How does openSSL handle the pathlen constraint?
Hello openSSL gurus, I faced an issue of pathlen constraint checking by openSSL when verifying the client certificate. I did few studies for how openSSL does that and I appreciate your assistance on clarifying the issue. 1. The certificate chain with a pathlen constraint defined in a root CA: Root CA, pathlen:1 \ policy CA, pathlen:none \ issuer CA, pathlen:none \ client certificate In the first case openSSL does not verify the certificate correctly (i.e. the verification succeeds). It ignores the pathlen constraint defined in the root CA. 2. The certificate chain with a pathlen constraint defined in an intermediate CA: Root CA, pathlen:none \ policy CA, pathlen:0 \ issuer CA, pathlen:0 \ client certificate In the last case openSSL does correct verification (i.e. fails the client certificate) only when I define the intermediate CAs as untrusted. Is that supposed way the pathlen constraint works? Is it allowed to define the pathlen constraint in the root CA? I'm using openSSL 0.9.8r. Many thanks, Sergey Emantayev __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl-users] How does openSSL handle the pathlen constraint?
Bonjour, Le 21/05/2012 14:10, Serge Emantayev a écrit : Hello openSSL gurus, I faced an issue of pathlen constraint checking by openSSL when verifying the client certificate. I did few studies for how openSSL does that and I appreciate your assistance on clarifying the issue. 1. The certificate chain with a pathlen constraint defined in a root CA: Root CA, pathlen:1 \ policy CA, pathlen:none \ issuer CA, pathlen:none \ client certificate In the first case openSSL does not verify the certificate correctly (i.e. the verification succeeds). It ignores the pathlen constraint defined in the root CA. This is conformant with X.509. The basicConstraints extension is not taken in consideration if present in a trust anchor (a root certificate is a trust anchor). Download X.509 recommendation, see chapter 10 (from memory), the validation algorithm is described. -- Erwann ABALEA - Ce ne sont que des propositions. Je ne veux pas les faire passer en force. Je pense que si mes idées doivent être reprises, elles ne doivent pas passer au vote, pour plusieurs raison : -+- BC in : http://neuneu.ctw.cc - Neuneu sans vote et sans forcer -+- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Cert order in .pem format
Hi Pete, I tried to load the .p12 certs to the code directly, but it got failed at SSL_CTX_use_PrivateKey_file 1. err = SSL_CTX_use_certificate_chain_file(ctx, KeyFile); 2. SSL_CTX_set_default_passwd_cb(ctx, passwd); 3. err = SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM); 4. SSL_CTX_check_private_key(ctx); Can you please help on this ? ** This message and any files or attachments sent with this message contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, copy or use any part of this email. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return Email. Email transmission cannot be guaranteed to be secure or error-free as information can be intercepted, corrupted, lost, destroyed, late, incomplete or may contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission. **
Fw: Question on enhancing OpenSSL logs
Hi Marek, Thanks for the snippet. Its working in dev. But however its failing in one of our test regions with a compilation error as below. Cannot assign extern C void(*)(ssl_st*,int,int) to extern C void(*)() at a line where we have SSL_CTX_set_info_callback(ctx, ssl_connection_info_cb); We are doing the same as mentioned in the below mail chain. Can you pleas help us in resolving this. Thanks in advance. Thanks Gogula Krishnan Rajaprabhu - Forwarded by Karthikeyan Thirumal/Chennai/iNautix on 05/17/2012 12:49 PM - marek.marc...@malkom.pl Sent by: owner-openssl-us...@openssl.org 05/16/2012 09:12 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc openssl-...@openssl.org, openssl-users@openssl.org, owner-openssl-us...