RE: Default certificate path taken by openssl
Hi Viktor,

Thank you for the information. It was helpful.

With Regards,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Thursday, January 9, 2020 12:35 PM
To: openssl-users@openssl.org
Subject: Re: Default certificate path taken by openssl

On Thu, Jan 09, 2020 at 06:42:36AM +, Chethan Kumar wrote:

> In Linux, if any application which uses openssl does not specify the
> path from which certificates should be read by openssl, does openssl
> try to read from a default path or something?

OpenSSL has a default cert store path, but it is up to applications to
request use of the default paths for certificate validation. Many do,
some don't.

> Need help in this as there is one
> ca-bundle.crt (\usr\lib\ssl\certs\ca-bundle.crt) file in the machine and
> we use our own ca-bundle.crt in another path.

Is this a Linux machine or a Windows machine? You're using backslash as
a path separator, which is not something that works on POSIX systems
(e.g. Linux).

> Is it ok to remove the \usr\lib\ssl\certs\ca-bundle.crt file if we don't use it?

You can remove whatever you want, but if it is installed by an OS
package, something might break if you do. This question is best asked
of your Linux vendor, the upstream OpenSSL project does not bundle any
trusted certificates.

-- 
Viktor.

The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
Default certificate path taken by openssl
Hi all,

Need your help with a query related to the certificates used by openssl.

In Linux, if any application which uses openssl does not specify the path from which certificates should be read by openssl, does openssl try to read from a default path or something?

Need help in this as there is one ca-bundle.crt (\usr\lib\ssl\certs\ca-bundle.crt) file in the machine and we use our own ca-bundle.crt in another path.

Is it ok to remove the \usr\lib\ssl\certs\ca-bundle.crt file if we don't use it?

Thanks in advance,
Chethan Kumar
RE: SSL_get_fd
Any help would be much appreciated.

What I want to know is whether SSL_get_fd() can be used to get the fd which in turn can be used with getpeername() to know the other host communicating.

Thanks in advance,
Chethan Kumar

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar
Sent: Wednesday, July 17, 2019 9:17 PM
To: openssl-users@openssl.org
Cc: chethu.kuma...@gmail.com
Subject: SSL_get_fd

Hi all,

Need some help. I am trying to print the IP address of the destination host by doing getpeername() on the fd got using SSL_get_fd() in both SSL_accept() and SSL_connect(). Doing SSL_get_fd() fails in SSL_accept() with return value -1 but it is working in SSL_connect(). Can you please help me out in knowing what the issue is?

Thanks in advance,
With Regards,
Chethan Kumar
SSL_get_fd
Hi all,

Need some help. I am trying to print the IP address of the destination host by doing getpeername() on the fd got using SSL_get_fd() in both SSL_accept() and SSL_connect(). Doing SSL_get_fd() fails in SSL_accept() with return value -1 but it is working in SSL_connect(). Can you please help me out in knowing what the issue is?

Thanks in advance,
With Regards,
Chethan Kumar
SHA1_Init () is called through SSL_shutdown () in FIPS mode
Hi all,

Need help in resolving an error or understanding the flow.

The Openssl library we are using is FIPS capable.
Openssl version is 1.0.2n with fips-2.0.16
Platform: Linux version 3.10.38-ltsi-WR6.0.0.11_standard (gcc version 4.8.1)

We have an application which uses libssl and libcrypto for its operations. The application is crashing because of a call to SSL_shutdown(). The gdb trace is shown below.

(gdb) bt
#0  0x42926357 in raise () from /lib/libc.so.6
#1  0x42929962 in abort () from /lib/libc.so.6
#2  0x77453e7a in OpenSSLDie () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#3  0x7745d0d8 in SHA1_Init () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#4  0x774f75ee in init () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#5  0x774ee8e0 in EVP_DigestInit_ex () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#6  0x774ea1f9 in ssleay_rand_bytes () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#7  0x774ea413 in ssleay_rand_nopseudo_bytes () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#8  0x774eabd0 in RAND_bytes () from /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.0.0
#9  0x77654500 in tls1_enc () from /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0
#10 0x77645eda in ssl3_dispatch_alert () from /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0
#11 0x77644804 in ssl3_send_alert () from /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0
#12 0x7764107e in ssl3_shutdown () from /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0
#13 0x77662481 in SSL_shutdown () from /home/SYSROM_SRC/build/release/lib/libssl.so.1.0.0
#14 0x088a300e in tcp_disconnect ()
#15 0x088a623f in soap_closesock ()
#16 0x08886929 in soap_serve___stg2__login(soap*) ()
#17 0x08865547 in soap_serve_request ()
#18 0x0885fdee in soap_serve ()

As far as I know, SHA1_Init() is restricted when FIPS is enabled. I want to know why SHA1_Init() was called even when FIPS is enabled.

Let me know if any more information is required to resolve the issue.

Thanks in advance,
Chethan Kumar
RE: Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1
Dear all,

Sorry for the inconvenience caused by not asking the query clearly.

Below is the output from ldd on the application. Seriously, I didn't know the application uses this many libraries [knew only the problem].

linux-gate.so.1 (0xf76fc000)
libpam.so.0 => /lib/i386-linux-gnu/libpam.so.0 (0xf6a63000)
libldap-2.4.so.2 => /home/SYSROM_SRC/build/release/lib/libldap-2.4.so.2 (0xf6a29000)
libssl.so.1.1 => /home/SYSROM_SRC/build/release/lib/libssl.so.1.1 (0xf699)
libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xf6972000)
libsqlite3.so.0 => /usr/lib/i386-linux-gnu/libsqlite3.so.0 (0xf689c000)
libcrypto.so.1.1 => /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.1 (0xf65af000)
libk5crypto.so.3 => /usr/lib/i386-linux-gnu/libk5crypto.so.3 (0xf657e000)
libresolv.so.2 => /lib/i386-linux-gnu/libresolv.so.2 (0xf6566000)
libext2fs.so.2 => /lib/i386-linux-gnu/libext2fs.so.2 (0xf6516000)
libuuid.so.1 => /lib/i386-linux-gnu/libuuid.so.1 (0xf6511000)
libdns.so.69 => /home/SYSROM_SRC/build/release/lib/libdns.so.69 (0xf635c000)
libisc.so.62 => /home/SYSROM_SRC/build/release/lib/libisc.so.62 (0xf62e7000)
librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xf62de000)
libkrb5support.so.0 => /usr/lib/i386-linux-gnu/libkrb5support.so.0 (0xf62d2000)
libkrb5.so.25 => /home/SYSROM_SRC/build/release/lib/libkrb5.so.25 (0xf6259000)
libgssapi.so.2 => /home/SYSROM_SRC/build/release/lib/libgssapi.so.2 (0xf6222000)
libCryptolib.so.0 => /home/SYSROM_SRC/build/release/lib/libCryptolib.so.0 (0xf6191000)
libimf.so => /mfp/lib/libimf.so (0xf5dd8000)
libirng.so => /usr/lib/libirng.so (0xf5c6e000)
libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf5c1a000)
libcilkrts.so.5 => /usr/lib/libcilkrts.so.5 (0xf5bec000)
libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xf5afd000)
libsvml.so => /mfp/lib/libsvml.so (0xf4bbf000)
libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xf4bab000)
libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xf4ba6000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf49e4000)
liblber-2.4.so.2 => /home/SYSROM_SRC/build/release/lib/liblber-2.4.so.2 (0xf49d9000)
libsasl2.so.3 => /home/SYSROM_SRC/build/release/lib/libsasl2.so.3 (0xf49a4000)
/lib/i386-linux-gnu/ld-linux.so.2 (0xf76fd000)
libkeyutils.so.1 => /lib/i386-linux-gnu/libkeyutils.so.1 (0xf49a)
libcom_err.so.2 => /lib/i386-linux-gnu/libcom_err.so.2 (0xf499b000)
libgssapi_krb5.so.2 => /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2 (0xf494c000)
libcom_err.so.1 => /home/SYSROM_SRC/build/release/lib/libcom_err.so.1 (0xf4948000)
libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xf476b000)
libcap.so.2 => /lib/i386-linux-gnu/libcap.so.2 (0xf4766000)
libhx509.so.5 => /home/SYSROM_SRC/build/release/lib/libhx509.so.5 (0xf472)
libheimsqlite.so.0 => /home/SYSROM_SRC/build/release/lib/libheimsqlite.so.0 (0xf46a9000)
libhcrypto.so.4 => /home/SYSROM_SRC/build/release/lib/libhcrypto.so.4 (0xf4673000)
libasn1.so.8 => /home/SYSROM_SRC/build/release/lib/libasn1.so.8 (0xf45cd000)
libwind.so.0 => /home/SYSROM_SRC/build/release/lib/libwind.so.0 (0xf45a3000)
libroken.so.18 => /home/SYSROM_SRC/build/release/lib/libroken.so.18 (0xf458d000)
libcrypt.so.1 => /lib/i386-linux-gnu/libcrypt.so.1 (0xf455b000)
libheimntlm.so.0 => /home/SYSROM_SRC/build/release/lib/libheimntlm.so.0 (0xf4555000)
libintlc.so.5 => /mfp/lib/libintlc.so.5 (0xf44f1000)
libkrb5.so.3 => /usr/lib/i386-linux-gnu/libkrb5.so.3 (0xf441d000)
libattr.so.1 => /lib/i386-linux-gnu/libattr.so.1 (0xf4418000)

Here libcrypto.so.1.1 is newly generated using openssl 1.1.1b and libcrypto.so.1.0.0 is the one provided by the OS.

readelf for the same application is below.

Dynamic section at offset 0xc29258 contains 48 entries:
  Tag     Type      Name/Value
 0x0001 (NEEDED) Shared library: [libpam.so.0]
 0x0001 (NEEDED) Shared library: [libldap-2.4.so.2]
 0x0001 (NEEDED) Shared library: [libssl.so.1.1]
 0x0001 (NEEDED) Shared library: [libpthread.so.0]
 0x0001 (NEEDED) Shared library: [libsqlite3.so.0]
 0x0001 (NEEDED) Shared library: [libcrypto.so.1.1]
 0x0001 (NEEDED) Shared library: [libk5crypto.so.3]
 0x0001 (NEEDED) Shared library: [libresolv.so.2]
 0x0001 (NEEDED) Shared library: [libext2fs.so.2]
 0x0001 (NEEDED) Shared library: [libuuid.so.1]
 0x0001 (NEEDED) Shared library: [libdns.so.69]
 0x0001 (NEEDED) Shared library:
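An added check (my code, not from this thread or the OpenSSL project) for the situation in the post above: it parses ldd output, flags any library that resolves under two SONAMEs (libcrypto.so.1.0.0 next to libcrypto.so.1.1), reports which copies came from OS paths rather than the build's own lib directory, and uses per-object readelf -d NEEDED lists to name the dependency that drags the stray copy in. The ldd and readelf excerpts and the dependency libvendorauth.so.2 are constructed for the example; on a real system the readelf map is built by running readelf -d on the application and on each library ldd resolved.

```python
"""Spot a library linked in under two SONAMEs from `ldd` output and find,
from per-object `readelf -d` output, which dependency pulls the stray copy in.
Added example; not code from the mailing list or from OpenSSL."""
import re
from collections import defaultdict

LDD_RESOLVED = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\((0x[0-9a-fA-F]+)\)\s*$")
LDD_NOT_FOUND = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")
LDD_BARE = re.compile(r"^\s*(\S+)\s+\((0x[0-9a-fA-F]+)\)\s*$")   # vdso, ld-linux
NEEDED = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
STEM = re.compile(r"^(.*?\.so)(?:\..*)?$")   # 'libcrypto.so.1.0.0' -> 'libcrypto.so'

# Constructed ldd excerpt in the shape of the listing in the post above;
# libvendorauth.so.2 is a hypothetical dependency.
SAMPLE_LDD = """\
linux-gate.so.1 (0xf76fc000)
libssl.so.1.1 => /home/SYSROM_SRC/build/release/lib/libssl.so.1.1 (0xf6990000)
libcrypto.so.1.1 => /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.1 (0xf65af000)
libvendorauth.so.2 => /usr/lib/i386-linux-gnu/libvendorauth.so.2 (0xf6259000)
libcrypto.so.1.0.0 => /usr/lib/i386-linux-gnu/libcrypto.so.1.0.0 (0xf476b000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf49e4000)
libmissing.so.9 => not found
/lib/i386-linux-gnu/ld-linux.so.2 (0xf76fd000)
"""

# Constructed `readelf -d` excerpts: the application itself, and the hypothetical
# dependency that was built against OpenSSL 1.0.2 and so still NEEDs the old SONAME.
SAMPLE_READELF = {
    "app": """
 0x00000001 (NEEDED)   Shared library: [libssl.so.1.1]
 0x00000001 (NEEDED)   Shared library: [libcrypto.so.1.1]
 0x00000001 (NEEDED)   Shared library: [libvendorauth.so.2]
""",
    "libvendorauth.so.2": """
 0x00000001 (NEEDED)   Shared library: [libcrypto.so.1.0.0]
 0x00000001 (NEEDED)   Shared library: [libc.so.6]
""",
}


def parse_ldd(text):
    """Return [(soname, resolved_path_or_None)] in ldd's order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LDD_RESOLVED.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
            continue
        m = LDD_NOT_FOUND.match(line) or LDD_BARE.match(line)
        if m:
            entries.append((m.group(1), None))
    return entries


def stem(soname):
    m = STEM.match(soname)
    return m.group(1) if m else soname


def duplicate_stems(entries):
    """{'libcrypto.so': ['libcrypto.so.1.0.0', 'libcrypto.so.1.1']} for every stem
    that appears under more than one SONAME; an empty dict means no duplicates."""
    seen = defaultdict(set)
    for soname, _ in entries:
        seen[stem(soname)].add(soname)
    return {s: sorted(v) for s, v in seen.items() if len(v) > 1}


def outside_prefix(entries, build_prefix):
    """SONAMEs resolved outside the build's own lib directory, i.e. the OS copies."""
    return sorted(s for s, p in entries if p is not None and not p.startswith(build_prefix))


def parse_needed(readelf_text):
    """DT_NEEDED SONAMEs from `readelf -d` output, in link order."""
    return NEEDED.findall(readelf_text)


def importers(needed_by, target):
    """Objects whose dynamic section lists `target` directly."""
    return sorted(obj for obj, deps in needed_by.items() if target in deps)


def report(ldd_text, readelf_by_object, build_prefix):
    entries = parse_ldd(ldd_text)
    needed_by = {obj: parse_needed(txt) for obj, txt in readelf_by_object.items()}
    duplicates = {s: {v: importers(needed_by, v) for v in versions}
                  for s, versions in duplicate_stems(entries).items()}
    return {"duplicates": duplicates, "from_os": outside_prefix(entries, build_prefix)}


if __name__ == "__main__":
    r = report(SAMPLE_LDD, SAMPLE_READELF, "/home/SYSROM_SRC/build/release/lib/")
    for s, versions in r["duplicates"].items():
        for v, who in versions.items():
            print(f"{s}: {v} is NEEDED by {', '.join(who) or '(nothing in the readelf set)'}")
    print("resolved from OS paths:", ", ".join(r["from_os"]))
```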
RE: Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1
I meant to say linking to both by doing ldd. When ldd is done on the application, both libcrypto.so.1.0.0 and libcrypto.so.1.1 are shown. Here libcrypto.so.1.0.0 is taken from the one provided by the OS.

> Is it using some kind of dynamic module that happens to be linked with an
> older OpenSSL version?

No, it's not using any dynamic module. It's built on platform: Linux version 4.4.130-cip23-eBN-kernel (jenkins@skelios-plt) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Richard Levitte
Sent: Tuesday, May 28, 2019 7:37 PM
To: openssl-users@openssl.org
Subject: Re: Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1

In what way does it link to both? What output do you get when running 'ldd' in your application? Is it using some kind of dynamic module that happens to be linked with an older OpenSSL version?

Cheers,
Richard

On Tue, 28 May 2019 06:59:27 +0200, Chethan Kumar wrote:
>
> Dear all,
>
> Any help for the below query would be appreciated.
>
> Thanks in advance,
>
> Chethan Kumar
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Chethan Kumar
> Sent: Wednesday, May 22, 2019 11:35 AM
> To: openssl-users@openssl.org
> Subject: Application linking to both libcrypto.so.1.0.0 and
> libcrypto.so.1.1
>
> Dear all,
>
> While migrating from openssl 1.0.2n to openssl 1.1.1b, the application
> which uses openssl was compiled against openssl 1.1.1b.
>
> Compilation is fine but it's linking to both libcrypto.so.1.0.0 [from
> /usr/lib/] and libcrypto.so.1.1.
>
> It's linking correctly to libssl.1.1.
>
> Is this correct? If so, what could be the possible reason?
>
> Thanks in advance,
>
> Chethan Kumar
>

-- 
Richard Levitte
levi...@openssl.org
OpenSSL Project
http://www.openssl.org/~levitte/
RE: Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1
Dear all,

Any help for the below query would be appreciated.

Thanks in advance,
Chethan Kumar

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar
Sent: Wednesday, May 22, 2019 11:35 AM
To: openssl-users@openssl.org
Subject: Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1

Dear all,

While migrating from openssl 1.0.2n to openssl 1.1.1b, the application which uses openssl was compiled against openssl 1.1.1b.

Compilation is fine but it's linking to both libcrypto.so.1.0.0 [from /usr/lib/] and libcrypto.so.1.1.

It's linking correctly to libssl.1.1.

Is this correct? If so, what could be the possible reason?

Thanks in advance,
Chethan Kumar
RE: To get end point's IP address
Thanks for the input.

>> If applications set this using SSL_set_tlsext_host_name(), is it
>> correct to print hostname/IP in tlsext_hostname.
> "correct" in what sense? "print" where?
> Maybe. You haven't explained what you're trying to do.

What we are trying to achieve is: if there is a failure in the connection between host and destination, then at the host side, log messages saying to which destination it failed. That's why we need to know the hostname/IP address of the destination. Since many applications use openssl, we want to log the messages from the openssl side.

Is it ok if the application sets the IP/hostname using SSL_set_tlsext_host_name() and at the openssl side we refer to tlsext_hostname to log the message?

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik
Sent: Tuesday, May 21, 2019 8:30 PM
To: openssl-users@openssl.org
Subject: RE: To get end point's IP address

> From: Chethan Kumar [mailto:chethan.ku...@toshiba-tsip.com]
> Sent: Tuesday, May 21, 2019 03:53
>
> I researched more and found that the tlsext_hostname member variable in
> the SSL structure can be used to get the host name.

That's the SNI hostname, which is set by the client to the hostname (or possibly some other string identifier, such as the text representation of an IP address) that it thinks it wants to connect to. It's used by the server to determine what certificate to send to the client. It's not a reliable indicator of the server's hostname, and has nothing to do with the client's hostname.

> If applications set this using SSL_set_tlsext_host_name(), is it
> correct to print hostname/IP in tlsext_hostname.

"correct" in what sense? "print" where?

Forget OpenSSL APIs and details of OpenSSL data structures. What problem are you trying to solve?

> Can I use this one to set hostname/IP address?

Maybe. You haven't explained what you're trying to do.

> Can applications acting as both server and client set this?

It's set by a client. It doesn't matter what else that client is doing.

-- 
Michael Wojcik
Distinguished Engineer, Micro Focus
Application linking to both libcrypto.so.1.0.0 and libcrypto.so.1.1
Dear all,

While migrating from openssl 1.0.2n to openssl 1.1.1b, the application which uses openssl was compiled against openssl 1.1.1b.

Compilation is fine but it's linking to both libcrypto.so.1.0.0 [from /usr/lib/] and libcrypto.so.1.1.

It's linking correctly to libssl.1.1.

Is this correct? If so, what could be the possible reason?

Thanks in advance,
Chethan Kumar
RE: To get end point's IP address
Thanks for the information.

I researched more and found that the tlsext_hostname member variable in the SSL structure can be used to get the host name. If applications set this using SSL_set_tlsext_host_name(), is it correct to print hostname/IP in tlsext_hostname? Can I use this one to set hostname/IP address? Can applications acting as both server and client set this?

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Michael Wojcik
Sent: Monday, May 20, 2019 7:35 PM
To: openssl-users@openssl.org
Subject: RE: To get end point's IP address

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Chethan Kumar
> Sent: Monday, May 20, 2019 04:22
>
> I wanted to log the end point's IP address during some errors in
> communication using openssl.
>
> Initially when I tried getpeername() on the SSL context, it's giving the proxy
> server's IP and not the destination IP.

The proxy server address *is* the peer address. Proxies terminate TLS conversations. The client has a TLS conversation with the proxy, and the proxy may have a separate TLS conversation with the origin server. (Or with whatever the next application-level node in the chain is; there can be multiple proxies, gateways, etc.) If it didn't do TLS termination, it wouldn't be a proxy, but a router.

If you have a node that's doing routing at level 4 (copying data between two TCP connections) but not doing TLS termination, there's no way to get the IP addresses of the endpoints of the other connection from the stack. That information has to be provided at the application level.

(Technical quibble: "Level 4 routing" is a somewhat dubious concept in TCP/IP, since TCP straddles OSI levels 4 and 5. But applications which forward data between TCP conversations are traditionally considered level-4 routers. Also, note some level-4 routing packages do TLS termination - stunnel in its base mode is an example. A level-4 router may or may not do TLS termination.)

-- 
Michael Wojcik
Distinguished Engineer, Micro Focus
To get end point's IP address
Dear all,

I wanted to log the end point's IP address during some errors in communication using openssl. What is the best way to know the end point's IP address in openssl, as many applications use openssl and it's not feasible to change all of them?

Initially when I tried getpeername() on the SSL context, it's giving the proxy server's IP and not the destination IP.

Let me know how I can achieve the same.

Thanks in advance,
Chethan Kumar
RE: Difference between s2_srvr.c, s3_srvr.c, s23_srvr.c and t1_clnt.c
Thanks for the information. I understood the flow.

Is t1_srvr.c used to call the respective TLS*_server_method in s3_srvr.c when tls1_get_server_method() is set while creating the SSL_CTX()?

Is similar logic followed for openssl as a client also? Like s2_clnt.c is called when SSLv2 is used, and s23_clnt.c is called for SSLv3 and above? Or is it different?

Also, please let me know if there is any document/link which describes the code flow when a ClientHello is received.

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Matt Caswell
Sent: Tuesday, April 23, 2019 7:30 PM
To: openssl-users@openssl.org
Subject: Re: Difference between s2_srvr.c, s3_srvr.c, s23_srvr.c and t1_clnt.c

On 23/04/2019 14:40, Chethan Kumar wrote:
> Dear all,
>
> Can someone please explain the need for different files like s2_srvr.c, s3_srvr.c and s23_srvr.c in the ssl folder.
>
> I need to know the difference because ssl23_client_hello() is getting called for all communication happening using SSLv3, TLS1.0/1.1/1.2.
>
> Then what is the use of ssl3_client_hello() in s3_srvr.c and client_hello() in s2_srvr.c?
>
> Is ssl23_client_hello() getting called internally for all versions?
>
> If so, can someone please point out where this internal call happens.

s2_srvr.c processes SSLv2 only.

s3_srvr.c processes SSLv3 and above for a fixed protocol version (it does not do version negotiation).

s23_srvr.c does version negotiation. It pulls apart the ClientHello that has been received and works out what protocol version should be used. It then sets the protocol version in the SSL object, pushes the ClientHello back into a read buffer and restarts the process. If SSLv2 was selected then the client hello processing in s2_srvr.c is used. If SSLv3 or above was selected then the client hello processing in s3_srvr.c is used.

You can see the code to set the protocol version in the SSL object, and then push the ClientHello back into the read buffer here:

https://github.com/openssl/openssl/blob/f937540ec40a5e838460b8f19d2eb722529126b8/ssl/s23_srvr.c#L598-L639

At the end of this function we call SSL_accept again to restart the process:

https://github.com/openssl/openssl/blob/f937540ec40a5e838460b8f19d2eb722529126b8/ssl/s23_srvr.c#L650

If you use SSLv2_server_method(), SSLv3_server_method(), TLSv1_server_method(), TLSv1_1_server_method() or TLSv1_2_server_method() when you create your SSL_CTX() then this "fixes" the protocol version at the specified level. In this case s23_srvr.c is never used and you just go straight to s3_srvr.c (or s2_srvr.c). If you use SSLv23_server_method() then version negotiation is used and you go to s23_srvr.c initially.

In OpenSSL 1.1.0+ version negotiation was completely rewritten so this works very differently there. The fixed protocol server methods are deprecated and you are encouraged to use TLS_server_method() instead (which is the new name for SSLv23_server_method).

Hope that helps

Matt
Difference between s2_srvr.c, s3_srvr.c, s23_srvr.c and t1_clnt.c
Dear all,

Can someone please explain the need for different files like s2_srvr.c, s3_srvr.c and s23_srvr.c in the ssl folder.

I need to know the difference because ssl23_client_hello() is getting called for all communication happening using SSLv3, TLS1.0/1.1/1.2.

Then what is the use of ssl3_client_hello() in s3_srvr.c and client_hello() in s2_srvr.c?

Is ssl23_client_hello() getting called internally for all versions?

If so, can someone please point out where this internal call happens.

Thanks in advance,
Chethan Kumar
RE: How to disable tls 1.0 and tls 1.1
>> If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time.
>> Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the
>> SSL_CTX_set_options() or SSL_set_options() functions.

Since we have many applications using openssl services, it is difficult to implement this in all applications. I need to find a single point in the openssl source code [if not in the Makefile] to disable TLSv1.0 and TLS1.1 for both server and client communications.

Thanks in advance,
Chethan

-----Original Message-----
From: Matt Caswell [mailto:m...@openssl.org]
Sent: Friday, April 12, 2019 9:21 PM
To: Chethan Kumar ; openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1

On 12/04/2019 15:50, Chethan Kumar wrote:
> Thanks to both Hubert Kario and Matt Caswell for your valuable information.
> This group has helped a lot in gaining many insights on openssl for a newbie like me.
>
> I was wrong with my understanding.
> But I executed the below command to communicate with TLS1.2 when only TLS1.0 and 1.1 were disabled. Even that failed to execute, saying "unknown option -tls1_2".
> Any reason for that?

Ah! My apologies - I've just now realised that you are using OpenSSL 1.0.2 (and going back to your original post I see that you did actually say that). Sorry for misleading you.

OpenSSL 1.0.2 works differently to later versions in this regard, and quite inconsistently. You can disable SSLv2 and SSLv3 at compile time (SSLv2 is disabled by default) using the no-ssl2 and no-ssl3 options. If you want to disable TLSv1.0 and TLSv1.1 then you should do so at run time. Use the SSL_OP_NO_TLSv1 and SSL_OP_NO_TLSv1_1 options to the SSL_CTX_set_options() or SSL_set_options() functions.

Matt

> Thanks in advance,
> Chethan Kumar
>
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Matt Caswell
> Sent: Friday, April 12, 2019 7:28 PM
> To: openssl-users@openssl.org
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On 12/04/2019 14:37, Chethan Kumar wrote:
>>> Please note that curl developers have recently changed the meaning of those
>>> options, please check if they do what you expect them to do by inspecting
>>> the curl man page.
>> Thanks for the information. I understood it.
>> I also used openssl s_client to communicate with the server using the below command.
>> openssl s_client -connect 172.28.80.66:8080 -tls1_1
>> It says "unknown option -tls1_1"
>> Same for -tls1.
>
> If s_client doesn't recognise the -tls1_1 and -tls1 options then this means that TLSv1.1 and TLSv1.0 have been disabled.
>
>> And even if I disable TLSv1.2 and execute
>> openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
>> WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
>> CONNECTED(0003)
>> 2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
>
> So you attempt a connection and ask s_client to disable TLSv1.2 at runtime. You've already asked it to disable TLSv1.1 and TLSv1.0 at compile time. Since SSLv3 is also compiled out by default there are no protocol versions left so the expected result will be a handshake failure - which is exactly what you've got.
>
>>> what you mean by "used them in Makefile", I'm talking about configure script
>> I added these options in the Makefile like, CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method
>
> *Don't edit the Makefile*. You only need to pass options to Configure.
>
>>> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
>> Yes, even after adding these options it produces the same result.
>
> The result above means you have disabled TLSv1.1 and TLSv1.0 - which was your objective IIUC.
>
>> I am confused what the problem is.
>> Let me know if there is any other way to disable TLSv1.0 and TLS1.1
>
> It sounds like you already did it.
>
> Matt
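Matt's run-time approach above (SSL_OP_NO_TLSv1 / SSL_OP_NO_TLSv1_1 through SSL_CTX_set_options(), or the 1.1.0+ SSL_CTX_set_min_proto_version() that Hubert mentions elsewhere in the thread), as an added example that is not part of the thread. It uses Python's ssl module, whose SSLContext drives those same OpenSSL calls; it assumes Python 3.7+ built against OpenSSL 1.1.0 or later, and the function names are mine.

```python
"""Pin the TLS floor at one place in an application through Python's ssl
module, which calls the same OpenSSL SSL_CTX_set_options() and
SSL_CTX_set_min_proto_version() functions discussed in the thread.
Added example; assumes Python 3.7+ on OpenSSL 1.1.0 or later."""
import ssl
import warnings

# Protocol versions in wire order: display name, the SSL_OP_NO_* flag that
# switches the version off (the 1.0.2-era mechanism), and its TLSVersion value
# (the 1.1.0+ min/max window mechanism).
PROTOCOLS = (
    ("SSLv3",   ssl.OP_NO_SSLv3,   ssl.TLSVersion.SSLv3),
    ("TLSv1.0", ssl.OP_NO_TLSv1,   ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2, ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.OP_NO_TLSv1_3, ssl.TLSVersion.TLSv1_3),
)


def new_context(server_side=False):
    """A context using the version-negotiating method (SSLv23/TLS_method)."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    return ssl.SSLContext(proto)


def disable_legacy_with_options(ctx):
    """1.0.2 style: SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1).

    Newer CPython versions warn that these flags are deprecated in favour of
    minimum_version; the warning is silenced here because showing exactly
    this mechanism is the point of the function.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    return ctx


def disable_legacy_with_min_version(ctx):
    """1.1.0+ style: SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enabled_versions(ctx):
    """Versions the context can still negotiate, combining both mechanisms:
    a version is usable only if its OP_NO_* bit is clear AND it lies inside
    the [minimum_version, maximum_version] window."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    usable = []
    for name, no_flag, ver in PROTOCOLS:
        if ctx.options & no_flag:
            continue
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and ver < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and ver > hi:
            continue
        usable.append(name)
    return usable


if __name__ == "__main__":
    for label, harden in (("SSL_OP_NO_*", disable_legacy_with_options),
                          ("min_proto_version", disable_legacy_with_min_version)):
        ctx = harden(new_context())
        print(f"{label:>18}: {enabled_versions(ctx)}")
```

Whether TLSv1.3 appears in the list depends on the OpenSSL build behind the interpreter; TLSv1.0 and TLSv1.1 never do once either function has run.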
RE: How to disable tls 1.0 and tls 1.1
Thanks to both Hubert Kario and Matt Caswell for your valuable information. This group has helped a lot in gaining many insights on openssl for a newbie like me.

I was wrong with my understanding.

But I executed the below command to communicate with TLS1.2 when only TLS1.0 and 1.1 were disabled. Even that failed to execute, saying "unknown option -tls1_2". Any reason for that?

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Matt Caswell
Sent: Friday, April 12, 2019 7:28 PM
To: openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1

On 12/04/2019 14:37, Chethan Kumar wrote:
>> Please note that curl developers have recently changed the meaning of those
>> options, please check if they do what you expect them to do by inspecting
>> the curl man page.
> Thanks for the information. I understood it.
> I also used openssl s_client to communicate with the server using the below command.
> openssl s_client -connect 172.28.80.66:8080 -tls1_1
> It says "unknown option -tls1_1"
> Same for -tls1.

If s_client doesn't recognise the -tls1_1 and -tls1 options then this means that TLSv1.1 and TLSv1.0 have been disabled.

> And even if I disable TLSv1.2 and execute
> openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
> WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
> CONNECTED(0003)
> 2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

So you attempt a connection and ask s_client to disable TLSv1.2 at runtime. You've already asked it to disable TLSv1.1 and TLSv1.0 at compile time. Since SSLv3 is also compiled out by default there are no protocol versions left so the expected result will be a handshake failure - which is exactly what you've got.

>> what you mean by "used them in Makefile", I'm talking about configure script
> I added these options in the Makefile like, CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method

*Don't edit the Makefile*. You only need to pass options to Configure.

>> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?
> Yes, even after adding these options it produces the same result.

The result above means you have disabled TLSv1.1 and TLSv1.0 - which was your objective IIUC.

> I am confused what the problem is.
> Let me know if there is any other way to disable TLSv1.0 and TLS1.1

It sounds like you already did it.

Matt
RE: How to disable tls 1.0 and tls 1.1
> Please note that curl developers have recently changed the meaning of those
> options, please check if they do what you expect them to do by inspecting the
> curl man page.

Thanks for the information. I understood it.

I also used openssl s_client to communicate with the server using the below command.

openssl s_client -connect 172.28.80.66:8080 -tls1_1

It says "unknown option -tls1_1". Same for -tls1.

And even if I disable TLSv1.2 and execute:

openssl s_client -connect 172.28.80.66:8080 -no_tls1_2
WARNING: can't open config file: /usr/local/ebx/ssl/openssl.cnf
CONNECTED(0003)
2001716872:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 113 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1555075165
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

> what you mean by "used them in Makefile", I'm talking about configure script

I added these options in the Makefile like, CONFOPTS += linux-ppc -DOPENSSL_NO_SSL3 -DOPENSSL_NO_SSL2 -DSSL_OP_NO_SSLv2 no-tls1 no-tls1_1 no-tls1-method no-tls1_1-method

> do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?

Yes, even after adding these options it produces the same result.

I am confused what the problem is. Let me know if there is any other way to disable TLSv1.0 and TLS1.1.

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Friday, April 12, 2019 6:11 PM
To: Chethan Kumar
Cc: openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1

On Friday, 12 April 2019 13:54:24 CEST Chethan Kumar wrote:
> > what evidence you have that what you do is ineffective?
>
> I tried connecting to some host by executing the curl command with the --tlsv1.1 and --tlsv1.0 options and am able to connect successfully.

Please note that curl developers have recently changed the meaning of those options, please check if they do what you expect them to do by inspecting the curl man page.

see: https://github.com/curl/curl/issues/2918

> > why you're not using?
> > ./config no-tls1 no-tls1_1
>
> I have used these options in the Makefile but still communication with TLS1.0 and TLS1.1 is working.

what you mean by "used them in Makefile", I'm talking about configure script

> Confirmed by checking the openssl/opensslconf.h file for the OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 macros, and the macros are generated.
> Kindly let me know what could be changed to disable TLS 1.0 and 1.1, at least by changing code in openssl.

macros may still be generated because the API is retained for ABI compatibility, do adding `no-tls1-method` and `no-tls1_1-method` produce the expected result?

> -----Original Message-----
> From: Hubert Kario [mailto:hka...@redhat.com]
> Sent: Friday, April 12, 2019 4:50 PM
> To: Chethan Kumar
> Cc: openssl-users@openssl.org
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > > there is no "min" version in Client Hello, the version in record layer is irrelevant and used only for backwards compatibility *NOT* for negotiation
> >
> > Thank you for the information. But I have a doubt: then what is the importance of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() introduced in 1.1.X along with SSL_CTX_set_options()?
>
> when the minimum set is higher than what the server answers with, the *client* will reject the connection after receiving ServerHello
>
> that is: when SSL_CTX_set_min_proto_version is set to tls 1.2, SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort the connection
>
> > I would like to know how to disable TLSv1.0 and 1.1 using the configure option [CONFOPTS] in the Makefile.
>
> what evidence you have that what you do is ineffective?
>
> why you're not using?
> ./config no-tls1 no-tls1_1
>
> > Thanks in advance,
> > Chethan Kumar
> >
> > -----Original Message-----
> > From: Hubert Kario [mailto:hka...@redhat.com]
> > Sent: Thursday, April 11, 2019 7:08 PM
> > To: openssl-users@openssl.org
> > Cc: Chethan Kumar
> > Subject: Re: How to disable tls 1.0 and tls 1.1
RE: How to disable tls 1.0 and tls 1.1
> what evidence you have that what you do is ineffective?

I tried connecting to some host by executing the curl command with the --tlsv1.1 and --tlsv1.0 options and am able to connect successfully.

> why you're not using?
> ./config no-tls1 no-tls1_1

I have used these options in the Makefile but still communication with TLS1.0 and TLS1.1 is working. Confirmed by checking the openssl/opensslconf.h file for the OPENSSL_NO_TLS1 and OPENSSL_NO_TLS1_1 macros, and the macros are generated.

Kindly let me know what could be changed to disable TLS 1.0 and 1.1, at least by changing code in openssl.

-----Original Message-----
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Friday, April 12, 2019 4:50 PM
To: Chethan Kumar
Cc: openssl-users@openssl.org
Subject: Re: How to disable tls 1.0 and tls 1.1

On Friday, 12 April 2019 06:47:54 CEST Chethan Kumar wrote:
> > there is no "min" version in Client Hello, the version in record layer is irrelevant and used only for backwards compatibility *NOT* for negotiation
>
> Thank you for the information. But I have a doubt: then what is the importance of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() introduced in 1.1.X along with SSL_CTX_set_options()?

when the minimum set is higher than what the server answers with, the *client* will reject the connection after receiving ServerHello

that is: when SSL_CTX_set_min_proto_version is set to tls 1.2, SSL_CTX_set_max_proto_version is set to tls 1.3 and the server replies with ServerHello.version of (3, 2) i.e. TLS 1.1 the client will abort the connection

> I would like to know how to disable TLSv1.0 and 1.1 using the configure option [CONFOPTS] in the Makefile.

what evidence you have that what you do is ineffective?

why you're not using?
./config no-tls1 no-tls1_1

> Thanks in advance,
> Chethan Kumar
>
> -----Original Message-----
> From: Hubert Kario [mailto:hka...@redhat.com]
> Sent: Thursday, April 11, 2019 7:08 PM
> To: openssl-users@openssl.org
> Cc: Chethan Kumar
> Subject: Re: How to disable tls 1.0 and tls 1.1
>
> On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> > Adding to previous mail,
> > We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling SSLv2 and v1 but still the client hello is sent using min and max as TLS1.0 and TLS1.2.
>
> there is no "min" version in Client Hello, the version in record layer is irrelevant and used only for backwards compatibility *NOT* for negotiation
>
> > Any idea what is wrong in our options and what should be used instead?
>
> compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1 to enable just TLS 1.1 and see if your production compile can connect
>
> > Thanks in advance,
> > Chethan Kumar
> >
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar
> > Sent: Thursday, April 11, 2019 4:25 PM
> > To: openssl-users@openssl.org
> > Subject: How to disable tls 1.0 and tls 1.1
> >
> > Dear all,
> >
> > Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling the openssl package. I am using the 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.
> >
> > I also have a doubt on the difference between -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain the difference.
> >
> > Thanks in advance,
> > Chethan Kumar
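Two points from the thread worked through together, as an added example that is not part of the thread: the version decision Matt attributes to s23_srvr.c (pull the ClientHello apart, pick a version, the record-layer version playing no part, as Hubert says), and Hubert's rule in the 4:50 PM message that a client with min/max proto versions set aborts when ServerHello.version falls outside its window. The handshake bytes are constructed inline and the function names and version windows are mine; it is pure Python with no OpenSSL or network involved.

```python
"""Version negotiation as the thread describes it, on constructed handshake
bytes: what a negotiating server derives from a ClientHello, and the
client-side min/max check. Added example, not OpenSSL's own code."""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
HANDSHAKE, CLIENT_HELLO, EXT_SUPPORTED_VERSIONS = 22, 1, 43


def build_client_hello(record_version, legacy_version, supported=None):
    """Constructed sample: a minimal TLS-format ClientHello (zeroed random,
    empty session id, one cipher suite). 'supported' adds the TLS 1.3
    supported_versions extension; without it the hello is pre-1.3 style."""
    hello = struct.pack(">H", legacy_version) + bytes(32) + b"\x00"
    hello += struct.pack(">H", 2) + b"\xc0\x2f"          # one cipher suite
    hello += b"\x01\x00"                                  # null compression
    if supported:
        data = bytes([2 * len(supported)]) + b"".join(
            struct.pack(">H", v) for v in supported)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        hello += struct.pack(">H", len(ext)) + ext
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BHH", HANDSHAKE, record_version, len(body)) + body


def parse_client_hello(record):
    """Return (record_version, legacy_version, offered_versions).

    The record-layer version is returned only so a caller can see that it is
    not used for the decision. A pre-1.3 client offers every version from
    legacy_version downwards; a 1.3 client lists them in supported_versions."""
    ctype, rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != HANDSHAKE or len(body) != rec_len:
        raise ValueError("not a complete handshake record")
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    legacy = struct.unpack(">H", hello[:2])[0]
    pos = 2 + 32                                            # skip client_random
    pos += 1 + hello[pos]                                   # skip session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + hello[pos]                                   # skip compression
    offered = None
    if pos < len(hello):                                    # extensions present
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            data, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                offered = [struct.unpack(">H", data[i:i + 2])[0]
                           for i in range(1, 1 + data[0], 2)]
    if offered is None:
        offered = [v for v in sorted(TLS_VERSIONS, reverse=True)
                   if v <= legacy]
    return rec_ver, legacy, offered


def server_select_version(offered, min_version, max_version):
    """What the negotiating server decides: the highest offered version inside
    its own window, or None, meaning handshake failure (the s_client
    -no_tls1_2 run earlier in the thread is the case where nothing is left)."""
    ok = [v for v in offered if min_version <= v <= max_version]
    return max(ok) if ok else None


def client_accepts(server_version, min_version, max_version):
    """Hubert's rule: the client never sends a minimum on the wire, but it
    aborts once the negotiated ServerHello version falls outside
    [min_proto_version, max_proto_version]."""
    return min_version <= server_version <= max_version


if __name__ == "__main__":
    # Record layer says TLS 1.0, ClientHello says TLS 1.2: the record version
    # is irrelevant, the client is offering 1.2 down to SSLv3.
    _, _, offered = parse_client_hello(build_client_hello(0x0301, 0x0303))
    print([TLS_VERSIONS[v] for v in offered])
    # A server pinned to TLS 1.1 only (s_server -tls1_1) picks 1.1.
    print(TLS_VERSIONS[server_select_version(offered, 0x0302, 0x0302)])
    # Client with min 1.2 / max 1.3 gets ServerHello.version (3,2): aborted.
    print(client_accepts(0x0302, 0x0303, 0x0304))
```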
RE: How to disable tls 1.0 and tls 1.1
> there is no "min" version in Client Hello, the version in record layer is
> irrelevant and used only for backwards compatibility *NOT* for negotiation

Thank you for the information. But I have a doubt: then what is the importance of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() introduced in 1.1.X along with SSL_CTX_set_options()?

I would like to know how to disable TLSv1.0 and 1.1 using the configure option [CONFOPTS] in the Makefile.

Thanks in advance,
Chethan Kumar

-----Original Message-----
From: Hubert Kario [mailto:hka...@redhat.com]
Sent: Thursday, April 11, 2019 7:08 PM
To: openssl-users@openssl.org
Cc: Chethan Kumar
Subject: Re: How to disable tls 1.0 and tls 1.1

On Thursday, 11 April 2019 15:25:51 CEST Chethan Kumar wrote:
> Adding to previous mail,
> We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling SSLv2 and v1 but still the client hello is sent using min and max as TLS1.0 and TLS1.2.

there is no "min" version in Client Hello, the version in record layer is irrelevant and used only for backwards compatibility *NOT* for negotiation

> Any idea what is wrong in our options and what should be used instead?

compile an openssl server with TLS 1.1 enabled, run openssl s_server -tls1_1 to enable just TLS 1.1 and see if your production compile can connect

> Thanks in advance,
> Chethan Kumar
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar
> Sent: Thursday, April 11, 2019 4:25 PM
> To: openssl-users@openssl.org
> Subject: How to disable tls 1.0 and tls 1.1
>
> Dear all,
>
> Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling the openssl package. I am using the 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.
>
> I also have a doubt on the difference between -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain the difference.
>
> Thanks in advance,
> Chethan Kumar

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
RE: How to disable tls 1.0 and tls 1.1
Adding to previous mail,

We tried -DSSL_OP_NO_TLSv1 -DSSL_OP_NO_TLSv1_1 along with disabling SSLv2 and v1 but still the client hello is sent using min and max as TLS1.0 and TLS1.2.

Any idea what is wrong in our options and what should be used instead?

Thanks in advance,
Chethan Kumar

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Chethan Kumar
Sent: Thursday, April 11, 2019 4:25 PM
To: openssl-users@openssl.org
Subject: How to disable tls 1.0 and tls 1.1

Dear all,

Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling the openssl package. I am using the 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.

I also have a doubt on the difference between -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain the difference.

Thanks in advance,
Chethan Kumar
How to disable tls 1.0 and tls 1.1
Dear all,

Kindly help me out in knowing how to disable TLS1.0 and TLS1.1 while compiling the openssl package. I am using the 1.0.2n openssl version and disabled SSLv1 and v2 using -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2.

I also have a doubt on the difference between -DSSL_OP_NO_SSLv2, -DOPENSSL_NO_SSL3 and -DOPENSSL_NO_SSL2. Can someone please explain the difference.

Thanks in advance,
Chethan Kumar
migration from openssl 1.0.2n to 1.1.1
Dear all,

We did an openssl version upgrade from 1.0.2n to 1.1.1. While compiling some package dependent on openssl, we are getting errors related to the M_ASN1_D2I and I2D functions. Digging deeper, I got to know that in the latest openssl the asn1_mac.h header is deprecated.

Can someone please help me out in knowing what changes are to be done to make it work? We use the following functions:

M_ASN1_I2D_len(a->issuer,i2d_X509_NAME);
M_ASN1_I2D_vars(a);
M_ASN1_I2D_len(a->subject,i2d_X509_NAME);
M_ASN1_I2D_seq_total();
M_ASN1_I2D_put(a->issuer,i2d_X509_NAME);
M_ASN1_I2D_put(a->subject,i2d_X509_NAME);
M_ASN1_I2D_finish();
M_ASN1_D2I_vars(a, pkcs7_issuer_and_subject *,
M_ASN1_D2I_Init();
M_ASN1_D2I_start_sequence();
M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
M_ASN1_D2I_Finish(a,pkcs7_issuer_and_subject_free, 99);
M_ASN1_New_Malloc(ret,pkcs7_issuer_and_subject);
M_ASN1_New(ret->issuer,X509_NAME_new);
M_ASN1_New(ret->subject,X509_NAME_new);
M_ASN1_New_Error(199);
M_ASN1_INTEGER_free(a->subject);

Thanking you,
With Regards,
Chethan Kumar
openSSL 1.1.1b compatibility with GLIBC
Dear all,

In need of some assistance. I compiled openssl 1.1.1b on Debian and executed openssl commands on another Debian machine. It's giving the below error:

    openssl: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.1)

Even when I start HTTP services which use openssl, it gives the same error:

    Starting webserverhttpd: Syntax error on line 208 of /config/httpd.conf: Cannot load lib/mod_ssl.so into server: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/ebx/lib/libcrypto.so.1.1)

The environment used for the same is below.

Compilation Environment:

    cat /proc/version
    Linux version 3.16.0-6-amd64 (debian-ker...@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
    ldd --version
    ldd (Debian GLIBC 2.19-18+deb8u10) 2.19

Executing Environment:

    cat /proc/version
    Linux version 4.4.130-cip23-eBN-kernel (jenkins@skelios-plt) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
    ldd --version
    ldd (GNU libc) 2.19

I need to know how the compilation was successful even though the GLIBC version was lower, and what should be done to make it work apart from updating GLIBC.

Thanking you,
Chethan Kumar
