Javax.Crypto.AEADBadTagException: Tag Mismatch
Hi, We've Java on the client side & OpenSSL on the server side. After updating Java to 1.8u261 & started getting following exception: Javax.Crypto.AEADBadTagException: Tag Mismatch when trying to communicate with a server having OpenSSL 1.0.2. Looks like the issue is due to AES-GCM ciphers. So, just wanted to know if we need to make some changes in OpenSSL configuration to avoid the given exception. Regards, PR
Re: [openssl-users] tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384
Following link might give you, some clue about the problem: https://stackoverflow.com/questions/30446431/wrong-cipher-suite-or-no-connection-with-openssl-server Regards, PR On Fri, Jan 12, 2018 at 9:27 PM, johan perssonwrote: > I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384" > cipher. > OpenSSL 1.0.2h > > This is how I generate test certificates. > openssl ecparam -out /data/ca.key -name secp256k1 -genkey > openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM > -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER > openssl ecparam -out /data/server.key -name secp256k1 -genkey > openssl req -new -nodes -key /data/server.key -outform pem -out > /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER' > openssl ecparam -out /data/client.key -name secp256k1 -genkey > openssl req -new -nodes -key /data/client.key -outform pem -out > /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT' > openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in > /data/server.req -out /data/server.pem -outdir /data/ > openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in > /data/client.req -out /data/client.pem -outdir /data/ > > > Running the following test: > openssl s_server -accept 1 -cert server.pem -key server.key -CAfile > ca.pem -debug -tlsextdebug > openssl s_client -connect localhost:1 -cert client.pem -key client.key > -CAfile ca.pem -tls1_2 > > I get a handshake working ok with the cipher I want > "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!: > > > Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to > work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want. > Anyone knows what I'm missing from the following setup?: > > #define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING > //#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING > > // Init for OpenSSL > SSL_library_init(); > OpenSSL_add_all_algorithms(); > SSL_load_error_strings(); > > ctx_ = SSL_CTX_new(TLSv1_2_server_method()); > if (ctx_ == NULL) > { >LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__); >return RET_FAIL; > } > > (Load Ca cert, server and server private key) > > if (SSL_CTX_set_ecdh_auto(ctx_, 1)) { >LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__); >return RET_FAIL; > } > > if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) { > LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", > __FUNCTION__, VOC_TLS_CIPHERS); > return RET_FAIL; > } > > ssl_ = SSL_new(ctx_); > > error on server side: > > Server has 1 from 0xb475ef98: > 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 > Client sent 1 from 0xb3502308: > 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 > rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 > 0:[0080:0040:0140:00D4]0xb6daa440:ECDHE-ECDS > A-AES256-GCM-SHA384 > 2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared > cipher:s3_srvr.c:1417: > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Problem in connecting to Java (Tomcat) server with ECDHE ciphers
Hi, Even though I've disabled SSLvX protocols on both - client (openssl-1.0.2k) & server (Java 1.8 with Tomcat), still getting following handshake error, while executing: "openssl s_client -connect a.b.c.d: -msg -debug -cipher ECDHE-ECDSA-AES256-GCM-SHA384" ... read from 0x213f50 [0x21c410] (7 bytes => 7 (0x7)) - 15 03 03 00 02 02 28 ..( <<< TLS 1.2 [length 0005] 15 03 03 00 02 <<< TLS 1.2 Alert [length 0002], fatal handshake_failure 02 28 14756:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:769: ... And, such error happens, only when ECDHE ciphers are selected during the connection. Any clue on this? Thanks, PR -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: SSL_set_fd() and fd type in Windows 64
