Hi All, Thank you for all for providing the information. I suspect we are using " SSL_MODE_SEND_FALLBACK_SCSV " and that might be causing the issue. The team is looking into this issue now with the provided information.
One doubt that came during our investigation is : " If client has highest version of TLS1.3 and server has support for TLS1.2 and SLV3 only. How the handshake will proceed ? " I am not sure if this question should go to a new thread ? Thanks and Regards, Ram Krushna On Wed, Oct 24, 2018 at 11:47 AM <openssl-users-requ...@openssl.org> wrote: > Send openssl-users mailing list submissions to > openssl-users@openssl.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://mta.openssl.org/mailman/listinfo/openssl-users > or, via email, send a message with subject or body 'help' to > openssl-users-requ...@openssl.org > > You can reach the person managing the list at > openssl-users-ow...@openssl.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of openssl-users digest..." > > > Today's Topics: > > 1. Re: CAPI-Engine doc (Selva Nair) > 2. Re: CAPI-Engine doc (Michael Wojcik) > 3. Re: Reg issue in alert message (Michael Wojcik) > 4. Re: CAPI-Engine doc (Jakob Bohm) > 5. Re: Openssl Build Error- module unsafe for SAFESEH > image/Unable to generate SAFESEH image (sakdev) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Tue, 23 Oct 2018 11:22:04 -0400 > From: Selva Nair <selva.n...@gmail.com> > To: richard.oehlin...@adbsafegate.com, openssl-users@openssl.org > Subject: Re: [openssl-users] CAPI-Engine doc > Message-ID: > <CAKuzo_iqEBP-QG19Hsg5dFVoUG+2q-5O= > vfg_ntzajsqj+d...@mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users > <openssl-users@openssl.org> wrote: > > > > Hi! > > > > I'm trying to get a handle on the CAPI engine, because I need to have a > > secure Keystore on Windows. Furthermore I need it to work with Qt's > > QSslKey, which fortunately can be constructed by EVP_PKEY *. > > > > So far so good. The key is found, but when I try to use it in a SSL > > connection i get following error: > > > > error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object, > > error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib > > Which version of OpenSSL? > > > Trace Output is: > > > > Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt > > Opening certificate store MY > > capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C}, > > provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1 > > Called CAPI_rsa_sign() > > This CSP cannot do SHA2 hashes so won't work unless you restrict > signature algorithms or set TLS version to 1.1. I believe OpenSSL > 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which > can handle SHA2 and may work. I say "may" because, if the key store is > a legacy hardware token, it also depends on signature algorithms supported > by the token and may be necessary to downgrade to TLS 1.1. > > Selva > > > ------------------------------ > > Message: 2 > Date: Tue, 23 Oct 2018 15:37:24 +0000 > From: Michael Wojcik <michael.woj...@microfocus.com> > To: "openssl-users@openssl.org" <openssl-users@openssl.org> > Subject: Re: [openssl-users] CAPI-Engine doc > Message-ID: > < > dm5pr18mb1324455050cc00bd3a2dd70ff9...@dm5pr18mb1324.namprd18.prod.outlook.com > > > > Content-Type: text/plain; charset="Windows-1252" > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > > Of Richard Oehlinger via openssl-users > > Sent: Tuesday, October 23, 2018 10:38 > > > > I'm trying to get a handle on the CAPI engine, because I need to have a > > secure Keystore on Windows. Furthermore I need it to work with Qt's > > QSslKey, which fortunately can be constructed by EVP_PKEY *. > > What OpenSSL version are you using? Please remember to include this > informtion in every question. (And, normally, we'd ask for the platform as > well, but since CAPI is Windows-specific, we know that in this case.) > > > So far so good. The key is found, but when I try to use it in a SSL > > connection i get following error: > > > > error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object, > > error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib > > > > I use a current Windows 10. Do I need to use a different Algorithm in > > order to work? Some googeling is indicating the provider might be wrong. > > I haven't looked at the CAPI engine code since 1.0.1j. At that time, I > needed CAPI support and discovered there were various issues with the > extant CAPI code, so I forked and rewrote it. That was some time back, > obviously, and I'm afraid I never got around to pushing the changes back to > openssl.org. (In fact, it was sufficiently long ago that I believe the > organization was still reluctant to take contributions from people in the > US at the time.) > > The biggest issue was with provider handling. CAPI is something of a > braindead API in many ways - Microsoft's replacement, CNG, is somewhat > better - and the provider stuff is one of them. When a key (including a > "key" which is actually just a reference to a key contained in an HSM) is > imported into one of the Windows key stores, it has to be associated with a > provider, and that provider has to accommodate that type and size of key; > otherwise the key is unusable. Then, when you try to use the key in CAPI, > you have to specify the same provider - CAPI isn't smart enough to figure > it out on its own. > > So my version of the CAPI engine has code to look up the key's provider > and silently correct the provider type information in the engine's context > structure if it's a mismatch. > > Beyond that, it appears that my changes included: > > - Support for building all the necessary functionality when using > Microsoft Windows SDK 6.0A, which was one of my requirements at the time. > > - Supporting hashes other than SHA-1 for DSA. We have US Federal customers > who needed fairly comprehensive DSA support. For most people this is likely > a non-issue. > > - Forcing stack probes on for the callback functions, because my engine > was being built outside the OpenSSL build process, but needed to match the > calling convention of OpenSSL, which (at least in 1.0.1j) included > stack-probe support. > > - A fix suggested by Steven Henson years ago on the mailing list to > capi_get_key, but never (at least by 1.0.1j) picked up in the source code: > If CryptGetUserKey returns NTE_NO_KEY, xor keyspec with 3 to flip the key > type and try CryptGetUesrKey again. > > I think that's it, though it's possible I tweaked some other things and > didn't call them out in the comments. > > I suppose I should check what the CAPI engine source looks like in 1.1.1, > merge my changes in if feasible, and submit a PR. One of these days... > > Really, though, what we need is a new engine written to use CNG rather > than CAPI. Though that would have the disadvantage of not supporting > ancient Windows OS and SDK versions which, while unsupported by Microsoft, > are still used in far too many places. > > -- > Michael Wojcik > Distinguished Engineer, Micro Focus > > > > > ------------------------------ > > Message: 3 > Date: Tue, 23 Oct 2018 15:37:25 +0000 > From: Michael Wojcik <michael.woj...@microfocus.com> > To: "openssl-users@openssl.org" <openssl-users@openssl.org> > Subject: Re: [openssl-users] Reg issue in alert message > Message-ID: > < > dm5pr18mb13246f528fb866508d8e9267f9...@dm5pr18mb1324.namprd18.prod.outlook.com > > > > Content-Type: text/plain; charset="Windows-1252" > > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > > Of Viktor Dukhovni > > Sent: Tuesday, October 23, 2018 10:02 > > > > On Tue, Oct 23, 2018 at 01:29:27PM +0100, Matt Caswell wrote: > > > > > > So, I think client have set TLS_FALLBACK_SCSV in cipher suite list in > > > > client hello. > > > > > > This suggests there is a bug in the client application. This can only > > > happen if the client application calls SSL_CTX_set_mode() or > > > SSL_set_mode() to set the SSL_MODE_SEND_FALLBACK_SCSV mode. > > > > I have a somewhat plausible, if dicey hunch: > > > > Perhaps some application developers got confused between > > the similar functions SSL_CTX_set_session_cache_mode(3) > > and SSL_CTX_set_mode(3) and called the wrong one? > > Certainly possible, but I wouldn't discount the