Re: [openssl-users] How to use ADH with OpenSSL 1.1.0

2018-04-12 Thread Viktor Dukhovni


> On Apr 12, 2018, at 7:12 AM, Frykenvall, Per  wrote:
> 
> Then I tried adding :@SECLEVEL=0 to my cipher suite list. That did the 
> trick, but as far as I understand, it switches off some other cipher checks. 
> What's the recommended way of allowing ADH?

For now just @SECLEVEL=0.  There's not yet a more fine-grained way to set the 
security level for crypto parameters but allow certificate-less key exchange.  
If you're willing to allow MiTM attacks, then downgrades are out of scope, and the 
peers will negotiate the best available ciphers, so @SECLEVEL=0 is probably 
fine; you'll still get strong ciphers.
You can also limit the cipher list to exclude anything you feel is too weak to 
offer.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] How to use ADH with OpenSSL 1.1.0

2018-04-12 Thread Frykenvall, Per
Hi,

I need to permit some anonymous Diffie-Hellman ciphers in OpenSSL. This worked 
fine until I installed 1.1.0h when I get "no shared cipher". I debugged and 
found the cause in ssl_security_default_callback, ssl_cert.c line 1028:

    /* No unauthenticated ciphersuites */
    if (c->algorithm_auth & SSL_aNULL)
        return 0;

So do I need to have my own callback, using SSL_CTX_set_security_callback? The 
manual page is not very informative and I'm not sure about how to implement the 
callback. I wouldn't like to duplicate all the other checks of the default 
callback.

Then I tried adding :@SECLEVEL=0 to my cipher suite list. That did the trick, 
but as far as I understand, it switches off some other cipher checks. What's 
the recommended way of allowing ADH?

Best regards,
Per



Re: [openssl-users] Open ssl error "hex string is too long invalid hex key value"

2018-04-12 Thread Matt Caswell


On 12/04/18 07:05, shagun maheshwari wrote:
> Hi,
> 
> We are getting an error "OpenSSL error hex string is too long invalid hex key 
> value". OpenSSL version we are using is openssl-1.0.2k-8.el7. We have solved 
> this issue by applying a patch in openssl package suggested by openssl 
> community 
> (https://mta.openssl.org/pipermail/openssl-dev/2016-May/007266.html).
>  
> 
> In which release of OpenSSL can we expect this fix?
> 

The thread you point to doesn't describe a bug in 1.0.2. The command
line provided to OpenSSL in that thread is in error. The hex string
provided for the key is too long (by 2 bytes) so OpenSSL is doing the
right thing by issuing an error message. It seems that this was
tolerated in older versions of OpenSSL (1.0.1) - but that behaviour can
probably be considered a bug in those older (out of support) versions.

Matt



[openssl-users] Open ssl error "hex string is too long invalid hex key value"

2018-04-12 Thread shagun maheshwari
Hi,

We are getting an error "OpenSSL error hex string is too long invalid
hex key value". OpenSSL version we are using is openssl-1.0.2k-8.el7.
We have solved this issue by applying a patch in openssl package
suggested by openssl community
(https://mta.openssl.org/pipermail/openssl-dev/2016-May/007266.html).

In which release of OpenSSL can we expect this fix?

Please help.


Regards,

Shagun