Openssl default_ca values while using HSM - LunaCA3

2012-12-12 Thread simon charles
Sorry for the duplicate post; I was not signed up with the forum and might have 
missed a response to my question. Please resend your answers if you have 
already replied to my query.


All,
  What would the default_ca section look like while using the 
LunaCA3 HSM for storing the CA private key? OpenSSL looks for the certificate 
and private_key on disk; how do I make the openssl ca routine aware of 
private keys on the HSM (LunaCA3)?
Thanks. 




- Simon Charles - 
  

NIST Special Publication 800-56A Compliance

2012-12-12 Thread John Corbin
Is there a document that lists the appropriate 800-56a standards the
OpenSSL FIPS module conforms to and for each applicable section listed in
the 800-56a standard as conforming, is there a listing for all statements
that are not "shall" (that is, "shall not", "should", and "should not")? If
the included functionality is indicated as "shall not" or "should not" in
the 800-56a standard, then is there a document providing rationale for why
this will not adversely affect the security policy implemented by the
OpenSSL FIPS module. Is any omission of functionality related to "shall" or
"should" statements described?

I have looked at the document OpenSSL FIPS Object Module Version 2.0.2 and
looked at table 4a but did not find a detailed discussion on how it
satisfies the 800-56a standard.

Thanks,
John Corbin


RE: extensions in certifications

2012-12-12 Thread Jaquez Jr, Hector L.
Got it working. The issue was in creating the cert via the CA.

Thanks,

Hector L. Jaquez Jr.
Data Security Analyst II
HQ AAFES, Information Technology Governance
W 214-312-4449
BB 214-794-3641

From: owner-openssl-us...@openssl.org 
On Behalf Of Jaquez Jr, Hector L.
Sent: Wednesday, December 12, 2012 1:11 PM
To: openssl-users@openssl.org
Subject: RE: extensions in certifications

Hey Michael Mueller,
do you think I can work with you to get this resolved?  I am my own CA as well 
and have made all of the changes mentioned by the group members.

Thanks,

Hector L. Jaquez Jr.
Data Security Analyst II
HQ AAFES, Information Technology Governance
W 214-312-4449
BB 214-794-3641

From: owner-openssl-us...@openssl.org 
On Behalf Of Michael Mueller
Sent: Wednesday, December 12, 2012 7:40 AM
To: openssl-users@openssl.org
Subject: Re: extensions in certifications

On Tue, Dec 11, 2012 at 7:10 PM, Michael Mueller <abaci@gmail.com> wrote:
On Tue, Dec 11, 2012 at 6:10 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>From: owner-openssl-us...@openssl.org 
>On Behalf Of Michael Mueller
>Sent: Tuesday, 11 December, 2012 15:45

>Could I get a nudge. I'd like to get the SANs to show up in my certs.


If you are the CA, and you are using openssl 'ca' commandline,
configure copy_extensions as per the man page (and read the warning).
If you don't have man pages on your system e.g. Windows
http://www.openssl.org/docs/apps/ca.html


It worked:

[ ca ]
default_ca  = exampleca

[ exampleca ]
copy_extensions = copy  # copy extensions from request

[ certificate_extensions ]
basicConstraints= CA:false # per WARNING

Thanks again


Re: Set up the protocol

2012-12-12 Thread Alex Chen

Thanks for the reply Florian,

Can't I just call SSL_CTX_set_options on the current SSL context I am 
using before I initiate the connection?
Another question is how to enforce the 'server' side preference of the 
cipher suite selection?  Is it also part of the SSL_CTX_set_options() API?



On 12/11/2012 2:30 AM, Florian Weimer wrote:

On 12/11/2012 02:44 AM, Alex Chen wrote:

I want to set up SSL so it does not use SSL v2 or older, just like that
Apache has in its httpd-ssl.conf
SSLProtocol all -SSLv2
What is the equivalent API to do this?


After reviewing existing documentation and code, I came up with this:

  // Configure a client connection context.  Send a handshake for the
  // highest supported TLS version, and disable compression.
  const SSL_METHOD *const req_method = SSLv23_client_method();
  SSL_CTX *const ctx = SSL_CTX_new(req_method);
  if (ctx == NULL) {
    ERR_print_errors(bio_err);  // bio_err: a BIO opened on stderr elsewhere
    exit(1);
  }
  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);

(Error handling is only exploratory, of course.)

With version 1.0.0j, this sends a TLS 1.0 hello, and with 1.0.1c, a 
TLS 1.2 hello.




__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org
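Florian's snippet sets the protocol floor and disables compression through SSL_CTX_set_options, and Alex's follow-up asks whether server-side cipher preference lives in the same API. It does: the flag is SSL_OP_CIPHER_SERVER_PREFERENCE, ORed in exactly like SSL_OP_NO_COMPRESSION. As an added example that is not part of the thread, here is the same configuration expressed through Python's standard ssl module, whose SSLContext.options attribute is a thin wrapper over SSL_CTX_set_options and whose OP_* constants are the SSL_OP_* values. It assumes a Python build against OpenSSL 1.1.0g or later (so minimum_version exists and SSLv2 is gone from the library, which is why no SSL_OP_NO_SSLv2 bit is needed); the function names are my own.

```python
import ssl


def make_server_context(cert_chain=None, key=None):
    """Build a server-side context with a TLS version floor, compression off
    and server-ordered cipher suite selection.  cert_chain/key are optional
    only so this runs without any files on disk; a real server passes its
    certificate chain and private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

    # The modern replacement for clearing versions one SSL_OP_NO_* flag at a
    # time (the equivalent of Apache's "SSLProtocol all -SSLv2 -SSLv3 ..."):
    # state the lowest version the server will negotiate.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    # SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION | SSL_OP_CIPHER_SERVER_PREFERENCE)
    ctx.options |= ssl.OP_NO_COMPRESSION            # compression leaks plaintext length
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # server's cipher order wins over client's

    if cert_chain is not None:
        ctx.load_cert_chain(cert_chain, key)
    return ctx


def option_is_set(ctx, flag):
    """True if the given SSL_OP_* flag is present in the context's options."""
    return bool(ctx.options & flag)


def describe(ctx):
    """Summarise the hardening choices, e.g. for a start-up log line or a test."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "no_compression": option_is_set(ctx, ssl.OP_NO_COMPRESSION),
        "server_cipher_preference": option_is_set(ctx, ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    print(describe(make_server_context()))
```

The same two options apply unchanged on the C side: `SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION | SSL_OP_CIPHER_SERVER_PREFERENCE)` on the server's context is what makes the server's `SSL_CTX_set_cipher_list()` order authoritative during negotiation.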


RE: extensions in certifications

2012-12-12 Thread Jaquez Jr, Hector L.
Hey Michael Mueller,
do you think I can work with you to get this resolved?  I am my own CA as well 
and have made all of the changes mentioned by the group members.

Thanks,

Hector L. Jaquez Jr.
Data Security Analyst II
HQ AAFES, Information Technology Governance
W 214-312-4449
BB 214-794-3641

From: owner-openssl-us...@openssl.org 
On Behalf Of Michael Mueller
Sent: Wednesday, December 12, 2012 7:40 AM
To: openssl-users@openssl.org
Subject: Re: extensions in certifications

On Tue, Dec 11, 2012 at 7:10 PM, Michael Mueller <abaci@gmail.com> wrote:
On Tue, Dec 11, 2012 at 6:10 PM, Dave Thompson <dthomp...@prinpay.com> wrote:
>From: owner-openssl-us...@openssl.org 
>On Behalf Of Michael Mueller
>Sent: Tuesday, 11 December, 2012 15:45

>Could I get a nudge. I'd like to get the SANs to show up in my certs.


If you are the CA, and you are using openssl 'ca' commandline,
configure copy_extensions as per the man page (and read the warning).
If you don't have man pages on your system e.g. Windows
http://www.openssl.org/docs/apps/ca.html


It worked:

[ ca ]
default_ca  = exampleca

[ exampleca ]
copy_extensions = copy  # copy extensions from request

[ certificate_extensions ]
basicConstraints= CA:false # per WARNING

Thanks again


Re: genrsa question how secure is the random creation

2012-12-12 Thread dj
> On Tue, Dec 11, 2012 at 6:27 PM, redpath  wrote:
>> When using this command
>>
>> openssl genrsa -out test.pem  2048
>>
>> an RSA pair is created. Its not so much I want to know how a pair is
>> randomly selected
>> but how secure is that random selection.
> It depends. In theory, the way entropy is gathered and managed is enough.
>

Current versions of OpenSSL take advantage of RdRand when present in the
CPU. So on Intel gen3 and beyond (Ivy Bridge i5, i7 and every later chip)
OpenSSL will have and use a robust source of entropy on chip.



Re: genrsa question how secure is the random creation

2012-12-12 Thread Jeffrey Walton
On Wed, Dec 12, 2012 at 12:39 PM, Salz, Rich  wrote:
> Until someone breaks the website, spoofs it, buys out the owner, etc.
>
> Q2.4: Are the numbers available in a secure fashion?
>
> Yes, since April 2007 you can access the server via https://www.random.org/
>
> I should probably note that while fetching the numbers via secure HTTP would 
> protect them from being observed while in transit, anyone genuinely concerned 
> with security should not trust anyone else (including RANDOM.ORG) to generate 
> their cryptographic keys.
>
Yeah, we need a fingerpaint program for all those mobile devices
(seriously!). Upon first boot (or after reset), the user has to finger
paint something to get the RNG/PRNG some entropy.
(http://groups.google.com/group/android-security-discuss/browse_thread/thread/71c6ab0081c70e9c)

Also relevant: "When Good Randomness Goes Bad: Virtual Machine Reset
Vulnerabilities and Hedging Deployed Cryptography,"
www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf. Hedging extracts
entropy from the peer during key exchange and uses the extracted
entropy to improve the localhost's state.

Jeff


RE: genrsa question how secure is the random creation

2012-12-12 Thread Salz, Rich
Until someone breaks the website, spoofs it, buys out the owner, etc.

Q2.4: Are the numbers available in a secure fashion?

Yes, since April 2007 you can access the server via https://www.random.org/

I should probably note that while fetching the numbers via secure HTTP would 
protect them from being observed while in transit, anyone genuinely concerned 
with security should not trust anyone else (including RANDOM.ORG) to generate 
their cryptographic keys.


--  
Principal Security Engineer
Akamai Technology
Cambridge, MA


Re: genrsa question how secure is the random creation

2012-12-12 Thread Jeffrey Walton
On Tue, Dec 11, 2012 at 6:27 PM, redpath  wrote:
> When using this command
>
> openssl genrsa -out test.pem  2048
>
> an RSA pair is created. It's not so much that I want to know how a pair is
> randomly selected
> but how secure that random selection is.
It depends. In theory, the way entropy is gathered and managed is enough.

In practice, there are practical problems:
"Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network
Devices," https://factorable.net/paper.html

The authors then went on to break secure channels between traffic
reporting systems and cell phones:
"Traffic sensor flaw that could allow driver tracking fixed,"
http://www.csoonline.com/article/723229/traffic-sensor-flaw-that-could-allow-driver-tracking-fixed

> Random number generators are a series
> and this selection could be followed for brute force deciphering.
There are ways other than brute forcing. I would bet Nadia Heninger,
Zakir Durumeric, Eric Wustrow, and Alex Halderman did not brute force
their break of the traffic system.

Linux 3.x kernels have entropy starvation issues due to decisions to
stop using IRQ interrupts (removal of the IRQF_SAMPLE_RANDOM flag,
without an alternative to gather entropy). The 2.x kernels start weak,
but improve over time.

Bottom line: use an Entropy Key (http://www.entropykey.co.uk/), HSM or
other hardware to get your RNG/PRNG in good working order quickly. You
can go to random.org and it will likely be an improvement.

Jeff


Re: openssl AES decrypt problem

2012-12-12 Thread engineereeyore
The problem is that aes_cbc is a block cipher and works on 16-byte blocks,
typically.  By default, any data block that is less than this size is
padded, as is the case for you.  Since you're only sending in 10 bytes, your
10 bytes are being padded with zeros to make the block 16 bytes.

So, to answer your question, you can do one of two things.  First, you can
set the length parameter on the decrypt operation to be 16 which will
provide you with a result that is your original 10 bytes plus 6 bytes of
zeros, which you can then remove.  The better approach would be to specify
"no padding" in your structure.  This can be done using the function
EVP_CIPHER_CTX_set_padding.  Set the padding parameter to zero and your
output should always be the same length as your inputs.

Hope that helps.





Re: blowfish-cbc: what to save?

2012-12-12 Thread Markus Wernig
Hi all

Thanks for the swift replies.

On 12/11/2012 11:51 AM, Jakob Bohm wrote:

>>
>> - With a given key being reused for all encrypted files, the IV from my
>> understanding is central to the strength of the encryption. So a unique
>> random IV needs to be used for each file. Does this mean that for every
>> file I have to record the IV in order to decrypt it later? Or is my
>> understanding wrong?
>>
> Yes, you need to know the IV to decrypt correctly, and it should not be
> predictable by anyone without the key, but it does not need to be secret.

Is that also true after encryption? So I can just store the IV in plain
together with the encrypted file and it will not lessen the encryption's
strength? My gut feeling (very uneducated ;-) tells me that this could
allow an attack on the crypttext to somebody with access to the files.

thx again
Markus




RE: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Salz, Rich
> neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null, let this line  
> "disappear"

Redirections happen left-to-right.  So do this:
>/dev/null 2>&1
Or the simpler
   2>/dev/null

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA


Re: OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Dr. Stephen Henson
On Wed, Dec 12, 2012, Walter H. wrote:

> Hello,
> 
> when using
> 
> openssl ocsp ...
> 
> in a CGI script, you must use -noverify,
> because without it this creates the line
> 
> Response verify OK
> 
> and neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line
> "disappear",
> 
> so this produces either a 500 page or an invalid OCSP response is
> sent, which results in Firefox in either:
> 
> The OCSP server returned unexpected/invalid HTTP data.
> (Error code: sec_error_ocsp_bad_http_response)
> 
> or in:
> 
> The response from the OCSP server was corrupted or improperly formed.
> (Error code: sec_error_ocsp_malformed_response)
> 
> Wireshark was a good help to find out;
> 

My guess from that is you're using it as a responder: there isn't much
point in having it verify its own responses: what command line options are you
using?

Also that message is sent to stderr so you should be able to redirect it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
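Rich's point that redirections are applied left to right and Steve's note that "Response verify OK" goes to stderr are the same fact seen from two sides, and the difference between `2>&1 >/dev/null` and `>/dev/null 2>&1` is easy to get backwards. What follows is an added example, not code from the thread: a small Python harness that runs a stand-in for the CGI command (one payload line on stdout, one diagnostic line on stderr) under each redirection from the thread through sh, and reports what the calling process, here standing in for the web server, actually receives. It assumes a POSIX sh is on the path; the command text and function names are my own.

```python
import subprocess

# Stand-in for "openssl ocsp ..." in a CGI wrapper: the payload a web server
# must forward unchanged goes to stdout, the diagnostic goes to stderr.
COMMAND = "(echo payload; echo 'Response verify OK' >&2)"


def run_with_redirection(redirection):
    """Run COMMAND followed by the given redirection suffix under sh and
    return (stdout, stderr) exactly as the parent process sees them."""
    shell_line = f"{COMMAND} {redirection}"
    result = subprocess.run(["sh", "-c", shell_line], capture_output=True, text=True)
    return result.stdout, result.stderr


def compare_redirections():
    """Run every variant mentioned in the thread; keys are the suffixes."""
    variants = ["", "2>&1 >/dev/null", ">/dev/null 2>&1", "2>/dev/null"]
    return {v: run_with_redirection(v) for v in variants}


def stdout_carries_only_payload(redirection):
    """A CGI wrapper is usable only if stdout still holds the payload and
    nothing else: the diagnostic must not leak in, and the payload must not
    be discarded along with it."""
    out, _ = run_with_redirection(redirection)
    return out == "payload\n"


if __name__ == "__main__":
    for suffix, (out, err) in compare_redirections().items():
        print(f"{suffix or '(none)':>18}: stdout={out!r} stderr={err!r}")
```

With `2>&1 >/dev/null`, stderr is first duplicated onto the stdout that is still connected to the caller, and only then is stdout sent to /dev/null, so the diagnostic ends up in the response body. `>/dev/null 2>&1` silences both, which is fine for a cron job but throws away the OCSP response in the CGI case; for a wrapper that must pass stdout through, `2>/dev/null` is the one that does the right thing.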


Re: openssl AES decrypt problem

2012-12-12 Thread Ken Goldman

A typical method is to use PKCS#7 padding.

On 12/12/2012 9:07 AM, Hailei Hu wrote:

Hi, everyone!
 I am testing OpenSSL AES encryption and decryption using AES_cbc_encrypt.
 For example, I have a file which has 10 bytes; after using
AES_cbc_encrypt, the encrypted file becomes 16 bytes. But when I use
another program to decrypt this encrypted file using AES_cbc_encrypt,
how could I know the correct decrypted file size? Because according to
the declaration of AES_cbc_encrypt:

void AES_cbc_encrypt(const unsigned char *in,
                     unsigned char *out,
                     const unsigned long length,
                     const AES_KEY *key,   /* expanded key from AES_set_encrypt_key() /
                                              AES_set_decrypt_key(); declared const and
                                              not modified by the call */
                     unsigned char *ivec,  /* IV (not a salt); updated in place to the
                                              last ciphertext block, so reset it before
                                              each new message */
                     const int enc);       /* AES_ENCRYPT (1) to encrypt,
                                              AES_DECRYPT (0) to decrypt */

when I call this function, the param "length" is the encrypted file size.
But I think the decrypted file size should be less than "length".
So how could I know how many bytes I should read from "out" to write to
a decrypted file?



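The two answers above describe the problem (the last block is filled out to 16 bytes, so the decrypting side cannot tell 10 bytes of data plus 6 bytes of filler from 16 bytes of data) and the standard remedy, PKCS#7 padding, which is what the EVP layer applies by default when padding is left enabled. As an added example, not code from the thread or from OpenSSL, the following pure-Python functions implement PKCS#7 padding and its strict removal alongside the zero padding the thread describes for AES_cbc_encrypt, to show why only the former can be removed unambiguously. Function names are my own; the block size of 16 is AES's.

```python
AES_BLOCK = 16


def pkcs7_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Append n bytes of value n (1 <= n <= block) so the result is a multiple
    of block.  Already-aligned input gets a whole block of padding; that is
    what makes the scheme reversible for every possible input."""
    if not 1 <= block <= 255:
        raise ValueError("block size must fit in one byte")
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed.  The decryptor must
    treat a failure here as a fatal error, never as 'probably fine'."""
    if not data or len(data) % block:
        raise ValueError("padded length is not a positive multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return data[:-n]


def zero_pad(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Fill the final partial block with 0x00 bytes; aligned input is left
    as it is.  This is the filler the thread describes for AES_cbc_encrypt."""
    return data + b"\x00" * (-len(data) % block)


def zero_unpad(data: bytes) -> bytes:
    """The only thing a receiver can do with zero padding: strip trailing
    zeros.  Plaintext that legitimately ends in 0x00 is damaged by this."""
    return data.rstrip(b"\x00")


def round_trip_ok(data: bytes, pad, unpad) -> bool:
    """True if unpad(pad(data)) recovers data byte for byte."""
    return unpad(pad(data)) == data


if __name__ == "__main__":
    sample = b"0123456789"                     # the 10-byte file from the question
    print(len(pkcs7_pad(sample)), pkcs7_pad(sample)[-6:])   # 16 b'\x06\x06\x06\x06\x06\x06'
    print(round_trip_ok(b"ends in\x00\x00", pkcs7_pad, pkcs7_unpad))  # True
    print(round_trip_ok(b"ends in\x00\x00", zero_pad, zero_unpad))    # False
```

Two practical notes for anyone wiring this under a CBC call: pad before encrypting and unpad after decrypting the whole message, and make sure a padding failure is reported in the same way (same error, same timing as far as practical) as any other decryption failure, because distinguishable padding errors are what turns a CBC decryptor into a padding oracle.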


OpenSSL OCSP Responder used in a CGI Skript - I found the bug

2012-12-12 Thread Walter H.

Hello,

when using

openssl ocsp ...

in a CGI script, you must use -noverify,
because without it this creates the line

Response verify OK

and neither >/dev/null nor 2>&1 >file nor 2>&1 >/dev/null lets this line 
"disappear",


so this produces either a 500 page or an invalid OCSP response is sent, 
which results in Firefox in either:


The OCSP server returned unexpected/invalid HTTP data.
(Error code: sec_error_ocsp_bad_http_response)

or in:

The response from the OCSP server was corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_response)

Wireshark was a good help to find out;

Greetings from Austria,
Walter Höhlhubmer






Re: extensions in certifications

2012-12-12 Thread Peter Sylvester

On 12/11/2012 09:45 PM, Michael Mueller wrote:

Could I get a nudge. I'd like to get the SANs to show up in my certs.

in my request:

Requested Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
DNS:ossvirt4, DNS:gws001

These are not DNS names. You should review what your client
hosts have as a default domain, etc. It is not obvious whether
browsers will accept this.

Regarding the hint (and solution) about copying the extensions,
you should check what you receive as a cert request, e.g.
whether someone is asking for a CA cert.



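Peter's two cautions point the same way: the SANs in the quoted request are bare hostnames rather than DNS names, and a CA running with copy_extensions = copy carries whatever the request asks for into the issued certificate (a CA:TRUE basicConstraints, a Certificate Sign key usage) unless the CA's own extension section overrides it, which is what Michael's basicConstraints = CA:false line does and what the ca man page warning is about. The following is an added example rather than the thread's own configuration: a Python check that parses the "Requested Extensions" block of `openssl req -noout -text` output (the first sample is constructed from the excerpt Michael posted, the second is constructed to show a request that asks to become a CA) and lists what a CA operator should refuse before signing. It assumes that textual layout as printed by openssl 1.0.x; the function names and the second sample are my own.

```python
# Constructed from the "Requested Extensions" excerpt quoted in the thread,
# laid out as `openssl req -noout -text` prints it.
END_ENTITY_REQUEST = """\
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:ossvirt4, DNS:gws001
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed (not from the thread): a request that would become a CA if
# its extensions were copied unchecked.
CA_REQUEST = """\
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                DNS:ca.example.com
"""


def parse_requested_extensions(text):
    """Return {name: {"critical": bool, "value": str}} for every extension
    listed under "Requested Extensions:".  Extension names sit one indent
    level below the header, their values one level below that."""
    exts, current, name_indent, in_block = {}, None, None, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if not in_block:
            in_block = line == "Requested Extensions:"
            continue
        if name_indent is None:
            name_indent = indent
        if indent < name_indent:
            break                          # back out to the enclosing level
        if indent == name_indent:          # e.g. "X509v3 Key Usage: critical"
            name, _, flag = line.partition(":")
            current = name.strip()
            exts[current] = {"critical": flag.strip() == "critical", "value": ""}
        elif current is not None:          # value lines are indented further
            exts[current]["value"] = (exts[current]["value"] + " " + line).strip()
    return exts


def policy_violations(exts):
    """Reasons to refuse signing this request as an end-entity certificate
    while copy_extensions = copy is in force."""
    problems = []
    bc = exts.get("X509v3 Basic Constraints", {}).get("value", "")
    if "CA:TRUE" in bc.upper():
        problems.append("basicConstraints requests CA:TRUE")
    ku = exts.get("X509v3 Key Usage", {}).get("value", "")
    for usage in ("Certificate Sign", "CRL Sign"):
        if usage in ku:
            problems.append(f"keyUsage requests {usage}")
    san = exts.get("X509v3 Subject Alternative Name", {}).get("value", "")
    for entry in (e.strip() for e in san.split(",")):
        kind, _, name = entry.partition(":")
        if kind == "DNS" and "." not in name:
            problems.append(f"SAN DNS:{name} is a bare hostname, not a fully qualified DNS name")
    return problems


if __name__ == "__main__":
    for label, text in (("end-entity", END_ENTITY_REQUEST), ("ca", CA_REQUEST)):
        print(label, policy_violations(parse_requested_extensions(text)))
```

Run this against `openssl req -noout -text -in request.csr` output before `openssl ca` is invoked, and keep the overriding basicConstraints in the CA's extension section regardless: the check catches requests, the override guarantees the result.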


Re: extensions in certifications

2012-12-12 Thread Michael Mueller
On Tue, Dec 11, 2012 at 7:10 PM, Michael Mueller wrote:

> On Tue, Dec 11, 2012 at 6:10 PM, Dave Thompson wrote:
>
>> >From: owner-openssl-us...@openssl.org On Behalf Of Michael Mueller
>> >Sent: Tuesday, 11 December, 2012 15:45
>>
>> >Could I get a nudge. I'd like to get the SANs to show up in my certs.
>>
>> 
>>
>

> If you are the CA, and you are using openssl 'ca' commandline,
>> configure copy_extensions as per the man page (and read the warning).
>> If you don't have man pages on your system e.g. Windows
>> http://www.openssl.org/docs/apps/ca.html
>>
>> 
>
>
It worked:

[ ca ]
default_ca  = exampleca

[ exampleca ]
copy_extensions = copy  # copy extensions from request

[ certificate_extensions ]
basicConstraints= CA:false # per WARNING

Thanks again