RE: HTTPS connection hangs during SSL handshake

2012-09-11 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de
Almeida
> Sent: Tuesday, 11 September, 2012 10:08
> To: openssl-users@openssl.org

> For any SSL connection, you have to assure that:
> 
> 1- The cpu's can reach each other (the hostname 
> "test.mydomain.com" must be also resolved). You may use ping, 
> HTTP, FTP to check it out;

More exactly, the TCP stacks must be able to connect.
That requires slightly more than IP reachability -- 
not much more, but enough to be a problem in rare cases.
But "CONNECTED(fd)" from s_client means they *did* TCP 
connect, so that's not the problem here.

> 2- Certificates or CA chain from each endpoint must be 
> inserted in the opposite side as trust cert; 

A problem here would cause a handshake error not a hang.

> 3- The both sides must have at least one cipher in common;

A problem here would cause a handshake error not a hang.

> 4- No NAT or Firewall is filtering the messages.  
> 
Yes, or possibly other middlebox, see below.

> I have never made a connection by openssl command line, so, I 
> can't tell you how to check it out . 
> 
> I advice you to use some sniffer in at least one side, then 
> you can reach the error, eg. where handshake is failuring, 
> get the error code, etc... Using this you might be able to 
> solve your problemm.
> 
Maybe both sides, see below.

> As I saw your logs, perhaps one side doesn't trust in the 
> opposite cert received. That may happen for many reasons. 
> I've already got some cases that the hostname (in your case 
> "test.mydomain.com") must match with certificate common name (CN).
> 
According to the log posted, his host is www.mydomain.com and 
the cert is for *.mydomain.com . That is a valid wildcard match, 
and should be acceptable to any conforming client. But openssl 
library and s_client doesn't do hostname matching at all.
(*Apps* using openssl normally should, and at least some do.)

I don't know if "mydomain" is supposedly real or munged for posting.
mydomain.com is a real company and test.mydomain.com doesn't 
resolve publicly and the cert chain used for {www.,}mydomain.com 
publicly is wholly different from the OP's log.

OP's s_client fails to verify the received chain because it 
(apparently) doesn't have the ValiCert root in its truststore.
Official openssl does not distribute any default trusted roots,
although custom packages of it may, as may apps using it.
OP probably didn't install a default truststore (or possibly 
is using a build that has the default truststore wrong).

But failure to verify should cause a real app to reject the 
connection, and s_client as a test tool overrides the verify 
error and continues. Neither of these is a hang.

In the other direction, s_client doesn't do client authentication 
and send a client cert unless explicitly specified, which the OP 
didn't. If the server wants client-auth and client doesn't provide 
it or provides a cert (chain) which server doesn't trust, that will 
give a handshake error, not a hang.

> -Mensagem original-
> De: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] Em nome de Supratik Goswami
> Enviada em: terça-feira, 11 de setembro de 2012 10:15
> Para: openssl-users@openssl.org
> Assunto: Re: HTTPS connection hangs during SSL handshake
> 
> Is there no one in the community who can help me to find the cause of
> the problem ?
> 
> On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami
>  wrote:
> > I am using OpenSSL version : openssl-1.0.0j in our production.
> >
> > I am facing a strange problem where the SSL connection simply hangs
> > during initial handshake when requested from our office IP address.
> > When I run the same command from another IP address it works fine.
> >
> > From office IP (Unsuccessful connection):
> >
> > [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> > CONNECTED(0003)
> >
Use s_client with at least -state and preferably -debug or -msg 
(you don't need both) to see how far it's getting in the handshake.

If you receive some handshake messages but not all, it practically 
must be the server; talk to the server operator(s). It would be 
unusual, but not impossible, for the server to mishandle connections 
from one IP while it works for another. If you receive no message 
at all, it might be server (try them) or it might be network 
weirdness as (Mr?) de Almeida suggests; try a sniffer on your client 
machine or near it (same LAN), and if that looks okay also try one 
on or near the server (you may need server operator(s) to do that).

