RE: Issue with 1.0.1
> From: owner-openssl-us...@openssl.org On Behalf Of Baker, Darryl > Sent: Friday, 07 December, 2012 11:30 > > Dave Thompson said: > > > > The problem is not in accepting the cert, the problem is > you received no response (serverhello) at all, much less a cert. > > When I try with vanilla 1.0.1c it works, but only TLSv1.0. > > > > There have been reports of some server software failing > because the clienthello for 1.2 is longer than in earlier versions > I have not yet tried looking at the packets yet but the > options for openssl you suggested both -no_tls1_2 and -tls1 > return the similar results as before though -tls1 does > generate a slightly different error. > > -no_tls1_2: 3077863048:error:140790E5:SSL > routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: > -tls1:3078067848:error:1409E0E5:SSL > routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592: > Neither: 3078428296:error:140790E5:SSL > routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: > And "handshake has read 0 bytes and written bytes" in all cases? If so, then it doesn't look like the ClientHello-too-long issue. I don't recall if you said, but some browser(s?) and 1.0.0 work okay *from the same client machine* where 1.0. fails? If not, it might be something about your machine the server doesn't like (probably not too likely) -- or something else in the network doesn't like (more and more common nowadays). __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: openssl rsa command
Thanks to Mr. Hohnstaedt and Dr. Henson for answering my questions. It was very useful. Alex On 12/6/2012 4:38 AM, Dr. Stephen Henson wrote: On Thu, Dec 06, 2012, Christian Hohnstaedt wrote: On Wed, Dec 05, 2012 at 10:38:59AM -0800, Alex Chen wrote: I am trying to change the password of a private key with 'openssl rsa' command. The original key file, server.key.enc has the following format: -BEGIN ENCRYPTED PRIVATE KEY- -END ENCRYPTED PRIVATE KEY- This is a private key in PKCS#8 format. When I used the command "openssl rsa -in server.key.enc -passin pass:old_password -out server.key", a new decrypted key file is generated with the following format: -BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY- But when I use the command "openssl rsa -in server.key.enc -passin pass:old_password -out server.key -passout pass:new_password", hoping the new key file will be encrypted with the new password, I still get the same decrypted key file below -BEGIN RSA PRIVATE KEY- ... -END RSA PRIVATE KEY- You must use one of the -des, -aes128, -aes192, -aes256 options to get an encrypted RSA key. It then looks like: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,B9A804CC6B6B2B3B fpz9643saAI47PWga4Or3xcBY372owuck/9jGO19rBbrfW6NSyUvJevHRWvcHNGM . -END RSA PRIVATE KEY- However, this format is an OpenSSL specific extension. To get the key in the same format (PKCS#8) as before, just with a changed password, use: openssl pkcs8 -topk8 -in server.key.enc -passin pass:old_password \ -out server.key -passout pass:new_password" In OpenSSL 1.0.0 and later it's rather easier. You can for example: openssl pkey -in old.pem -out new.pem -aes256 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
How to free RSA correctly
Hi! I'm using openssl in a project for cryptographic purposes. Everything works fine except of some memory leaks... I tried to reconstruct those in a smaller example. Look at this: == #include #include int main(void) { OpenSSL_add_all_algorithms(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); FILE *fp; fp = fopen("foo.pub","r"); if(fp==NULL) { printf("couldnt open...\n"); goto out; } RSA *rsa; rsa = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); if(rsa == NULL) { printf("Pem read failed...