How to disable weak/export ciphers
Hi: I am doing some development work with openssl. My application is a server and will support SSL v3 protocol. I want to disable those weak/export ciphers during the SSL handshake session key generation. Unfortunately I don't find how to do it with openssl. The information found in internet are all about how to disable them with other SW, like apache. Could anyone please help me on this point? Best Regards _ Sheng Liang
Re:How to disable weak/export ciphers
HI, Sheng Liang You may reference the following APIs: intSSL_CTX_set_cipher_list(SSL_CTX *,const char *str); intSSL_set_cipher_list(SSL *s, const char *str); These two functions use a cipher list string to customize ciphers during the handshake.The default is as follows: #define SSL_DEFAULT_CIPHER_LISTAES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH /* low priority for RC4 */ There are some rules about it.You may see the documentation for more details. doc ref: http://www.openssl.org/docs/apps/ciphers.html# At 2012-01-31 17:27:35,Sheng Liang sheng.li...@ericsson.com wrote: Hi: I am doing some development work with openssl. My application is a server and will support SSL v3 protocol. I want to disable those weak/export ciphers during the SSL handshake session key generation. Unfortunately I don't find how to do it with openssl. The information found in internet are all about how to disable them with other SW, like apache. Could anyone please help me on this point? Best Regards _ Sheng Liang
RE: Renegotiation question
My apologies for accidently spamming the list with this message, my web based email was having issues. I am still unable to successfully rehandshake in the scenario below, and was wondering if anyone might have some ideas. Is this the proper list for this email? Thanks. From: jetso...@hotmail.com To: openssl-users@openssl.org Subject: Renegotiation question Date: Fri, 27 Jan 2012 15:33:36 + I have implemented a server using OpenSSL 0.9.8r. If I use s_client to open a connection to a listenening SSL port on the server, and use the R commend to initiate a rehandshake, the rehandshake completes successfully(as expected). I have verified this using both SSL 3.0 and TLS 1.0. Another client(non-OpenSSL) opens a connection to my server with a successful initial handshake as well. The client is basically an FTP client, and it then initiates a data transfer with a get, so my server is sending data to the client. During this transfer, the client sends a Client Hello to renegotiate. My server, using poll() to look for activated sockets, ends up calling SSL_read() and reads in the Client Hello. However, OpenSSL gets an error, “SSL3_WRITE_PENDING:bad write retry”. I’ve dug around a little in the OpenSSL code and added some debug code to try to follow what is happening. From what I can tell, the following is taking place: - Client and server establish a connection and my server is sending data with repeated calls to SSL_write() - While server is writing data, client initiates a renegotiation, and sends a Client Hello - SSL_write() on the server returns -1 with SSL_ERROR_WANT_READ, presumably after the Client Hello comes in - Server calls SSL_read() and reads in the Client Hello (I have info_cb functionality implemented that dump out handshake messages, the message looks OK) - OpenSSL calls ssl3_get_client_hello(); I added a syslog() when the state changes to SSL3_ST_SR_CLNT_HELLO_B - ssl3_get_client_hello() returns successfully; I added a syslog when the state gets changed to SSL3_ST_SW_SRVR_HELLO_A to verify this. - ssl3_send_server_hello() is called - The ssl3_send_server_hello() will lead to calls to the following functions, in order: ssl3_write_bytes(), do_ssl3_write(), and ssl3_write_pending(). - Meanwhile, the previous calls to SSL_write have data left to send and a call to ssl3_write_pending() is being made from do_ssl3_write(). I’m not sure of the code path from the server calling SSL_write() to do_ssl3_write()/ssl3_write_pending(), but I see do_ssl3_write() calling ssl3_write_pending() several times during the file transfer. Does this scenario sound like it should be working? I’m not sure what my server could be doing wrong? A couple notes, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is not set on my server. I’m not sure that it should or needs to be, I did notice in the code that that mode is one of the conditions that is checked for when throwing the SSL_R_BAD_WRITE_RETRY error. From what I’ve read, the SSL3_WRITE_PENDING error is caused by calling SSL_write() after getting SSL_ERROR_WANT_READ/WRITE with a different buffer than before. However, my server is not calling SSL_write() after it gets the SSL_ERROR_WANT_READ error when the Client Hello comes in. So it seems to me the error is being thrown because OpenSSL is internally calling ssl3_write_pending() incorrectly. I have some traces of the scenario but I did not include them, they may make things more confusing. They exists in two different places, logging in my server before/after SSL_read and SSL_write calls(SSL_get_error()/ERR_error_string() calls) as well as info_cb and msg_cb message that display the SSL records coming in and going out. A separate trace exists of some syslog() calls I added to the OpenSSL code. I know there is a way to build OpenSSL in debug mode, but I haven’t taken the time to do this yet. Please advise if I should look at doing that, or include the logging I do have. Thanks in advance.
