Re: FIPS Compile on Windows
On 12/20/07 9:16 PM, "Ben Sandee" <[EMAIL PROTECTED]> wrote: > On Dec 20, 2007 9:47 PM, Jacob Barrett <[EMAIL PROTECTED]> wrote: >> Following the instructions in the FIPS users guide I can build the FIPS >> Object Module just fine. What I can't get to work is the Windows DLL build >> of OpenSLL with the FIPS module. I can build that static libraries with FIPS >> and the DLL without FIPS. When I try to build the dll with FIPS though I get >> the following on both VS 2003 and VS 2005. Is there a particular version of >> VS/VC++ I should be using? > > Jacob, > > I'm assuming you are using either OpenSSL FIPS 1.1.1 or 1.1.2 and not the 1.2 > test, so you are using MSYS/MinGW. Yeah, I wish I could wait for 1.2, but we can't. > I've just been through this (and am still battling it on other platforms). I > found that you cannot use the most current MinGW packages. I used the > packages that were available when the certification effort was ongoing (April > 2007ish). In particular, I believe an earlier version of mingw-runtime was > necessary, I think maybe 3.10. The 3.13 release from this past August did not > work. I had MSYS 3.10. I re-installed MinGW 5.1.3 but this time selected "previous version" during the wizard. It works! You rock! Thanks! -Jake __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: FIPS Compile on Windows
On Dec 20, 2007 9:47 PM, Jacob Barrett <[EMAIL PROTECTED]> wrote: > Following the instructions in the FIPS users guide I can build the FIPS > Object Module just fine. What I can't get to work is the Windows DLL build > of OpenSLL with the FIPS module. I can build that static libraries with > FIPS > and the DLL without FIPS. When I try to build the dll with FIPS though I > get > the following on both VS 2003 and VS 2005. Is there a particular version > of > VS/VC++ I should be using? > Jacob, I'm assuming you are using either OpenSSL FIPS 1.1.1 or 1.1.2 and not the 1.2 test, so you are using MSYS/MinGW. I've just been through this (and am still battling it on other platforms). I found that you cannot use the most current MinGW packages. I used the packages that were available when the certification effort was ongoing (April 2007ish). In particular, I believe an earlier version of mingw-runtime was necessary, I think maybe 3.10. The 3.13 release from this past August did not work. I was able to get OpenSSL DLL's built successfully using these configuration changes. By the way, these internal linker errors seem to happen on all versions of VC++ (I used 6.0, you tried both VS 2003 and VS 2005). I think it's a bad interaction of MSYS/MinGW so I am glad that MSYS/MinGW is no longer needed in the 1.2 FIPS release. Cheers, Ben
FIPS Compile on Windows
Following the instructions in the FIPS users guide I can build the FIPS Object Module just fine. What I can't get to work is the Windows DLL build of OpenSLL with the FIPS module. I can build that static libraries with FIPS and the DLL without FIPS. When I try to build the dll with FIPS though I get the following on both VS 2003 and VS 2005. Is there a particular version of VS/VC++ I should be using? . cl /Fotmp32dll\krb5_asn.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN - DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -D OPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypt o\krb5\krb5_asn.c krb5_asn.c cl /Fotmp32dll\fips_premain_dso.obj -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc 32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_C RT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c .\fips-1.0\fips_premain.c fips_premain.c link /nologo /subsystem:console /machine:I386 /opt:ref /out:out32dll\fip s_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm1BD.tmp SET FIPS_LINK=link SET FIPS_CC=cl SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_ MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECA TE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe SET FIPS_SHA1_EXE=out32dll\fips_standalone_sha1.exe SET FIPS_TARGET=out32dll\libeay32.dll SET FIPSLIB_D=C:\msys\1.0\local\ssl\lib/ perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME ~1\ADMINI~1\LOCALS~1\Temp\nm1BF.tmp Integrity check OK cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_ WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENS SL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c C:\msys\1.0\local\ssl\lib//fips_premain. c fips_premain.c link /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out :out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ nm1BF.tmp ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for