Re: [openssl.org #2279] issue with compilation openssl -make install
I am trying to compile openssl in solaris 8

I use this :

./Configure --prefix=/soft/nrpe --openssldir=/soft/nrpe no-hw no-zlib solaris-sparcv8-cc shared

Then make

When I did the make test I met these errors :

CMS consistency test
/usr/bin/perl cms-test.pl
CMS = PKCS#7 compatibility tests
Can't use an undefined value as filehandle reference at cms-test.pl line 423.

http://cvs.openssl.org/chngview?cn=20832

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: linker error while compiling latest openssl release
I have checked out the latest code from

cvs -d anonym...@cvs.openssl.org:/openssl-cvs co openssl

Below is the error message.

sha512-586.s:(.text+0x59): undefined reference to `.L003XOP'

http://cvs.openssl.org/chngview?cn=22638
Re: unable to make build_tests for fipscanisteronly config
I am able to build the tests successfully from the OpenSSL-fips-2_0-dev branch. While validating the DRBG Validation list from NIST. I find all the validations (*HASH_DRBG.txt, HMAC_DRGB.txt, **Dual_EC_DRBG.txt.* )passing except *CTR_DRBG*: Below is the error message.

./fips_drbgvs ../drbgtestvectors/CTR_DRBG.txt ../drbgtestvectors/CTR_DRBG.rng
DRBG type not recognised!

Can you please help.

Thanks
Shruthi
iDirect.net

On Mon, Jun 18, 2012 at 9:21 PM, Shruthi rangan shruthi.ran...@gmail.com wrote:

-- Forwarded message --
From: Dr. Stephen Henson st...@openssl.org
Date: Sat, Jun 16, 2012 at 6:50 AM
Subject: Re: unable to make build_tests for fipscanisteronly config
To: openssl-dev@openssl.org

On Sat, Jun 16, 2012, Shruthi rangan wrote:

Hi, I am working on Red Hat Enterprise Linux Server release 5.6 (Tikanga) and trying to validate the fips test cases for the latest code checked out from the openssl cvs. The make build_tests fails with a linker error, can you please help me resolve. These are the steps tried.

cvs -d anonym...@cvs.openssl.org:/openssl-cvs co openssl

Don't use CVS HEAD use a fips snapshot instead, or if you must use CVS use the OpenSSL-fips-2_0-dev branch.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: unable to make build_tests for fipscanisteronly config
On Wed, Jun 20, 2012, Shruthi rangan wrote:

I am able to build the tests successfully from the OpenSSL-fips-2_0-dev branch. While validating the DRBG Validation list from NIST. I find all the validations (*HASH_DRBG.txt, HMAC_DRGB.txt, **Dual_EC_DRBG.txt.* )passing except *CTR_DRBG*: Below is the error message.

./fips_drbgvs ../drbgtestvectors/CTR_DRBG.txt ../drbgtestvectors/CTR_DRBG.rng
DRBG type not recognised!

Can you please help.

IIRC the NIST test vectors include tests for triple DES in CTR mode for the DRBG while OpenSSL only supports AES. So you'd need to edit those out from the test vectors.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
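The edit suggested in the reply above (dropping the non-AES cases from CTR_DRBG.txt) can be scripted. This is an added example, not code from the thread or from OpenSSL; it assumes each section of the vector file opens with a bracketed algorithm line that contains no "=" (such as "[AES-128 use df]"), and the function name and sample data are constructed for illustration.

```python
import re

# Assumption about the vector file layout: a bracketed line WITHOUT "="
# (e.g. "[AES-128 use df]") selects the algorithm for the section, while
# bracketed lines WITH "=" (e.g. "[NonceLen = 64]") are section parameters.
ALGO_HEADER = re.compile(r"^\[([^=\]]+)\]\s*$")


def filter_ctr_drbg_vectors(text, keep_prefix="AES-"):
    """Return (filtered_text, dropped), where dropped names removed sections."""
    out, dropped = [], []
    keeping = True  # preamble comments before the first section are kept
    for line in text.splitlines():
        m = ALGO_HEADER.match(line.strip())
        if m:
            name = m.group(1).strip()
            keeping = name.startswith(keep_prefix)
            if not keeping:
                dropped.append(name)
        if keeping:
            out.append(line)
    return "\n".join(out) + "\n", dropped


# Constructed sample with shortened values; these are not real NIST vectors.
SAMPLE = """\
# CAVS sample (constructed)
[3KeyTDEA use df]
[PredictionResistance = True]
[EntropyInputLen = 112]

COUNT = 0
EntropyInput = 00112233

[AES-128 use df]
[PredictionResistance = True]
[EntropyInputLen = 128]

COUNT = 0
EntropyInput = 8899aabb
"""

if __name__ == "__main__":
    filtered, dropped = filter_ctr_drbg_vectors(SAMPLE)
    print(filtered, end="")
    print("dropped sections:", dropped)
```

Reviewing the list of dropped section names before running the validation tool confirms that only the unsupported cipher sections were removed.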
Re: OCSP Stapling bug with multiple certs (e.g. an RSA cert and an ECC cert)
On 18/06/12 11:40, Rob Stradling wrote:

On 16/06/12 23:31, Dr. Stephen Henson wrote:

snip

Is there a way to patch httpd so that it can work around the limitations in the OpenSSL API and always send the correct OCSP Response?

Possible changes to OpenSSL:
Should the Stapling Callback function be called later in the handshake (perhaps in ssl_add_serverhello_tlsext()), after the cipher has been selected?
Should ssl_get_server_send_cert() be made available for applications to call?
Or should SSL_get_certificate() be updated so that it always returns the cert that the server will actually send?

I can't immediately think of a clean solution to this problem. I think it makes sense for OpenSSL to return the server certificate actually used via SSL_get_certificate().

Agreed. This would avoid the need to implement a fix/workaround in the httpd code, and would presumably also mean that the OpenSSL 1.0.x branch can be fixed without breaking binary compatibility.

See if adding:

c->key = c->pkeys + i;

to ssl_get_server_send_cert fixes this. Which it won't because the status callback is called too soon as you noted.

Would moving the status callback to a sufficiently later point in the handshake work?

Since it's now clear that the fix for this problem requires changing OpenSSL, I've just sent a request to the Request Tracker. I've also proposed a patch.

--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
[openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured
The OCSP Stapling Callback function (s->ctx->tlsext_status_cb) is called during the parsing of the ClientHello message, before the server has decided which cipher to use. However, since the choice of cipher can influence which server certificate is sent, this means that the wrong OCSP Response may be sent in cases where multiple server certificates are configured.

The attached patch against CVS HEAD makes the following changes:
- Moves the s->ctx->tlsext_status_cb() call to just after the cipher has been chosen. This involves splitting ssl_check_clienthello_tlsext() into two functions: early and late.
- Updates SSL_get_certificate() so that it returns the server certificate that actually gets sent. (This is the function that Apache httpd's OCSP Stapling code calls in order to determine which OCSP Response to send).

I've tested this patch successfully with an installation of httpd 2.4.2 that has both an RSA cert and an ECC cert configured.

If this patch is OK, I'd like to backport it to the OpenSSL 1.0.x branch as well.

--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online

Index: ssl/s3_srvr.c === RCS file: /v/openssl/cvs/openssl/ssl/s3_srvr.c,v retrieving revision 1.233 diff -u -r1.233 s3_srvr.c --- ssl/s3_srvr.c 6 Jun 2012 12:52:19 - 1.233 +++ ssl/s3_srvr.c 19 Jun 2012 10:59:34 - @@ -1424,6 +1424,16 @@ * s-tmp.new_cipher- the new cipher to use. */ + /* Handles TLS extensions that we couldn't check earlier */ + if (s-version = SSL3_VERSION) + { + if (!ssl_check_clienthello_tlsext_late(s)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLSEXT); + goto err; + } + } + if (ret 0) ret=1; if (0) { Index: ssl/ssl_lib.c === RCS file: /v/openssl/cvs/openssl/ssl/ssl_lib.c,v retrieving revision 1.234 diff -u -r1.234 ssl_lib.c --- ssl/ssl_lib.c 18 Jun 2012 12:56:59 - 1.234 +++ ssl/ssl_lib.c 19 Jun 2012 10:59:34 -
@@ -2846,6 +2846,14 @@ /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { + if (s-server) + { + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey((SSL *)s); + if (certpkey certpkey-x509) + return certpkey-x509; + } + if (s-cert != NULL) return(s-cert-key-x509); else Index: ssl/ssl_locl.h === RCS file: /v/openssl/cvs/openssl/ssl/ssl_locl.h,v retrieving revision 1.141 diff -u -r1.141 ssl_locl.h --- ssl/ssl_locl.h 18 Jun 2012 12:56:59 - 1.141 +++ ssl/ssl_locl.h 19 Jun 2012 10:59:34 - @@ -1132,6 +1132,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); +int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); Index: ssl/t1_lib.c === RCS file: /v/openssl/cvs/openssl/ssl/t1_lib.c,v retrieving revision 1.123 diff -u -r1.123 t1_lib.c --- ssl/t1_lib.c11 Jun 2012 09:23:55 - 1.123 +++ ssl/t1_lib.c19 Jun 2012 10:59:34 - @@ -123,7 +123,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, const unsigned char *sess_id, int sesslen, SSL_SESSION **psess); -static int ssl_check_clienthello_tlsext(SSL *s); +static int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #endif @@ -1846,7 +1846,7 @@ return 0; } - if (ssl_check_clienthello_tlsext(s) = 0) + if (ssl_check_clienthello_tlsext_early(s) = 0) { SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_TLSEXT,SSL_R_CLIENTHELLO_TLSEXT); return 0; 
@@ -2247,7 +2247,7 @@ return 1; } -static int ssl_check_clienthello_tlsext(SSL *s) +static int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; @@ -2266,42 +2266,11 @@ else if (s-initial_ctx != NULL s-initial_ctx-tlsext_servername_callback != 0) ret =
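Review bot: in the ssl/s3_srvr.c hunk, the failure branch of the new ssl_check_clienthello_tlsext_late(s) call records SSL_R_PARSE_TLSEXT, while the early check in ssl/t1_lib.c records SSL_R_CLIENTHELLO_TLSEXT; nothing is parsed at this point, so SSL_R_CLIENTHELLO_TLSEXT would describe the failure better. The branch also jumps straight to err, so please confirm that the late function sends its own alert before returning 0. Finally, the call is tested with "!", which treats a negative return as success, whereas the early check compares its return value against 0; either guarantee that the late function returns only 0 or 1, or test it the same way as the early one.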
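Review bot: in the ssl/ssl_lib.c hunk, SSL_get_certificate() now casts away const with "(SSL *)s" to call ssl_get_server_send_pkey(), and its result on a server becomes dependent on handshake state without any documentation of that. Please check that ssl_get_server_send_pkey() neither modifies the SSL object nor queues an error when no cipher has been chosen yet (for instance when an application calls SSL_get_certificate() before the handshake), so that the existing fallback below the new block is reached cleanly. The comment above the function and the SSL_get_certificate documentation should also state that on a server the returned certificate is the one selected for the negotiated cipher.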
Re: unable to make build_tests for fipscanisteronly config
Thanks it works now.

On Wed, Jun 20, 2012 at 2:51 AM, Dr. Stephen Henson st...@openssl.org wrote:

On Wed, Jun 20, 2012, Shruthi rangan wrote:

I am able to build the tests successfully from the OpenSSL-fips-2_0-dev branch. While validating the DRBG Validation list from NIST. I find all the validations (*HASH_DRBG.txt, HMAC_DRGB.txt, **Dual_EC_DRBG.txt.* )passing except *CTR_DRBG*: Below is the error message.

./fips_drbgvs ../drbgtestvectors/CTR_DRBG.txt ../drbgtestvectors/CTR_DRBG.rng
DRBG type not recognised!

Can you please help.

IIRC the NIST test vectors include tests for triple DES in CTR mode for the DRBG while OpenSSL only supports AES. So you'd need to edit those out from the test vectors.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org