RE: HTTPS connection hangs during SSL handshake
> From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida > Sent: Tuesday, 11 September, 2012 10:08 > To: openssl-users@openssl.org > For any SSL connection, you have to assure that: > > 1- The cpu's can reach each other (the hostname > "test.mydomain.com" must be also resolved). You may use ping, > HTTP, FTP to check it out; More exactly, the TCP stacks must be able to connect. That requires slightly more than IP reachability -- not much more, but enough to be a problem in rare cases. But "CONNECTED(fd)" from s_client means they *did* TCP connect, so that's not the problem here. > 2- Certificates or CA chain from each endpoint must be > inserted in the opposite side as trust cert; A problem here would cause a handshake error not a hang. > 3- The both sides must have at least one cipher in common; A problem here would cause a handshake error not a hang. > 4- No NAT or Firewall is filtering the messages. > Yes, or possibly other middlebox, see below. > I have never made a connection by openssl command line, so, I > can't tell you how to check it out . > > I advice you to use some sniffer in at least one side, then > you can reach the error, eg. where handshake is failuring, > get the error code, etc... Using this you might be able to > solve your problemm. > Maybe both sides, see below. > As I saw your logs, perhaps one side doesn't trust in the > opposite cert received. That may happen for many reasons. > I've already got some cases that the hostname (in your case > "test.mydomain.com") must match with certificate common name (CN). > According to the log posted, his host is www.mydomain.com and the cert is for *.mydomain.com . That is a valid wildcard match, and should be acceptable to any conforming client. But openssl library and s_client doesn't do hostname matching at all. (*Apps* using openssl normally should, and at least some do.) I don't know if "mydomain" is supposedly real or munged for posting. mydomain.com is a real company and test.mydomain.com doesn't resolve publicly and the cert chain used for {www.,}mydomain.com publicly is wholly different from the OP's log. OP's s_client fails to verify the received chain because it (apparently) doesn't have the ValiCert root in its truststore. Official openssl does not distribute any default trusted roots, although custom packages of it may, as may apps using it. OP probably didn't install a default truststore (or possibly is using a build that has the default truststore wrong). But failure to verify should cause a real app to reject the connection, and s_client as a test tool overrides the verify error and continues. Neither of these is a hang. In the other direction, s_client doesn't do client authentication and send a client cert unless explicitly specified, which the OP didn't. If the server wants client-auth and client doesn't provide it or provides a cert (chain) which server doesn't trust, that will give a handshake error, not a hang. > -Mensagem original- > De: owner-openssl-us...@openssl.org > [mailto:owner-openssl-us...@openssl.org] Em nome de Supratik Goswami > Enviada em: terça-feira, 11 de setembro de 2012 10:15 > Para: openssl-users@openssl.org > Assunto: Re: HTTPS connection hangs during SSL handshake > > Is there no one in the community who can help me to find the cause of > the problem ? > > On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami > wrote: > > I am using OpenSSL version : openssl-1.0.0j in our production. > > > > I am facing a strange problem where the SSL connection simply hangs > > during initial handshake when requested from our office IP address. > > When I run the same command from another IP address it works fine. > > > > From office IP (Unsuccessful connection): > > > > [root@gateway ]# openssl s_client -connect test.mydomain.com:443 > > CONNECTED(0003) > > Use s_client with at least -state and preferably -debug or -msg (you don't need both) to see how far it's getting in the handshake. If you receive some handshake messages but not all, it practically must be the server; talk to the server operator(s). It would be unusual, but not impossible, for the server to mishandle connections from one IP while it works for another. If you receive no message at all, it might be server (try them) or it might be network weirdness as (Mr?) de Almeida suggests; try a sniffer on your client machine or near it (same LAN), and if that looks okay also try one on or near the server (you may need server operator(s) to do that). For Windows or Mac, I recommend www.wireshark.org . Very capable, easy to install and use, well maintained. I don't know an equally good solution for Linux, but there may be one, or at minimum you can capture with tcpdump and if it's anything more complicated than no-response you can copy the capture and decode with wireshark. One possibility -- some servers want to lookup in DNS the address of the client who connects
RE: Enabling Logging in OpenSSL