For Windows or Mac, I recommend www.wireshark.org . Very capable, 
easy to install and use, well maintained. I don't know an equally 
good solution for Linux, but there may be one, or at minimum you can 
capture with tcpdump and if it's anything more complicated than 
no-response you can copy the capture and decode with wireshark.

One possibility -- some servers want to lookup in DNS the address 
of the client who connects

RE: Enabling Logging in OpenSSL

2012-09-11 Thread Dave Thompson
>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Tuesday, 11 September, 2012 02:10

>On Tue, Sep 11, 2012 at 8:08 AM, Dave Thompson 
wrote:

>   I didn't notice before, but 1433 on Windows is usually SQLServer.
>   If so, SQLServer doesn't start in SSL; it starts in a SQLServer
protocol
>   (TDS) and optionally switches to SSL. If you connect to 1433 and
just start
>   an SSL handshake, SQLServer will consider this a violation of TDS
protocol.
>And in fact on my elderly SQLServer2005 Express, connecting
to 1433
>   and starting -ssl3 handshake does exactly as you report, with an
event logged:
>   source=MSSQLSERVER eventid=17836
>   Length specified in network packet payload did not match number of
bytes read;
>   the connection has been closed. Please contact the vendor of the
client  library.
>   [CLIENT: 127.0.0.1]
>   whereas a (default) ssl2 clienthello hangs (at least 1minute).


>   In this case, you must implement the TDS protocol, or at least the
part
>   of it that starts SSL. 
>   jtds.sourceforge.net is a Java port of freetds that I do use okay,
>   and Java's SSL implementation (JSSE) has the feature that (fairly
>   verbose) logging can be turned on by a sysprop 

>Mithun>>I am trying to connect to SQLServer which by default starts in TDS.

>you said " And in fact on my elderly SQLServer2005 Express, connecting to
1433 
>and starting -ssl3 handshake does exactly as you report, with an event
logged:
>source=MSSQLSERVER eventid=17836"

>Did you get the events logged in SQLServer Log's? Can you please elaborate 
>so that i can confirm what i am seeing?

I found it in the Windows application eventlog because that's 
quicker for me to use, but it is also in the SQLServer ERRORLOG.
There was exactly one event for the one ssl3 handshake attempt.

>JSSE tracing indeed gives in detail log on the handshake , Unfortunately 
>i am not sure how to enable the same on SQLServer !!!

I don't know about any SSL or other connection logging in SQLServer.
But do you need to? If there is no network problem in between, 
the messages sent and received by the client, here jtds, are the 
same as the messages received and sent by the server.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: openssl on a home LAN

2012-09-11 Thread John A. Wallace
Charlie, 

 

Frankly, you condescending manner is starting to annoy me, considerably.
Furthermore, your name is not on this page as one of the moderators of this
group:   http://www.openssl.org/about/.  

 

Moreover, I don't believe I need your permission to "hang out here".  You
need to read the link I provided you all the way to the end, it says that
this group is for 

 

1.   Developers

2.   OpenSSL usage

3.   Installation problems

 

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2
above, well I think that makes my asking it a legitimate question for this
group. If you don't like it, you can just learn to use your reading program
and ignore me. Thank you very much.   J

 

John

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 3:22 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Right. Are you an application developer? In other words, do you write
computer programs? Does the following mean anything to you?

 

int main(int argc, char *argv[])

{

printf("hello world\n");

return 0;

}

 

Or alternatively, are you a Web site operator? Do you host a Web site that
others access?

 

If the answer to both of these questions is No, then you are welcome to hang
out here but the answer to your original question, "whether there is any
point in using openssl" is No.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:07 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi.  I am not trying to be mean or something, but you may want to take a
look at this page:

 

http://www.openssl.org/support/community.html

 

Focusing on the part that describes this list, one can read this about its
purpose:

 

Application Development, OpenSSL Usage, Installation Problems, etc.

