Re: s_client -reconnect with DTLS
Hi again,

I am not sure if someone can help confirming that the -reconnect option is broken with the dtls implementation? Please refer to my email below.

Looking forward to your support.

Regards,
Nadhem

From: N. J. nadh...@yahoo.com
To: openssl-dev@openssl.org
Sent: Wed, April 20, 2011 1:12:11 AM
Subject: s_client -reconnect with DTLS

> Hi there,
>
> I have been trying to get the s_client -reconnect option working with my s_server but had no luck when using DTLS, -dtls1. I could not find any information why it is not working so I wonder if this is broken in openssl 1.0.0a. If so, is there any fix?
>
> Thanks in advance,
> Nadhem
Re: Please Help I am looking for openssl-fips-1.2.2.tar.gz for Windows 64 Bit
On 04/22/2011 05:20 AM, Bhaskar Raju Penumatsa wrote:

> Dear Steve
>
> Thanks for your reply. Actually I am new to OPENSSL. Currently I am using OpenSSL 1.0.0d. I would like to ask you whether it is FIPS enabled version?

There is currently no validated OpenSSL FIPS Object Module compatible with any OpenSSL 1.0.0+ distributions, and OpenSSL 1.0.0+ is not FIPS enabled. We hope to have both available at the end of this year.

> I am using this OPENSSL for encryption and decryption of Data files using 3DES algorithm from the command prompt. Recently I came across http://www.openssl.org/source/openssl-fips-1.2.2.tar.gz version which I am not able to Install on Win 64 bit OS. And also I come across some blogs saying that I need to enable FIPS by FIPS_MODE_SET() to True. And some blogs say that I need to link the OPENSSL 1.2.2 to the version I am Using.

For the FIPS capable OpenSSL 0.9.8+ and the OpenSSL FIPS Object Module v1.2.2 (your only current option), see the User Guide at http://www.openssl.org/docs/fips/UserGuide.pdf.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: s_client -reconnect with DTLS
Hello,

I'm sure you'll get help faster, if you describe:

1. What are you doing exactly.
2. What do you see.
3. What do you expect to see.

These are absolutely necessary steps, as all telepathists are on vacation now.

On 22 April 2011 15:50, N. J. nadh...@yahoo.com wrote:

> Hi again,
>
> I am not sure if someone can help confirming that the -reconnect option is broken with the dtls implementation? Please refer to my email below.
>
> Looking forward to your support.
>
> Regards,
> Nadhem
>
>> Hi there,
>>
>> I have been trying to get the s_client -reconnect option working with my s_server but had no luck when using DTLS, -dtls1. I could not find any information why it is not working so I wonder if this is broken in openssl 1.0.0a. If so, is there any fix?
>>
>> Thanks in advance,
>> Nadhem
Re: s_client -reconnect with DTLS
Thanks for the reply Andy,

Please find hereafter the full description. I hope it is more clear.

1. What are you doing exactly:

N I am testing the session resumption feature available with OpenSSL using s_client. My setup has a machine running s_client and another one running s_server. I am using OpenSSL 1.0.0a. I am testing with both, TLS and DTLS, and I use the -reconnect handler to test the session resumption feature. For example:

    openssl s_client -connect 10.1.1.1:4443 -dtls1 -reconnect

    -reconnect - Drop and re-make the connection with the same Session-ID

3. What do you expect to see.

N I expect to see the following in accordance with the documentation of OpenSSL: The client reconnects to the same server 5 times using the same session ID

2. What do you see.

N With TLS all good, I can see the session getting resumed as per the OpenSSL's documentation. I can see the client sending the session resumption hellos and the server replying back and both finishing the session resumption cycle multiple times. When I use DTLS instead, with the -dtls1 handler, I can see the client and server getting initially connected. However, when the client tries to reconnect by sending a session resumption client hello, the server never responds.

Thanks,
Nadhem

From: Andrey Kulikov amde...@gmail.com
To: openssl-dev@openssl.org
Sent: Fri, April 22, 2011 3:26:56 PM
Subject: Re: s_client -reconnect with DTLS

> Hello,
>
> I'm sure you'll get help faster, if you describe:
>
> 1. What are you doing exactly.
> 2. What do you see.
> 3. What do you expect to see.
>
> These are absolutely necessary steps, as all telepathists are on vacation now.
>
> On 22 April 2011 15:50, N. J. nadh...@yahoo.com wrote:
>
>> Hi again,
>>
>> I am not sure if someone can help confirming that the -reconnect option is broken with the dtls implementation? Please refer to my email below.
>>
>> Looking forward to your support.
>>
>> Regards,
>> Nadhem
>>
>>> Hi there,
>>>
>>> I have been trying to get the s_client -reconnect option working with my s_server but had no luck when using DTLS, -dtls1. I could not find any information why it is not working so I wonder if this is broken in openssl 1.0.0a. If so, is there any fix?
>>>
>>> Thanks in advance,
>>> Nadhem
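Added example (not part of the original thread and not OpenSSL project code): one way to check the expectation in the message above, one full handshake followed by 5 resumed ones under a single Session-ID, from a saved s_client -reconnect transcript. It assumes the "New, " / "Reused, " status lines and the "Session-ID:" field that s_client prints after each handshake; the function names and the sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a saved `openssl s_client ... -reconnect` transcript.
# Assumes the "New, " / "Reused, " status lines and the "Session-ID:" field
# that s_client prints after every handshake.

# summarize_reconnect FILE -> prints "new=N reused=M distinct_ids=K"
summarize_reconnect() {
    awk '
        /^New, /    { new++ }       # full handshake
        /^Reused, / { reused++ }    # abbreviated (resumed) handshake
        /^[ \t]*Session-ID:/ {      # does not match "Session-ID-ctx:"
            if ($2 != "" && !($2 in seen)) { seen[$2] = 1; distinct++ }
        }
        END { printf "new=%d reused=%d distinct_ids=%d\n", new, reused, distinct }
    ' "$1"
}

# resumption_ok FILE RECONNECTS -> status 0 only if the first handshake was
# full, every reconnect was resumed, and a single Session-ID was used.
resumption_ok() {
    [ "$(summarize_reconnect "$1")" = "new=1 reused=$2 distinct_ids=1" ]
}

# make_sample FILE RECONNECTS -> writes a CONSTRUCTED transcript (not captured
# output) with one full handshake followed by RECONNECTS resumed ones.
make_sample() {
    {
        printf '%s\n' '---' 'New, TLSv1/SSLv3, Cipher is AES256-SHA' \
            'SSL-Session:' '    Session-ID: 0A1B2C3D' '    Session-ID-ctx: '
        i=0
        while [ "$i" -lt "$2" ]; do
            printf '%s\n' 'drop connection and then reconnect' '---' \
                'Reused, TLSv1/SSLv3, Cipher is AES256-SHA' \
                'SSL-Session:' '    Session-ID: 0A1B2C3D' '    Session-ID-ctx: '
            i=$((i + 1))
        done
    } > "$1"
}

# Demo: the 5 reconnects the documentation promises, then a transcript that
# stops after the first handshake (the DTLS symptom reported above).
demo=$(mktemp)
make_sample "$demo" 5
summarize_reconnect "$demo"; resumption_ok "$demo" 5 && echo "resumed: yes"
make_sample "$demo" 0
summarize_reconnect "$demo"; resumption_ok "$demo" 5 || echo "resumed: no"
rm -f "$demo"
```

Against a real run, redirect the s_client output to a file and pass that file to resumption_ok with 5 as the expected number of reconnects.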
OPEN SSL in FIPS Mode - Help
Hi Team,

We are using OpenSSL-Win32 (OpenSSL 1.0.0d). We downloaded openssl-fips-1.2.2.tar.gz <http://www.openssl.org/source/openssl-fips-1.2.2.tar.gz>

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Why OpenSSL may keep received/written data in memory?
Hello OpenSSL developers,

I'm trying to ensure that sensitive data (passwords, ...) are not kept in clear-text in process memory and I have found that all data sent to or received from OpenSSL is kept in memory...

This is a problem as data sent or received from an SSL connection may contain sensitive information that we don't want to keep in process memory.

Notes:
- This is only the case when using SSLv3 or TLSv1. When using SSLv2, data is not kept in memory.
- I am using version 0.9.8k-7ubuntu8.6 from Ubuntu Lucid. If this is related to a security fix, I think it is up to date.

Reproduction is easy:
- Use 'openssl s_client -tls1 -connect hostname:443' to connect to an SSL server
- Send data in TLS connection
- Force generation of core file (kill -SEGV for example)
- Inspect core file, received and sent data will be present

Is there a reason for which OpenSSL may need to keep that data? Is there an option to alter its behavior?

[http://stackoverflow.com/questions/5746343/why-openssl-may-keep-received-written-data-in-memory]

--
Math
Re: Please Help I am looking for openssl-fips-1.2.2.tar.gz for Windows 64 Bit
Dear Steve

Thanks for your reply. Actually I am new to OPENSSL. Currently I am using OpenSSL 1.0.0d. I would like to ask you whether it is FIPS enabled version?

I am using this OPENSSL for encryption and decryption of Data files using 3DES algorithm from the command prompt. Recently I came across http://www.openssl.org/source/openssl-fips-1.2.2.tar.gz version which I am not able to Install on Win 64 bit OS. And also I come across some blogs saying that I need to enable FIPS by FIPS_MODE_SET() to True. And some blogs say that I need to link the OPENSSL 1.2.2 to the version I am Using.

Really I am confused by this. Can you help me in getting an OPENSSL with FIPS enabled software where I can use the 3DES or AES algorithms for my Encryption and Decryption using the Command prompt.

Regards,
Bhaskar Raju

On Fri, Apr 22, 2011 at 5:05 AM, Steve Marquess marqu...@opensslfoundation.com wrote:

> On 04/21/2011 10:33 AM, Bhaskar Raju Penumatsa wrote:
>
>> Dear Openssl Dev,
>>
>> I am using OPENSSL for Encryption/Decryption of Data in my project. I am looking for openssl-fips-1.2.2.tar.gz for Windows 64 Bit. Can you please help me in getting it. Your response will be very much useful.
>>
>> Regards,
>> Bhaskar Raju
>
> It's the same for all platforms:
>
> http://www.openssl.org/source/openssl-fips-1.2.2.tar.gz
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877-673-6775
> marqu...@opensslfoundation.com
Re: s_client -reconnect with DTLS
On Apr 22, 2011, at 2:56 PM, N. J. wrote:

> Thanks for the reply Andy,
>
> Please find hereafter the full description. I hope it is more clear.
>
> 1. What are you doing exactly:
>
> N I am testing the session resumption feature available with OpenSSL using s_client. My setup has a machine running s_client and another one running s_server. I am using OpenSSL 1.0.0a. I am testing with both, TLS and DTLS, and I use the -reconnect handler to test the session resumption feature. For example:
>
>     openssl s_client -connect 10.1.1.1:4443 -dtls1 -reconnect
>
>     -reconnect - Drop and re-make the connection with the same Session-ID
>
> 3. What do you expect to see.
>
> N I expect to see the following in accordance with the documentation of OpenSSL: The client reconnects to the same server 5 times using the same session ID
>
> 2. What do you see.
>
> N With TLS all good, I can see the session getting resumed as per the OpenSSL's documentation. I can see the client sending the session resumption hellos and the server replying back and both finishing the session resumption cycle multiple times. When I use DTLS instead, with the -dtls1 handler, I can see the client and server getting initially connected. However, when the client tries to reconnect by sending a session resumption client hello, the server never responds.

Dear all,

Robin Seggelmann and myself have verified that there is some issue using DTLS. He will look into this as soon as time permits...

Best regards
Michael

> Thanks,
> Nadhem
>
> From: Andrey Kulikov amde...@gmail.com
> To: openssl-dev@openssl.org
> Sent: Fri, April 22, 2011 3:26:56 PM
> Subject: Re: s_client -reconnect with DTLS
>
>> Hello,
>>
>> I'm sure you'll get help faster, if you describe:
>>
>> 1. What are you doing exactly.
>> 2. What do you see.
>> 3. What do you expect to see.
>>
>> These are absolutely necessary steps, as all telepathists are on vacation now.
>>
>> On 22 April 2011 15:50, N. J. nadh...@yahoo.com wrote:
>>
>>> Hi again,
>>>
>>> I am not sure if someone can help confirming that the -reconnect option is broken with the dtls implementation? Please refer to my email below.
>>>
>>> Looking forward to your support.
>>>
>>> Regards,
>>> Nadhem
>>>
>>>> Hi there,
>>>>
>>>> I have been trying to get the s_client -reconnect option working with my s_server but had no luck when using DTLS, -dtls1. I could not find any information why it is not working so I wonder if this is broken in openssl 1.0.0a. If so, is there any fix?
>>>>
>>>> Thanks in advance,
>>>> Nadhem
Re: s_client -reconnect with DTLS
Thanks Michael and Robin,

I will be waiting for your response. Meanwhile, enjoy your Easter holiday.

Cheers,
Nadhem

From: Michael Tüxen michael.tue...@lurchi.franken.de
To: openssl-dev@openssl.org
Cc: Andrey Kulikov amde...@gmail.com
Sent: Sat, April 23, 2011 12:08:12 AM
Subject: Re: s_client -reconnect with DTLS

> On Apr 22, 2011, at 2:56 PM, N. J. wrote:
>
>> Thanks for the reply Andy,
>>
>> Please find hereafter the full description. I hope it is more clear.
>>
>> 1. What are you doing exactly:
>>
>> N I am testing the session resumption feature available with OpenSSL using s_client. My setup has a machine running s_client and another one running s_server. I am using OpenSSL 1.0.0a. I am testing with both, TLS and DTLS, and I use the -reconnect handler to test the session resumption feature. For example:
>>
>>     openssl s_client -connect 10.1.1.1:4443 -dtls1 -reconnect
>>
>>     -reconnect - Drop and re-make the connection with the same Session-ID
>>
>> 3. What do you expect to see.
>>
>> N I expect to see the following in accordance with the documentation of OpenSSL: The client reconnects to the same server 5 times using the same session ID
>>
>> 2. What do you see.
>>
>> N With TLS all good, I can see the session getting resumed as per the OpenSSL's documentation. I can see the client sending the session resumption hellos and the server replying back and both finishing the session resumption cycle multiple times. When I use DTLS instead, with the -dtls1 handler, I can see the client and server getting initially connected. However, when the client tries to reconnect by sending a session resumption client hello, the server never responds.
>
> Dear all,
>
> Robin Seggelmann and myself have verified that there is some issue using DTLS. He will look into this as soon as time permits...
>
> Best regards
> Michael
>
>> Thanks,
>> Nadhem
>>
>> From: Andrey Kulikov amde...@gmail.com
>> To: openssl-dev@openssl.org
>> Sent: Fri, April 22, 2011 3:26:56 PM
>> Subject: Re: s_client -reconnect with DTLS
>>
>>> Hello,
>>>
>>> I'm sure you'll get help faster, if you describe:
>>>
>>> 1. What are you doing exactly.
>>> 2. What do you see.
>>> 3. What do you expect to see.
>>>
>>> These are absolutely necessary steps, as all telepathists are on vacation now.
>>>
>>> On 22 April 2011 15:50, N. J. nadh...@yahoo.com wrote:
>>>
>>>> Hi again,
>>>>
>>>> I am not sure if someone can help confirming that the -reconnect option is broken with the dtls implementation? Please refer to my email below.
>>>>
>>>> Looking forward to your support.
>>>>
>>>> Regards,
>>>> Nadhem
>>>>
>>>>> Hi there,
>>>>>
>>>>> I have been trying to get the s_client -reconnect option working with my s_server but had no luck when using DTLS, -dtls1. I could not find any information why it is not working so I wonder if this is broken in openssl 1.0.0a. If so, is there any fix?
>>>>>
>>>>> Thanks in advance,
>>>>> Nadhem