RE: Issue with 1.0.1

2012-12-09 Thread Dave Thompson 
> From: owner-openssl-us...@openssl.org On Behalf Of Baker, Darryl
> Sent: Friday, 07 December, 2012 11:30

> > Dave Thompson said:
> > 
> > The problem is not in accepting the cert, the problem is 
> you received no response (serverhello) at all, much less a cert.
> > When I try with vanilla 1.0.1c it works, but only TLSv1.0.
> >
> > There have been reports of some server software failing 
> because the clienthello for 1.2 is longer than in earlier versions 

> I have not yet tried looking at the packets yet but the 
> options for openssl you suggested both -no_tls1_2 and -tls1 
> return the similar results as before though -tls1 does 
> generate a slightly different error. 
> 
> -no_tls1_2:   3077863048:error:140790E5:SSL 
> routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> -tls1:3078067848:error:1409E0E5:SSL 
> routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
> Neither:  3078428296:error:140790E5:SSL 
> routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> 
And "handshake has read 0 bytes and written  bytes" in all cases?
If so, then it doesn't look like the ClientHello-too-long issue.

I don't recall if you said, but some browser(s?) and 1.0.0 
work okay *from the same client machine* where 1.0. fails? 
If not, it might be something about your machine the server 
doesn't like (probably not too likely) -- or something else 
in the network doesn't like (more and more common nowadays).


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: openssl rsa command

2012-12-09 Thread Alex Chen 
Thanks to Mr. Hohnstaedt and Dr. Henson for answering my questions.  It 
was very useful.


Alex
On 12/6/2012 4:38 AM, Dr. Stephen Henson wrote:

On Thu, Dec 06, 2012, Christian Hohnstaedt wrote:


On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote:

I am trying to change the password of a private key with 'openssl rsa'
command.  The original key file, server.key.enc has the following format:
-BEGIN ENCRYPTED PRIVATE KEY-

-END ENCRYPTED PRIVATE KEY-

This is a private key in PKCS#8 format.


When I used the command "openssl rsa -in server.key.enc -passin
pass:old_password -out server.key", a new decrypted key file is
generated with the following format:
-BEGIN RSA PRIVATE KEY-
...
-END RSA PRIVATE KEY-

But when I use the command "openssl rsa -in server.key.enc -passin
pass:old_password -out server.key -passout pass:new_password", hoping
the new key file will be encrypted with the new password, I still get
the same decrypted key file below
-BEGIN RSA PRIVATE KEY-
...
-END RSA PRIVATE KEY-

You must use one of the -des, -aes128, -aes192, -aes256 options
to get an encrypted RSA key. It then looks like:

-BEGIN RSA PRIVATE KEY-
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,B9A804CC6B6B2B3B

fpz9643saAI47PWga4Or3xcBY372owuck/9jGO19rBbrfW6NSyUvJevHRWvcHNGM
.
-END RSA PRIVATE KEY-

However, this format is an OpenSSL specific extension.
To get the key in the same format (PKCS#8) as before,
just with a changed password, use:

openssl pkcs8 -topk8 -in server.key.enc -passin pass:old_password \
   -out server.key -passout pass:new_password"


In OpenSSL 1.0.0 and later it's rather easier. You can for example:

openssl pkey -in old.pem -out new.pem -aes256

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

How to free RSA correctly

2012-12-09 Thread Ralf Ramsauer 
Hi!

I'm using openssl in a project for cryptographic purposes.
Everything works fine except of some memory leaks...
I tried to reconstruct those in a smaller example.
Look at this:
==
#include 
#include 

int main(void)
{
OpenSSL_add_all_algorithms();
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();

FILE *fp;
fp = fopen("foo.pub","r");
if(fp==NULL)
{
  printf("couldnt open...\n");
  goto out;
}

RSA *rsa;
rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
if(rsa == NULL)
{
printf("Pem read failed...\n");
goto out;
}

RSA_free(rsa);

fclose(fp);
printf("All ok\n");
out:
EVP_cleanup();
return 0;
}
==
Compiled with gcc -o test test.c -lssl -lcrypto

This is a snippet of valgrind's output:
==6722== HEAP SUMMARY:
==6722== in use at exit: 528 bytes in 10 blocks
==6722==   total heap usage: 863 allocs, 853 frees, 27,551 bytes allocated

foo.pub was generated with:
openssl genrsa -out foo.pem 512
openssl rsa -pubout -in foo.pem -out foo.pub

