Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-28 Thread Robert Moskowitz 



On 09/28/2017 01:25 PM, Stuart Marsden wrote:

Hi

thanks for all the comments and suggestions, especially the ones I 
could understand


centos 7
yum upgrade

openssl version gives:

OpenSSL 1.0.2k-fips  26 Jan 2017


it looks like

echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings

allows the reading of Md5 Client certificates (which are still being 
installed in "not released yet" phones)


I am almost concerned this is being done intentionally to meet some 
security downgrade requirement.  I the more reason to only use this cert 
to bootstrap your own cert for the actual management.





That is a week of my life I wont get back

thanks again

Stuart


On 27 Sep 2017, at 19:02, Michael Wojcik 
> wrote:



From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jochen Bern
Sent: Wednesday, September 27, 2017 06:51
To: openssl-users@openssl.org 
Subject: Re: [openssl-users] Hardware client certificates moving to 
Centos 7


I don't know offhand which OpenSSL versions did away with MD5, but you
*can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
straight off CentOS 7 repos:


Ugh. No need for 0.9.8e (which is from, what, the early Industrial 
Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it 
wasn't disabled in the build configuration. I think Stuart is dealing 
with an OpenSSL build that had MD5 disabled in the Configure step.


Heck, MD4 and MDC2 are still available in 1.0.2 - even with the 
default configuration, I believe. I'm looking at 1.0.2j here and it 
has GOST, MD4, MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard 
lengths), and Whirlpool.


That's just for digests, obviously; but the point is the MD5 support 
is still there. And yes, 1.0.2j can handle certificates with 
md5WithRsaEncryption signatures.


--
Michael Wojcik
Distinguished Engineer, Micro Focus



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




Dr Stuart Marsden
*Tel:* +44 (0)1494 414100
*Email:* stu...@myphones.com 

Altos Banner





-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Query regarding the SCTP events for DTLS connections

2017-09-28 Thread mahesh gs 
Hi,

We have an application which has SCTP connections we have secured the SCTP
connections using the openssl DTLS. DTLS is working as expected other than
the SCTP events.

We use the API "BIO_new_dgram_sctp" to create a BIO objects and we register
a callback function to openssl using API "BIO_dgram_sctp_notification_cb"
to populate the SCTP events. I observe that openssl enables only
authentication related events, do not enable any other events like
association, shutdown etc.

Code snippet from the API "BIO_new_dgram_sctp":

event.sctp_authentication_event = 1;

ret =
setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, ,
   sizeof(struct sctp_event_subscribe));
if (ret < 0) {
BIO_vfree(bio);
return (NULL);
}

Is there any specific reason for just enabling the authentication events ?

If yes, is there any way applications register for other events like
shutdown, association etc. We have a requirement where based on the SCTP
events application executes certain business logic.

Thanks,
Mahesh G S
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Hardware client certificates moving to Centos 7

2017-09-28 Thread Stuart Marsden 
Hi

thanks for all the comments and suggestions, especially the ones I could 
understand

centos 7
yum upgrade

openssl version gives:

OpenSSL 1.0.2k-fips  26 Jan 2017


it looks like 

echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings

allows the reading of Md5 Client certificates (which are still being installed 
in "not released yet" phones)

That is a week of my life I wont get back

thanks again

Stuart


> On 27 Sep 2017, at 19:02, Michael Wojcik  
> wrote:
> 
>> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
>> Of Jochen Bern
>> Sent: Wednesday, September 27, 2017 06:51
>> To: openssl-users@openssl.org
>> Subject: Re: [openssl-users] Hardware client certificates moving to Centos 7
>> 
>> I don't know offhand which OpenSSL versions did away with MD5, but you
>> *can* install an 0.9.8e (+ RHEL/CentOS backported security patches)
>> straight off CentOS 7 repos:
> 
> Ugh. No need for 0.9.8e (which is from, what, the early Industrial 
> Revolution?). MD5 is still available in OpenSSL 1.0.2, assuming it wasn't 
> disabled in the build configuration. I think Stuart is dealing with an 
> OpenSSL build that had MD5 disabled in the Configure step.
> 
> Heck, MD4 and MDC2 are still available in 1.0.2 - even with the default 
> configuration, I believe. I'm looking at 1.0.2j here and it has GOST, MD4, 
> MD5, MDC2, RIPEMD-60, SHA, SHA1, SHA-2 (all standard lengths), and Whirlpool.
> 
> That's just for digests, obviously; but the point is the MD5 support is still 
> there. And yes, 1.0.2j can handle certificates with md5WithRsaEncryption 
> signatures.
> 
> -- 
> Michael Wojcik 
> Distinguished Engineer, Micro Focus 
> 
> 
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 


Dr Stuart Marsden
Tel: +44 (0)1494 414100 
Email: stu...@myphones.com  



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails

2017-09-28 Thread Steve Marquess 
On 09/28/2017 11:07 AM, Diaz de Grenu, Jose wrote:
> I am trying to validate the FIPS Object Module. 
> 
> I have built the test tools as specified in [1] Appendix B.1 and I have 
> downloaded and extract the test vectors from [2]. 
> 
> At that point I run the following:
> 
> perl fipsalgtest.pl --dir=/run/media/sda1/fips_tv/OSF_JN2859_OE46.results
> 
> (where /run/media/sda1/fips_tv/OSF_JN2859_OE46.results is the path I 
> extracted the test vectors to).
> 
> That  produces the following output:
> 
> Running DSA2 tests
> Running DSA tests
> Running ECDSA2 tests
> Running RSA tests
> FATAL parse error processing line 4
> ...

