Openssl s_client connection closes within few seconds

2012-07-07 Thread Sebastian Raymond
Hello,

I have set-up the apache2 on my linux machine. Everything worked fine
previously.

But now, when I try to use the openssl s_client command to connect to the
machine, the SSL handshake completes successfully. But within a few seconds
the connection closes automatically. When I used the -debug option, I
understood that the server sends alert messages and the connection closes.

When I try to connect to standard websites like www.google.com, the connection
does not close automatically.

What must be going wrong here?

Thank You!

-- 
Regards,
*Sebastian*


Linux Openssl, Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '

2012-07-07 Thread Giuseppe Barbieri
I am using OpenSSL for a cuda project.

I just imported all the project from win to linux (Eclipse)

I solved all the dependencies except this annoying error:

 Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '


for this line:

BN_set_word(two, 2);

and the function itself says in the bn.h

int BN_set_word(BIGNUM *a, BN_ULONG w);

Where BN_ULONG is defined as:

#define BN_ULONG unsigned long

Nor does it work if I do something like

unsigned long q = 2;
BN_set_word(two, q);

Because it returns

 Invalid arguments '
Candidates are:
int BN_set_word(bignum_st *, ?)
'

or

BN_ULONG q = 2;
BN_set_word(two, q);

that gives

Type 'BN_ULONG' could not be resolved

What is the problem?


Thanks in advance,
Giuseppe


Re: Linux Openssl, Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '

2012-07-07 Thread Jeffrey Walton
On Sat, Jul 7, 2012 at 9:14 AM, Giuseppe Barbieri elec...@gmail.com wrote:
 I am using OpenSSL for a cuda project.

 I just imported all the project from win to linux (Eclipse)

 I solved all the dependencies except this annoying error:

 Invalid arguments ' Candidates are: int BN_set_word(bignum_st *, ?) '


 for this line:

 BN_set_word(two, 2);

 and the function itself says in the bn.h

 int BN_set_word(BIGNUM *a, BN_ULONG w);

 Where BN_ULONG is defined as:

 #define BN_ULONG unsigned long

 Nor does it work if I do something like

 unsigned long q = 2;
 BN_set_word(two, q);

 Because it returns

 Invalid arguments '
 Candidates are:
 int BN_set_word(bignum_st *, ?)
 '

 or

 BN_ULONG q = 2;
 BN_set_word(two, q);

 that gives

Type 'BN_ULONG' could not be resolved

 What is the problem?
Try casting 2 to BN_ULONG. I think it's an int by C/C++ rules:

BN_set_word(two, (BN_ULONG)2);
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


openssl building under windows

2012-07-07 Thread Mameb Ibrahimov
Hi all. What could the gcc compiler error unrecognized option -mno-cygwin be
related to?
Hi all. What is the reason of gcc: error: unrecognized option -mno-cygwin  
while building openssl?

Building process:
 - run MSYS
 - configure shared zlib-dynamic mingw
 - make build_libs
 - Output: http://paste.kde.org/513674/62730134/ + error

openssl 0.9.8x
Windows 7 Pro SP1 x86
gcc 4.7.1 (MinGW-w64)

http://stackoverflow.com/questions/6034390/compiling-with-cython-and-mingw-produces-gcc-error-unrecognized-command-line-o
here we can see that this compiler option is deprecated in 4.7.0, but in the gcc
documentation I see this option as active and OK. After editing the specified
file the error didn't disappear. If I remove this option from the Makefile I get
many errors in the code while building. What's wrong?



Sign public key without having CSR or private key?

2012-07-07 Thread proper
Hello,

is it possible to sign a foreign SSL public key without having CSR/private key?

Background:
Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd
like to pin an SSL certificate from a website I have no control over. (Therefore
I have no access to the private key and consequently cannot create a CSR
either.) Pin the SSL cert by using a local self-signed CA.

Cheers,
proper

__
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.



Re: Sign public key without having CSR or private key?

2012-07-07 Thread Jeffrey Walton
On Sat, Jul 7, 2012 at 2:27 PM,  pro...@secure-mail.biz wrote:
 Hello,

 is it possible to sign a foreign SSL public key without having CSR/private 
 key?

 Background:
 Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd
 like to pin an SSL certificate from a website I have no control over.
 (Therefore I have no access to the private key and consequently cannot
 create a CSR either.) Pin the SSL cert by using a local self-signed CA.

Don't forget MD5 signatures and the nuances of Flame (chosen collision
attack, Microsoft's profile, and lack of key usage enforcement). Also,
other infrastructure problems, such as DNS, are remediated.

You pin a certificate by whitelisting expected server certificates
(possibly thumbprints). There's usually no need to sign another's key
or certificate (I've never done it that way, and never seen it done
that way).

Jeff


Re: Re: Sign public key without having CSR or private key?

2012-07-07 Thread proper
noloa...@gmail.com wrote:
 You pin a certificate by whitelisting expected server certificates
 (possibly thumbprints).

How to do that?

 There's usually no need to sign another's key
 or certificate (I've never done it that way, and never seen it done
 that way).

A little more background... Stories like the DigiNotar compromise [1] may
happen again, anytime. I am developing an anonymous operating system [2]. We
use wget to download Tor Browser from torproject.org and to access
check.torproject.org. (Not available over secure apt.) Wget does offer CA
pinning, but does not support certificate pinning [3].

So my original question was how do I get wget to verify the torproject.org
fingerprint [4] without depending on root CAs? The only possible solution I
saw was downloading the torproject.org SSL public key, running a local CA, signing
the certificate and running wget with the --ca-certificate switch. That's why I
posted the question "Sign public key without having CSR or private key?" here.

If there are any suggestions for this situation I am all ears.

[1] https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/
[3] https://lists.gnu.org/archive/html/bug-wget/2012-07/msg8.html
[4] https://www.torproject.org/docs/faq.html.en#SSLcertfingerprint



Re: Re: Sign public key without having CSR or private key?

2012-07-07 Thread Jeffrey Walton
On Sat, Jul 7, 2012 at 4:02 PM,  pro...@secure-mail.biz wrote:
 noloa...@gmail.com wrote:
 You pin a certificate by whitelisting expected server certificates
 (possibly thumbprints).

 How to do that?
My bad. You usually do it programmatically in an On Connect callback or
delegate. I don't have any OpenSSL code handy, but below is some
.Net/C# code. Cocoa/CocoaTouch and Objective C would do it in
NSURLConnection and the NSURLConnectionDelegate
(https://developer.apple.com/library/mac/#documentation/Foundation/Reference/NSURLConnectionDelegate_Protocol/Reference/Reference.html);
and you would do it in Android with HttpsURLConnection and
X509TrustManager
(http://stackoverflow.com/questions/11337726/android-httpsurlconnection-and-pinset-example).

using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PinningDemo
{
  public static void Main(string[] args)
  {
    // The callback runs during the TLS handshake of every request made through
    // ServicePointManager; a pin mismatch surfaces as a WebException from GetResponse().
    ServicePointManager.ServerCertificateValidationCallback = PinCertificate;

    // C1956DC8A7DFB2A5A56934DA09778E3A11023358
    // WebRequest wr = WebRequest.Create("https://www.google.com/");

    // 8FC079E814777F688BA4C807D9BD67D62AF71AEB
    WebRequest wr = WebRequest.Create("https://encrypted.google.com/");
    using (WebResponse response = wr.GetResponse())
    {
      Console.WriteLine("Pinned connection established to " + response.ResponseUri);
    }
  }

  public static bool PinCertificate(object sender, X509Certificate certificate,
    X509Chain chain, SslPolicyErrors sslPolicyErrors)
  {
    // No certificate or no chain: nothing to pin against, so reject.
    if (certificate == null)
      return false;

    if (chain == null)
      return false;

    // GetCertHash() is the SHA1 digest of the DER encoding, i.e. the thumbprint.
    byte[] cb = certificate.GetCertHash();
    StringBuilder sb = new StringBuilder(cb.Length * 2);
    foreach (byte b in cb)
      sb.AppendFormat("{0:X2}", b);

    // Verify against the known SHA1 thumbprint of the host requested above
    // (encrypted.google.com); any other certificate, valid or not, is refused.
    String hash = sb.ToString();
    if (hash != "8FC079E814777F688BA4C807D9BD67D62AF71AEB")
      return false;

    return true;
  }
}

 There's usually no need to sign another's key
 or certificate (I've never done it that way, and never seen it done
 that way).

 A little more background... Stories like the DigiNotar compromise [1] may
 happen again, anytime.
Yes, agreed. I have no love or trust for the public CA hierarchy, and
I am still pissed off about what happened to the folks in Iran who
were probably tortured and killed due to Diginotar's failure.

 I am developing an anonymous operating system [2]. We use wget to download 
 Tor Browser from torproject.org and to access check.torproject.org. (Not 
 available over secure apt.) Wget does offer ca pinning, but does not support 
 certificate pinning [3].
Unfortunately, I'm not familiar with wget (other than executing what I'm told).

 So my original question was how do I get wget to verify the torproject.org
 fingerprint [4] without depending on root CAs? The only possible solution I
 saw was downloading the torproject.org SSL public key, running a local CA, signing
 the certificate and running wget with the --ca-certificate switch. That's why I
 posted the question "Sign public key without having CSR or private key?" here.

 If there are any suggestions for this situation I am all ears.
Perhaps wget needs to be modified so that it allows you to supply
expected thumbprints of a server's certificate.

Jeff


Re: Re: Sign public key without having CSR or private key?

2012-07-07 Thread Jeffrey Walton
On Sat, Jul 7, 2012 at 4:02 PM,  pro...@secure-mail.biz wrote:
 noloa...@gmail.com wrote:
 You pin a certificate by whitelisting expected server certificates
 (possibly thumbprints).

 [SNIP]
 So my original question was how do I get wget to verify the torproject.org
 fingerprint [4] without depending on root CAs? The only possible solution
 I saw was downloading the torproject.org SSL public key, running a local CA,
 signing the certificate and running wget with the --ca-certificate switch. That's why
 I posted the question "Sign public key without having CSR or private key?".

 If there are any suggestions for this situation I am all ears.
Come to think of it, you could use OpenSSL's s_client to do the
pinning, and then use wget if everything is OK. It does set up a
small breeding ground for a TOCTOU
(http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf),
but I believe the risk is small.

Jeff


Re: Re: Re: Sign public key without having CSR or private key?

2012-07-07 Thread proper
noloa...@gmail.com wrote:
 On Sat, Jul 7, 2012 at 4:02 PM,  pro...@secure-mail.biz wrote:
  noloa...@gmail.com wrote:
  You pin a certificate by whitelisting expected server certificates
  (possibly thumbprints).
 
  [SNIP]
  So my original question was how do I get wget to verify the torproject.org
  fingerprint [4] without depending on root CAs? The only possible solution
  I saw was downloading the torproject.org SSL public key, running a local CA,
  signing the certificate and running wget with the --ca-certificate switch.
  That's why I posted the question "Sign public key without having CSR or
  private key?".
 
  If there are any suggestions for this situation I am all ears.
 Come to think of it, you could use OpenSSL's s_client to do the
 pinning, and then use wget if everything is OK. It does set up a
 small breeding ground for a TOCTOU
 (http://nob.cs.ucdavis.edu/bishop/papers/1996-compsys/racecond.pdf),
 but I believe the risk is small.

Since the implementation will be Open Source it would be possible for an adversary
to take advantage of TOCTOU, i.e. not tamper with s_client traffic but tamper
with wget traffic.

Cheers,
proper

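The thumbprint allowlist Jeff describes in his C# post, and the reason proper objects to the s_client-then-wget variant, can both be shown with one piece of code: pin on the same connection that carries the download, so there is no second connection to tamper with. The following is an added example written for this thread, not code from any of the posters, from wget or from OpenSSL; it uses only the Python standard library, the host name and pin values are whatever the caller supplies, and SAMPLE_DER is constructed demo bytes rather than a real certificate.

```python
# Added example (not code from the thread, wget or OpenSSL): certificate
# pinning by an allowlist of thumbprints, applied on the same TLS socket
# that will carry the request, so an s_client-then-wget TOCTOU cannot occur.
import base64
import hashlib
import hmac
import re
import socket
import ssl
from typing import Iterable, Optional

# Constructed stand-in for DER certificate bytes so the hashing and allowlist
# logic can be exercised offline. These are NOT a real X.509 certificate.
SAMPLE_DER = b"constructed-der-bytes-standing-in-for-a-certificate"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Upper-case hex digest of the DER encoding: the value the C# sample builds
    from GetCertHash() and {0:X2}. SHA-1 matches the thread's convention; pass
    "sha256" for a pin in a new deployment."""
    return hashlib.new(algo, der).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..' (openssl x509 -fingerprint style) or bare hex."""
    return fingerprint.replace(":", "").strip().upper()


def pin_certificate(der: Optional[bytes], expected: Iterable[str], algo: str = "sha1") -> bool:
    """Return True only if the presented certificate's thumbprint is allowlisted.

    Same shape as the C# callback: no certificate -> reject, thumbprint not in
    the allowlist -> reject. Comparison is constant-time per candidate.
    """
    if not der:
        return False
    presented = thumbprint(der, algo)
    return any(hmac.compare_digest(presented, normalize(e)) for e in expected)


def connect_pinned(host: str, expected: Iterable[str], port: int = 443,
                   algo: str = "sha1", timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and apply the pin before any application data is sent.

    Normal CA validation still runs (create_default_context); the pin is an
    extra allowlist on top of it. Because the check is made on the very socket
    that will carry the request, the server cannot show one certificate to a
    checker process and a different one to the downloader.
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not pin_certificate(der, expected, algo):
        seen = thumbprint(der or b"", algo)
        tls.close()
        raise ssl.SSLError("certificate thumbprint %s not in pin set" % seen)
    return tls


if __name__ == "__main__":
    pin = thumbprint(SAMPLE_DER)
    print("sample thumbprint:", pin)
    print("accepted with matching pin:", pin_certificate(SAMPLE_DER, [pin]))
    print("rejected with other pin:",
          pin_certificate(SAMPLE_DER, ["8FC079E814777F688BA4C807D9BD67D62AF71AEB"]))
```

A caller would do `tls = connect_pinned("example.invalid", ["<expected thumbprint>"])` and then write the HTTP request to `tls`; the pin and the data travel over the same handshake, which is what the separate s_client check cannot guarantee. Keep the expected next certificate in the pin set as well, so a planned rotation on the server does not lock the client out.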


Re: Sign public key without having CSR or private key?

2012-07-07 Thread Dr. Stephen Henson
On Sat, Jul 07, 2012, pro...@secure-mail.biz wrote:

 Hello,
 
 is it possible to sign a foreign SSL public key without having CSR/private 
 key?
 
 Background:
 Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd
 like to pin an SSL certificate from a website I have no control over.
 (Therefore I have no access to the private key and consequently cannot
 create a CSR either.) Pin the SSL cert by using a local self-signed CA.
 

I'm not sure if this will help but for testing purposes I needed to generate
some certificates using DH keys. Since you can't sign with DH you can't create
a CSR directly. I added an option -force_pubkey to the OpenSSL 'x509' utility
to do this. It is only in HEAD at present.

So what you do is create a CSR normally using any key, then when you sign it
to create a certificate you specify the foreign key using -force_pubkey.
There is an example of its use in demos/certs/mkcerts.sh

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