 

That looks clear to me in that this list would provide support for the type
of question I just asked, or did I misunderstand you? J

 

Thanks.

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 12:52 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Do you write computer programs, or are you a home user of personal
computers?

 

If you don't write computer programs, then using OpenSSL at the level
addressed by this mailing list is not what you are looking for.

 

Some of the products you might buy might use OpenSSL "under the covers," but
you would get support generally directly from the companies that produce
those products, not this mailing list.

 

Not trying to be mean or off-putting. If I have missed the mark please let
me know.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 9:36 AM
To: openssl-users@openssl.org
Subject: openssl on a home LAN

 

I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.



RE: Parsing X509 certificate subjectAltName

2012-09-11 Thread Charles Mills
Thanks!

Charles

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, September 11, 2012 3:46 PM
To: openssl-users@openssl.org
Subject: Re: Parsing X509 certificate subjectAltName

On Tue, Sep 11, 2012, Charles Mills wrote:

> 
> {
> 
> case GEN_DNS:
> 
> case GEN_URI:
> 
> case GEN_IPADD:
> 
>  
> ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);
> 
> b = 
> isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName);
> 
>  

Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING
representing the IP address in a format described by RFC3280 et al.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Parsing X509 certificate subjectAltName

2012-09-11 Thread Dr. Stephen Henson
On Tue, Sep 11, 2012, Charles Mills wrote:

> 
> {
> 
> case GEN_DNS:
> 
> case GEN_URI:
> 
> case GEN_IPADD:
> 
>  
> ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);
> 
> b =
> isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName);
> 
>  

Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING
representing the IP address in a format described by RFC3280 et al.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Why is the OpenSSL documentation incomplete?

2012-09-11 Thread Matt Caswell (fr...@baggins.org)
On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote:
> I have seen a lot of applications that utilize the OpenSSL library,
> however I see that the majority of the documentation is incomplete.
> 
> 
> In particular, I need some documentation for the EC package in the
> 'crypto' sub-folder, I mean, it's not possible for application
> developers to generate Elliptic Curve keys without first understanding
> how to use it,in what order and how to initialize it.
> 
> 
> Any help on this?


Please see this patch which I submitted some while ago, but
unfortunately is still showing as "new" :-(

http://rt.openssl.org/Ticket/Display.html?id=2799

This is my attempt at adding documentation for the EC library.

Matt

PS Apologies if you have received this twice. Problem between chair and
keyboard on first sending attempt!


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: openssl on a home LAN

2012-09-11 Thread Erik Tkal
You don't "use OpenSSL" on a home LAN, you use applications or OS layers that 
might use OpenSSL in their implementation.  In general OpenSSL is a toolkit 
that provides cryptography and SSL/TLS implementations.

I think you have to be more specific about what you mean by phrases like 
"connect Windows with Linux".  Do you mean file sharing?  Remote desktop?  
Backup solutions?  Remote command prompts?  Each usage will use some sort of 
enabling technology that you would have to research to determine its security, 
and many of these solutions might just as well already be using OpenSSL.


Erik Tkal
Juniper OAC/UAC/Pulse Development


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:36 PM
To: openssl-users@openssl.org
Subject: openssl on a home LAN


I am trying to figure out whether there is any point in using openssl on a home 
LAN between two computers. Would that improve on security in any way?  Would I 
be limited in the types of OS connections? I mean, could I connect Windows with 
Linux? Also, if I want to make such a connection between two OS running in 
virtual machines, could that be done too? Thanks.


Why is the OpenSSL documentation incomplete?

2012-09-11 Thread farmdve data.bg
I have seen a lot of applications that utilize the OpenSSL library, however
I see that the majority of the documentation is incomplete.

In particular, I need some documentation for the EC package in the
'crypto' sub-folder, I mean, it's not possible for application developers
to generate Elliptic Curve keys without first understanding how to use
it,in what order and how to initialize it.

Any help on this?


