Re: [openssl-users] Certificate chain validation

2017-04-23 Thread Lei Kong
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html

The linked documents don't say the APIs must be called on the *client* side, and 
it works fine in my code on both the client and server side.
I am under the impression that there is no asymmetry in terms of *sending*-side 
chain building between client and server; does what you said below mean the client 
side always sends a *partial* chain to the server?

Thanks.

From: Salz, Rich via openssl-users
Sent: Friday, April 21, 2017 3:37 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Certificate chain validation

You are asking two different questions.

The certificates that the *client* sends are specified by the various “use 
certificate” APIs.  No chain is built.  See 
doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain 
file” API.

As for what the *server* does, it tries to use what the client sends and build 
a chain up to one of the certificates that is in the local, server, trust store.

The APIs are a bit different for 1.0.2 than for 1.1.0.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] EVP_CIPHER_CTX array not compiling

2017-04-23 Thread Jeffrey Walton
On Sun, Apr 23, 2017 at 9:36 AM, Salz, Rich via openssl-users
 wrote:
>>#define OTEXT_AES_KEY_INIT(ctx, buf) { \
>>EVP_CIPHER_CTX_init(ctx); \
>>EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \
>>}
>
> Most of the datatypes are now opaque.  This means you can't have an 
> EVP_CIPHER_CTX object, but instead a pointer to it.  Don't call the init 
> function, call the new function.  And then that has rippling changes in your 
> code.

Related, see https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes.
The page name is kind of boring, but it discusses how to convert from
1.0.2 to 1.1.0. In addition, it provides a small compatibility layer
so a lot of code "just works" for both 1.0.2 and 1.1.0.

We lifted it from Kurt's patch to OpenSSH. OpenSSH is stuck at 1.0.2,
and Kurt provided them with a migration path.

Jeff


Re: [openssl-users] EVP_CIPHER_CTX array not compiling

2017-04-23 Thread Salz, Rich via openssl-users
>#define OTEXT_AES_KEY_INIT(ctx, buf) { \
>        EVP_CIPHER_CTX_init(ctx); \
>        EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \
>        }

Most of the datatypes are now opaque.  This means you can't have an 
EVP_CIPHER_CTX object, but instead a pointer to it.  Don't call the init 
function, call the new function.  And then that has rippling changes in your 
code.


[openssl-users] EVP_CIPHER_CTX array not compiling

2017-04-23 Thread Lior Koskas
Hi,

I have a problem with converting my C++ library into OpenSSL v1.1.0.

I'm using CentOS 7 and OpenSSL v1.1.0.
When I'm trying to use EVP_CIPHER_CTX as an array, my code does not compile.
I understand that this is caused by making the structures opaque.

The problem is this line

OTEXT_AES_KEY_INIT(ctx + i, pBufIdx);
The expression ctx + i does not compile. The error I'm receiving is:

invalid use of incomplete type struct evp_cipher_ctx_st.

static void InitAESKey(AES_KEY_CTX* ctx, BYTE* keybytes, int numkeys)
{
    BYTE* pBufIdx = keybytes;
    for (int i = 0; i < numkeys; i++)
    {
        OTEXT_AES_KEY_INIT(ctx + i, pBufIdx);   /* ctx + i: pointer arithmetic on the now-opaque type */
        pBufIdx += AES_KEY_BYTES;
    }
}
While OTEXT_AES_KEY_INIT is macro defined like this:

#define AES_KEY_CTX EVP_CIPHER_CTX
#define OTEXT_AES_KEY_INIT(ctx, buf) { \
        EVP_CIPHER_CTX_init(ctx); \
        EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \
        }


What am I doing wrong?


-- 
Lior Koskas
Software Engineer


Re: [openssl-users] How do I connect to this server

2017-04-23 Thread chris . gray
You should be able to do this using stunnel: see for example

https://www.elastic.co/guide/en/cloud/current/tunneling-ssl.html

where your telnet commands would be the "client which supports only http".
But you can also learn a lot by playing with curl ...

> I know that this is a TLS related question; however, do you know how you
> can diagnose straight HTTP using:
>
> telnet server1 portnumber ?
> Then provide HTTP/1.1 etc?
>
> Is it possible to do the same thing with: openssl s_client
> server1:portnumber then do the HTTP/1.1 etc... etc...?
>
> Is that a possible technique?  I am interested in learning too.
>
> --
> Warron French
>
>
> On Fri, Apr 21, 2017 at 6:29 PM, Salz, Rich via openssl-users <
> openssl-users@openssl.org> wrote:
>
>> > https://username:passw...@server.com
>> > How do I specify this username and password when using SSL_connect()?
>>
>> You don't.  That stuff is at the protocol level about TLS/SSL.
>>
>>

