Create openssl key from key elements
Hello! If I have an generated key and write openssl rsa -pubout -in private_key.pem -out public_key.pem I will get the contents of the key listing modulus, publicExponent, privateExponent, prime12 and Exponent12. I wonder how I do the reverse operation, that is from the 7 parameters create the .pem file. Can I do that with openssl or do I have to to it manually. Thanks, Amanda
Setting Log level
hi,How do we configure debug level / log level in openssl ? is there any way by setting which i can get more information in the logs ? Thanks Anil
Re: Question about GOST engine in Openssl 1.0
On 2009.05.07 at 09:26:34 +0400, Andrey Koltsov wrote: And one remark. This file engines/ccgost/readme.gost has an example configuration for GOST engine [gost_section] engine_id = gost dynamic_path = /usr/lib/ssl/engines/libgost.so default_algorithms = ALL crypt_params = id-Gost28147-89-CryptoPro-A-ParamSet The last line doesn't work in Linux and Windows. It should read CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet Oh, this is undoubtely typo. CRYPT_PARAMS should be written in captital letters. This should be fixed. Hopefully Steve or somebody else with commit rights into OpenSSL CVS would read this and fix this sooner than standard workflow of request tracker would proceed. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Does AES_cbc_encrypt remove PKCS5 padding
I use that function, and it does not remove padding. 1 - How would it even know what is padding and what is your data? 2 - Why do you think it removes the padding? The function does not return a length. Here's a really wild guess: Are you perhaps padding your data with zeros and then using strlen() to determine the length of the result? owner-openssl-us...@openssl.org wrote on 05/06/2009 05:53:27 PM: AngelWarrior srikanth.bemin...@gmail.com But I am experimenting with the code which is actually removing the padding by calling AES_cbc_encrypt(unsigned char*)input, (unsigned char*)(output), (const unsigned long)(length), ks, (unsigned char*)ivec, AES_DECRYPT). What is EVP layer? On Wed, May 6, 2009 at 3:45 PM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, May 06, 2009, AngelWarrior wrote: Hi, Does AES_cbc_encrypt add or remove the padding, if I provide an un-padded data in the multiples of 16 bytes? I wrote a piece code where I am manually adding the padding but when I decrypt using AES_cbc_encrypt the padding is automatically removed. None of the low level cipher routines including AES_cbc_encrypt() add or remove padding. That is handled in the EVP layer.
RE: SSL_connect() fails after upgrade from OpenSSL 0.9.7d to OpenSSL 0.9.8j
Hi David OpenSSL-users, We did compile against the new header files. I checked this a little more on the Server side. On the Server side, I use IIS 6.0. It looks like even before it hits my Server side code, Windows may be cutting the TCP connection. The Server has Windows Server 2003, Enterprise Edition, Service Pack 2 v.4354 as the Operating System. There is an error logged in Windows Event Viewer, with the following description on the Server machine when the client tries to connect to it. And the surprising part is that this Error is not logged again in Event Viewer, for subsequent client connect requests, although from the client side the error remains the same. This would continue until I reboot my server, which would then again log the error in Event Viewer for the first client connection request. The Event Viewer Error is:- * Event Type: Error Event Source: Schannel Event Category: None Event ID: 36874 Date: 5/7/2009 Time: 12:03:59 AM User: N/A Computer: CISCO80 Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp http://go.microsoft.com/fwlink/events.asp . * I also found a potential problem which may be causing the issue here. My client side application uses the following SSL_set_cipher_list( ) function call before calling the SSL_connect( ). *** SSL_set_cipher_list(m_ssl,TLS_RSA_WITH_AES_128_CBC_SHA -- AES128-SHA); SSL_set_fd(m_ssl, m_socket); SSL_set_connect_state(m_ssl); result = SSL_connect(m_ssl); *** Commenting out SSL_set_cipher_list( ) on the client side, lets the client connect successfully to the Server. Which means if the client is allowed to make use of the default cipher suite during SSL handshake, then there is no problem. That brings