RE: Parsing X509 certificate subjectAltName

2012-09-11 Thread Charles Mills
bool Comm::isAltNameMatch(X509 *certificate, const char *nodeName)

{

// there is alternative code on page 136 of O'Reilly OpenSSL

 

unsigned char *pBuffer = NULL;

int length = 0;

GENERAL_NAMES *subjectAltNames;

bool b;

subjectAltNames = (GENERAL_NAMES*)
X509_get_ext_d2i(certificate, NID_subject_alt_name, NULL, NULL);

 

if ( subjectAltNames )

{

int numberOfAlts;

int i;

// get number of names. Supposed to be at
least one, but don't count on it

 

numberOfAlts = sk_GENERAL_NAME_num
(subjectAltNames);

// loop through all of the alternate names

for ( i = 0; i < numberOfAlts; i++)

{

// get a handle to
alternative name  i 

const GENERAL_NAME *pName =
sk_GENERAL_NAME_value (subjectAltNames, i);

// what did we get?

switch (pName->type)

{

case GEN_DNS:

case GEN_URI:

case GEN_IPADD:

 
ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5);

b =
isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName);

 
OPENSSL_free(pBuffer);

if ( b )
return true;

break;

case GEN_OTHERNAME:

case GEN_EMAIL:

case GEN_X400:

case GEN_DIRNAME:

case GEN_EDIPARTY:

case GEN_RID:

default:

break;

}

   }

}

 

// fall through or no alt names

return false;

}

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Kenneth Goldman
Sent: Tuesday, September 11, 2012 2:14 PM
To: openssl-users@openssl.org
Subject: Parsing X509 certificate subjectAltName

 

I'm 90% deep into parsing an X509 certificate, but I can't find sample code
for the last piece. 

I found the extension, and located the ASN1_OBJECT with nid 85, OID
2.5.29.17, the subjectAltName.  From the dumpasn output, I see that this is
an octet string of a sequence, etc. 

I have to pull out the three OIDs   '2.23.133.2. [1, 2, and 3]' which are
presumably in the ASN1_OBJECT.   

Can anyone point me to sample code or a hint? 

~~ 

515   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) 
   : . . . . . . (X.509 extension) 
<01 01 FF> 
520   1: . . . . . BOOLEAN TRUE 
<04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64
3A> 
523  74: . . . . . OCTET STRING, encapsulates { 
<30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35
37> 
525  72: . . . . . . SEQUENCE { 
 
527  70: . . . . . . . [4] { 
<30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34
33> 
529  68: . . . . . . . . SEQUENCE { 
<31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30
30> 
531  66: . . . . . . . . . SET { 
<30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 
533  20: . . . . . . . . . . SEQUENCE { 
<06 05 67 81 05 02 01> 
535   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' 
<13 0B 69 64 3A 35 37 34 35 34 33 30 30> 
542  11: . . . . . . . . . . . PrintableString 'id:57454300' 
   : . . . . . . . . . . . } 
<30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54
35> 
555  24: . . . . . . . . . . SEQUENCE { 
<06 05 67 81 05 02 02> 
557   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' 
<13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78> 
564  15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' 
   : . . . . . . . . . . . } 
<30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31> 
581  16: . . . . . . . . . . SEQUENCE { 
<06 05 67 81 05 02 03> 
583   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' 
<13 07 69 64 3A 30 33 39 31> 
590   7: . . . . . . . . . . . PrintableString 'id:0391' 
   : . . . . . . .

Parsing X509 certificate subjectAltName

2012-09-11 Thread Kenneth Goldman
I'm 90% deep into parsing an X509 certificate, but I can't find sample 
code for the last piece.

I found the extension, and located the ASN1_OBJECT with nid 85, OID 
2.5.29.17, the subjectAltName.  From the dumpasn output, I see that this 
is an octet string of a sequence, etc.

I have to pull out the three OIDs   '2.23.133.2. [1, 2, and 3]' which are 
presumably in the ASN1_OBJECT. 

Can anyone point me to sample code or a hint? 