@openssl.org Subject Re: Question on enhancing OpenSSL logs Hello, You may trace connect/accept progres defining some callback function: /** * SSL connection info callback. * * @paramssl SSL connection socket * @paramtypeconnection type * @paramval connection info * @return none */ static void ssl_connection_info_cb(const SSL * ssl, int type, int val) { if (type SSL_CB_LOOP) { log_tra(ssl_state: %s: %s, type SSL_ST_CONNECT ? connect : type SSL_ST_ACCEPT ? accept : undefined, SSL_state_string_long(ssl)); } if (type SSL_CB_ALERT) { log_tra(ssl_alert: %s:%s: %s, type SSL_CB_READ ? read : write, SSL_alert_type_string_long(val), SSL_alert_desc_string_long(val)); } } and at library initialization set this callback: /* callback for connection information on SSL/TLS session negotiation */ SSL_CTX_set_info_callback(ctx, ssl_connection_info_cb); Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 05/16/2012 05:15:40 PM: kthiru...@inautix.co.in Sent by: owner-openssl-us...@openssl.org 05/16/2012 05:25 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org, openssl-...@openssl.org cc Subject Question on enhancing OpenSSL logs Team I have a query on enhancing the OpenSSL logs, As you know, SSL_accept is just one call using SSL library for an SSL handshake, but there are couple of steps inside this process like Client Hello / Server Hello, etc. What if i need to find the internal failures in SSL handshake ? Is there any openssl debug option available where the SSL library is capable of logging additional info ? We already have a series of error cases handled for SSL handshake, but they are pre- defined by OpenSSL and they do not speak on where they failed, err = SSL_accept((SSL *)SockObj-SSLCtx); if(err=0){ err=SSL_get_error((SSL *)SockObj-SSLCtx,err); switch(err){ case SSL_ERROR_NONE: case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_SYSCALL: case SSL_ERROR_SSL: } } Can you shed some lights here ? Thanks Regards Karthikeyan Thirumal ** This message and any files or attachments sent with this message contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, copy or use any part of this email. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return Email. Email transmission cannot be guaranteed to be secure or error-free as information can be intercepted, corrupted, lost, destroyed, late, incomplete or may contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission. ** __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org Information Classification: Public ** This message and any files or attachments sent with this message contain confidential information and is intended only
Re: Fw: Question on enhancing OpenSSL logs
Hello, This looks like declaration mismatch, you should send more info (used compilers, environment), maybe simple test code. Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 05/21/2012 02:52:15 PM: grajapra...@inautix.co.in Sent by: owner-openssl-us...@openssl.org 05/21/2012 04:51 PM Please respond to openssl-users@openssl.org To marek.marc...@malkom.pl cc openssl-users@openssl.org, openssl-...@openssl.org Subject Fw: Question on enhancing OpenSSL logs Hi Marek, Thanks for the snippet. Its working in dev. But however its failing in one of our test regions with a compilation error as below. Cannot assign extern C void(*)(ssl_st*,int,int) to extern C void(*)() at a line where we have SSL_CTX_set_info_callback(ctx, ssl_connection_info_cb); We are doing the same as mentioned in the below mail chain. Can you pleas help us in resolving this. Thanks in advance. Thanks Gogula Krishnan Rajaprabhu - Forwarded by Karthikeyan Thirumal/Chennai/iNautix on 05/17/2012 12:49 PM - marek.marc...@malkom.pl Sent by: owner-openssl-us...@openssl.org 05/16/2012 09:12 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org cc openssl-...@openssl.org, openssl-users@openssl.org, owner-openssl-us...@openssl.org Subject Re: Question on enhancing OpenSSL logs Hello, You may trace connect/accept progres defining some callback function: /** * SSL connection info callback. * * @paramssl SSL connection socket * @paramtypeconnection type * @paramval connection info * @return none */ static void ssl_connection_info_cb(const SSL * ssl, int type, int val) { if (type SSL_CB_LOOP) { log_tra(ssl_state: %s: %s, type SSL_ST_CONNECT ? connect : type SSL_ST_ACCEPT ? accept : undefined, SSL_state_string_long(ssl)); } if (type SSL_CB_ALERT) { log_tra(ssl_alert: %s:%s: %s, type SSL_CB_READ ? read : write, SSL_alert_type_string_long(val), SSL_alert_desc_string_long(val)); } } and at library initialization set this callback: /* callback for connection information on SSL/TLS session negotiation */ SSL_CTX_set_info_callback(ctx, ssl_connection_info_cb); Best regards, -- Marek Marcola marek.marc...@malkom.pl owner-openssl-us...@openssl.org wrote on 05/16/2012 05:15:40 PM: kthiru...