th e target platform; ignored Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp LINK : fatal error LNK1000: Internal error during BuildImage Version 7.10.6030 ExceptionCode= C005 ExceptionFlags = ExceptionAddress = 0045ABE5 (0040) "C:\Program Files\Microsoft Vis ual Studio .NET 2003\VC7\BIN\link.exe" NumberParameters = 0002 ExceptionInformation[ 0] = ExceptionInformation[ 1] = 0008 CONTEXT: Eax= 0006 Esp= 0012F2D4 Ebx= 02DB01C8 Ebp= Ecx= 0006 Esi= 000EBE6A Edx= 000E8E70 Edi= Eip= 0045ABE5 EFlags = 00010206 SegCs = 001B SegDs = 0023 SegSs = 0023 SegEs = 0023 SegFs = 003B SegGs = Dr0= 0012F2D4 Dr3= 02DB01C8 Dr1= Dr6= 0006 Dr2= Dr7= First stage Link failure at util\fipslink.pl line 42. NMAKE : fatal error U1077: 'perl' : return code '0x9' Stop. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CDP and IDP v3 extensions
On Thu, Dec 20, 2007 at 11:02:03PM +0100, Damir Dzeko wrote: > On Thu, Dec 20, 2007 at 02:54:58AM +0100, Dr. Stephen Henson wrote: > > On Thu, Dec 20, 2007, Damir Dzeko wrote: > > > > > > I'm using debian package of Version: 0.9.8g-3 (libssl0.9.8), and > > > version string reported is: OpenSSL 0.9.8g 19 Oct 2007. Arch is i386. > > > > > > I have read the http://www.openssl.org/docs/apps/x509v3_config.html > > > where (apart from that the document lacks any date, author, revision) > > > it states that it could be accomplished using something like: > > > > > > > Note that that document refers to the HEAD which will be 0.9.9 which hasn't > > been released. Some options in there aren't supported in 0.9.8. Check your > > installed docs for details. > > Thanks, but -- humph?!? No mention in HEAD block of the release number > or version number of any kind. At least I have not found it. :-) > > >
Re: CDP and IDP v3 extensions
On Thu, Dec 20, 2007 at 02:54:58AM +0100, Dr. Stephen Henson wrote: > On Thu, Dec 20, 2007, Damir Dzeko wrote: > > > > I'm using debian package of Version: 0.9.8g-3 (libssl0.9.8), and > > version string reported is: OpenSSL 0.9.8g 19 Oct 2007. Arch is i386. > > > > I have read the http://www.openssl.org/docs/apps/x509v3_config.html > > where (apart from that the document lacks any date, author, revision) > > it states that it could be accomplished using something like: > > > > Note that that document refers to the HEAD which will be 0.9.9 which hasn't > been released. Some options in there aren't supported in 0.9.8. Check your > installed docs for details. Thanks, but -- humph?!? No mention in HEAD block of the release number or version number of any kind. At least I have not found it. :-) http://www.openssl.org/";> OpenSSL: Documents, x509v3_config(5) ... The only thing I could use is the "Modified" date that is exactly one month newer than the release date of 0.9.8g. Damir __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
FIPS Mode and SSLv3
Is there anyway to allow SSLv3 on some SSL_CTXs? I realize that FIPS only allows TLS, but I don't need all my services to use FIPS to satisfy my requirements, so it would be nice to allow some to run with lowered standards, like SSLv3. Any chance that is a special method to allow this? Thanks, Jake __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PKCS#7 streaming in smime utility
Hello, I've read the following in the latest CHANGES file of the openSSL 0.9.9 snapshot 20071220: *) Add option -stream to use PKCS#7 streaming in smime utility. New function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() to output in BER and PEM format. Does this work for all smime functions now? (-encrypt, -decrypt, - sign and -verify)? Regards, Harald __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Do I need to do anything special to get certificate validation to use a CDP?
Hi, I have an TLS/SSL client I wrote using openssl and I was wondering if I have to do anything special to verify if a certificate was revoked in one of the CRLs taken from one of the CDPs? Is there special code or calls I need to make in the verify_callback() that is installed by SSL_CTX_set_verify()? Is this handled automatically by openssl? If so then how long is the CRL cached? This may seem like a simple question, but I have been unable to find the code that actually does this. I found the CRL_DIST_POINTS type in crypto/x509v3/x509.h, but I don't seem to be able to find any code that looks like it is talking to the CDP to get the CRLs using this CRL_DIST_POINTS. I am using 0.9.8g. Thanks, Bruce
Re: ECC signature validation failure
