Connection getting terminated after OCSP Resonse is send my OCSP Responder.

[deepak.kathuria]

Hi, 
I am using openssl OCSP utility as OCSP Responder in linux platform. Once
OCSP Responder receives OCSP Request it will send OCSP Response and
terminate the TCP connection by sending FIN for TCP Connection. Why OCSP
responder trying to close the connection? Is there any way by whcih OCSP
Responder is configured to retain the connection. 

OCSP Request packet has Connection filed as Keep-Alive in HTTP header while
response packet from OCSP Responder does not have any Connection filed in
HTTP header (OCSP Response is generated by OCSP Responder using openssl ocsp
utility). Is there Any way to set  Connection filed as Keep-Alive in HTTP
header in OCSP Responder message?




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Connection-getting-terminated-after-OCSP-Resonse-is-send-my-OCSP-Responder-tp45836.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

OSCP request

[redpath]

I see that OPENSSL provides a command for a OSCP and need to create an OSCP
request as a POST or GET.
What source code file creates this request and makes a connection.


Basically an OCSP REQUEST contains the following  fields
documented in RFC6960
   - protocol version  (I assume this is 0 for RFC6960)
   - service request  (seems left open and known by the server you have
implemented)
   - target certificate identifier  (the serial number or an ID)
   - optional extensions, which MAY be processed by the OCSP responder (the
server)

But how is this information formatted for the POST request?

Any pointers to source code would be appreciated. Well not a directory more
or less a
file that actually formats the request. The RFC is not much help other than
the fields known.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OSCP-request-tp45835.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

openssl-users@openssl.org

[Dave Thompson]

>From: owner-openssl-us...@openssl.org On Behalf Of Pedro Alexandre
>Sent: Friday, 05 July, 2013 10:56

>I' m Looking for a solution to create a hash key type Sha1 signed and
encoded Base64.
>In openssl is done by executing in CMD:

>'openssl dgst sha1-sign Fileprivatekey.pem out Filemessage.sha1 message'
[YM -sha1 (not run together) -sign and -out. And no quotemarks around.]
>and thain [YM then]
>'Openssl enc -base64 -in Filemessage.sha1 -out FileMsgb64 -A'

That signs (and base64's) a hash, specifically a SHA1 hash.
There is no "hash key"; there is a concept of a "keyed hash"
in modern crypto but that's not what you're doing here.

>I can do runshell() openssl but I wanted to avoid using external 
>exes and not install openssl on customers PCs.
>Any body can show a small sample that does this type of commands 
>and obtain the some result, from Libeay32.dll?

runshell() is not a standard C (or C++) function, nor a WinAPI 
call; what/where is it? The only two plausible hits google finds 
for me are winbatch and xbase, and I don't know if those can 
call C functions. You can call C functions in a library like 
openssl if you are programming in C, or C++, or (perhaps less 
easily) in a language that can make C (not "managed" C# or VBD) 
calls, sometimes called "foreign".

libeay32.dll (and ssleay32.dll) is part of openssl just as much 
as openssl.exe is. Perhaps you want to link with a static lib 
(not a dll) and then you don't need to install openssl but you do 
need to update & reinstall your program(s) if you need any fixes 
or features in a new openssl (likely never for this limited use).
On Windows (and most(?) other OSes) openssl can be built either 
to link dynamically (dll, so, sl, etc) or statically; the 
convenient ShiningLight package does both for (MS)VC.

If your goal is avoid a separate exe (and launches of it) and 
you can call C, you can do the above with calls to functions 
in libeay32 (equivalent to Unix -lcrypto), for most of which 
man pages are available on Unix; if you have only Windows install 
you can use the copy online under http://www.openssl.org/docs/ 
or you can try to make sense of the pod-format source (there's 
probably several suitable perl modules out of the 2-zillion 
floating about perlspace; try cpan.org if you have time to spend)

- (general setup) SSL_library_init or similar, 
SSL_load_error_strings

- PEM_read_PrivateKey using stdio or file-BIO as convenient.
For Windows DLL you need applink in the exe; if you can't 
or prefer not to do that, read into memory yourself and 
then PEM_read from a mem-BIO.

