Re: [openssl-users] troubleshooting a puzzling issue
In message <8df59ee9-2677-47d3-b9f6-69904b3ea...@inria.fr> on Fri, 13 Jan 2017 16:46:59 +0100, Thierry Parmentelatsaid: thierry.parmentelat> so I do see md5 in the list of digests Ok thierry.parmentelat> thierry.parmentelat> what else should I be looking at ? thierry.parmentelat> is there a way to get some sort of error code or something that would at least hint at a direction.. I found that M2Crypto has an Err package, so add this to your script: if v <= 0: print(M2Crypto.Err.get_error()); else: print("v = {}".format(v)) -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
; it explains it all :) Thanks so much for your time looking into this, it is very helpful — Thierry > On 13 Jan 2017, at 16:47, Viktor Dukhovniwrote: > > On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote: > >> Thanks Viktor for your feedback >> >> Well, the 2 certificates are embedded in the python code as PEM; I am >> attaching them again here as plain files if that helps > > The leaf certificate is signed with RSA+MD5: > >$ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:' >Certificate: > Data: > Version: 3 (0x2) > Serial Number: 3 (0x3) > Signature Algorithm: md5WithRSAEncryption > Issuer: CN=onelab.inria > Validity > Not Before: Aug 18 13:30:49 2014 GMT > Not After : Aug 17 13:30:49 2019 GMT > Subject: CN=onelab.inria.thierry_parmentelat > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > Public-Key: (1024 bit) > Modulus: > Exponent: 35 (0x23) > X509v3 extensions: > X509v3 Basic Constraints: critical > X509v3 Subject Alternative Name: > URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, > URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a > Signature Algorithm: md5WithRSAEncryption > >> In terms of versioning, on one box that exhibits the issue of returning -1, >> I have this: >> >> # cat /etc/fedora-release >> Fedora release 24 (Twenty Four) > > Redhat is removing support for MD5 signatures from their OpenSSL > builds. From a recent email from them to the OpenSSL team: > >We (Red Hat Enterprise Linux developers) decided to disable >support for verification of signatures with MD4, MD5, and SHA0 >hashes in openssl library in Red Hat Enterprise Linux 6 and >newer and in Fedora. ... > > Your 5 year MD5 certificate is getting stale, time to use something > a bit more current. Also its rather small exponent (35) is very > unwise. While not quite as bad as 3, it may be open to attack. > > -- > Viktor. > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
On Fri, Jan 13, 2017 at 04:17:14PM +0100, Thierry Parmentelat wrote: > Thanks Viktor for your feedback > > Well, the 2 certificates are embedded in the python code as PEM; I am > attaching them again here as plain files if that helps The leaf certificate is signed with RSA+MD5: $ openssl x509 -in /tmp/p1 -noout -text | egrep -v '^ *..:' Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: md5WithRSAEncryption Issuer: CN=onelab.inria Validity Not Before: Aug 18 13:30:49 2014 GMT Not After : Aug 17 13:30:49 2019 GMT Subject: CN=onelab.inria.thierry_parmentelat Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: Exponent: 35 (0x23) X509v3 extensions: X509v3 Basic Constraints: critical X509v3 Subject Alternative Name: URI:urn:publicid:IDN+onelab:inria+user+thierry_parmentelat, URI:urn:uuid:8ee5aabe-5a16-4ac5-a18f-7ca145af285a Signature Algorithm: md5WithRSAEncryption > In terms of versioning, on one box that exhibits the issue of returning -1, I > have this: > > # cat /etc/fedora-release > Fedora release 24 (Twenty Four) Redhat is removing support for MD5 signatures from their OpenSSL builds. From a recent email from them to the OpenSSL team: We (Red Hat Enterprise Linux developers) decided to disable support for verification of signatures with MD4, MD5, and SHA0 hashes in openssl library in Red Hat Enterprise Linux 6 and newer and in Fedora. ... Your 5 year MD5 certificate is getting stale, time to use something a bit more current. Also its rather small exponent (35) is very unwise. While not quite as bad as 3, it may be open to attack. -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
Hey Richard here’s what I see # openssl help openssl:Error: 'help' is an invalid command. Standard commands asn1parse caciphers cms crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engineerrstr gendh gendsagenpkey genrsa nseq ocsp passwdpkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand req rsa rsautls_client s_server s_timesess_id smime speed spkac tsverifyversion x509 Message Digest commands (see the `dgst' command for more details) md2 md4 md5 rmd160 sha sha1 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64bf bf-cbcbf-cfbbf-ecbbf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbcrc2-64-cbcrc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb seed seed-cbc seed-cfb seed-ecb seed-ofb zlib so I do see md5 in the list of digests what else should I be looking at ? is there a way to get some sort of error code or something that would at least hint at a direction.. thanks — Thierry > On 13 Jan 2017, at 16:37, Richard Levittewrote: > > In message <41a36a7f-ff5d-4190-9178-e9ff11aff...@inria.fr> on Fri, 13 Jan > 2017 11:28:40 +0100, Thierry Parmentelat said: > > thierry.parmentelat> I am facing a problem that I have narrowed down to this: > thierry.parmentelat> > thierry.parmentelat> I have two certificates, one being signed by the other > thierry.parmentelat> the attached code is a python code that uses M2Crypto to > check for that fact > thierry.parmentelat> > thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 > as expected, while on some others I am getting -1 > thierry.parmentelat> > thierry.parmentelat> > thierry.parmentelat> --- > thierry.parmentelat> I apologize that I am not able to write a pure C code > that would reproduce the issue (I’m afraid that me trying to achieve that > would just lead to more artificial problems than be actually helpful in any > way :) > thierry.parmentelat> > thierry.parmentelat> the m2crypto guys tell me they are essentially just > passing stuff along to openssl’s function > thierry.parmentelat> X509_verify > thierry.parmentelat> as described here > thierry.parmentelat> > https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html > > Considering both certs in the attached script use the signature > algorithm md5WithRSAEncryption, you could get that kind of error with > an OpenSSL installation where MD5 has been disabled. 'openssl help' > will show you what's enabled, or 'openssl list -disabled' (with > OpenSSL 1.1.0) to see what's disabled. > > There are other things that can give you a -1 as well... > > Cheers, > Richard > > -- > Richard Levitte levi...@openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
In messageon Fri, 13 Jan 2017 09:26:35 -0500, Viktor Dukhovni said: openssl-users> openssl-users> > On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat wrote: openssl-users> > openssl-users> > I have two certificates, one being signed by the other openssl-users> > the attached code is a python code that uses M2Crypto to check for that fact openssl-users> openssl-users> Your current problem is failure to post the two certificates along with openssl-users> the anecdotal description. You're also not reporting which versions of openssl-users> the various O/S distributions you were using, and more importantly which openssl-users> versions of OpenSSL were linked into Python's M2Crypto. openssl-users> openssl-users> Real answers require real data. E... there's a script attached to the original post. It contains all the data you need, including two certs. Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
In message <41a36a7f-ff5d-4190-9178-e9ff11aff...@inria.fr> on Fri, 13 Jan 2017 11:28:40 +0100, Thierry Parmentelatsaid: thierry.parmentelat> I am facing a problem that I have narrowed down to this: thierry.parmentelat> thierry.parmentelat> I have two certificates, one being signed by the other thierry.parmentelat> the attached code is a python code that uses M2Crypto to check for that fact thierry.parmentelat> thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1 thierry.parmentelat> thierry.parmentelat> thierry.parmentelat> --- thierry.parmentelat> I apologize that I am not able to write a pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :) thierry.parmentelat> thierry.parmentelat> the m2crypto guys tell me they are essentially just passing stuff along to openssl’s function thierry.parmentelat> X509_verify thierry.parmentelat> as described here thierry.parmentelat> https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html Considering both certs in the attached script use the signature algorithm md5WithRSAEncryption, you could get that kind of error with an OpenSSL installation where MD5 has been disabled. 'openssl help' will show you what's enabled, or 'openssl list -disabled' (with OpenSSL 1.1.0) to see what's disabled. There are other things that can give you a -1 as well... Cheers, Richard -- Richard Levitte levi...@openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
Thanks Viktor for your feedback Well, the 2 certificates are embedded in the python code as PEM; I am attaching them again here as plain files if that helps p1 Description: Binary data p2 Description: Binary data In terms of versioning, on one box that exhibits the issue of returning -1, I have this: # cat /etc/fedora-release Fedora release 24 (Twenty Four) both openssl and m2crypto installed from fedora’s stock repos: # rpm -q m2crypto openssl-libs m2crypto-0.23.0-2.fc24.x86_64 openssl-libs-1.0.2j-3.fc24.x86_64 # uname -a Linux r2labsfa.pl.sophia.inria.fr 4.8.15-300.fc25.x86_64 #1 SMP Thu Dec 15 23:10:23 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux I hope it clarifies — thanks for looking into this — Thierry > On 13 Jan 2017, at 15:26, Viktor Dukhovniwrote: > > >> On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat >> wrote: >> >> I have two certificates, one being signed by the other >> the attached code is a python code that uses M2Crypto to check for that fact > > Your current problem is failure to post the two certificates along with > the anecdotal description. You're also not reporting which versions of > the various O/S distributions you were using, and more importantly which > versions of OpenSSL were linked into Python's M2Crypto. > > Real answers require real data. > > -- > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] troubleshooting a puzzling issue
> On Jan 13, 2017, at 5:28 AM, Thierry Parmentelat >wrote: > > I have two certificates, one being signed by the other > the attached code is a python code that uses M2Crypto to check for that fact Your current problem is failure to post the two certificates along with the anecdotal description. You're also not reporting which versions of the various O/S distributions you were using, and more importantly which versions of OpenSSL were linked into Python's M2Crypto. Real answers require real data. -- -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users