[openssl-users] Unable to run Configure for msys/mingw

[杨春雷]

I had been always successful with Configure for last several releases. But with 
1.0.2h, I am not able to run Configure correctly. Note that I am on Windows 
msys.

Here is what I get :

$ ./configure no-symlinks shared mingw
Configuring for mingw
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-libunbound   [experimental] OPENSSL_NO_LIBUNBOUND (skip dir)
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
    no-ssl-trace    [default]  OPENSSL_NO_SSL_TRACE (skip dir)
    no-ssl2         [default]  OPENSSL_NO_SSL2 (skip dir)
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-symlinks     [option]
    no-unit-test    [default]  OPENSSL_NO_UNIT_TEST (skip dir)
    no-weak-ssl-ciphers [default]  OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir)
    no-zlib         [default]
    no-zlib-dynamic [default]
IsMK1MF=0
CC            =gcc
CFLAG         =-D_WINDLL -DOPENSSL_USE_APPLINK -DOPENSSL_PIC -DOPENSSL_THREADS 
-D_MT -DDSO_WIN32 -DL_ENDIAN -DWIN32_LEAN_AND_MEAN -fomit-frame-pointer -O3 
-march=i486 -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM 
-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM 
-DGHASH_ASM
EX_LIBS       =-lws2_32 -lgdi32 -lcrypt32
CPUID_OBJ     =x86cpuid.o uplink.o uplink-x86.o
BN_ASM        =bn-586.o co-586.o x86-mont.o x86-gf2m.o
EC_ASM        =
DES_ENC       =des-586.o crypt586.o
AES_ENC       =aes-586.o vpaes-x86.o aesni-x86.o
BF_ENC        =bf-586.o
CAST_ENC      =c_enc.o
RC4_ENC       =rc4-586.o
RC5_ENC       =rc5-586.o
MD5_OBJ_ASM   =md5-586.o
SHA1_OBJ_ASM  =sha1-586.o sha256-586.o sha512-586.o
RMD160_OBJ_ASM=rmd-586.o
CMLL_ENC      =cmll-x86.o
MODES_OBJ     =ghash-x86.o
ENGINES_OBJ   =
PROCESSOR     =
RANLIB        =true
ARFLAGS       =
PERL          =perl
THIRTY_TWO_BIT mode
DES_PTR used
DES_RISC1 used
DES_UNROLL used
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined


Configured for mingw.


*** Because of configuration changes, you MUST do the following before
*** building:


        make depend

The configure script abruptly stops at "RC4_CHUNK is undefined", and no other 
error messages are given.

I'm not a familiar with Shell script so I am not able to locate the bug. Need 
help.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] regarding ssl_server test

[Jeffrey Walton]

On Thu, May 26, 2016 at 5:51 PM, Jakob Bohm  wrote:
> On 26/05/2016 18:33, R-D intern wrote:
>>
>> Hello,
>>   I have implemented ssl for my internal server that listens over
>> a
>> private ip. Can anyone suggest how can I test my ssl_server? For eg.
>> Qualys
>> test shows the amount of ssl implementation of a server listening over
>> public ip  and even checks for vulnerabilities in ssl implementation. How
>> can such a thing be tested for a server listening over private ip?
>> Please help. Awaiting response.
>> Regards,
>> R-D Intern
>>
>
> Indeed, there are many servers that cannot be reached by the
> online configuration tests such as the one run by Qualsys.
>
> What would be really nice would be if one of the good test
> suites could be downloaded and run locally on internal servers,
> non-web servers, staging servers etc. to verify that
> configurations are correct, or at least as good as possible.

That's sslscan (http://sourceforge.net/projects/sslscan/). You need a
modern fork because the original version by Ventura-Whiting and Bowman
has been abandoned. The abandoned version lacks things like TLV 1.2
support and SNI support.

