Openssl
Hi Openssl Developer, I'm Budi Mulyana newbie for XAMPP user. I just want to know, how to enable/disable OpenSSL on XAMPP for Windows? Thanks, Budi Mulyana --
[openssl.org #3485] Windows mingw test failure 20140805
Hello On the branch openssl-SNAP-20140805 Configuring for mingw no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-store[experimental] OPENSSL_NO_STORE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [default] IsMK1MF=0 CC=gcc CFLAG =-DOPENSSL_THREADS -D_MT -DDSO_WIN32 -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 -march=i486 -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM EX_LIBS =-lws2_32 -lgdi32 -lcrypt32 CPUID_OBJ =x86cpuid.o BN_ASM=bn-586.o co-586.o x86-mont.o x86-gf2m.o DES_ENC =des-586.o crypt586.o AES_ENC =aes-586.o vpaes-x86.o aesni-x86.o BF_ENC=bf-586.o CAST_ENC =cast-586.o RC4_ENC =rc4-586.o RC5_ENC =rc5-586.o MD5_OBJ_ASM =md5-586.o SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o RMD160_OBJ_ASM=rmd-586.o CMLL_ENC =cmll-x86.o MODES_OBJ =ghash-x86.o ENGINES_OBJ =e_padlock-x86.o PROCESSOR = RANLIB=true ARFLAGS = PERL =perl THIRTY_TWO_BIT mode DES_PTR used DES_RISC1 used DES_UNROLL used BN_LLONG mode RC4_INDEX mode RC4_CHUNK is undefined make ok Test failure : Generate and certify a test certificate make a certificate request using 'req' rsa ../util/shlib_wrap.sh: line 96: /d/LogicielDeBaseQcr/Jenkins/jobs/qcr-maven-plugin-testsunitaires-qcr4cpp-openssl-daily-de-base-windows/workspace/openssl-SNAP-20140805/test/../apps/openssl.exe: Bad file number ../util/shlib_wrap.sh: line 96: /d/LogicielDeBaseQcr/Jenkins/jobs/qcr-maven-plugin-testsunitaires-qcr4cpp-openssl-daily-de-base-windows/workspace/openssl-SNAP-20140805/test/../apps/openssl.exe: error 0 error using 'req' to generate a certificate request make[1]: *** [test_ss] Error 1 make[1]: Leaving directory `/d/LogicielDeBaseQcr/Jenkins/jobs/qcr-maven-plugin-testsunitaires-qcr4cpp-openssl-daily-de-base-windows/workspace/openssl-SNAP-20140805/test' make: *** [tests] Error 2 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1979] Add uClibc support
On Tue 01 Jul 2014 08:53:56 Tim Hudson wrote: On 30/06/2014 10:23 PM, Salz, Rich wrote: On Tue, Jul 01, 2014 at 12:25:00AM +0200, Rich Salz via RT wrote: Unsupported platform. Not having read the ticket, uClibc and newlib might be useful to support if possible since they're popular for embedded devices. They are actively used - but with a case that old and known current usage (one of the FIPS140 validated platforms is indeed uClibc based) so closing the ticket in my view is the right approach. If there is a specific issue with current releases those impacted should raise a new issue ... The specific suggested Makefile included in the RT item is also somewhat rather specific to the snapgear distribution layout ... yeah, that patch makes no sense to include. Gentoo actively builds the latest openssl on uClibc, so it's not clear to me if any changes are needed at all. i know hat openssl on nommu/Linux (which uses uClibc) has troubles with some apps because they use fork(), but that patch doesn't help there. -mike signature.asc Description: This is a digitally signed message part.
[openssl.org #3486] Bug Report: Openssl 1.0.1h | RHEL-6 | x86_64 | Crash in lh_retrieve
Hello, We have a client and server which communicates using SSL with NULL encryption. The client when it connects to the server sends a Certificate signing request, the server responds by sending the server certificate. All works fine during test and even under load using openssl version 0.9.8 and also 1.0.1f I believe, but we are experiencing crash with version 1.0.1h under load setup (Once every day). The simulator which we use to simulate a client disconnects and connects back to the server many times, each time asking for the certificate from the server. The crash was seen just once the entire day. So I dont think its anywhere close to broken functionality. Looks like more of a race issue. Similar references: http://openssl.6102.n7.nabble.com/Crash-in-libcrypto-so-1-0-0-td42043.html Also, I have verified the data sent by the client from the core dump using a test program. Also from openssl command: openssl req -inform DER -in filebin -verify verify OK -BEGIN CERTIFICATE REQUEST- MIIC3jCCAcYCADCBmTEZMBcGA1UEAxMQbG9hZC10ZXN0LWNsaWVudDEsMCoGA1UE CxMjU3RlZWxIZWFkIE1vYmlsZSBzcG9ydCBpZCAxMjM0NjAwMDAxITAfBgNVBAoT GFJpdmVyYmVkIFRlY2hub2xvZ3kgSW5jLjEWMBQGA1UEBxMNU2FuIEZyYW5jaXNj bzETMBEGA1UECBMKQ2FsaWZvcm5pYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAKM2SEhLwq3TjpoIUAdn7jRoY+Rz5MnOL+Yt3DksTn+Hqwpd+9tWEhiG EbhU2oYx+LqhKjTopqxI0Vn48SIstEM4dA6QVXxS96gz0fZkrS4ggQmNjQCQZuUS 1/LC6pBgjZ+faCTX15yjgDtEBR0FCBRbYY65XS5W49ZUpsMQDdPcpSqKxw3WHJSv J3ofyglgnaHqXMOC1ktQFOqF7l0jFcqAkSzk3AS2N6l4OueOZkETpn/ILdRaeoGm 9/dAwd97ClZz4W/y1T/M52YeNBBkz4DHxU6ka1s9pIjPVUUIMwh/TR1DpDB+dWm2 g+xxy1sPVP+P6r5pLsxLW7VuWpCkuQUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IB AQA/6JMbpnMTgWP2IDeLmnb4CiL0vUXoYQnCRHu85DvxZOJnGX311lojHLadB8fJ quRzyt/kcONK4NWQO8QU4LOnJXbr56Q96ub3p+GOmyg/EG7ipM5iH0D5XnMBS73S 4dRM/T6TIskJNFUZ81XWOOwRuqX69PWwIbDe14u9N/B5ssiW19CjraB7TZd+IULP 43NADyNnsyJeLicF9McnGxpnjXj+3/BpALqnHQBKOZg1nWxg9BfdlADd13YkplG2 mITQb0/X2A8EZQxOFhHcl2IzHQ4c6+9fJZib4FGg5RBMoQzaAFV+cCOF/O6ONxZJ KKCcv5qPA9rAj+Q0voK2RwYC -END CERTIFICATE REQUEST- This is the stack trace we get (Top half only): Thread 1 (Thread 0x7fa62851d700 (LWP 19528)): #0 0x7fa62657f2d6 in __strcmp_sse42 () from /lib64/libc.so.6 #1 0x7fa6276f5b4a in ?? () from /usr/lib64/libcrypto.so.10 #2 0x7fa6276f5b8c in lh_retrieve () from /usr/lib64/libcrypto.so.10 #3 0x7fa62767c758 in OBJ_NAME_get () from /usr/lib64/libcrypto.so.10 #4 0x7fa62770d49d in ASN1_item_verify () from /usr/lib64/libcrypto.so.10 #5 0x008a1fd7 in ca::CA::process_cert_request(unsigned char const*, unsigned long, std::vectorunsigned char, std::allocatorunsigned char *) () This looks like an issue to me. Thanks. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL version 1.0.1i released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.1i released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1i of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1i.tar.gz Size: 4422117 MD5 checksum: c8dc151a671b9b92ff3e4c118b174972 SHA1 checksum: 74eed314fa2c93006df8d26cd9fc630a101abd76 The checksums were calculated using the following commands: openssl md5 openssl-1.0.1i.tar.gz openssl sha1 openssl-1.0.1i.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJT4pu4AAoJENnE0m0OYESR5EoIAKZ/2u7QKuaW3bKVMGeUfM0A 7er31QvpHBuy0ZqrzoeATy/AMF9gypGPaNxtOfVW/O1e+DrTHnGBlDK6W94ecRro 3GMVMF3N3v8a7w8dWAml+PFd1cC9T6caleGg2+cFlfO6YJBWU17cbyPeQ0cPsHOp S2AQNrdw9pnGx4AnCXRcjng8QGpkulBog/gjEgfhXGQR5AlaKCoNbNJLEUCF5g2G y0Szo+5JGlJN/e6aUo8zNHQY34GmtM+hopX8Ruhsu46HgEi/syaIS9tYo/ehBV3I dMOZWgv3lJKow7cD4rK3o1hHdNCapwrKnsu8G1sb+KHb/h9qqiGqy/EiTzXXKmk= =l21w -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL version 1.0.0n released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.0n released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.0n of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.0-notes.html OpenSSL 1.0.0n is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.0n.tar.gz Size: 3994771 MD5 checksum: 7d4c7a0462e32b0ec1e37216e4ca6178 SHA1 checksum: 2d0d95d52dc93e4a0d80b1bf45d67e5e9849d819 The checksums were calculated using the following commands: openssl md5 openssl-1.0.0n.tar.gz openssl sha1 openssl-1.0.0n.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJT4p0kAAoJENnE0m0OYESR2TUH/AjrNKfkat3zr2Tg9gT8vcs4 VWhjNrshyk+By8EaQD+cWv90KbAkdYv/bFF2ube4w1YbhzFM3fJ1vCDOP7fFacxY URsXkq664afCF7+UXWpwmFOdz/GhbZeuFCH4NU8FhkXnBiLtqri9TlUvN+e7gtUz 0r9alejK8HqUXvIGEoKugMflCNzUzCdnPIdh04DvHKLRJO8n1ZuRM8TZ5nBC7faz heVjZbC0dedDLbEsEiotLSveTmZ10McOwNpkBJocEYIlHnWxlMowDQn/GALccIgB nPEtXzrdWNTOoj7lTy/qtF56Ck0Ge18WkIX4C23NGjUJGAVmIslWVPmM/UOEQvY= =yz7j -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL version 0.9.8zb released
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8zb released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8zb of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-0.9.8-notes.html OpenSSL 0.9.8zb is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.8zb.tar.gz Size: 3727934 MD5 checksum: 65c5f42734f8ecd58990b12a9afa6453 SHA1 checksum: 4f0079d4d924ab618d5f846cb91f413184bf8dea The checksums were calculated using the following commands: openssl md5 openssl-0.9.8zb.tar.gz openssl sha1 openssl-0.9.8zb.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJT4p4yAAoJENnE0m0OYESRbLQH/iV7JquY+VLmnKbv0HaOZA/4 qwK3AJH2iq0CofbtNdLu82bEowzPCW2FYMewkBdMfmjiauGvlJZ+kF+9cJguXhOM 3nLJtursQPhjACYuBfqRJBmGepquPDF3g9m7X8+f6drY7OHAyUxRGCb3prarx5Fu 070ElVF/bsMjpXM9Cy5izA9oGgfVnegB6lJGUQh+fxwIrLK8A4+NFd3qgwpjBSdr DXtIZkXCyR4h06gGPDiE3sAndsZ1Mg5nfZKMjKP32PXe/lwnhcRO38cuC3Me4b0Y lW9BvtdvKTLkD6fdgOzQkRnh14hl6rpI4TsrVAIromvEtsJcP6agPmP/8Yspku0= =R39x -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL Security Advisory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL Security Advisory [6 Aug 2014] Information leak in pretty printing functions (CVE-2014-3508) = A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected. OpenSSL 0.9.8 users should upgrade to 0.9.8zb OpenSSL 1.0.0 users should upgrade to 1.0.0n. OpenSSL 1.0.1 users should upgrade to 1.0.1i. Thanks to Ivan Fratric (Google) for discovering this issue. This issue was reported to OpenSSL on 19th June 2014. The fix was developed by Emilia Käsper and Stephen Henson of the OpenSSL development team. Crash with SRP ciphersuite in Server Hello message (CVE-2014-5139) == The issue affects OpenSSL clients and allows a malicious server to crash the client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack. OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i. Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. This issue was reported to OpenSSL on 2nd July 2014. The fix was developed by Stephen Henson of the OpenSSL core team. Race condition in ssl_parse_serverhello_tlsext (CVE-2014-3509) == If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. OpenSSL 1.0.0 SSL/TLS client users should upgrade to 1.0.0n. OpenSSL 1.0.1 SSL/TLS client users should upgrade to 1.0.1i. Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. This issue was reported to OpenSSL on 8th July 2014. The fix was developed by Gabor Tyukasz. Double Free when processing DTLS packets (CVE-2014-3505) An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i. Thanks to Adam Langley and Wan-Teh Chang (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley. DTLS memory exhaustion (CVE-2014-3506) == An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i. Thanks to Adam Langley (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley. DTLS memory leak from zero-length fragments (CVE-2014-3507) === By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zb OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0n. OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1i. Thanks to Adam Langley (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 6th June 2014. The fix was developed by Adam Langley. OpenSSL DTLS anonymous EC(DH) denial of service (CVE-2014-3510) === OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. OpenSSL 0.9.8 DTLS client users should upgrade to 0.9.8zb OpenSSL 1.0.0 DTLS client users should upgrade to 1.0.0n. OpenSSL 1.0.1 DTLS client users should upgrade to 1.0.1i. Thanks to Felix Gröbert (Google) for discovering and researching this issue. This issue was reported to OpenSSL on 18th July 2014. The fix was developed by Emilia Käsper of the OpenSSL development team. OpenSSL TLS protocol downgrade attack (CVE-2014-3511) = A flaw in the OpenSSL SSL/TLS server code causes the server to
Openssl 1.0.1h | RHEL-6 | x86_64 | Crash in lh_retrieve
Hello Folks, I am experiencing a hard to debug crash in openssl crypto library within our process. We have a client and server which communicates using SSL with NULL encryption. The client when it connects to the server sends a Certificate signing request, the server responds by sending the server certificate. All works fine during test and even under load using openssl version 0.9.8 and also 1.0.1f I believe, but we are experiencing crash with version 1.0.1h under load setup (Once every day). The simulator which we use to simulate a client disconnects and connects back to the server many times, each time asking for the certificate from the server. The crash was seen just once the entire day. So I dont think its anywhere close to broken functionality. Looks like more of a race issue. Similar references: http://openssl.6102.n7.nabble.com/Crash-in-libcrypto-so-1-0-0-td42043.html Also, I have verified the data sent by the client from the core dump using a test program. Also from openssl command: openssl req -inform DER -in filebin -verify verify OK ... So it is not that the client is sending corrupt data, even if it was sending, it should have failed in d2i_X509_REQ which we call before calling X509_REQ_verify. This is the stack trace we get (Top half only): Thread 1 (Thread 0x7fa62851d700 (LWP 19528)): #0 0x7fa62657f2d6 in __strcmp_sse42 () from /lib64/libc.so.6 #1 0x7fa6276f5b4a in ?? () from /usr/lib64/libcrypto.so.10 #2 0x7fa6276f5b8c in lh_retrieve () from /usr/lib64/libcrypto.so.10 #3 0x7fa62767c758 in OBJ_NAME_get () from /usr/lib64/libcrypto.so.10 #4 0x7fa62770d49d in ASN1_item_verify () from /usr/lib64/libcrypto.so.10 #5 0x008a1fd7 in ca::CA::process_cert_request(unsigned char const*, unsigned long, std::vectorunsigned char, std::allocatorunsigned char *) () Hardware Info: 4 core Genuine Intel(R) CPU flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 x2apic popcnt aes xsave avx lahf_lm arat epb xsaveopt pln pts tpr_shadow vnmi flexpriority ept vpid Per processor: cpu MHz : 2500.172 cache size : 8192 KB Any help on debugging this would be appreciated. -- View this message in context: http://openssl.6102.n7.nabble.com/Openssl-1-0-1h-RHEL-6-x86-64-Crash-in-lh-retrieve-tp52523.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org