@inautix.co.in Sent by: owner-openssl-us...@openssl.org 05/16/2012 05:25 PM Please respond to openssl-users@openssl.org To openssl-users@openssl.org, openssl-...@openssl.org cc Subject Question on enhancing OpenSSL logs Team I have a query on enhancing the OpenSSL logs, As you know, SSL_accept is just one call using SSL library for an SSL handshake, but there are couple of steps inside this process like Client Hello / Server Hello, etc. What if i need to find the internal failures in SSL handshake ? Is there any openssl debug option available where the SSL library is capable of logging additional info ? We already have a series of error cases handled for SSL handshake, but they are pre- defined by OpenSSL and they do not speak on where they failed, err = SSL_accept((SSL *)SockObj-SSLCtx); if(err=0){ err=SSL_get_error((SSL *)SockObj-SSLCtx,err); switch(err){ case SSL_ERROR_NONE: case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_CONNECT: case SSL_ERROR_SYSCALL: case SSL_ERROR_SSL: } } Can you shed some lights here ? Thanks Regards Karthikeyan Thirumal ** This message and any files or attachments sent with this message contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, copy or use any part of this email. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return Email. Email transmission cannot be guaranteed to be secure or error-free as information can be intercepted, corrupted, lost, destroyed, late, incomplete or may contain viruses. The sender,
RE: Question about ECDSA private key
From: owner-openssl-us...@openssl.org On Behalf Of Khuc, Chuong D. Sent: Friday, 18 May, 2012 17:22 I have an ECDSA private key in the form of a 32 byte unsigned char array, and a data that needs to be signed using that key. So I wrote the following code to load the key and use it to sign my data: snip: add PEM header/footer in=BIO_new_mem_buf(tempkey,hdrlen+ftrlen+32); pkey=PEM_read_bio_ECPrivateKey(in, NULL, NULL, NULL); And right there, pkey is returned to me as NULL. snip So please tell me what I did wrong. Thank you so much. What exactly is in your 32-uchar array? It can't possibly be a PEM-body or even DER encoding of OpenSSL's ECPrivateKey, which is minimum 112 chars or 82 bytes respectively. It would be the right size to be the raw priv_key value for some 256-bit curve, perhaps secp256k1 which is fairly common. If so, it appears to me you can use EC_KEY_new_by_curve_name and put your privkey in a bignum and use EC_KEY_set_private_key. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Fw: Question on enhancing OpenSSL logs
From: owner-openssl-us...@openssl.org On Behalf Of marek.marc...@malkom.pl Sent: Monday, 21 May, 2012 11:11 (-dev dropped) This looks like declaration mismatch, you should send more info (used compilers, environment), maybe simple test code. owner-openssl-us...@openssl.org wrote on 05/21/2012 02:52:15 PM: Cannot assign extern C void(*)(ssl_st*,int,int) to extern C void(*)() at a line where we have SSL_CTX_set_info_callback(ctx, ssl_connection_info_cb); We are doing the same as mentioned in the below mail chain. Can you pleas help us in resolving this. Thanks in advance. What version of openssl? All the versions I have back to early 0.9.8 declare SSL_CTX_set_info_callback to take void(*)(const SSL*,int,int). I have a few 0.9.7 versions that make it a macro which assigns to (ctx)-info_callback, but that is declared the same way. If you have a very old openssl that uses the KR1-style declaration void(*cb)(), this exposes an incompatibility between C++ and C. In C () still has the KR1 meaning of 'unknown (but non-vararg default-promoted) arguments' and only (void) means 'no arguments'. In C++ either (void) or () means 'no arguments'. If you are using such an old version, you'll need to make the part of your app that calls _set_info_callback C instead of C++. (If you don't want to convert much/all, you could write a 2-line C wrapper that is called from your C++.) But much better use a newer version that has better security _and_ support. Also note your callback should have its first parameter a pointer to const SSL or equivalently const struct ssl_st, or in C++ just const ssl_st (but in C++ the whole function must be extern C). In both C++ and C a pointer to const T and a pointer to nonconst T are formally incompatible, although in practice they interchange. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org