- (the new preferred way) EVP_DigestSign{Init,Update,Final} 
or (the older way works for SHA1withBlah but not all valid 
hash+PK combinations) EVP_Sign{Init/Init_ex,Update,Final}
or even (the low-level way not recommended for most use) 
SHA1_{Init,Update,Final} plus {RSA,DSA,ECDSA}_sign 

- to base64 you can create and write to a BIO_f_base64 
with FLAGS_BASE64_NO_NL (equivalent of commandline enc -A) 
pushed on either a BIO_s_mem or BIO_s_file as convenient; 
or for this minimal case you can just call the undocumented 
but long-stable EVP_EncodeBlock; or you can write your own 
just-base64 encoder in about 10 lines of C (or pretty much 
any sane programming language, even(?) javascript).


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: openssl can't connect from a single host

[Dave Thompson]

> From: owner-openssl-us...@openssl.org On Behalf Of Daniel Black
> Sent: Sunday, 14 July, 2013 02:02
> To: openssl-users@openssl.org
> Subject: Re: openssl can't connect from a single host
> 
> On 11/07/13 19:20, Ben Schmidt wrote:
> > Hello everyone,
> > 
> > I got a problem that I don't understand. When I try to check the Cert of
> > a website from a single specific host I get:
> > ###
> > $ openssl s_client -connect www.example.com:443


That extra URL wasn't in the OPost.

> > CONNECTED(0003)
> > --- wait
> > ^C
> > ###
> 
> looks like it connected to me.
> 
"CONNECTED" is the TCP connection. It hasn't completed 
the SSL/TLS handshake. That would show the server cert 
(as the OP wants, for suites that use a server cert) 
and the session parameters (negotiation results, 
master secret, session-id, ticket if used, etc).

CONNECTED does rule out routing/firewall and DNS problems,
except some weird and arcane ones, FWTW.

> Try typing "GET /" after the CONNECTED. It is a openssl does a SSL
> connection but it doesn't do http.
> 
OP doesn't want to do HTTPS, only the handshake.

(*s_client* doesn't do HTTP. s_server and ocsp do a little.
And library of course can be used to do whatever you code.)

> Failing that there is -debug, -showcerts and -msg options 
> that can show
> progress a bit more.

-debug OR -msg (no need for both) shows progress of handshake,
but -state shows summary progress more nicely. -showcerts only 
matters after the handshake completes successfully, and then 
shows the full chain instead of only the leaf cert, which is 
useful in some cases almost completely unlike this one.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

How to specify timeout for openssl s_client ?

[Nayna Jain]

Hi,

It takes some time for my server to respond to openssl s_client connection
request.

However, openssl s_client timesout before the response.

Is there some way to give a timeout argument to s_client command for
waiting for response ?


Thanks & Regards,
Nayna Jain

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

sha1_block_data_order_avx() zeroes XMM11-XMM15 (non-volatile) registers

[Petr Filipský]

Hello,

first of all I would like to thank you for a great piece of software.

Now I would like to ask you for help or advice with a problem I am trying
to solve.
In our software there were mysterious cases when a 2D floating point origin
did not get restored properly. The problem demonstrated only at highest
optimization levels and only on some kinds of Intel CPUs.