Renegotiation question (one more try)
My apologies again, my posts were somehow got attached to an earlier conversation. Posting one more time to place the message at the top of the list: I have implemented a server using OpenSSL 0.9.8r. If I use s_client to open a connection to a listenening SSL port on the server, and use the R commend to initiate a rehandshake, the rehandshake completes successfully(as expected). I have verified this using both SSL 3.0 and TLS 1.0. Another client(non-OpenSSL) opens a connection to my server with a successful initial handshake as well. The client is basically an FTP client, and it then initiates a data transfer with a get, so my server is sending data to the client. During this transfer, the client sends a Client Hello to renegotiate. My server, using poll() to look for activated sockets, ends up calling SSL_read() and reads in the Client Hello. However, OpenSSL gets an error, “SSL3_WRITE_PENDING:bad write retry”. I’ve dug around a little in the OpenSSL code and added some debug code to try to follow what is happening. From what I can tell, the following is taking place: - Client and server establish a connection and my server is sending data with repeated calls to SSL_write() - While server is writing data, client initiates a renegotiation, and sends a Client Hello - SSL_write() on the server returns -1 with SSL_ERROR_WANT_READ, presumably after the Client Hello comes in - Server calls SSL_read() and reads in the Client Hello (I have info_cb functionality implemented that dump out handshake messages, the message looks OK) - OpenSSL calls ssl3_get_client_hello(); I added a syslog() when the state changes to SSL3_ST_SR_CLNT_HELLO_B - ssl3_get_client_hello() returns successfully; I added a syslog when the state gets changed to SSL3_ST_SW_SRVR_HELLO_A to verify this. - ssl3_send_server_hello() is called - The ssl3_send_server_hello() will lead to calls to the following functions, in order: ssl3_write_bytes(), do_ssl3_write(), and ssl3_write_pending(). - Meanwhile, the previous calls to SSL_write have data left to send and a call to ssl3_write_pending() is being made from do_ssl3_write(). I’m not sure of the code path from the server calling SSL_write() to do_ssl3_write()/ssl3_write_pending(), but I see do_ssl3_write() calling ssl3_write_pending() several times during the file transfer. Does this scenario sound like it should be working? I’m not sure what my server could be doing wrong? A couple notes, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is not set on my server. I’m not sure that it should or needs to be, I did notice in the code that that mode is one of the conditions that is checked for when throwing the SSL_R_BAD_WRITE_RETRY error. From what I’ve read, the SSL3_WRITE_PENDING error is caused by calling SSL_write() after getting SSL_ERROR_WANT_READ/WRITE with a different buffer than before. However, my server is not calling SSL_write() after it gets the SSL_ERROR_WANT_READ error when the Client Hello comes in. So it seems to me the error is being thrown because OpenSSL is internally calling ssl3_write_pending() incorrectly. I have some traces of the scenario but I did not include them, they may make things more confusing. They exists in two different places, logging in my server before/after SSL_read and SSL_write calls(SSL_get_error()/ERR_error_string() calls) as well as info_cb and msg_cb message that display the SSL records coming in and going out. A separate trace exists of some syslog() calls I added to the OpenSSL code. I know there is a way to build OpenSSL in debug mode, but I haven’t taken the time to do this yet. Please advise if I should look at doing that, or include the logging I do have. Thanks in advance.
Support for certificates other than the X509 standard Reg.
Hi, I understand that X509 is the preferred ITU-T standard for PKI. But what would be the other certificate standards which are available and those which a PKI solution needs to support? First question would be whether there are any certificates which do not belong to the X509 standard? Also, what all standards of certificates does the openSSL implementation support? Regds, Ashok
Re: [openssl-users] Support for certificates other than the X509 standard Reg.
