cross compiled openssl error on the target
Hi, I have added AES_CCM cipher suite support to the openssl and tested with curl client with Nginx web server . It works well when I tested on the PC , then I cross compiled openssl and curl for ARM and tried to run curl client application from the target , but I get the below error . **Peer certificate cannot be authenticated with given CA certificates** .. I am using the same certificates which I used on the PC .. Now my my set-up is : Running web server(nginx included with openssl on ubuntu pc) and curl(https with openssl ) on my arm target board . I need some help to figure out the exact problem . Rgds Indra
RE: OCSP and self signed
The short answers is no. An OCSP response has to be signed by the issuer (or a delegate of the issuer) and a self-signed cert is issued by itself. As a general rule certs can't revoke themselves so there is no need to get a revocation response for a self-signed cert. Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of redpath Sent: Tuesday, July 23, 2013 10:27 AM To: openssl-users@openssl.org Subject: OCSP and self signed I was wondering about self signed certs. If I run the test OCSP it needs to know the CA cert but there is no CA cert. So can a OCSP responder work for self signed certs. -- View this message in context: http://openssl.6102.n7.nabble.com/OCSP-and-self-signed-tp45918.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org smime.p7s Description: S/MIME cryptographic signature
RE: OSCP server does not update status
Hi Patrick, Both you and Dr. Henson have made it clear that the OCSP server implementation is only to be used for testing. With that in mind, the server implementation does act as a server and responds to inbound requests via http in version 0.9x, but that functionality stopped working in version 1.0. From what I can gather from spending way too much time searching the web is it has something to do with how v1.0 processes ipv6 instead of ipv4 and I'm curious if you or anyone else has come up with a sharable work-around for being able to use v1.x as an OCSP server? Thanks, Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson Sent: Thursday, July 18, 2013 9:35 AM To: openssl-users@openssl.org Subject: Re: OSCP server does not update status Hi there, One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of real-life scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server. In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes. Have fun. Patrick. On 2013-07-18, at 12:19 PM, redpath wrote: I am testing some simple scenarios for the OSCP server. I have to stop and start the Server to know I revoked a cert. Here is my scenario. *I start the OSCP server* ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text *I check a cert* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem *and its GOOD* *Then from a terminal I revoke a certificate* openssl ca -revoke ./demoCA/newcerts/1009.pem Using configuration from /usr/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Revoking Certificate 1009. Data Base Updated *I check it again* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK 0x1009: good This Update: Jul 18 16:13:02 2013 GMT *Not correct, it is revoked I looked at the index.txt. I stop and start the OSCP server again* *I check again* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK 0x1009: revoked This Update: Jul 18 16:13:34 2013 GMT Revocation Time: Jul 18 16:12:18 2013 GMT *And results are expected REVOKED.* *So what is the best practice to get the OSCP server to update?* -- View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-t p45877.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org smime.p7s Description: S/MIME cryptographic signature
RFC in OpenSSL
Hello, I am looking for a SSL/TLS stack for a project based on CVP2 and I need to know if the following RFCs (which are required by CVP2) are fully/partially implemented in OpenSSL. RFC 4680 - TLS Handshake Messages for Supplemental Data RFC 5878 - TLS Authorization Extensions RFC - Authentication Credential Exchange Using TLS Supplemental Data The last one is still a draft, but perhaps have you foreseen to implement it in a near future. Regards, Lionel *** DISCLAIMER *** This message, including attachments, is intended solely for the addressee indicated in this message and is strictly confidential or otherwise privileged. If you are not the intended recipient (or responsible for delivery of the message to such person) : - (1) please immediately (i) notify the sender by reply email and (ii) delete this message and attachments, - (2) any use, copy or dissemination of this transmission is strictly prohibited. If you or your employer does not consent to Internet email messages of this kind, please advise Myriad Group AG by reply e-mail immediately. Opinions, conclusions and other information expressed in this message are not given or endorsed by Myriad Group AG unless otherwise indicated by an authorized representative independent of this message.
