Re: Size of DH Params
Thank you Dave!

Dave Thompson wrote:
> From: owner-openssl-us...@openssl.org On Behalf Of Dirk Menstermann
> Sent: Wednesday, 10 March, 2010 10:57
>
>> when I generate DH parameters with:
>>
>>     int bits = 1024;
>>     DH *params = DH_generate_parameters (bits, DH_GENERATOR_5, NULL, NULL);
>>
>> Can I then later read the value of the bits parameter from the DH struct?
>
> DH_size() gives you the number of BYTES for the modulus (and thus group elements like privpubkey values). If it was a multiple of 8 to start with, as it was in this example and usually is, bytes*8 = bits. If (possibly) not, BN_num_bits(dh->p) gives the exact bits.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Problems with SSL_shutdown() and non blocking socket
Victor Stinner wrote:
> I'm trying to fix a bug in Python which is specific to OpenSSL 0.9.8m. The problem is in a FTP test using a blocking socket (client) and a non blocking socket (server). There are different tests, some tests use a timeout of 2 seconds on the client socket.
>
> Pseudo-code of Python shutdown low-level function:
>
>     err = SSL_shutdown(self->ssl);
>     if (err == 0)
>         err = SSL_shutdown(self->ssl);
>     if (err < 0)
>         raise an exception
>     else
>         ok
>
> Using OpenSSL 0.9.8m, SSL_shutdown() returns sometimes -1 and SSL_get_error() gives SSL_ERROR_WANT_READ. If I understood correctly, I have to read some bytes from the sockets using SSL_read() to make OpenSSL happy. But how many bytes? And can I read directly bytes or should I ensure that bytes are available using select() (or anything else)?

The change in behavior was introduced by a patch I submitted to fix a long standing bug with SSL_shutdown() and the handling of non-blocking sockets. This did change the behavior since it never used to return -1/WANT_WRITE or -1/WANT_READ at all but internally mitigate them back to a zero value.

Please take a look at the following threads for background info on the bug:

http://marc.info/?t=11910906151r=1w=2
http://marc.info/?t=11924658681r=1w=2

Short answer
============

For all intents and purposes to convert older code not expecting to see these two error returns you simply check for them explicitly and follow the same execution path in your code as you do for a 0 return value from SSL_shutdown(). For any other kind of -1 error return you follow the execution path as you did before, for example your raise an exception.

However by not understanding what is going on fully you could get a hung connection in situations where you shouldn't (unless you implement an external timeout) if you don't SSL_read() to sink the application data that may exist in the stream ahead of the inbound end-of-stream notify.
To port older code try the following C code snippet (this code is also compatible with older versions of the OpenSSL library, so it doesn't matter if you add this snippet to your application but use an older version of OpenSSL at runtime):

    int rc = SSL_shutdown(ssl);
    /* BEGIN - INSERT THIS CODE AFTER EVERY SSL_shutdown() INVOCATION IN YOUR CODE */
    if(rc == -1) {
        /* SSL_get_error() takes the return value of the failed call */
        int ssl_errno = SSL_get_error(ssl, rc);
        /* a non-blocking retry request is handled like the old 0 return */
        if(ssl_errno == SSL_ERROR_WANT_READ || ssl_errno == SSL_ERROR_WANT_WRITE)
            rc = 0;
    }
    /* END - INSERT THIS CODE AFTER EVERY SSL_shutdown() INVOCATION IN YOUR CODE */

With this the observable behavior that you got before should be consistent. This doesn't necessarily mean your code is correctly doing a graceful SSL stream shutdown. For that you need to understand your application the context you use SSL etc... hence the long answer.

Long answer
===========

* SSL_read() is responsible for reading application data (i.e. the data that is encrypted for transport and then decrypted)
* Application payload data can only be received while the receiving half of the SSL stream is still open.
* The other end voluntarily controls whether the receiving half of the SSL stream is still open. Or to put another way the sending side controls when the end-of-stream notify is sent to securely close that half of the stream.

As opposed to dropping the TCP network connection and not being cryptographically secure stream shutdown; how do you know there wasn't some other piece of data the sending side sent but some attacker doesn't want you to receive it ? You securely need to know when the end-of-stream has been reached in order to be sure the stream has not been tampered with in any way.

So the first time you call SSL_shutdown() what you are in effect saying is, I have no more data to send to the other side, so I'm going to write the end-of-stream notify packet into the SSL stream so the other end knows this.
The next action is then for your side to finish processing all inbound application data. Now just because you decided you were not going to send any more data to the other end, this doesn't mean the far end has finished sending data to you. So between zero and an infinite amount of application data may still need to be received and removed from the stream via SSL_read(). It is possible for whatever reason the far end isn't sending any data now and is keeping the stream open but has nothing to send right at this moment. These situations are valid SSL protocol scenarios. Eventually the far end should finish sending and will then send its own end-of-stream notify packet for you to receive. Only once your end receives this notify packet does the OpenSSL API function SSL_shutdown() return a value of 1. You must also consider that due to buffering an inbound end-of-stream packet may not be processed while there is
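The shutdown sequence described in the long answer above, written out as a retry-and-drain loop. This is an added example, not code from the original post or from OpenSSL. The tls_ops callbacks, the E_* and CLOSE_* names and the scripted peer are hypothetical stand-ins so the loop runs without a network; in a real program the callbacks would wrap SSL_shutdown(), SSL_read(), SSL_get_error() and a select() call with a timeout.

```c
#include <stddef.h>
/* Stand-ins (assumed names) for the SSL_ERROR_* reasons this loop cares about. */
enum tls_err { E_WANT_READ, E_WANT_WRITE, E_ZERO_RETURN, E_FATAL };
enum result  { CLOSED_CLEAN, CLOSE_TIMEOUT, CLOSE_ERROR };
/* Hypothetical callbacks; real code would wrap SSL_shutdown(), SSL_read(),
 * SSL_get_error() and a select() with a timeout on the socket. */
struct tls_ops {
    int (*shutdown)(void *c);                 /* 1, 0 or -1 */
    int (*read)(void *c, char *buf, int len); /* > 0 means application bytes */
    enum tls_err (*error)(void *c);           /* why the last call returned <= 0 */
    int (*wait)(void *c, int for_write);      /* 1 = ready, 0 = timed out */
};

enum result graceful_shutdown(void *c, const struct tls_ops *io, size_t *discarded)
{
    char sink[4096];
    int rc = io->shutdown(c);                 /* send our end-of-stream notify */
    *discarded = 0;
    for (;;) {
        if (rc == 1) return CLOSED_CLEAN;     /* both notifies exchanged */
        if (rc < 0) {                         /* -1: retry later or give up */
            enum tls_err e = io->error(c);
            if (e != E_WANT_READ && e != E_WANT_WRITE) return CLOSE_ERROR;
            if (!io->wait(c, e == E_WANT_WRITE)) return CLOSE_TIMEOUT;
            rc = io->shutdown(c);
            continue;
        }
        /* rc == 0: our notify is out; sink what the peer is still sending */
        int n = io->read(c, sink, (int)sizeof sink);
        if (n > 0) { *discarded += (size_t)n; continue; }
        enum tls_err e = io->error(c);
        if (e == E_FATAL) return CLOSE_ERROR;
        if (e == E_ZERO_RETURN) {             /* the peer's notify arrived */
            if ((rc = io->shutdown(c)) == 0) return CLOSE_ERROR;
        } else if (!io->wait(c, e == E_WANT_WRITE)) {
            return CLOSE_TIMEOUT;             /* the external timeout */
        }
    }
}

/* Constructed peer: the first shutdown would block on write; the peer then
 * sends 300 bytes, pauses, sends 200 more, and finally its own notify. */
struct peer { int step, shut_calls, ready; enum tls_err last; };
static int p_shutdown(void *v) {
    struct peer *p = v;
    if (p->shut_calls++ > 0) return p->step >= 4;  /* 1 once the notify was read */
    p->last = E_WANT_WRITE;
    return -1;
}
static int p_read(void *v, char *buf, int len) {
    static const int script[4] = { 300, -1, 200, 0 };
    struct peer *p = v; (void)buf; (void)len;
    int ev = p->step < 4 ? script[p->step++] : 0;
    if (ev <= 0) p->last = ev ? E_WANT_READ : E_ZERO_RETURN;
    return ev;
}
static enum tls_err p_error(void *v) { return ((struct peer *)v)->last; }
static int p_wait(void *v, int w) { (void)w; return ((struct peer *)v)->ready; }
static const struct tls_ops peer_ops = { p_shutdown, p_read, p_error, p_wait };

int main(void) {
    struct peer p = { 0, 0, 1, E_FATAL }; size_t n;
    return graceful_shutdown(&p, &peer_ops, &n) != CLOSED_CLEAN;
}
```

Against the scripted peer the loop discards 500 bytes and needs three shutdown calls before it reports a clean close; with a wait callback that times out it stops instead of hanging.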
WG: OCSP response signature verification
Hi everyone,

we are currently trying to verify an ocsp response. The return is Response verify OK but we need to verify the signature algorithm of the response signature. We tried putting the response into a DER and parsing it. But still no information about the signature. There are signature algorithms printed, but those are the ones of the certificates. Or am I wrong? Is there a way to only print the signature of the response?

I've added the response for further information. Any help would be appreciated!

S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = D-Trust GmbH, CN = D-TRUST OCSP-03 2008:PN
    Produced At: Mar 12 09:58:31 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A611B199CA6EE1B1B8599953CBF428F8F8C94641
      Issuer Key Hash: F9CBC2D42788A9A1B050625E4DD2547D74731EBE
      Serial Number: 094D36
    Cert Status: good
    This Update: Mar 12 09:58:31 2010 GMT
        Response Single Extensions:
            1.3.36.8.3.12:
                ..20090715143639Z
            1.3.36.8.3.13:
                0!0...+...'.}O.L.j}..T.
    Response Extensions:
        OCSP Nonce:
            0410F987B6A59DB4116D1F60F436790C8C73
        OCSP Archive Cutoff:
            Mar 21 00:00:00 1975 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 515214 (0x7dc8e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Validity
            Not Before: Jul 25 08:25:06 2008 GMT
            Not After : Jul 24 08:25:06 2013 GMT
        Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST OCSP-03 2008:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:f9:ee:d4:f3:19:42:22:88:7b:cc:d4:9d:63:5b:
                    4b:7d:ed:ad:76:18:2d:90:76:d4:d3:46:b1:7a:fc:
                    [...]47:83:7a:39:40:7c:dd:45:92:a3:d8:3d:e4:4c:62:
                    c3:bd
                Exponent: 3017650581 (0xb3ddb195)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                OCSP Signing
            X509v3 Authority Key Identifier:
                keyid:67:E0:65:56:FC:7D:25:37:C5:BF:ED:78:88:2A:F0:FA:F2:47:C0:3A
            qcStatements:
                0.0..F..0..F.
            Authority Information Access:
                OCSP - URI:http://qual.ocsp.d-trust.net
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.4788.2.31.1
            X509v3 CRL Distribution Points:
                URI:ldap://directory.d-trust.net/CN=D-TRUST%20Qualified%20Root%20CA%201%202008%3APN,O=D-Trust%20GmbH,C=DE?certificaterevocationlist
                URI:http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2008.crl
            X509v3 Issuer Alternative Name:
                email:i...@d-trust.net, URI:http://www.d-trust.net
            X509v3 Subject Key Identifier:
                69:6E:2D:C0:AC:21:5E:52:4F:04:B2:57:B9:A8:93:18:D9:4B:F3:42
            X509v3 Key Usage: critical
                Non Repudiation
    Signature Algorithm: sha256WithRSAEncryption
        08:15:99:7a:60:45:35:c0:48:78:b2:e8:cd:fe:c8:2d:ad:3d:
        [...]
        44:b6:ea:3d:75:cb:40:5a:c4:e3:31:3b:69:14:77:e1:01:59:
        3c:a8:56:27
-----BEGIN CERTIFICATE-----
MIIFCjCCA/KgAwIBAgIDB9yOMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNVBAYTAkRF
[...]
SycN3OakJ+QSiYCOOlQOY5TC+Ns5r/I9UzgGRzUqSr5Ho1kkI9h3Z0fnCjLlHwC5
+f/EUYHDfsXGTLQT1L1xEcSOUMJqV3c2RLbqPXXLQFrE4zE7aRR34QFZPKhWJw==
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 515120 (0x7dc30)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Validity
            Not Before: Jul 24 16:36:17 2008 GMT
            Not After : Jul 24 16:36:17 2013 GMT
        Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST Qualified Root CA 1 2008:PN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote:

> Hi everyone,
>
> we are currently trying to verify an ocsp response. The return is Response verify OK but we need to verify the signature algorithm of the response signature. We tried putting the response into a DER and parsing it. But still no information about the signature. There are signature algorithms printed, but those are the ones of the certificates. Or am I wrong? Is there a way to only print the signature of the response?

It should print the signature algorithm and signature just before the certificates. See the OCSP_RESPONSE_print() function in ocsp_prn.c. Are you using an old version of OpenSSL?

> I've added the response for further information. Any help would be appreciated!

Would be more useful if you'd attached the DER response i.e. response-2.der, can you send that?

> S999D003:/tmp/ocsp # openssl ocsp -respin response-2.der -text

[snip]

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: WG: OCSP response signature verification
Sure! Here are the request and response files.

Kind regards
Michel Pittelkow

Attachments: request-2.der, response-2.der
AW: WG: OCSP response signature verification
I forgot to write, which versions are used. For the client we are using 0.9.8L. But we also tested with M. We are not sure about the responders but we are trying to find out.

Kind regards
Michel Pittelkow
Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote:

> I forgot to write, which versions are used. For the client we are using 0.9.8L. But we also tested with M. We are not sure about the responders but we are trying to find out.

Oops, there was a bug in the print routine which meant the signature and signature algorithm were never printed out. I've just fixed it here:

http://cvs.openssl.org/chngview?cn=19434

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
AW: WG: OCSP response signature verification
Ah! That's exactly the point, where I tried to edit the code and recompile it. But every time I tried to I became an error in make complaining about [link_app.] and a false call of 'main' in _start... Can I just replace the file and recompile openssl? Or do I have to edit something in any type of data. Sorry. I am not that into C though :-(

Kind regards
Michel Pittelkow
Re: WG: OCSP response signature verification
On Fri, Mar 12, 2010, Michel Pittelkow - michael-wessel.de wrote:

> Ah! That's exactly the point, where I tried to edit the code and recompile it. But every time I tried to I became an error in make complaining about [link_app.] and a false call of 'main' in _start... Can I just replace the file and recompile openssl? Or do I have to edit something in any type of data. Sorry. I am not that into C though :-(

If you've compiled OpenSSL already you should just make the change and type make and it should rebuild it OK.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
AW: WG: OCSP response signature verification
Done that. It now seems to work! Thank you :)

S999D003:/home/ah/test # ./openssl ocsp -respin response-2.der -text
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, O = D-Trust GmbH, CN = D-TRUST OCSP-03 2008:PN
    Produced At: Mar 12 09:58:31 2010 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A611B199CA6EE1B1B8599953CBF428F8F8C94641
      Issuer Key Hash: F9CBC2D42788A9A1B050625E4DD2547D74731EBE
      Serial Number: 094D36
    Cert Status: good
    This Update: Mar 12 09:58:31 2010 GMT
        Response Single Extensions:
            1.3.36.8.3.12:
                ..20090715143639Z
            1.3.36.8.3.13:
                0!0...+...'.}O.L.j}..T.
    Response Extensions:
        OCSP Nonce:
            0410F987B6A59DB4116D1F60F436790C8C73
        OCSP Archive Cutoff:
            Mar 21 00:00:00 1975 GMT
    Signature Algorithm: sha256WithRSAEncryption
        [...]
Certificate:
    Data:

Kind regards
Michel Pittelkow
RE: Shorten the timeout for openssl s_client?
Todd Thatcher wrote:

> Using the command
>
>     openssl s_client -connect gmail.google.com:443
>
> openssl gets the certificate information and stays connected until I enter QUIT, or the timeout is hit -- about 2 minutes later. I want to script certificate expiration date checks for our servers. Is there a command-line switch or some other advice that I can use to change this behavior?

Two ideas:

1) echo QUIT | openssl s_client -connect gmail.google.com:443

2) openssl s_client -connect gmail.google.com:443 < /dev/null

DS
client authentication and tokens.
we have a client-server application pair (ok, the server side is tomcat), the client is using an Aladdin eToken w/ openssl and engine_pkcs11 and aladdin's driver. that's all fine and working now.

the client application has long running persistence, eg, once it's running, it stays up for days/weeks as it's a dedicated system sort of thing. the client makes periodic queries to the tomcat server, server responds, yada yada yada...

our security auditors yanked the token out, and the client continues to work, like it's cached the SSL authentication and continues to reuse the same session.

so, what exactly should we be doing from our xmlrpc-over-ssl client to ensure each of our macro transactions re-authenticates from scratch?