~~

515   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   : . . . . . . (X.509 extension)
<01 01 FF>
520   1: . . . . . BOOLEAN TRUE
<04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 
3A>
523  74: . . . . . OCTET STRING, encapsulates {
<30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 
37>
525  72: . . . . . . SEQUENCE {

527  70: . . . . . . . [4] {
<30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 
33>
529  68: . . . . . . . . SEQUENCE {
<31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 
30>
531  66: . . . . . . . . . SET {
<30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30>
533  20: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 01>
535   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1'
<13 0B 69 64 3A 35 37 34 35 34 33 30 30>
542  11: . . . . . . . . . . . PrintableString 'id:57454300'
   : . . . . . . . . . . . }
<30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 
35>
555  24: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 02>
557   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2'
<13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78>
564  15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x'
   : . . . . . . . . . . . }
<30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31>
581  16: . . . . . . . . . . SEQUENCE {
<06 05 67 81 05 02 03>
583   5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3'
<13 07 69 64 3A 30 33 39 31>
590   7: . . . . . . . . . . . PrintableString 'id:0391'
   : . . . . . . . . . . . }
   : . . . . . . . . . . }
   : . . . . . . . . . }
   : . . . . . . . . }
   : . . . . . . . }
   : . . . . . . }
   : . . . . . }

--
Ken Goldman   kgold...@us.ibm.com 
914-945-2415 (862-2415)


RE: openssl on a home LAN

2012-09-11 Thread Charles Mills
Right. Are you an application developer? In other words, do you write
computer programs? Does the following mean anything to you?

 

int main(int argc, char *argv[])

{

printf("hello world\n");

return 0;

}

 

Or alternatively, are you a Web site operator? Do you host a Web site that
others access?

 

If the answer to both of these questions is No, then you are welcome to hang
out here but the answer to your original question, "whether there is any
point in using openssl" is No.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:07 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi.  I am not trying to be mean or something, but you may want to take a
look at this page:

 

http://www.openssl.org/support/community.html

 

Focusing on the part that describes this list, one can read this about its
purpose:

 

Application Development, OpenSSL Usage, Installation Problems, etc.

 

That looks clear to me in that this list would provide support for the type
of question I just asked, or did I misunderstand you? J

 

Thanks.

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 12:52 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Do you write computer programs, or are you a home user of personal
computers?

 

If you don't write computer programs, then using OpenSSL at the level
addressed by this mailing list is not what you are looking for.

 

Some of the products you might buy might use OpenSSL "under the covers," but
you would get support generally directly from the companies that produce
those products, not this mailing list.

 

Not trying to be mean or off-putting. If I have missed the mark please let
me know.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 9:36 AM
To: openssl-users@openssl.org
Subject: openssl on a home LAN

 

I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.



RE: openssl on a home LAN

2012-09-11 Thread John A. Wallace
Hi, Ted.

 

What you said makes good sense and answers my question completely. I
appreciate your help. Thank you.

 

John

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Ted Byers
Sent: Tuesday, September 11, 2012 1:35 PM
To: openssl-users@openssl.org
Subject: Re: openssl on a home LAN

 

 

On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace 
wrote:

I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.

openssl, almost certainly not.  That is, unless you're planning on doing
some web development and/or hosting a website on your home LAN.  In that
case, you'd use openssl to make the certificates and keys necessary to
support HTTPS on your web server or application server, as well as to create
the CSR when it comes time to buy your domain name and then a more useful
certificate signed by one fo the commercial CAs.

But, if you use wireless connections between your computers and your
router/modem (whatever your ISP provided), then it is sufficient to secure
that connection, which is itself just a matter of properly configuring your
router and computers.  Your router probably came with instructions that tell
you how to secure wireless connections between your computers and the
router; possibly for Windows only, and possibly for Windows, and Linux,
depending on the quality of your ISP.  

If all your computers can browse the web using your modem, it is possible to
get them to connect to each other also; but that falls into the realm of
knowing how to use your computers; especially how to configure them to work
together.  For information about that, Google is your friend, and apart from
that, your best line of support will be the support provided by whoever
distributes your OS (usually mail lists supported by whichever Linux
distribution you're using, and their FAQs).

