[openssl-users] Problem in RSA encrypt and Decrypt using EVP

2016-01-28 Thread Sugumar 
Hi,

I have problem in RSA encrypt and decrypt using EVP methods.
My below program is some times working fine and some times it fails to
decrypt the message.
That means when i executing the below code 2 times working fine 3rd time it
fails to decrypt.
Please point out the error.

Code:

#include 
#include 
#include 
#include 
 #include 
 #include 

 EVP_PKEY *pkey = EVP_PKEY_new();
 EVP_PKEY_CTX *ctx2;
 unsigned char *out1;
 size_t outlen1;
 EVP_PKEY_CTX *ctx;
 ENGINE *eng;


RSA *rsakey =RSA_new();


bool GenerateRsaKeyPair()
{
BIGNUM *bnexp = NULL;
unsigned long exp = RSA_F4;
bnexp = BN_new();

if(!BN_set_word(bnexp,exp))
{
std::cout <<"Failed to set exponent word in BIO."

[openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

2016-01-28 Thread security veteran 
Hi All:

Is there a way to enable FIPS mode globally, instead of having to
explicitly invoke the FIPS_mode_set() API from each application, for
enabling the FIPS mode?

The reason I ask is, it will be much easier to enable FIPS mode if there're
many applications which rely on OpenSSL for crypto work, and making changes
to all of these applications to allow then invoking FIPS_mode_set() will be
too much of the work.

Thanks.
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] stunnel 5.30 released

2016-01-28 Thread Michal Trojnara 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Dear Users,

I have released version 5.30 of stunnel.

The ChangeLog entry:

Version 5.30, 2016.01.28, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2f.
https://www.openssl.org/news/secadv_20160128.txt
* New features
  - Improved compatibility with the current OpenSSL 1.1.0-dev tree.
  - Added OpenSSL autodetection for the recent versions of Xcode.
* Bugfixes
  - Fixed references to /etc removed from stunnel.init.in.
  - Stopped even trying -fstack-protector on unsupported platforms
(thx to Rob Lockhart).

Home page: https://www.stunnel.org/
Download:  https://www.stunnel.org/downloads.html

SHA-256 hashes:
7d6eb389f6a1954b3bcf6c71d4ae3c5f9dde1990dd0b9e0cb1c7caf138d60570
stunnel-5.30.tar.gz
cf13a881d2f19b8db5e70fafac6e5dad31f041ee6b9c0316dbd8f9f425c16418
stunnel-5.30-installer.exe
102c54d0f58937fc3c3de2a6fb629562e48eae200123d6357889defa45c1
stunnel-5.30-android.zip

Best regards,
Mike
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJWqkhcAAoJEC78f/DUFuAUbZoP/iH+4dndQdh5SSpSH8NR2dUf
Nx10nPHP9WXZIVF9C0pISDGpRcpRi6k+4p3NU8SblGsTRm78zCpWYmeEso46Q9ve
IHCrUrmQntygZ5xL5Igij9rvN8s6VeucxiMX1pZBJWAvtV5Mj2XDWFEgGiUc+sPC
leCJIhj+2G6hNZJzl5whptW48+smqQvh8LC5jEtFaAUp5C0ptjrmz/vebEDlVKOs
qZOZMwLmNojP3WGWWrt5fkBCLZXKvkDipgI4ln3aro/fCYQZ5fikGYbW7dTOvNCT
lFmCS2vXg1hqFNM3qBWp8HKqiyYR9nVYNesW5vQW/INp6wRSqul9QSJQwsVge37N
wbl19KLZL0bqXYV5a5OTovi5X1X+wRbKkcGE8yozptifV4n1AgZL4rbLkKqFu/BF
zHHUmOi1m5SkRAoN8pmaTmNFe/Zp72o6unN1kfrXyvJj6NCiDKXMqTmYw4bfoSBM
UUg6uKtc7k7XGPvgca/HrdEu8DJPQIWcRqNVqQ5AxVnub9gBFsJC15XdgutHJK97
XuLhZhHBdm10Frf2u/nk2Q2GpPdHAPK67QgERzO2Nr35KGOxwMXahyxKK0jI5ue5
bekTLYjZYUKS94Lt/uUgxaVmwG0x1qjurfhdXoUemuYKUAzv2tZlNF1NiGme3feP
WqLyTnuGhYIxEbltnFif
=gYXk
-END PGP SIGNATURE-
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL version status

2016-01-28 Thread Karl Denninger 
On 1/27/2016 07:56, Nulik Nol wrote:
> Hi,
> I have to implement SSL/TLS in a proprietary web server daemon. I am
> only familiar with SSL as a user, not as developer, so my question is.
> What versions of SSL should I support for best compatibility and
> optimal development time? How much old browsers are out there that
> still use older SSL versions? Because, Wikipedia says SSL 3.0 was
> deprecated by Jun 2015 but if I only implement TLS, I may lose many
> visitors with old browsers, right ?
>
> Please advise.
> TIA
> Nulik
Some, to use a single word.  Not many though.

