Re: FIPS fail
Okay. Let's see if I can piece together everything I've learned about the FIPS experience so far... FIPS-1.1.2 only generates a static fipscanister, which can only be used to generate a static library. (except on Windows, where it can be built into a shared library.) This version will only work with OpenSSL mainline 0.9.7. FIPS-1.2.0 will allow generation of a static fipscanister which can be used to generate a dynamic library, on all platforms that support dynamic libraries. This version will work with OpenSSL mainline 0.9.8. FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is currently submitted for review, but there is no timeframe (other than 'it could take until the end of the next ice age') for its validation. If you want to test the functionality of FIPS-1.2.0, you need to download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz from the same location. If you want a currently-validated solution, you need openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz. Anyone got any comments on whether I've gotten this right? -Kyle H On Thu, Oct 9, 2008 at 2:45 AM, joshi chandran [EMAIL PROTECTED] wrote: Is this means windows can generate shared library of openssl 9.7m with openssl fips 1.1.2 but i was not able to make the shared library of openssl 9.7m when i am compiled with openssl fips 1.1.2 object module in Unix(AIX) system .Does it means the coming fips version 1.2 will allow shared library generation of openssl 9.8 version Thanks Joshi On Fri, Oct 3, 2008 at 6:45 PM, Thomas J. Hruska [EMAIL PROTECTED] wrote: Dr. Stephen Henson wrote: On Thu, Oct 02, 2008, Thomas J. Hruska wrote: Thomas J. Hruska wrote: Needless to say, given the lack of response and further web searching reveals issues with older VC++ linkers core dumping(?) 
against the latest MinGW and I've already put forth 30+ hours (not counting the preparation time of several months!), two CD-Rs, and who knows how much money into an attempted production of a default OpenSSL FIPS 140-2 compliant binary build for Windows (complete with fancy installer), I'm going to simply hold off until 1.2.0 becomes available and then try again at that time. Mixing together binaries from two totally different compilers is not only a bad idea, it is a horrifically terrible idea. The fact that this supposedly works at all for some people is a miracle. The 1.1.2 module (which I only became involved with towards the end) was designed round a Unix build system. For the 1.1.2 module it was a choice of mixing compilers or not having any Windows build at all. It was decided that was better than nothing. What version of gcc do you have with MSYS? There are issues with some versions of gcc. $ gcc --version gcc.exe (GCC) 3.4.5 (mingw-vista special r3) Copyright (C) 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Not that it really matters... Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers. That should significantly clean things up. Assuming, of course, not mixing compilers allows the use of VC++. If I have to use MinGW, I will be very annoyed. I'm also hoping I can compile against 0.9.8x instead of 0.9.7m. The 1.2 module (which I was involved with from the start) has Windows as a standard platform. It can be built using VC++ only. Steve. Excellent. I'll just wait for the 1.2 module then. I know that it could be a long wait of many months since FIPS validation takes a while. 
BTW, during the FIPS creation process that I used (a set of steps that I plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 'PGP sign' links next to the source code download links at: https://www.openssl.org/source/ Are broken (not really 'broken' per se, but blank). I had to go out to the FTP site to get the signatures. -- Thomas Hruska Shining Light Productions Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL. http://www.slproweb.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Regards Joshi Chandran
Re: Valid certificate reported as expired
On Wed, Oct 08, 2008, Andrej Podzimek wrote:
Are any intermediate CA certificates involved?
No. The CA is home-made, created using OpenSSL. It has a self-signed certificate.
This command will dump all certificates received:
openssl s_client -connect hostname:portnum -showcerts
[EMAIL PROTECTED] ~]$ openssl s_client -connect my.server.address:5432 -showcerts
CONNECTED(0003)
4386:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Hmmm Is that the right port for SSL/TLS if it is it looks like it isn't just a case of connecting to the right port to get an SSL/TLS connection. Might be some STARTTLS equivalent but I'm not sure what it is for that application.
As for the dates, I store all my certificates with the human-readable preamble (the -text option used with x509). Dates are OK in all of them. I dumped them again and got the same result.
It looks like an expired certificate is somehow being used. How isn't clear at this stage. If you have CA certificates in directories or files make sure an old one isn't in there. The best I can suggest at this point is modifying OpenSSL or the application to dump out any expired certificates to a temp file so you can see which one(s) it is complaining about.
Steve.
-- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk
Re: FIPS fail
Is this means windows can generate shared library of openssl 9.7m with openssl fips 1.1.2 but i was not able to make the shared library of openssl 9.7m when i am compiled with openssl fips 1.1.2 object module in Unix(AIX) system .Does it means the coming fips version 1.2 will allow shared library generation of openssl 9.8 version Thanks Joshi On Fri, Oct 3, 2008 at 6:45 PM, Thomas J. Hruska [EMAIL PROTECTED] wrote: Dr. Stephen Henson wrote: On Thu, Oct 02, 2008, Thomas J. Hruska wrote: Thomas J. Hruska wrote: Needless to say, given the lack of response and further web searching reveals issues with older VC++ linkers core dumping(?) against the latest MinGW and I've already put forth 30+ hours (not counting the preparation time of several months!), two CD-Rs, and who knows how much money into an attempted production of a default OpenSSL FIPS 140-2 compliant binary build for Windows (complete with fancy installer), I'm going to simply hold off until 1.2.0 becomes available and then try again at that time. Mixing together binaries from two totally different compilers is not only a bad idea, it is a horrifically terrible idea. The fact that this supposedly works at all for some people is a miracle. The 1.1.2 module (which I only became involved with towards the end) was designed round a Unix build system. For the 1.1.2 module it was a choice of mixing compilers or not having any Windows build at all. It was decided that was better than nothing. What version of gcc do you have with MSYS? There are issues with some versions of gcc. $ gcc --version gcc.exe (GCC) 3.4.5 (mingw-vista special r3) Copyright (C) 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Not that it really matters... Supposedly, from what I've read, 1.2.0 doesn't require mixing compilers. That should significantly clean things up. 
Assuming, of course, not mixing compilers allows the use of VC++. If I have to use MinGW, I will be very annoyed. I'm also hoping I can compile against 0.9.8x instead of 0.9.7m. The 1.2 module (which I was involved with from the start) has Windows as a standard platform. It can be built using VC++ only. Steve. Excellent. I'll just wait for the 1.2 module then. I know that it could be a long wait of many months since FIPS validation takes a while. BTW, during the FIPS creation process that I used (a set of steps that I plan on using for all releases), I noticed that the 'MD5', 'SHA1', and 'PGP sign' links next to the source code download links at: https://www.openssl.org/source/ Are broken (not really 'broken' per se, but blank). I had to go out to the FTP site to get the signatures. -- Thomas Hruska Shining Light Productions Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL. http://www.slproweb.com/ -- Regards Joshi Chandran
Re: FIPS fail
Kyle Hamilton wrote: Okay. Let's see if I can piece together everything I've learned about the FIPS experience so far... FIPS-1.1.2 only generates a static fipscanister, which can only be used to generate a static library. (except on Windows, where it can be built into a shared library.) The fipscanister.o for v1.1.2 is generated with position independent code or not depending on the default build options borrowed from the 0.9.7 baseline at the time. On Windows it happens that position independent code is generated automatically, hence that object module can be incorporated in shared code. On Linux and some other platforms that isn't the case. Note we were originally going to test both shared and non-shared builds, but ran out of money for the test lab fees (each such platform variation drives up the price). For v1.2 we decided to just force position independent code generation universally. ... FIPS-1.1.2 is the most recent validated fipscanister. 1.2.0 is currently submitted for review, but there is no timeframe (other than 'it could take until the end of the next ice age') for its validation. The latest info I've heard is that there is a new reviewer (new hire) who has decided to revisit the entire history of the original validation from the beginning, i.e. effectively second guessing the CMVP reviewers of those prior validations. That first validation took five years, an Internet ice age indeed. If you want to test the functionality of FIPS-1.2.0, you need to download the latest openssl-0.9.8-fips-test-SNAP-[date].tar.gz from the snapshots/ directory, as well as openssl-fips-test-1.2.0.tar.gz from the same location. If you want a currently-validated solution, you need openssl-0.9.7m.tar.gz and openssl-fips-1.1.2.tar.gz. Anyone got any comments on whether I've gotten this right? You did. -Steve M. 
-- Steve Marquess Open Source Software Institute [EMAIL PROTECTED]
Re: Valid certificate reported as expired
Hmmm Is that the right port for SSL/TLS if it is it looks like it isn't just a a case of connecting to the right port to get an SSL/TLS connection. Might be some STARTTLS equivalent but I'm not sure what it is for that application. PostgreSQL always listens on one port. This is the only port I ever used for TCP/IP connections. So there must be something like STARTTLS, as it can handle both encrypted and unencrypted connections. [EMAIL PROTECTED] ~]# netstat -atpn | grep postgres | grep LISTEN tcp0 0 10.84.53.1:5432 0.0.0.0:* LISTEN 9808/postgres tcp0 0 10.84.55.1:5432 0.0.0.0:* LISTEN 9808/postgres tcp0 0 217.112.173.73:5432 0.0.0.0:* LISTEN 9808/postgres tcp0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 9808/postgres tcp0 0 2002:d970:ad49:2:::5432 :::* LISTEN 9808/postgres tcp0 0 2002:d970:ad49:1:::5432 :::* LISTEN 9808/postgres tcp0 0 2002:d970:ad49::1:5432 :::* LISTEN 9808/postgres tcp0 0 ::1:5432:::* LISTEN 9808/postgres It looks like an expired certificate is somehow being used. How isn't clear at this stage. If you have CA certificates in directories or files make sure an old one isn't in there. I only have one directory and one CA certificate. That makes the task simple. On the client: [EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not Not Before: Mar 25 12:00:00 2008 GMT Not After : Mar 25 12:00:00 2009 GMT [EMAIL PROTECTED] .postgresql]$ openssl x509 -in root.crt -text | grep Not Not Before: Nov 12 16:03:00 2006 GMT Not After : Nov 11 16:03:00 2011 GMT On the server: [EMAIL PROTECTED] data]# openssl x509 -in server.crt -text | grep Not Not Before: Jul 23 09:20:00 2008 GMT Not After : Jul 23 09:20:00 2009 GMT [EMAIL PROTECTED] data]# openssl x509 -in root.crt -text | grep Not Not Before: Nov 12 16:03:00 2006 GMT Not After : Nov 11 16:03:00 2011 GMT The best I can suggest at this point is modifying OpenSSL or the application to dump out any expired certificates to a temp file so you can see which one(s) it is complaining about. 
That would be helpful. But how could I do that? What file should I change? Is there a patch/howto? Two more remarks: 1) Downgraded to h and restarted PostgreSQL today. (Grrr...) Still the same error. 2) Just a wild guess, a shot in the dark: Could this be a locale-related issue? Does OpenSSL use/parse text representations of dates and times? If so, getting (for example) '9. říj 15.12' instead of 'Oct 9 15:12' could result in a comparison failure if not handled properly. (But this is probably not the case. Presumably, a binary representation (such as epoch) is used...) Andrej
Install problems with a Slackware 10.2 version of Linux
I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10. I downloaded and tried to install openssl-0.9.8i.tar.gz. As indicated by the directory listings below only part of it seems to build and install, although I see no error messages anywhere. I've looked at the other postings, and no one seems to be having any issues like this. Am I doing something really stupid? Below are some directory listings of what's installed after running ./config, make, and INSTALL. The instructions said I should replace the /usr/include/openssl/*.h with the new ones. Actually I think it said delete them, but they didn't get installed so I copied them in manually. If you look at the stuff below, what I have is the originally distributed 2005 and 2006 files still in place for libcrypt*. Conversely the /usr/local/ssl directory which didn't exist before was created and populated, but libcrypto.so.0.9.8 doesn't seem to exist although there is a link to it! My man pages for openssl and libcrypto after the install do not reflect the new version. What is going on?
ls -l /lib/libcry*
-rwxr-xr-x 1 root root 25168 2005-09-10 18:05 /lib/libcrypt-2.3.5.so*
lrwxrwxrwx 1 root root 17 2006-03-18 06:49 /lib/libcrypt.so.1 -> libcrypt-2.3.5.so*
ls -l /usr/lib/libcry*
-rw-r--r-- 1 root root 22400 2005-09-10 18:05 /usr/lib/libcrypt.a
lrwxrwxrwx 1 root root 23 2006-03-18 06:49 /usr/lib/libcrypt.so -> ../../lib/libcrypt.so.1*
-rw-r--r-- 1 root root 22850 2005-09-10 18:05 /usr/lib/libcrypt_p.a
-rw-r--r-- 1 root root 1965202 2005-06-13 00:14 /usr/lib/libcrypto.a
lrwxrwxrwx 1 root root 14 2006-03-18 06:52 /usr/lib/libcrypto.so -> libcrypto.so.0*
lrwxrwxrwx 1 root root 18 2006-03-18 06:52 /usr/lib/libcrypto.so.0 -> libcrypto.so.0.9.7*
-r-xr-xr-x 1 root root 1047016 2005-06-13 00:14 /usr/lib/libcrypto.so.0.9.7*
ls -l /usr/local/ssl/lib
drwxr-xr-x 2 root root 4096 2008-10-05 16:25 engines/
-rw-r--r-- 1 root root 2229400 2008-10-05 16:25 libcrypto.a
lrwxrwxrwx 1 root root 18 2008-10-05 16:25 libcrypto.so -> libcrypto.so.0.9.8
-rw-r--r-- 1 root root 370796 2008-10-05 16:25 libssl.a
lrwxrwxrwx 1 root root 15 2008-10-05 16:25 libssl.so -> libssl.so.0.9.8*
-r-xr-xr-x 1 root root 1305706 2008-10-05 16:25 libssl.so.0.9.8*
drwxr-xr-x 2 root root 4096 2008-10-05 13:45 pkgconfig/
similarly in my build directory I have the link to libcrypto.so.0.9.8 but the file itself doesn't seem to exist.
ls -l /usr/src/openssl libcry*
-rw-r--r-- 1 root root 2229400 2008-10-05 15:55 /usr/src/openssl-0.9.8i/libcrypto.a
-rw-r--r-- 1 root root 250 2008-10-05 16:00 /usr/src/openssl-0.9.8i/libcrypto.pc
lrwxrwxrwx 1 root root 18 2008-10-05 16:23 /usr/src/openssl-0.9.8i/libcrypto.so -> libcrypto.so.0.9.8
total 3840
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008 at 04:39:06PM +0200, Andrej Podzimek wrote:
I only have one directory and one CA certificate. That makes the task simple.
On the client:
[EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not
Not Before: Mar 25 12:00:00 2008 GMT
Not After : Mar 25 12:00:00 2009 GMT
[EMAIL PROTECTED] .postgresql]$ openssl x509 -in root.crt -text | grep Not
Not Before: Nov 12 16:03:00 2006 GMT
Not After : Nov 11 16:03:00 2011 GMT
On the server:
[EMAIL PROTECTED] data]# openssl x509 -in server.crt -text | grep Not
Not Before: Jul 23 09:20:00 2008 GMT
Not After : Jul 23 09:20:00 2009 GMT
[EMAIL PROTECTED] data]# openssl x509 -in root.crt -text | grep Not
Not Before: Nov 12 16:03:00 2006 GMT
Not After : Nov 11 16:03:00 2011 GMT
When a PEM file holds multiple certificates (a chain), this command only shows the first one. You need to break each of the .crt files into separate files for each certificate, and look at those.
-- Viktor.
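An added example, not part of the original thread, of the check Viktor describes above: split a PEM file into one file per certificate and print the validity dates of each, since `openssl x509 -in FILE` only decodes the first block. The function names, the cert-NN.pem naming and the sample bundle are constructed for illustration; text outside the BEGIN/END markers (such as a stored `-text` preamble) is ignored, so the dates shown come from the encoded certificate itself.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the cert-NN.pem naming
# and the sample bundle below are assumptions made for this illustration.

# split_pem_bundle BUNDLE OUTDIR
# Writes each certificate block to OUTDIR/cert-01.pem, cert-02.pem, ... and
# prints the number of blocks found. Lines outside BEGIN/END markers (for
# example a human-readable "-text" preamble) are skipped.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%02d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END { print n + 0 }
    ' "$bundle"
}

# report_validity BUNDLE
# Prints subject, notBefore and notAfter for every certificate in BUNDLE.
# Returns 0 if none has expired, 1 if at least one has, 2 on a parse error.
report_validity() {
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$1" "$tmp") || { rm -rf "$tmp"; return 2; }
    status=0
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        echo "== $(basename "$f") ($count block(s) in $1)"
        if ! openssl x509 -in "$f" -noout -subject -dates; then
            echo "   not a parsable certificate" >&2
            status=2
        # -checkend 0 exits non-zero when notAfter is already in the past.
        elif ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            echo "   EXPIRED"
            [ "$status" -eq 0 ] && status=1
        fi
    done
    rm -rf "$tmp"
    return "$status"
}

# write_sample_bundle FILE
# Constructed input: a stale text preamble followed by two placeholder blocks.
# The payloads are NOT real certificates; they only exercise the splitter.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Certificate:
    Validity
        Not Before: Jan  1 00:00:00 2001 GMT
        Not After : Jan  1 00:00:00 2002 GMT
-----BEGIN CERTIFICATE-----
AAAAconstructedPlaceholderBlockOne
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAAconstructedPlaceholderBlockTwo
-----END CERTIFICATE-----
EOF
}

# When a file name is given on the command line, report on that file.
if [ "$#" -gt 0 ]; then
    report_validity "$1"
fi
```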
Re: how to enable debug mode of openssl
You would probably need a FIPS_mode_set(1) somewhere after the openssl library initialization, and it would be a good thing to never keep any keys in the clear. As well, it would need to statically link to openssl 0.9.7m built with the fipscanister module. (If it uses features specific to openssl 0.9.8, you cannot create a FIPS-validated version at this time.) This is not an openssh support list, and I have not looked at the openssh sources to see what else would need to be changed. You must ALWAYS follow the FIPS security policy when dealing with anything FIPS. If the security policy says that some constraint must be met, that constraint must be met -- no matter how it impacts the function or even possibility of doing what you want. -Kyle H
2008/10/9 joshi chandran [EMAIL PROTECTED]: Hi All, I am trying to make openssh compatible with the fips enabled openssl. Can anybody tell me what all changes I have to make in openssh? Please help. Thanks Joshi
problem was solved by updating openssl to the latest release 0.9.8i (the one I used was 0.9.8a.) But I still don't know the root cause of that aborting. Anyway, it works now. Thanks, Elven
Date: Wed, 8 Oct 2008 01:21:08 -0700 Subject: Re: how to enable debug mode of openssl From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
Hi Elven, I suggest try using ERR_print_errors (http://openssl.org/docs/crypto/ERR_print_errors.html#) to get an idea of what error you are getting. You can call it right after your call to PEM_read_bio_X509. It is most likely to be a problem with the certificate data that you are feeding to OpenSSL. Have you tried verifying that the data is valid? --- Kah
On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote: I am using openssl in arm embedded platform. I want to support https, so it will use openssl. But I have encountered some problem. The application aborted for some unknown reason. I tried to trace the problem and found that it aborted on call PEM_read_bio_X509 (ssl_rsa.c). And I can't trace deep more. So is there any way to enable debug mode of openssl so that I can trace more deeply to find out the problem? Thanks. Elven
-- Regards Joshi Chandran
cipher or hash unavailable
Hi All, I am using openssl-0.9.8i with curl. When I try to access a secure site (https) my app dies with the error: TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable I should also say that I am using pthreads and have implemented the necessary callback functions for locking/unlocking. Any help would be great. Thanks Glenn
Re: Install problems with a Slackware 10.2 version of Linux
On Thu October 9 2008, [EMAIL PROTECTED] wrote:
I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10. I downloaded and tried to install openssl-0.9.8i.tar.gz. As indicated by the directory listings below only part of it seems to build and install, although I see no error messages anywhere. I've looked at the other postings, and no one seems to be having any issues like this. Am I doing something really stupid?
What version of the system C library are you running? It is also an executable, just execute it, it will tell you. You should be able to find it in /lib Something like:
wolf466:~# /lib/libc-2.7.so
GNU C Library stable release version 2.7, by Roland McGrath et al.
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled by GNU CC version 4.3.1.
Compiled on a Linux 2.6.25.10 system on 2008-07-29.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
For bug reporting instructions, please see: http://www.gnu.org/software/libc/bugs.html.
There have been some basic changes made since 2005 Mike
Below are some directory listings of what's installed after running ./config, make, and INSTALL. The instructions said I should replace the /usr/include/openssl/*.h with the new ones. Actually I think it said delete them, but they didn't get installed so I copied them in manually. If you look at the stuff below, what I have is the originally distributed 2005 and 2006 files still in place for libcrypt*. Conversely the /usr/local/ssl directory which didn't exist before was created and populated, but libcrypto.so.0.9.8 doesn't seem to exist although there is a link to it! My man pages for openssl and libcrypto after the install do not reflect the new version. What is going on?
ls -l /lib/libcry*
-rwxr-xr-x 1 root root 25168 2005-09-10 18:05 /lib/libcrypt-2.3.5.so*
lrwxrwxrwx 1 root root 17 2006-03-18 06:49 /lib/libcrypt.so.1 -> libcrypt-2.3.5.so*
ls -l /usr/lib/libcry*
-rw-r--r-- 1 root root 22400 2005-09-10 18:05 /usr/lib/libcrypt.a
lrwxrwxrwx 1 root root 23 2006-03-18 06:49 /usr/lib/libcrypt.so -> ../../lib/libcrypt.so.1*
-rw-r--r-- 1 root root 22850 2005-09-10 18:05 /usr/lib/libcrypt_p.a
-rw-r--r-- 1 root root 1965202 2005-06-13 00:14 /usr/lib/libcrypto.a
lrwxrwxrwx 1 root root 14 2006-03-18 06:52 /usr/lib/libcrypto.so -> libcrypto.so.0*
lrwxrwxrwx 1 root root 18 2006-03-18 06:52 /usr/lib/libcrypto.so.0 -> libcrypto.so.0.9.7*
-r-xr-xr-x 1 root root 1047016 2005-06-13 00:14 /usr/lib/libcrypto.so.0.9.7*
ls -l /usr/local/ssl/lib
drwxr-xr-x 2 root root 4096 2008-10-05 16:25 engines/
-rw-r--r-- 1 root root 2229400 2008-10-05 16:25 libcrypto.a
lrwxrwxrwx 1 root root 18 2008-10-05 16:25 libcrypto.so -> libcrypto.so.0.9.8
-rw-r--r-- 1 root root 370796 2008-10-05 16:25 libssl.a
lrwxrwxrwx 1 root root 15 2008-10-05 16:25 libssl.so -> libssl.so.0.9.8*
-r-xr-xr-x 1 root root 1305706 2008-10-05 16:25 libssl.so.0.9.8*
drwxr-xr-x 2 root root 4096 2008-10-05 13:45 pkgconfig/
similarly in my build directory I have the link to libcrypto.so.0.9.8 but the file itself doesn't seem to exist.
ls -l /usr/src/openssl libcry*
-rw-r--r-- 1 root root 2229400 2008-10-05 15:55 /usr/src/openssl-0.9.8i/libcrypto.a
-rw-r--r-- 1 root root 250 2008-10-05 16:00 /usr/src/openssl-0.9.8i/libcrypto.pc
lrwxrwxrwx 1 root root 18 2008-10-05 16:23 /usr/src/openssl-0.9.8i/libcrypto.so -> libcrypto.so.0.9.8
total 3840
Re: how to enable debug mode of openssl
Hi All, I am trying to make openssh compatible with the fips enabled openssl. Can anybody tell me what all changes I have to make in openssh? Please help. Thanks Joshi
problem was solved by updating openssl to the latest release 0.9.8i (the one I used was 0.9.8a.) But I still don't know the root cause of that aborting. Anyway, it works now. Thanks, Elven
Date: Wed, 8 Oct 2008 01:21:08 -0700 Subject: Re: how to enable debug mode of openssl From: [EMAIL PROTECTED] To: [EMAIL PROTECTED]
Hi Elven, I suggest try using ERR_print_errors (http://openssl.org/docs/crypto/ERR_print_errors.html#) to get an idea of what error you are getting. You can call it right after your call to PEM_read_bio_X509. It is most likely to be a problem with the certificate data that you are feeding to OpenSSL. Have you tried verifying that the data is valid? --- Kah
On Oct 8, 2:46 pm, [EMAIL PROTECTED] (曹飞) wrote: I am using openssl in arm embedded platform. I want to support https, so it will use openssl. But I have encountered some problem. The application aborted for some unknown reason. I tried to trace the problem and found that it aborted on call PEM_read_bio_X509 (ssl_rsa.c). And I can't trace deep more. So is there any way to enable debug mode of openssl so that I can trace more deeply to find out the problem? Thanks. Elven
-- Regards Joshi Chandran
Re: Install problems with a Slackware 10.2 version of Linux
[EMAIL PROTECTED] wrote: I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10. I downloaded and tried to install openssl-0.9.8i.tar.gz. As indicated by the directory listings below only part of it seems to build and install, although I see no error messages anywhere.
Have you looked at the slackbuild script for the openssl package? Both the 10.2 and current versions apply some patches to the openssl source, one of which appears to do something with naming of the .so files. I'd download the slackware-current sources for the openssl package (it's on 0.9.7h, so there'll be some change you need to make for 0.9.7i) and work from that. Scott
RE: cipher or hash unavailable
Ok, so I did an openssl ciphers -v on the installed version (0.9.7a - CentOS4) and the version I compiled (0.9.8i - CentOS4) and the list of ciphers on 0.9.8i is much smaller than 0.9.7a. Can someone point me to a document that describes how to compile with all the ciphers? Thanks Glenn From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn MacGregor Sent: Thursday, October 09, 2008 11:13 AM To: openssl-users@openssl.org Subject: cipher or hash unavailable Hi All, I am using openssl-0.9.8i with curl. When I try to access a secure site (https) my app dies with the error: TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable I should also say that I am using pthreads and have implemented the necessary callback functions for locking/unlocking. Any help would be great. Thanks Glenn
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008 at 04:39:06PM +0200, Andrej Podzimek wrote:
I only have one directory and one CA certificate. That makes the task simple.
On the client:
[EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not
Not Before: Mar 25 12:00:00 2008 GMT
Not After : Mar 25 12:00:00 2009 GMT
[EMAIL PROTECTED] .postgresql]$ openssl x509 -in root.crt -text | grep Not
Not Before: Nov 12 16:03:00 2006 GMT
Not After : Nov 11 16:03:00 2011 GMT
On the server:
[EMAIL PROTECTED] data]# openssl x509 -in server.crt -text | grep Not
Not Before: Jul 23 09:20:00 2008 GMT
Not After : Jul 23 09:20:00 2009 GMT
[EMAIL PROTECTED] data]# openssl x509 -in root.crt -text | grep Not
Not Before: Nov 12 16:03:00 2006 GMT
Not After : Nov 11 16:03:00 2011 GMT
When a PEM file holds multiple certificates (a chain), this command only shows the first one. You need to break each of the .crt files into separate files for each certificate, and look at those.
The root.crt file holds exactly one self-signed CA certificate. This CA was then used to create postgresql.crt and server.crt. Each file contains exactly one certificate. There are no chains. There is only one block like this in each file:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Should I try to append the CA certificate to the server and client certificate files? Some apps require this, but PostgreSQL worked just fine without it till the beginning of October. Andrej
Re: Install problems with a Slackware 10.2 version of Linux
Mike: If it's inappropriate to reply directly, I apologize! But I couldn't resist inquiring if you really think some things have changed since 2005? Just because the entire banking system has failed is no reason to think linux would change :-) Truthfully that kernel and distribution has done everything I need to date. I'm mainly curious why it didn't install. If it's a library problem I will post to the newsgroup. I haven't checked yet. But if that were the case I would expect errors during the build. That's what confuses me, it says it builds and installs cleanly. I believe it came with a set of tests that all ran successfully also. Perplexing. Will
On Thu October 9 2008, [EMAIL PROTECTED] wrote:
I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10. I downloaded and tried to install openssl-0.9.8i.tar.gz. As indicated by the directory listings below only part of it seems to build and install, although I see no error messages anywhere. I've looked at the other postings, and no one seems to be having any issues like this. Am I doing something really stupid?
What version of the system C library are you running? It is also an executable, just execute it, it will tell you. You should be able to find it in /lib Something like:
wolf466:~# /lib/libc-2.7.so
GNU C Library stable release version 2.7, by Roland McGrath et al.
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled by GNU CC version 4.3.1.
Compiled on a Linux 2.6.25.10 system on 2008-07-29.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
For bug reporting instructions, please see: http://www.gnu.org/software/libc/bugs.html.
There have been some basic changes made since 2005 Mike
Re: Install problems with a Slackware 10.2 version of Linux
On Thu October 9 2008, [EMAIL PROTECTED] wrote:
Mike: If it's inappropriate to reply directly, I apologize! But I couldn't resist inquiring if you really think some things have changed since 2005? Just because the entire banking system has failed is no reason to think linux would change :-)
Two things that I had in mind when I wrote that. . . Most distributions were introducing libraries with TLS (Thread Local Storage) and still carrying compatibility layers to support both thread libraries. I never followed Slackware, so I don't know where they stood in these two library transitions - - But I have seen problems with clean compile and link VS run time problems during that period. Just self testing it runs it against what it was built with (which had better work) But it is a library - that does not mean what links to it will not have funky behavior. So I was hoping to eliminate all of those possibilities by learning where your 2005 library stood in the past mix. You might have one of those multiple compatibility library installs in Slackware of 2005. Mike
Truthfully that kernel and distribution has done everything I need to date. I'm mainly curious why it didn't install. If it's a library problem I will post to the newsgroup. I haven't checked yet. But if that were the case I would expect errors during the build. That's what confuses me, it says it builds and installs cleanly. I believe it came with a set of tests that all ran successfully also. Perplexing. Will
On Thu October 9 2008, [EMAIL PROTECTED] wrote:
I am having trouble installing the current openssl on an older slackware 10.2 linux distribution. As indicated below it came with a /lib/libcrypt-2.3.5.so dated 2005-09-10. I downloaded and tried to install openssl-0.9.8i.tar.gz. As indicated by the directory listings below only part of it seems to build and install, although I see no error messages anywhere. I've looked at the other postings, and no one seems to be having any issues like this. Am I doing something really stupid?
What version of the system C library are you running? It is also an executable, just execute it, it will tell you. You should be able to find it in /lib Something like:
wolf466:~# /lib/libc-2.7.so
GNU C Library stable release version 2.7, by Roland McGrath et al.
Copyright (C) 2007 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled by GNU CC version 4.3.1.
Compiled on a Linux 2.6.25.10 system on 2008-07-29.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
For bug reporting instructions, please see: http://www.gnu.org/software/libc/bugs.html.
There have been some basic changes made since 2005 Mike
OpenSSL 0.9.7m Link Failure w/FIPS
I'm getting the following error after following the steps in the FIPS users guide to compile on Windows at this link: http://openssl.org/docs/fips/UserGuide-1.1.1.pdf. I'm using FIPS 1.1.2 with OpenSSL 0.9.7m. I do ms\do_ms (tried with ms\do_nasm as well), then nmake -f ms\ntdll.mak. The contents of out32dll are as follows after the failure. If I do the compile again, it can successfully build ssleay32.dll, but libeay32.dll is corrupted when trying to add in the manifest. Any ideas why this failed?

     Directory of C:\downloads\OpenSSL\openssl-0.9.7m\out32dll

    10/09/2008  11:28 AM    <DIR>          .
    10/09/2008  11:28 AM    <DIR>          ..
    10/09/2008  11:27 AM           651,264 fips_premain_dso.exe
    10/09/2008  11:27 AM               380 fips_premain_dso.exe.manifest
    10/09/2008  11:27 AM            29,696 fips_standalone_sha1.exe
    10/09/2008  11:27 AM               380 fips_standalone_sha1.exe.manifest
    10/09/2008  11:28 AM         2,097,152 libeay32.dll
    10/09/2008  11:28 AM               380 libeay32.dll.manifest
    10/09/2008  11:28 AM           343,847 libeay32.exp
    10/09/2008  11:28 AM           566,392 libeay32.lib

    cl /Fotmp32dll\fips_premain_dso.obj -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c .\fips-1.0\fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50D.tmp
    SET FIPS_LINK=link
    SET FIPS_CC=cl
    SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c
    SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe
    SET FIPS_SHA1_EXE=out32dll\fips_standalone_sha1.exe
    SET FIPS_TARGET=out32dll\libeay32.dll
    SET FIPSLIB_D=c:\downloads\openssl_fips/
    perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    Integrity check OK
    cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c c:\downloads\openssl_fips//fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
    Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
    LINK : fatal error LNK1000: Internal error during IMAGE::BuildImage
    Version 8.00.50727.42
    ExceptionCode= C005
    ExceptionFlags =
    ExceptionAddress = 0046563C (0040) c:\PROGRA~1\MID05A~1\VC\bin\link.exe
    NumberParameters = 0002
    ExceptionInformation[ 0] = 0001
    ExceptionInformation[ 1] = 0008
    CONTEXT:
    Eax= 0008 Esp= 0012EEA8
    Ebx= Ebp= 0111B008
    Ecx= Esi= 015B002C
    Edx= 000EC028 Edi= 015AFFF0
    Eip= 0046563C EFlags = 00010202
    SegCs = 001B SegDs = 0023
    SegSs = 0023 SegEs = 0023
    SegFs = 003B SegGs =
    Dr0= Dr3=
    Dr1= Dr6=
    Dr2= Dr7=
    First stage Link failure at util\fipslink.pl line 42.
    NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x9'
    Stop.

-- View this message in context: http://www.nabble.com/OpenSSL-0.9.7m-Link-Failure-w-FIPS-tp19902596p19902596.html Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008 at 05:43:15PM +0200, Andrej Podzimek wrote:

When a PEM file holds multiple certificates (a chain), this command only shows the first one. You need to break each of the .crt files into separate files for each certificate, and look at those.

The root.crt file holds exactly one self-signed CA certificate. This CA was then used to create postgresql.crt and server.crt. Each file contains exactly one certificate. There are no chains. There is only one block like this in each file:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Should I try to append the CA certificate to the server and client certificate files? Some apps require this, but PostgreSQL worked just fine without it till the beginning of October.

If the client and server's certificate files are fresh, the only other certs that can be stale are the client or server's copies of the root CA cert in CAfile or CApath. Running ssldump or wireshark on a capture of the session will reveal which certs are exchanged on the wire, and which side initiates the alert, but it will not reveal which side has the stale root CA cert. Do check your CAfile and CApath settings on both sides, ...

-- Viktor.
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008, Andrej Podzimek wrote:

Hmmm Is that the right port for SSL/TLS if it is it looks like it isn't just a case of connecting to the right port to get an SSL/TLS connection. Might be some STARTTLS equivalent but I'm not sure what it is for that application.

PostgreSQL always listens on one port. This is the only port I ever used for TCP/IP connections. So there must be something like STARTTLS, as it can handle both encrypted and unencrypted connections.

    [EMAIL PROTECTED] ~]# netstat -atpn | grep postgres | grep LISTEN
    tcp   0   0 10.84.53.1:5432          0.0.0.0:*   LISTEN   9808/postgres
    tcp   0   0 10.84.55.1:5432          0.0.0.0:*   LISTEN   9808/postgres
    tcp   0   0 217.112.173.73:5432      0.0.0.0:*   LISTEN   9808/postgres
    tcp   0   0 127.0.0.1:5432           0.0.0.0:*   LISTEN   9808/postgres
    tcp   0   0 2002:d970:ad49:2:::5432  :::*        LISTEN   9808/postgres
    tcp   0   0 2002:d970:ad49:1:::5432  :::*        LISTEN   9808/postgres
    tcp   0   0 2002:d970:ad49::1:5432   :::*        LISTEN   9808/postgres
    tcp   0   0 ::1:5432                 :::*        LISTEN   9808/postgres

It looks like an expired certificate is somehow being used. How isn't clear at this stage. If you have CA certificates in directories or files make sure an old one isn't in there.

I only have one directory and one CA certificate. That makes the task simple.

On the client:

    [EMAIL PROTECTED] .postgresql]$ openssl x509 -in postgresql.crt -text | grep Not
    Not Before: Mar 25 12:00:00 2008 GMT
    Not After : Mar 25 12:00:00 2009 GMT
    [EMAIL PROTECTED] .postgresql]$ openssl x509 -in root.crt -text | grep Not
    Not Before: Nov 12 16:03:00 2006 GMT
    Not After : Nov 11 16:03:00 2011 GMT

On the server:

    [EMAIL PROTECTED] data]# openssl x509 -in server.crt -text | grep Not
    Not Before: Jul 23 09:20:00 2008 GMT
    Not After : Jul 23 09:20:00 2009 GMT
    [EMAIL PROTECTED] data]# openssl x509 -in root.crt -text | grep Not
    Not Before: Nov 12 16:03:00 2006 GMT
    Not After : Nov 11 16:03:00 2011 GMT

Then I suggest you run the following command on those systems too:

    openssl verify -CAfile root.crt other.crt

Where other.crt is the EE certificate, server.crt or postgresql.crt

The best I can suggest at this point is modifying OpenSSL or the application to dump out any expired certificates to a temp file so you can see which one(s) it is complaining about.

That would be helpful. But how could I do that? What file should I change? Is there a patch/howto?

In crypto/x509/x509_vfy.c the function check_cert_time() is the one you need. Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate it thinks has expired x. Suggest you dump that out to a temp file using PEM_write_X509()

Two more remarks:

1) Downgraded to h and restarted PostgreSQL today. (Grrr...) Still the same error.

2) Just a wild guess, a shot in the dark: Could this be a locale-related issue? Does OpenSSL use/parse text representations of dates and times? If so, getting (for example) '9. říj 15.12' instead of 'Oct 9 15:12' could result in a comparison failure if not handled properly. (But this is probably not the case. Presumably, a binary representation (such as epoch) is used...)

OpenSSL just uses time() and gmtime_r() (or equivalent) and relies on the contents of struct tm.

Steve.
-- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk
Re: Valid certificate reported as expired
Then I suggest you run the following command on those systems too: openssl verify -CAfile root.crt other.crt Where other.crt is the EE certificate, server.crt or postgresql.crt

Says OK on both machines.

In crypto/x509/x509_vfy.c the function check_cert_time() is the one you need. Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate it thinks has expired x. Suggest you dump that out to a temp file using PEM_write_X509()

Tried that. Added #include <openssl/pem.h> and modified the appropriate part of check_cert_time() as follows:

if (i 0) { + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_HAS_EXPIRED; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; }

The four lines I added did *not* execute at all on errors. I tried that multiple times and restarted PostgreSQL to make sure libraries get reloaded. Wrote a dummy program that could really open the file for writing. OpenSSL did not even touch the file. Checked twice, compiled twice... I even tried to recompile PostgreSQL (!) to make sure there is no static linking and the like. Nothing of that kind. It still didn't work.

So I modified the whole function like this:

static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); if (ctx-param-flags X509_V_FLAG_USE_CHECK_TIME) ptime = ctx-param-check_time; else ptime = NULL; + fputs( Before comparison., f ); i=X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { + fputs( BEFORE FIELD ERROR, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } if (i 0) { + fputs( NOT_YET failure, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_NOT_YET_VALID; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } i=X509_cmp_time(X509_get_notAfter(x), ptime); if (i == 0) { + fputs( AFTER FIELD ERROR, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } if (i 0) { + fputs( EXPIRED failure, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_HAS_EXPIRED; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } return 1; }

The result was surprising: The file /tmp/CERTDUMP_EXPIRED contained *only* 'Before comparison.'. This means that *none* of the further branches could run! (In such case, even fclose() did not run, but 'Before comparison.' was probably flushed automatically when the process exited.) So it seems that timestamp evaluation is OK. The function probably reached its end and returned 1. But where does the error message come from?

Is there anything I am doing wrong? There are thousands of PostgreSQL users. Most of them probably need SSL. But there are no similar reports, AFAIK. :-(

Andrej
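Review bot: in the full-function version, fopen( /tmp/CERTDUMP_EXPIRED, w ) runs on every call to check_cert_time() and its result is never tested, so each certificate that is checked truncates what the previous call wrote, and a NULL f would go straight into fputs(). fclose( f ) also appears only inside the four error branches, which leaves the handle open on the return 1 path and is consistent with the file holding nothing but the buffered 'Before comparison.' text. Open the file in append mode, skip the writes when f is NULL, and close it once before every return; writing a line that identifies the certificate before PEM_write_X509() would make the dump readable when several certificates pass through.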
sect163k1 public keys
hello

It seems that sect163k1 public keys can have two formats The first with a key length of 43 bytes which seems to be the standard, the second used by openssl with length 64 bytes. Can anyone tell me where I can find information on that and what is the impact on signature. I used a development snapshot (openssl-SNAP-20080930) of openssl

Thanks for your help

Bruno Vetel
RE: sect163k1 public keys
I suspect that the smaller one is using Certicom's patented point compression representation of the public key. Not sure on the signature part of your question.

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Vétel
Sent: October 9, 2008 4:35 PM
To: openssl-users@openssl.org
Subject: sect163k1 public keys

hello

It seems that sect163k1 public keys can have two formats The first with a key length of 43 bytes which seems to be the standard, the second used by openssl with length 64 bytes. Can anyone tell me where I can find information on that and what is the impact on signature. I used a development snapshot (openssl-SNAP-20080930) of openssl

Thanks for your help

Bruno Vetel
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008, Andrej Podzimek wrote:

Then I suggest you run the following command on those systems too: openssl verify -CAfile root.crt other.crt Where other.crt is the EE certificate, server.crt or postgresql.crt

Says OK on both machines.

In crypto/x509/x509_vfy.c the function check_cert_time() is the one you need. Around the line with X509_V_ERR_CERT_HAS_EXPIRED is the certificate it thinks has expired x. Suggest you dump that out to a temp file using PEM_write_X509()

Tried that. Added #include <openssl/pem.h> and modified the appropriate part of check_cert_time() as follows:

if (i 0) { + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_HAS_EXPIRED; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; }

The four lines I added did *not* execute at all on errors. I tried that multiple times and restarted PostgreSQL to make sure libraries get reloaded. Wrote a dummy program that could really open the file for writing. OpenSSL did not even touch the file. Checked twice, compiled twice... I even tried to recompile PostgreSQL (!) to make sure there is no static linking and the like. Nothing of that kind. It still didn't work.

So I modified the whole function like this:

static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { time_t *ptime; int i; + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); if (ctx-param-flags X509_V_FLAG_USE_CHECK_TIME) ptime = ctx-param-check_time; else ptime = NULL; + fputs( Before comparison., f ); i=X509_cmp_time(X509_get_notBefore(x), ptime); if (i == 0) { + fputs( BEFORE FIELD ERROR, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } if (i 0) { + fputs( NOT_YET failure, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_NOT_YET_VALID; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } i=X509_cmp_time(X509_get_notAfter(x), ptime); if (i == 0) { + fputs( AFTER FIELD ERROR, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } if (i 0) { + fputs( EXPIRED failure, f ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_HAS_EXPIRED; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; } return 1; }

The result was surprising: The file /tmp/CERTDUMP_EXPIRED contained *only* 'Before comparison.'. This means that *none* of the further branches could run! (In such case, even fclose() did not run, but 'Before comparison.' was probably flushed automatically when the process exited.) So it seems that timestamp evaluation is OK. The function probably reached its end and returned 1. But where does the error message come from?

Is there anything I am doing wrong? There are thousands of PostgreSQL users. Most of them probably need SSL. But there are no similar reports, AFAIK. :-(

Have you enabled CRL checking too? You can also get that if the nextUpdate time in a CRL has passed. That might explain things if the CRL runs for a month or so.

That error is produced in s3_both.c, see the SSL_AD_CERTIFICATE_EXPIRED stuff.

Steve.
-- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk
Re: Valid certificate reported as expired
On Thu, Oct 09, 2008 at 10:19:58PM +0200, Andrej Podzimek wrote:

if (i 0) { + FILE * f; + f = fopen( /tmp/CERTDUMP_EXPIRED, w ); + PEM_write_X509( f, x ); + fclose( f ); ctx-error=X509_V_ERR_CERT_HAS_EXPIRED; ctx-current_cert=x; if (!ctx-verify_cb(0, ctx)) return 0; }

Don't open the file with mode w, open it for append. Multiple certs are checked (root and server or client) and you don't want results from later checks to clobber the contents of the file.

-- Viktor.
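Review bot: the added lines pass the result of fopen() straight to PEM_write_X509() and fclose(), so if /tmp/CERTDUMP_EXPIRED cannot be opened by the account the server runs as, f is NULL and the debug hook turns a verification error into a crash. Guard the three calls with a check that f is not NULL, and because the target is a fixed name in a world-writable directory, keep this hunk to a throwaway debug build rather than a library that other services load.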
RE: sect163k1 public keys
On Thu, 2008-10-09 at 14:51 -0600, Bill Colvin wrote:

I suspect that the smaller one is using Certicom's patented point compression representation of the public key.

Hello Bill

Thanks for your answer but I don't think so. Following this url, http://tls.secg.org/index1.php?action=certificate the uncompressed size is 43 bytes and the compressed form 22

Bruno

Not sure on the signature part of your question.

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruno Vétel
Sent: October 9, 2008 4:35 PM
To: openssl-users@openssl.org
Subject: sect163k1 public keys

hello

It seems that sect163k1 public keys can have two formats The first with a key length of 43 bytes which seems to be the standard, the second used by openssl with length 64 bytes. Can anyone tell me where I can find information on that and what is the impact on signature. I used a development snapshot (openssl-SNAP-20080930) of openssl

Thanks for your help

Bruno Vetel
RE: Certificate validation problem
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier
Sent: Wednesday, 08 October, 2008 08:14

I've a problem with validating self-signed certificates. In my use case it's possible (but unlikely) to have multiple self-signed certificates with the same commonName.

More to the point, they are root CA certs -- selfsigned, AND used to sign child certs. Your problem is with child linkage, not selfsigned as such.

In the used protocol the URI field in subjectAltName fulfills the purpose of distinguishing the application instances.

That appears to be irrelevant.

When validating a certificate using X509_verify_cert it seems that OpenSSL finds the wrong certificate in the store due to the same commonName and then the validation fails. As far as I understood the code - but I'm not sure - the problem is, that X509_check_issued() that is called indirectly by find_issuer() doesn't check the certificate serial number when searching for the issuer certificate and only looks for the commonName. This happens because no AUTHORITY_KEYID (subject->akid) is available in the subject structure. (why?) See the screenshot for details.

Your screenshot came out totally illegible, at least for me. AKID is an optional extension, with several optional subformats. Do you have a copy (e.g. in a file) of the cert you want to validate i.e. the subject=child cert? If so, check the extension is present, and has (child.)AKID.keyid = parent.subjkeyid and/or (child.)AKID.(issuer+serial) = parent.(issuer+serial) . How did you obtain, or create, the child cert? (Commercial CA, inhouse CA, openssl CA.pl, openssl commandline, etc.)

The certificate of course has a serial number so I want this to be checked when looking up a certificate in the store.

Which cert? When you want to look up the parent you need attributes of the parent, not the child. If you want to look up the parent by issuer+serial (serial alone is not enough) (although in this case parent is selfsigned so its issuer and subject are the same), use child.AKID.(issuer+serial) as above.
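The linkage rule in the reply above, as an added example (not OpenSSL's code and not from the thread): a simplified model of issuer lookup in a store that holds two self-signed roots with the same name. The struct, the function names, the DN strings and the 4-byte key ids are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEYID_LEN 4 /* constructed short key ids; real ones are longer */

/* The few certificate fields issuer lookup needs (simplified model). */
struct cert {
    const char *subject, *issuer, *serial; /* DNs and serial as text */
    const unsigned char *skid;             /* subjectKeyIdentifier or NULL */
    const unsigned char *akid_keyid;       /* AKID.keyid or NULL */
    const char *akid_issuer, *akid_serial; /* AKID issuer+serial or NULL */
};

/* 1 if cand may be the issuer of child, 0 if it is ruled out. */
static int issuer_matches(const struct cert *child, const struct cert *cand)
{
    /* The names must always chain: child.issuer == parent.subject. */
    if (strcmp(child->issuer, cand->subject) != 0)
        return 0;
    /* child.AKID.keyid, when present, must equal parent.subjkeyid. */
    if (child->akid_keyid && cand->skid &&
        memcmp(child->akid_keyid, cand->skid, KEYID_LEN) != 0)
        return 0;
    /* child.AKID.(issuer+serial) must equal parent.(issuer+serial). */
    if (child->akid_issuer && child->akid_serial &&
        (strcmp(child->akid_issuer, cand->issuer) != 0 ||
         strcmp(child->akid_serial, cand->serial) != 0))
        return 0;
    return 1;
}

/* Name-only lookup: first store entry whose subject is the child's issuer. */
static int find_issuer_by_name(const struct cert *child,
                               const struct cert *store, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(child->issuer, store[i].subject) == 0)
            return i;
    return -1;
}

/* Lookup that also honours the child's AKID; -1 if nothing matches. */
static int find_issuer(const struct cert *child,
                       const struct cert *store, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (issuer_matches(child, &store[i]))
            return i;
    return -1;
}

/* How many store entries remain possible issuers for this child. */
static int count_candidates(const struct cert *child,
                            const struct cert *store, int n)
{
    int i, hits = 0;
    for (i = 0; i < n; i++)
        hits += issuer_matches(child, &store[i]);
    return hits;
}

/* Constructed sample data: two roots that differ only in serial and key. */
static const unsigned char SKID_A[KEYID_LEN] = {0xAA, 0x01, 0x02, 0x03};
static const unsigned char SKID_B[KEYID_LEN] = {0xBB, 0x04, 0x05, 0x06};
static const struct cert store[2] = {
    {"CN=MyApp", "CN=MyApp", "01", SKID_A, NULL, NULL, NULL},
    {"CN=MyApp", "CN=MyApp", "02", SKID_B, NULL, NULL, NULL},
};
/* Three children, all really issued by store[1]. */
static const struct cert child_keyid =
    {"CN=instance-1", "CN=MyApp", "10", NULL, SKID_B, NULL, NULL};
static const struct cert child_issuer_serial =
    {"CN=instance-2", "CN=MyApp", "11", NULL, NULL, "CN=MyApp", "02"};
static const struct cert child_no_akid =
    {"CN=instance-3", "CN=MyApp", "12", NULL, NULL, NULL, NULL};

int main(void)
{
    printf("name only        -> store[%d]\n",
           find_issuer_by_name(&child_keyid, store, 2));
    printf("AKID keyid       -> store[%d]\n",
           find_issuer(&child_keyid, store, 2));
    printf("AKID issuer+ser. -> store[%d]\n",
           find_issuer(&child_issuer_serial, store, 2));
    printf("no AKID: %d candidates remain\n",
           count_candidates(&child_no_akid, store, 2));
    return 0;
}
```

A child without any AKID leaves both roots as candidates, so the first one found is tried and signature verification fails if it is the wrong one.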
RE: Valid certificate reported as expired
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Andrej Podzimek
Sent: Thursday, 09 October, 2008 10:39

Might be some STARTTLS equivalent but I'm not sure what it is for that application.

PostgreSQL always listens on one port. This is the only port I ever used for TCP/IP connections. So there must be something like STARTTLS, as it can handle both encrypted and unencrypted connections.

That would explain why openssl s_client got handshake failure. STARTTLS logic is specific per app protocol and s_client doesn't know postgresql.

The best I can suggest at this point is modifying OpenSSL or the application to dump out any expired certificates to a temp file so you can see which one(s) it is complaining about.

That would be helpful. But how could I do that? What file should I change? Is there a patch/howto?

Can you just run (commandline) openssl s_server on the server, listening on some port of your choice, with at least -showcerts, and openssl s_client on the client to talk to that port, ditto? And for each specifying the right cert/keyfiles, and for s_server -verify 1 since you indicate the real server requires client auth. And if the real programs use a specific protocol (2/3/tls) specify that. This should exercise the same openssl protocol logic as the real client to the real server, but with a nice display. Preferably the commandline on each system should be the same version as the library used by/in the app on that system.

Two more remarks:

1) Downgraded to h and restarted PostgreSQL today. (Grrr...) Still the same error.

2) Just a wild guess, a shot in the dark: Could this be a locale-related issue? Does OpenSSL use/parse text representations of dates and times? If so, getting (for example) '9. říj 15.12' instead of 'Oct 9 15:12' could result in a comparison failure if not handled properly. (But this is probably not the case. Presumably, a binary representation (such as epoch) is used...)

The representation in the certificate is the ASN.1 DER encoding, which is all digits except for a +, -, or letter Z for timezone. I wouldn't call it binary exactly -- it's NOT a C-lib time_t, for example -- but it is locale-independent.
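The locale point from the messages above, as an added example (not OpenSSL's code and not from the thread): a validity check that works only on the digit strings of ASN.1 UTCTime/GeneralizedTime and on gmtime(), so no month names are ever parsed. Function and enum names are this example's own, the time strings are constructed encodings of the dates printed in the thread, and only the "Z" form that RFC 5280 requires in certificates is accepted.

```c
#include <ctype.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Result codes: names are this example's own, not OpenSSL's. */
enum validity { V_BAD_FIELD = -1, V_OK = 0, V_NOT_YET_VALID = 1, V_EXPIRED = 2 };

/* Two ASCII digits at p as an int. */
static int two(const char *p) { return (p[0] - '0') * 10 + (p[1] - '0'); }

/*
 * Normalise UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime "YYYYMMDDHHMMSSZ"
 * to 14 digits "YYYYMMDDHHMMSS". Only the "Z" (UTC) form is accepted.
 * Returns 0 on success, -1 if the field is malformed.
 */
static int asn1_time_normalise(const char *s, char out[15])
{
    size_t len = strlen(s), i;

    if ((len != 13 && len != 15) || s[len - 1] != 'Z')
        return -1;
    for (i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i]))
            return -1;
    if (len == 13) {
        /* Two-digit year: 50..99 means 19xx, 00..49 means 20xx. */
        memcpy(out, two(s) >= 50 ? "19" : "20", 2);
        memcpy(out + 2, s, 12);
    } else {
        memcpy(out, s, 14);
    }
    out[14] = '\0';
    if (two(out + 4) < 1 || two(out + 4) > 12 || two(out + 6) < 1 ||
        two(out + 6) > 31 || two(out + 8) > 23 || two(out + 10) > 59 ||
        two(out + 12) > 59)
        return -1;
    return 0;
}

/* Render a time_t as the same 14-digit UTC string, using only gmtime(). */
static int utc_string(time_t t, char out[15])
{
    char buf[96];
    struct tm *tm = gmtime(&t);

    if (tm == NULL)
        return -1;
    snprintf(buf, sizeof buf, "%04d%02d%02d%02d%02d%02d", tm->tm_year + 1900,
             tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec);
    if (strlen(buf) != 14)
        return -1;
    memcpy(out, buf, 15);
    return 0;
}

/* Fixed-width digit strings sort chronologically, so strcmp() is enough. */
static enum validity check_validity(const char *not_before,
                                    const char *not_after, time_t now)
{
    char nb[15], na[15], cur[15];

    if (asn1_time_normalise(not_before, nb) != 0 ||
        asn1_time_normalise(not_after, na) != 0 || utc_string(now, cur) != 0)
        return V_BAD_FIELD;
    if (strcmp(cur, nb) < 0)
        return V_NOT_YET_VALID;
    if (strcmp(cur, na) > 0)
        return V_EXPIRED;
    return V_OK;
}

int main(void)
{
    /* Constructed encodings of the validity dates printed in the thread. */
    static const char *certs[3][3] = {
        {"postgresql.crt", "080325120000Z", "090325120000Z"},
        {"server.crt",     "080723092000Z", "090723092000Z"},
        {"root.crt",       "061112160300Z", "111111160300Z"},
    };
    time_t now = (time_t)1223565120; /* 2008-10-09 15:12:00 UTC */
    int i;

    /* A non-C locale, if installed, changes nothing below. */
    setlocale(LC_ALL, "cs_CZ.UTF-8");
    for (i = 0; i < 3; i++)
        printf("%-15s -> %d\n", certs[i][0],
               check_validity(certs[i][1], certs[i][2], now));
    return 0;
}
```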
Re: OpenSSL 0.9.7m Link Failure w/FIPS
pbirk wrote:

I'm getting the following error after following the steps in the FIPS users guide to compile on Windows at this link: http://openssl.org/docs/fips/UserGuide-1.1.1.pdf. I'm using FIPS 1.1.2 with OpenSSL 0.9.7m. I do ms\do_ms (tried with ms\do_nasm as well), then nmake -f ms\ntdll.mak. The contents of out32dll are as follows after the failure. If I do the compile again, it can successfully build ssleay32.dll, but libeay32.dll is corrupted when trying to add in the manifest. Any ideas why this failed?

     Directory of C:\downloads\OpenSSL\openssl-0.9.7m\out32dll

    10/09/2008  11:28 AM    <DIR>          .
    10/09/2008  11:28 AM    <DIR>          ..
    10/09/2008  11:27 AM           651,264 fips_premain_dso.exe
    10/09/2008  11:27 AM               380 fips_premain_dso.exe.manifest
    10/09/2008  11:27 AM            29,696 fips_standalone_sha1.exe
    10/09/2008  11:27 AM               380 fips_standalone_sha1.exe.manifest
    10/09/2008  11:28 AM         2,097,152 libeay32.dll
    10/09/2008  11:28 AM               380 libeay32.dll.manifest
    10/09/2008  11:28 AM           343,847 libeay32.exp
    10/09/2008  11:28 AM           566,392 libeay32.lib

    cl /Fotmp32dll\fips_premain_dso.obj -DFINGERPRINT_PREMAIN_DSO_LOAD -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c .\fips-1.0\fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50D.tmp
    SET FIPS_LINK=link
    SET FIPS_CC=cl
    SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c
    SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe
    SET FIPS_SHA1_EXE=out32dll\fips_standalone_sha1.exe
    SET FIPS_TARGET=out32dll\libeay32.dll
    SET FIPSLIB_D=c:\downloads\openssl_fips/
    perl util\fipslink.pl /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    Integrity check OK
    cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE /Fdout32dll -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -D_WINDLL -c c:\downloads\openssl_fips//fips_premain.c
    fips_premain.c
    link /nologo /subsystem:console /machine:I386 /opt:ref /dll /base:0xFB0 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm50F.tmp
    ms/LIBEAY32.def(7) : warning LNK4017: DESCRIPTION statement not supported for the target platform; ignored
    Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
    LINK : fatal error LNK1000: Internal error during IMAGE::BuildImage
    Version 8.00.50727.42
    ExceptionCode= C005
    ExceptionFlags =
    ExceptionAddress = 0046563C (0040) c:\PROGRA~1\MID05A~1\VC\bin\link.exe
    NumberParameters = 0002
    ExceptionInformation[ 0] = 0001
    ExceptionInformation[ 1] = 0008
    CONTEXT:
    Eax= 0008 Esp= 0012EEA8
    Ebx= Ebp= 0111B008
    Ecx= Esi= 015B002C
    Edx= 000EC028 Edi= 015AFFF0
    Eip= 0046563C EFlags = 00010202
    SegCs = 001B SegDs = 0023
    SegSs = 0023 SegEs = 0023
    SegFs = 003B SegGs =
    Dr0= Dr3=
    Dr1= Dr6=
    Dr2= Dr7=
    First stage Link failure at util\fipslink.pl line 42.
    NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x9'
    Stop.

Search this list's archives. The discussion is also indexed by Google. The versions of MinGW and MSYS are apparently VERY specific. The fact the instructions work at all is a miracle. The instructions require mixing two completely different compiler suites, which is not just a bad idea, it is a horrifically terrible idea.

A VERY recent discussion thread happened last week entitled "FIPS fail" is worth reading. I managed to get past the linking stage only to discover the output DLL was completely hosed. I'm waiting on FIPS 1.2.0, which could take a while but definitely worth the wait as it will only require ONE compiler suite.

-- Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/