Unless you're a web application programmer, you really don't need anything
other than the services of the operating systems you're using.

Cheers

Ted



RE: openssl on a home LAN

2012-09-11 Thread John A. Wallace
Hi.  I am not trying to be mean or something, but you may want to take a
look at this page:

 

http://www.openssl.org/support/community.html

 

Focusing on the part that describes this list, one can read this about its
purpose:

 

Application Development, OpenSSL Usage, Installation Problems, etc.

 

That looks clear to me in that this list would provide support for the type
of question I just asked, or did I misunderstand you? J

 

Thanks.

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 12:52 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Do you write computer programs, or are you a home user of personal
computers?

 

If you don't write computer programs, then using OpenSSL at the level
addressed by this mailing list is not what you are looking for.

 

Some of the products you might buy might use OpenSSL "under the covers," but
you would get support generally directly from the companies that produce
those products, not this mailing list.

 

Not trying to be mean or off-putting. If I have missed the mark please let
me know.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 9:36 AM
To: openssl-users@openssl.org
Subject: openssl on a home LAN

 

I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.



Re: openssl on a home LAN

2012-09-11 Thread Ted Byers
On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace wrote:

> **
>
> I am trying to figure out whether there is any point in using openssl on
> a home LAN between two computers. Would that improve on security in any
> way?  Would I be limited in the types of OS connections? I mean, could 
> Iconnect Windows with Linux? Also, if
> I want to make such a connection between two OS running in virtual
> machines, could that be done too? Thanks.
>
>  openssl, almost certainly not.  That is, unless you're planning on doing
some web development and/or hosting a website on your home LAN.  In that
case, you'd use openssl to make the certificates and keys necessary to
support HTTPS on your web server or application server, as well as to
create the CSR when it comes time to buy your domain name and then a more
useful certificate signed by one fo the commercial CAs.

But, if you use wireless connections between your computers and your
router/modem (whatever your ISP provided), then it is sufficient to secure
that connection, which is itself just a matter of properly configuring your
router and computers.  Your router probably came with instructions that
tell you how to secure wireless connections between your computers and the
router; possibly for Windows only, and possibly for Windows, and Linux,
depending on the quality of your ISP.

If all your computers can browse the web using your modem, it is possible
to get them to connect to each other also; but that falls into the realm of
knowing how to use your computers; especially how to configure them to work
together.  For information about that, Google is your friend, and apart
from that, your best line of support will be the support provided by
whoever distributes your OS (usually mail lists supported by whichever
Linux distribution you're using, and their FAQs).

Unless you're a web application programmer, you really don't need anything
other than the services of the operating systems you're using.

Cheers

Ted


RE: openssl on a home LAN

2012-09-11 Thread Charles Mills
Do you write computer programs, or are you a home user of personal
computers?

 

If you don't write computer programs, then using OpenSSL at the level
addressed by this mailing list is not what you are looking for.

 

Some of the products you might buy might use OpenSSL "under the covers," but
you would get support generally directly from the companies that produce
those products, not this mailing list.

 

Not trying to be mean or off-putting. If I have missed the mark please let
me know.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 9:36 AM
To: openssl-users@openssl.org
Subject: openssl on a home LAN

 

I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.



Re: openssl on a home LAN

2012-09-11 Thread Gayathri Sundar
unless somebody is gonna tap your LAN connection, I don't see a point in
using SSL. Generally its useful only when you want to send secure
application data over the internet. Intranets are safe esp ur 2 home
computers :).

thanks
--Gayathri

On Tue, Sep 11, 2012 at 11:36 AM, John A. Wallace wrote:

> **
>
> I am trying to figure out whether there is any point in using openssl on
> a home LAN between two computers. Would that improve on security in any
> way?  Would I be limited in the types of OS connections? I mean, could 
> Iconnect Windows with Linux? Also, if
> I want to make such a connection between two OS running in virtual
> machines, could that be done too? Thanks.
>
>


openssl on a home LAN

2012-09-11 Thread John A. Wallace
I am trying to figure out whether there is any point in using openssl on a
home LAN between two computers. Would that improve on security in any way?
Would I be limited in the types of OS connections? I mean, could I connect
Windows with Linux? Also, if I want to make such a connection between two OS
running in virtual machines, could that be done too? Thanks.




