RE: Why Openssl s_server is allowing Session Reuse on the same tcp connection
Thanks Patrick. But what Use Case does this have, where client tells the server to resume the ssl session on the same tcp connection. Usually a different tcp connection makes sense to reuse the session id. -- View this message in context: http://openssl.6102.n7.nabble.com/Why-Openssl-s-server-is-allowing-Session-Reuse-on-the-same-tcp-connection-tp44907p44926.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
X509 custom extension
I am adding a custom extension to an x509 a png icon basically (bytes). Since the png icon is too large to post the data I have substituted it with a file called sample.txt that has a text line This is a sample.

The code excerpt to add the extension is below.

    getdata("sample.txt", length); //abstracted
    nid = OBJ_create("1.03", "samplealias", "sample");
    ASN1_OCTET_STRING_set(os, (unsigned char*)data, length);
    ret = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
    X509_add_ext(x, ret, -1);

*I have 2 Questions (1) the x509 before adding a custom extension looks like this*

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=OpenSSL Group
        Validity
            Not Before: Apr 26 12:48:18 2013 GMT
            Not After : Apr 26 12:48:18 2014 GMT
        Subject: C=UK, CN=OpenSSL Group
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:df:82:85:c6:0b:18:50:75:35:6b:3b:cc:2e:94:
                    a0:b4:a6:8e:21:19:9e:28:ca:46:54:b5:5f:75:c4:
                    bb:a2:19:c7:51:c4:19:0d:ef:ce:65:39:0f:90:90:
                    2b:2a:46:76:f4:03:be:a7:f2:76:4d:26:af:8e:ce:
                    84:43:52:74:d1
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        8b:a6:4d:0a:0b:b6:8f:13:f6:58:10:a2:a4:cc:9c:ba:37:8c:
        53:07:22:f0:93:29:17:78:b4:0a:28:91:ae:24:86:bf:2f:bf:
        d8:bc:4a:97:bd:36:09:c2:b3:21:fa:fe:fe:90:91:31:00:5e:
        01:f9:19:1b:54:89:f9:1f:b5:fa

*After I added the extension you can see my field added and that's great*

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=UK, CN=OpenSSL Group
        Validity
            Not Before: Apr 26 12:49:39 2013 GMT
            Not After : Apr 26 12:49:39 2014 GMT
        Subject: C=UK, CN=OpenSSL Group
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:cf:53:10:b6:c4:ef:f3:a7:7d:39:64:18:75:2a:
                    77:a9:82:52:59:a9:29:e8:d6:57:de:9e:4e:3f:6a:
                    69:b6:b5:48:c2:ab:5a:1e:f0:c4:8d:25:2a:3d:21:
                    04:49:59:46:b6:d5:23:39:38:26:68:71:1d:67:31:
                    d4:dc:a4:3b:09
                Exponent: 65537 (0x10001)
        *X509v3 extensions:
            sample:
                This is a sample
        *
    Signature Algorithm: sha1WithRSAEncryption
        af:5e:52:9d:cc:e7:5e:2c:63:81:76:53:c6:92:cb:81:3d:a7:
        16:63:3d:97:2a:c1:dc:12:64:e1:5b:16:f3:8b:f4:5e:e2:0c:
        3f:04:4d:b8:67:b7:35:75:8a:7b:b0:3a:c8:f0:7b:7d:2e:b3:
        b3:6a:9d:07:21:87:32:b6:4d:4f

*But I noticed that the end data
Re: [openssl-users] X509 custom extension
Hello,

On 26/04/2013 15:15, redpath wrote:

> I am adding a custom extension to an x509 a png icon basically (bytes).
> Since the png icon is too large to post the data I have substituted it
> with a file called sample.txt that has a text line This is a sample.
>
> The code excerpt to add the extension is below.
>
>     getdata("sample.txt", length); //abstracted
>     nid = OBJ_create("1.03", "samplealias", "sample");

Avoid the use of existing OIDs for private purpose. 1.3 is already defined (/ISO/Identified-Organization). Register for your own private OID (ask for one under the 1.3.6.1.4.1 branch, for example), and do whatever you want in your sandbox.

>     ASN1_OCTET_STRING_set(os, (unsigned char*)data, length);
>     ret = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
>     X509_add_ext(x, ret, -1);
>
> *I have 2 Questions (1) the x509 before adding a custom extension looks like this*
>
> *After I added the extension you can see my field added and that's great*

The extension is here, it looks fine, but it's not. The content of your extension is a simple string: "This is a sample\n\n", where the content of an extension is supposed to be the DER encoding of something.

> *But I noticed that the end data has gotten larger?
> -BEGIN CERTIFICATE-
> -END CERTIFICATE-*
> *And of course it is much larger when using a real PNG, very much so..
> Why is that?

I'm not sure I understand the question. You had no extension in your first certificate, you added an extension with 18 bytes of content, and are wondering if it's normal that your certificate is now bigger? To the 18 bytes of content, you have to add 2 bytes
Re: X509 custom extension
Thanks and also the OID register.
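An added example, not code from the thread or from OpenSSL: a stand-alone DER encoder that builds the Extension structure both ways discussed in the reply above, once with the raw text as extnValue under OID 1.3 and once with the payload DER-encoded as an inner OCTET STRING under a private-enterprise arc. The function names, the 4096-byte bound and the choice of the documentation arc 1.3.6.1.4.1.32473 (RFC 5612) in place of a registered OID are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 4096 /* assumed bound for this sketch */
static const unsigned char OID_POSTED[] = { 0x2B }; /* 1.3, as in the posted code */
/* 1.3.6.1.4.1.32473.1: arc under the enterprise number reserved for documentation (RFC 5612) */
static const unsigned char OID_EXAMPLE[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x81, 0xFD, 0x59, 0x01 };

/* Bytes used by a DER tag plus definite length for len content bytes (len <= 65535). */
static size_t hdr_len(size_t len) { return len < 0x80 ? 2 : len <= 0xFF ? 3 : 4; }
/* Write one DER TLV at out; returns the number of bytes written. */
static size_t der_tlv(unsigned char *out, unsigned char tag, const unsigned char *val, size_t len)
{
    size_t n = 0;
    out[n++] = tag;
    if (len >= 0x80) {                        /* long form: 0x81 len, or 0x82 hi lo */
        out[n++] = len <= 0xFF ? 0x81 : 0x82;
        if (len > 0xFF) out[n++] = (unsigned char)(len >> 8);
    }
    out[n++] = (unsigned char)(len & 0xFF);
    memcpy(out + n, val, len);
    return n + len;
}

/* Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, extnValue OCTET STRING }.
 * wrap_der == 0 puts payload into extnValue as-is (what the posted code does);
 * wrap_der == 1 first DER-encodes it as an inner OCTET STRING. out needs
 * MAX_PAYLOAD + 64 bytes; returns the encoded length, 0 if the input is too large. */
size_t build_extension(unsigned char *out, const unsigned char *oid, size_t oid_len,
                       const unsigned char *payload, size_t payload_len, int wrap_der)
{
    unsigned char inner[MAX_PAYLOAD + 8], body[MAX_PAYLOAD + 48];
    const unsigned char *value = payload;
    size_t value_len = payload_len, n;
    if (payload_len > MAX_PAYLOAD || oid_len > 32) return 0;
    if (wrap_der) {
        value_len = der_tlv(inner, 0x04, payload, payload_len);
        value = inner;
    }
    n = der_tlv(body, 0x06, oid, oid_len);            /* extnID */
    n += der_tlv(body + n, 0x04, value, value_len);   /* extnValue */
    return der_tlv(out, 0x30, body, n);               /* enclosing SEQUENCE */
}

/* Size of the extensions field ([3] EXPLICIT, SEQUENCE OF) holding one extension. */
size_t extensions_field_size(size_t n) { n += hdr_len(n); return n + hdr_len(n); }

int main(void)
{
    static const unsigned char text[] = "This is a sample\n\n"; /* the 18 bytes from the thread */
    unsigned char out[MAX_PAYLOAD + 64];
    size_t raw = build_extension(out, OID_POSTED, sizeof OID_POSTED, text, 18, 0);
    size_t der = build_extension(out, OID_EXAMPLE, sizeof OID_EXAMPLE, text, 18, 1);
    printf("raw extnValue: %zu bytes, DER extnValue: %zu bytes\n", raw, der);
    return 0;
}
```

With the 18-byte text under OID 1.3 the Extension is 25 bytes and the extensions field 29 bytes, which is the structural overhead on top of the payload.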
FIPS with openssl 1.0.1c strange error
I cross compiled openssl 1.0.1c with FIPS with following commands:

For FIPS module:

    ./config
    make

for openssl

    ./config fips no-asm shared --with-fipsdir=/software/openssl/openssl-fips-2.0.2/
    export FIPS_SIG=/software/openssl/openssl-fips-2.0.2/util/incore
    changed fipsld line 132 to ${FIPS_SIG} -dso ${TARGET}
    make

Everything was fine. openssl was working fine after installing in the target machine.

I had to rebuild libcrypto for some reason. With the same options I did a clear build and created libcrypto.so.1.0.0. But in the target system after installing, I get this when I run openssl.

    [root@PC ~]# openssl
    b69a5b834670cad92f1ecced70bc732857b3580e
    [root@PC ~]# openssl ciphers
    b69a5b834670cad92f1ecced70bc732857b3580e
    [root@PC ~]

What does this mean? Both libcrypto.so.1.0.0 (earlier and new) are equal in size and symbols also match.

    [root@PC~]# nm -f 'sysv' *libcrypto.so.1.0.0_earler* |grep fips|grep .rodata
    fips_des_sptrans|00190aa0| R | OBJECT|0800| |.rodata
    fips_sha1_version |001909e0| R | OBJECT|0030| |.rodata
    fips_sha256_version |00190a20| R | OBJECT|0033| |.rodata
    fips_sha512_version |00190a60| R | OBJECT|0033| |.rodata

    [root@PC~]# nm -f 'sysv' *libcrypto.so.1.0.0* |grep fips|grep .rodata
    fips_des_sptrans|00190aa0| R | OBJECT|0800| |.rodata
    fips_sha1_version |001909e0| R | OBJECT|0030| |.rodata
    fips_sha256_version |00190a20| R | OBJECT|0033| |.rodata
    fips_sha512_version |00190a60| R | OBJECT|0033| |.rodata

But diff command says they are different. Is this something to do with env setup? I checked both Makefiles and they are same.

Please some one help with this. I am frustrated with this
RE: Data and Signature (envelope)
> From: owner-openssl-us...@openssl.org On Behalf Of redpath
> Sent: Thursday, 25 April, 2013 09:40
> To: openssl-users@openssl.org
> Subject: Re: Data and Signature (envelope)
>
> I looked at the latest smsign.c shown below modified with a large data item.
> The result is still a detached and quite small like a signature.
> The flag changed and yet nothing different. It should be quite large.

snip

Your code works for me, with one change to use my data file, on (home) Vista with ShiningLight 1.0.0e and mingw gcc.

Are you by any chance also working on Windows? Remember that on Windows C implementations (except maybe cygwin, I'm not sure) open mode "r" means a text file, which is truncated at any 0x1A (^Z) byte. PDF's are usually compressed and compressed data is practically certain to contain 0x1A bytes here and there. To handle compressed or other binary data use "rb".

If you want to see what is actually in your generated object take the body part (i.e. skip the S/MIME headers) and feed it as input to commandline asn1parse. If your contained data is compressed it will display as unreadable gibberish, but you can see something is there and get some idea how big it is.
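An added example, not code from the thread or from smsign.c: reading the data file in binary mode and locating the first 0x1A byte, which is where the text-mode read described in the reply above would stop on Windows. The file name `ctrlz_sample.bin`, the function names and the sample bytes are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample: a few "compressed-looking" bytes with 0x1A at offset 5. */
static const unsigned char SAMPLE[] = { '%', 'P', 'D', 'F', 0x00, 0x1A, 0xFF, 0x0A, 0x1A, 0x42 };

/* Read a whole file in binary mode ("rb"), so no byte is treated as end-of-file
 * and no newline translation happens. Caller frees the result; NULL on error. */
unsigned char *read_binary(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL, *tmp;
    size_t cap = 0, n = 0, got;
    if (!f) return NULL;
    do {
        if (n == cap) {                      /* grow the buffer before reading more */
            cap = cap ? cap * 2 : 4096;
            if (!(tmp = realloc(buf, cap))) { free(buf); fclose(f); return NULL; }
            buf = tmp;
        }
        got = fread(buf + n, 1, cap - n, f);
        n += got;
    } while (got > 0);
    if (ferror(f)) { free(buf); buf = NULL; n = 0; }
    fclose(f);
    *len = n;
    return buf;
}

/* Offset of the first 0x1A (Ctrl-Z) byte, or len if there is none. On Windows a
 * text-mode ("r") read stops at that offset, so it bounds what would get signed. */
size_t first_ctrl_z(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != 0x1A) i++;
    return i;
}

int main(void)
{
    size_t len = 0;
    FILE *f = fopen("ctrlz_sample.bin", "wb");
    if (!f || fwrite(SAMPLE, 1, sizeof SAMPLE, f) != sizeof SAMPLE || fclose(f) != 0) return 1;
    unsigned char *data = read_binary("ctrlz_sample.bin", &len);
    if (!data) return 1;
    printf("file has %zu bytes; a text-mode read on Windows stops at offset %zu\n",
           len, first_ctrl_z(data, len));
    free(data);
    remove("ctrlz_sample.bin");
    return 0;
}
```

If the offset is smaller than the file size, the signed content would have been cut short at that point when the file was opened with "r" on Windows.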
Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?
On Thu, Apr 25, 2013 at 04:40:12AM -0700, Cipher wrote:

> For FIPS work, we are planning to support only TLSv1.2 ciphers.
> Is there a configuration option to use *only* TLSv1.2 ciphers?

You say ciphers here.

> we are using apache/mod_ssl engine(v 2.2.16). *SSLProtocol* directive does
> not support TLSv1.1/TLSv1.2 option.

And then protocols here. Which do you want, the protocol or the ciphers?

> if there is no config option, which functions need to be changed to support
> only TLSv1.2 in FIPS mode?(If the list is not so long)
> any inputs are highly appreciated.

I am not aware of any config option. At runtime you can call:

    SSL_CTX_set_options()

with an argument of:

    SSL_OP_NO_SSLv2|
    SSL_OP_NO_SSLv3|
    SSL_OP_NO_TLSv1|
    SSL_OP_NO_TLSv1_1

--
Viktor.
Re: Is it possible to configure only TLSv1.2 ciphers for FIPS?
On 4/25/2013 1:40 PM, Cipher wrote:

> Hi,
> For FIPS work, we are planning to support only TLSv1.2 ciphers.
> Is there a configuration option to use *only* TLSv1.2 ciphers?
> we are using apache/mod_ssl engine(v 2.2.16). *SSLProtocol* directive does
> not support TLSv1.1/TLSv1.2 option.

Which version of the OpenSSL library was it built with? Anything less than 1.0.1 will not allow TLSv1.2, and will not work with the current FIPS-certified module 2.0.

Due to known security fixes, be sure to use Apache/mod_ssl 2.2.24 or later with OpenSSL 1.0.1e or later. Apache 2.2.24 includes security fixes, and some TLSv1.2 related fixes.

If it was built against OpenSSL library 1.0.1, you can use the SSLCipherSuite directive to limit the set of ciphersuites that will work. Also note that the parser for this option in earlier OpenSSL library 1.0.1 patch releases had bugs in the handling of TLSv1.2 related names, so be sure to use the current OpenSSL library version 1.0.1e.

According to http://httpd.apache.org/docs/2.2/mod/mod_ssl.html, when built against OpenSSL library 1.0.1e with FIPS module 2.0, mod_ssl 2.2.23 or later *does* support the specification of the TLSv1.2 protocol in the SSLProtocol directive.

And please be sure to filter the correct aspect of your setup, as there are 4 independent directives that affect *different* security parameters:

    # Only use the cipher suites that are new for TLS version 1.2,
    #    regardless of their security or lack thereof.
    # The value of this option is parsed by the OpenSSL library and the
    #    mod_ssl documentation of its possible values is hopelessly
    #    outdated, for instance the value HIGH and MEDIUM do not mean
    #    what that outdated document says.
    SSLCipherSuite TLSv1.2

    # Only use the version 1.2 handshake and encryption protocol, this
    #    does not prevent negotiating a weak encryption such as
    #    56 bit single DES.
    # This option is new in Apache mod_ssl 2.2.23
    SSLProtocol TLSv1.2

    # Only use FIPS-approved algorithms in FIPS-validated implementations,
    # this is required for US Government work but prevents the use of
    # security improvements that have not made it through the bureaucracy
    # yet.
    SSLFIPS on

    # Prevent a traffic-analysis attack on some types of cookie-
    # authentication. These attacks only work if they can trick the user's
    # browser into repeatedly sending their secret cookie with different
    # attacker-chosen HTTP header values, thus giving different compressed
    # size depending on which letters are in common between the cookie and
    # the attacker's values. These attacks are called CRIME attacks.
    # A better defense against these attacks is to cancel (server side!) the
    # validity of any authentication cookie repeatedly received with wrong
    # or modified URLs or other header parameters.
    # Regardless, some security auditors currently insist that all data
    # compression of encrypted connections is disabled wholesale
    # regardless of other security measures taken against these attacks.
    # This option is new in Apache mod_ssl 2.2.24
    SSLCompression off

> if there is no config option, which functions need to be changed to support
> only TLSv1.2 in FIPS mode?(If the list is not so long)
> any inputs are highly appreciated.
>
> Thanks,

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded