On 12 November 2010 15:20, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Nov 12, 2010, Andrey Kulikov wrote:
>
>> Hello,
>>
>> I'm trying to make s_server and s_client work with GOST encryption
>> using ccgost engine and certificates with GOST algos.
>> But it is unable to work, complaining about bad mac computing.
>> (If I use RSA-based certificates, everything works just fine.)
>>
>
> Please try a recent 1.0.0 snapshot and see if you still have this problem.
>
> Steve.

I checked with
ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20101112.tar.gz

The visible behaviour is the same.
The command output is the same.

The test procedure is the same as described in the original message:

Modify openssl.cnf
export OPENSSL_CONF=<path to >/openssl.cnf
./apps/openssl genpkey -engine gost -algorithm gost2001 -pkeyopt paramset:A -out botkey.p8
./apps/openssl req -config ./apps/openssl.cnf -x509 -days 1095 -subj '/C=RU/CN=csp_srv/o=lapu...@mail.ru' -engine gost -new -key botkey.p8 -out botcert.pem
./apps/openssl s_server -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8
./apps/openssl s_client -engine gost -ssl3 -connect localhost:4333

s_client output (truncated):
==================
~/comt_area/openssl-1.0.1-stable-SNAP-20101112# ./apps/openssl s_client -engine gost -ssl3 -connect localhost:4333
engine "gost" set.
CONNECTED(00000003)
depth=0 C = RU, CN = csp_srv, O = lapu...@mail.ru
verify error:num=18:self signed certificate
verify return:1
depth=0 C = RU, CN = csp_srv, O = lapu...@mail.ru
verify return:1
3076486796:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
3076486796:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
3076486796:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1212:SSL alert number 20
3076486796:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
 0 s:/C=RU/CN=csp_srv/o=lapu...@mail.ru
   i:/C=RU/CN=csp_srv/o=lapu...@mail.ru
---
==================

s_server output (truncated)
==================
:~/comt_area/openssl-1.0.1-stable-SNAP-20101112# ./apps/openssl s_server -www -engine gost -accept 4333 -state -cert botcert.pem -key botkey.p8
engine "gost" set.
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL3 alert write:fatal:bad record mac
SSL_accept:error in SSLv3 read certificate verify A
SSL_accept:error in SSLv3 read certificate verify A
3076945548:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
3076945548:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:8808C074:lib(136):GOST_IMIT_FINAL:mac key not set:gost_crypt.c:564:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:8808C074:lib(136):GOST_IMIT_FINAL:mac key not set:gost_crypt.c:564:
3076945548:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:479:
====================
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
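
Added example, not part of the original message or of OpenSSL: a small parser for the error-queue lines shown above that unpacks the hex error code and collapses repeats, so the distinct failures and their order stand out. It assumes the OpenSSL 1.0.x packing of the code (8-bit library, 12-bit function, 12-bit reason); parse_line and summarize are hypothetical names.

```python
import re

# Constructed sample: error-queue lines copied from the s_server output in the post.
SAMPLE = """\
3076945548:error:1411D144:SSL routines:ssl3_handshake_mac:digest requred for handshake isn't computed:s3_enc.c:668:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:88073074:lib(136):GOST_IMIT_UPDATE:mac key not set:gost_crypt.c:527:
3076945548:error:8808C074:lib(136):GOST_IMIT_FINAL:mac key not set:gost_crypt.c:564:
3076945548:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:479:
"""

# tid:error:<packed hex>:<lib>:<func>:<reason>:<file>:<line>:<optional data>
LINE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):(.*)$")


def parse_line(line):
    """Return a dict for one error-queue line, or None if it is not one."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    _tid, code, lib, func, reason, src, lineno, data = m.groups()
    packed = int(code, 16)
    return {
        # 20 is the SSL library; 136 matches the lib(136) printed for the engine.
        "lib_num": (packed >> 24) & 0xFF,
        "func_num": (packed >> 12) & 0xFFF,
        "reason_num": packed & 0xFFF,
        "lib": lib, "func": func, "reason": reason,
        "where": f"{src}:{lineno}", "data": data,
    }


def summarize(text):
    """Collapse repeated entries into (count, lib_num, func, reason, where), first-seen order."""
    counts = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # state lines such as "SSL_accept:..." are skipped
        key = (rec["lib_num"], rec["func"], rec["reason"], rec["where"])
        counts[key] = counts.get(key, 0) + 1
    return [(n, *key) for key, n in counts.items()]


if __name__ == "__main__":
    for n, lib_num, func, reason, where in summarize(SAMPLE):
        print(f"{n:2d}x lib={lib_num:3d} {func}: {reason} ({where})")
```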