>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar >Sent: Tuesday, 11 September, 2012 02:10 >On Tue, Sep 11, 2012 at 8:08 AM, Dave Thompson wrote: > I didn't notice before, but 1433 on Windows is usually SQLServer. > If so, SQLServer doesn't start in SSL; it starts in a SQLServer protocol > (TDS) and optionally switches to SSL. If you connect to 1433 and just start > an SSL handshake, SQLServer will consider this a violation of TDS protocol. >And in fact on my elderly SQLServer2005 Express, connecting to 1433 > and starting -ssl3 handshake does exactly as you report, with an event logged: > source=MSSQLSERVER eventid=17836 > Length specified in network packet payload did not match number of bytes read; > the connection has been closed. Please contact the vendor of the client library. > [CLIENT: 127.0.0.1] > whereas a (default) ssl2 clienthello hangs (at least 1minute). > In this case, you must implement the TDS protocol, or at least the part > of it that starts SSL. > jtds.sourceforge.net is a Java port of freetds that I do use okay, > and Java's SSL implementation (JSSE) has the feature that (fairly > verbose) logging can be turned on by a sysprop >Mithun>>I am trying to connect to SQLServer which by default starts in TDS. >you said " And in fact on my elderly SQLServer2005 Express, connecting to 1433 >and starting -ssl3 handshake does exactly as you report, with an event logged: >source=MSSQLSERVER eventid=17836" >Did you get the events logged in SQLServer Log's? Can you please elaborate >so that i can confirm what i am seeing? I found it in the Windows application eventlog because that's quicker for me to use, but it is also in the SQLServer ERRORLOG. There was exactly one event for the one ssl3 handshake attempt. >JSSE tracing indeed gives in detail log on the handshake , Unfortunately >i am not sure how to enable the same on SQLServer !!! I don't know about any SSL or other connection logging in SQLServer. But do you need to? If there is no network problem in between, the messages sent and received by the client, here jtds, are the same as the messages received and sent by the server. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: openssl on a home LAN
Charlie, Frankly, you condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/. Moreover, I don't believe I need your permission to "hang out here". You need to read the link I provided you all the way to the end, it says that this group is for 1. Developers 2. OpenSSL usage 3. Installation problems Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J John From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 3:22 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Right. Are you an application developer? In other words, do you write computer programs? Does the following mean anything to you? int main(int argc, char *argv[]) { printf("hello world\n"); return 0; } Or alternatively, are you a Web site operator? Do you host a Web site that others access? If the answer to both of these questions is No, then you are welcome to hang out here but the answer to your original question, "whether there is any point in using openssl" is No. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:07 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL "under the covers," but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RE: Parsing X509 certificate subjectAltName
Thanks! Charles -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Tuesday, September 11, 2012 3:46 PM To: openssl-users@openssl.org Subject: Re: Parsing X509 certificate subjectAltName On Tue, Sep 11, 2012, Charles Mills wrote: > > { > > case GEN_DNS: > > case GEN_URI: > > case GEN_IPADD: > > > ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5); > > b = > isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName); > > Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING representing the IP address in a format described by RFC3280 et al. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Parsing X509 certificate subjectAltName
On Tue, Sep 11, 2012, Charles Mills wrote: > > { > > case GEN_DNS: > > case GEN_URI: > > case GEN_IPADD: > > > ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5); > > b = > isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName); > > Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING representing the IP address in a format described by RFC3280 et al. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Why is the OpenSSL documentation incomplete?
On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote: > I have seen a lot of applications that utilize the OpenSSL library, > however I see that the majority of the documentation is incomplete. > > > In particular, I need some documentation for the EC package in the > 'crypto' sub-folder, I mean, it's not possible for application > developers to generate Elliptic Curve keys without first understanding > how to use it,in what order and how to initialize it. > > > Any help on this? Please see this patch which I submitted some while ago, but unfortunately is still showing as "new" :-( http://rt.openssl.org/Ticket/Display.html?id=2799 This is my attempt at adding documentation for the EC library. Matt PS Apologies if you have received this twice. Problem between chair and keyboard on first sending attempt! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: openssl on a home LAN
You don't "use OpenSSL" on a home LAN, you use applications or OS layers that might use OpenSSL in their implementation. In general OpenSSL is a toolkit that provides cryptography and SSL/TLS implementations. I think you have to be more specific about what you mean by phrases like "connect Windows with Linux". Do you mean file sharing? Remote desktop? Backup solutions? Remote command prompts? Each usage will use some sort of enabling technology that you would have to research to determine its security, and many of these solutions might just as well already be using OpenSSL. Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:36 PM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Why is the OpenSSL documentation incomplete?
