[openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2014-09-09 Thread Rich Salz via RT
SSL_library_init only loads the algorithms needed by SSL/TLS ciphersuites.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2013-02-19 Thread Dominic Wollner via RT
Hi,

thank you, this solves the problem. But why does SSL_library_init() not load 
all algorithms? Are there any export restrictions?

Thanks,
Dominic

Dominic Wollner
Dipl.-Inf. (FH)
Development & Research Linux

IGEL Technology - The world’s most advanced thin clients 
Many Functions. One Device. ® 
IGEL Technology GmbH
Annastr. 11
86150 Augsburg, Germany

Email:   woll...@igel.com 
Phone:  +49 (0)821 34 32 08 - 233
Fax:  +49 (0)821 34 32 08 - 9
www.igel.com - www.igel.de 
IGEL Technology is a member of the Melchers group. 
Managing Directors: Heiko Gloge, Nicolas C. S. Helms, Dirk Dördelmann, Andreas 
Schönduve
District Court Bremen (Germany) HRB 20636, VAT: DE 219524359 
Confidentiality Note: The information contained in this transmission is legally 
privileged and confidential, intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, you are hereby notified that any dissemination, distribution, or 
copying of this communication is strictly prohibited. If you receive this 
communication in error, please notify us immediately by telephone call to +49 
(0)821 34 32 08 - 233 and delete the message. Thank you! 

Please consider the environment before printing this email or its 
attachments. Many thanks... 






[openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2013-02-15 Thread Stephen Henson via RT
On Fri Feb 15 10:24:22 2013, woll...@igel.com wrote:
>
> we are using OpenSSL 0.9.8k. It's not the command line utility.
> We are linking against libcrypto and libssl. We load the CA
> certificates with SSL_CTX_set_default_verify_paths (c_rehash has
> been executed before), disable the automatic verification by
> setting SSL_CTX_set_verify to SSL_VERIFY_NONE, do the handshake
> with BIO_do_handshake, get the server certificate with
> SSL_get_peer_certificate and then verify the certificate by using
> SSL_get_verify_result. The result value of this function is set to
> X509_V_ERR_CERT_SIGNATURE_FAILURE. The problem seems to be the
> signature algorithm which is used: sha512WithRSAEncryption.
>

Are you including a call to OpenSSL_add_all_algorithms() in your application?
SSL_library_init() only adds a subset of supported signature algorithms and
doesn't include SHA512.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2013-02-15 Thread Dominic Wollner via RT

Regards,
Dominic






rdp-test-CA.pem (attachment, binary data)
server.pem (attachment, binary data)


[openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2013-02-14 Thread Stephen Henson via RT
On Thu Feb 14 18:14:37 2013, woll...@igel.com wrote:
> Hi,
>
> there is a problem with certificate verification. Windows allows the
> generation of CA certificates which use RSA-SHA512 as the hash
> algorithm. But this hash algorithm is currently not supported by
> OpenSSL. Will this issue be fixed in future or is there a
> workaround for this?
>

SHA512 has been supported in OpenSSL for some time. What version are you using
and what verification error do you get?

If possible please include a sample certificate that fails with the command
line utilities.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
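
Steve asks for a reproduction with the command-line utilities; the script below is an added example, not code from the thread or from the OpenSSL project. It builds a throwaway CA and a server certificate that are both signed with sha512WithRSAEncryption and runs "openssl verify" against them; the file names, subjects and scratch directory are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the reported setup with
# the openssl command-line tool. A throwaway CA and a server certificate are
# both signed with sha512WithRSAEncryption, then checked with "openssl verify".
# File names and subjects are constructed; the thread's attachments are not used.
set -eu

# Scratch directory so nothing on the host is touched.
WORK="${WORK:-$(mktemp -d)}"

# Create the CA certificate and a server certificate it issues, both with
# RSA keys and SHA-512 signatures (-sha512 selects the signing digest).
make_sha512_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha512 \
        -subj "/CN=server.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha512 -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Print the signature algorithm a certificate carries, e.g.
# sha512WithRSAEncryption, which is the field the thread points at.
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm: //p' | head -n 1
}

# Verify the server certificate against the CA. The exit status is non-zero
# on any verification error; a bad signature shows up as "certificate
# signature failure", the CLI wording of X509_V_ERR_CERT_SIGNATURE_FAILURE.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem"
}

# Stand-alone run: build the chain, show the digest in use, then verify.
if [ "${1:-}" = "run" ]; then
    make_sha512_chain
    echo "CA signed with:     $(sig_alg "$WORK/ca.pem")"
    echo "server signed with: $(sig_alg "$WORK/server.pem")"
    verify_chain
fi
```

The openssl binary loads every digest itself, so a chain that verifies here but fails inside an application with X509_V_ERR_CERT_SIGNATURE_FAILURE points at the application's algorithm initialisation, which is where this thread ends up.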



[openssl.org #2991] Certificate verification with an RSA-SHA512 hash algorithm fails

2013-02-14 Thread Dominic Wollner via RT
Hi,

there is a problem with certificate verification. Windows allows the generation 
of CA certificates which use RSA-SHA512 as the hash algorithm. But this hash 
algorithm is currently not supported by OpenSSL. Will this issue be fixed in 
future or is there a workaround for this?

Regards,
Dominic

Dominic Wollner
Dipl.-Inf. (FH)
Development & Research Linux

IGEL Technology - The world's most advanced thin clients
Many Functions. One Device. ®
IGEL Technology GmbH
Annastr. 11
86150 Augsburg, Germany

Email:   woll...@igel.com 
Phone:  +49 (0)821 34 32 08 - 233
Fax:  +49 (0)821 34 32 08 - 9
www.igel.com  - www.igel.de 
IGEL Technology is a member of the Melchers group.
Managing Directors: Heiko Gloge, Nicolas C. S. Helms, Dirk Dördelmann, Andreas 
Schönduve
District Court Bremen (Germany) HRB 20636, VAT: DE 219524359
Confidentiality Note: The information contained in this transmission is legally 
privileged and confidential, intended only for the use of the individual or 
entity named above. If the reader of this message is not the intended 
recipient, you are hereby notified that any dissemination, distribution, or 
copying of this communication is strictly prohibited. If you receive this 
communication in error, please notify us immediately by telephone call to +49 
(0)821 34 32 08 - 233 and delete the message. Thank you!
P Please consider the environment before printing this email or its 
attachments. Many thanks...

