Re: [openssl-users] How to respond to TLS heartbeat in openssl
Hi Jeff,

I checked in the git repo (tags/OpenSSL_1_0_2g), opensslconf.h does not have OPENSSL_NO_HEARTBEATS the above definition in 1.0.2g.
So I think it's enabled.

Regards,
Keshava.

On Fri, Dec 22, 2017 at 12:20 PM, Jeffrey Walton wrote:

> On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K wrote:
> > Ok, I got to know that
> > openssl version -a gives out the flags used while building openssl.
> > so the output of this was
> >
> > OpenSSL 1.0.2g 1 Mar 2016
> > built on: reproducible build, date unspecified
> > platform: debian-amd64
> > options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> > compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> > -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
> > -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> > -DGHASH_ASM -DECP_NISTZ256_ASM
> > OPENSSLDIR: "/usr/lib/ssl"
> >
> > Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume
> > heartbeats are not disabled in the build.
> > So I am back to square one :( -> how do I make the server respond to a TLS
> > heartbeat request ? Do I have to read the packet and write it back ?
>
> You should also check for OPENSSL_NO_HEARTBEATS.
>
> $ cd openssl
> $ grep -B 1 -A 1 HEART include/openssl/opensslconf.h
> #endif
> #ifndef OPENSSL_NO_HEARTBEATS
> # define OPENSSL_NO_HEARTBEATS
> #endif
>
> Jeff

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] How to respond to TLS heartbeat in openssl
On Fri, Dec 22, 2017 at 1:32 AM, Keshava Krishna Bhat K wrote:

> Ok, I got to know that
> openssl version -a gives out the flags used while building openssl.
> so the output of this was
>
> OpenSSL 1.0.2g 1 Mar 2016
> built on: reproducible build, date unspecified
> platform: debian-amd64
> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
> -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
> -DGHASH_ASM -DECP_NISTZ256_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
> Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume
> heartbeats are not disabled in the build.
> So I am back to square one :( -> how do I make the server respond to a TLS
> heartbeat request ? Do I have to read the packet and write it back ?

You should also check for OPENSSL_NO_HEARTBEATS.

$ cd openssl
$ grep -B 1 -A 1 HEART include/openssl/opensslconf.h
#endif
#ifndef OPENSSL_NO_HEARTBEATS
# define OPENSSL_NO_HEARTBEATS
#endif

Jeff
Re: [openssl-users] How to respond to TLS heartbeat in openssl
Ok, I got to know that
openssl version -a gives out the flags used while building openssl.
so the output of this was

OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack
-Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM
-DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

Since the output above does not have OPENSSL_NO_HEARTBEATS, I assume heartbeats are not disabled in the build.
So I am back to square one :( -> how do I make the server respond to a TLS heartbeat request ? Do I have to read the packet and write it back ?
But code in the following file and method suggests this would be done automatically (but again I have a layman's knowledge on C, I could be wrong)

t1_lib.c
tls1_process_heartbeat

Regards,
Keshava.

On Thu, Dec 21, 2017 at 11:49 AM, Keshava Krishna Bhat K <keshavkrishn...@gmail.com> wrote:

> Hi,
>
> Is this controlled by the Makefile?
>
> Regards,
> Keshava.
>
> On Wed, Dec 20, 2017 at 6:20 PM, Keshava Krishna Bhat K <keshavkrishn...@gmail.com> wrote:
>
>> Hi All,
>>
>> I am writing a TLS server that responds to an incoming TLS heartbeat
>> request. I am using OpenSSL 1.0.2g .
>> But I am not able to get the server to respond to a heartbeat request.
>> Any clue on what I am missing?
>> The code snippets are here
>> https://stackoverflow.com/questions/47902283/how-to-respond-to-tls-heartbeat-in-openssl .
>>
>> I also got a clue that the version of openssl I am using might have
>> heartbeats disabled. But how do I check if heartbeats are enabled in OpenSSL
>> 1.0.2g?
>>
>> Regards,
>> Keshava.
Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
I'm a fellow SSL-USER and not an expert, but my verification flow goes as follows:

X509_STORE_CTX_new()
X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify
X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this is the difference?
X509_verify_cert(ctx)

On Thu, 2017-12-21 at 12:42 +0100, Manuel Wagesreither wrote:

> Dear all,
>
> I'm struggling with programmatically verifying a certificate which is
> solely stored in memory, i. e. not on the file system. The
> certificate and the CA seem to be fine though, because when I extract
> them from memory and store them as a file, and use the `openssl
> verify`, verification is successful. Hence I suspect my code is
> faulty.
>
> Unfortunately, I'm under the impression that validating certificates
> which exist solely in memory is a niche application. I was yet not
> able to find a comprehensive tutorial or even a code sample on the
> internet. Hence, I hope you can help me.
>
> Below I'm posting my sample code. (I have stripped the certificate
> and CA raw data, though.) It can be compiled and run under a GNU/Linux
> system.
> When this code is run, OpenSSL emits a "certificate signature
> failure" with an error depth of 0.
>
> Thanks a lot!
> Manuel
>
> #include <openssl/x509.h>
> #include <iostream>
> #include <stdexcept>
>
> unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };
>
> int main(int, char**)
> {
>     // This holds the return codes and gets reused for most function calls
>     int rc = 0;
>
>     // Make a new store
>     X509_STORE *x509_store = X509_STORE_new();
>     if (x509_store == NULL) {
>         throw std::runtime_error("X509_STORE_new() failed");
>     }
>
>     // Load and convert the authority's certificate to a compatible form
>     X509 *auth_cert = NULL;
>     {
>         const unsigned char* auth_cert_ptr = g_authority;
>         auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
>         if (auth_cert == nullptr) {
>             throw std::runtime_error("d2i_X509() failed for authoritys certificate");
>         }
>     }
>
>     // Add the authority's certificate to the store
>     rc = X509_STORE_add_cert(x509_store, auth_cert);
>     if (rc != 1) {
>         throw std::runtime_error("X509_STORE_add_cert() failed");
>     }
>
>     // Make a new store context
>     X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
>     if (x509_store_ctx == NULL) {
>         throw std::runtime_error("X509_STORE_CTX_new() failed");
>     }
>
>     // Load and convert the certificate to be verified to a compatible form
>     X509 *myself = NULL;
>     {
>         const unsigned char *my_cert_ptr = g_cert;
>         myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
>         if (myself == NULL) {
>             throw std::runtime_error("d2i_X509() failed for own certificate");
>         }
>     }
>
>     rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
>     if (rc != 1) {
>         throw std::runtime_error("X509_STORE_CTX_init() failed");
>     }
>
>     rc = X509_verify_cert(x509_store_ctx);
>
>     // Read the result before freeing the context that holds it
>     const int err = X509_STORE_CTX_get_error(x509_store_ctx);
>     const int depth = X509_STORE_CTX_get_error_depth(x509_store_ctx);
>
>     X509_STORE_CTX_free(x509_store_ctx);
>     X509_STORE_free(x509_store);
>
>     if (rc > 0) {
>         std::cout << X509_verify_cert_error_string(err) << std::endl;
>         return 0;
>     } else {
>         std::cerr << X509_verify_cert_error_string(err) << std::endl;
>         std::cerr << "Error depth: " << depth << std::endl;
>         return 1;
>     }
> }
[openssl-users] Fwd: Padding for RSA signatures
Hi all,

I am playing around with RSA signatures with different padding options and I have some questions.

I am trying to define different padding options and so am defining and using an EVP_PKEY_CTX . However I am not sure if this padding is getting used in the signature since my Verify outputs OK regardless of which option my Sign uses. Which leads to:

1 - Do I need to use an EVP_PKEY_CTX with the same options when doing verify? If so, I assume I can't reuse the same PKey_Ctx and I have to define another one. Right now even when I don't use any EVP_PKEY_CTX in Verify, I still verify OK, which makes me question if the padding option has been set.

2 - Is there a way to figure out what padding/hashing/etc option was used for the Sign/verify operation? This way I can be sure what algorithm or standard is being used.

3 - Do I need to set the hash function I am using in both EVP_PKEY_CTX as well as EVP_MD_CTX ? Or the latter is what defines this for the signing option?

4 - In general, is there a way of making the Signature/Encryptions in OpenSSL be deterministic for debugging/testing purposes?

5 - I noticed that there are two ways of determining the signature size: (a) by calling EVP_PKEY_size(rsaKeypair) as I am doing below, as well as (b) calling EVP_DigestSignFinal(md_ctx, nil, &sig_len) . Is one better than the other?

My sample code is below for reference. It's in Swift (but it should still be close enough to C to be readable). Also in Swift, some of the complex macros in OpenSSL have to be broken down to be compilable hence my usage of EVP_DigestUpdate instead of EVP_DigestVerifyUpdate .

Thanks in advance for any insight in the above.

cheers!
Gelareh

let md_ctx = EVP_MD_CTX_create()
let md_ctx_verify = EVP_MD_CTX_create()

// To define padding option used in signature
var pkey_ctx = EVP_PKEY_CTX_new(rsaKeypair, nil)

// EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PADDING) - complex macro needs to be replaced
EVP_PKEY_CTX_ctrl(pkey_ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, RSA_X931_PADDING, nil)

// EVP_PKEY_CTX_set_signature_md() When should this be set?

// SIGN
var rc = EVP_DigestSignInit(md_ctx, &pkey_ctx, EVP_sha256(), nil, myRSA.rsaKeypair)

// EVP_DigestSignUpdate(md_ctx, message, message.count)
// Complex macro needs to be replaced
rc = EVP_DigestUpdate(md_ctx, message, message.count)

// allocate memory for signature
var sig_len: Int = Int(EVP_PKEY_size(rsaKeypair))
let sig = UnsafeMutablePointer<UInt8>.allocate(capacity: sig_len)

rc = EVP_DigestSignFinal(md_ctx, sig, &sig_len)

// VERIFY
rc = EVP_DigestVerifyInit(md_ctx_verify, nil, EVP_sha256(), nil, rsaKeypair)

//rc = EVP_DigestVerifyUpdate(md_ctx_verify, message, message.count)
rc = EVP_DigestUpdate(md_ctx_verify, message, message.count)

rc = EVP_DigestVerifyFinal(md_ctx_verify, sig, sig_len)
print("signature verified = \(rc == 1 ? "OK" : "FAIL")")
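Questions 1 and 4 in the post above can be checked from the command line. The script below is an added example, not part of the original post: it uses the openssl CLI with a throwaway key and message constructed on the spot (all file names are assumptions), and it goes beyond the post's X9.31 case by comparing PKCS#1 v1.5 with PSS. It shows that a signature only verifies when the verifier selects the padding the signer used, and that PKCS#1 v1.5 signatures are deterministic while PSS signatures are not.

```shell
#!/bin/sh
# Added example: key, message and file names are constructed here,
# none of them come from the original post.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'constructed test message\n' > "$WORK/msg.txt"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"

# sign_with MODE OUTFILE: SHA-256 RSA signature over msg.txt using padding MODE
sign_with() {
    openssl dgst -sha256 -sign "$WORK/key.pem" \
        -sigopt "rsa_padding_mode:$1" -out "$2" "$WORK/msg.txt"
}

# verify_with MODE SIGFILE: succeeds only if SIGFILE verifies under padding MODE
verify_with() {
    openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -sigopt "rsa_padding_mode:$1" -signature "$2" "$WORK/msg.txt" \
        2>/dev/null | grep -q '^Verified OK'
}

# is_deterministic MODE: sign the same message twice and compare the bytes
is_deterministic() {
    sign_with "$1" "$WORK/a.sig" && sign_with "$1" "$WORK/b.sig" &&
        cmp -s "$WORK/a.sig" "$WORK/b.sig"
}

# Cross-check every signer/verifier padding combination.
for signer in pkcs1 pss; do
    sign_with "$signer" "$WORK/$signer.sig"
    for verifier in pkcs1 pss; do
        if verify_with "$verifier" "$WORK/$signer.sig"; then
            result=OK
        else
            result=FAIL
        fi
        echo "signed with $signer, verified as $verifier: $result"
    done
done

# Sign twice per mode to see which padding is randomized.
for mode in pkcs1 pss; do
    if is_deterministic "$mode"; then
        echo "$mode: two signatures of the same message are identical"
    else
        echo "$mode: two signatures of the same message differ"
    fi
done
```

In the C API, EVP_DigestSignInit() and EVP_DigestVerifyInit() write the operation's EVP_PKEY_CTX to their pctx argument when it is non-NULL, and padding options are set on that returned context after the Init call.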
[openssl-users] Follow up
Hi all,

Merry Christmas!

Please take a look at my previous question; I appreciate every bit of help, I'm stuck.

FYI the guy named ananthaneni saiteja chowdary and myself are the same. This email had a problem subscribing to the mailing list earlier, hence the other name.

Thanks
Saiteja.
Re: [openssl-users] Testing ports through firewall
Hi,

You can test ports with OpenSSL. But you gotta need a certificate for your s_server. You can generate a self signed certificate with openssl. Try this
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

And place that file in the dir where you are running the s_server command, or can use -cert argument to give the generated certificate.
And from the s_client connect to the port that you are listening with s_server

Client: openssl s_client -connect hostname:port
Server: openssl s_server -accept PORT

Regards
Saiteja.

On 21-Dec-2017 7:07 PM, "warron.french" wrote:

> Hello Community, and Merry Christmas/Happy Seasons Greetings,
> anyway, I need some help with understanding an openssl feature -
> *s_server*.
>
> I executed the following command: openssl s_server -accept 21937 -www &
> And immediately got the following output:
> [1] 3286
> [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key file server.pem
> 140679739017032:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
> 140679739017032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
> unable to load server certificate private key file
>
> In order to test ports that are not encrypted with SSL/TLS do I still have
> to generate a certificate and private key file (each)?
>
> I would like to test ports from one machine using openssl s_client against
> a remote machine on an opposing network, running a "listener", using
> openssl s_server.
>
> Perhaps I am way off? I am not allowed to use openssl for this sort of
> thing?
> Any guidance would be greatly appreciated because I want to expand my
> understanding of the openssl suite of commands and its offerings.
>
> Have a nice day,
> --
> Warron French
Re: [openssl-users] Testing ports through firewall
On 21/12/2017 14:36, warron.french wrote:

> Hello Community, and Merry Christmas/Happy Seasons Greetings,
> anyway, I need some help with understanding an openssl feature - *s_server*.
>
> I executed the following command: openssl s_server -accept 21937 -www &
> And immediately got the following output:
> [1] 3286
> [sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key file server.pem
> 140679739017032:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
> 140679739017032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
> unable to load server certificate private key file
>
> In order to test ports that are not encrypted with SSL/TLS do I still have to generate a certificate and private key file (each)?
>
> I would like to test ports from one machine using openssl s_client against a remote machine on an opposing network, running a "listener", using openssl s_server.
>
> Perhaps I am way off? I am not allowed to use openssl for this sort of thing?
> Any guidance would be greatly appreciated because I want to expand my understanding of the openssl suite of commands and its offerings.

Any normal SSL/TLS server needs a certificate. For testing the certificate doesn't have to be "real" (from a trusted public CA).

A dummy certificate for a server named "computer.example.com" can be generated using the command:

openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout server.key -out server.pem -subj /CN=computer.example.com/O=test/C=US

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
[openssl-users] Testing ports through firewall
Hello Community, and Merry Christmas/Happy Seasons Greetings,
anyway, I need some help with understanding an openssl feature - *s_server*.

I executed the following command: openssl s_server -accept 21937 -www &
And immediately got the following output:
[1] 3286
[sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key file server.pem
140679739017032:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
140679739017032:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load server certificate private key file

In order to test ports that are not encrypted with SSL/TLS do I still have to generate a certificate and private key file (each)?

I would like to test ports from one machine using openssl s_client against a remote machine on an opposing network, running a "listener", using openssl s_server.

Perhaps I am way off? I am not allowed to use openssl for this sort of thing?
Any guidance would be greatly appreciated because I want to expand my understanding of the openssl suite of commands and its offerings.

Have a nice day,
--
Warron French
Re: [openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Dear all,

I forgot to mention that I'm using OpenSSL 1.0.2k.

Regards
Manuel
[openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Dear all,

I'm struggling with programmatically verifying a certificate which is solely stored in memory, i. e. not on the file system. The certificate and the CA seem to be fine though, because when I extract them from memory and store them as a file, and use the `openssl verify`, verification is successful. Hence I suspect my code is faulty.

Unfortunately, I'm under the impression that validating certificates which exist solely in memory is a niche application. I was yet not able to find a comprehensive tutorial or even a code sample on the internet. Hence, I hope you can help me.

Below I'm posting my sample code. (I have stripped the certificate and CA raw data, though.) It can be compiled and run under a GNU/Linux system.
When this code is run, OpenSSL emits a "certificate signature failure" with an error depth of 0.

Thanks a lot!
Manuel

#include <openssl/x509.h>
#include <iostream>
#include <stdexcept>

unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };

int main(int, char**)
{
    // This holds the return codes and gets reused for most function calls
    int rc = 0;

    // Make a new store
    X509_STORE *x509_store = X509_STORE_new();
    if (x509_store == NULL) {
        throw std::runtime_error("X509_STORE_new() failed");
    }

    // Load and convert the authority's certificate to a compatible form
    X509 *auth_cert = NULL;
    {
        const unsigned char* auth_cert_ptr = g_authority;
        auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
        if (auth_cert == nullptr) {
            throw std::runtime_error("d2i_X509() failed for authoritys certificate");
        }
    }

    // Add the authority's certificate to the store
    rc = X509_STORE_add_cert(x509_store, auth_cert);
    if (rc != 1) {
        throw std::runtime_error("X509_STORE_add_cert() failed");
    }

    // Make a new store context
    X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
    if (x509_store_ctx == NULL) {
        throw std::runtime_error("X509_STORE_CTX_new() failed");
    }

    // Load and convert the certificate to be verified to a compatible form
    X509 *myself = NULL;
    {
        const unsigned char *my_cert_ptr = g_cert;
        myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
        if (myself == NULL) {
            throw std::runtime_error("d2i_X509() failed for own certificate");
        }
    }

    rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
    if (rc != 1) {
        throw std::runtime_error("X509_STORE_CTX_init() failed");
    }

    rc = X509_verify_cert(x509_store_ctx);

    // Read the result before freeing the context that holds it
    const int err = X509_STORE_CTX_get_error(x509_store_ctx);
    const int depth = X509_STORE_CTX_get_error_depth(x509_store_ctx);

    X509_STORE_CTX_free(x509_store_ctx);
    X509_STORE_free(x509_store);

    if (rc > 0) {
        std::cout << X509_verify_cert_error_string(err) << std::endl;
        return 0;
    } else {
        std::cerr << X509_verify_cert_error_string(err) << std::endl;
        std::cerr << "Error depth: " << depth << std::endl;
        return 1;
    }
}