\n"); goto out; } RSA_free(rsa); fclose(fp); printf("All ok\n"); out: EVP_cleanup(); return 0; } == Compiled with gcc -o test test.c -lssl -lcrypto This is a snippet of valgrind's output: ==6722== HEAP SUMMARY: ==6722== in use at exit: 528 bytes in 10 blocks ==6722== total heap usage: 863 allocs, 853 frees, 27,551 bytes allocated foo.pub was generated with: openssl genrsa -out foo.pem 512 openssl rsa -pubout -in foo.pem -out foo.pub When I comment out from RSA *rsa to RSA_free then valgrind says that everything was freed correctly: ==6808== HEAP SUMMARY: ==6808== in use at exit: 0 bytes in 0 blocks ==6808== total heap usage: 833 allocs, 833 frees, 24,536 bytes allocated When I add the line CRYPTO_cleanup_all_ex_data() everything works fine, too. But according to http://www.openssl.org/support/faq.html#PROG13 this is a thread-unsafe and "Brutal" method. Are there any better methods for freeing? Tanks in advance! Ralf __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Help Needed
Hi OpenSSL Folks, Good Morning. I was seeing following error message in the apache log file /usr/local/apache/logs/error_log,When I try to start the httpd daemon. [Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed [Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match Could you please advice me,How I can start apache server and also me advice me,If I done any mistakes. Please find the openssl,openssh and httpd information below. Thanks, Srinivas Here is the server information; root@hqd-unixtst-s2 #> uname -a SunOS hqd-unixtst-s2 5.10 Generic_147441-24 i86pc i386 i86pc root@hqd-unixtst-s2 #> Here is the openssl information; root@hqd-unixtst-s2 #> /usr/local/ssl/bin/openssl OpenSSL> version OpenSSL 1.0.1c-fips 10 May 2012 OpenSSL> Here is the openssh information; root@hqd-unixtst-s2 #> sshd -v sshd: illegal option -- v OpenSSH_6.1p1, OpenSSL 1.0.1c-fips 10 May 2012 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len] root@hqd-unixtst-s2 #> Here is the apache httpd version information; root@hqd-unixtst-s2 #> ./httpd -v Server version: Apache/2.2.23 (Unix) Server built: Dec 7 2012 15:38:35 root@hqd-unixtst-s2 #> Here is the httpd build configure options; #! /bin/sh # # Created by configure "./configure" \ "--prefix=/usr/local/apache" \ "--enable-mime-magic" \ "--enable-info" \ "--enable-imagemap" \ "--enable-speling" \ "--enable-rewrite" \ "--enable-authz-host" \ "--enable-authn-anon" \ "--enable-authn-dbm" \ "--enable-auth-digest" \ "--enable-cern-meta" \ "--enable-expires" \ "--enable-headers" \ "--enable-unique_id" \ "--enable-so" \ "--enable-ssl" \ "--with-ssl=/usr/local/ssl" \ "--with-included-apr" \ "$@" - I added SSLFips On option in the httpd-ssl.conf file and right now,I do not have key files,So,I commented the following lines in the httpd-ssl.conf file; #SSLCertificateFile "/usr/local/apache/conf/server.crt" #SSLCertificateKeyFile "/usr/local/apache/conf/server.key" Srinivasa Rao Katta (Contractor) Unix Administrator URS Federal Services, Inc Desk (202)-326-3170 Cell (571)-276-1846 SCSA,SCNA,RHCT (Sun Certified System and Network Administrator) (Redhat Certified Technician) ---
FIPS and Symbol Renaming (OpenSSL FIPS Object Module v2.0)
Hi All, On page 133 of the User Guide 2.0 for the OpenSSL FIPS Object Module v2.0, the document (book?) talks about symbol renaming. The discussion occurs in "Appendix I, API Entry Points by Source File," and the text is below. Why does symbol renaming occur? Jeff Symbol renaming: Some symbol names as defined in the source code are dynamically redefined at build time. This API documentation shows both the original (source code) and build time (object code) symbol names, for instance: FIPS_bn_bn2bin (renames BN_bn2bin) in file ./crypto/bn/bn_lib.[o|c] which indicates that the FIPS_bn_bn2bin() function as seen in the compiled code (./crypto/bn/bn_lib.o) is found in the source code as function BN_bn2bin() in source file ./crypto/bn/bn_lib.c. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org