Bonjour, Out of my head, there's ISO7816-6 certificates, used at least in eID projects (EAC passports). One can also mention PGP/GPG (which can now include X.509), with a marginal use (in corporate/business world). OpenSSL has a great support for X.509, of course, but since it also includes complete ASN.1 and crypto API, you can easily work with ISO7816-6 certificates. I haven't used PGP/GPG since a few years so I don't really know if there's an ASN.1 description, but the crypto is the same, for sure. Le 31/01/2012 17:07, Ashok C a écrit : I understand that X509 is the preferred ITU-T standard for PKI. But what would be the other certificate standards which are available and those which a PKI solution needs to support? First question would be whether there are any certificates which do not belong to the X509 standard? Also, what all standards of certificates does the openSSL implementation support? -- Erwann ABALEA - Depuis ce matin, j'ai une IP en 213.@@@.@@@ et des plumes. C'est devenu apparement une IP statique. Mon contrat me donne droit à une IP dynamique.. -+- TW inhttp://neuneu.mine.nu : Neuneu se fixe -+- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Safari and application/x-x509-user-cert
Hi all, I have some openssl code that creates a certificate based on a SPKAC, and then attempts to send the certificate back to the browser. This works fine in Firefox, but doesn't working in Safari, or at least it does work, except that Safari doesn't recognise the MIME type of the certificate, and tries to download the certificate and save it to the downloads folder instead. I am struggling with the lack of documentation on this stuff, what is the expected certificate format when delivering a certificate as application/x-x509-user-cert? Most specifically, is this code correct: BIO *b = BIO_new(BIO_s_mem()); char buf[LEN]; int len; set_content_type(r, application/x-x509-user-cert); i2d_X509_bio(b, cert); while ((len = BIO_gets(b, buf, sizeof(buf))) 0) { // write buf } BIO_free(b); Or should I be using something other than i2d_X509_bio()? Regards, Graham -- smime.p7s Description: S/MIME cryptographic signature
Facing issue while compiling openssl-1.0.0c on MIPS 64 big endian architectur
Hi Team, I have picked openssl tar from http://cblfs.cross-lfs.org/index.php/OpenSSL#Note_2; url and compiled after applying patched mentioned on this url. But I am unable to compile as I following error is encountered. making all in crypto/ts... make[2]: Entering directory `/root/depend_resolv/openssl-1.0.0c/crypto/ts' make[2]: Nothing to be done for `all'. make[2]: Leaving directory `/root/depend_resolv/openssl-1.0.0c/crypto/ts' if [ -n libcrypto libssl ]; then \ (cd ..; make libcrypto); \ fi make[2]: Entering directory `/root/depend_resolv/openssl-1.0.0c' make[3]: Entering directory `/root/depend_resolv/openssl-1.0.0c' make[4]: Entering directory `/root/depend_resolv/openssl-1.0.0c' make[4]: *** No rule to make target `link_a..so.1.0.0'. Stop. make[4]: Leaving directory `/root/depend_resolv/openssl-1.0.0c' make[3]: *** [do_.so.1.0.0] Error 2 make[3]: Leaving directory `/root/depend_resolv/openssl-1.0.0c' make[2]: *** [libcrypto] Error 2 make[2]: Leaving directory `/root/depend_resolv/openssl-1.0.0c' make[1]: *** [shared] Error 2 make[1]: Leaving directory `/root/depend_resolv/openssl-1.0.0c/crypto' make: *** [build_crypto] Error 1 Your help will be highly appreciated. As this issue is show stopper for us. Regards Shivam Agrawal === Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===
fips-capable libcrypto.so build in netbsd
Using FIPS module and FIPS capable OpenSSL (2.0/1.0.1) on a NetBSD platform. I build FIPS module by hand to follow the build instructions, and copy it into a tips sub-directory in openssl directory. I would like to build the libcrypto.so library as part of the NetBSD cross-compile build (i.e., launched from src/lib/libcrypto/Makefile), so it can be built as needed for different processors. NetBSD uses its own makefile approach using perl scripts to launch builds, and using generic src/share/mk/bsd.*.mk makefiles. I was thinking I could modify only the lib/libcrypto/Makefile file and leave the generic makefiles alone, but am struggling with the final linking step rules using fipsld. Has anyone else done this in NetBSD builds? Alternatively, I could also build the library by hand and coax the main build into just installing libcrypto.so instead of building it. Suggestions welcome! I've searched but cannot find any sign of anyone coping with similar issues. Kevin
symbol lookup error libssl.so.4 undefined symbol: krb5_cc_get_principal
Hello, I am getting an error while trying to use a self-signed certificate. Server: RedHat Ent 4, 2.6.9-5.ELsmp PWD: /usr/share/ssl/certs Server-side: # openssl s_server -key test-cert.pem -cert test-cert.pem -accept 9000 -www Using default temp DH parameters ACCEPT 19087:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:180: Client-side: # openssl s_client -showcerts -connect localhost:9000 CONNECTED(0003) openssl: symbol lookup error: /lib/libssl.so.4: undefined symbol: krb5_cc_get_principal Installed rpms: openssl-0.9.7a-43.1 openssl-devel-0.9.7a-43.1 krb5-workstation-1.3.4-9 krb5-libs-1.2.7-8 krb5-libs-1.3.4-9 krb5-devel-1.3.4-9 Cert-gen process used: # openssl req -x509 -nodes -days 365 -newkey rsa -keyout test-cert.pem -out test-cert.pem I am at a loss. This same processed worked on two other RedHat Ent4 servers, one with the exact same rpms architecture but here I am getting the symbol error. Any help would be appreciated greatly. Marlee Kovacs __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org