me to my next question. Were there any specific changes made around SSL_set_cipher_list( ) function that could be causing an issue with the new OpenSSL library 0.9.8j? The same code has been working perfectly with 0.9.7d earlier. Any thoughts on how we get around or fix this issue? Or whether I may have missed out something during my compilation of OpenSSL? Thanks in advance. Regards, Vivek P.S. - I have already checked the Microsoft website for an update on Schannel.dll, where there have added support for clients making use of TLS_RSA_WITH_AES_128_CBC_SHA -- AES128-SHA. http://support.microsoft.com/kb/948963 However, with the same environment, all works fine with my client side compiled against the old OpenSSL libs. --- Hi Srinivas, We compiled our code with the new version of lib files from openssl-0.9.8j version and replaced the new client dll's. Is any specific step has to be followed? Regards, Sweta Did you compile against the new header files? The client is saying the server cut the TCP connection. What does the server say? DS
RE: SSL_connect() fails after upgrade from OpenSSL 0.9.7d to OpenSSL 0.9.8j
Hi David OpenSSL-users, We did compile against the new header files. I checked this a little more on the Server side. On the Server side, I use IIS 6.0. It looks like even before it hits my Server side code, Windows may be cutting the TCP connection. The Server has Windows Server 2003, Enterprise Edition, Service Pack 2 v.4354 as the Operating System. There is an error logged in Windows Event Viewer, with the following description on the Server machine when the client tries to connect to it. And the surprising part is that this Error is not logged again in Event Viewer, for subsequent client connect requests, although from the client side the error remains the same. This would continue until I reboot my server, which would then again log the error in Event Viewer for the first client connection request. The Event Viewer Error is:- * Event Type: Error Event Source: Schannel Event Category: None Event ID: 36874 Date: 5/7/2009 Time: 12:03:59 AM User: N/A Computer: CISCO80 Description: An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp http://go.microsoft.com/fwlink/events.asp . * I also found a potential problem which may be causing the issue here. My client side application uses the following SSL_set_cipher_list( ) function call before calling the SSL_connect( ). *** SSL_set_cipher_list(m_ssl,TLS_RSA_WITH_AES_128_CBC_SHA -- AES128-SHA); SSL_set_fd(m_ssl, m_socket); SSL_set_connect_state(m_ssl); result = SSL_connect(m_ssl); *** Commenting out SSL_set_cipher_list( ) on the client side, lets the client connect successfully to the Server. Which means if the client is allowed to make use of the default cipher suite during SSL handshake, then there is no problem. That brings me to my next question. Were there any specific changes made around SSL_set_cipher_list( ) function that could be causing an issue with the new OpenSSL library 0.9.8j? The same code has been working perfectly with 0.9.7d earlier. Any thoughts on how we get around or fix this issue? Or whether I may have missed out something during my compilation of OpenSSL? Thanks in advance. Regards, Vivek P.S. - I have already checked the Microsoft website for an update on Schannel.dll, where there have added support for clients making use of TLS_RSA_WITH_AES_128_CBC_SHA -- AES128-SHA. http://support.microsoft.com/kb/948963 However, with the same environment, all works fine with my client side compiled against the old OpenSSL libs. --- Hi Srinivas, We compiled our code with the new version of lib files from openssl-0.9.8j version and replaced the new client dll's. Is any specific step has to be followed? Regards, Sweta Did you compile against the new header files? The client is saying the server cut the TCP connection. What does the server say? DS
Error in openssl-1.0.0 beta release 20090507
In engines/e_padlock.c Somewhere you need to add an #endif . I did so above the last 2 but I could be wrong. -- Member - Liberal International This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca God, Queen and country! Beware Anti-Christ rising! Never Satan President Republic! 12 May BC vote Liberal and remember the NDP scandals like Mulroney! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Openssl Memory leak