possibility that someone > simply thought setting SSL_MODE_SEND_FALLBACK_SCSV was the Right Thing. > There was a fair bit of confusion around the Fallback SCSV when it first > appeared (we had questions from customers that indicated they didn't > understand it, and I had to read the ID to make sure I did). And, of > course, TLS is mightly confusing in general. > > It is interesting to note that those two options happen to have the same > value, though, particularly given the similarity of the two function names. > > This is one of those cases where C's weak type system is a problem. Though > it would be nice if OpenSSL used enums rather than macros for these things. > > -- > Michael Wojcik > Distinguished Engineer, Micro Focus > > > > > > ------------------------------ > > Message: 4 > Date: Tue, 23 Oct 2018 17:42:56 +0200 > From: Jakob Bohm <jb-open...@wisemo.com> > To: openssl-users@openssl.org > Subject: Re: [openssl-users] CAPI-Engine doc > Message-ID: <fc161e84-bf5f-f61b-0f1d-3bfa5641e...@wisemo.com> > Content-Type: text/plain; charset=utf-8; format=flowed > > On 23/10/2018 17:22, Selva Nair wrote: > > On Tue, Oct 23, 2018 at 10:38 AM Richard Oehlinger via openssl-users > > <openssl-users@openssl.org> wrote: > >> Hi! > >> > >> I'm trying to get a handle on the CAPI engine, because I need to have a > >> secure Keystore on Windows. Furthermore I need it to work with Qt's > >> QSslKey, which fortunately can be constructed by EVP_PKEY *. > >> > >> So far so good. The key is found, but when I try to use it in a SSL > >> connection i get following error: > >> > >> error:80070063:lib(128):CAPI_RSA_SIGN:cant create hash object, > >> error:1409B006:SSL routines:ssl3_send_server_key_exchange:EVP lib > > Which version of OpenSSL? > > > >> Trace Output is: > >> > >> Setting debug file to C:\Users\user\AppData\Local\Temp\engine.txt > >> Opening certificate store MY > >> capi_get_key, contname={4EBA52A8-AB4B-47DB-B777-2B26351F324C}, > >> provname=Microsoft Enhanced Cryptographic Provider v1.0, type=1 > >> Called CAPI_rsa_sign() > > This CSP cannot do SHA2 hashes so won't work unless you restrict > > signature algorithms or set TLS version to 1.1. I believe OpenSSL > > 1.1.0 will try to load The ".. Enhanced RSA AES .. Provider" which > > can handle SHA2 and may work. I say "may" because, if the key store is > > a legacy hardware token, it also depends on signature algorithms > supported > > by the token and may be necessary to downgrade to TLS 1.1. > > > The above limitations are less severe in CNG ("CryptoAPI Next Generation") > on Windows 6.00 and later, where the old API and CSP names are actually > emulations on top of a new structure with much smaller "KSP" providers. > At the same time, the CNG emulation of the classic CryptoAPI functions > are limited to what was available in Windows 5.01 SP2 and 5.02 SP2, thus > much of the SHA-2 functionality is available only by calling the CNG > APIs directly on Windows >= 6.00, but the older APIs with a reference > to newer enum values introduced in Windows 5.01 SP3 or 5.02 SP2+Hotfix. > > Put another way, Microsoft forked their crypto source tree sometime in > 2004 or 2005, and anything added later was implemented differently in > the 5.0x and 6.0x code bases. > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > > > ------------------------------ > > Message: 5 > Date: Tue, 23 Oct 2018 23:16:13 -0700 (MST) > From: sakdev <best.sakt...@gmail.com> > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Openssl Build Error- module unsafe for > SAFESEH image/Unable to generate SAFESEH image > Message-ID: <1540361773425-0.p...@n7.nabble.com> > Content-Type: text/plain; charset=us-ascii > > Added "/safeseh" in assembler flags and problem got solved. Thank you very > much. > > > > -- > Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > openssl-users mailing list > openssl-users@openssl.org > https://mta.openssl.org/mailman/listinfo/openssl-users > > > ------------------------------ > > End of openssl-users Digest, Vol 47, Issue 45 > ********************************************* >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
