1.0.1-final release time frame
Is there a time frame for the final release of openssl 1.0.1 yet? I need the GCM support, and I'd hate to have to ask people to install a snapshot in order to build my program. Thanks, zw __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Does OpenSSL look into the Windows Certificate Store?
Does OpenSSL look into the Windows Certificate Store? This is what I'm wondering here: Windows / Perl / Net::SSLeay / OpenSSL: What locations are CA certificates loaded from? http://stackoverflow.com/q/7662213/269126 If any one of you can take a look and maybe even answer the question, I would certainly appreciate that. Thanks. -- Michael Ludwig __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
AW: SSL session ID vs session ticket
Hello! it looks like my original EMail has been truncated, therefore, my main questions were missing. I had already found option SSL_OP_NO_TICKET but I have some questions regarding SSL session tickets for which I have not found an answer yet: Is it OK to simply disable them or does this create some security risks? What is the advantage of using session tickets instead of session IDs? Can SSL session tickets be used with some kind of external cache? Thanks, Matthias Meixner -Ursprüngliche Nachricht- Von: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Im Auftrag von Richard Könning Gesendet: Donnerstag, 27. Oktober 2011 18:12 An: openssl-users@openssl.org Betreff: Re: SSL session ID vs session ticket Am 27.10.2011 14:09, schrieb Matthias Meixner: Hello! When upgrading to version 0.9.8r my system stopped supporting session resumption. It looks like session tickets are the reason for this. I was using some external session cache to support session resumption on a cluster of servers where it should be possible that each server in the cluster can resume the SSL connection. With the upgrade to version 0.9.8r this stopped working Try using something like SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET); Ciao, Richard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Using certificate and private key from Windows cert store with OpenSSL
Hi!
I am trying to make a program, that uses some Web Services in Delphi XE. To
connect to the Web Services, i have to use self signed (hope this is correct
term) certificate, which is stored in Windows cert store. So, i open the cert
store with CertOpenSystemStore, get cert with CertFindCertificateInStore and
set it with SSL_CTX_use_certificate. No problem with this. Then i get the
public key blob with CryptExportKey and make up a private key like this:
function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer; const
ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
var
modulus: PByte;
bh: PBLOBHEADER;
rp: PRSAPUBKEY;
rsa_modlen: DWORD;
rsa_modulus: PAnsiChar;
rkey: PRSA;
begin
bh := PBLOBHEADER(AKeyBlob);
Assert(bh^.bType = PUBLICKEYBLOB);
rp := PRSAPUBKEY(AKeyBlob + 8);
Assert(rp.magic = $31415352);
rsa_modulus := PAnsiChar(Integer(Pointer(rp))+12);
rkey := RSA_new_method(ASSLCtx.client_cert_engine);
rkey^.References := 1;
rkey^.e := BN_new;
rkey^.n := BN_new;
BN_set_word(rkey^.e, rp^.pubexp);
rsa_modlen := (rp^.bitlen div 8) + 1;
modulus := AllocMem(rsa_modlen);
CopyMemory(modulus, rsa_modulus, rsa_modlen);
RevBuffer(modulus, rsa_modlen);
BN_bin2bn(modulus, rsa_modlen, rkey^.n);
Result := EVP_PKEY_new;
EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
end;
and set it up with SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key. Also,
no problem so far. But then, when data transfer begins, i get access violation
in libeay32.dll - Access violation at address 09881C5F in module
'libeay32.dll'. Read of address . If i load the key from .pem file,
everything is fine.
The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something too - got
the same error, just different address.