The FIPS module and test suite software (fipsalgtest.pl) are designed to
work with exactly those algorithm tests relevant to the associated
validations (#1747/2398/2473). The test labs generate a unique set of
test vectors for each platform validation; those test vectors must be of
the expected format to be successfully processed. Often they are not,
either because they we incorrectly specified or due to errors. Figuring
out such discrepancies can be lots of fun (not!).

You will want to compare your test vectors with a known good set from
http://openssl.com/testing/validation-2.0/testvectors/. Pick a recent
set, as the format of the test vectors changes over time. Note that as a
result frequent adjustment of fipsalgtest.pl is often necessary.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 301 874 2571
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS Object Module 2.0, fipsalgtest.pl fails

2017-09-28 Thread Diaz de Grenu, Jose 
I am trying to validate the FIPS Object Module. 

I have built the test tools as specified in [1] Appendix B.1 and I have 
downloaded and extract the test vectors from [2]. 

At that point I run the following:

perl fipsalgtest.pl --dir=/run/media/sda1/fips_tv/OSF_JN2859_OE46.results

(where /run/media/sda1/fips_tv/OSF_JN2859_OE46.results is the path I extracted 
the test vectors to).

That  produces the following output:

Running DSA2 tests
Running DSA tests
Running ECDSA2 tests
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGen15 ../test/fips_rsavtest 
"/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGen15_186-3.tst"
 "/run/m
edia/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGen15_186-3.ver"
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGenPSS(0) ../test/fips_rsavtest 
-saltlen 0 
"/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGenPSS_18
6-3.tst" 
"/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46/RSA2/resp/SigGenPSS_186-3.ver"
Running RSA tests
FATAL parse error processing line 4
FATAL RSAVTEST file processing error
WARNING: error executing verify test SigGenPSS(62) ../test/fips_rsavtest 
-saltlen 62 
"/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46_RSA62_PSS/RSA2/resp/
SigGenPSS_186-3.tst" 
"/run/media/sda1/fips_tv/OSF_JN2859_OE46.results/OSF_2859_OE46_RSA62_PSS/RSA2/resp/SigGenPSS_186-3.ver"
Running SHA tests
Running SP800-90 DRBG tests
Running HMAC tests
Running CMAC tests
Running AES tests
Running Triple DES tests
Running AES CCM tests
Running AES GCM tests
Running AES XTS tests
Running ECDH Ephemeral Primitives Only tests
ALGORITHM TEST VERIFY SUMMARY REPORT:
Tests skipped due to missing files:0
Algorithm test program execution failures: 0
Test comparisons successful:   223
Test comparisons failed:   0
Test sanity checks successful: 6
Test sanity checks failed: 0
Sanity check program execution failures:   3
***TEST FAILURE***


What could be causing those errors?

Some more information:
 * OpenSSL 1.0.2j-fips  26 Sep 2016 
 * ARM7 platform.
 *  The fips_test_suite binary runs successfully ("All tests completed with 0 
errors").

Thanks

[1] User Guide for the OpenSSL FIPS Objet Module 2.0: 
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
[2] Test vector tarball: 
https://www.openssl.com/testing/validation-2.0/testvectors/tv.tar.gz 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] PKCS7 and RSA_verify

2017-09-28 Thread ch 

Hi!

I thought the difference between PEM and DER is NOT ONLY a different 
encoding of the string?

base64 vs. binary

So to understand that clear please let me ask:
If I convert a PEM-signature from base64 to binary then it is DER?

Thanks
Chris

On 2017-09-28 11:23, Wouter Verhelst wrote:

On 28-09-17 01:19, ch wrote> If the pkcs-signature is binary encoded it
is not working for verifiying

a SMIME-message in my experience with
smime or cms-smime on the console. I tried to convert the binary ones to
base64 but that does not everytime the trick.

What you call "base64" is commonly known as "PEM" :-)

You can get it to parse binary, but to do so you need to specify
"-inform der".



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] PKCS7 and RSA_verify

2017-09-28 Thread Wouter Verhelst 
On 28-09-17 01:19, ch wrote> If the pkcs-signature is binary encoded it
is not working for verifiying
> a SMIME-message in my experience with
> smime or cms-smime on the console. I tried to convert the binary ones to
> base64 but that does not everytime the trick.

What you call "base64" is commonly known as "PEM" :-)

You can get it to parse binary, but to do so you need to specify
"-inform der".

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users