certificate verification problem

2014-10-30 Thread thomas
Hi,

trying to build a valid certificate chain, I came across the following 
problem:

I have two certificates. The first one, contained in file root_ca.pem, 
is a self-signed root CA, intended to sign intermediate CAs with. The 
second one, contained in host_ca.pem, is such an intermediate CA; it is 
signed with root_ca.pem. I would expect the two to form a valid chain. 
And indeed, verification succeeds:

[thomas@sarkovy openssl-test]$ openssl verify -CAfile root_ca.pem 
host_ca.pem
host_ca.pem: OK

However, if I add -issuer_checks to the command line, I get errors:

[thomas@sarkovy openssl-test]$ openssl verify -CAfile root_ca.pem 
-issuer_checks host_ca.pem
host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, 
OU = Network Administration, CN = K\C3\B6ller Family Host Signing 
Certificate
error 29 at 0 depth lookup:subject issuer mismatch
C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network 
Administration, CN = K\C3\B6ller Family Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network 
Administration, CN = K\C3\B6ller Family Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
OK

Next, I look at the subject and issuer fields of both certificates, and 
find them to be matching:

[thomas@sarkovy openssl-test]$ openssl x509 -in root_ca.pem -noout 
-subject -subject_hash -nameopt oneline,-esc_msb
subject= C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = 
Network Administration, CN = Köller Family Root Signing Certificate
f610372b
[thomas@sarkovy openssl-test]$ openssl x509 -in host_ca.pem -noout 
-issuer -issuer_hash -nameopt oneline,-esc_msb
issuer= C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = 
Network Administration, CN = Köller Family Root Signing Certificate
f610372b

Am I wrong to expect the verify command to succeed without errors in 
this case, even with -issuer_checks? I am attaching the two certificates,
in case someone wants to investigate the problem.

My openssl has been installed from the Fedora 20 package repository:

Name: openssl
Arch: x86_64
Epoch   : 1
Version : 1.0.1e
Release : 40.fc20



Thomas



-- 
Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet.

host_ca.pem
Description: application/x509-ca-cert


root_ca.pem
Description: application/x509-ca-cert


Re: Make depend issue in Openssl-1.0.1j/ssl

2014-10-30 Thread Jay Foster
I ran into this as well, but fixed it. The issue for me was my build 
environment was for a cross compilation.  It had some extra 
compiler/linker options that caused the  compiler to search the sysroot 
path header files before the ones specified by -I statements.  The 
result was the compiler was using the OpenSSL header files from my tool 
chain instead of the ones in the (latest) source.  The tool chain had 
the previous version installed, so was missing the TLS_MAX_VERSION 
definition.


Normally, -I include directives will get searched first, before 
any normal system search paths.  This will get the correct header files 
from the source tree.  If you do something like '-nostdinc 
-I${SYSROOT}/usr/include -I', then the reverse will happen.  Ref 
https://gcc.gnu.org/onlinedocs/cpp/Search-Path.html.


Jay
On 10/30/2014 12:40 PM, Philip Bellino wrote:


Hello,

I am running into the following issue when I do a "make depend" (after 
the "./config shared no-ssl3"):


making depend in ssl...

make[3]: Entering directory '.../openssl-1.0.1j/ssl'

s3_lib.c:3370:4: #error Code needs update for SSLv23_method() support 
beyond TLS1_2_VERSION.


d1_lib.c:274:4: #error Code needs update for DTLS_method() support 
beyond DTLS1_VERSION.


make[3]: *** [depend] Error 1







RE: Make depend issue in Openssl-1.0.1j/ssl

2014-10-30 Thread Jeremy Farrell
Suggest you try again starting from a new download (or after checking the 
digest of your current download). This works fine for me, and many people must 
have done similar builds without reporting this.

 

If that doesn't work, you'll need to specify the platform you're trying to 
build on and the compiler and other build tools and versions you are using.

 

Regards,

  jjf

 

From: Philip Bellino [mailto:pbell...@mrv.com] 
Sent: Thursday, October 30, 2014 7:41 PM



Hello,

I am running into the following issue when I do a "make depend" (after the 
"./config shared no-ssl3"):

 

making depend in ssl...

make[3]: Entering directory '.../openssl-1.0.1j/ssl'

s3_lib.c:3370:4: #error Code needs update for SSLv23_method() support beyond 
TLS1_2_VERSION.

d1_lib.c:274:4: #error Code needs update for DTLS_method() support beyond 
DTLS1_VERSION.

make[3]: *** [depend] Error 1

 



Make depend issue in Openssl-1.0.1j/ssl

2014-10-30 Thread Philip Bellino
Hello,
I am running into the following issue when I do a "make depend" (after the 
"./config shared no-ssl3"):


making depend in ssl...

make[3]: Entering directory '.../openssl-1.0.1j/ssl'

s3_lib.c:3370:4: #error Code needs update for SSLv23_method() support beyond 
TLS1_2_VERSION.

d1_lib.c:274:4: #error Code needs update for DTLS_method() support beyond 
DTLS1_VERSION.

make[3]: *** [depend] Error 1



In ssl/s3_lib.c, there is a new case statement in openssl-1.0.1j:

    case SSL_CTRL_CHECK_PROTO_VERSION:
        /* For library-internal use; checks that the current protocol
         * is the highest enabled version (according to s->ctx->method,
         * as version negotiation may have changed s->method). */
        if (s->version == s->ctx->method->version)
            return 1;
        /* Apparently we're using a version-flexible SSL_METHOD
         * (not at its highest protocol version). */
        if (s->ctx->method->version == SSLv23_method()->version)
            {
#if TLS_MAX_VERSION != TLS1_2_VERSION
#  error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
#endif
            if (!(s->options & SSL_OP_NO_TLSv1_2))
                return s->version == TLS1_2_VERSION;
            if (!(s->options & SSL_OP_NO_TLSv1_1))
                return s->version == TLS1_1_VERSION;
            if (!(s->options & SSL_OP_NO_TLSv1))
                return s->version == TLS1_VERSION;
            if (!(s->options & SSL_OP_NO_SSLv3))
                return s->version == SSL3_VERSION;
            if (!(s->options & SSL_OP_NO_SSLv2))
                return s->version == SSL2_VERSION;
            }
        return 0; /* Unexpected state; fail closed. */
--



A grep -ri TLS_MAX_VERSION *



include/openssl/tls1.h:#define TLS_MAX_VERSION TLS1_2_VERSION
ssl/s23_clnt.c:/* ensure that TLS_MAX_VERSION is up-to-date */
ssl/s23_clnt.c:OPENSSL_assert(s->version <= TLS_MAX_VERSION);
ssl/s3_lib.c:#if TLS_MAX_VERSION != TLS1_2_VERSION
ssl/tls1.h:#define TLS_MAX_VERSION TLS1_2_VERSION



and a  grep -ri  DTLS_MAX_VERSION  *



include/openssl/dtls1.h:#define DTLS_MAX_VERSION DTLS1_VERSION
ssl/dtls1.h:#define DTLS_MAX_VERSION DTLS1_VERSION
ssl/d1_lib.c:#if DTLS_MAX_VERSION != DTLS1_VERSION
ssl/d1_lib.c:return s->version == DTLS_MAX_VERSION;


This leads me to believe that the code should never have the above error 
conditions occur, but in fact it does.

Any help would be most appreciated and I apologize if I am missing something in 
my analysis.
Thanks,
Phil
Phil Bellino
Principal Software Engineer | MRV Communications Inc.
300 Apollo Drive |  Chelmsford, MA 01824
Phone: 978-674-6870  |   Fax: 978-674-6799
www.mrv.com



The contents of this message, together with any attachments, are intended only 
for the use of the person(s) to whom they are addressed and may contain 
confidential and/or privileged information. If you are not the intended 
recipient, immediately advise the sender, delete this message and any 
attachments and note that any distribution, or copying of this message, or any 
attachment, is prohibited.


Re: Expected results for testing Poodlebug using OpenSSL CLI

2014-10-30 Thread Jakob Bohm

On 29/10/2014 21:14, Paul Konen wrote:


Hi, I found on the web a way to use your tool to test for the new 
vulnerability called Poodlebug.


The command is: openssl s_client -connect ip:port -ssl3

I feel that I have tomcat configured to use TLS only and this is the 
response back.


When I execute this against a box that isn’t restricted to TLS, I see 
the certificate information returned.


Is the above window showing that it was NOT able to make a SSLv3 
connection?




You are making a very fundamental mistake here:  Refusing SSLv3 is
not the only way to secure a server against the POODLE attack (not
poodlebug, it is not a bug but an attack against known old bugs).

There are at least 3 ways:

A. Simply turning off SSLv3 connections, and lose support for
  older clients that cannot be upgraded to support TLS.  This is
  what you are testing for.

B. Support SSLv3, but implement the TLS_FALLBACK_SCSV system to
  ensure that up to date web browsers cannot be forced to use a
  lower SSL/TLS version than necessary.  This protects against
  the first half of the POODLE attack except when talking to old
  browsers that lack the new security features.

C. Support SSLv3, but limit it to RC4 only.  Continue to support
  better ciphers when the connection uses higher TLS versions
  that don't use the old RSADSI BSAFE padding that was part of
  SSLv3.  This is vulnerable to the cryptographic weakness of
  RC4, but not to any of the attacks against the SSLv3 ways of
  using block ciphers.

Currently, OpenSSL apparently has no obvious way to configure it
to do something like solution C, but servers using other SSL/TLS
implementations might do this, so any test tool needs to accept
it as a solution.

By the way, I have yet to hear of any other SSL implementation
doing anything to release fixes that enable solution B.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
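What "openssl s_client -connect ip:port -ssl3" does on the wire, and how the three server-side options Jakob lists show up in the reply, as an added Go example (this is not code from the thread or from OpenSSL). The probe sends a raw SSL 3.0 ClientHello and classifies the first record it gets back. Including TLS_FALLBACK_SCSV in the cipher list is what a browser does on a downgrade retry, so a server that implements option B answers with an inappropriate_fallback alert even though it still speaks SSL 3.0; option A answers with a handshake_failure or protocol_version alert, or simply closes the connection; option C shows up as a ServerHello at version 3.0 whose chosen suite is an RC4 one (0x0005 RC4-SHA or 0x0004 RC4-MD5). The suite list and the alert-name table are my own choices; the host:port is a parameter of Probe. Classify works on bytes alone, which is what the constructed records below exercise.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

const (
	recordHandshake = 0x16
	recordAlert     = 0x15
	fallbackSCSV    = 0x5600 // TLS_FALLBACK_SCSV (RFC 7507)
)

// Suites an SSL 3.0 client can plausibly offer (constructed list):
// AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA.
var sslv3Suites = []uint16{0x002F, 0x0035, 0x000A, 0x0005}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// SSLv3ClientHello builds a minimal SSL 3.0 ClientHello record (SSL 3.0 has
// no extensions). With withSCSV, TLS_FALLBACK_SCSV is appended to the cipher
// list, as a browser does when it retries a failed TLS handshake lower down.
func SSLv3ClientHello(withSCSV bool) []byte {
	suites := append([]uint16(nil), sslv3Suites...)
	if withSCSV {
		suites = append(suites, fallbackSCSV)
	}
	random := make([]byte, 32)
	if _, err := rand.Read(random); err != nil {
		panic(err)
	}
	body := []byte{3, 0}                     // client_version = SSL 3.0
	body = append(body, random...)           // random
	body = append(body, 0)                   // session_id: empty
	body = be16(body, uint16(2*len(suites))) // cipher_suites length in bytes
	for _, s := range suites {
		body = be16(body, s)
	}
	body = append(body, 1, 0) // compression_methods: null only
	hs := append([]byte{0x01, 0, byte(len(body) >> 8), byte(len(body))}, body...) // client_hello
	return append(be16([]byte{recordHandshake, 3, 0}, uint16(len(hs))), hs...)
}

// Result classifies the first record the server returns.
type Result int

const (
	Refused       Result = iota // an alert: SSL 3.0, or the downgrade, was rejected
	AcceptedSSLv3               // ServerHello at version 3.0: the server still speaks SSL 3.0
	Unknown
)

var alertNames = map[byte]string{
	40: "handshake_failure",      // typical when SSL 3.0 is disabled outright (option A)
	70: "protocol_version",       // same, from stacks that name the cause
	86: "inappropriate_fallback", // SCSV honoured: the server implements option B
}

// Classify interprets one complete record; anything that is not a record
// (including an empty reply, i.e. the server just closed) is an error.
func Classify(resp []byte) (Result, string, error) {
	if len(resp) < 5 {
		return Unknown, "", errors.New("no record: server closed the connection")
	}
	n := int(resp[3])<<8 | int(resp[4])
	if len(resp) < 5+n {
		return Unknown, "", errors.New("truncated record")
	}
	p := resp[5 : 5+n]
	switch resp[0] {
	case recordAlert:
		if len(p) < 2 {
			return Unknown, "", errors.New("short alert")
		}
		if name, ok := alertNames[p[1]]; ok {
			return Refused, name, nil
		}
		return Refused, fmt.Sprintf("alert %d", p[1]), nil
	case recordHandshake:
		if len(p) < 6 || p[0] != 0x02 || p[4] != 3 || p[5] != 0 {
			return Unknown, "", errors.New("unexpected handshake message")
		}
		// ServerHello: hdr(4) version(2) random(32) sid_len(1) sid cipher_suite(2)
		if len(p) >= 39 {
			if i := 39 + int(p[38]); len(p) >= i+2 {
				return AcceptedSSLv3, fmt.Sprintf("ServerHello 3.0, cipher suite 0x%02x%02x", p[i], p[i+1]), nil
			}
		}
		return AcceptedSSLv3, "ServerHello 3.0", nil
	}
	return Unknown, "", fmt.Errorf("unexpected record type %#x", resp[0])
}

// Probe sends the ClientHello to addr ("host:port") and classifies the reply.
func Probe(addr string, withSCSV bool) (Result, string, error) {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return Unknown, "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write(SSLv3ClientHello(withSCSV)); err != nil {
		return Unknown, "", err
	}
	hdr := make([]byte, 5)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return Classify(nil) // EOF before any record
	}
	body := make([]byte, int(hdr[3])<<8|int(hdr[4]))
	if _, err := io.ReadFull(conn, body); err != nil {
		return Unknown, "", err
	}
	return Classify(append(hdr, body...))
}

func main() { // e.g. go run . host:443
	r, detail, err := Probe(os.Args[1], true)
	fmt.Println(r, detail, err)
}
```

Run the probe twice, with and without the SCSV: a server that refuses only when the SCSV is present is an option-B server; one that refuses either way is option A; one that answers a ServerHello either way still speaks SSL 3.0, and the reported suite tells you whether it is an option-C deployment.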


Re: EC PrivateKey format

2014-10-30 Thread Dr. Stephen Henson
On Thu, Oct 30, 2014, Carl Tietjen wrote:

> Hey folks,
> 
> I am trying to get (export) a raw EC private key in the PKCS#8 format.
> 
> I am using the function i2d_PrivateKey (in i2d_pr.c).  The problem is that 
> this code first checks to see if there is an old method (i.e. 
> a->ameth->old_priv_encode) and if there is, it uses that method and returns.  
> If there is not an old method, then it continues on and exports the key using 
> the a->ameth->priv_encode method, which is PKCS#8.
> 
> 1) I can't seem to find any way (option or API) to make it so that there will 
> not be an old method. (i.e. Is there some flag I can set or some API I can 
> call to specify which method I want to be the default?)
> 
> 2) It seems that this function has the priority wrong (i.e. bug).  It seems 
> it should use the newer method first and fall back to the old method, rather 
> than what it does now, which is use the old method first and only use the 
> newer method if there is not an old method.
> 
> 

There is always a new method so if it used the new method first the old method
would never be called. The existing functionality is retained for
compatibility.

You can use i2d_PKCS8PrivateKey_bio() to export in encrypted or unencrypted
PKCS#8 form.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
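To see what i2d_PKCS8PrivateKey_bio() produces relative to the "old method" ECPrivateKey, here is an added Go example (not code from the thread or from OpenSSL). It writes one P-256 key in SEC 1 form (x509.MarshalECPrivateKey, the analogue of i2d_ECPrivateKey / old_priv_encode) and in PKCS#8 form (x509.MarshalPKCS8PrivateKey, the analogue of priv_encode), then parses the PKCS#8 envelope by hand with two ASN.1 structures of my own. What it shows: PKCS#8 is the same ECPrivateKey wrapped in a PrivateKeyInfo whose AlgorithmIdentifier carries id-ecPublicKey with the curve OID as its parameters, and the inner ECPrivateKey drops its own curve parameter because the envelope now holds it. Go's encoder is used here; OpenSSL's PKCS#8 EC output has the same shape.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// ecPrivateKey mirrors SEC 1 / RFC 5915 ECPrivateKey, the "old" encoding that
// i2d_ECPrivateKey produces (PEM label "EC PRIVATE KEY").
type ecPrivateKey struct {
	Version    int
	PrivateKey []byte
	NamedCurve asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"`
	PublicKey  asn1.BitString        `asn1:"optional,explicit,tag:1"`
}

// pkcs8Info mirrors RFC 5208 PrivateKeyInfo, the envelope that
// i2d_PKCS8PrivateKey produces (PEM label "PRIVATE KEY"). For EC keys the
// OCTET STRING holds an ECPrivateKey; the curve moves into Algorithm.
type pkcs8Info struct {
	Version    int
	Algorithm  pkix.AlgorithmIdentifier
	PrivateKey []byte
}

// Report records what the two encodings of one key look like.
type Report struct {
	AlgorithmOID, CurveOID      string
	SEC1HasCurve, InnerHasCurve bool
	ScalarsMatch, RoundTripOK   bool
}

// Unwrap parses only the PKCS#8 envelope and returns the key algorithm OID,
// the curve OID carried as its parameters, and the inner ECPrivateKey bytes.
func Unwrap(p8 []byte) (asn1.ObjectIdentifier, asn1.ObjectIdentifier, []byte, error) {
	var info pkcs8Info
	rest, err := asn1.Unmarshal(p8, &info)
	if err != nil {
		return nil, nil, nil, err
	}
	if len(rest) != 0 {
		return nil, nil, nil, fmt.Errorf("trailing data after PrivateKeyInfo")
	}
	var curve asn1.ObjectIdentifier
	if _, err := asn1.Unmarshal(info.Algorithm.Parameters.FullBytes, &curve); err != nil {
		return nil, nil, nil, fmt.Errorf("parameters are not a curve OID: %w", err)
	}
	return info.Algorithm.Algorithm, curve, info.PrivateKey, nil
}

// Demo encodes a fresh P-256 key both ways and compares the structures.
func Demo() (*Report, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sec1, err := x509.MarshalECPrivateKey(key) // SEC 1 ECPrivateKey
	if err != nil {
		return nil, err
	}
	p8, err := x509.MarshalPKCS8PrivateKey(key) // PKCS#8 PrivateKeyInfo
	if err != nil {
		return nil, err
	}
	algo, curve, inner, err := Unwrap(p8)
	if err != nil {
		return nil, err
	}
	var outer, wrapped ecPrivateKey
	if _, err := asn1.Unmarshal(sec1, &outer); err != nil {
		return nil, err
	}
	if _, err := asn1.Unmarshal(inner, &wrapped); err != nil {
		return nil, err
	}
	back, err := x509.ParsePKCS8PrivateKey(p8) // the generic parser handles the envelope
	if err != nil {
		return nil, err
	}
	ecBack, ok := back.(*ecdsa.PrivateKey)
	return &Report{
		AlgorithmOID:  algo.String(),
		CurveOID:      curve.String(),
		SEC1HasCurve:  len(outer.NamedCurve) > 0,
		InnerHasCurve: len(wrapped.NamedCurve) > 0,
		ScalarsMatch:  bytes.Equal(outer.PrivateKey, wrapped.PrivateKey),
		RoundTripOK:   ok && ecBack.D.Cmp(key.D) == 0,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The practical consequence for a consumer of these files: a parser for "EC PRIVATE KEY" must read the curve from the ECPrivateKey itself, while a parser for "PRIVATE KEY" must read it from the AlgorithmIdentifier and pass it down; a library that does only one of the two will reject the other format even though the key material is identical.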


EC PrivateKey format

2014-10-30 Thread Carl Tietjen
Hey folks,

I am trying to get (export) a raw EC private key in the PKCS#8 format.

I am using the function i2d_PrivateKey (in i2d_pr.c).  The problem is that this 
code first checks to see if there is an old method (i.e. 
a->ameth->old_priv_encode) and if there is, it uses that method and returns.  
If there is not an old method, then it continues on and exports the key using 
the a->ameth->priv_encode method, which is PKCS#8.

1) I can't seem to find any way (option or API) to make it so that there will 
not be an old method. (i.e. Is there some flag I can set or some API I can call 
to specify which method I want to be the default?)

2) It seems that this function has the priority wrong (i.e. bug).  It seems it 
should use the newer method first and fall back to the old method, rather than 
what it does now, which is use the old method first and only use the newer 
method if there is not an old method.


Thanks in advance for any help.

Carl Tietjen
NETIQ







Re: EVP_verify APIs

2014-10-30 Thread Dr. Stephen Henson
On Thu, Oct 30, 2014, Gayathri Manoj wrote:

> Hi Matt,
> 
> Currently I am getting the signed hash message from some other entity. So i
> can't make changes for the signing part.
> My current implementation is phone will send the signed hash message and
> our application will decrypt the signed message by using
> RSA_public_decrypt() and then we compare the resultant data  with hash
> value of the phone identity (will calculate this hash by using
> evp_digest*()  using the info supplied by phone).
> 
> It worked fine in openssl-0.9.8l in FIPS mode without any issue. I haven't
> made any other changes apart from upgrading to openssl-0.9.8za.  I have
> checked the source code of RSA_public_decrypt() and not found any
> difference in both versions. Please let me know what might be the reason
> and how can i rectify this. Is there any other API i can use apart from
> EVP_verify*().
> 

FIPS compliance requires that you use an approved signature scheme. If your
scheme is not compliant then there isn't much you can do about that.

Earlier versions of OpenSSL didn't enforce this and you can still override
this.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
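The difference between what the phone's scheme signs and what an approved PKCS#1 v1.5 signature signs, as an added Go example (not code from the thread or from OpenSSL). PublicDecrypt reimplements what RSA_public_decrypt() with RSA_PKCS1_PADDING does, a modular exponentiation with the public exponent followed by removal of the type-1 padding, using math/big, so the padded payload of each signature is visible: the legacy scheme leaves the bare SHA-256 hash, the EVP_Sign*/EVP_Verify* scheme leaves DigestInfo||hash, and a verifier built on the latter rejects the former. The identity string is constructed; signing with hash = 0 is Go's equivalent of RSA_private_encrypt over a precomputed hash, which is my assumption about how the phone produces its signature.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// sha256DigestInfo is the DER prefix (RFC 8017 section 9.2, note 1) that an
// EMSA-PKCS1-v1_5 signature places in front of a SHA-256 hash. A raw "signed
// hash" has no such prefix, which is why the two schemes are incompatible.
var sha256DigestInfo = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// PublicDecrypt reproduces RSA_public_decrypt(..., RSA_PKCS1_PADDING): s^e mod n,
// then strip the type-1 block 00 01 FF..FF 00. It returns whatever the signer
// padded and has no opinion about what that payload should contain.
func PublicDecrypt(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := (pub.N.BitLen() + 7) / 8
	if len(sig) != k {
		return nil, errors.New("signature length does not match modulus")
	}
	m := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N)
	b := m.Bytes()
	em := append(make([]byte, k-len(b)), b...) // left-pad to k bytes
	if em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("bad block type")
	}
	i := 2
	for i < k && em[i] == 0xFF {
		i++
	}
	if i < 10 || i >= k || em[i] != 0x00 { // at least 8 bytes of PS, then a 00 separator
		return nil, errors.New("bad padding")
	}
	return em[i+1:], nil
}

// Report compares the legacy scheme with the approved one for the same hash.
type Report struct {
	LegacyPayloadIsRawHash    bool // RSA_public_decrypt output == SHA-256(msg)
	ProperPayloadIsDigestInfo bool // RSA_public_decrypt output == DigestInfo || SHA-256(msg)
	ProperVerifies            bool // rsa.VerifyPKCS1v15 (EVP_Verify* equivalent) accepts it
	LegacySigFailsProper      bool // the same verifier rejects the legacy signature
}

// Demo signs a constructed identity string both ways. SignPKCS1v15 with hash 0
// pads and signs the caller's bytes as-is, which is what RSA_private_encrypt
// over a precomputed hash produces (assumed to be what the phone does).
func Demo() (*Report, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pub := &priv.PublicKey
	h := sha256.Sum256([]byte("phone-identity:IMEI-000000000000000")) // constructed sample
	legacySig, err := rsa.SignPKCS1v15(rand.Reader, priv, 0, h[:])
	if err != nil {
		return nil, err
	}
	properSig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	lp, err := PublicDecrypt(pub, legacySig)
	if err != nil {
		return nil, err
	}
	pp, err := PublicDecrypt(pub, properSig)
	if err != nil {
		return nil, err
	}
	return &Report{
		LegacyPayloadIsRawHash:    bytes.Equal(lp, h[:]),
		ProperPayloadIsDigestInfo: bytes.Equal(pp, append(append([]byte{}, sha256DigestInfo...), h[:]...)),
		ProperVerifies:            rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], properSig) == nil,
		LegacySigFailsProper:      rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], legacySig) != nil,
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The DigestInfo is what makes the approved scheme a signature over a named hash function rather than over 32 arbitrary bytes; a verifier that only compares the raw payload against a hash cannot tell which digest the signer used, which is one reason the raw form is not an approved scheme and why the phone side has to change before the server side can.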


Re: Windows and p12 files [Solved] sorta;

2014-10-30 Thread Gregory Sloop



Gregory,
 
>> * - Windows indeed will not handle a .p12 cert+key with the PKCS5 v2 [i.e. 
>> aes-256] encryption on it. It appears to only handle 3DES. [I didn't test 
>> every possible PBE - just 3DES and AES256] 

The Microsoft Windows operating system uses Cryptographic Service Provider 
(CSP) plug-in modules to do the actual implementation of the cryptographic 
functions so that Microsoft can ship their products world-wide, including to 
countries where cryptography may be restricted. The Base CSP shipped with all 
recent versions of Microsoft Windows is most likely restricted to 
lower-strength cryptography.
 
For a more complete discussion of this concept and to find out what providers 
are available for your country, see the MSDN article here:
http://msdn.microsoft.com/en-us/library/aa386983.aspx
 
According to the MSDN article referenced; in the US, Microsoft _does_ provide 
full support for AES-256 algorithms, but it is probable that the CSP that 
provides this capability might not be loaded by default on the operating system 
baseline.
 
Apple also uses this concept of "Cryptographic Service Provider", so search 
their web site(s) using this term. you may also be able to leverage Java and 
OpenSSL as the Apple OS X is UNIX-based.
 
Java 6 SE (and above) supports this under Java Cryptographic Architecture (JCA) 
and Java Secure Sockets Extensions (JSSE),  splitting the API and 
implementations using a similar concept of Providers.
 
A good starting point for Oracle Java Cryptographic Architecture that discusses 
which Providers are available is at this URL: 
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
 
Good luck with your testing of .p12.
 
Cheers!
 
Simba
Engineering

While this, as far as I can tell, is all true - it's also somewhat misleading. 
It's true that Windows and OSX have underlying APIs and functions that will 
handle AES etc - but that only helps if you're planning to code/program your 
own tools to import p12s. It won't help if you're an "end-user" or IT Admin 
person using the built-in tools [certmgr.msc] and the iOS keychain importer, 
etc. These built-in tools only understand p12s with 3DES and there's no way 
around that, as far as I can tell.

And frankly it would be insane for me to spend, probably, hundreds of hours 
[yeah, I am a lousy programmer. :)] learning the respective APIs and such, 
just so I could code a way to import AES encrypted P12s into Windows. And then 
do it all over again for iOS and again for OSX.

You're not the only one to suggest this - and I really don't mean to make light 
of the suggestion, it's a valid suggestion - but it just doesn't make sense in 
the current context. 

The bigger take-home issue is: Why Microsoft and Apple haven't updated their 
PKCS import tools in so freaking long and still appear to only support 3DES 
encryption of keys? This seems really irresponsible to me. It's not like 3DES 
is so horrible - but it's really not that great with ~112bit key vs 256bit key 
for AES-256.

I'd feel a lot more secure emailing a p12 with a private key to someone with a 
good tough password and AES-256 than I would with 3DES. And in quite a number 
of cases, it's far easier to distribute them this way - a web-server, FTP, 
email... 

Just try getting a p12 to an iOS device. iTunes, email, web-browser and that's 
basically it. [But iOS and iTunes just to copy a few files!?!? - well that's 
another unhinged rant for another thread... ...]

Thanks for the suggestion though! I do appreciate the time and effort expended, 
even if it doesn't make sense for me.

-Greg

RE: How to get https web site certificate public key

2014-10-30 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
> Sent: Tuesday, October 28, 2014 04:20

> Now I use i2d_RSAPublicKey() to encode on RSA* from EVP_PKEY which
> will show same as [Chrome]
 > 
> One more thing, I find use i2d_RSAPublicKey() will be get same public
> between openssl API and browser for some sites (twitter.com,
> developer.apple.com), but for www.google.com, I find that is not
> exactly same (just has same begin 30 82 01 0a 02 82 01 01 and others
> are not same).
> so why google is not same?
> 
RSA public key is a (default-tagged) SEQUENCE of two INTEGERs. 
Some of the len bytes in DER depend on the key size and pubexpt.
At the moment most servers including the three sites you name 
are using 2048-bit keys, although that was different in the past 
and may change again in the future, and the conventional 
pubexpt 65537 aka F4. For those parameters the encoding is
  30 82 01 0a                          # SEQUENCE 
     02 82 01 01 00 (256 bytes modulus) # INTEGER modulus, varies
     02 03 01 00 01                     # INTEGER pubexpt = 65537

Big websites like google, yahoo, twitter are not one machine.
They are maybe hundreds of machines to share the load,
often spread in locations around the world to reduce latency.
Usually they try to use the same cert&key for all of them or 
at least big chunks, but depending on who is managing what 
from where and when there is sometimes variation.

As of Tue from my network location, over about 15 minutes,
www.google.com resolves to 16 different IP addresses. 
Of these 11 are using a cert with
 - serial 04:29:2e:de:7a:09:f6:10
- validity starting 2014 oct 15 10:57:04 Z
- modulus beginning bb:cb:8a:0e
and 5 are using a cert with
- serial 1b:a9:d1:40:05:83:5c:00
- validity starting 2014 oct 22 12:57:51 Z
- modulus beginning c1:52:36:91

For twitter.com I get 11 IPs, all using the same cert.

It may be different at your location or different times.
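Dave's byte layout can be checked mechanically, and the observation that different google front ends differ only in the modulus bytes is easier to handle when you compare the SubjectPublicKeyInfo rather than the bare RSA structure. The Go program below is an added example, not the poster's code: it encodes one freshly generated 2048-bit key both as the bare RSAPublicKey (what i2d_RSAPublicKey writes, and what Jerry was comparing) and as SPKI (what i2d_PUBKEY writes and what a certificate actually carries), checks the prefix and suffix Dave lists, and derives the base64(SHA-256(SPKI)) value used for public-key pinning. Key size and exponent are assumptions matching the thread; any other size or exponent changes the length bytes, and LayoutMatches says so.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
)

// pkcs1Header is the fixed DER prefix for a 2048-bit modulus with its top bit
// set: SEQUENCE (0x10a bytes) { INTEGER (0x101 bytes: a leading 00 plus the
// 256 modulus bytes) ...
var pkcs1Header = []byte{0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00}

// pkcs1Trailer is INTEGER 65537 (F4), the conventional public exponent.
var pkcs1Trailer = []byte{0x02, 0x03, 0x01, 0x00, 0x01}

// Report holds what a comparison of one key's two encodings shows.
type Report struct {
	PKCS1Len, SPKILen int
	LayoutMatches     bool   // PKCS#1 bytes have exactly the layout above
	SPKIWrapsPKCS1    bool   // the PKCS#1 bytes appear verbatim inside the SPKI
	Pin               string // base64(SHA-256(SPKI)), the pinning value
}

// Encode returns both "public key" byte strings an application may see: the
// bare RSAPublicKey (i2d_RSAPublicKey) and the SubjectPublicKeyInfo
// (i2d_PUBKEY) that wraps it in an AlgorithmIdentifier plus a BIT STRING.
func Encode(pub *rsa.PublicKey) (pkcs1, spki []byte, err error) {
	spki, err = x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, nil, err
	}
	return x509.MarshalPKCS1PublicKey(pub), spki, nil
}

// LayoutMatches reports whether pkcs1 has the byte layout Dave gives for a
// 2048-bit modulus and e = 65537: 4 header bytes plus 0x10a of content.
func LayoutMatches(pkcs1 []byte) bool {
	return len(pkcs1) == 4+0x10a &&
		bytes.HasPrefix(pkcs1, pkcs1Header) && bytes.HasSuffix(pkcs1, pkcs1Trailer)
}

// SPKIPin hashes the whole SPKI rather than the bare RSA structure, so the
// value is defined for every key type and comparable across hosts that serve
// different certificates for the same key.
func SPKIPin(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Compare encodes one key both ways and reports the relationships.
func Compare(pub *rsa.PublicKey) (*Report, error) {
	pkcs1, spki, err := Encode(pub)
	if err != nil {
		return nil, err
	}
	return &Report{
		PKCS1Len:       len(pkcs1),
		SPKILen:        len(spki),
		LayoutMatches:  LayoutMatches(pkcs1),
		SPKIWrapsPKCS1: bytes.Contains(spki, pkcs1),
		Pin:            SPKIPin(spki),
	}, nil
}

// Demo generates a fresh 2048-bit key, the size the thread's sites use, and
// compares its encodings.
func Demo() (*Report, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return Compare(&priv.PublicKey)
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

To reproduce Dave's survey, collect the SPKI from each resolved address (in Go, cert.RawSubjectPublicKeyInfo after a TLS handshake) and group by SPKIPin; two addresses with the same pin share a key even when their certificates differ in serial or validity.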




certificate

2014-10-30 Thread Amir Reda
dear all
I made C++ code for a client and server; the server is the CA, the client sends
a request to the CA server and the server replies with a certificate. Then I
have tried some options:

1- server can verify the certificate using function CheckCert(X509 *)
2- the client can convert the certificate into int and store it in a buffer
to be used later
3- extract the serial number of the client certificate

1- my problem is the verification of the certificate fails all the time; I
don't know why
(the sign of the certificate itself failed)
2- the serial number extracted is all the time constant even if I change it
3- want to make sure the function CertConverter() is working well

thanks a lot for help


-- 
Warmest regards and best wishes for a good health,*urs sincerely *
*mero*
//
// Name        : certificate.cpp
// Author      : Amir
// Version     :
// Copyright   : Your copyright notice
// Description : Hello World in C++, Ansi-style
//

#include <iostream>
#include <ctime>
#include "server.h"
#include "client.h"
using namespace std;

int main()
{
	clock_t start, end;
	double msecs;

	start = clock();

	Client clientest;
	Server servertest;

	X509 *cert;
	cert = servertest.CreateCertificate(clientest.MakeSignedCertReq());

	clientest.SetCert(cert);
	clientest.CertConverter();
	X509 *test;
	test = clientest.GetCert();
	servertest.CheckCert(cert);
	//int serial = 0;
	//serial = clientest.ExtractCertSerial();
	//cout<<"client serial is "
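Thomas's question at the top of this digest (does a self-signed root and the intermediate it signed form a valid chain, and why does -issuer_checks print rejections) and Amir's CA-server code above come down to the same handful of checks. The Go program below is an added example, not code from either poster or from OpenSSL: it builds a constructed root/intermediate pair (the names are made up), issues the intermediate from a CSR the way a CA server should, after checking the CSR's self-signature, and then performs what `openssl verify -CAfile root_ca.pem host_ca.pem` performs: the intermediate's issuer equals the root's subject byte for byte, its AuthorityKeyIdentifier equals the root's SubjectKeyIdentifier, its signature verifies under the root key, and a full path validation with the root as the only trust anchor succeeds. The key-identifier step assumes the CA sets those extensions; they are optional in a chain but make issuer lookup unambiguous. On -issuer_checks itself: the verify(1) manual page documents that the option prints why each candidate issuer was rejected during the lookup and that those rejection messages do not by themselves mean anything is wrong; the trailing OK is the verdict.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate sets every policy field itself; only subject and public key are
// ever taken from a CSR. SubjectKeyId is left empty so that CreateCertificate
// derives it from the key (Go 1.15+) and copies it into the child's AKID.
func caTemplate(subject pkix.Name, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates the root, then acts as the CA server: it checks the CSR's
// self-signature (proof of possession) before issuing. Names are constructed.
func BuildChain() (root, inter *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := caTemplate(pkix.Name{Country: []string{"DE"}, Organization: []string{"Example Family"},
		CommonName: "Example Family Root Signing Certificate"}, 1)
	root, err = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, nil, err
	}
	interKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the requester
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{Country: []string{"DE"}, Organization: []string{"Example Family"},
			CommonName: "Example Family Host Signing Certificate"}}, interKey)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, fmt.Errorf("CSR rejected: %w", err)
	}
	inter, err = issue(caTemplate(csr.Subject, 4711), root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return root, inter, nil
}

// CheckChain does what `openssl verify -CAfile root.pem inter.pem` does: name
// linkage, key-identifier linkage, the signature itself, then a full path
// validation with the root as the only trust anchor.
func CheckChain(root, inter *x509.Certificate) error {
	if !bytes.Equal(inter.RawIssuer, root.RawSubject) {
		return fmt.Errorf("subject issuer mismatch")
	}
	if !bytes.Equal(inter.AuthorityKeyId, root.SubjectKeyId) {
		return fmt.Errorf("authority/subject key identifier mismatch")
	}
	if err := inter.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := inter.Verify(x509.VerifyOptions{
		Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, inter, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("serial", inter.SerialNumber, "verify:", CheckChain(root, inter))
}
```

The order of the checks matters for diagnosis: a name or key-identifier mismatch means the wrong issuer was paired with the certificate, while a signature failure with matching names means the certificate was signed by a different key under the same name, which is the case Amir's "verification fails all the time" most often turns out to be when the CA re-generates its key between runs.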

Re: EVP_verify APIs

2014-10-30 Thread Gayathri Manoj
Hi Matt,

Currently I am getting the signed hash message from some other entity. So i
can't make changes for the signing part.
My current implementation is phone will send the signed hash message and
our application will decrypt the signed message by using
RSA_public_decrypt() and then we compare the resultant data  with hash
value of the phone identity (will calculate this hash by using
evp_digest*()  using the info supplied by phone).

It worked fine in openssl-0.9.8l in FIPS mode without any issue. I haven't
made any other changes apart from upgrading to openssl-0.9.8za.  I have
checked the source code of RSA_public_decrypt() and not found any
difference in both versions. Please let me know what might be the reason
and how can i rectify this. Is there any other API i can use apart from
EVP_verify*().


Thanks,
Gayathri

On Thu, Oct 30, 2014 at 10:26 AM, Gayathri Manoj 
wrote:

> Hi Matt,
>
>
> Sorry for the inconvenience caused by you through my mail.
>
> 1.  In RSA_public_decrypt(), the below line is added in latest version of
> the openssl. I have used the same in 0.9.8l
> #ifdef OPENSSL_FIPS
> if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
> {
> RSAerr(RSA_F_RSA_PUBLIC_
> DECRYPT,
> RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
> return 0;
> Hence my system has not thrown any error while in FIPS mode. But to
> address CVE-2014-0195, CVE-2014-0221 and CVE-2014-0224 I have upgraded
> my system with openssl-0.9.8za.
> After this I am not able to the phone's signed data.
>
> 2. I wanted to decrypt the data signed with the private key of the phone using its
> public key. My aim is to decrypt the data which is given by phone.
> Currently I am using RSA_public_decrypt(sgnLen, signedData, dBuf,
> RSAPubKey, RSA_PKCS1_PADDING);
> Here we trying to decrypt 'signedData' using phones public key.
>
> Please let me know how to decrypt this information in FIPS mode.
>
> Thanks,
> Gayathri
>
>
>
>
>
> On Thu, Oct 30, 2014 at 5:28 AM, Matt Caswell  wrote:
>
>>
>>
>> On 29/10/14 09:03, Gayathri Manoj wrote:
>> > Hi Matt,
>> >
>> > Thanks Matt.
>> >
>> > Please let me know RSA_public_decrypt() is FIPS compliant in later
>> > version (openssl 1.0.x).
>> >
>> > Currently I am using RSA_public_decrypt() in openssl-0.9.8l and not found
>> > any issues in FIPS mode. To address some of the CVE, I have upgraded
>> > openssl - from 0.9.8l to openssl-0.9.8za and encountered the
>> > decryption issue.
>>
>> I am slightly surprised that you are using RSA_public_decrypt in FIPS
>> mode without issues. I just checked the source code:
>>
>> int RSA_public_decrypt(int flen, const unsigned char *from, unsigned
>> char *to,
>>  RSA *rsa, int padding)
>> {
>> #ifdef OPENSSL_FIPS
>> if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
>> {
>> RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
>> RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
>> return 0;
>> }
>> #endif
>> return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
>> }
>>
>> with the flag RSA_FLAG_NON_FIPS_ALLOW defined as follows:
>> /* If this flag is set the operations normally disabled in FIPS mode are
>>  * permitted it is then the applications responsibility to ensure that the
>>  * usage is compliant.
>>  */
>>
>> #define RSA_FLAG_NON_FIPS_ALLOW 0x0400
>>
>> As you can see from the above if fips mode is set you should not be able
>> to use RSA_public_decrypt *unless* you have also set
>> RSA_FLAG_NON_FIPS_ALLOW...in which case it is up to you to ensure
>> compliance.
>>
>> The above is the code from 0.9.8...similar code exists for later
>> versions, i.e. you should not be able to call this function in FIPS mode.
>>
>> > To address some of the CVE, I have upgraded
>> > openssl - from 0.9.8l to openssl-0.9.8ZA and   encountered the
>> > decryption issue.
>>
>> Sorry, I don't understand this. What decryption issue?
>>
>> >
>> > As per your explanation, to make the system FIPS compliant in 0.9.8za, I
>> > have to
>> >1.  replace the RSA_public_decrypt() with EVP_verify()
>> >EVP_VerifyInit(), EVP_VerifyUpdate() and
>> > EVP_VerifyFinal()
>> >   EVP_VerifyUpdate() - A buffer
>> > with the data to be verified. Same data in EVP_signUpdate()
>> >   EVP_VerifyFinal  - same
>> > signature which is used for EVP_SignFinal()
>> > 2. Needs to make similar changes in signing part using EVP_Sign*()
>> > EVP_SignInit(), EVP_SignUpdate() and
>> > EVP_SignFinal()
>> >EVP_SignUpdate() - should contain
>> > the data to be signed
>> >EVP_SignFinal - should contain a
>> > buffer to receive the signature
>> >
>>
>> That would be the recommended approach, yes. Although you didn't answer
>> my question about wh

Re: Expected results for testing Poodlebug using OpenSSL CLI

2014-10-30 Thread Florian Weimer
* Paul Konen:

> Is the above window showing that is was NOT able to make a SSLv3 connection?

Yes, the output is certainly confusing, but it indicates an aborted
SSL 3.0 handshake.


RE: Help

2014-10-30 Thread bernard Hauzeur
You may have missed the openSSL wiki 
  which is not always obvious to 
reach when you start ….

 

Do not forget to initialize openSSL in your code as explained at 
http://wiki.openssl.org/index.php/Libcrypto_API

A good place to get a grip on the relevant functions is from 
http://wiki.openssl.org/index.php/Documentation_Index

 

Also look at examples in source code bundles under openssl\demos

 

There's an intro to EVP crypto functions at 
http://wiki.openssl.org/index.php/EVP ; they provide a higher level API over 
RSA_xxx and others (which may better match your problem context than the lower 
level use), so don't hesitate to navigate source code to see how the lower 
level functions are used…

You may also look at the openSSL command line source code to see how each RSA 
encrypt/decrypt operation is invoked…

 

I must acknowledge the documentation has its logic but puzzling when you start 
and often requires to reverse engineer source code to find the details…

 

Enjoy

 

Bernard H

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Fischel
Sent: Tuesday, October 28, 2014 3:32 PM
To: openssl-users@openssl.org
Cc: ffajbus...@bas.com.ar
Subject: Help

 

Hi:

Where could find some example to see how this functions are used

RSA_generate_key_ex

RSA_public_encrypt
RSA_private_decrypt

 

Thanks a lot
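As a worked answer to the original question, here is an added Go example (not from the thread, the wiki or OpenSSL's demos) of the same three operations: key generation, encryption with the public key, decryption with the private key. It uses OAEP rather than RSA_PKCS1_PADDING, enforces the plaintext size limit before calling into the library, binds a label into the ciphertext so it only decrypts in the intended context, and wraps a symmetric session key, which is the realistic use of RSA encryption. The 32-byte key and the label are constructed values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MaxPlaintext is the OAEP limit k - 2*hLen - 2 (RFC 8017 section 7.1.1):
// 190 bytes for a 2048-bit key with SHA-256. Anything larger goes under a
// symmetric key that RSA wraps, as Demo does.
func MaxPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// Encrypt is the rsa.EncryptOAEP counterpart of RSA_public_encrypt() with
// RSA_PKCS1_OAEP_PADDING. The label is bound into the padding: the ciphertext
// only decrypts under the same label.
func Encrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	if max := MaxPlaintext(pub); len(plaintext) > max {
		return nil, fmt.Errorf("plaintext is %d bytes, OAEP/SHA-256 allows at most %d for this key", len(plaintext), max)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, label)
}

// Decrypt is the rsa.DecryptOAEP counterpart of RSA_private_decrypt(). The
// error it returns is deliberately generic: OAEP failures must not say why.
func Decrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, label)
}

// Report records a round trip and the two failure modes worth seeing.
type Report struct {
	RoundTripOK      bool
	WrongLabelFails  bool
	OversizeRejected bool
	MaxPlaintext     int
}

// Demo generates a 2048-bit key (RSA_generate_key_ex equivalent) and wraps a
// constructed 32-byte session key under it.
func Demo() (*Report, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	pub := &priv.PublicKey
	sessionKey := bytes.Repeat([]byte{0x42}, 32) // constructed; use rand.Read in real code
	label := []byte("session-key-wrap-v1")      // constructed context label

	ct, err := Encrypt(pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	pt, err := Decrypt(priv, ct, label)
	if err != nil {
		return nil, err
	}
	_, wrongLabelErr := Decrypt(priv, ct, []byte("other-context"))
	_, oversizeErr := Encrypt(pub, make([]byte, MaxPlaintext(pub)+1), label)

	return &Report{
		RoundTripOK:      bytes.Equal(pt, sessionKey),
		WrongLabelFails:  wrongLabelErr != nil,
		OversizeRejected: oversizeErr != nil,
		MaxPlaintext:     MaxPlaintext(pub),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The same structure maps onto the EVP interface Bernard points to: EVP_PKEY_encrypt with EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) and EVP_PKEY_CTX_set0_rsa_oaep_label for the label, rather than the bare RSA_public_encrypt call.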