The notable problems come from very old mobile handsets (e.g. Froyo and
similar Android). I have about 3% of my users on systems I manage still
hitting them from XP machines as an example of "old", which are
potential issues in this regard, BUT TLS1.0 is supportable by XP -- so
shutting off SSL3 won't kill those users.

There are a smattering of machines that still hit my sites running
Windows 98, however (well under 1%), believe it or not.

Be aware that the OpenSSL defaults when you define a server context are
inappropriate for most purposes and thus you have to do a bit more work
when programming a server to get a reasonably-secure environment than
when connecting using OpenSSL as a client.  Specifically, be aware of
issues surrounding client renegotiation requests (which can turn into a
denial-of-service problem) and how you handle Diffie-Hellman (if you
choose to load said keys) along with the ECDH cipher set.  For a server
you also have to consider whether you're going to multiplex or
multithread as OpenSSL requires some additional attention at the
programming level (for locking) in a threaded application.

-- 
Karl Denninger
k...@denninger.net 
/The Market Ticker/
/[S/MIME encrypted email preferred]/


smime.p7s
Description: S/MIME Cryptographic Signature
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL Security Advisory

2016-01-28 Thread OpenSSL 
clients by
rejecting handshakes with DH parameters shorter than 768 bits in
releases 1.0.2b and 1.0.1n.

This limit has been increased to 1024 bits in this release, to offer
stronger cryptographic assurance for all TLS connections using
ephemeral Diffie-Hellman key exchange.

OpenSSL 1.0.2 users should upgrade to 1.0.2f
OpenSSL 1.0.1 users should upgrade to 1.0.1r

The fix was developed by Kurt Roeckx of the OpenSSL development team.

Note


As per our previous announcements and our Release Strategy
(https://www.openssl.org/policies/releasestrat.html), support for OpenSSL
version 1.0.1 will cease on 31st December 2016. No security updates for that
version will be provided after that date. Users of 1.0.1 are
advised to upgrade.

Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions
are no longer receiving security updates.

References
==

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20160128.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJWqiT1AAoJENnE0m0OYESR07gIAJ65FdP2oFR9pspmLh+iZ978
Q+1R8vShqUjkpE14gUOHaidgsU8l7HoR7v3mWFtv+XqBUp94ISOFeyt4B4jlDsHE
SSgO60zlnYha0KaOeRv/aH1quiWhx8bxNZ1HJbbwlxPclqmEplhXqoSEbVvOZKFZ
VPu8gmJg3fzdQpQT0eAZ/5ez6SMvIM1FO47FlqtstWgHSs0iq1scIr1LKNmH3uMZ
tmNmq5U/tTX/51eKYqFIrWXIeyHSiOTXRBUjnw4ybCiobklLH1qiEApJW6iPkOob
9WthtiyBVBxCpYpF8h4mQc3h77J/q4rLcL/b56sqMsHTV4ULhbN2VIUnzcuzIUI=
=Dfuh
-END PGP SIGNATURE-
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL version 1.0.2f published

2016-01-28 Thread OpenSSL 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


   OpenSSL version 1.0.2f released
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2f of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2f is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2f.tar.gz
  Size: 5258384
  SHA1 checksum: 2047c592a6e5a42bd37970bdb4a931428110a927
  SHA256 checksum: 
932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2f.tar.gz
openssl sha256 openssl-1.0.2f.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJWqh5GAAoJENnE0m0OYESRsd8IALq/rtH2LTBSva5EahcoHWbp
wa/bcqnk84tWhBtFdsPY6bc842I7KUuajdlb/O/tKket/7XDBtO8Ud+xwajCDjUR
0Ui56bWUD6KzDCKOuarTQ2zSdrnbBvO20x4WZlpNQ67ZsEQ3DuSouTetFGRmNgfb
Te2BNteBZ//OGsqfvzuegbMbAuaePwwOO8XurNqwm4O1F1dphz7BuBx9IiCsHypa
ISmmx27WzGYUS30nQuseFTHj8wd++zaJVRX8xM/alqoDdOT6qkavqpVku8RhwKuZ
gnmeIXPRPzktYagQ1w+Py5ZGEIEZhvJpf/UQktuGw6xJ+D8PXC3D3i1Rth9UHIA=
=ITZs
-END PGP SIGNATURE-
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL version 1.0.1r published