RES: HTTPS connection hangs during SSL handshake

2012-09-11 Thread Leonardo Laface de Almeida
For any SSL connection, you have to assure that:

1- The cpu's can reach each other (the hostname "test.mydomain.com" must be 
also resolved). You may use ping, HTTP, FTP to check it out;
2- Certificates or CA chain from each endpoint must be inserted in the opposite 
side as trust cert; 
3- The both sides must have at least one cipher in common;
4- No NAT or Firewall is filtering the messages.  

I have never made a connection by openssl command line, so, I can't tell you 
how to check it out . 

I advice you to use some sniffer in at least one side, then you can reach the 
error, eg. where handshake is failuring, get the error code, etc... Using this 
you might be able to solve your problemm.

As I saw your logs, perhaps one side doesn't trust in the opposite cert 
received. That may happen for many reasons. I've already got some cases that 
the hostname (in your case "test.mydomain.com") must match with certificate 
common name (CN).

I hope it helps.
Leonardo


-Mensagem original-
De: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Em 
nome de Supratik Goswami
Enviada em: terça-feira, 11 de setembro de 2012 10:15
Para: openssl-users@openssl.org
Assunto: Re: HTTPS connection hangs during SSL handshake

Is there no one in the community who can help me to find the cause of
the problem ?

On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami
 wrote:
> I am using OpenSSL version : openssl-1.0.0j in our production.
>
> I am facing a strange problem where the SSL connection simply hangs
> during initial handshake when requested from our office IP address.
> When I run the same command from another IP address it works fine.
>
> From office IP (Unsuccessful connection):
>
> [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> CONNECTED(0003)
>
>
> From a different IP (Successful connection):
>
> ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
> test.mydomain.com:443
> CONNECTED(0003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> Class 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
>
> REMOVED FOR SECURITY REASON
>
> -END CERTIFICATE-
> subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4827 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1
> Cipher: RC4-SHA
> Session-ID: 
> 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
> Session-ID-ctx:
> Master-Key:
> 22B470A67XXXB50ED6237BE9
> Key-Arg   : None
> Start Time: 1346765613
> Timeout   : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain
>
>
>
> Any ideas ?
>
>
> --
> Warm Regards
>
> Supratik



-- 
Warm Regards

Supratik
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automa

Re: FIPS linking a shared object

2012-09-11 Thread Jason Todd
Found my own answer on an earlier thread. You need the option "-Wl,-Bsymbolic"
to link a shared libary (that has static linked ssl-fips) correctly

On Mon, Sep 10, 2012 at 5:43 PM, Jason Todd  wrote:

> So I can build a fips compliant executable and turn fips on/off (this is
> on linux).
>
> But when I try to statically link the fips enabled openssl into a shared
> object, the signature that it generates at runtime gets hosed.
>
> For example, here is my library:
>
>
>
> #include "FIPSTest.h"
> #include 
> #include 
> #include 
> #include 
> #include 
> #include 
>
>
>
> extern const void *FIPS_text_start(),  *FIPS_text_end();
> extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[];
> extern unsigned char   FIPS_signature[20];
> extern unsigned intFIPS_incore_fingerprint(unsigned char
> *,unsigned int);
>
>
>
> void doFipsTest() {
>  unsigned char sig[EVP_MAX_MD_SIZE];
>  unsigned int len,len2;
>  unsigned int i;
>
>
> len=FIPS_incore_fingerprint(sig,sizeof(sig));
>
> printf("FIPS_witness::%d\n",len);
> printf("current FIPS_MODE: %ld\n",FIPS_mode());
>
> printf(".text:%p+%d=%p\n",FIPS_text_start(),
> (int)((size_t)FIPS_text_end()-(size_t)FIPS_text_start()),
> FIPS_text_end());
> printf(".rodata:%p+%d=%p\n",FIPS_rodata_start,
> (int)((size_t)FIPS_rodata_end-(size_t)FIPS_rodata_start),
> FIPS_rodata_end);
>
>
> printf("sig:");
> for (i=0;i  printf("%02x",sig[i]);
> }
> printf("\n");
>printf("fips_sig:");
> for (i=0;i<(unsigned int)strlen((char *)FIPS_signature);i++) {
>  printf("%02x",FIPS_signature[i]);
> }
> printf("\n");
>
>
>
>
> long ret = FIPS_mode_set(1);
> if(ret) {
> printf("FIPS_MODE_set: passed : %ld\n",FIPS_mode());
> } else {
> printf("FIPS_MODE_set: failed: %ld\n",FIPS_mode());
> ERR_load_crypto_strings();
> ERR_print_errors_fp(stderr);
> exit(1);
> }
>
>
> fprintf(stderr,"current FIPS_MODE: %ld\n",FIPS_mode());
>
> }
>
>
> That compiles into a shared library:
> FIPSLIBDIR=/usr/local/ssl/fips-2.0/lib  FIPSLD_CC=gcc fipsld  -o
> libblahtest.so FIPSTest.c -fPIC -shared -I../target/include/
> -L../target/lib -lcrypto -ldl
>
> And then link that to just a shell main that calls the test:
>
> gcc -o libTest main.c -lblahtest -L.
>
>
>  But the signatures don't match during runtime:
>
> 3086362252:error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not
> match:fips.c:229:
> FIPS_witness::20
> current FIPS_MODE: 0
> .text:0x461c84+323712=0x4b0d04
> .rodata:0x551d60+54144=0x55f0e0
> sig:75f0a9bf86f62839419e238afcee6e3e11f6de20
> fips_sig:063541af4498ccf10d68cdd24d285c2cc4019207
> FIPS_MODE_set: failed: 0
>
>
> However if i collapse that into just one executable, it will work.
>
>
> Any ideas?
>
>
>
>
>
>
>
>
>
>


Re: HTTPS connection hangs during SSL handshake

2012-09-11 Thread Supratik Goswami
Is there no one in the community who can help me to find the cause of
the problem ?

On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami
 wrote:
> I am using OpenSSL version : openssl-1.0.0j in our production.
>
> I am facing a strange problem where the SSL connection simply hangs
> during initial handshake when requested from our office IP address.
> When I run the same command from another IP address it works fine.
>
> From office IP (Unsuccessful connection):
>
> [root@gateway ]# openssl s_client -connect test.mydomain.com:443
> CONNECTED(0003)
>
>
> From a different IP (Successful connection):
>
> ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect
> test.mydomain.com:443
> CONNECTED(0003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert
> Class 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
>i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>  1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
>i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>  2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2
> Certification Authority
>i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>  3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
>i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class
> 2 Policy Validation
> Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com
> ---
> Server certificate
> -BEGIN CERTIFICATE-
>
> REMOVED FOR SECURITY REASON
>
> -END CERTIFICATE-
> subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com
> issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
> Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure
> Certification Authority/serialNumber=07969287
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4827 bytes and written 435 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol  : TLSv1
> Cipher: RC4-SHA
> Session-ID: 
> 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533
> Session-ID-ctx:
> Master-Key:
> 22B470A67XXXB50ED6237BE9
> Key-Arg   : None
> Start Time: 1346765613
> Timeout   : 300 (sec)
> Verify return code: 19 (self signed certificate in certificate chain
>
>
>
> Any ideas ?
>
>
> --
> Warm Regards
>
> Supratik



-- 
Warm Regards

Supratik
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org