After some investigation I've figured out that the memory leak isn't caused by running Openssl in threads. However, after about 200 connections, may vary, the used memory increases with around 70 kb. Is this normal? I guessed it's allocated by the openssl library 2009/5/6 Fabian Bergmark fabian.bergm...@gmail.com Okey. Now i got no more memory leaks when I put the SSL code in main. However, if i try to put the exact same code in a thread the memory leak is back. Here is the essential code I'm using; void lcserver::start() { SSL_library_init(); SSL_load_error_strings(); method = SSLv23_server_method(); ctx = SSL_CTX_new(method); Some windows socket code... while(acceptsocket = accept(listensocket,(sockaddr*)sin,len)) { struct clientinfo *client; client = new struct clientinfo(acceptsocket,sin.sin_addr.s_addr,clientid++,this,rooms[0]-getthis(),ctx); client-M1(); } } void clientinfo::M1() { CreateThread(0,0,(LPTHREAD_START_ROUTINE)M2,(LPVOID)this,0,0); } void clientinfo::M2(LPVOID param) { clientinfo* Call = (clientinfo*)param; Call-listenfor(); delete Call; return; } void clientinfo::listenfor() { SSL_set_bio(ssl,bio,bio); SSL_accept(ssl); while(SSL_shutdown(ssl) == 0) ; SSL_free(ssl); ERR_remove_state(0); } Just running this code which shouldn't leave any allocated memory, about 12 kb ram is still allocated. 2009/5/5 Nikos Balkanas nbalka...@gmail.com Hi, Check the return value of SSL_shutdown(ssl). Sometimes it needs up to 4 iterations to complete due to internal state machine. It completes when the value != 0. Hope it helps. BR, Nikos - Original Message - *From:* Fabian Bergmark fabian.bergm...@gmail.com *To:* openssl-users@openssl.org *Sent:* Tuesday, May 05, 2009 9:13 PM *Subject:* Openssl Memory leak Hi I am currently writing a Chat application using the Openssl library for encryption. It's a multi-thread application and every client is managed by a different thread. However, ever since I implemented Openssl there seams to be a memory leak of around 10 kb. My openssl-code code is looking like following: SSL_set_bio(ssl,bio,bio); SSL_accept(ssl); SSL_shutdown(ssl); SSL_free(ssl); where bio and ssl is class objects where BIO is set like bio = BIO_new_socket(s,BIO_NOCLOSE) The increased memory does not occur before SSL_accept(ssl). The first time a client connect about a 100 kb is allocated, which I suppose is due to some initialising function. For each new client about 0-20 kb are still allocated after SSL_shutdown(ssl); SSL_free(ssl); is issued. Is there some cleanup functions im forgetting? I am using windows btw.
Re: Openssl Memory leak
70 KB is nothing nowadays. Besides each thread has its memory requirements, and memory is supposed to increase the more threads you use. Even if the threads reduce (lower load) memory may not go all the way back, because of global structures that have grown due to the load. But after several cycles, memory should stabilize when releasing threads. Best way is to put it through valgrind, but I expect that this is already been done by the developers in the group. BR, Nikos - Original Message - From: Fabian Bergmark To: openssl-users@openssl.org Sent: Thursday, May 07, 2009 4:49 PM Subject: Re: Openssl Memory leak After some investigation I've figured out that the memory leak isn't caused by running Openssl in threads. However, after about 200 connections, may vary, the used memory increases with around 70 kb. Is this normal? I guessed it's allocated by the openssl library 2009/5/6 Fabian Bergmark fabian.bergm...@gmail.com Okey. Now i got no more memory leaks when I put the SSL code in main. However, if i try to put the exact same code in a thread the memory leak is back. Here is the essential code I'm using; void lcserver::start() { SSL_library_init(); SSL_load_error_strings(); method = SSLv23_server_method(); ctx = SSL_CTX_new(method); Some windows socket code... while(acceptsocket = accept(listensocket,(sockaddr*)sin,len)) { struct clientinfo *client; client = new struct clientinfo(acceptsocket,sin.sin_addr.s_addr,clientid++,this,rooms[0]-getthis(),ctx); client-M1(); } } void clientinfo::M1() { CreateThread(0,0,(LPTHREAD_START_ROUTINE)M2,(LPVOID)this,0,0); } void clientinfo::M2(LPVOID param) { clientinfo* Call = (clientinfo*)param; Call-listenfor(); delete Call; return; } void clientinfo::listenfor() { SSL_set_bio(ssl,bio,bio); SSL_accept(ssl); while(SSL_shutdown(ssl) == 0) ; SSL_free(ssl); ERR_remove_state(0); } Just running this code which shouldn't leave any allocated memory, about 12 kb ram is still allocated. 