[openssl-users] OPENSSL provided by Cavium
Hi, Cavium provides a configured OPENSSL for better performance on their hardware. It usage must lowers the CPU utilization by crypto operations offloading. I wanted to ask whether we can install Cavium OPENSSL Toolkit on Linux OS (on Cavium hardware), just as we install a standard OPENSSL? OR the only way to use this Cavium OPENSSL is by making simple executive application/user space and use the provided OPENSSL as an API. Please guide and share any details (readme, tutorial, link etc) regarding Cavium OPENSSL. Regards -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Unexpected SSL23_GET_SERVER_HELLO unsupported protocol Error
Never mind ... I was sailing by the Bellman's map. The IIS servers cited were not configured correctly or as indicated. No problems, of course, with openssl From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Welling, Conrad Gerhart Sent: Friday, August 05, 2016 5:47 PM To: openssl-users@openssl.org Subject: [openssl-users] Unexpected SSL23_GET_SERVER_HELLO unsupported protocol Error --- Reformatted and resent --- I am encountering curl-7.44.0+openssl-1.0.2d (FIPS-capable) TLS session-initialization failures like ... * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol on only ONE (HOSTX) of two 2008 R2 IIS 7.5 HTTPS servers (HOSTX, ROOM40) which are supposed to be configured the same. I am using OpenSSL 1.0.2d-fips 9 Jul 2015 curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS Largefile NTLM SSL ROOM40 and HOSTX servers run IIS 7.5 or IIS 8.0, and, the values of the keys (SSL 2.0 - TLS 1.2, Client and Server) in the registry branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols are the same (see following). All the OTHER ..\Protocols keys - Ciphers, CipherSuites, Hashes, and KeyExchangeAlgorithms - are the same (all blank). SSL 2.0 Client "DisabledByDefault"=dword:0001 "Enabled"=dword: Server SSL 3.0 Client "Enabled"=dword: Server "Enabled"=dword: TLS 1.0 (Does not exist on HOSTX) Client Server TLS 1.1 Client "DisabledByDefault"=dword: "Enabled"=dword:0001 Server "DisabledByDefault"=dword: "Enabled"=dword:0001 TLS 1.2 Client "Enabled"=dword:0001 Server "Enabled"=dword:0001 I've researched "TLS version intolerance", SNI, ALPN and more, but, haven't figured this out yet. Following are four curl-7.44.0+openssl-1.0.2d (FIPS- capable) attempts to "upload" a file. The 1st attempt to server ROOM40 succeeds, but the subsequent three attempts to server HOSTX all fail. Any hints or insights are very much appreciated ... Note: The following output has been been edited to enhance readability and disguise client and servers. === ==> openssl version OpenSSL 1.0.2d-fips 9 Jul 2015 ==> curl --version curl 7.44.0 (i386-pc-win32) libcurl/7.44.0 OpenSSL/1.0.2d Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp smb smbs smtp smtps telnet tftp Features: AsynchDNS Largefile NTLM SSL ==> REM --- ==> REM ATTEMPT TO UPLOAD TO ROOM40 (Successful) ==> REM --- ==> %CD%\curl.exe --verbose -T "stuff.dat" --tlsv1.2 --ciphers AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA --capath ..\certs --user matahari:18761917 https://ROOM40/datasink/ * Trying 10.11.51.37... * Connected to ROOM40 (10.11. 51.37) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA * successfully set certificate verify locations: * CAfile: none CApath: ..\certs * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256 * ALPN, server did not agree to a protocol * Server certificate: * subject: C=US; ST=CA; L=Los Angeles; O=CID; OU=LA DEV; CN=ROOM40 * start date: 2014-05-01 15:44:59 GMT * expire date: 2018-02-05 22:10:46 GMT * common name: ROOM40 (matched) * issuer: CN=DISRAELI * SSL certificate verify ok. * Server auth using Basic with user 'matahari' > PUT /datasink/stuff.dat HTTP/1.1 > Host: ROOM40 > Authorization: Basic
Re: [openssl-users] Migration from AES_ctr128_encrypt to EVP
> Could you please point me on some useful documentation, piece of code or any > other source of information which would provide the guidelines for > accomplishing my task? Or maybe somebody of you already have the experience > in such migration which could be shared. https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption and https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption. If you detail a specific problem, then better advice can probably be provided. Jeff -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] issue while compiling openssl1.02h
You'll probably need to provide more information; what is the compiler command line and full output for this failing file; is openssl installed once or in multiple places on the machine; etc. -Ben On 08/08/2016 04:32 AM, Test ssl wrote: > Hi , > > > I am trying to compile openssl 1.0.2h for my project. > > i am facing compilation error related to "ASN1_OBJECT". Error is as > given below :- > > asn1.h:530: error: expected specifier-qualifier-list before 'ASN1_OBJECT' > asn1.h:783: error: expected '=', ',', ';', 'asm' or '__attribute__' > before '*' token > asn1.h:784: error: expected ')' before '*' token > asn1.h:785: error: expected ')' before '*' token > asn1.h:786: error: expected '=', ',', ';', 'asm' or '__attribute__' > before '*' token > asn1.h:788: error: expected '=', ',', ';', 'asm' or '__attribute__' > before '*' token > asn1.h:917: error: expected declaration specifiers or '...' before > 'ASN1_OBJECT' > asn1.h:921: error: expected declaration specifiers or '...' before > 'ASN1_OBJECT' > asn1.h:924: error: expected '=', ',', ';', 'asm' or '__attribute__' > before '*' token > > > this above error is coming while compiling for "libcurl" - curl-7.46.0. > > Is there any dependency of curl version for openssl 1.0.2h? > > > Regrads, > > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Migration from AES_ctr128_encrypt to EVP