When I comment out from RSA *rsa to RSA_free then valgrind says that
everything was freed correctly:
==6808== HEAP SUMMARY:
==6808== in use at exit: 0 bytes in 0 blocks
==6808==   total heap usage: 833 allocs, 833 frees, 24,536 bytes allocated

When I add the line CRYPTO_cleanup_all_ex_data() everything works fine, too.
But according to http://www.openssl.org/support/faq.html#PROG13 this is
a thread-unsafe and "Brutal" method.

Are there any better methods for freeing?

Tanks in advance!

Ralf
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Help Needed

2012-12-09 Thread Katta, Srinivasa CTR 
Hi OpenSSL Folks,


Good Morning.

I was seeing following  error message in the apache log file 
/usr/local/apache/logs/error_log,When I try to start the httpd daemon.

[Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed
[Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103 
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not 
match

Could you please advice me,How I can start apache server and also me advice 
me,If I done any mistakes.

Please find the openssl,openssh and httpd information below.

Thanks,

Srinivas




Here is the server information;

root@hqd-unixtst-s2 #> uname -a
SunOS hqd-unixtst-s2 5.10 Generic_147441-24 i86pc i386 i86pc
root@hqd-unixtst-s2 #>

Here is the openssl information;

root@hqd-unixtst-s2 #> /usr/local/ssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1c-fips 10 May 2012
OpenSSL>

Here is the openssh information;

root@hqd-unixtst-s2 #> sshd -v
sshd: illegal option -- v
OpenSSH_6.1p1, OpenSSL 1.0.1c-fips 10 May 2012
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-f config_file] [-g login_grace_time] [-h host_key_file]
[-k key_gen_time] [-o option] [-p port] [-u len]
root@hqd-unixtst-s2 #>

Here is the apache httpd version information;

root@hqd-unixtst-s2 #> ./httpd -v
Server version: Apache/2.2.23 (Unix)
Server built:   Dec  7 2012 15:38:35
root@hqd-unixtst-s2 #>

Here is the httpd build configure options;


#! /bin/sh
#
# Created by configure

"./configure" \
"--prefix=/usr/local/apache" \
"--enable-mime-magic" \
"--enable-info" \
"--enable-imagemap" \
"--enable-speling" \
"--enable-rewrite" \
"--enable-authz-host" \
"--enable-authn-anon" \
"--enable-authn-dbm" \
"--enable-auth-digest" \
"--enable-cern-meta" \
"--enable-expires" \
"--enable-headers" \
"--enable-unique_id" \
"--enable-so" \
"--enable-ssl" \
"--with-ssl=/usr/local/ssl" \
"--with-included-apr" \
"$@" 
-


I added SSLFips On  option in the httpd-ssl.conf file and right now,I do not 
have key files,So,I commented the following lines in the httpd-ssl.conf file;

#SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateKeyFile "/usr/local/apache/conf/server.key"


Srinivasa Rao Katta (Contractor)
Unix Administrator
URS Federal Services, Inc
Desk (202)-326-3170
Cell (571)-276-1846
SCSA,SCNA,RHCT
(Sun Certified System and Network Administrator)
(Redhat Certified Technician)
---

FIPS and Symbol Renaming (OpenSSL FIPS Object Module v2.0)

2012-12-09 Thread Jeffrey Walton 
Hi All,

On page 133 of the User Guide 2.0 for the OpenSSL FIPS Object Module
v2.0, the document (book?) talks about symbol renaming. The discussion
occurs in "Appendix I, API Entry Points by Source File," and the text
is below.

Why does symbol renaming occur?

Jeff

Symbol renaming: Some symbol names as defined in the source code are
dynamically redefined at build time. This API documentation shows both
the original (source code) and build time (object code) symbol names,
for instance:

 FIPS_bn_bn2bin (renames BN_bn2bin) in file
./crypto/bn/bn_lib.[o|c]

which indicates that the FIPS_bn_bn2bin() function as seen in the
compiled code (./crypto/bn/bn_lib.o) is found in the source code as
function BN_bn2bin() in source file ./crypto/bn/bn_lib.c.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org