Below is the RSA structure i get in PrivKeyBlob2RSA:
pad0
version 0
meth $898030C
engine nil
n $A62D508
e $A62D4D8
d nil
p nil
q nil
dmp1 nil
dmq1 nil
iqmp nil
ex_data (nil, -1163005939 {$BAADF00D})
references 1
flags 6
_method_mod_n nil
_method_mod_p nil
_method_mod_q nil
bignum_data nil {#0}
blindingnil
mt_blinding nil
I checked the n and e bignums, and they are CORRECT, and everything else looks
ok. The error happens when calling function ssl_read. I can't see what i am
doing wrong, please help :)
Thanks
Andrejs
Re: SSL session ID vs session ticket
On Thu, Oct 27, 2011, Matthias Meixner wrote: Hello! it looks like my original EMail has been truncated, therefore, my main questions were missing. I had already found option SSL_OP_NO_TICKET but I have some questions regarding SSL session tickets for which I have not found an answer yet: Is it OK to simply disable them or does this create some security risks? It's fine. If you disable them the normal stateful session resumption will be used. What is the advantage of using session tickets instead of session IDs? The server doesn't need to lookup session information from a cache. Can SSL session tickets be used with some kind of external cache? The tickets themselves are stored by clients. In order to use tickets a server needs two keys: a symmtric key and an HMAC key. If you have a distributed server they will all need to share the keys in order to process each others tickets. You can use the macros SSL_CTX_get_tlsext_ticket_keys() and SSL_CTX_set_tlsext_ticket_keys() to do this. There is also a callback SSL_CTX_set_ticket_key_cb(). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: writing an SSH server
On 10/28/2011 2:08 AM, Eric S. Eberhard wrote: I end up using SSL because, weirdly, credit card companies and shipping companies (I do business software), and so forth, all use SSL -- almost always HTTPS -- and I don't have a call for a protocol. It would be REALLY cool if you could make a wrapper on stunnel to handle the H protocol portion as I could certainly use it. The H parts are not in openssl because they are in the openssh addon to openssl. There is such a wrapper, it is the SSH command itself from openssh (which uses openssl for crypto). There is also another such wrapper for Windows, it is called plink from the putty product (also open source). Either can be invoked with options to act similar to openssl stunnel (passing standard input to the other end and passing the other ends output to standard out). Both also support a different SSH tunneling mechanism for passing through TCP connections in parallel to its main connection. All the tunneled TCP connections are transmitted inside the same encrypted TCP connection as the main connection. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Using certificate and private key from Windows cert store with OpenSSL
Simple, really:
You have not set the private part of the private key (d, p, q, dmp1,
dmq1, iqmp).
You need to export the private key from CryptoAPI too, and convert that
blob,
not the public key blob.
Alternatively, I have heard rumors of a CryptoAPI engine plug in for
OpenSSL
which will let OpenSSL directly use the keys and certificates stored by
Windows.
On 10/28/2011 9:48 AM, Andrejs Štrumfs wrote:
Hi!
I am trying to make a program, that uses some Web Services in Delphi XE. To
connect to the Web Services, i have to use self signed (hope this is correct
term) certificate, which is stored in Windows cert store. So, i open the cert
store with CertOpenSystemStore, get cert with CertFindCertificateInStore and
set it with SSL_CTX_use_certificate. No problem with this. Then i get the
public key blob with CryptExportKey and make up a private key like this:
function PrivKeyBlob2RSA(const AKeyBlob: PByte; const ALength: Integer; const
ASSLCtx: PSSL_CTX): IdSSLOpenSSLHeaders.PEVP_PKEY;
var
modulus: PByte;
bh: PBLOBHEADER;
rp: PRSAPUBKEY;
rsa_modlen: DWORD;
rsa_modulus: PAnsiChar;
rkey: PRSA;
begin
bh := PBLOBHEADER(AKeyBlob);
Assert(bh^.bType = PUBLICKEYBLOB);
rp := PRSAPUBKEY(AKeyBlob + 8);
Assert(rp.magic = $31415352);
rsa_modulus := PAnsiChar(Integer(Pointer(rp))+12);
rkey := RSA_new_method(ASSLCtx.client_cert_engine);
rkey^.References := 1;
rkey^.e := BN_new;
rkey^.n := BN_new;
BN_set_word(rkey^.e, rp^.pubexp);
rsa_modlen := (rp^.bitlen div 8) + 1;
modulus := AllocMem(rsa_modlen);
CopyMemory(modulus, rsa_modulus, rsa_modlen);
RevBuffer(modulus, rsa_modlen);
BN_bin2bn(modulus, rsa_modlen, rkey^.n);
Result := EVP_PKEY_new;
EVP_PKEY_assign_RSA(Result, PAnsiChar(rkey));
end;
and set it up with SSL_CTX_use_PrivateKey and SSL_CTX_check_private_key. Also,
no problem so far. But then, when data transfer begins, i get access violation
in libeay32.dll - Access violation at address 09881C5F in module
'libeay32.dll'. Read of address . If i load the key from .pem file,
everything is fine.