You can find lots of forks of the original sslscan on GitHub:
http://www.google.com/search?q=sslscan+site:github.com

Jeff
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[Matt Caswell]

On 27/05/16 13:23, counterpoint wrote:
> Thanks for the comments, Matt.
> 
>> read_ahead and SSL_pending() do not play nicely together unfortunately.
>> See the master (1.1.0) version of the SSL_pending() documentation which
>> discusses this issue and introduced the new function SSL_has_pending()
>> which addresses it:
> 
>> https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html
> 
> I looked at SSL_has_pending, but can't easily use it as the software needs
> to build on standard distributions, as far as possible, and it isn't in e.g.
> CentOS 6.5
> 
>> So it sounds like this is during reading of application data? Has
>> SSL_accept() returned successfully, and you are now wanting to call
>> SSL_read()?
> 
> It's getting a lot further than that. The SSL_accept returns success, and a
> whole series of SSL_read and SSL_write calls look to be operating fine. It
> appears that most of the 500KB of data used in the test is transferred, but
> (probably near the end) the process hangs. Presumably SSL_pending is
> returning 0 and there are no further EPOLLIN events.  Or something like
> that.
> 
> I expected that turning off read ahead would fix both server and client, but
> it seems not. I've read all the configuration options I can find, but so far
> haven't found a solution to the server side application.

It would be interesting to know what the value of "s->s3->rbuf.left" is
(where "s" is your SSL object) when it gets to this point. SSL_pending()
tells you how much buffered and processed data is left that OpenSSL can
provide. The above value tells you how much buffered and raw
*unprocessed* data is left. If you've turned read_ahead off it should be
zero. I wouldn't recommend looking at that in a production app (you
won't be able to access it in 1.1.0) but for debugging purposes it would
be interesting.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Missing EVP_aes_128_gcm() in openssl 1.0.2g

[Jensen, Jens H]

Hi,

I cannot find the implementation of EVP_aes_128_gcm() in openssl-1.0.2g 
(2016-Mar-01). I searched all files but it's not there. Also when compiling 
openssl as a lib, it's missing.

I can only find the header prototype of EVP_aes_128_gcm() which doesn't help 
much.

Any idea where I can find the implementation of EVP_aes_128_gcm() ?

Thanks!
Jens
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[counterpoint]

Thanks for the comments, Matt.

> read_ahead and SSL_pending() do not play nicely together unfortunately.
> See the master (1.1.0) version of the SSL_pending() documentation which
> discusses this issue and introduced the new function SSL_has_pending()
> which addresses it:

> https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html

I looked at SSL_has_pending, but can't easily use it as the software needs
to build on standard distributions, as far as possible, and it isn't in e.g.
CentOS 6.5

> So it sounds like this is during reading of application data? Has
> SSL_accept() returned successfully, and you are now wanting to call
> SSL_read()?

It's getting a lot further than that. The SSL_accept returns success, and a
whole series of SSL_read and SSL_write calls look to be operating fine. It
appears that most of the 500KB of data used in the test is transferred, but
(probably near the end) the process hangs. Presumably SSL_pending is
returning 0 and there are no further EPOLLIN events.  Or something like
that.

I expected that turning off read ahead would fix both server and client, but
it seems not. I've read all the configuration options I can find, but so far
haven't found a solution to the server side application.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66383.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Missing EVP_aes_128_gcm() in openssl 1.0.2g

[Matt Caswell]

On 27/05/16 14:49, Jensen, Jens H wrote:
> Hi,
> 
>  
> 
> I cannot find the implementation of EVP_aes_128_gcm() in openssl-1.0.2g
> (2016-Mar-01). I searched all files but it’s not there. Also when
> compiling openssl as a lib, it’s missing.
> 
>  
> 
> I can only find the header prototype of EVP_aes_128_gcm() which doesn’t
> help much.
> 
>  
> 
> Any idea where I can find the implementation of EVP_aes_128_gcm() ?

It's defined via a macro.

crypto/evp/e_aes.c line 1602.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[Matt Caswell]

On 27/05/16 07:32, counterpoint wrote:
> Hmm, some progress, but still puzzled. When my code is acting as the client,
> it seems that the problem can be overcome by calling SSL_set_read_ahead with
> a zero parameter, to turn off reading ahead. This is done just before
> calling SSL_connect. The application now seems able to read megabytes of
> data from the server without hanging.

read_ahead and SSL_pending() do not play nicely together unfortunately.
See the master (1.1.0) version of the SSL_pending() documentation which
discusses this issue and introduced the new function SSL_has_pending()
which addresses it:

https://www.openssl.org/docs/manmaster/ssl/SSL_pending.html


> 
> However, adding a similar call just before SSL_accept does not solve the
> problem when the application is the server, and is reading a lot of data
> from the client. It looks as if the data is read (certainly hundreds of KB
> in packets of 16384 bytes) but the application then hangs. Presumably for
> lack of any trigger (such as EPOLLIN) to generate any further activity.