On Mon, Aug 08, 2016, Vladimir A. Petrov wrote: > Hello, > > I need to migrate some code from the old style software implemented > AES_ctr128_encrypt to the EVP interface. I spent pretty much time reading > OpenSSL manual pages and Wiki as well as googling. Unfortunately, I still > can't get an idea how to migrate from these AES_* functions to the API > provided by EVP. The closest info that I found is the proposal made by Dr > Stephen N. Henson ( > https://mta.openssl.org/pipermail/openssl-users/2015-March/000776.html) to > switch to EVP_aes_128_ctr, but there is no such 'ctr' mode in EVP for AES. > > I'm not sure what you mean by "but there is no such 'ctr' mode in EVP for AES": can you clarify? Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] output from: dh, dhparam, pkeyparam
What Rich said, and also note that it's perfectly valid usage of the PEM routines to read one type from a BIO and then go on to read another (potentially different) type from the same BIO, as would happen if they were in the same file concatenated after each other. So, attempting to peek and see if there was other stuff after the read PEM object would be a strange special case. -Ben -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Loading engines recursively and crypto engine lock
Hi, TL;DR; Is it allowed to initialise engines recursively, ie. call `engine2->init` from `engine1->init`? -- I have a solution in a consumer product based on OpenSSL 1.0.2 series that uses two engines: one (engine1) for selecting client certificate chain (TLS client auth) and another one (engine2) for RPC operations on associated private keys stored in H/W. This works only if supplied (installed) locks are recursive as for each engine initialisation `CRYPTO_LOCK_ENGINE` is taken. >From what I see, OpenSSL 1.1.x onward, provides locking internally and it's non-recursive. Also `lock_dbg_cb()` implementation in OpenSSL before 1.1.x suggests locks are not expected to be recursive. Here's some more context of my use case. OpenSSL loads `engine1` for me automatically (` OPENSSL_SSL_CLIENT_ENGINE_AUTO` variable) which is convenient as I don't have control over application's `main()` function. In my case it's proprietary code but equally it could be Python script (I do not fancy patching Python interpreter to get to its `main()` function and load/initialise engines explicitly). So my _only_ entry point is `engine1->init`. In that entry point I initialise engine2 which is a fairly slow operation (need to load certs from permanent storage) so definitely want to do this only once. Oh, and the app is heavily multi-threaded so I'm glad OpenSSL carefully takes crypto engine lock where needed. But because engines are initialised recursively, the locking implementation I supply uses recursive mutex which works very well and makes perfect sense to me in this case (I know that the same thread calls locked functions recursively for a reason). This works only before 1.1.x. Alternatively I could lazy-initialise engine2 in certificate callback function but any initialisation failure here would be less meaningful and it would require another lock to protect engine2 handle. In `engine1->init` I know a lock is already held so I thought it's safer to do more initialisation here. Besides `engine2->init` is not called directly but through a layer of application logic so conceptually these two engines are orthogonal and know nothing about each other. I guess initialising engines recursively does not work in OpenSSL 1.1.x (it'd be a dead-lock) and I need to seek for a different place to initialise engine2, for example in certificate cb? This would mean I "leak" some knowledge of engine2 existence into engine1, have guarantee that crypto engine lock is not held in certificate callabck function and need another lock to protect access to engine2 handle. Please let me know what your views are and if the above makes sense. Thanks, Kris -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] issue while compiling openssl1.02h
Hi , I am trying to compile openssl 1.0.2h for my project. i am facing compilation error related to "ASN1_OBJECT". Error is as given below :- asn1.h:530: error: expected specifier-qualifier-list before 'ASN1_OBJECT' asn1.h:783: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token asn1.h:784: error: expected ')' before '*' token asn1.h:785: error: expected ')' before '*' token asn1.h:786: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token asn1.h:788: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token asn1.h:917: error: expected declaration specifiers or '...' before 'ASN1_OBJECT' asn1.h:921: error: expected declaration specifiers or '...' before 'ASN1_OBJECT' asn1.h:924: error: expected '=', ',', ';', 'asm' or '__attribute__' before '*' token this above error is coming while compiling for "libcurl" - curl-7.46.0. Is there any dependency of curl version for openssl 1.0.2h? Regrads, -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users