The libeay32.dll version is 1.0.0.5. Tried with version 0.9.something too - got
the same error, just different address.
Below is the RSA structure i get in PrivKeyBlob2RSA:
pad0
version 0
meth $898030C
engine nil
n $A62D508
e $A62D4D8
d nil
p nil
q nil
dmp1 nil
dmq1 nil
iqmp nil
ex_data (nil, -1163005939 {$BAADF00D})
references 1
flags 6
_method_mod_n nil
_method_mod_p nil
_method_mod_q nil
bignum_data nil {#0}
blindingnil
mt_blinding nil
I checked the n and e bignums, and they are CORRECT, and everything else looks
ok. The error happens when calling function ssl_read. I can't see what i am
doing wrong, please help :)
Thanks
Andrejs
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: writing an SSH server
On Thu, Oct 27, 2011 at 4:55 PM, Dave Thompson dthomp...@prinpay.com wrote: If you just want confidentiality with truly no authentication, SSL/TLS (and OpenSSL) can do that with the anonymous-DH and anonymous-ECDH suites. I assume you understand and accept the vulnerabilities you are creating by not authenticating. Thanks for this info. I'll look into it. Also: You didn't show your Error() routine (method?). I hope it displays the OpenSSL error stack in some suitable way; that information is very often vital in debugging errors. I'm just sending the message to cout. If you can point me to information on outputting the full OpenSSL error stack, I'd appreciate it. And: char *message = Hello SSL; changed to: char message[] = Hello SSL; Thanks, Dave __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: writing an SSH server
On Fri, Oct 28, 2011 at 12:26 PM, David Durham david.durham...@gmail.com wrote: I'm just sending the message to cout. If you can point me to information on outputting the full OpenSSL error stack, I'd appreciate it. replied too soon, looks like this is what I want: ERR_print_errors(sbio); -Dave __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: writing an SSH server
Thank you! Thank is great info for me if I ever need SSH (meaning SSL with the protocol). It may also help the original person as he may be able to solve his problem using inetd and openssh ... which is easy and reliable and works great if you have remotely reasonable traffic. Also, way less coding :-) Eric At 05:59 AM 10/28/2011, Jakob Bohm wrote: On 10/28/2011 2:08 AM, Eric S. Eberhard wrote: I end up using SSL because, weirdly, credit card companies and shipping companies (I do business software), and so forth, all use SSL -- almost always HTTPS -- and I don't have a call for a protocol. It would be REALLY cool if you could make a wrapper on stunnel to handle the H protocol portion as I could certainly use it. The H parts are not in openssl because they are in the openssh addon to openssl. There is such a wrapper, it is the SSH command itself from openssh (which uses openssl for crypto). There is also another such wrapper for Windows, it is called plink from the putty product (also open source). Either can be invoked with options to act similar to openssl stunnel (passing standard input to the other end and passing the other ends output to standard out). Both also support a different SSH tunneling mechanism for passing through TCP connections in parallel to its main connection. All the tunneled TCP connections are transmitted inside the same encrypted TCP connection as the main connection. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com For pictures: http://www.vicsmba.com/ourpics/index.html (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: strong TLS connections
After all my wrangling, I'm leaning towards just using client certs. Is it a reasonable assumption that on UNIX'es these days I can expect to find libssl.so AND the openssl command line? If not, is it reasonable to assume that A sysadmin will install openssl to get my app to work? Otherwise, it would seem that something as easy and well documented as creating a CSR could be a lot more coding... Many thanks for all the useful comments! Kris On 10/27/11 7:20 AM, Michael S. Zick wrote: On Wed October 26 2011, Kristen J. Webb wrote: Having an app that can use certs, it appears, is nothing compared with how to deploy it and manage those certs ;) A general truism not specific to certs. Recognizing (or implementing) a need for trust is one thing; Determining (or establishing) what is to be trusted is quite another. Consider: Your roof leaks. Its easy to find a contractor who claims they will fix it. Its an entirely different matter to find one you can __trust__ to do the job correctly and to your satisfaction. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Mr. Kristen J. Webb Teradactyl LLC. PHONE: 1-505-242-1091 EMAIL: kw...@teradactyl.com VISIT: http://www.teradactyl.com Home of the True incremental Backup System __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: strong TLS connections