Re: RFC in OpenSSL
Thus wrote Lionel Estrade (lionel.estr...@myriadgroup.com): I am looking for a SSL/TLS stack for a project based on CVP2 and I need to know if the following RFCs (which are required by CVP2) are fully/partially implemented in OpenSSL. RFC 4680 - TLS Handshake Messages for Supplemental Data RFC 5878 - TLS Authorization Extensions RFC - Authentication Credential Exchange Using TLS Supplemental Data The last one is still a draft, but perhaps have you foreseen to implement it in a near future. there's a file doc/standards.txt in the source tree that lists all the implemented RFCs. I'm not sure if it's up to date... __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Issue with compiling FIPS 2.0.5 with openssl 1.0.1e
On Tue, Jul 23, 2013, Stacy Devino wrote: Hello All, I modified the exports to build the FIPS module correctly. Using Android NDK 8e, building for API14 using the arm-linux-androideabi It builds the FIPs modules correctly and places them in my Home Directory, which is where I told it to Export in the make install INSTALLTOP No issue there. Then when Transferring to the Openssl1.0.1e dir: ./config fips shared --with-fipsdir=/home/stacy/AndroBuild/../fips ^ With or with the -t results in the same issues listed below It recognizes everything correctly and config's without issue (same exports - android. Operating system: armv7l-whatever-android Then, I run the make depend No problems there. The Issue is when I run the final make with the FIPS module (running make without the FIPS runs no issue). This is what I receive as the output: /home/stacy/AndroBuild/../fips/lib/fipscanister.o: file not recognized: File format not recognized collect2: ld returned 1 exit status make[2]: *** [fips_premain_dso] Error 1 make[2]: Leaving directory `/home/stacy/AndroBuild/openssl-1.0.1e' make[1]: *** [shared] Error 2 make[1]: Leaving directory `/home/stacy/AndroBuild/openssl-1.0.1e/crypto' make: *** [build_crypto] Error 1 Can anyone help with with what is going wrong here? Sounds like you haven't set the FIPS_SIG environment variable. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Password callback functions per SSL_use_PrivateKey_file
On Tue, Jul 23, 2013, Karthik Krishnamurthy wrote: OpenSSL provides multiple SSL objects to be created from a single SSL_CTX object and each SSL object can use a different privatekey file (SSL_use_PrivateKey_file). Given this flexibility, I don't see an option to have a password callback function per SSL object. The callbacks are provided only on the SSL_CTX object. Is there a work around to this other than creating an SSL_CTX object for every privatekey file that needs to be added in the application. You can use whatever method you want to obtain the EVP_PKEY structure itself, e.g. the PEM functions. Then you can pass that key using SSL_use_PrivateKey() Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OSCP server does not update status
Hi Steve, On 2013-07-23, at 6:13 PM, Steven Madwin wrote: Hi Patrick, Both you and Dr. Henson have made it clear that the OCSP server implementation is only to be used for testing. With that in mind, the server implementation does act as a server and responds to inbound requests via http in version 0.9x, but that functionality stopped working in version 1.0. From what I can gather from spending way too much time searching the web is it has something to do with how v1.0 processes ipv6 instead of ipv4 and I'm curious if you or anyone else has come up with a sharable work-around for being able to use v1.x as an OCSP server? Well, the work around that we came up with was that we followed the advice in the man page, and, for anything beyond prototyping, we wrote our own OCSP server that works reliably, and handles all of the various cases that are found in the real world. Cheers, Patrick. Thanks, Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson Sent: Thursday, July 18, 2013 9:35 AM To: openssl-users@openssl.org Subject: Re: OSCP server does not update status Hi there, One thing that, I think, the OCSP man page makes very clear is that the OCSP server implementation is to be used for testing only, and not to be used for any sort of real-life scenario. To get real-time updating based on changes in the index.txt file from the CA, you'd have to write your own OCSP server implementation. Other things that you have noticed (lack of concurrency, etc.) are also only achievable if you write your own server. In short - the behaviour that you are seeing is exactly as is to be expected from a tool that exists only for testing purposes. Have fun. Patrick. On 2013-07-18, at 12:19 PM, redpath wrote: I am testing some simple scenarios for the OSCP server. I have to stop and start the Server to know I revoked a cert. Here is my scenario. *I start the OSCP server* ocsp -index ./demoCA/index.txt -port 8082 -rsigner authocspsign.crt -rkey ocspsign.key -CA ./demoCA/cacert.pem -text *I check a cert* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem *and its GOOD* *Then from a terminal I revoke a certificate* openssl ca -revoke ./demoCA/newcerts/1009.pem Using configuration from /usr/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Revoking Certificate 1009. Data Base Updated *I check it again* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK 0x1009: good This Update: Jul 18 16:13:02 2013 GMT *Not correct, it is revoked I looked at the index.txt. I stop and start the OSCP server again* *I check again* openssl ocsp -issuer ./demoCA/cacert.pem -serial 0x1009 -text -url http://127.0.0.1:8082 -CAfile cacert.pem Response verify OK 0x1009: revoked This Update: Jul 18 16:13:34 2013 GMT Revocation Time: Jul 18 16:12:18 2013 GMT *And results are expected REVOKED.* *So what is the best practice to get the OSCP server to update?* -- View this message in context: http://openssl.6102.n7.nabble.com/OSCP-server-does-not-update-status-t p45877.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: set client trusted certificates