I have seen a lot of applications that utilize the OpenSSL library, however I see that the majority of the documentation is incomplete. In particular, I need some documentation for the EC package in the 'crypto' sub-folder, I mean, it's not possible for application developers to generate Elliptic Curve keys without first understanding how to use it,in what order and how to initialize it. Any help on this?
RE: Parsing X509 certificate subjectAltName
bool Comm::isAltNameMatch(X509 *certificate, const char *nodeName) { // there is alternative code on page 136 of O'Reilly OpenSSL unsigned char *pBuffer = NULL; int length = 0; GENERAL_NAMES *subjectAltNames; bool b; subjectAltNames = (GENERAL_NAMES*) X509_get_ext_d2i(certificate, NID_subject_alt_name, NULL, NULL); if ( subjectAltNames ) { int numberOfAlts; int i; // get number of names. Supposed to be at least one, but don't count on it numberOfAlts = sk_GENERAL_NAME_num (subjectAltNames); // loop through all of the alternate names for ( i = 0; i < numberOfAlts; i++) { // get a handle to alternative name i const GENERAL_NAME *pName = sk_GENERAL_NAME_value (subjectAltNames, i); // what did we get? switch (pName->type) { case GEN_DNS: case GEN_URI: case GEN_IPADD: ASN1_STRING_to_UTF8(&pBuffer, pName->d.ia5); b = isWildcardedCNcompare(reinterpret_cast(pBuffer), nodeName); OPENSSL_free(pBuffer); if ( b ) return true; break; case GEN_OTHERNAME: case GEN_EMAIL: case GEN_X400: case GEN_DIRNAME: case GEN_EDIPARTY: case GEN_RID: default: break; } } } // fall through or no alt names return false; } Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kenneth Goldman Sent: Tuesday, September 11, 2012 2:14 PM To: openssl-users@openssl.org Subject: Parsing X509 certificate subjectAltName I'm 90% deep into parsing an X509 certificate, but I can't find sample code for the last piece. I found the extension, and located the ASN1_OBJECT with nid 85, OID 2.5.29.17, the subjectAltName. From the dumpasn output, I see that this is an octet string of a sequence, etc. I have to pull out the three OIDs '2.23.133.2. [1, 2, and 3]' which are presumably in the ASN1_OBJECT. Can anyone point me to sample code or a hint? ~~ 515 3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) : . . . . . . (X.509 extension) <01 01 FF> 520 1: . . . . . BOOLEAN TRUE <04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A> 523 74: . . . . . OCTET STRING, encapsulates { <30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37> 525 72: . . . . . . SEQUENCE { 527 70: . . . . . . . [4] { <30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33> 529 68: . . . . . . . . SEQUENCE { <31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 531 66: . . . . . . . . . SET { <30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 533 20: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 01> 535 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' <13 0B 69 64 3A 35 37 34 35 34 33 30 30> 542 11: . . . . . . . . . . . PrintableString 'id:57454300' : . . . . . . . . . . . } <30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35> 555 24: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 02> 557 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' <13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78> 564 15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' : . . . . . . . . . . . } <30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31> 581 16: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 03> 583 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' <13 07 69 64 3A 30 33 39 31> 590 7: . . . . . . . . . . . PrintableString 'id:0391' : . . . . . . .
