Re: [openssl-users] how to control the cipher list of an openssl server

2018-03-12 Thread Matt Caswell


On 12/03/18 22:53, Chris Bare wrote:
> I have a fairly basic server set up based on various examples I've seen.
> 
> I run an nmap script I found against it and see only 16 ciphers listed,
> none of which are supported by modern web browsers.
> Yet when I run "openssl ciphers" I get a list of 97.
> 
> I realize some of these are old and deprecated etc, but where does the
> default list come from?
> 
> I tried this code to set it to use one of the more modern ciphers shown
> in the openssl ciphers output:
> 
> char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
> if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
>  return (false);
> 
> but after that the nmap script doesn't find any ciphers.
> 
> Any suggestions?

When you run "openssl ciphers" without other arguments it will give you
the default set of ciphersuites. Not all of those will be useable by
your server depending on other aspects of its configuration. For example
PSK ciphersuites will only be available if you have configured a
pre-shared-key (PSK).

Most important is the type of certificate that your server is using,
with typical types being RSA, ECDSA or DSA. It is possible to configure
a server with more than one type of certificate - but if you've only got
one then only ciphersuites compatible with that certificate will be used.

In your example the ECDHE-ECDSA-AES128-GCM-SHA256 requires an ECDSA
certificate to be present. If you haven't got one, and that's the only
ciphersuite configured, then you won't be able to successfully make
connections.

Hope that helps,

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
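
Added example (not part of Matt's reply and not OpenSSL project code): the mismatch described above can be checked by comparing each configured suite's authentication algorithm with the certificate types the server actually holds. It uses Python's ssl module, which wraps OpenSSL, instead of the C API in the question; `usable_suites` and `AUTH_TO_CERT` are names made up for this sketch.

```python
import ssl

# Assumption for this sketch: map the authentication names reported by
# SSLContext.get_ciphers() to the certificate type the server must hold.
AUTH_TO_CERT = {"auth-rsa": "rsa", "auth-ecdsa": "ecdsa", "auth-dss": "dsa"}


def usable_suites(cipher_string, cert_types):
    """Split the TLS <= 1.2 suites selected by cipher_string into
    (usable, unusable) for a server holding only cert_types, e.g. {"rsa"}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python's counterpart of SSL_CTX_set_cipher_list(); raises ssl.SSLError
    # if the string matches no suite known to the linked OpenSSL.
    ctx.set_ciphers(cipher_string)
    usable, unusable = [], []
    for suite in ctx.get_ciphers():
        auth = suite["auth"]
        if auth == "auth-any":
            # TLS 1.3 suites are configured separately and are not bound to
            # one certificate type, so they are left out of this comparison.
            continue
        # None for PSK, SRP or anonymous suites: these need configuration
        # other than a certificate, so they are reported as unusable here.
        needed = AUTH_TO_CERT.get(auth)
        (usable if needed in cert_types else unusable).append(suite["name"])
    return usable, unusable


if __name__ == "__main__":
    # Constructed scenario: the cipher string from the question, evaluated
    # for a server that has only an RSA certificate loaded.
    ok, bad = usable_suites("ECDHE-ECDSA-AES128-GCM-SHA256", {"rsa"})
    print("usable:", ok)
    print("need a different certificate or other setup:", bad)
```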


[openssl-users] RSA-PSS Param File

2018-03-12 Thread Steven Madwin via openssl-users


Hi All,

My ultimate goal is to generate an RSA-PSS key that will have the PSS
parameters in the subjectPublicKey section of the TBSCertificate. In order
to do that the first need is a paramfile. Here's the command being used
to generate the parameter file:

OpenSSL> genpkey -genparam -paramfile .\pem\rsapssParams.pem -pkeyopt
rsa_keygen_bits:2048 -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt
rsa_pss_keygen_mgf1_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:120

But, it returns the error:

NB: options order may be important!  See the manual page.
error in genpkey

The genpkey man page says for the -genparam option, "If used this option
must precede any -algorithm, -paramfile or -pkeyopt options."

With regard to the -paramfile option it says, "If used this option must
precede any -pkeyopt options."

Thus, with -genparam first followed by the -paramfile option and capped off
with the -pkeyopt options it looks to me that the order is correct.

If anyone has any enlightenment for me I'd be eternally grateful.

Thanks,

Steve

Steven Madwin
Software QA Engineer
Adobe Systems Incorporated
345 Park Avenue, MS-W15
San Jose, CA 95110-2704 USA
Phone: 408.536.4343
Fax: 408.536.6024
steven.mad...@adobe.com



[openssl-users] how to control the cipher list of an openssl server

2018-03-12 Thread Chris Bare

I have a fairly basic server set up based on various examples I've seen.

I run an nmap script I found against it and see only 16 ciphers listed,
none of which are supported by modern web browsers.
Yet when I run "openssl ciphers" I get a list of 97.

I realize some of these are old and deprecated etc, but where does the
default list come from?

I tried this code to set it to use one of the more modern ciphers shown in
the openssl ciphers output:

char *ssl_cipher = "ECDHE-ECDSA-AES128-GCM-SHA256";
if(!SSL_CTX_set_cipher_list(jav->ctx, ssl_cipher))
 return (false);

but after that the nmap script doesn't find any ciphers.

Any suggestions?

-- 
Chris Bare


Re: [openssl-users] Compilation error in ssl/t1_trce.c

2018-03-12 Thread Matt Caswell


On 12/03/18 18:39, Erik Forsberg wrote:
> 
> There are missing commas in ssl/t1_trce.c that cause compilation to fail.
> You have to configure with enable-ssl-trace to see it though.
> 
> gcc  -I. -Iinclude -I../src -I../src/include -fPIC -std=gnu90 -march=core2 
> -Wall -O3 -fomit-frame-pointer -pthread  -DFILIO_H -DDSO_DLFCN -DHAVE_DLFCN_H 
> -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS 
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
> -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
> -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM 
> -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" 
> -DENGINESDIR="\"/usr/local/ssl/lib/engines-1.1\"" -DL_ENDIAN 
> -DOPENSSL_NO_INLINE_ASM -DNDEBUG  -MMD -MF ssl/t1_trce.d.tmp -MT 
> ssl/t1_trce.o -c -o ssl/t1_trce.o ../src/ssl/t1_trce.c
> ../src/ssl/t1_trce.c:484:5: error: expected '}' before '{' token
>  {TLSEXT_TYPE_signature_algorithms_cert, "signature_algorithms_cert"}
>  ^
> *** Error code 1
> 

Yes, I independently discovered this myself earlier today. I just pushed
the fix to master.

Matt


[openssl-users] Compilation error in ssl/t1_trce.c

2018-03-12 Thread Erik Forsberg

There are missing commas in ssl/t1_trce.c that cause compilation to fail.
You have to configure with enable-ssl-trace to see it though.

gcc  -I. -Iinclude -I../src -I../src/include -fPIC -std=gnu90 -march=core2 
-Wall -O3 -fomit-frame-pointer -pthread  -DFILIO_H -DDSO_DLFCN -DHAVE_DLFCN_H 
-DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM 
-DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM 
-DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" 
-DENGINESDIR="\"/usr/local/ssl/lib/engines-1.1\"" -DL_ENDIAN 
-DOPENSSL_NO_INLINE_ASM -DNDEBUG  -MMD -MF ssl/t1_trce.d.tmp -MT ssl/t1_trce.o 
-c -o ssl/t1_trce.o ../src/ssl/t1_trce.c
../src/ssl/t1_trce.c:484:5: error: expected '}' before '{' token
 {TLSEXT_TYPE_signature_algorithms_cert, "signature_algorithms_cert"}
 ^
*** Error code 1
