Javax.Crypto.AEADBadTagException: Tag Mismatch

2021-01-26 Thread Pravesh Rai 
Hi,

We've Java on the client side & OpenSSL on the server side. After updating
Java to 1.8u261 & started getting following exception:

Javax.Crypto.AEADBadTagException: Tag Mismatch

when trying to communicate with a server having OpenSSL 1.0.2.

Looks like the issue is due to AES-GCM ciphers. So, just wanted to know if
we need to make some changes in OpenSSL configuration to avoid the given
exception.

Regards,
PR

Re: [openssl-users] tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384

2018-01-19 Thread Pravesh Rai 
Following link might give you, some clue about the problem:

https://stackoverflow.com/questions/30446431/wrong-cipher-suite-or-no-connection-with-openssl-server

Regards,
PR

On Fri, Jan 12, 2018 at 9:27 PM, johan persson 
wrote:

> I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384"
> cipher.
> OpenSSL 1.0.2h
>
> This is how I generate test certificates.
> openssl ecparam -out /data/ca.key -name secp256k1 -genkey
> openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM
> -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER
> openssl ecparam -out /data/server.key -name secp256k1 -genkey
> openssl req -new -nodes -key /data/server.key -outform pem -out
> /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER'
> openssl ecparam -out /data/client.key -name secp256k1 -genkey
> openssl req -new -nodes -key /data/client.key -outform pem -out
> /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT'
> openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
> /data/server.req -out /data/server.pem -outdir /data/
> openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
> /data/client.req -out /data/client.pem -outdir /data/
>
>
> Running the following test:
> openssl s_server -accept 1 -cert server.pem -key server.key -CAfile
> ca.pem -debug -tlsextdebug
> openssl s_client -connect localhost:1 -cert client.pem -key client.key
> -CAfile ca.pem -tls1_2
>
> I get a handshake working ok with the cipher I want
> "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!:
>
>
> Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to
> work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want.
> Anyone knows what I'm missing from the following setup?:
>
> #define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING
> //#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING
>
> // Init for OpenSSL
> SSL_library_init();
> OpenSSL_add_all_algorithms();
> SSL_load_error_strings();
>
> ctx_ = SSL_CTX_new(TLSv1_2_server_method());
> if (ctx_ == NULL)
> {
>LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__);
>return RET_FAIL;
> }
>
> (Load Ca cert, server and server private key)
>
> if (SSL_CTX_set_ecdh_auto(ctx_, 1)) {
>LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__);
>return RET_FAIL;
> }
>
> if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) {
> LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n",
> __FUNCTION__, VOC_TLS_CIPHERS);
> return RET_FAIL;
> }
>
> ssl_ = SSL_new(ctx_);
>
> error on server side:
> 
> Server has 1 from 0xb475ef98:
> 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
> Client sent 1 from 0xb3502308:
> 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
> rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
> 0:[0080:0040:0140:00D4]0xb6daa440:ECDHE-ECDS
> A-AES256-GCM-SHA384
> 2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher:s3_srvr.c:1417:
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers

2017-06-03 Thread Pravesh Rai 
Hi,

Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k)
& server (Java 1.8 with Tomcat), still getting following handshake error,
while executing:

"openssl s_client -connect a.b.c.d: -msg -debug -cipher
ECDHE-ECDSA-AES256-GCM-SHA384"


...
read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7))
 - 15 03 03 00 02 02 28  ..(
<<< TLS 1.2  [length 0005]
15 03 03 00 02
<<< TLS 1.2 Alert [length 0002], fatal handshake_failure
02 28
14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
handshake failure:.\ssl\s23_clnt.c:769:
...

And, such error happens, only when ECDHE ciphers are selected during the
connection.

Any clue on this?

Thanks,
PR
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: SSL_set_fd() and fd type in Windows 64

2013-11-04 Thread Pravesh Rai 
We get such types of warning while doing compilation for x64 environment,
but normally don't face any problem during run-time.

Thanks,
PK


On Tue, Nov 5, 2013 at 6:36 AM, sa...@zxid.org wrote:

 On Windows, sockets and filedescriptors are HANDLES which are pointers.

 This is all nice and fine on 32bit Windows.

 However on 64bit windows int is 32bits and HANDLE is a 64bit pointer,
 leading to following warning:

 warning: cast from pointer to integer of different size
 [-Wpointer-to-int-cast]
  if (!SSL_set_fd(bu-ssl, (int)bu-fd)) {

 Is this something to worry about?

 The platform is mingw-w64.

 Cheers,
 --Sampo
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org

Re: memory crash when calling X509_free function

2013-10-03 Thread Pravesh Rai 
Is it because x509 is a local variable in 1 function  freed in another?