We get such types of warning while doing compilation for x64 environment, but normally don't face any problem during run-time. Thanks, PK On Tue, Nov 5, 2013 at 6:36 AM, sa...@zxid.org wrote: On Windows, sockets and filedescriptors are HANDLES which are pointers. This is all nice and fine on 32bit Windows. However on 64bit windows int is 32bits and HANDLE is a 64bit pointer, leading to following warning: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] if (!SSL_set_fd(bu-ssl, (int)bu-fd)) { Is this something to worry about? The platform is mingw-w64. Cheers, --Sampo __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: memory crash when calling X509_free function
Is it because x509 is a local variable in 1 function freed in another? PK On Thu, Oct 3, 2013 at 5:22 PM, Sanjay Kumar (sanjaku5) sanja...@cisco.comwrote: Hi, ** ** I have below 2 functions ** ** **1. **Received the certificate data is DER format and convert to X509 format ** ** RetCode convert_der_to_x509(uint8_t *cert_der, uint32_t cert_len) { const unsigned char *bptr = NULL; ** ** X509 *x509 = NULL; bptr = (unsigned char *)cert_der; x509 = d2i_X509(NULL, bptr, cert_len); /*x509 structure is allocated here*/ if (x509 == NULL) { syfer_log-ERR(DER to x509 converion failed); return RET_ERROR; } return RET_SUCCESS; } ** ** **2. **Clean up the X509 structure ** ** Void cleanup_x509() { X509_free(x509); } ** ** Query: When I call the cleanup_x509 function: ** ** I get the memory crash ** ** Backtrace: Program terminated with signal 11, Segmentation fault. #0 0x081e7748 in ASN1_STRING_free () #0 0x081e7748 in ASN1_STRING_free () #1 0x081e2b90 in ASN1_primitive_free () #2 0x081e2b7a in ASN1_primitive_free () #3 0x081e2c1a in asn1_item_combine_free () #4 0x081e2e5d in ASN1_template_free () #5 0x081e2d9e in asn1_item_combine_free () #6 0x081e2e5d in ASN1_template_free () #7 0x081e2d9e in asn1_item_combine_free () #8 0x081e2e93 in ASN1_item_free () #9 0x081defd7 in X509_free () #10 0x08052673 in CertificateRemote::cleanup_x509 (this=0x9bb55f0) at syfer/crypto/Certificate.cpp:309 ** ** What could be possible reason for the above crash ? ** ** ** ** Thanks, Sanjay ** **
Re: Openssl 1.0.1x build using VS 2012
Hi All, Got the solution. The problem was due to difference in building environment of Application OpenSSL. Some of the application binaries were built using their older project format, i.e. *.vcproj rest other binaries were built using their newer project format, i.e. *.vcxproj. Thanks to all, who reponded to my query. Thanks, Pravesh On Wed, Sep 4, 2013 at 4:37 AM, Watson, Patrick patrick.wat...@ncr.comwrote: Check out this page: http://www.openssl.org/docs/crypto/OPENSSL_Applink.html ** ** Basically, you just need to #include openssl\applink.c in your application. That file defines a virtual table like list of things related to stdout, stderr, etc. This file only appears to be needed when you start using functions that might access FILEs or the console, like ERR_print_errors_fp. ** ** I’m not sure why you are only seeing it in VS2012; maybe you added logging code so you diagnose issues in the new DLL? ** ** *Patrick Watson, CISSP* *Software Engineer Data Security Electronic Payment Systems NCR Retail* *From:* owner-openssl-us...@openssl.org [mailto: owner-openssl-us...@openssl.org] *On Behalf Of *Pravesh Rai *Sent:* Friday, August 30, 2013 1:07 AM *To:* openssl-users@openssl.org *Subject:* Openssl 1.0.1x build using VS 2012 ** ** Hi, Even though I'm successful in getting the OpenSSL build using VS 2012, but getting following error message: OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink while trying to 'load' libeay32.dll. The problem is solved, if we use another libeay32.dll, which is built using VS 2005. Except for this, all other development usage environment is totally same. Do anybody has any clue on this? Thanks, Pravesh ** **
Openssl 1.0.1x build using VS 2012
Hi, Even though I'm successful in getting the OpenSSL build using VS 2012, but getting following error message: OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink while trying to 'load' libeay32.dll. The problem is solved, if we use another libeay32.dll, which is built using VS 2005. Except for this, all other development usage environment is totally same. Do anybody has any clue on this? Thanks, Pravesh
Openssl 1.0.1x build using VS 2012
Hi, Even though I'm successful in getting the OpenSSL build using VS 2012, but getting following error message: OPENSSL_Uplink(07FED5A31000,08): no OPENSSL_Applink while trying to 'load' libeay32.dll. The problem is solved, if we use another libeay32.dll, which is built using VS 2005. Except for this, all other development usage environment is totally same. Do anybody has any clue on this? Thanks, Pravesh