcs7 dgst  dh
dhparam   dsa   dsaparam  ec
ecparam   enc   engineerrstr
gendh gendsagenpkey   genrsa
nseq  ocsp  passwdpkcs12
pkcs7 pkcs8 pkey  pkeyparam
pkeyutl   prime rand  req
rsa   rsautls_client  s_server
s_timesess_id   smime speed
spkac tsverifyversion
x509

Message Digest commands (see the `dgst' command for more details)
md2   md4   md5   rmd160
sha   sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc   aes-128-ecb   aes-192-cbc   aes-192-ecb
aes-256-cbc   aes-256-ecb   base64bf
bf-cbcbf-cfbbf-ecbbf-ofb
camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  camellia-192-ecb
camellia-256-cbc  camellia-256-ecb  cast  cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des   des-cbc   des-cfb   des-ecb
des-ede   des-ede-cbc   des-ede-cfb   des-ede-ofb
des-ede3  des-ede3-cbc  des-ede3-cfb  des-ede3-ofb
des-ofb   des3  desx  idea
idea-cbc  idea-cfb  idea-ecb  idea-ofb
rc2   rc2-40-cbcrc2-64-cbcrc2-cbc
rc2-cfb   rc2-ecb   rc2-ofb   rc4
rc4-40rc5   rc5-cbc   rc5-cfb
rc5-ecb   rc5-ofb   seed  seed-cbc
seed-cfb  seed-ecb  seed-ofb  zlib


so I do see md5 in the list of digests

what else should I be looking at ? 
is there a way to get some sort of error code or something that would at least 
hint at a direction..

thanks — Thierry

> On 13 Jan 2017, at 16:37, Richard Levitte  wrote:
> 
> In message <41a36a7f-ff5d-4190-9178-e9ff11aff...@inria.fr> on Fri, 13 Jan 
> 2017 11:28:40 +0100, Thierry Parmentelat  said:
> 
> thierry.parmentelat> I am facing a problem that I have narrowed down to this:
> thierry.parmentelat> 
> thierry.parmentelat> I have two certificates, one being signed by the other
> thierry.parmentelat> the attached code is a python code that uses M2Crypto to 
> check for that fact
> thierry.parmentelat> 
> thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 
> as expected, while on some others I am getting -1
> thierry.parmentelat> 
> thierry.parmentelat> 
> thierry.parmentelat> ---
> thierry.parmentelat> I apologize that I am not able to write a pure C code 
> that would reproduce the issue (I’m afraid that me trying to achieve that 
> would just lead to more artificial problems than be actually helpful in any 
> way :)
> thierry.parmentelat> 
> thierry.parmentelat> the m2crypto guys tell me they are essentially just 
> passing stuff along to openssl’s function
> thierry.parmentelat> X509_verify
> thierry.parmentelat> as described here
> thierry.parmentelat> 
> https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html
> 
> Considering both certs in the attached script use the signature
> algorithm md5WithRSAEncryption, you could get that kind of error with
> an OpenSSL installation where MD5 has been disabled.  'openssl help'
> will show you what's enabled, or 'openssl list -disabled' (with
> OpenSSL 1.1.0) to see what's disabled.
> 
> There are other things that can give you a -1 as well...
> 
> Cheers,
> Richard
> 
> -- 
> Richard Levitte levi...@openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Richard Levitte

In message  on Fri, 13 Jan 
2017 09:26:35 -0500, Viktor Dukhovni  said:

openssl-users> 
openssl-users> > On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat 
 wrote:
openssl-users> > 
openssl-users> > I have two certificates, one being signed by the other
openssl-users> > the attached code is a python code that uses M2Crypto to check 
for that fact
openssl-users> 
openssl-users> Your current problem is failure to post the two certificates 
along with
openssl-users> the anecdotal description.  You're also not reporting which 
versions of
openssl-users> the various O/S distributions you were using, and more 
importantly which
openssl-users> versions of OpenSSL were linked into Python's M2Crypto.
openssl-users> 
openssl-users> Real answers require real data.

E...  there's a script attached to the original post.  It contains
all the data you need, including two certs.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Richard Levitte

In message <41a36a7f-ff5d-4190-9178-e9ff11aff...@inria.fr> on Fri, 13 Jan 2017 
11:28:40 +0100, Thierry Parmentelat  said:

thierry.parmentelat> I am facing a problem that I have narrowed down to this:
thierry.parmentelat> 
thierry.parmentelat> I have two certificates, one being signed by the other
thierry.parmentelat> the attached code is a python code that uses M2Crypto to 
check for that fact
thierry.parmentelat> 
thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 as 
expected, while on some others I am getting -1
thierry.parmentelat> 
thierry.parmentelat> 
thierry.parmentelat> ---
thierry.parmentelat> I apologize that I am not able to write a pure C code that 
would reproduce the issue (I’m afraid that me trying to achieve that would just 
lead to more artificial problems than be actually helpful in any way :)
thierry.parmentelat> 
thierry.parmentelat> the m2crypto guys tell me they are essentially just 
passing stuff along to openssl’s function
thierry.parmentelat> X509_verify
thierry.parmentelat> as described here
thierry.parmentelat> 
https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html

Considering both certs in the attached script use the signature
algorithm md5WithRSAEncryption, you could get that kind of error with
an OpenSSL installation where MD5 has been disabled.  'openssl help'
will show you what's enabled, or 'openssl list -disabled' (with
OpenSSL 1.1.0) to see what's disabled.

There are other things that can give you a -1 as well...

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Thierry Parmentelat

Thanks Viktor for your feedback


Well, the 2 certificates are embedded in the python code as PEM; I am attaching 
them again here as plain files if that helps



p1
Description: Binary data


p2
Description: Binary data



In terms of versioning, on one box that exhibits the issue of returning -1, I 
have this:

# cat /etc/fedora-release
Fedora release 24 (Twenty Four)

both openssl and m2crypto installed from fedora’s stock repos:

# rpm -q m2crypto openssl-libs
m2crypto-0.23.0-2.fc24.x86_64
openssl-libs-1.0.2j-3.fc24.x86_64

# uname -a
Linux r2labsfa.pl.sophia.inria.fr 4.8.15-300.fc25.x86_64 #1 SMP Thu Dec 15 
23:10:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


I hope it clarifies — thanks for looking into this — Thierry


> On 13 Jan 2017, at 15:26, Viktor Dukhovni  wrote:
> 
> 
>> On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat 
>>  wrote:
>> 
>> I have two certificates, one being signed by the other
>> the attached code is a python code that uses M2Crypto to check for that fact
> 
> Your current problem is failure to post the two certificates along with
> the anecdotal description.  You're also not reporting which versions of
> the various O/S distributions you were using, and more importantly which
> versions of OpenSSL were linked into Python's M2Crypto.
> 
> Real answers require real data.
> 
> -- 
> -- 
>   Viktor.
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

2017-01-13 Thread Viktor Dukhovni

> On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat 
>  wrote:
> 
> I have two certificates, one being signed by the other
> the attached code is a python code that uses M2Crypto to check for that fact

Your current problem is failure to post the two certificates along with
the anecdotal description.  You're also not reporting which versions of
the various O/S distributions you were using, and more importantly which
versions of OpenSSL were linked into Python's M2Crypto.

Real answers require real data.

-- 
-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

Re: [openssl-users] troubleshooting a puzzling issue

8 matches

Site Navigation

Mail list logo

Footer information