2009/5/5 Nikos Balkanas nbalka...@gmail.com Hi, Check the return value of SSL_shutdown(ssl). Sometimes it needs up to 4 iterations to complete due to internal state machine. It completes when the value != 0. Hope it helps. BR, Nikos - Original Message - From: Fabian Bergmark To: openssl-users@openssl.org Sent: Tuesday, May 05, 2009 9:13 PM Subject: Openssl Memory leak Hi I am currently writing a Chat application using the Openssl library for encryption. It's a multi-thread application and every client is managed by a different thread. However, ever since I implemented Openssl there seams to be a memory leak of around 10 kb. My openssl-code code is looking like following: SSL_set_bio(ssl,bio,bio); SSL_accept(ssl); SSL_shutdown(ssl); SSL_free(ssl); where bio and ssl is class objects where BIO is set like bio = BIO_new_socket(s,BIO_NOCLOSE) The increased memory does not occur before SSL_accept(ssl). The first time a client connect about a 100 kb is allocated, which I suppose is due to some initialising function. For each new client about 0-20 kb are still allocated after SSL_shutdown(ssl); SSL_free(ssl); is issued. Is there some cleanup functions im forgetting? I am using windows btw.
SHA-1 vs. SHA-2
How does openssl decide which SHA function to use if we simply uses ssl connection, i.e. what control the use of different SHA function? Is there a way users can select it? Alex __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SHA-1 vs. SHA-2
At 10:54 AM 5/7/2009, you wrote: How does openssl decide which SHA function to use if we simply uses ssl connection, i.e. what control the use of different SHA function? Is there a way users can select it? Alex The crypto suite used by SSL is negotiated between the parties, I think. See below for list of available options. http://docs.sun.com/source/816-6156-10/contents.htm The job of deciding which is almost always decided by the server, since it tends to have the important information it's trying to protect. But, maybethat isn't what you asked. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: SHA-1 vs. SHA-2
On Thu, May 07, 2009 at 10:54:50AM -0700, Alex Chen wrote: How does openssl decide which SHA function to use if we simply uses ssl connection, i.e. what control the use of different SHA function? There are no SHA-2 cipher-suites in TLS 1.0 and TLS 1.1. TLS 1.2 is very new, and not yet implemented by OpenSSL. If you enable all algorithms rather than all ssl algorithms, you will be able to verify certificates signed with SHA-2 with the current OpenSSL release but the SSL cipher-suite will still use a SHA-1 HMAC. This said, most clients and servers will break with SHA-2 certificates, so you can only use these in closed systems, not on the public Internet. TLS 1.2 supports negotiation of certificate signature algorithms, but it will be a long time before systems are able to make use of SHA-2 certs... -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
relationship between FIPS module and OpenSSL
Hi, Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here? Thanks for any assistance or pointers. Thanks, Carl __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: relationship between FIPS module and OpenSSL
OpenSSL FIPS is used essentially as a crypto engine, except that it's not called through the standard engine interface. The FIPS module is validated to perform its advertised functions; if it's in FIPS mode, OpenSSL will use its linked-in OpenSSL FIPS module to perform all of its cryptographic operations (and should be used in preference to engines, as well, since a FIPS operational environment requires all cryptographic operations to be performed within the bounds of a validated cryptographic canister). If the OpenSSL library is not in FIPS mode, then it's essentially ignored. -Kyle H On Thu, May 7, 2009 at 1:31 PM, carlyo...@keycomm.co.uk wrote: Hi, Could someone please explain to me in simple terms the relationship between the OpenSSL FIPS module and OpenSSL itself? Is the FIPS module used by OpenSSL as a crypto engine or such like or am I way off base here? Thanks for any assistance or pointers. Thanks, Carl __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org