Thanks for your reply. I also generated self signed ssl certificate for my server. My server is in .Net platform and my client is using openssl API. My client also does not give any error with my self-signed server certificate. Connection is establishing successfully. I think my client is not validating server ssl certificate. Am i missing some configuration? Thanks. On Tue, Jul 23, 2013 at 10:46 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of 133mmx runner Sent: Monday, 22 July, 2013 07:37 I am trying to set a SSL connection with double side certificated. Client has a SSL certificate and server has a SSL certificate. I have established connection successfully and done data transmission successfully. At client side i want to be sure that the server SSL certificate is given from a specific Root. So i move the /etc/ssl/certs folder to clear all trusted certs. But there is no problem at SSL connection. I continue establishing connection successfully. What is the client? Some client programs can configure their own truststore, and a client that handles client-auth often does. If it does use the default, are you sure that's in /etc/ssl/certs? The compiled default differs on different OSes and sometimes builds (check openssl version -a) and can be overridden by envvars. After i see the SSL connection fails, i want to place my specified root to /etc/ssl/certs folder. If that (or any) dir is used as CApath put your root cert as a PEM file named or linked fromthe cert's subject hash plus .0. If a *file in it* is used as CAfile just put the cert in PEM in the file. man verify. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: RFC in OpenSSL
On 24 July 2013 08:57, Lionel Estrade lionel.estr...@myriadgroup.com wrote: Hello, I am looking for a SSL/TLS stack for a project based on CVP2 and I need to know if the following RFCs (which are required by CVP2) are fully/partially implemented in OpenSSL. RFC 4680 - TLS Handshake Messages for Supplemental Data RFC 5878 - TLS Authorization Extensions 5878 and 4680 are not consistent - I have errata against 5878. There is partial support for it, though. I expect to update it at some point. RFC - Authentication Credential Exchange Using TLS Supplemental Data The last one is still a draft, but perhaps have you foreseen to implement it in a near future. Regards, Lionel *** DISCLAIMER *** This message, including attachments, is intended solely for the addressee indicated in this message and is strictly confidential or otherwise privileged. If you are not the intended recipient (or responsible for delivery of the message to such person) : - (1) please immediately (i) notify the sender by reply email and (ii) delete this message and attachments, - (2) any use, copy or dissemination of this transmission is strictly prohibited. If you or your employer does not consent to Internet email messages of this kind, please advise Myriad Group AG by reply e-mail immediately. Opinions, conclusions and other information expressed in this message are not given or endorsed by Myriad Group AG unless otherwise indicated by an authorized representative independent of this message. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
connection problem with the version 1.0.1e
Hi, I had been struggling for couple of days to figure out why requests to one of our API provider simply do not work in Debian Wheezy while it does in Squeeze. I am really not sure if the real problem is about the server it tries to connect or a bug in openssl. However, it simply works fine with 0.9.8o but 1.0.1e. https://emea.webservices.travelport.com/B2BGateway/service/XMLSelect?WSDL $ curl -XGET -vI https://emea.webservices.travelport.com/B2BGateway/service/XMLSelect?WSDL * About to connect() to emea.webservices.travelport.com port 443 (#0) * Trying 216.113.156.104... * connected * Connected to emea.webservices.travelport.com (216.113.156.104) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): ### waits here long long time... * Unknown SSL protocol error in connection to emea.webservices.travelport.com:443 * Closing connection #0 curl: (35) Unknown SSL protocol error in connection to emea.webservices.travelport.com:443 We really want to go for version 1.x.x for many reasons. So, any help is appreciated. Roy
Re: Issue with compiling FIPS 2.0.5 with openssl 1.0.1e
