Re: DTLS server implementation experiences and documentation
On Jan 26, 2009, at 5:24 PM, Daniel Mentz wrote:

> I'm surprised that you can use accept() on UDP sockets. I checked the man pages of a Debian GNU/Linux system. They say that you can use accept() only with connection-based socket types (SOCK_STREAM, SOCK_SEQPACKET). Is this something specific to FreeBSD? Could you please provide me with more information? Maybe you could make your source code available.

Hi Daniel,

sorry for causing confusion, of course you can't use accept() with UDP. You have to create a new socket, use bind() to assign it to a specific connection and create another socket. Everything else is like handling TCP connections. Unfortunately it was too long ago that I wrote the code, so I didn't have all of it in mind anymore. Probably you can use connected UDP sockets with Linux, but I'm not sure. I'm working with FreeBSD and Mac OS X, which support them.

Sample UDP server code:

    while (1) {
        memset((void *) &client_addr, 0, sizeof(client_addr));

        /* One new UDP socket per expected connection, bound to the server address */
        accfd = (int *) malloc(sizeof(int));
        *accfd = socket(AF_INET, SOCK_DGRAM, 0);
        setsockopt(*accfd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
        bind(*accfd, (const struct sockaddr *) &server_addr, sizeof(server_addr));

        /* Wrap the socket in a datagram BIO and wait for a DTLS handshake on it */
        bio = BIO_new_dgram(*accfd, BIO_NOCLOSE);
        ssl = SSL_new(ctx);
        SSL_set_bio(ssl, bio, bio);
        SSL_accept(ssl);

        /* Hand the established connection to its own thread */
        info = (struct pass_info *) malloc(sizeof(struct pass_info));
        info->fd = *accfd;
        info->client_addr = client_addr;
        info->ssl = ssl;
        rc = pthread_create(&tid, NULL, connection_handle, info);
        if (rc != 0) {
            perror("pthread_create");
            exit(1);
        }
    }

Regards,
Robin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
What is the proper syntax to generate a certificate request.
Hello list,

I am trying to import a .der server cert into my Fedora directory services certificate store. I used the openssl utility to create the csr below.

    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key c00lsldap.key -out server.csr

I am using certutil to import the cert.

    certutil -A -d . -n server-cert -t u,u,u -i /tmp/server.der

The cert does import, but the cert shows as having a broken chain. It also shows as being a CA cert when it is supposed to be a regular server certificate for ssl communications. And, it shows as having no Certificate Trust Flags. It should have

    Certificate Trust Flags:
        SSL Flags: User
        Email Flags: User
        Object Signing Flags: User

Is there something I am doing wrong? Did I generate the csr wrong? I thought surely it was the CA that decides the trust flags.

Any help is appreciated.

Thank you
James
Problems with csr and importing certs.
Hello list,

I am trying to import a .der server cert into my Fedora directory services certificate store. I used the openssl utility to create the csr below.

    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr

I am using certutil to import the cert.

    certutil -A -d . -n server-cert -t u,u,u -i /tmp/server.der

The cert does import, but the cert shows as having a broken chain. It also shows as being a CA cert when it is supposed to be a regular server certificate for ssl communications. And, it shows as having no Certificate Trust Flags. It should have

    Certificate Trust Flags:
        SSL Flags: User
        Email Flags: User
        Object Signing Flags: User

Is there something I am doing wrong? Did I generate the csr wrong? I thought surely it was the CA that decides the trust flags.

Any help is appreciated.

Thank you
James
Re: revoking a self-signed certificate
There is currently no automated protocol for doing this. There is currently an effort at PKIX for a Trust Anchor Management Protocol, though, which would allow for tools to be made cross-platform.

Also, self-signed CAs are basically never checked for expiration. (The 'trust anchor' is technically the public key, not the identity information strongly bound to the public key in the certificate.)

-Kyle H

On Mon, Jan 26, 2009 at 9:28 PM, PS mytechl...@gmail.com wrote:

> Can you please elaborate on how would the higher-layer security infrastructure go about this? To me, it just seems impossible to do this and the issue might only be mitigated by spreading awareness by an out-of-band means but not eliminated until, of course, the self-signed CA certificate expires.
Re: openssl-fips 1.2 questions
Michal Trojnara wrote:

> Steve Marquess marqu...@oss-institute.org wrote:
> Stunnel has official FIPS mode support. I'm working on some fixes to cleanly compile stunnel with openssl-fips 1.2. Unfortunately it looks like fipsld is no longer installed during the openssl-fips installation process. Can you confirm it? Is there a recommended way to find fipsld in ./configure script?

You are correct, the fipsld utility is not installed by either openssl-fips-1.2 or openssl-0.9.8j. I've checked with Dr. Steve Henson and he will be adding that to the next 0.9.8 release.

Since the FIPS compatible openssl-fips-1.2+openssl-0.9.8j generates a shared library containing the FIPS object module, most applications will want to reference that shared library; fipsld is only needed for static linking.

In the meantime fipsld can be copied from either of the openssl-fips-1.2 or openssl-0.9.8j build trees to the installed directory with the other FIPS module components (default /usr/local/ssl/fips-1.0/).

-Steve M.

--
Steve Marquess
Open Source Software institute
marqu...@oss-institute.org
openssl decrypt
Hello,

I'm new to using openssl and I have a question on decrypting files from command line. Let's suppose that we encrypt file a.txt with key: mykey and save the encrypted in a.enc. What I want is if users decrypt it with a wrong key not to be notified that their password is wrong but instead to have a wrong decrypted file.

So the main question is: How do we force openssl to decrypt with wrong passwords and obtain a file?

I know the file will not be working but the user doesn't know what it contained.
Re: openssl decrypt
On Wed, Jan 28, 2009 at 12:07:25AM +0200, faust cep wrote:

> I'm new to using openssl and I have a question on decrypting files from command line. Let's suppose that we encrypt file a.txt with key: mykey and save the encrypted in a.enc. What I want is if users decrypt it with a wrong key not to be notified that their password is wrong but instead to have a wrong decrypted file.

Incorrect keys for CBC mode encrypted octet-aligned data will with high probability of decrypting to incorrectly padded, or non-octet aligned data.

> So the main question is: How do we force openssl to decrypt with wrong passwords and obtain a file?

You may not know that OpenSSL enc(1) uses PBKDF2 to derive keys from user supplied passwords and brute-force attacks are made computationally expensive by requiring 2000 SHA-1 HMAC computations per candidate key. Are you sure you need this? How likely are users to be fooled by false decrypts anyway? In any file that is not noise, failure to detect the right structure or statistics gives away the false key.

This said, if you use a cipher that does not require padding (e.g. rc4, or aes-128-cfb8), wrong passwords won't be detected by the decryption layer.

> I know the file will not be working but the user doesn't know what it contained.

This seems silly. They also won't know what it contained when the decryption fails.

--
Viktor.
Re: openssl decrypt
On Tue, Jan 27, 2009 at 06:18:08PM -0500, Victor Duchovni wrote:

> On Wed, Jan 28, 2009 at 12:07:25AM +0200, faust cep wrote:
>
> > I'm new to using openssl and I have a question on decrypting files from command line. Let's suppose that we encrypt file a.txt with key: mykey and save the encrypted in a.enc. What I want is if users decrypt it with a wrong key not to be notified that their password is wrong but instead to have a wrong decrypted file.
>
> Incorrect keys for CBC mode encrypted octet-aligned data will with high probability of decrypting to incorrectly padded, or non-octet aligned data.

s/of decrypting/decrypt/

You can also use -nopad with standard ciphers, but only if your data is block-aligned, and it is not clear why this is useful. Note, with padding you still have a slightly greater than 1:256 odds of getting a false positive.

--
Viktor.
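The behaviour described in the two replies above, as an added example that is not part of the original posts: it encrypts a block-aligned file once per mode and counts how many wrong passwords `openssl enc -d` accepts. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`); the plaintext, the passwords and the helper name `try_wrong` are constructed for the illustration.

```shell
#!/bin/sh
# Added example: how often does `openssl enc -d` accept a wrong password?
# Assumption: OpenSSL 1.1.1+ is on PATH. All data below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 32 bytes, so the file is block-aligned for AES (needed for the -nopad case).
printf '%s' '0123456789abcdef0123456789abcdef' > "$WORK/a.txt"

# try_wrong CIPHER [extra enc flags]
# Encrypts a.txt with password "mykey", then decrypts with 40 different wrong
# passwords. Prints "<accepted> <rejected>" based on the exit status of enc.
try_wrong() {
    cipher=$1; shift
    openssl enc "-$cipher" -pbkdf2 -salt "$@" -pass pass:mykey \
        -in "$WORK/a.txt" -out "$WORK/a.enc" 2>/dev/null || return 1
    ok=0; bad=0; i=0
    while [ "$i" -lt 40 ]; do
        if openssl enc -d "-$cipher" -pbkdf2 "$@" -pass "pass:wrong$i" \
               -in "$WORK/a.enc" -out "$WORK/a.dec" 2>/dev/null; then
            ok=$((ok + 1))      # decryption layer raised no error
        else
            bad=$((bad + 1))    # "bad decrypt": padding check failed
        fi
        i=$((i + 1))
    done
    echo "$ok $bad"
}

# CBC with padding rejects nearly every wrong password (about 1 in 256 slips
# through); cfb8 and CBC with -nopad have no padding to check and accept all.
for spec in "aes-128-cbc" "aes-128-cfb8" "aes-128-cbc -nopad"; do
    # $spec is intentionally unquoted so "-nopad" becomes a separate argument
    printf '%-20s accepted/rejected: %s\n' "$spec" "$(try_wrong $spec)"
done
```

An accepted decrypt is therefore not evidence of the right password or of intact data; the padding check is only an incidental error signal.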
Re: One certificate for both hostname and IP
On 27 Jan 09, at 06:01, Crypto Sal wrote:

> settings and things should be alright and you'll see if browsers choke too or it's M$ products. I would also try Thunderbird and other email clients on the email server side of things.

Indeed, I now tried with Thunderbird and it happily accepts both hostname and IP. My problem is that I cannot avoid the use of Outlook and OE by users. But maybe this is the proof that what I need cannot be done, because M$ mail clients do not support subjectAltName? Can this really be true? I thought SSL support was nowadays (sort of) standardized... sigh.

> > > Can you do an s_client and dump the cert to OpenSSL's x509 and read the cert? Do the SubjectAltNames appear in the X509v3 Subject Alternative Name section when doing so?
> >
> > How can I dump the certificate using s_client? I can't see anything about this in its man page.
>
> openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout. Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you can read the text output of the certificate instead of its hashed value

Oh yes, I often used the second one, and yes, the subjectAltName value always appears in the right place.

> Usually Outlook will display a box with a series of checks and red X's. I am pretty sure it has three areas and in most cases it is the last one that it fails on. I wish I had a screenshot for you. I just saw one the other day too.

No checks or X's here. Here is the warning I get from Outlook 2007 (Italian): http://www.mdv.eu/temp/outlook_ssl.png

Translating literally, it just tells that the main destination name is wrong.

--
Ciao, Marco.
Passing parameters to openssl for CSR
Hi guys,

I'm wondering if it's possible to pass parameters to openssl when creating a CSR, specifically the country name, state name, locality name, organization name, common name etc?

The reason being, I ideally would like to automate the process of creating a CSR and have it not require user input (other variables would be passed to it by default from an outside source).

Something like...

    openssl req -days 3650 -nodes -new -keyout user.key -out user.csr -config -countryname SE -commonname user ...

Any help would be appreciated,

Thanks.
RE: Passing parameters to openssl for CSR
the req man page mentions:

    -subj arg
        sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.

> Date: Wed, 28 Jan 2009 01:57:54 +
> From: jagintesven...@googlemail.com
> To: openssl-users@openssl.org
> Subject: Passing parameters to openssl for CSR
>
> Hi guys,
>
> I'm wondering if it's possible to pass parameters to openssl when creating a CSR, specifically the country name, state name, locality name, organization name, common name etc?
>
> The reason being, I ideally would like to automate the process of creating a CSR and have it not require user input (other variables would be passed to it by default from an outside source).
>
> Something like...
>
>     openssl req -days 3650 -nodes -new -keyout user.key -out user.csr -config -countryname SE -commonname user ...
>
> Any help would be appreciated,
>
> Thanks.
Re: Passing parameters to openssl for CSR
On Wed, Jan 28, 2009 at 02:37:38AM +, Giang Nguyen wrote:

> the req man page mentions:
>
>     -subj arg
>         sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as /type0=value0/type1=value1/type2=..., characters may be escaped by \ (backslash), no spaces are skipped.

It is better IMHO to use -config and specify fixed parameters in a custom .cnf file. One gets control over all the settings that way.

--
Viktor.
Re: Passing parameters to openssl for CSR
On 01/27/2009 08:57 PM, Thor wrote:

> Hi guys,
>
> I'm wondering if it's possible to pass parameters to openssl when creating a CSR, specifically the country name, state name, locality name, organization name, common name etc?
>
> The reason being, I ideally would like to automate the process of creating a CSR and have it not require user input (other variables would be passed to it by default from an outside source).
>
> Something like...
>
>     openssl req -days 3650 -nodes -new -keyout user.key -out user.csr -config -countryname SE -commonname user ...
>
> Any help would be appreciated,
>
> Thanks.

Thor,

Have you checked out the man pages for the req program? It seems you'd want the -subj flag.

http://www.openssl.org/docs/apps/req.html

Here's a sample generation:

    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"

Hope this helps
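The two approaches suggested in this thread (`-subj` on the command line, and fixed values in a file passed with `-config`), as an added example that is not part of the original posts. The config variant also requests a subjectAltName holding both a DNS name and an IP address, the case from the "One certificate for both hostname and IP" thread above. Subject values, host name, the documentation-range IP address, file paths and function names are all constructed.

```shell
#!/bin/sh
# Added example: two non-interactive ways to create a CSR with openssl req.
# All names, addresses and paths below are constructed placeholders.

OUT=$(mktemp -d)              # mktemp -d creates the directory with mode 0700,
trap 'rm -rf "$OUT"' EXIT     # so the unencrypted keys are not world-readable

# Variant 1: the whole subject on the command line with -subj.
csr_with_subj() {
    openssl req -new -newkey rsa:2048 -nodes -batch \
        -keyout "$OUT/subj.key" -out "$OUT/subj.csr" \
        -subj "/C=SE/O=Example AB/CN=user" 2>/dev/null
}

# Variant 2: every setting fixed in a custom file passed with -config.
# prompt = no makes req take the [ dn ] values as-is instead of asking.
csr_with_config() {
    cat > "$OUT/req.cnf" <<'EOF'
[ req ]
prompt             = no
default_bits       = 2048
default_md         = sha256
encrypt_key        = no
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = SE
O  = Example AB
CN = mail.example.com

[ ext ]
subjectAltName = DNS:mail.example.com, IP:192.0.2.10
EOF
    openssl req -new -config "$OUT/req.cnf" \
        -keyout "$OUT/cnf.key" -out "$OUT/cnf.csr" 2>/dev/null
}

# Print the parsed request so it can be checked before it is sent to a CA.
show_csr() {
    openssl req -in "$1" -noout -text 2>/dev/null
}

csr_with_subj   && show_csr "$OUT/subj.csr" | grep 'Subject:'
csr_with_config && show_csr "$OUT/cnf.csr"  | grep -E 'Subject:|DNS:'
```

Whether requested extensions end up in the issued certificate is the CA's decision, so the issued certificate should be inspected as well with `openssl x509 -text -noout`.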
How to verify server signature using openssl API
Dear all,

I want to verify server certificate signature. So please tell me how to verify server certificate signature using Openssl API. What API do I need to use for signature verification?

Thank you.

Regards,
--Ajeet Kumar Singh
Fips Capable Openssl 9.8 J fails for xlc_r compiler
Hi All, I am facing problem when i am trying to build shared library of fips capable openssl 9.8J. I am using aix-xlc_r to build openssl 9.8j and whenever i try to run and aix-cc compiler for opensslfips 1.2 (I was able to build static library with no-shared option ) sh testfipsssl test SSL protocol test ssl3 is forbidden in FIPS mode 508008:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238: test ssl2 is forbidden in FIPS mode 508010:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238: test tls1 508012:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:fips.c:238: make: The error code from the last command is 1. but when i creating static library it was successfully working . I have applied following patches for creating shared library with respect xlc_r compiler --- Makefile.shared.aix 2006-05-20 08:51:09.0 + +++ Makefile.shared 2007-03-15 20:51:06.0 + @@ -67,8 +67,8 @@ #-- # The rest is private to this makefile. -SET_X=: -#SET_X=set -x +#SET_X=: +SET_X=set -x top: echo Trying to use this makefile interactively? Don't. @@ -101,7 +101,7 @@ LIBDEPS=$${LIBDEPS:-$(LIBDEPS)}; \ SHAREDCMD=$${SHAREDCMD:-$(CC)}; \ SHAREDFLAGS=$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}; \ -nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' lib$(LIBNAME).exp; \ +/usr/bin/nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' lib$(LIBNAME).exp; \ LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' /dev/null 21; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \ LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ @@ -109,7 +109,7 @@ -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ ) $(SYMLINK_SO); \ - ( $(SET_X); rm -f lib$(LIBNAME).exp ) + ( $(SET_X) ) SYMLINK_SO=\ if [ -n $$INHIBIT_SYMLINKS ]; then :; else \ 
@@ -139,7 +139,7 @@ LINK_SO_A_UNPACKED=\ UNPACKDIR=link_tmp.; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \ - (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) \ + (cd $$UNPACKDIR; /usr/bin/ar x ../lib$(LIBNAME).a) \ ([ -z $(LIBEXTRAS) ] || cp $(LIBEXTRAS) $$UNPACKDIR) \ SHOBJECTS=$$UNPACKDIR/*.o; \ $(LINK_SO) rm -rf $$UNPACKDIR @@ -489,9 +489,10 @@ OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ - ALLSYMSFLAGS='-bnogc'; \ + ALLSYMSFLAGS=; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \ + SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -qmkshrobj -bE:lib$(LIBNAME).exp -blibpath:$(LIBRPATH):/usr/lib:/lib'; \ + LIBDEPS='$(LIBDEPS) -lm -lc'; \ $(LINK_SO_O); rm -rf lib$(LIBNAME).exp link_a.aix: @ $(CALC_VERSIONS); \ @@ -499,12 +500,14 @@ OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \ SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ - ALLSYMSFLAGS='-bnogc'; \ + ALLSYMSFLAGS=; \ NOALLSYMSFLAGS=''; \ - SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \ - $(LINK_SO_A_VIA_O) + SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -qmkshrobj -bE:lib$(LIBNAME).exp -blibpath:$(LIBRPATH):/usr/lib:/lib'; \ + LIBDEPS='$(LIBDEPS) -lm -lc'; \ + $(LINK_SO_A_UNPACKED) link_app.aix: - LDFLAGS=$(CFLAGS) -blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}; \ + LDFLAGS=$(CFLAGS) -blibpath:$(LIBRPATH):/usr/lib:/lib; \ + LIBDEPS='$(LIBDEPS) -lm -lc'; \ $(LINK_APP) link_o.reliantunix: Is there any thing extra patchs to be applied to make it workable with aix-xlc_r compiler . Please Help Thanks Joshi -- View this message in context: http://www.nabble.com/Fips-Capable-Openssl-9.8-J-fails-for-xlc_r-compiler-tp21700703p21700703.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
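Review bot: The hunk at @@ -67,8 +67,8 @@ flips the default to `SET_X=set -x`, which turns shell tracing on for every link rule and looks like leftover debugging. Keep `SET_X=:` in the patch and enable tracing for a single build by overriding the variable on the make command line instead.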
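Review bot: The hunk at @@ -101,7 +101,7 @@ hard-codes `/usr/bin/nm`, and the hunk at @@ -139,7 +139,7 @@ does the same with `/usr/bin/ar`, without saying which other nm or ar on PATH was being picked up or why it produced a wrong result. If the system tools are required for this toolchain, put the paths in overridable make variables with these values as defaults and document the reason, rather than editing the commands in place.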
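Review bot: In the hunk at @@ -109,7 +109,7 @@ the cleanup `rm -f lib$(LIBNAME).exp` is replaced by a bare `( $(SET_X) )`, a subshell that no longer does anything, so the export list is left behind after every LINK_SO. The link_o.aix rule still ends with `rm -rf lib$(LIBNAME).exp` but the rewritten link_a.aix rule does not, so the two targets now behave differently; either keep the original cleanup or state that the file is kept on purpose and remove the empty subshell.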
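Review bot: The hunk at @@ -489,9 +489,10 @@ drops `-bnogc` from ALLSYMSFLAGS and replaces `-G ... -bM:SRE` with `-qmkshrobj` plus a fixed `-blibpath:$(LIBRPATH):/usr/lib:/lib`, with no explanation of why each change is needed. `-bnogc` tells the AIX linker not to garbage-collect unreferenced symbols, so removing it can change what ends up in the shared library, and the failure reported with this patch is FIPS_CHECK_INCORE_FINGERPRINT "fingerprint does not match". Justify each flag change separately and test them one at a time against testfipsssl; also note that the file headers are dated 2006 and 2007 and name Makefile.shared.aix, so confirm the patch matches the Makefile.shared shipped with 0.9.8j.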
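Review bot: In the hunk at @@ -499,12 +500,14 @@ the link_app.aix rule replaces `$${LIBPATH:-/usr/lib:/lib}` with a fixed `/usr/lib:/lib`, which silently removes the builder's LIBPATH from the search path embedded in applications, and link_a.aix switches from `$(LINK_SO_A_VIA_O)` to `$(LINK_SO_A_UNPACKED)` without comment. If the intent is to keep build-environment directories out of the embedded library path, say so in the patch description; the change of link method alters how the archive members are fed to the linker and needs its own justification, since it is a candidate cause of the fingerprint mismatch reported above.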