I have an easy solution I use because not only do you have the problem with admins not having the library installed, you have the problem of them having the wrong version installed for something they need. Your app or theirs won't work. Or yours will, and they update openssl and it no longer does. And some places with strict security policies won't let you install things like openssl (but if they want your app they have to install it!). I simply build the static libraries and link them in. This means nothing need exist on the target machine and that you have a more stable product because you have tested against the library version you have static linked. You could argue it makes the program bigger and my answer is -- say what? My iPod could handle my entire business suite and data (for disk space, not actually running) -- so who cares. I have found this is often the easiest way to go. I also make a small wrapper that only builds certs from openssl and uses a different name, again making it appear to be my software. I also allow them to use a Web interface to my site to make a cert and download it. Eric At 11:09 AM 10/28/2011, Kristen J. Webb wrote: After all my wrangling, I'm leaning towards just using client certs. Is it a reasonable assumption that on UNIX'es these days I can expect to find libssl.so AND the openssl command line? If not, is it reasonable to assume that A sysadmin will install openssl to get my app to work? Otherwise, it would seem that something as easy and well documented as creating a CSR could be a lot more coding... Many thanks for all the useful comments! Kris On 10/27/11 7:20 AM, Michael S. Zick wrote: On Wed October 26 2011, Kristen J. Webb wrote: Having an app that can use certs, it appears, is nothing compared with how to deploy it and manage those certs ;) A general truism not specific to certs. Recognizing (or implementing) a need for trust is one thing; Determining (or establishing) what is to be trusted is quite another. Consider: Your roof leaks. Its easy to find a contractor who claims they will fix it. Its an entirely different matter to find one you can __trust__ to do the job correctly and to your satisfaction. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Mr. Kristen J. Webb Teradactyl LLC. PHONE: 1-505-242-1091 EMAIL: kw...@teradactyl.com VISIT: http://www.teradactyl.com Home of the True incremental Backup System __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Supporthttp://www.vicsmba.com For pictures: http://www.vicsmba.com/ourpics/index.html (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: strong TLS connections
On 10/28/11 12:39 PM, Eric S. Eberhard wrote: I have an easy solution I use because not only do you have the problem with admins not having the library installed, you have the problem of them having the wrong version installed for something they need. Your app or theirs won't work. Or yours will, and they update openssl and it no longer does. And some places with strict security policies won't let you install things like openssl (but if they want your app they have to install it!). I simply build the static libraries and link them in. This means nothing need exist on the target machine and that you have a more stable product because you have tested against the library version you have static linked. You could argue it makes the program bigger and my answer is -- say what? My iPod could handle my entire business suite and data (for disk space, not actually running) -- so who cares. I have found this is often the easiest way to go. I also make a small wrapper that only builds certs from openssl and uses a different name, again making it appear to be my software. I also allow them to use a Web interface to my site to make a cert and download it. Eric Static linking is something that we looked at a while back. Some other folks have convinced me that static linking may not the best way to go. - You have to keep up with security updates. If you link against the system libraries, then security vulnerabilities can be handled at the OS level. OS vendors try hard not to break backward compatibility, but I suppose time will tell if this will come back to bite us ;) - I don't have a complete answer on this yet, but it would seem to me that dynamic linking against crypto libraries instead of shipping those bits (static