I figured it out late last night. The instructions on the documentation area of the site were a bit lacking. (I have made my notes and instruction augmentations). On Wed, Jul 24, 2013 at 7:12 AM, Dr. Stephen Henson st...@openssl.orgwrote: On Tue, Jul 23, 2013, Stacy Devino wrote: Hello All, I modified the exports to build the FIPS module correctly. Using Android NDK 8e, building for API14 using the arm-linux-androideabi It builds the FIPs modules correctly and places them in my Home Directory, which is where I told it to Export in the make install INSTALLTOP No issue there. Then when Transferring to the Openssl1.0.1e dir: ./config fips shared --with-fipsdir=/home/stacy/AndroBuild/../fips ^ With or with the -t results in the same issues listed below It recognizes everything correctly and config's without issue (same exports - android. Operating system: armv7l-whatever-android Then, I run the make depend No problems there. The Issue is when I run the final make with the FIPS module (running make without the FIPS runs no issue). This is what I receive as the output: /home/stacy/AndroBuild/../fips/lib/fipscanister.o: file not recognized: File format not recognized collect2: ld returned 1 exit status make[2]: *** [fips_premain_dso] Error 1 make[2]: Leaving directory `/home/stacy/AndroBuild/openssl-1.0.1e' make[1]: *** [shared] Error 2 make[1]: Leaving directory `/home/stacy/AndroBuild/openssl-1.0.1e/crypto' make: *** [build_crypto] Error 1 Can anyone help with with what is going wrong here? Sounds like you haven't set the FIPS_SIG environment variable. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Stacy Devino StacyDevino.com KF5NQI Mobile, Web, Audio, Hardware
Re: connection problem with the version 1.0.1e
On Wed, Jul 24, 2013 at 9:30 PM, kirpit kir...@gmail.com wrote: Hi, I had been struggling for couple of days to figure out why requests to one of our API provider simply do not work in Debian Wheezy while it does in Squeeze. I am really not sure if the real problem is about the server it tries to connect or a bug in openssl. However, it simply works fine with 0.9.8o but 1.0.1e. https://emea.webservices.travelport.com/B2BGateway/service/XMLSelect?WSDL The server doesn't seem to care to respond to clients supporting TLS 1.2 ok: openssl s_client -tls1 -connect emea.webservices.travelport.com:443 no reply: openssl s_client -tls1_2 -connect emea.webservices.travelport.com:443 such servers should be beaten to pulp.
RE: connection problem with the version 1.0.1e
From: owner-openssl-us...@openssl.org On Behalf Of Rajesh Malepati Sent: Wednesday, 24 July, 2013 13:03 On Wed, Jul 24, 2013 at 9:30 PM, kirpit kir...@gmail.com wrote: ... requests to one of our API provider ... works fine with 0.9.8o but 1.0.1e. The server doesn't seem to care to respond to clients supporting TLS 1.2 ok: openssl s_client -tls1 -connect emea.webservices.travelport.com:443 no reply: openssl s_client -tls1_2 -connect emea.webservices.travelport.com:443 More exactly, it appears to be one of the several servers that fail for the longer ClientHello used in TLS1.2 by default: -ssl3 or -tls1 uses a shorter hello and works. -no_tls1_2 ditto and works negotiating 1.0. -tls1_1 ditto gets 1.0 response which s_client rejects. -tls1_2 -cipher (shortlist) ditto ditto. (default) -cipher (shortlist) ditto gets 1.0 response and works. such servers should be beaten to pulp. Agreed, but in the meantime, according to curl.haxx.se, curl has options to specify TLS1(.0?), SSL3, and/or cipherlist, which should allow a workaround. -1 or -3 looks easier than figuring out a good cipherlist for the (each?) host. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: set client trusted certificates
From: owner-openssl-us...@openssl.org On Behalf Of 133mmx runner Sent: Wednesday, 24 July, 2013 10:04 I also generated self signed ssl certificate for my server. My server is in .Net platform and my client is using openssl API. That means the client is code you wrote? My client also does not give any error with my self-signed server certificate. Connection is establishing successfully. I think my client is not validating server ssl certificate. Am i missing some configuration? libssl by default does not validate and does not have a truststore. Does your client code call SSL_CTX_set_verify to other than ..NONE before SSL_new, or SSL_set_verify before SSL_connect (or autoconnect), and either SSL_CTX_load_verify_locations or _default_verify_paths ? snip previous __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Password callback functions per SSL_use_PrivateKey_file
Steve, Thanks much for the reply. I did not realize that EVP_PKEY structures can have their own callbacks. It's a few extra hoops, but worth it! Thanks, Karthik On Wed, Jul 24, 2013 at 8:15 AM, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Jul 23, 2013, Karthik Krishnamurthy wrote: OpenSSL provides multiple SSL objects to be created from a single SSL_CTX object and each SSL object can use a different privatekey file (SSL_use_PrivateKey_file). Given this flexibility, I don't see an option to have a password callback function per SSL object. The callbacks are provided only on the SSL_CTX object. Is there a work around to this other than creating an SSL_CTX object for every privatekey file that needs to be added in the application. You can use whatever method you want to obtain the EVP_PKEY structure itself, e.g. the PEM functions. Then you can pass that key using SSL_use_PrivateKey() Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org