Parsing X509 certificate subjectAltName
I'm 90% deep into parsing an X509 certificate, but I can't find sample code for the last piece. I found the extension, and located the ASN1_OBJECT with nid 85, OID 2.5.29.17, the subjectAltName. From the dumpasn output, I see that this is an octet string of a sequence, etc. I have to pull out the three OIDs '2.23.133.2. [1, 2, and 3]' which are presumably in the ASN1_OBJECT. Can anyone point me to sample code or a hint? ~~ 515 3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) : . . . . . . (X.509 extension) <01 01 FF> 520 1: . . . . . BOOLEAN TRUE <04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A> 523 74: . . . . . OCTET STRING, encapsulates { <30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37> 525 72: . . . . . . SEQUENCE { 527 70: . . . . . . . [4] { <30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33> 529 68: . . . . . . . . SEQUENCE { <31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 531 66: . . . . . . . . . SET { <30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30> 533 20: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 01> 535 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' <13 0B 69 64 3A 35 37 34 35 34 33 30 30> 542 11: . . . . . . . . . . . PrintableString 'id:57454300' : . . . . . . . . . . . } <30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35> 555 24: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 02> 557 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' <13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78> 564 15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' : . . . . . . . . . . . } <30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31> 581 16: . . . . . . . . . . SEQUENCE { <06 05 67 81 05 02 03> 583 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' <13 07 69 64 3A 30 33 39 31> 590 7: . . . . . . . . . . . PrintableString 'id:0391' : . . . . . . . . . . . } : . . . . . . . . . . } : . . . . . . . . . } : . . . . . . . . } : . . . . . . . } : . . . . . . } : . . . . . } -- Ken Goldman kgold...@us.ibm.com 914-945-2415 (862-2415)
RE: openssl on a home LAN
Right. Are you an application developer? In other words, do you write computer programs? Does the following mean anything to you? int main(int argc, char *argv[]) { printf("hello world\n"); return 0; } Or alternatively, are you a Web site operator? Do you host a Web site that others access? If the answer to both of these questions is No, then you are welcome to hang out here but the answer to your original question, "whether there is any point in using openssl" is No. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:07 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL "under the covers," but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RE: openssl on a home LAN
Hi, Ted. What you said makes good sense and answers my question completely. I appreciate your help. Thank you. John From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ted Byers Sent: Tuesday, September 11, 2012 1:35 PM To: openssl-users@openssl.org Subject: Re: openssl on a home LAN On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace wrote: I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks. openssl, almost certainly not. That is, unless you're planning on doing some web development and/or hosting a website on your home LAN. In that case, you'd use openssl to make the certificates and keys necessary to support HTTPS on your web server or application server, as well as to create the CSR when it comes time to buy your domain name and then a more useful certificate signed by one fo the commercial CAs. But, if you use wireless connections between your computers and your router/modem (whatever your ISP provided), then it is sufficient to secure that connection, which is itself just a matter of properly configuring your router and computers. Your router probably came with instructions that tell you how to secure wireless connections between your computers and the router; possibly for Windows only, and possibly for Windows, and Linux, depending on the quality of your ISP. If all your computers can browse the web using your modem, it is possible to get them to connect to each other also; but that falls into the realm of knowing how to use your computers; especially how to configure them to work together. For information about that, Google is your friend, and apart from that, your best line of support will be the support provided by whoever distributes your OS (usually mail lists supported by whichever Linux distribution you're using, and their FAQs). Unless you're a web application programmer, you really don't need anything other than the services of the operating systems you're using. Cheers Ted
RE: openssl on a home LAN
Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL "under the covers," but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: openssl on a home LAN