PK


On Thu, Oct 3, 2013 at 5:22 PM, Sanjay Kumar (sanjaku5)
sanja...@cisco.comwrote:

  Hi,

 ** **

 I have below 2 functions

 ** **

 **1.  **Received the certificate data is DER format and convert to
 X509 format

 ** **

 RetCode convert_der_to_x509(uint8_t *cert_der, uint32_t cert_len)

 {

   const unsigned char  *bptr = NULL;

 ** **

   X509  *x509 = NULL;

   bptr = (unsigned char *)cert_der;

   x509 = d2i_X509(NULL, bptr, cert_len);   /*x509 structure
 is allocated here*/

   if (x509 == NULL)

   {

 syfer_log-ERR(DER to x509 converion failed);

 return RET_ERROR;

   }

   return RET_SUCCESS;

 }

 ** **

 **2.  **Clean up the X509 structure

 ** **

 Void cleanup_x509()

 {

   X509_free(x509);

 }

 ** **

 Query:

 When I call the cleanup_x509 function:

 ** **

 I get the memory crash

 ** **

 Backtrace:

 Program terminated with signal 11, Segmentation fault.

 #0  0x081e7748 in ASN1_STRING_free ()

 #0  0x081e7748 in ASN1_STRING_free ()

 #1  0x081e2b90 in ASN1_primitive_free ()

 #2  0x081e2b7a in ASN1_primitive_free ()

 #3  0x081e2c1a in asn1_item_combine_free ()

 #4  0x081e2e5d in ASN1_template_free ()

 #5  0x081e2d9e in asn1_item_combine_free ()

 #6  0x081e2e5d in ASN1_template_free ()

 #7  0x081e2d9e in asn1_item_combine_free ()

 #8  0x081e2e93 in ASN1_item_free ()

 #9  0x081defd7 in X509_free ()

 #10 0x08052673 in CertificateRemote::cleanup_x509 (this=0x9bb55f0) at
 syfer/crypto/Certificate.cpp:309

 ** **

 What could be possible reason for the above crash ?

 ** **

 ** **

 Thanks,

 Sanjay

 ** **

Re: Openssl 1.0.1x build using VS 2012

2013-09-03 Thread Pravesh Rai 
Hi All,

Got the solution.

The problem was due to difference in building environment of Application 
OpenSSL. Some of the application binaries were built using their older
project format, i.e. *.vcproj  rest other binaries were built using their
newer project format, i.e. *.vcxproj.

Thanks to all, who reponded to my query.

Thanks,
Pravesh



On Wed, Sep 4, 2013 at 4:37 AM, Watson, Patrick patrick.wat...@ncr.comwrote:

 Check out this page:
 http://www.openssl.org/docs/crypto/OPENSSL_Applink.html

 ** **

 Basically, you just need to #include openssl\applink.c in your
 application. That file defines a virtual table like list of things related
 to stdout, stderr, etc. This file only appears to be needed when you start
 using functions that might access FILEs or the console, like
 ERR_print_errors_fp. 

 ** **

 I’m not sure why you are only seeing it in VS2012; maybe you added logging
 code so you diagnose issues in the new DLL?

 ** **

 *Patrick Watson, CISSP*
 *Software Engineer
 Data Security  Electronic Payment Systems
 NCR Retail*

 

 *From:* owner-openssl-us...@openssl.org [mailto:
 owner-openssl-us...@openssl.org] *On Behalf Of *Pravesh Rai
 *Sent:* Friday, August 30, 2013 1:07 AM
 *To:* openssl-users@openssl.org
 *Subject:* Openssl 1.0.1x build using VS 2012

 ** **

 Hi,

  

 Even though I'm successful in getting the OpenSSL build using VS 2012, but
 getting following error message:

  

 OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

  

 while trying to 'load' libeay32.dll. The problem is solved, if we use
 another libeay32.dll, which is built using VS 2005. Except for this, all
 other development  usage environment is totally same.

  

 Do anybody has any clue on this?

  

 Thanks,

 Pravesh

 ** **

Openssl 1.0.1x build using VS 2012

2013-08-29 Thread Pravesh Rai 
Hi,

Even though I'm successful in getting the OpenSSL build using VS 2012, but
getting following error message:

OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

while trying to 'load' libeay32.dll. The problem is solved, if we use
another libeay32.dll, which is built using VS 2005. Except for this, all
other development  usage environment is totally same.

Do anybody has any clue on this?

Thanks,
Pravesh

Openssl 1.0.1x build using VS 2012

2013-08-29 Thread Pravesh Rai 
Hi,

Even though I'm successful in getting the OpenSSL build using VS 2012, but
getting following error message:

OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink

while trying to 'load' libeay32.dll. The problem is solved, if we use
another libeay32.dll, which is built using VS 2005. Except for this, all
other development  usage environment is totally same.

Do anybody has any clue on this?

Thanks,
Pravesh