The code demonstrating the issue and corresponding assembly looks as
follows:

driver.adjustOrigin( p.x, p.y );
mov rax,qword ptr [rsi]
movapd  xmm2,xmm12
movapd  xmm1,xmm11
mov rcx,rsi
callqword ptr [rax+0B8h]
driver.render( *this );
mov r11,qword ptr [rsi]
mov rdx,rbx
mov rcx,rsi
callqword ptr [r11+1D8h]
driver.adjustOrigin( -p.x, -p.y );
mov r11,qword ptr [rsi]
mov rcx,rsi
xorpd   xmm12,xmm6
xorpd   xmm11,xmm6
movapd  xmm2,xmm12
movapd  xmm1,xmm11
callqword ptr [r11+0B8h]

The problem was that on some processors the XMM11 and XMM12 registers lost
their value (were zeroed) during the driver.render( *this ) method call.
Such behavior was weird as the XMM6 to XMM15 registers are specified as
Non-volatile in ABI Win64 convention
(see Win64 ABI Register
usage
 or Software consequences of extending XMM to
YMM).

Other weird thing was that the problem demonstrated just on Intel® Xeon®
Processor E5-1607  (AVX extension
set),
but not on an older Intel® Xeon® Processor
E5530 (no
AVX extension).

After some digging deeper I realized that the Sha1_Update() openSSL
function zeroed the registers.

More specifically - the code zeroing the registers was in the
HASH_BLOCK_DATA_ORDER macro:

sha1_block_data_order_avx()
movaps  xmmword ptr [rsp+40h],xmm6
movaps  xmmword ptr [rsp+50h],xmm7
movaps  xmmword ptr [rsp+60h],xmm8
movaps  xmmword ptr [rsp+70h],xmm9
movaps  xmmword ptr [rsp+80h],xmm10
mov r8,rdi
mov r9,rsi
mov r10,rdx
vzeroall

The VZEROALL instruction zeroes all XMM registers up to 15 while only
XMM6-XMM10 are stored to stack (and restored later on).
On CPUs without the AVX support the sha1_block_data_order_ssse3() gets
called instead and all works with no problems.
I realized that *Andy Polyakov* recently added the AVX2+BMI code
path
which
uses the VZEROUPPER instruction instead of VZEROALL.
The question is whether the VZEROUPPER instruction should not be used
instead in the AVX code path as well.

As stated in "Calling conventions for different C++ compilers and operating
systems ":

> Functions that use YMM registers should issue the instruction VZEROUPPER
>  or VZEROALL before calling any ABI compliant function and before
> returning to any ABI compliant function. VZEROUPPER is used if the ABI
> specifies that some of theXMM registers must be preserved (64-bit
> Windows) or if an XMM register is used for parameter transfer or return
> value. VZEROALL can optionally be used instead of VZEROUPPER in other
> cases.

My knowledge of assembly language and CPU architecture is very limited, so
please, sorry for possibly stupid questions or any wrong conclusions I have
made.

Could you, please, look comment it, or possibly advice some workaround
(something like the "no-sse2" config option)?

Thank you very much.

Kind regards,
Petr Filipsky

sha1_block_data_order_avx() zeroes XMM11-XMM15 (non-volatile) registers

[Petr Filipský]

Hello,

first of all I would like to thank you for a great piece of software.

Now I would like to ask you for help or advice with a problem I am trying
to solve.
In our software there were mysterious cases when a 2D floating point origin
did not get restored properly. The problem demonstrated only at highest
optimization levels and only on some kinds of Intel CPUs.

The code demonstrating the issue and corresponding assembly looks as
follows:

driver.adjustOrigin( p.x, p.y );
mov rax,qword ptr [rsi]
movapd  xmm2,xmm12
movapd  xmm1,xmm11
mov rcx,rsi
callqword ptr [rax+0B8h]
driver.render( *this );
mov r11,qword ptr [rsi]
mov rdx,rbx
mov rcx,rsi
callqword ptr [r11+1D8h]
driver.adjustOrigin( -p.x, -p.y );
mov r11,qword ptr [rsi]
mov rcx,rsi
xorpd   xmm12,xmm6
xorpd   xmm11,xmm6
movapd  xmm2,xmm12
movapd  xmm1,xmm11
callqword ptr [r11+0B8h]

The problem was that on some processors the XMM11 and XMM12 registers lost
their value (were zeroed) during the driver.render( *this ) method call.
Such behavior was weird as the XMM6 to XMM15 registers are specified as
Non-volatile in ABI Win64 convention
(see Win64 ABI Register
usage
 or Software consequences of extending XMM to
YMM).

Other weird thing was that the problem demonstrated just on Intel® Xeon®
Processor E5-1607  (AVX extension
set),
but not on an older Intel® Xeon® Processor
E5530 (no
AVX extension).

After some digging deeper I realized that the Sha1_Update() openSSL
function zeroed the registers.

More specifically - the code zeroing the registers was in the
HASH_BLOCK_DATA_ORDER macro:

sha1_block_data_order_avx()
movaps  xmmword ptr [rsp+40h],xmm6
movaps  xmmword ptr [rsp+50h],xmm7
movaps  xmmword ptr [rsp+60h],xmm8
movaps  xmmword ptr [rsp+70h],xmm9
movaps  xmmword ptr [rsp+80h],xmm10
mov r8,rdi
mov r9,rsi
mov r10,rdx
vzeroall

The VZEROALL instruction zeroes all XMM registers up to 15 while only
XMM6-XMM10 are stored to stack (and restored later on).
On CPUs without the AVX support the sha1_block_data_order_ssse3() gets
called instead and all works with no problems.
I realized that *Andy Polyakov* recently added the AVX2+BMI code
path
which
uses the VZEROUPPER instruction instead of VZEROALL.
The question is whether the VZEROUPPER instruction should not be used
instead in the AVX code path as well.

As stated in "Calling conventions for different C++ compilers and operating
systems ":

> Functions that use YMM registers should issue the instruction VZEROUPPER
>  or VZEROALL before calling any ABI compliant function and before
> returning to any ABI compliant function. VZEROUPPER is used if the ABI
> specifies that some of theXMM registers must be preserved (64-bit
> Windows) or if an XMM register is used for parameter transfer or return
> value. VZEROALL can optionally be used instead of VZEROUPPER in other
> cases.

My knowledge of assembly language and CPU architecture is very limited, so
please, sorry for possibly stupid questions or any wrong conclusions I have
made.

Could you, please, look comment it, or possibly advice some workaround
(something like the "no-sse2" config option)?

Thank you very much.

Kind regards,
Petr Filipsky

Re: OpenSSL Wiki

[Matt Caswell]

Just to clarify,  that should say the OpenSSL wiki is NOW available! 

Matt

Steve Marquess  wrote:

>The recently created OpenSSL Wiki is not available for general access
>at
>
>  http://wiki.openssl.org/
>
>It is starting to accumulate some useful content and should continue to
>grow in the future. Note that due to persistent spam and vandalism
>we've
>been forced to disable automatic account creation, but participation
>from the OpenSSL user community is welcomed and encouraged. Just send
>an
>E-mail to wiki-ad...@opensslfoundation.com to request an account with
>edit privileges (no account is needed for read-only access, of course).
>
>-Steve M.
>
>-- 
>Steve Marquess
>OpenSSL Software Foundation, Inc.
>1829 Mount Ephraim Road
>Adamstown, MD  21710
>USA
>+1 877 673 6775 s/b
>+1 301 874 2571 direct
>marqu...@opensslfoundation.com
>marqu...@openssl.com
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing Listopenssl-users@openssl.org
>Automated List Manager   majord...@openssl.org

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

OpenSSL Wiki

[Steve Marquess]

The recently created OpenSSL Wiki is not available for general access at

  http://wiki.openssl.org/

It is starting to accumulate some useful content and should continue to
grow in the future. Note that due to persistent spam and vandalism we've
been forced to disable automatic account creation, but participation
from the OpenSSL user community is welcomed and encouraged. Just send an
E-mail to wiki-ad...@opensslfoundation.com to request an account with
edit privileges (no account is needed for read-only access, of course).

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org