2016-01-28 Thread OpenSSL 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


   OpenSSL version 1.0.1r released
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.1r of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

http://www.openssl.org/news/openssl-1.0.1-notes.html

   OpenSSL 1.0.1r is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.1r.tar.gz
  Size: 4547786
  SHA1 checksum: d2cfa980ef4548da6079fa1e51fe1fb2e5a53e99
  SHA256 checksum: 
784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.1r.tar.gz
openssl sha256 openssl-1.0.1r.tar.gz

   Yours,

   The OpenSSL Project Team.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJWqiPkAAoJENnE0m0OYESRcmgIAJidxSVl5K1TE23gWxVrj75z
tYY1YGGi+DjyYMJCxuXaKKZ/Yidhj8w3d+b0HnUs8r2YJNRjDQmh+BvGtA4FIgcq
WQlypzUL/hmyicdvhTz/Y0r3O0DNOpYFIrjkWGkJFiYYm2bZIwDqkx4UAImOM3r1
qh0SfUuILDsHhwsi/EMexmTNKOuqcXWc/UVy2a5q074Va7BRJnUvAApD/jBpZgdh
fIWOlVs1BnVE87wPddyXHK6UlyUd+5Zuc91ytvxYQayqx9D/t0AZ73isfzoE1jj9
dDS9H2+SJyN+WwJI1UUxZ8QthmPbnWwKpR733xtMUZ5r0M2e+V92eOgTNfcVvEI=
=AYwY
-END PGP SIGNATURE-
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Acessing a proxy with OpenSSL

2016-01-28 Thread Marcos Bontempo 
Thanks for your answer!
Have you got a C example using the CONNECT request to the proxy?In this case I 
want to avoid NAT.
It helped a lot!Thanks.
To: openssl-users@openssl.org
From: t...@convey.de
Date: Thu, 28 Jan 2016 12:47:48 +0100
Subject: Re: [openssl-users] Acessing a proxy with OpenSSL


  

  
  
Am 28.01.2016 um 12:02 schrieb Marcos
  Bontempo:



  
  
Hello,



I'm using this example to make a SSL connection:
  http://fm4dd.com/openssl/sslconnect.htm.
Now I want to also acess a HTTPS proxy. Is there a way to
  acess a HTTPS proxy with the OpenSSL library?



Any tip will be very helpful,
Thanks.
  



See http://wiki.squid-cache.org/Features/HTTPS and
http://tools.ietf.org/rfc/rfc2817.



AFAIK OpenSSL does not provide specific support for SSL via proxy,
but you can set up a SSL connection using the CONNECT request to the
proxy.



Using a proxy for SSL connection does not make sense if you want to
take advantage of a proxy's caching feature, since these CONNECT
requests cannot be cached. This is by design.



Using a proxy for SSL can be useful if you want to avoid NAT, or
want to log, or filter, the connection targets.



Hope this helps,

Ted

;)

-- 
PGP Public Key Information
Key ID = 7AFB8D26
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

  


___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users  
  ___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Acessing a proxy with OpenSSL

2016-01-28 Thread Bernhard Fröhlich 

Am 28.01.2016 um 12:02 schrieb Marcos Bontempo:

Hello,

I'm using this example to make a SSL connection: 
http://fm4dd.com/openssl/sslconnect.htm.
Now I want to also acess a HTTPS proxy. Is there a way to acess a 
HTTPS proxy with the OpenSSL library?


Any tip will be very helpful,
Thanks.


See http://wiki.squid-cache.org/Features/HTTPS and 
http://tools.ietf.org/rfc/rfc2817.


AFAIK OpenSSL does not provide specific support for SSL via proxy, but 
you can set up a SSL connection using the CONNECT request to the proxy.


Using a proxy for SSL connection does not make sense if you want to take 
advantage of a proxy's caching feature, since these CONNECT requests 
cannot be cached. This is by design.


Using a proxy for SSL can be useful if you want to avoid NAT, or want to 
log, or filter, the connection targets.


Hope this helps,
Ted
;)

--
PGP Public Key Information
Key ID = 7AFB8D26
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Acessing a proxy with OpenSSL

2016-01-28 Thread Marcos Bontempo 
Hello,
I'm using this example to make a SSL connection: 
http://fm4dd.com/openssl/sslconnect.htm.Now I want to also acess a HTTPS proxy. 
Is there a way to acess a HTTPS proxy with the OpenSSL library?
Any tip will be very helpful,Thanks.  ___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users