I found post http://www.mail-archive.com/openssl-users@openssl.org/msg48477.html So I try to do: ERR_load_EC_strings(); X509 *x = NULL; int type = 0; EVP_PKEY *key = NULL; int len = 0; EC_KEY *ec = NULL; int ret = 0; char *er; d2i_X509(&x, (const unsigned char**)&pCert->pbCertEncoded, pCert->cbCertEncoded); key = X509_PUBKEY_get(x->cert_info->key); ec = EVP_PKEY_get1_EC_KEY(key); if(ec){ ECDSA_SIG *sig = ECDSA_SIG_new(); sig->r = BN_bin2bn(pbSignature,dwSigLen/2,NULL); sig->s = BN_bin2bn(pbSignature + dwSigLen/2,dwSigLen/2,NULL); er = ERR_error_string(ERR_get_error(),NULL); ret = ECDSA_do_verify(pbyHash,dwHashLen,sig,ec); } Now it is return 0. But signature must be valid. -- View this message in context: http://www.nabble.com/ECC-signature-validation-failure-tp14437540p14439032.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
ECC signature validation failure
Hello! I have ECC certificate: /// Subject Public Key Info: Public Key Algorithm: id-ecPublicKey EC Public Key: pub: 04:e0:fd:c3:07:be:0e:db:35:9c:05:c8:d7:82:36: fd:0d:97:a7:30:8f:73:89:e3:9e:66:ae:9b:f7:cf: 8a:d1:e5:78:17:f8:94:57:ed:68:6d:85:fe:57:3f: 4c:73:eb:6d ASN1 OID: prime192v1 /// and signed hash, with smart card private key. Some commercial soft validate signature correctly. If I try use openssl: /// ERR_load_EC_strings(); X509 *x = NULL; int type = 0; EVP_PKEY *key = NULL; int len = 0; EC_KEY *ec = NULL; int ret = 0; char *er; d2i_X509(&x, (const unsigned char**)&pCert->pbCertEncoded, pCert->cbCertEncoded); key = X509_PUBKEY_get(x->cert_info->key); ec = EVP_PKEY_get1_EC_KEY(key); if(ec){ ret = ECDSA_verify(0,pbyHash,dwHashLen,pbSignature,dwSigLen,ec); er = ERR_error_string(ERR_get_error(),NULL); } /// I have error "error:0D07209B:asn1 encoding routines:func(114):reason(155)" :confused: Hash - SHA1, dwHashLen = 20, dwSigLen = 48. What is wrong? -- View this message in context: http://www.nabble.com/ECC-signature-validation-failure-tp14437540p14437540.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to get ECC signature size by public key?
Hello! I have x509 asn1_decode - ed ECC certificate, and trying to parse public key: EC_KEY *key = NULL; key = o2i_ECPublicKey(NULL, &pk.value, pk.len); return error. :( but if I use similar fuction for RSA public key: RSA *rsa = NULL; rsa = d2i_RSAPublicKey(NULL,&pk.value, pk.len); return ok What is wrong? And second question, all manipulations I need for getting signature size for corresponding ECC public key. Maybe is it other way to recognize signature size for this key? For example, maybe public key size and signature size is a dependent quantities. OpenSSL 0.9.8e 23 Feb 2007 ECC asn1_decode - ed public key: 04 e0 fd c3 07 be 0e db 35 9c 05 c8 d7 82 36 fd 0d 97 a7 30 8f 73 89 e3 9e 66 ae 9b f7 cf 8a d1 e5 78 17 f8 94 57 ed 68 6d 85 fe 57 3f 4c 73 eb 6d __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Configuring ssl on apache and Leopard Mac OS 10.5.1
On Thu, 2007-12-20 at 09:38 -0500, Ben assis wrote: > Hi Marek > > > I thing you,re right ; my port 8083 is closed by my ISP. When I send > the following command > telnet localhost 8083 > I receive : > bash-3.2# telnet localhost 8083 > Trying ::1... > telnet: connect to address ::1: Connection refused > Trying ::1... > telnet: connect to address ::1: Connection refused > Trying 127.0.0.1.. . > telnet: connect to address 127.0.0.1: Connection refused > telnet: Unable to connect to remote host > > > That port was opened three weeks ago when I migrated to Leopard! > Now, I don't know how to know which port would be opened. 8080 is > still open but I don't know one I could use for ssl. Is there a > software or terrminal command (maybe) which could list all my opened > ports ? I can't try each port number with telnet... :-( On Linux you may use nmap. But you are connecting to localhost, this is your local network (on host) and ISP can not block this. This network (historically) can be used to test network connections on computers without network card. Now you do not have httpd daemon listening on 8083 port. Best regards, -- Marek Marcola <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Configuring ssl on apache and Leopard Mac OS 10.5.1
Hi Marek I thing you,re right ; my port 8083 is closed by my ISP. When I send the following command telnet localhost 8083 I receive : bash-3.2# telnet localhost 8083 Trying ::1... telnet: connect to address ::1: Connection refused Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused telnet: Unable to connect to remote host That port was opened three weeks ago when I migrated to Leopard! Now, I don't know how to know which port would be opened. 8080 is still open but I don't know one I could use for ssl. Is there a software or terrminal command (maybe) which could list all my opened ports ? I can't try each port number with telnet... :-( Regards 2007/12/19, Marek Marcola <[EMAIL PROTECTED]>: > > On Wed, 2007-12-19 at 13:15 -0500, Ben assis wrote: > > > > > > 2007/12/19, Marek Marcola <[EMAIL PROTECTED]>: > > On Wed, 2007-12-19 at 12:31 -0500, Ben assis wrote: > > > Hi, On an imac intel dual core, I recently migrated to > > Leopard from > > > Tiger 10.4.10. On my Tiger client I had installed my own web > > server > > > using openssl and mod_ssl with Apache 1.3 server; https was > > working > > > fine. On Leopard with apache 2.2.6 and OpenSSL 0.9.7, > > configuration > > > files have significantly changed; so, I cannot set my own > > web server > > > to work with openssl under https protocol. Here are > > relevant > > > informations about my settings and error messages : When I > > comment out > > > this line in my http.conf : > > > Include /private/etc/apache2/extra/httpd-ssl.conf > > > I get this error message in my Console and apache does'nt > > restart : > > > 07-12-12 10:41:00 org.apache.httpd[48677] Syntax error on > > line 60 > > > of /private/etc/apache2/extra/httpd-ssl.conf: 07-12-12 > > 10:41:00 > > > org.apache.httpd[48677] Invalid command > > 'SSLPassPhraseDialog', perhaps > > > misspelled or defined by a module not included in the server > > > configuration > > > So, I comment line 60 in httpd-ssl.conf like this : > > > #SSLPassPhraseDialog builtin After an 'apachectl restart', > > apache > > > does'nt restart and I receive this new error message in my > > consol log: > > > 07-12-12 10:44:04 org.apache.httpd[48720] Syntax error on > > line 66 > > > of /private/etc/apache2/extra/httpd-ssl.conf: 07-12-12 > > 10:44:04 > > > org.apache.httpd[48720] Invalid command 'SSLSessionCache', > > perhaps > > > misspelled or defined by a module not included in the server > > > configuration > > > and so on with the next directives... There is no other > > module or file > > > which could interfere with my two conf files and I would be > > surprised > > > that original conf files contain such a number of syntax > > errors ! > > > > > > Other relevant information : > > > > > > > > > - In httpd-vhosts.conf I have declared 2 virtual hosts which > > works > > > fine without httpd-ssl.conf. > > > - Phpinfo() tells me that openssl 0.97l is enabled (I do not > > see any > > > enabled mod_ssl module) > > > - As my ISP blocks my port 443, I use port 8080. > > > - If I send this command in a terminal window : > > > > > > > > > bash-3.2# openssl s_client -connect localhost:8083 -state > > -debug > > > - I receive : > > > > > > > > > CONNECTED(0003) > > > SSL_connect:before/connect initialization > > > write to 0040BD60 [00139000] (118 bytes => 118 (0x76)) > > > - 80 74 01 03 01 00 4b 00-00 00 20 00 00 39 00 00 > > > .tK... ..9.. > > > 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 > > > 8..5 > > > 0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00 > > > ..3..2../... > > > 0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00 > > > > > > 0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80 > > > @... > > > 0050 - 00 00 03 02 00 80 ad fc-38 5b aa e4 8a c8 16 6f > > > 8[.o > > > 0060 - 85 6e 96 be ca 41 2f ef-51 1d f1 17 a2 7b f1 d3 > > > .n...A/.Q{.. > > > 0070 - 7e 9f 21 18 cc 7b > > ~.!..{ > > > SSL_connect:SSLv2/v3 write client hello A > > > read from 0040BD60 [0013F000] (7 bytes => 7 (0x7)) > > > - 3c 21 44 4f 43 54 59 > DOCTY > > > SSL_connect:error in SSLv2/v3 read server hello A > > > 1721:
Re: Configuring ssl on apache and Leopard Mac OS 10.5.1
Ben, On Dec 19, 2007, at 9:31 AM, Ben assis wrote: On Leopard with apache 2.2.6 and OpenSSL 0.9.7, configuration files have significantly changed; so, I cannot set my own web server to work with openssl under https protocol. Are you loading the SSL module? Look for a LoadModule line in httpd.conf for the ssl_module and see if it is commented out. Unless the module is loaded, Apache will not understand any mod_ssl configuration directives. I'm not running Leopard yet, but if they stuck to a fairly plain vanilla Apache 2.2.x (as they did with 1.3 on earlier versions of the OS), the httpd-ssl.conf should work out of the box once you load the SSL module. Be sure to have your private key and certificate in the right place, or edit the SSLCertificateKeyFile and SSLCertificateFile directives. This is an Apache-specific question and might be better discussed on [EMAIL PROTECTED] S. -- Sander Temme [EMAIL PROTECTED] PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF smime.p7s Description: S/MIME cryptographic signature