On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace wrote: > ** > > I am trying to figure out whether there is any point in using openssl on > a home LAN between two computers. Would that improve on security in any > way? Would I be limited in the types of OS connections? I mean, could > Iconnect Windows with Linux? Also, if > I want to make such a connection between two OS running in virtual > machines, could that be done too? Thanks. > > openssl, almost certainly not. That is, unless you're planning on doing some web development and/or hosting a website on your home LAN. In that case, you'd use openssl to make the certificates and keys necessary to support HTTPS on your web server or application server, as well as to create the CSR when it comes time to buy your domain name and then a more useful certificate signed by one fo the commercial CAs. But, if you use wireless connections between your computers and your router/modem (whatever your ISP provided), then it is sufficient to secure that connection, which is itself just a matter of properly configuring your router and computers. Your router probably came with instructions that tell you how to secure wireless connections between your computers and the router; possibly for Windows only, and possibly for Windows, and Linux, depending on the quality of your ISP. If all your computers can browse the web using your modem, it is possible to get them to connect to each other also; but that falls into the realm of knowing how to use your computers; especially how to configure them to work together. For information about that, Google is your friend, and apart from that, your best line of support will be the support provided by whoever distributes your OS (usually mail lists supported by whichever Linux distribution you're using, and their FAQs). Unless you're a web application programmer, you really don't need anything other than the services of the operating systems you're using. Cheers Ted
RE: openssl on a home LAN
Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL "under the covers," but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: openssl on a home LAN
unless somebody is gonna tap your LAN connection, I don't see a point in using SSL. Generally its useful only when you want to send secure application data over the internet. Intranets are safe esp ur 2 home computers :). thanks --Gayathri On Tue, Sep 11, 2012 at 11:36 AM, John A. Wallace wrote: > ** > > I am trying to figure out whether there is any point in using openssl on > a home LAN between two computers. Would that improve on security in any > way? Would I be limited in the types of OS connections? I mean, could > Iconnect Windows with Linux? Also, if > I want to make such a connection between two OS running in virtual > machines, could that be done too? Thanks. > >
openssl on a home LAN
I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RES: HTTPS connection hangs during SSL handshake
For any SSL connection, you have to assure that: 1- The cpu's can reach each other (the hostname "test.mydomain.com" must be also resolved). You may use ping, HTTP, FTP to check it out; 2- Certificates or CA chain from each endpoint must be inserted in the opposite side as trust cert; 3- The both sides must have at least one cipher in common; 4- No NAT or Firewall is filtering the messages. I have never made a connection by openssl command line, so, I can't tell you how to check it out . I advice you to use some sniffer in at least one side, then you can reach the error, eg. where handshake is failuring, get the error code, etc... Using this you might be able to solve your problemm. As I saw your logs, perhaps one side doesn't trust in the opposite cert received. That may happen for many reasons. I've already got some cases that the hostname (in your case "test.mydomain.com") must match with certificate common name (CN). I hope it helps. Leonardo -Mensagem original- De: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Em nome de Supratik Goswami Enviada em: terça-feira, 11 de setembro de 2012 10:15 Para: openssl-users@openssl.org Assunto: Re: HTTPS connection hangs during SSL handshake Is there no one in the community who can help me to find the cause of the problem ? On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami wrote: > I am using OpenSSL version : openssl-1.0.0j in our production. > > I am facing a strange problem where the SSL connection simply hangs > during initial handshake when requested from our office IP address. > When I run the same command from another IP address it works fine. > > From office IP (Unsuccessful connection): > > [root@gateway ]# openssl s_client -connect test.mydomain.com:443 > CONNECTED(0003) > > > From a different IP (Successful connection): > > ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect > test.mydomain.com:443 > CONNECTED(0003) > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert > Class 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > verify error:num=19:self signed certificate in certificate chain > verify return:0 > --- > Certificate chain > 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com >i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 > 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 >i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 > Certification Authority > 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 > Certification Authority >i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com >i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > --- > Server certificate > -BEGIN CERTIFICATE- > > REMOVED FOR SECURITY REASON > > -END CERTIFICATE- > subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com > issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 > --- > No client certificate CA names sent > --- > SSL handshake has read 4827 bytes and written 435 bytes > --- > New, TLSv1/SSLv3, Cipher is RC4-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher: RC4-SHA > Session-ID: > 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533 > Session-ID-ctx: > Master-Key: > 22B470A67XXXB50ED6237BE9 > Key-Arg : None > Start Time: 1346765613 > Timeout : 300 (sec) > Verify return code: 19 (self signed certificate in certificate chain > > > > Any ideas ? > > > -- > Warm Regards > > Supratik -- Warm Regards Supratik __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automa
