Re: OpenSSL command line HMAC
Hi all!

* Dave Thompson wrote on Fri, Feb 06, 2009 at 20:59 -0500:
> > Adding the quotes didn't work because, if I understand things correctly, the notion of quotes (or escaping characters with \) is a shell concept - hence my attempt to force the command to run under a shell.
>
> Those are shell concepts, yes.

The parameter was wanted to be passed as it is and to be able to quote a shell was used? I think, quoting is to avoid that a shell interprets parameters, so I think in best case ending up with passing as it is (i.e. not evaluating).

Also splitting parameters at word boundaries is a shell concept. That's why Java's Runtime.exec() has a `String[] cmdarray'. I guess cmdarray[0] is the command binary, cmdarray[1] the argv[0] and cmdarray[2] the first parameter (fortunately the Javadoc[1] does take the fun letting the developers guess, but it states that exec() executes, cmdarray is the command and envp the environment, who had guessed that! SCNR).

So for passing arguments as it is a shell is not suited.

> Shell is designed to be convenient for normal (interactive) cases, at the cost of confusion and obscurity in weird cases.

[I wouldn't call it `interactive or confusing', there are a lot of useful shell scripts also :-)]

oki,

Steffen

[1] http://java.sun.com/j2se/1.5.0/docs/api/java/lang/Runtime.html#exec(java.lang.String[],%20java.lang.String[])
RE: OpenSSL command line HMAC
-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 07 February 2009 01:59
To: openssl-users@openssl.org
Subject: RE: OpenSSL command line HMAC

> > Without the quotes, if my hmac key contains a space or tab character, it seems that somewhere along the way, the two halves of the key are treated as separate parameters. So, if my key was £$% £$%*, attempting to execute the command simply results in OpenSSL giving a £$%* not found error.
>
> Are those pounds in 8859-1, as posted? I don't use any non-US charsets here and so can't easily test that, but with $% $%* (minus quotes) it (still) works for me. (I previously lazily tested on my local Windows instead of Linux, but this time to be certain I used a convenient Linux box, which actually has an older jre, 1.5.0_06-b05.)

Sorry - those were intended to be indicative of non-printable characters. The actual key is a string of bytes, effectively chosen at random (i.e. in the range 0x00-0xff).

snip

> > Incidentally, the simple approach (simply passing the key as a parameter, regardless of its content) worked flawlessly under Windows (using non-FIPS OpenSSL).
>
> That makes me really suspicious. I wonder if it might be an issue with high-half signed characters somewhere, or Unicode encoding, or such. Could you try passing the desired arguments to instead a simple program that just shows you exactly what it's getting, something like:
> [snip]

Yes, I think you've hit the nail on the head there. One of the problems seems to lie in the byte[] -> String conversion. In some test code I have a block like this:

    byte[] key = {... 32 bytes ...};
    String keyString = new String(key);   // decodes with the platform default charset
    System.out.println(key.length);
    System.out.println(keyString.length());

Under Windows, for my test key, key.length and keyString.length are both 32. Under Linux, the former is 32, but the latter is 29.

I can (try to) force the same encoding:

    String keyString = new String(key, "Cp1252");

Now the lengths match, but the resulting hash differs between Linux and Windows (and from the test data I'm using, I know that the Windows hash is correct).

If the key contains a zero-byte, then the command fails under both Linux and Windows.

Ultimately, I've opted for Steffen's suggestion, with the Java code generating an escaped character sequence and passing this to a bash script. As far as I can determine, there's no way of forcing Java to produce a String which contains exactly the desired set of bytes.

Thanks to everyone for the suggestions.

Alistair.
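The byte[] to String problem reported in the message above, as an added example that is not part of the original thread: it shows which charsets lose key bytes on a round trip, and keeps the key as bytes by computing the HMAC inside the JVM and by hex-encoding the key for anything that must cross a process boundary. The class name, the constructed key and message, and the choice of HMAC-SHA256 are assumptions; the thread does not say which digest was used.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacKeyBytes {

    // Lower-case hex: pure ASCII, so it survives any String or argv conversion.
    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // True if byte[] -> String -> byte[] in this charset gives back the same bytes.
    static boolean roundTrips(byte[] key, Charset cs) {
        return Arrays.equals(key, new String(key, cs).getBytes(cs));
    }

    // HMAC computed inside the JVM; the key stays a byte[] from start to finish.
    // HMAC-SHA256 is an assumption made for this example.
    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 32-byte key: 0x00, 0x08, ... 0xf8, so it contains a
        // zero byte and bytes >= 0x80 that are not valid UTF-8 on their own.
        byte[] key = new byte[32];
        for (int i = 0; i < key.length; i++) {
            key[i] = (byte) (i * 8);
        }
        byte[] message = "constructed test message".getBytes(StandardCharsets.US_ASCII);

        System.out.println("key.length               = " + key.length);
        System.out.println("default charset          = " + Charset.defaultCharset());
        System.out.println("new String(key).length() = " + new String(key).length());
        for (Charset cs : new Charset[] {Charset.defaultCharset(),
                StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1}) {
            System.out.println("round trip via " + cs + ": " + roundTrips(key, cs));
        }
        // Even a charset that round-trips inside the JVM does not help with the
        // zero byte: an argv element is a C string and ends at the first 0x00.
        System.out.println("hex key = " + hex(key));
        System.out.println("HMAC    = " + hex(hmacSha256(key, message)));
    }
}
```

OpenSSL builds whose `dgst` command supports `-mac HMAC -macopt hexkey:<hex>` accept the key in this hex form; command-line arguments can be visible to other local users in the process list, so the in-process computation avoids exposing the key at all.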
s_client and Active Directory (ADAM)
Hi,

I'm having difficulties using s_client against some servers running ADAM on Windows 2003 servers. This is my problem:

    [and...@lon ~]$ openssl s_client -connect some_host_name:port_number
    CONNECTED(0003)
    depth=1 ...
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    21580:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Ignore the fact that I'm not pointing to a file with the certificates. The problem is that this works (handshake succeeds) if I'm adding -debug, ssl2 or -pause as an option to openssl s_client.

This problem seems similar to this previous post on this list:
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/83c19e424f3b2571/896874b0e02b9fff?lnk=gstq=active+directory#896874b0e02b9fff

This doesn't seem to be a problem if I'm using GnuTLS.

Anyone with some kind of information about this problem? Might be that this is a bug in Windows 2003/ADAM that is solved with some patch that the owners of these servers haven't installed yet, but I'm having a hard time finding any information about this.

- Anders

--
Anders Lund
UNINETT, N-7465 Trondheim, Norway
Re: s_client and Active Directory (ADAM)
Hi again,

I've finally found a solution for this problem. This is related to certificates of more than 1024 bits, and this hotfix solves the problem:
http://support.microsoft.com/kb/955610/no

- Anders

On Mon, 2009-02-09 at 11:44 +0100, Anders Lund wrote:
> Hi,
>
> I'm having difficulties using s_client against some servers running ADAM on Windows 2003 servers. This is my problem:
>
>     [and...@lon ~]$ openssl s_client -connect some_host_name:port_number
>     CONNECTED(0003)
>     depth=1 ...
>     verify error:num=20:unable to get local issuer certificate
>     verify return:0
>     21580:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>
> Ignore the fact that I'm not pointing to a file with the certificates. The problem is that this works (handshake succeeds) if I'm adding -debug, ssl2 or -pause as an option to openssl s_client.
>
> This problem seems similar to this previous post on this list:
> http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/83c19e424f3b2571/896874b0e02b9fff?lnk=gstq=active+directory#896874b0e02b9fff
>
> This doesn't seem to be a problem if I'm using GnuTLS.
>
> Anyone with some kind of information about this problem? Might be that this is a bug in Windows 2003/ADAM that is solved with some patch that the owners of these servers haven't installed yet, but I'm having a hard time finding any information about this.
>
> - Anders

--
Anders Lund
UNINETT, N-7465 Trondheim, Norway
Re: s_client and Active Directory (ADAM)
On Mon, 2009-02-09 at 15:10 +0100, Anders Lund wrote:
> Hi again,
>
> I've finally found a solution for this problem. This is related to certificates of more than 1024 bits, and this hotfix solves the problem:
> http://support.microsoft.com/kb/955610/no

I wrote bits, but I see now that the hotfix is related to certificates larger than 1024 _bytes_. I'm no cert expert, and the reason I wrote bits was that when running s_client I just looked at the line saying:

    Server public key is 2048 bit

Anyhow. This fix solved my problem, and I've been looking for this solution for some time now, so I'm happy. :-)

- Anders

--
Anders Lund
UNINETT, N-7465 Trondheim, Norway
Re: ECC
On Sat, 2009-02-07 at 21:57 +0100, Z wrote:
> OpenSSL can encrypt with ECC?

no. Not directly, at least.

OpenSSL has support for ECC, but only ECDSA (signature scheme) and ECDH (key agreement protocol) are implemented. You should implement ECIES or ECElGamal or whatever you like for encryption.

> Any example?

for ECC, check apps/ec*

bye!

--
Emanuele Cesena emanuele.ces...@gmail.com
http://ecesena.dyndns.org
The body has no ideals
Re: [OT] PermitRootLogin is Missing in /etc/ssh_config
Hi all,

* Charles Darwin wrote on Sun, Feb 08, 2009 at 09:27 -0500:
> Any idea?

(This is off topic here)

Shouldn't it be in /etc/sshd_config (or /etc/ssh/sshd_config)? And if missing there, why not simply add it?!

oki,

Steffen

ps.: is this your real name or is it because of the `Darwin Year 2009'?
Re: Configure command line options
Thanks, Victor! This was really helpful! This should be put in the FAQ. I'm sure I'm not the only one who was wondering how to use this.

-John

Victor Duchovni wrote:
> On Sun, Feb 08, 2009 at 09:06:23PM -0500, John Center wrote:
> > Hi,
> >
> > I'm trying to understand the Configure command line options. How does one use the last option listed:
> >
> >     os/compiler[:flags]
> >
> > I see something similar in the Configure script itself:
> >
> >     #config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
> >
> > Is this what it's referring to? Should I be able to pass the various flags listed? If I wanted to change just the $shared_ldflag, how would I do this?
>
> Here's an example:
>
>     export OPTIONS="no-zlib no-idea threads shared"
>     export OSTYPE="linux-x86_64"
>     export LDFLAGS="..."
>
>     # Take the TABLE entry for $OSTYPE, append $LDFLAGS to its $lflags,
>     # then join the values into one colon-separated option spec.
>     SYSTEM_OPTIONS=$(
>         ./Configure TABLE |
>         perl -ne '
>             BEGIN {$/="\n\n"}
>             chomp;
>             print "$_\n" if (s/\A\*\*\* ($ENV{OSTYPE})/\$platform = $1/);
>         ' |
>         perl -pe 's{^(\$lflags\s*=\s*.*)}{$1 $ENV{LDFLAGS}};' |
>         perl -pe 's{^[^=]*=[^\S\n]*}{}; s/\$/\\\$/g; s/\n/:/ unless eof();'
>     )
>
>     ./Configure $OPTIONS "$SYSTEM_OPTIONS"
>
> Season to taste. The idea is to parse the output of ./Configure TABLE and construct the appropriate modified option spec.
Re: PermitRootLogin is Missing in /etc/ssh_config
On 8-Feb-09, at 5:18 PM, Kyle Hamilton wrote:
> This is *so* not an OpenSSL question. This is not the right place to ask it.
>
> Root as an account is disabled by default on OSX. You need to create an administrator account, log into it, and then sudo whatever it is you're trying to do.
>
> -Kyle H

Got my answer somewhere else. For someone with the same problem; it's rather /etc/sshd_config

sshd_ not ssh_

Thanks anyways
are there any restrictions on the openssl passphrase?
hi team,

I ran the following command:

    openssl rsa -in rsakey -des3 -out rsakey.pub

It prompts me with the passphrase input. I wanna know if there are any restrictions on the passphrase? I checked the code, but didn't find any restrictions.

thanks.

2009-02-10
opensslmaillist
Re: are there any restrictions on the openssl passphrase?
I think at least four characters
About OpenSSL 0.9.8d to 0.9.8h Upgrade
Hello,

We are planning for upgrading the OpenSSL libraries which are used in our application. Currently we are using OpenSSL version 0.9.8d and now we are planning for an upgrade.

What would you suggest us to upgrade to, 0.9.8h or 0.9.8j? Will that be backward compatible? Will that support all the platforms which were supported by version 0.9.8d?

Please guide us regarding the same.

Thanks Regards,
Chidambar Kulkarni
Re: About OpenSSL 0.9.8d to 0.9.8h Upgrade
Chidambar Kulkarni1 wrote:
> Hello,
>
> We are planning for upgrading the OpenSSL libraries which are used in our application. Currently we are using OpenSSL version 0.9.8d and now we are planning for a upgrade.
>
> What would you suggest us to upgrade to 0.9.8h or 0.9.8j? Will that be backward compatible? Will that supports all the platforms which was supported by version 0.9.8d?
>
> Please guide us regarding the same.
>
> Thanks Regards,
> Chidambar Kulkarni

Unless you are doing funky stuff with OpenSSL (i.e. modifying struct values directly), the 0.9.8 series is binary compatible with itself. That is, there should be no problems with upgrading. In fact, you should be staying with the absolute latest release at all times. A number of critical security and bug fixes have taken place since 0.9.8d. OpenSSL is a security product. It is imperative you stay up to date.

--
Thomas Hruska
Shining Light Productions
Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/