So it sounds like this is during reading of application data? Has
SSL_accept() returned successfully, and you are now wanting to call
SSL_read()?

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL shutdown timeout - Please add timeout function

[ostradegroup ostradegroup]

Two or more calls to ssl_shutdown() resulted in a lock.  ssl_shutdown would
not return for over 60 seconds or more.  The server, or host, is Microsoft
IIS.

Could OpenSSL add a setting function to the library which will set the
timeout/waketime for ssl_shutdown() (process)?

Thank you.

Gary Pham
ostradegr...@gmail.com
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[counterpoint]

Seems to always be zero, Matt, as it should be.  This gives some idea of what
is going on:
Breakpoint 4, dcb_basic_read_SSL (dcb=0x7fffdc0158d0,   
nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:12181218   
switch (SSL_get_error(dcb->ssl, *nsingleread))$352 = 16384Breakpoint 5,
dcb_basic_read_SSL (dcb=0x7fffdc0158d0,nsingleread=0x7fff86fc) at
/root/MaxScale/server/core/dcb.c:12221222MXS_DEBUG("%lu [%s]
Read %d bytes from dcb %p in state %s "Fri May 27 16:47:12 BST 2016$353 =
"Successful SSL read"Breakpoint 1, dcb_read_SSL (dcb=0x7fffdc0158d0,
head=0x7fff87d0)at /root/MaxScale/server/core/dcb.c:11911191   
ss_dassert(gwbuf_length(*head) == (start_length + nreadtotal));$354 =
0Breakpoint 9, dcb_write (dcb=0x678ef0, queue=0x67d300)at
/root/MaxScale/server/core/dcb.c:13701370below_water =
(dcb->high_water && dcb->writeqlen < dcb->high_water);Fri May 27 16:47:12
BST 2016$355 = 16384$356 = "Writing to the client"
Breakpoint 4 shows the number of bytes read.Breakpoint 5 shows the case for
analysis of the return code from the read.Breakpoint 1 shows the value of
s->s3->rbuf.leftBreakpoint 9 shows the number of bytes being passed to the
write function.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66394.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] regarding ssl_server test

[R-D intern]

Thank you so much.I tried  searching for a downloadable  ssl_server test
source  code for internal servers but couldn't get any.how could  I get one?
Thanks and regards,
R-D Intern



--
View this message in context: 
http://openssl.6102.n7.nabble.com/regarding-ssl-server-test-tp66354p66400.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[counterpoint]

Thanks Matt, good points. Not easy to implement though!

In the problem case, my code is the server (it is a proxy), and the standard
MariaDB command line client is the client. Yes, it does look as if
everything is happening as it should, except that the process stops before
all the data has been handled.

The client is sending a large query (about 500 KB, using "load data local
infile '/root/bigdata.txt' into table upload;").

If the client is connected directly to the database, using SSL, the query
runs successfully.

If the client is connected through the proxy without SSL (most of the logic
exactly the same), the query runs successfully.

If a shorter query is chosen, it works with SSL.

Looking at the data flows with Wireshark, it looks about right, but I can't
see the data in detail because of the SSL :)

I thought the read ahead issue would have fixed both sides, but somehow the
interface to the client still doesn't work. So it's hard to find things to
diagnose, leaving me scratching round for inspiration and something to
change that might fix things. And ideally, I need a quick result! Such is
life.





--
View this message in context: 
http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66396.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[Matt Caswell]