link) would make life easier from a US export side, but I am no lawyer! - If I am not mistaken, linking against system OpenSSL libraries allows you to work around the GNU licensing conflict which had me worried early on as I looked to adopting OpenSSL. Again, I'm no lawyer! Relying on OS configuration is more difficult, especially for Linux, as I need to now build against many linux distro's to get things right. Thanks to virtual environments, this is at least manageable. At 11:09 AM 10/28/2011, Kristen J. Webb wrote: After all my wrangling, I'm leaning towards just using client certs. Is it a reasonable assumption that on UNIX'es these days I can expect to find libssl.so AND the openssl command line? If not, is it reasonable to assume that A sysadmin will install openssl to get my app to work? Otherwise, it would seem that something as easy and well documented as creating a CSR could be a lot more coding... Many thanks for all the useful comments! Kris On 10/27/11 7:20 AM, Michael S. Zick wrote: On Wed October 26 2011, Kristen J. Webb wrote: Having an app that can use certs, it appears, is nothing compared with how to deploy it and manage those certs ;) A general truism not specific to certs. Recognizing (or implementing) a need for trust is one thing; Determining (or establishing) what is to be trusted is quite another. Consider: Your roof leaks. Its easy to find a contractor who claims they will fix it. Its an entirely different matter to find one you can __trust__ to do the job correctly and to your satisfaction. Mike __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Mr. Kristen J. Webb Teradactyl LLC. PHONE: 1-505-242-1091 EMAIL: kw...@teradactyl.com VISIT: http://www.teradactyl.com Home of the True incremental Backup System __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org Eric S. Eberhard (928) 567-3727 Voice (928) 567-6122 Fax (928) 301-7537 Cell Vertical Integrated Computer Systems, LLC Metropolis Support, LLC For Metropolis support and VICS MBA Support http://www.vicsmba.com For pictures: http://www.vicsmba.com/ourpics/index.html (You can see why we love this state :-) ) __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Mr. Kristen J. Webb Teradactyl LLC. PHONE: 1-505-242-1091 EMAIL: kw...@teradactyl.com VISIT: http://www.teradactyl.com Home of the True incremental Backup System __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?
Hello, What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows from the following latest snapshots: ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111028.tar.gz I get the following compilation error: Cannot open include file: 'openssl/fips.h' I am using Visual Studio 2010 x64. Here are the build details: C:\ cd openssl-fips-2.0-test-20111028 C:\ ms\do_fips no-asm ... ... *** FIPS BUILD SUCCESS* *** C:\ cd openssl-1.0.1-stable-SNAP-20111028 C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ perl Configure VC-WIN64A fips --prefix=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static no-idea no-mdc2 no-rc5 no-asm Configuring for VC-WIN64A ... ... Configured for VC-WIN64A. C:\ ms\do_win64a c:\Crypto\Windows\build_openssl_fips_capable\openssl-1.0.1-stable-SNAP-20111028 perl util\mkfiles.pl 1MINFO ... ... c:\Crypto\Windows\build_openssl_fips_capable\openssl-1.0.1-stable-SNAP-20111028 perl util\mkdef.pl 32 ssleay 1ms\ssleay32.def C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ nmake -f ms\nt.mak Microsoft (R) Program Maintenance Utility Version 10.00.30319.01 Copyright (C) Microsoft Corporation. All rights reserved. Building OpenSSL perl util/mkdir-p.pl tmp32 created directory `tmp32' perl util/mkdir-p.pl out32 ... ... cl /Fotmp32\o_dir.obj -Iinc32 -Itmp32 /MT /Ox -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -I..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static/include -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zl /Zi /Fdtmp32/lib -c .\crypto\o_dir.c o_dir.c ... ... cl /Fotmp32\o_fips.obj -Iinc32 -Itmp32 /MT /Ox -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -I..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static/include -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO _MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPE NSSL_NO_DYNAMIC_ENGINE /Zl /Zi /Fdtmp32/lib -c .\crypto\o_fips.c o_fips.c.\crypto\o_fips.c(60) : fatal error C1083: Cannot open include file: 'openssl/fips.h': No such file or directory NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 10.0 \VC\BIN\amd64\cl.EXE' : return code '0x2' Stop. Thanks, Bill __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?