Re: FIPS linking a shared object
Found my own answer on an earlier thread. You need the option "-Wl,-Bsymbolic" to link a shared libary (that has static linked ssl-fips) correctly On Mon, Sep 10, 2012 at 5:43 PM, Jason Todd wrote: > So I can build a fips compliant executable and turn fips on/off (this is > on linux). > > But when I try to statically link the fips enabled openssl into a shared > object, the signature that it generates at runtime gets hosed. > > For example, here is my library: > > > > #include "FIPSTest.h" > #include > #include > #include > #include > #include > #include > > > > extern const void *FIPS_text_start(), *FIPS_text_end(); > extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; > extern unsigned char FIPS_signature[20]; > extern unsigned intFIPS_incore_fingerprint(unsigned char > *,unsigned int); > > > > void doFipsTest() { > unsigned char sig[EVP_MAX_MD_SIZE]; > unsigned int len,len2; > unsigned int i; > > > len=FIPS_incore_fingerprint(sig,sizeof(sig)); > > printf("FIPS_witness::%d\n",len); > printf("current FIPS_MODE: %ld\n",FIPS_mode()); > > printf(".text:%p+%d=%p\n",FIPS_text_start(), > (int)((size_t)FIPS_text_end()-(size_t)FIPS_text_start()), > FIPS_text_end()); > printf(".rodata:%p+%d=%p\n",FIPS_rodata_start, > (int)((size_t)FIPS_rodata_end-(size_t)FIPS_rodata_start), > FIPS_rodata_end); > > > printf("sig:"); > for (i=0;i printf("%02x",sig[i]); > } > printf("\n"); >printf("fips_sig:"); > for (i=0;i<(unsigned int)strlen((char *)FIPS_signature);i++) { > printf("%02x",FIPS_signature[i]); > } > printf("\n"); > > > > > long ret = FIPS_mode_set(1); > if(ret) { > printf("FIPS_MODE_set: passed : %ld\n",FIPS_mode()); > } else { > printf("FIPS_MODE_set: failed: %ld\n",FIPS_mode()); > ERR_load_crypto_strings(); > ERR_print_errors_fp(stderr); > exit(1); > } > > > fprintf(stderr,"current FIPS_MODE: %ld\n",FIPS_mode()); > > } > > > That compiles into a shared library: > FIPSLIBDIR=/usr/local/ssl/fips-2.0/lib FIPSLD_CC=gcc fipsld -o > libblahtest.so FIPSTest.c -fPIC -shared -I../target/include/ > -L../target/lib -lcrypto -ldl > > And then link that to just a shell main that calls the test: > > gcc -o libTest main.c -lblahtest -L. > > > But the signatures don't match during runtime: > > 3086362252:error:2D06B06F:FIPS > routines:FIPS_check_incore_fingerprint:fingerprint does not > match:fips.c:229: > FIPS_witness::20 > current FIPS_MODE: 0 > .text:0x461c84+323712=0x4b0d04 > .rodata:0x551d60+54144=0x55f0e0 > sig:75f0a9bf86f62839419e238afcee6e3e11f6de20 > fips_sig:063541af4498ccf10d68cdd24d285c2cc4019207 > FIPS_MODE_set: failed: 0 > > > However if i collapse that into just one executable, it will work. > > > Any ideas? > > > > > > > > > >
Re: HTTPS connection hangs during SSL handshake
Is there no one in the community who can help me to find the cause of the problem ? On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami wrote: > I am using OpenSSL version : openssl-1.0.0j in our production. > > I am facing a strange problem where the SSL connection simply hangs > during initial handshake when requested from our office IP address. > When I run the same command from another IP address it works fine. > > From office IP (Unsuccessful connection): > > [root@gateway ]# openssl s_client -connect test.mydomain.com:443 > CONNECTED(0003) > > > From a different IP (Successful connection): > > ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect > test.mydomain.com:443 > CONNECTED(0003) > depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert > Class 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > verify error:num=19:self signed certificate in certificate chain > verify return:0 > --- > Certificate chain > 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com >i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 > 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 >i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 > Certification Authority > 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 > Certification Authority >i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com >i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class > 2 Policy Validation > Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com > --- > Server certificate > -BEGIN CERTIFICATE- > > REMOVED FOR SECURITY REASON > > -END CERTIFICATE- > subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com > issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, > Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure > Certification Authority/serialNumber=07969287 > --- > No client certificate CA names sent > --- > SSL handshake has read 4827 bytes and written 435 bytes > --- > New, TLSv1/SSLv3, Cipher is RC4-SHA > Server public key is 2048 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1 > Cipher: RC4-SHA > Session-ID: > 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533 > Session-ID-ctx: > Master-Key: > 22B470A67XXXB50ED6237BE9 > Key-Arg : None > Start Time: 1346765613 > Timeout : 300 (sec) > Verify return code: 19 (self signed certificate in certificate chain > > > > Any ideas ? > > > -- > Warm Regards > > Supratik -- Warm Regards Supratik __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org