On 27/05/16 15:51, counterpoint wrote:
> Seems to always be zero, Matt, as it should be. This gives some idea of
> what is going on:
> 
> Breakpoint 4, dcb_basic_read_SSL (dcb=0x7fffdc0158d0,
> nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1218
> 1218switch (SSL_get_error(dcb->ssl, *nsingleread))
> $352 = 16384
> 
> Breakpoint 5, dcb_basic_read_SSL (dcb=0x7fffdc0158d0,
> nsingleread=0x7fff86fc) at /root/MaxScale/server/core/dcb.c:1222
> 1222MXS_DEBUG("%lu [%s] Read %d bytes from dcb %p in state %s "
> Fri May 27 16:47:12 BST 2016
> $353 = "Successful SSL read"
> 
> Breakpoint 1, dcb_read_SSL (dcb=0x7fffdc0158d0, head=0x7fff87d0)
> at /root/MaxScale/server/core/dcb.c:1191
> 1191ss_dassert(gwbuf_length(*head) == (start_length + nreadtotal));
> $354 = 0
> 
> Breakpoint 9, dcb_write (dcb=0x678ef0, queue=0x67d300)
> at /root/MaxScale/server/core/dcb.c:1370
> 1370below_water = (dcb->high_water && dcb->writeqlen < 
> dcb->high_water);
> Fri May 27 16:47:12 BST 2016
> $355 = 16384
> $356 = "Writing to the client"
> 
> Breakpoint 4 shows the number of bytes read. Breakpoint 5 shows the case
> for analysis of the return code from the read. Breakpoint 1 shows the
> value of s->s3->rbuf.left Breakpoint 9 shows the number of bytes being
> passed to the write function.

So, if I understand you correctly, s->s3->rbuf.left is always 0
(indicating that there is no unprocessed data that OpenSSL has buffered)
and SSL_pending() returns 0 (indicating that OpenSSL has no processed
data bufferred). And this is the point where the hang in epoll occurs?

It sounds to me like OpenSSL on the server is behaving as expected. Its
processed all the data it has received and sent it on to your
application. This looks like either:
- the client hasn't sent the data that you're expecting to receive
(perhaps because of a problem on the client side)
or
- your server application hasn't correctly responded to something that
the client sent you.

Either way it looks to me like an application protocol level issue
rather than an SSL/TLS level issue. So the question is what data are you
waiting for from the client at this point? Does the client think it sent
it? Perhaps its sitting in some buffer somewhere. You need to work out
at the application protocol level what state things are in, and why the
client and server are apparently out of sync with each other.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[Matt Caswell]

On 27/05/16 16:20, counterpoint wrote:
> Thanks Matt, good points. Not easy to implement though!
> 
> In the problem case, my code is the server (it is a proxy), and the standard
> MariaDB command line client is the client. Yes, it does look as if
> everything is happening as it should, except that the process stops before
> all the data has been handled.
> 
> The client is sending a large query (about 500 KB, using "load data local
> infile '/root/bigdata.txt' into table upload;").
> 
> If the client is connected directly to the database, using SSL, the query
> runs successfully.
> 
> If the client is connected through the proxy without SSL (most of the logic
> exactly the same), the query runs successfully.
> 
> If a shorter query is chosen, it works with SSL.
> 
> Looking at the data flows with Wireshark, it looks about right, but I can't
> see the data in detail because of the SSL :)

Perhaps using an eNULL ciphersuite might help?

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[counterpoint]

> Perhaps using an eNULL ciphersuite might help? 
> Matt 

Good idea, I'll give it a try.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66398.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL/TLS /AES-GCM IV/Key uniqueness compliance with SP800-38D Section 8

[Satya Das]

All,

We are using OpenSSL 1.0.1e/FIPS 2.0.11 on CentOS6 x86_64 and I have a question 
about the TLS GCM Cipher suites -

Do the TLS GCM suites satisfy the requirements of Section 8 of SP 800-38D ?

If I am reading the document right, the following are the requirements therein.


1)  The probability that the authenticated encryption function ever will be 
invoked with the same IV and same key on two (or more) distinct sets of input 
data shall be no greater than 2-32.

2)  Any GCM key that is established among its intended users shall, with 
high probability, be fresh.

3)  The total number of invocations of the authenticated encryption 
function shall not exceed 232, including all IV lengths and all instances of 
the authenticated encryption function with the given key.

TIA.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSL non-blocking epoll hanging on data receiving

[counterpoint]

Hmm, some progress, but still puzzled. When my code is acting as the client,
it seems that the problem can be overcome by calling SSL_set_read_ahead with
a zero parameter, to turn off reading ahead. This is done just before
calling SSL_connect. The application now seems able to read megabytes of
data from the server without hanging.

However, adding a similar call just before SSL_accept does not solve the
problem when the application is the server, and is reading a lot of data
from the client. It looks as if the data is read (certainly hundreds of KB
in packets of 16384 bytes) but the application then hangs. Presumably for
lack of any trigger (such as EPOLLIN) to generate any further activity.

Any suggestions please?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OpenSSL-non-blocking-epoll-hanging-on-data-receiving-tp66355p66370.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users