Why public key SHA1 is not same as Subject key Identifier
Hi All:

As I know, when calculating the public key in a certificate, its SHA1 value is equal to the Subject Key Identifier in the certificate, and I verified this, and found that some websites follow this.

But when I go to the www.google.com website, I find the leaf certificate and intermediate certificate are OK, but the root CA certificate (GeoTrust Global CA) is not.

For the GeoTrust Global CA certificate:

Public Key SHA1: 00:f9:2a:c3:41:91:b6:c9:c2:b8:3e:55:f2:c0:97:11:13:a0:07:20
Subject Key Identifier: c0 7a 98 68 8d 89 fb ab 05 64 0c 11 7d aa 7d 65 b8 ca cc 4e

As you can see above, Public Key SHA1 is not the same as Subject Key Identifier. What's wrong about this?

Thanks a lot!

-- Rejoice,I Desire!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Openssl IPv6 Support
Hi,

Does Openssl support IPv6 officially?

Thanks
Regards
Darshan
Re: Openssl IPv6 Support
On Wednesday, November 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:

> Hi,
> Does Openssl support IPv6 officially?
> Thanks
> Regards
> Darshan

Hi,

We are using openssl for our application servers with IPv6. It turned out that the function BIO_set_conn_hostname() (and maybe others) is not capable of dealing with an IPv6 IP addr (which contains colon signs). We changed our code to create the socket the normal way:

    /* connect to an IPv6 server */
    /* req holds the lookup hints, ans receives the result list */
    getaddrinfo(serverIP, connport, &req, &ans);
    sockFd = socket(ans->ai_family, ans->ai_socktype, ans->ai_protocol);
    connect(sockFd, ans->ai_addr, ans->ai_addrlen);

and are using the created socket to bring up SSL on it with:

    /* build SSL context on this socket */
    ctx = SSL_CTX_new(SSLv23_client_method());
    bio = BIO_new_socket(sockFd, BIO_NOCLOSE);
    BIO_ctrl(bio, BIO_C_SSL_MODE, 1, 0);
    ssl = SSL_new(ctx);
    SSL_set_bio(ssl, bio, bio);
    res = SSL_connect(ssl);

This works fine with IPv4 and IPv6.

HIH

matthias

--
Matthias Apitz
E-mail: g...@unixarea.de
WWW: http://www.unixarea.de/
phone: +49-170-4527211
Re: Openssl IPv6 Support
On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:

> Hi,
> Does Openssl support IPv6 officially?

AFAIK the libssl and libcrypto libraries do not use sockets at all, these are left to the applications/libraries using them.

So openssl supports neither ipv4 nor ipv6.

Ciao, Marcus
Is FTP impacted by POODLE
Hi,

Can you please let me know if the FTP service can be impacted by the POODLE vulnerability?

Thanks
Regards
Venkat
Re: Openssl IPv6 Support
> From: owner-openssl-us...@openssl.org On Behalf Of Marcus Meissner
> Sent: Wednesday, November 05, 2014 04:10

> On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:
>> Hi, Does Openssl support IPv6 officially?
> AFAIK the libssl and libcrypto libraries do not use sockets at all, these are left to the applications/libraries using them.

libssl requires something it can send and receive on using the BIO API that represents the connection to the peer and is normally a socket, although in principle you could write your own module to substitute something crazy like IP-over-carrier-pigeon.

The BIO module in libcrypto provides a BIO_sock instance that does I/O on an OS socket and provides the BIO API to libssl (or to code that wants to use plain non-SSL sockets, FTM). BIO_sock can send and receive on any opened socket, IP4 or IP6. So if the application 'connect's or 'accept's the sockets, and then passes them to SSL_set_fd (or equivalent) it works.

But last I looked, BIO_sock cannot do IP6 *connect*, and only does IP6 *accept* if you give it an already IP6 listen socket.
RE: Why public key SHA1 is not same as Subject key Identifier
> From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
> Sent: Wednesday, November 05, 2014 03:11

> But when I go to www.google.com website, I find the leaf certificate and intermediate certificate is ok, but root CA certificate (GeoTrust Global CA) is not.
<snip>
> Public Key SHA1: 00:f9:2a:c3:41:91:b6:c9:c2:b8:3e:55:f2:c0:97:11:13:a0:07:20
> Subject Key Identifier: c0 7a 98 68 8d 89 fb ab 05 64 0c 11 7d aa 7d 65 b8 ca cc 4e

http://tools.ietf.org/html/rfc5280.html#section-4.2.1.2 notice the difference between MUST and SHOULD. See the referenced RFC 2119 if necessary.
RE: sign data and verify it
> From: owner-openssl-us...@openssl.org On Behalf Of Amir Reda
> Sent: Wednesday, November 05, 2014 02:42

> 1- i generate rsa key pairs and try to print it in a pem file but when i open the file it was empty

You never close or even flush the file. openssl uses C I/O and C I/O by default is usually buffered and not actually written until the file is closed, flushed, repositioned, direction changed on an update: file, or the buffer is filled. Details vary depending on your C implementation which you don't identify. For file-BIO, the generic BIO_free does the close, otherwise see the manpage.

Also, you tell BIO_new_file to open in mode wb. PEM data is text not binary, and on implementations where these are different (mostly Windows) writing PEM as binary will produce a file that other tools may not handle correctly (Notepad is particularly bad) although other programs using C including those using openssl file-BIO will probably read okay and that may be enough.

> 2- when i use function RSA_public_encrypt () to encrypt some data it does nothing because i print the data using cout before encryption then print it after encryption it was the same

You generate a key of 2048 *bits* and then try to encrypt 256 *bytes* of data. You can't do that much; the data you encrypt plus some overhead determined by the padding must be smaller than the modulus. For RSA PKCS1 padding (actually retronymed PKCS1-v1.5 or some variant) this is 11 bytes; see rsa.h.

If you checked the return code from RSA_public_encrypt you would know it had an error. When any openssl routine returns an error indication, you should call the ERR_ routines to get and usually display details about the error, usually after loading error strings, except that some SSL_ routines you should first check SSL_get_error to see if it's a real openssl error, a system call (I/O) error, or a nonblocking case like WANT_READ. See https://www.openssl.org/support/faq.html#PROG6 and https://www.openssl.org/support/faq.html#PROG7

Most real systems use hybrid encryption: the bulk data is encrypted by a symmetric cipher using a newly generated symmetric key (and usually IV if applicable), and the symmetric key which is a fixed size always small enough is encrypted with RSA. See the PKCS7_ and CMS_ routines as one example, although these also protect the public key with a certificate so that the encrypted data has a decent chance of actually being safe against attacks, which is usually the desired result of using cryptography.

> - the sign function RSA_sign () has a problem

Similarly you try to sign 256 bytes, which won't work. Again real systems generate a *hash* of the data, which is a small fixed size, and RSA-sign the hash with padding, except that here the padding also includes adding (and removing/checking) an ASN.1 header that identifies the hash algorithm.

The EVP_Digest{Sign,Verify} and EVP_{Seal,Open} series of routines handle these details for you and are usually better than rolling your own crypto.
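The size limits described in the reply above, as an added example that is not part of the original message or of OpenSSL: it lays out the two PKCS#1 v1.5 block formats byte by byte to show why 256 bytes do not fit a 2048-bit modulus while a hash plus its ASN.1 header does. The function names are assumptions of this example, and it only builds the padded blocks; the RSA operation itself is left to the EVP routines the reply recommends.

```python
import hashlib
import os

# DER DigestInfo headers (AlgorithmIdentifier + OCTET STRING tag/length) that
# PKCS#1 v1.5 signatures put in front of the hash value.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def modulus_len(modulus_bits):
    """Length k of the RSA modulus in bytes."""
    return (modulus_bits + 7) // 8


def max_encrypt_len(modulus_bits):
    """Largest input RSA_public_encrypt accepts with PKCS#1 v1.5 padding."""
    return modulus_len(modulus_bits) - 11


def nonzero_random(n):
    """n random bytes, none of them zero (rejection sampling)."""
    out = bytearray()
    while len(out) < n:
        out += bytes(b for b in os.urandom(n - len(out)) if b)
    return bytes(out)


def eme_pkcs1_v15(data, modulus_bits):
    """Encryption block: 00 02 | PS (>= 8 non-zero bytes) | 00 | data."""
    k = modulus_len(modulus_bits)
    if len(data) > k - 11:
        raise ValueError(
            "data is %d bytes, limit for a %d-bit key is %d"
            % (len(data), modulus_bits, k - 11))
    return b"\x00\x02" + nonzero_random(k - len(data) - 3) + b"\x00" + data


def emsa_pkcs1_v15(message, modulus_bits, hash_name="sha256"):
    """Signature block: 00 01 | FF.. | 00 | DigestInfo header | hash(message)."""
    k = modulus_len(modulus_bits)
    digest_info = (DIGEST_INFO_PREFIX[hash_name]
                   + hashlib.new(hash_name, message).digest())
    if k < len(digest_info) + 11:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info


if __name__ == "__main__":
    data = bytes(256)  # constructed input: 256 zero bytes, as in the question
    print("max input for 2048-bit key:", max_encrypt_len(2048))
    try:
        eme_pkcs1_v15(data, 2048)
    except ValueError as exc:
        print("encrypt refused:", exc)
    em = emsa_pkcs1_v15(data, 2048)
    print("signature block:", len(em), "bytes, hash covers", len(data), "bytes")
```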
RE: Query: Disabling SSLv3
Jeffrey,

May I ask why you included no-ssl2 as an option to config? Is only adding no-ssl3 not sufficient enough to fully disable SSLv3?

Thanks,
Phil

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Wednesday, November 05, 2014 12:45 AM
To: OpenSSL Users List
Subject: Re: Query: Disabling SSLv3

> We are upgrading to OpenSSL 0.9.8zc on FreeBSD based OS to mitigate POODLE risk.
> Could you please answer our following query,
>
> Definition of a function ssl23_get_client_method() in C file 'openssl-0.9.8zc/ssl/s23_clnt.c' shows,
>
>     #ifndef OPENSSL_NO_SSL3
>         if (ver == SSL3_VERSION)
>             return(SSLv3_client_method());
>     #endif
>
> So does this mean, 0.9.8zc needs to be built with -DOPENSSL_NO_SSL3 to block downgrading to SSLv3 in SSLv23_* functions ?

If you want to disable SSLv3 at configure time, then:

    ./config no-ssl2 no-ssl3 ...

The configure option will define OPENSSL_NO_SSL3. See http://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options for more on the options.
Re: The ascension of Matt Caswell
Thanks. I am still having issues with doing a debug. Mingw 32 with only code blocks still does not work. As best I can tell this thing is made to not look inside. Give me an idea on this. There is no way to tell how private keys are made.

Dave

On 11/4/2014 7:13 AM, Steve Marquess wrote:

> I am very pleased to report that Matt Caswell, a current part time OpenSSL team member, will be reporting for duty as a full time dedicated OpenSSL resource beginning November 10.
>
> It has taken a small eternity in tedious aggravation to make the necessary legal and accounting arrangements (which are even now not entirely complete), but we are putting the donations that came our way in the wake of the Heartbleed publicity to good use. We have calculated that the donation funding in hand, plus that promised but uncollected, plus revenue from our software support contracts, will suffice to support this new full time position and eventually one other as well.
>
> Matt is leaving a successful commercial career to join the two current full time resources, Steve Henson and Andy Polyakov, who are funded via the Linux Foundation Core Infrastructure Initiative (CII). Unlike those two CII funded positions, Matt will be entirely funded by direct donations from individual contributors, sponsors of various types, and support contract customers. The list of such supporters is a long one, and some of them have requested anonymity, but I would like to thank Smartisan, Huawei, and Akamai in particular.
>
> -Steve M.

--
Dave Paxton
dpax...@me.com
208 570 9755
skype: dpaxton
Re: Query: Disabling SSLv3
On Wed, Nov 05, 2014 at 12:18:05PM +, Philip Bellino wrote:

> Jeffrey,
> May I ask why you included no-ssl2 as an option to config?
> Is only adding no-ssl3 not sufficient enough to fully disable SSLv3?

No. If you leave SSLv2 enabled, and disable SSLv3, then in many cases you always get SSLv2! SSL/TLS clients advertise a range of protocols (min, max) not a list. If the min is SSLv2 and SSLv3 is disabled then the max is also SSLv2, unless explicitly disabled by the application, or use of extensions forces SSLv3 or later.

--
Viktor.
Re: Why public key SHA1 is not same as Subject key Identifier
On 05/11/2014 09:11, Jerry OELoo wrote:

> Hi All:
> As I know, When calculate Public key in certificate, it's SHA1 value is equal to Subject Key Identifier in certificate, and I verify this, and found that some websites are follow this.
> But when I go to www.google.com website, I find the leaf certificate and intermediate certificate is ok, but root CA certificate (GeoTrust Global CA) is not.
>
> For Geo Trust Global CA certificate.
> Public Key SHA1: 00:f9:2a:c3:41:91:b6:c9:c2:b8:3e:55:f2:c0:97:11:13:a0:07:20
> Subject Key Identifier: c0 7a 98 68 8d 89 fb ab 05 64 0c 11 7d aa 7d 65 b8 ca cc 4e
>
> As you can above, Public Key SHA1 is not same as Subject Key Identifier.
> What' wrong about this? Thanks a lot!

The subject key identifier is any short value that the CA can come up with to use as a kind of alternative serial number of the certificate. It could be a checksum of the public key (using any algorithm), or it could just be a reference to an internal CA database. The only important thing is that in some cases, the certificate may be referenced by this number and not the full subject distinguished name.

Using SHA1(public key) used to be a common practice, but as use of SHA1 is being phased out in favor of new hash algorithms with longer values, CAs are going to start to use other formulas for making up unique key identifiers, and most of them are not going to reveal their chosen formula.

One formula that should work far into the future could be AES-encrypt(some-unpublished-key, concat(sequential CA id, sequential database ID)), this will fit nicely in just 16 bytes (128 bits) yet be guaranteed unique within a CA company regardless of hash collisions. Cracking that AES key would gain an attacker very little (except perhaps a way to enumerate certificates using lookup mechanisms that require knowledge of the SKI as proof of need to know).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3.

Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'.

Everything looks normal/good until the last step, which ends in the following:

    .\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
    .\apps\s_cb.c(803) : see declaration of 'in6_addr'
    .\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
    .\apps\s_cb.c(836) : see declaration of 'in6_addr'
    .\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
    .\apps\s_cb.c(884) : see declaration of 'in6_addr'
    .\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
    .\apps\s_cb.c(917) : see declaration of 'in6_addr'
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

I've not seen these errors when installing previous versions of OpenSSL. I looked into the offending code in apps\s_cb.c, but I'm not a developer.

Is this a known error for the 1.0.1j version on Windows? Has something been modified in the IPv6 code that is causing this new error? Has no one else had this problem?

Any help is appreciated!
Re: Openssl IPv6 Support
--On November 5, 2014 at 10:10:26 AM +0100 Marcus Meissner meiss...@suse.de wrote:

> On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:
>> Hi, Does Openssl support IPv6 officially?
> AFAIK the libssl and libcrypto libraries do not use sockets at all, these are left to the applications/libraries using them.
> So openssl does neither support ipv4 nor ipv6.

Apparently you've never used s_client, or looked at the *ancient* bug explicitly asking that IPv6 support be added for s_client and s_server in OpenSSL. It even has a patch that's been widely used for years by major linux distributions.

It boggles the mind that to this day that patch has not been integrated in the 5 years since the bug was opened.

See http://rt.openssl.org/Ticket/Display.html?id=2051, https://bugs.debian.org/589520

--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: Is FTP impacted by POODLE
On Wed, Nov 05, 2014 at 03:57:48PM +0530, Venkat V wrote:

> Hi
> Can you please let me know if FTP service can be impacted by POODLE vulnerability

The attack depends on being able to let the client connect multiple times and have control over part of the plain text.

In theory a browser could implement ftps and an attacker could then try to download files with different names. If the ftp site also requires login information and the browser has stored that, it could try and steal that information that way. So I think it is impacted.

However, I'm not sure many browsers support ftps. Most seem to support ftp but not ftps for some reason. I'm also not sure how many people use their browser to log in to ftp-sites since in my experience it's not working very well. I'm also not sure there are many ftp sites that support SSL/TLS.

So my understanding is that it is theoretically possible but very unlikely.

Kurt
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Sorry, typo - s/b 'VCVARS32.bat'

So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?

Haven't the IPv6 pieces of the OpenSSL code been around for a while? I know I saw posts regarding it from several years back in the list archive.

Thanks!

On 11/5/2014 12:13 PM, Walter H. wrote:

> On 05.11.2014 18:47, neil carter wrote:
>> I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3.
>>
>> Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'.
>>
>> Everything looks normal/good until the last step, which ends in the following:
>
> VCVARS21.BAT = Visual C++ 2.1?
> if yes, you should throw away the old ancient compiler of the early beginning of WinNT ... as of 1994; and get the new actual Platform SDK from Microsoft ...
>
>> .\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
>> .\apps\s_cb.c(803) : see declaration of 'in6_addr'
>> .\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
>> .\apps\s_cb.c(836) : see declaration of 'in6_addr'
>> .\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
>> .\apps\s_cb.c(884) : see declaration of 'in6_addr'
>> .\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
>> .\apps\s_cb.c(917) : see declaration of 'in6_addr'
>> NMAKE : fatal error U1077: 'cl' : return code '0x2'
>> Stop.
>
> this seems that you include ancient SDK headers not capable of IPv6 at all ...
RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
VS6 essentially became obsolete in 2002, with the release of Visual Studio 7 .NET. IIRC, IPv6 was still in its infancy.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of neil carter
Sent: Wednesday, November 05, 2014 10:28 AM
To: Walter H.; openssl-users@openssl.org
Subject: Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

> Sorry, typo - s/b 'VCVARS32.bat'
>
> So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?
>
> Haven't the IPv6 pieces of the OpenSSL code been around for a while? I know I saw posts regarding it from several years back in the list archive.
>
> Thanks!
>
> On 11/5/2014 12:13 PM, Walter H. wrote:
>> On 05.11.2014 18:47, neil carter wrote:
>>> I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3.
>>>
>>> Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'.
>>>
>>> Everything looks normal/good until the last step, which ends in the following:
>>
>> VCVARS21.BAT = Visual C++ 2.1?
>> if yes, you should throw away the old ancient compiler of the early beginning of WinNT ... as of 1994; and get the new actual Platform SDK from Microsoft ...
>>
>>> .\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
>>> .\apps\s_cb.c(803) : see declaration of 'in6_addr'
>>> .\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
>>> .\apps\s_cb.c(836) : see declaration of 'in6_addr'
>>> .\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
>>> .\apps\s_cb.c(884) : see declaration of 'in6_addr'
>>> .\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
>>> .\apps\s_cb.c(917) : see declaration of 'in6_addr'
>>> NMAKE : fatal error U1077: 'cl' : return code '0x2'
>>> Stop.
>>
>> this seems that you include ancient SDK headers not capable of IPv6 at all ...
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
On 05.11.2014 18:47, neil carter wrote:

> I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3.
>
> Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'.
>
> Everything looks normal/good until the last step, which ends in the following:

VCVARS21.BAT = Visual C++ 2.1?
if yes, you should throw away the old ancient compiler of the early beginning of WinNT ... as of 1994; and get the new actual Platform SDK from Microsoft ...

> .\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
> .\apps\s_cb.c(803) : see declaration of 'in6_addr'
> .\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
> .\apps\s_cb.c(836) : see declaration of 'in6_addr'
> .\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
> .\apps\s_cb.c(884) : see declaration of 'in6_addr'
> .\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
> .\apps\s_cb.c(917) : see declaration of 'in6_addr'
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.

this seems that you include ancient SDK headers not capable of IPv6 at all ...
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
On 05.11.2014 19:27, neil carter wrote:

> Sorry, typo - s/b 'VCVARS32.bat'
>
> So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?

yes, definitely WINSOCK2.H contains this:

    /*
     * Constants and structures defined by the internet system,
     * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
     */

by the way: Visual C++ is from 1998, also an old ancient compiler we have 2014 ;-)
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
So then why was 1.0.1g able to compile without these errors?

On 11/5/2014 12:48 PM, Walter H. wrote:

> On 05.11.2014 19:27, neil carter wrote:
>> Sorry, typo - s/b 'VCVARS32.bat'
>>
>> So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?
>
> yes, definitely WINSOCK2.H contains this:
>
>     /*
>      * Constants and structures defined by the internet system,
>      * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
>      */
>
> by the way: Visual C++ is from 1998, also an old ancient compiler we have 2014 ;-)
RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
RFC 790 defines IPv4, not IPv6.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Wednesday, November 05, 2014 10:49 AM
To: neil carter
Cc: openssl-users@openssl.org
Subject: Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'

> On 05.11.2014 19:27, neil carter wrote:
>> Sorry, typo - s/b 'VCVARS32.bat'
>>
>> So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?
>
> yes, definitely WINSOCK2.H contains this:
>
>     /*
>      * Constants and structures defined by the internet system,
>      * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
>      */
>
> by the way: Visual C++ is from 1998, also an old ancient compiler we have 2014 ;-)
Re: Openssl IPv6 Support
On Wednesday, November 05, 2014 at 10:10:26AM +0100, Marcus Meissner wrote:

> On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:
>> Hi, Does Openssl support IPv6 officially?
> AFAIK the libssl and libcrypto libraries do not use sockets at all, these are left to the applications/libraries using them.
> So openssl does neither support ipv4 nor ipv6.

Marcus,

I do not fully understand your reply. Ofc, openssl is using sockets to talk over. The question is only if openssl is capable of creating an IPv6 socket behind the scenes or not. And it can not do this, one has to pass a created IPv6 socket to the SSL layer routines. This should be fixed.

matthias

--
Matthias Apitz
E-mail: g...@unixarea.de
WWW: http://www.unixarea.de/
phone: +49-170-4527211
RE: Openssl IPv6 Support
> It boggles the mind that to this day that patch has not been integrated in the 5 years since the bug was opened.

So many things about openssl can boggle the mind :)

In this particular case, I think the issue is that adding things to s_client/s_server apps isn't really enough to enable IPv6 programs. And then you have to deal with sockaddr types across platforms. Yuk.
RE: Why public key SHA1 is not same as Subject key Identifier
Right, that’s the main point. SKI is just an opaque identifier. It “used to” “mostly” be SHA1 of the key, but there was never any requirement that it MUST be so.

--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz
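The check discussed in this thread, as an added example that is not part of any poster's message or of OpenSSL: it computes the two key-identifier methods of RFC 5280 section 4.2.1.2 over the subjectPublicKey BIT STRING contents and reports a non-matching SKI as opaque rather than as an error. The SubjectPublicKeyInfo below is constructed filler, not a real RSA key, and all function names are assumptions of this example.

```python
import hashlib


def der(tag, content):
    """Encode one DER TLV (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def read_tlv(buf, off=0):
    """Decode the TLV at buf[off:]; return (tag, value, offset_after)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        size = first & 0x7F
        if size == 0 or off + size > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + size], "big")
        off += size
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length


def subject_public_key_bits(spki_der):
    """Return the BIT STRING contents of a SubjectPublicKeyInfo, without the
    tag, length and unused-bits octet. This is the span RFC 5280 hashes."""
    tag, body, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _, off = read_tlv(body)            # AlgorithmIdentifier, skipped
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, bits, _ = read_tlv(body, off)      # subjectPublicKey
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("expected BIT STRING with 0 unused bits")
    return bits[1:]


def ski_method1(key_bits):
    """RFC 5280 4.2.1.2 (1): the 160-bit SHA-1 hash of the key bits."""
    return hashlib.sha1(key_bits).digest()


def ski_method2(key_bits):
    """RFC 5280 4.2.1.2 (2): type field 0100 + low 60 bits of that SHA-1."""
    digest = hashlib.sha1(key_bits).digest()
    return bytes([0x40 | (digest[12] & 0x0F)]) + digest[13:]


def classify_ski(spki_der, ski):
    """Say how an SKI relates to the key. 'opaque' is a valid outcome: the
    RFC only says SHOULD, so a CA may use any unique value."""
    key_bits = subject_public_key_bits(spki_der)
    if ski == ski_method1(key_bits):
        return "rfc5280-method-1"
    if ski == ski_method2(key_bits):
        return "rfc5280-method-2"
    return "opaque"


# Constructed sample: rsaEncryption AlgorithmIdentifier plus a filler
# "modulus" of 128 bytes (not a real key) and exponent 65537.
RSA_ALGORITHM = bytes.fromhex("06092a864886f70d0101010500")
RSA_PUBLIC_KEY = der(0x30, der(0x02, bytes(range(1, 129))) + der(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI = der(0x30, der(0x30, RSA_ALGORITHM) + der(0x03, b"\x00" + RSA_PUBLIC_KEY))

if __name__ == "__main__":
    bits = subject_public_key_bits(SAMPLE_SPKI)
    for label, ski in (("sha1 of key bits", ski_method1(bits)),
                       ("60-bit form", ski_method2(bits)),
                       ("CA-assigned (constructed)", b"CA-DB-ROW-000042")):
        print(label, ski.hex(), "->", classify_ski(SAMPLE_SPKI, ski))
```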
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Maybe you forgot to run the batch file that sets the INCLUDE and LIB environment variables to prepend later VC 6.0 compatible SDK headers before, such as those in the July 2002 Platform SDK.

The copyright message quoted by Walter H. is just that, a copyright message acknowledging that some of the lines in that file were obtained from an old BSD. That acknowledgement is still present in the June 2014 version of winsock2.h.

Just like the SSLeay copyright message in most OpenSSL files refers to that original SSL2/3 library by EAY and TJH.

On 05/11/2014 19:53, neil carter wrote:

> So then why was 1.0.1g able to compile without these errors?
>
> On 11/5/2014 12:48 PM, Walter H. wrote:
>> On 05.11.2014 19:27, neil carter wrote:
>>> Sorry, typo - s/b 'VCVARS32.bat'
>>>
>>> So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?
>>
>> yes, definitely WINSOCK2.H contains this:
>>
>>     /*
>>      * Constants and structures defined by the internet system,
>>      * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
>>      */
>>
>> by the way: Visual C++ is from 1998, also an old ancient compiler we have 2014 ;-)

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Openssl IPv6 Support
On Wed, Nov 05, 2014 at 02:07:16PM -0500, Salz, Rich wrote:

>> It boggles the mind that to this day that patch has not been integrated in the 5 years since the bug was opened.
>
> So many things about openssl can boggle the mind :)
>
> In this particular case, I think the issue is that adding things to s_client/s_server apps isn't really enough to enable IPv6 programs.

I've actually been working on it and it's doing much more than just s_client / s_server. But I didn't have time to actually finish the patch yet.

Kurt
Re: Openssl IPv6 Support
On Wed, Nov 05, 2014 at 08:45:55AM -0800, Quanah Gibson-Mount wrote:

--On November 5, 2014 at 10:10:26 AM +0100 Marcus Meissner meiss...@suse.de wrote:

On Wed, Nov 05, 2014 at 08:28:40AM +, Mody, Darshan (Darshan) wrote:

Hi, Does Openssl support IPv6 officially?.

AFAIK the libssl and libcrypto libraries do not use sockets at all, these are left to the applications/libraries using them. So openssl does neither support ipv4 nor ipv6.

apparently you've never used s_client, or looked at the *ancient* bug explicitly asking that IPv6 support be added for s_client s_server in OpenSSL. It even has a patch that's been widely used for years by major linux distributions.

The question was for the library and I was mistaken apparently. I actually also ported an IPv6 patch to the commandline tool. Without autoconf or other automatic detection I do not dare to even try to get it upstream :(

Ciao, Marcus
1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3. Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'. Everything looks normal/good until the last step, which ends in the following:

.\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(803) : see declaration of 'in6_addr'
.\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(836) : see declaration of 'in6_addr'
.\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(884) : see declaration of 'in6_addr'
.\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(917) : see declaration of 'in6_addr'
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.

I've not seen these errors when installing previous versions of OpenSSL. I looked into the offending code in apps\s_cb.c, but I'm not a developer. Is this a known error for the 1.0.1j version on Windows? Has something been modified in the IPv6 code that is causing this new error? Has no one else had this problem? Any help is appreciated!
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Okay, so what magic script is this? Is it available in MS VS 6.0? Sorry, not a developer so part of what everyone is saying is beyond me. I ran the VCVARS32.bat script. Previously that's all I've had to do to prepare the environment for installing OpenSSL. Again, this all worked with 1.0.1g and that also included IPv6 support, didn't it? I'm trying to understand this. Thanks!

On 11/5/2014 1:23 PM, Jakob Bohm wrote:

Maybe you forgot to run the batch file that sets the INCLUDE and LIB environment variables to prepend later VC 6.0 compatible SDK headers before, such as those in the July 2002 Platform SDK.

The copyright message quoted by Walter H. is just that, a copyright message acknowledging that some of the lines in that file were obtained from an old BSD. That acknowledgement is still present in the June 2014 version of winsock2.h. Just like the SSLeay copyright message in most OpenSSL files refer to that original SSL2/3 library by EAY and TJH.

On 05/11/2014 19:53, neil carter wrote:

So then why was 1.0.1g able to compile without these errors?

On 11/5/2014 12:48 PM, Walter H. wrote:

On 05.11.2014 19:27, neil carter wrote:

Sorry, typo - s/b 'VCVARS32.bat' So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers?

yes, definitely WINSOCK2.H contains this:

/*
 * Constants and structures defined by the internet system,
 * Per RFC 790, September 1981, taken from the BSD file netinet/in.h.
 */

by the way: Visual C++ is from 1998, also an old ancient compiler we have 2014 ;-)

Enjoy

Jakob

-- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: Is FTP impacted by POODLE
From: owner-openssl-us...@openssl.org On Behalf Of Kurt Roeckx Sent: Wednesday, 05 November, 2014 13:05

On Wed, Nov 05, 2014 at 03:57:48PM +0530, Venkat V wrote:

Can you please let me know if FTP service can be impacted by POODLE vulnerability

The attack depends on being able to let the client connect multiple times and have control over part of the plain text.

Well, the POODLE attack specifically depends on that; but the underlying issue is much more general.

So my understanding is that it is theoretically possible but very unlikely.

The OP is asking the wrong question. SSL 3 is broken. It's broken for any application protocol that's tunneled through it. The specific attack described in the POODLE paper is for HTTP, but SSL 3 suffers from a padding-oracle attack for block ciphers (and other vulnerabilities). Chances are, if your threat model requires SSL-style communications security, it now requires TLS. The application protocol is largely irrelevant; even if there's no published attack now, there may be one tomorrow.

-- Michael Wojcik Technology Specialist, Micro Focus
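The padding-oracle weakness named in the message above comes from how each protocol version validates CBC padding, which is independent of the application protocol carried on top. The following is an added example, not part of the original message: the function names are hypothetical and the HTTP and FTP records are constructed. It compares the SSL 3.0 and TLS 1.0+ receiver checks on a decrypted record.

```python
BLOCK = 16        # AES-CBC block size in bytes
MAC = bytes(20)   # placeholder for a 20-byte SHA-1 record MAC (constructed)

# Constructed records from two application protocols, each followed by the MAC.
HTTP_RECORD = b"GET /index.html HTTP/1.1\r\n" + MAC
FTP_RECORD = b"USER anonymous\r\n" + MAC


def pad_tls(data):
    """TLS 1.0+ padding: n bytes of value n, then the length byte n."""
    n = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([n]) * (n + 1)


def corrupt_padding(plain):
    """Test fixture: flip every padding byte except the final length byte,
    modelling padding that was altered before the receiver's check."""
    split = len(plain) - (plain[-1] + 1)
    return plain[:split] + bytes(b ^ 0xFF for b in plain[split:-1]) + plain[-1:]


def check_ssl3(plain):
    """SSL 3.0 receiver: only the final length byte is defined by the
    protocol, so the padding bytes before it cannot be validated."""
    if not plain or len(plain) % BLOCK:
        return False
    return plain[-1] < BLOCK


def check_tls(plain):
    """TLS 1.0+ receiver: every padding byte must equal the length byte."""
    if not plain or len(plain) % BLOCK:
        return False
    n = plain[-1]
    if n + 1 > len(plain):
        return False
    return all(b == n for b in plain[-(n + 1):])


def compare(record):
    """Return (ssl3 clean, tls clean, ssl3 corrupted, tls corrupted)."""
    clean = pad_tls(record)
    bad = corrupt_padding(clean)
    return (check_ssl3(clean), check_tls(clean),
            check_ssl3(bad), check_tls(bad))


if __name__ == "__main__":
    for name, rec in (("HTTP", HTTP_RECORD), ("FTP", FTP_RECORD)):
        print(name, compare(rec))
```

Both records give the same result: the SSL 3.0 check accepts the altered padding and the TLS check rejects it, whatever protocol the record carries.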
RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Again, this all worked with 1.0.1g and that also included IPv6 support, didn't it? I'm trying to understand this.

No it didn't. Or perhaps more accurately: openssl code has not changed in regards to ipv4/ipv6

-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Let me re-phrase this. The 1.0.1g version of OpenSSL compiled without errors in this same environment, using these same commands.

On 11/5/2014 2:25 PM, Salz, Rich wrote:

Again, this all worked with 1.0.1g and that also included IPv6 support, didn't it? I'm trying to understand this.

No it didn't. Or perhaps more accurately: openssl code has not changed in regards to ipv4/ipv6

-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz
RE: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
Are you absolutely positive that you did not enable ipv6 or fail to disable ipv6, like ./config no-ipv6 ?

-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
I was unaware that option existed until you mentioned it.

On 11/5/2014 2:32 PM, Salz, Rich wrote:

Are you absolutely positive that you did not enable ipv6 or fail to disable ipv6, like ./config no-ipv6 ?

-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
I just ran the commands again, adding the no-ipv6 to the 'perl Configure' line and received the exact same errors.

On 11/5/2014 2:32 PM, Salz, Rich wrote:

Are you absolutely positive that you did not enable ipv6 or fail to disable ipv6, like ./config no-ipv6 ?

-- Principal Security Engineer, Akamai Technologies IM: rs...@jabber.me Twitter: RichSalz
RE: TLSv1.1 and TLSv1.2
Just following up on this I notice that support for v1.1 and v1.2 were added in: Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

We upgraded to 1.0.0o for our server recently and in our SSLv3 disabling testing, we discovered that the linux build appears to support 1.1 and 1.2 (using the openssl s_client command line interface) but the Windows version doesn't; since they're both built from the same source, is there any explanation for this that I'm not catching - does the change line above imply that some support for 1.1 and 1.2 was included in some later versions of 1.0.0?

-Original Message- From: owner-openssl-us...@openssl.org On Behalf Of Matt Caswell Sent: October-20-14 4:08 PM To: openssl-users@openssl.org Subject: Re: TLSv1.1 and TLSv1.2

On 20/10/14 23:59, Nou Dadoun wrote:

This should be a short question (for a change), am I correct in assuming that the earliest version of openssl which provided support for TLSv1.1 and TLSv1.2 is openssl 1.0.1? i.e. there's no support for those in 0.9.8 (soon to be deprecated) or 1.0.0? One of our products uses 0.9.8 for the FIPS certification and I'm now seeing that it doesn't seem to support 1.1 or 1.2.

Correct. You can check the change log here: https://www.openssl.org/news/changelog.html See the entries for TLS1.1 and TLS1.2 support under the section titled Changes between 1.0.0h and 1.0.1 [14 Mar 2012].

Matt
Re: 1.0.1j on Windows32 shows error C2027: use of undefined type 'in6_addr'
(Let's keep this on list)

The headers that shipped with Visual Studio 6.0 did not cover the IPv6 parts of Winsock2. They were however included in the Visual Studio 6.0 compatible platform SDKs released later, such as the ones from at least July 2002 to sometime in 2003 or 2004. The April 2005 platform SDK officially had limited support for Visual Studio 6.0, although the problems were not that large. Later SDKs were even less compatible with Visual Studio 6.0.

Additionally, the inclusion of Visual J++ with Visual Studio 6.0 meant that Microsoft had to remove it from all distribution channels due to the settlement with Sun over the Java incompatibilities in the Microsoft Java VM. So if you have any need for Visual C++ 6.0 (e.g. to compile NT 4.0 compatible device drivers), then you should keep your copy safe as you can't easily get a new one.

Conclusion: If you are compiling with Visual C++ 6.0, then you need to add a later platform SDK to the INCLUDE and (possibly) LIB paths in the environment before compiling OpenSSL. Chances are that you probably have one of those SDKs lying around already.

On 05/11/2014 19:27, neil carter wrote:

Sorry, typo - s/b 'VCVARS32.bat' So are you implying that MS Visual Studio 6.0 might be the issue in that it might not have built-in code with IPv6 headers? Haven't the IPv6 pieces of the OpenSSL code been around for a while? I know I saw posts regarding it from several years back in the list archive. Thanks!

On 11/5/2014 12:13 PM, Walter H. wrote:

On 05.11.2014 18:47, neil carter wrote:

I'm trying to install the 1.0.1j version on a Windows 2003 server (32-bit), with MS Visual Studio 6.0, nasm 2.11.05, and ActiveState perl v5.16.3. Steps involved include running the VCVARS21.BAT script, 'perl Configure VC-WIN32 --prefix=c:\openssl-1.0.1j', 'ms\do_nasm.bat', and finally 'nmake -f ms\ntdll.mak'. Everything looks normal/good until the last step, which ends in the following:

VCVARS21.BAT = Visual C++ 2.1? if yes, you should throw away the old ancient compiler of the early beginning of WinNT ... as of 1994; and get the new actual Platform SDK from Microsoft ...

.\apps\s_cb.c(803) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(803) : see declaration of 'in6_addr'
.\apps\s_cb.c(836) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(836) : see declaration of 'in6_addr'
.\apps\s_cb.c(884) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(884) : see declaration of 'in6_addr'
.\apps\s_cb.c(917) : error C2027: use of undefined type 'in6_addr'
.\apps\s_cb.c(917) : see declaration of 'in6_addr'
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.

this seems that you include ancient SDK headers not capable of IPv6 at all ...

-- Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Soborg, Denmark. direct: +45 31 13 16 10 This message is only for its intended recipient, delete if misaddressed. WiseMo - Remote Service Management for PCs, Phones and Embedded