On Fri, Oct 28, 2011, Bill Durant wrote: Hello, What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows from the following latest snapshots: ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111028.tar.gz I get the following compilation error: Cannot open include file: 'openssl/fips.h' I am using Visual Studio 2010 x64. Here are the build details: C:\ cd openssl-fips-2.0-test-20111028 C:\ ms\do_fips no-asm ... ... *** FIPS BUILD SUCCESS* *** C:\ cd openssl-1.0.1-stable-SNAP-20111028 C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ perl Configure VC-WIN64A fips --prefix=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static no-idea no-mdc2 no-rc5 no-asm Configuring for VC-WIN64A ... ... Configured for VC-WIN64A. C:\ ms\do_win64a You need to set FIPSDIR before the call to ms\do_fips Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?
On Oct 28, 2011, at 1:57 PM, Dr. Stephen Henson wrote: On Fri, Oct 28, 2011, Bill Durant wrote: Hello, What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows from the following latest snapshots: ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111028.tar.gz I get the following compilation error: Cannot open include file: 'openssl/fips.h' I am using Visual Studio 2010 x64. Here are the build details: C:\ cd openssl-fips-2.0-test-20111028 C:\ ms\do_fips no-asm ... ... *** FIPS BUILD SUCCESS* *** C:\ cd openssl-1.0.1-stable-SNAP-20111028 C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ perl Configure VC-WIN64A fips --prefix=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static no-idea no-mdc2 no-rc5 no-asm Configuring for VC-WIN64A ... ... Configured for VC-WIN64A. C:\ ms\do_win64a You need to set FIPSDIR before the call to ms\do_fips Steve. I did that and the problem still persists. What else could it be? Thanks, Bill -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: strong TLS connections
Kristen, Your points are all good. However, I have found the compatibility not good with customer installed versions versus my own. One of the problems, for example, could be that openssl compiles with a certain type of threads, not the same as your application. Same with semaphores and who knows what else. It could be many features like that. It could be changes in product I have found. Also, if they install in a different location than you, the header of your program will not find it (which can be solved with links on the user's system, sometimes). Sometimes the user installs a version with other dependencies (for example I use libxml2 but not the libzip ... and when a customer put the libzip version in, my application had problems). So then what I was doing was putting my versions of the dynamic libraries in my own location /usr/local/application_name/lib And linking that way and installing that way. But then when the security changes came ... I had to again install something and I realized it was easier to just install the static linked software. You also get tighter testing because it will force you to get the latest version, compile it, link it, test it, then install it. I do a LOT of cross-platform (AIX, Linux, OS/X, SCO, HP/UX, Windows, etc) work and have found that I am always safer linking exactly what I want and releasing that. I guess I feel I have more control over quality this way. BUT THIS IS JUST A DUMB OPINION -- most people disagree. I have found in practice that the dream of the O/S level updates magically making security updates work for your software is a dream that is more nightmare than pleasant. But that is just me. There are others who do agree, I am not alone, but I would guess a minority. As for the export question -- if they are not allowed certain things they are not allowed. Depending on your application, it may be OK. So if you require the illegal export of strong encryption and you install or ask them to install, you and they are in trouble. If your application is, say, a credit card application -- and it is static linked and can ONLY be used to process credit cards (and you let them generate keys through you) you are in fact able to export without legal complication. I export, had legal advise. I am not sure what you mean by the GNU licensing conflict. You are still only charging for your application, whether you static or dynamic link. I do always include the proper copyright files and put them in /usr/local/lib ... even though my link is static. I checked this as well. I will tell you that both my legal checks were cursory but I am confident they were sufficient. If you are really worried, check with a lawyer. On the GNU I think it is pretty much a matter of the intent of the license anyway. If you disclose it's use, include the proper copyright/license files, and don't charge for it, I think you are fine. There are taste issues on this -- but you may be happier with a static link. It will load a giga-blip faster too with static link, and you won't even notice :-) A lot will depend on what your software is and how much of it. We have thousands of customers. We do credit cards which requires certification and you cannot (should not) allow the customer to change your software by installing a dynamic library. In fact, what if they built themselves their own libraries that wrote the unencrypted text out to a file? Then they could steal credit card numbers. BAD BAD BAD. It is a security hole to allow dynamic libraries because you have no control on what is really there. You cannot look at a customer or credit card auditor and say with a straight face that you control the encryption and there is no security leak. If you statically link something in and certify it ... it is what is is. Under current credit card rules you may do minor updates just by notifying them -- so if you find a security patch that applies to your application (most don't for me) then you download, link statically, report to everyone who needs to know, and install your app again. Eric At 12:13 PM 10/28/2011, Kristen J. Webb wrote: On 10/28/11 12:39 PM, Eric S. Eberhard wrote: I have an easy solution I use because not only do you have the problem with admins not having the library installed, you have the problem of them having the wrong version installed for something they need. Your app or theirs won't work. Or yours will, and they update openssl and it no longer does. And some places with strict security policies won't let you install things like openssl (but if they want your app they have to install it!). I simply build the static libraries and link them in. This means nothing need exist on the target machine and that you have a more stable product because you have tested against the library version you have static linked. You could argue it makes the program bigger and my answer is
Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?
On Fri, Oct 28, 2011, Bill Durant wrote: On Oct 28, 2011, at 1:57 PM, Dr. Stephen Henson wrote: On Fri, Oct 28, 2011, Bill Durant wrote: Hello, What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows from the following latest snapshots: ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111028.tar.gz I get the following compilation error: Cannot open include file: 'openssl/fips.h' I am using Visual Studio 2010 x64. Here are the build details: C:\ cd openssl-fips-2.0-test-20111028 C:\ ms\do_fips no-asm ... ... *** FIPS BUILD SUCCESS* *** C:\ cd openssl-1.0.1-stable-SNAP-20111028 C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ perl Configure VC-WIN64A fips --prefix=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static no-idea no-mdc2 no-rc5 no-asm Configuring for VC-WIN64A ... ... Configured for VC-WIN64A. C:\ ms\do_win64a You need to set FIPSDIR before the call to ms\do_fips Steve. I did that and the problem still persists. What else could it be? Try setting it to an absolute path and not a relative one. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FIPS validation and TLS 1.2
Hi there, Could somebody confirm if the OpenSSL FIPS validation includes TLS 1.2? My check of the FIPS module code (openssl-fips-2.0-test-20111028.tar.gz) shows it is not. Please confirm. And what is the plan to include it if it is not currently. Thanks, -binlu
Re: How to build a 64-bit FIPS-capable OpenSSL on Windows from the latest snapshots?
On Oct 28, 2011, at 3:51 PM, Dr. Stephen Henson wrote: On Fri, Oct 28, 2011, Bill Durant wrote: On Oct 28, 2011, at 1:57 PM, Dr. Stephen Henson wrote: On Fri, Oct 28, 2011, Bill Durant wrote: Hello, What is the procedure for building a 64-bit FIPS-capable OpenSSL on Windows from the following latest snapshots: ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111028.tar.gz ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111028.tar.gz I get the following compilation error: Cannot open include file: 'openssl/fips.h' I am using Visual Studio 2010 x64. Here are the build details: C:\ cd openssl-fips-2.0-test-20111028 C:\ ms\do_fips no-asm ... ... *** FIPS BUILD SUCCESS* *** C:\ cd openssl-1.0.1-stable-SNAP-20111028 C:\ set FIPSDIR=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static C:\ perl Configure VC-WIN64A fips --prefix=..\openssl-1.0.1-stable-SNAP-20111028-x64-fips-static no-idea no-mdc2 no-rc5 no-asm Configuring for VC-WIN64A ... ... Configured for VC-WIN64A. C:\ ms\do_win64a You need to set FIPSDIR before the call to ms\do_fips Steve. I did that and the problem still persists. What else could it be? Try setting it to an absolute path and not a relative one. Steve. Thank you. That worked perfectly. Bill -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
