Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Apr 12, 2014, at 5:40 PM, Michael Tuexen wrote:

>> "Introduced with intent" vs. "known to the NSA" -- two different things, right?
>
> My statement was referring to the "Introduced with intent".

Understood. I'm personally quite sure it *wasn't* introduced with intent, which is why I thought it was important to note the distinction.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: the nature of the heartbeat issue (was Re: OpenSSL Security Advisory)
On Apr 12, 2014, at 3:08 PM, Michael Tuexen wrote:

> I have read the rumor. It is wrong.

"Introduced with intent" vs. "known to the NSA" -- two different things, right?

I don't have any direct knowledge of what goes on in the NSA, but if they don't have a whole cubicle farm full of people looking for vulnerabilities, I'd be surprised. OpenSSL would be an obvious high-value target for scrutiny just because of its ubiquity.
Re: socket functions on fds
On Thu, 5 Jan 2012 13:45:33 + (GMT) Nathan Smyth wrote:

> Can you use the standard socket functions (i.e. poll/select) on a fd for a ssl connection?
>
> I know you need to use the ssl_read/writes and other functions etc to actually 'do stuff', but do the std socket state checking functions work on a socket that has SSL initiated?

Funny you should mention. I just completed a little demo project that does exactly that. The short answer is 'yes'. You have to set your sockets to be nonblocking and *also* set your SSL connection objects nonblocking. Read or write the SSL objects until you get a 'waiting read' or 'waiting write' status, then add the associated socket to the appropriate fd_set and call select(). When you wake up, repeat the process.

Let me know offlist if you'd like to see some sample code. It's kinda rough and ready but it works.

--
Michael J. Smith m...@smithbowen.net
Any proposition that seems self-evident is almost certainly false.
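The loop described in the answer above, written out as an added example; this is not the poster's demo project and not OpenSSL's own code. It uses Python's ssl module (OpenSSL underneath) so that the WANT_READ / WANT_WRITE signalling is visible as SSLWantReadError / SSLWantWriteError: every SSL_read, SSL_write and handshake call goes through one driver that, on a "want" status, select()s on the underlying socket in the direction OpenSSL asked for and then retries the same operation. Assumptions: the `openssl` command-line tool is on PATH (it is used only to mint a throwaway self-signed certificate for localhost, and `run_demo()` returns None if it is absent), and a loopback TCP port is free. The function names `drive`, `echo_server` and `run_demo` are the example's own.

```python
"""Non-blocking TLS over select(): added example, not from the thread."""
import os
import select
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(tmpdir):
    """Mint a throwaway self-signed cert/key with the openssl CLI (assumed on
    PATH).  Returns (cert_path, key_path), or None if the CLI is missing."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(tmpdir, "cert.pem")
    key = os.path.join(tmpdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost"],
        check=True, capture_output=True)
    return cert, key


def drive(tls_sock, op, timeout=5.0):
    """Run one SSL operation (handshake, recv, send) on a NON-BLOCKING SSL
    socket until it completes.  This is the pattern from the answer: you
    select() on the *socket*, and the SSL object only tells you which
    direction to wait on.  Note that a read may ask you to wait for write
    (and vice versa), e.g. during the handshake, so always honour the
    direction OpenSSL reports, then retry the very same operation."""
    while True:
        try:
            return op()
        except ssl.SSLWantReadError:
            readable, _, _ = select.select([tls_sock], [], [], timeout)
            if not readable:
                raise TimeoutError("peer silent while SSL wanted read") from None
        except ssl.SSLWantWriteError:
            _, writable, _ = select.select([], [tls_sock], [], timeout)
            if not writable:
                raise TimeoutError("peer stalled while SSL wanted write") from None


def echo_server(listener, cert, key, outcome):
    """Accept one TLS client and echo one message back, all non-blocking.
    Any failure is appended to `outcome` so the caller can re-raise it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    try:
        conn, _ = listener.accept()
        tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
        tls.setblocking(False)                      # socket AND SSL object non-blocking
        drive(tls, tls.do_handshake)
        data = drive(tls, lambda: tls.recv(4096))
        drive(tls, lambda: tls.send(data))
        outcome.append(data)
        tls.close()
    except Exception as exc:
        outcome.append(exc)
    finally:
        listener.close()


def run_demo(message=b"hello over TLS, driven by select()"):
    """Start a loopback echo server, talk to it with a non-blocking TLS client,
    and return the echoed bytes (None when the openssl CLI is unavailable)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        pair = make_self_signed(tmpdir)
        if pair is None:
            return None
        cert, key = pair
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))              # any free loopback port
        listener.listen(1)
        port = listener.getsockname()[1]
        outcome = []
        server = threading.Thread(target=echo_server,
                                  args=(listener, cert, key, outcome), daemon=True)
        server.start()

        ctx = ssl.create_default_context(cafile=cert)  # trust only our own cert
        raw = socket.create_connection(("127.0.0.1", port))
        tls = ctx.wrap_socket(raw, server_hostname="localhost",
                              do_handshake_on_connect=False)
        tls.setblocking(False)
        drive(tls, tls.do_handshake)                 # handshake via select()
        drive(tls, lambda: tls.send(message))        # SSL_write via select()
        reply = drive(tls, lambda: tls.recv(4096))   # SSL_read via select()
        tls.close()
        server.join()
        if outcome and isinstance(outcome[0], Exception):
            raise outcome[0]
        return reply


if __name__ == "__main__":
    print(run_demo())
```

The one subtlety worth keeping in mind when you move this into a real event loop: after select() wakes you, retry the operation that raised, not whatever you feel like doing next. OpenSSL may have consumed bytes into its own buffer (see `SSLSocket.pending()` / SSL_pending) or may need to write during a logical read, so a naive "readable means call recv once" loop will stall.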
Re: openssl 0.9.7 and above break apache with firefox on solaris
Hi Kyle,

I rebuilt with zlib 1.2.3, as I was previously using 1.1.3 - but no change. I also tried compiling openssl with -no-zlib. I also tried

    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

and

    SSLCipherSuite SSLv3:-LOW:-EXPORT:RC4+RSA

with no success. Can you make other suggestions as to things I might try?

Thank you
Michael

On 2/8/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

> Dr. Henson: May I direct your attention to the thread entitled "RE: [openssl.org#1204]: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling" on the openssl-dev list? It appears to be because of a zlib size calculation change. However, the specifics are slightly different between that case and this one.
>
> -Kyle H
>
> On 2/8/06, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
>
>> On Wed, Feb 08, 2006, Michael Smith wrote:
>>
>>> A follow-up to my own post from last week. I've done some more digging - hopefully this is enough for someone to offer some suggestions.
>>>
>>> I have been trying different versions of openssl with apache on solaris and sun cc. With versions >= 0.9.7 (see below exact list of releases tested) I get the following error when trying to connect with Firefox with SSL3:
>>>
>>> [Wed Feb 8 14:08:07 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client 192.168.0.4) (OpenSSL library error follows)
>>> [Wed Feb 8 14:08:07 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
>>>
>>> And the browser displays a popup saying "incorrect Message Authentication Code"
>>>
>>> Note that there are no problems whatsoever with IE, and that I can also get things to work fine if I set firefox or the web server not to use SSL3.
>>>
>>> The exact versions of openssl that I have tested are:
>>>
>>> * openssl-0.9.6b: works fine
>>> * openssl-0.9.6m: works fine
>>> * openssl-0.9.7a: fails
>>> * openssl-0.9.7e: fails
>>> * openssl-0.9.7i: fails
>>> * openssl-0.9.8: fails
>>> * openssl-0.9.8-stable-SNAP-20060131: fails
>>>
>>> Any ideas would be gratefully received. Of course, using old versions of openssl causes other problems ...
>>
>> Firstly, don't use apache for your tests; instead use the OpenSSL s_server utility. If you include the -www option it will display a status page in a web browser if it works OK.
>>
>> You can also check various options out such as -bugs and -no_tls1 to see if that helps.
>>
>> If you created the certificates yourself check that the certificate chain you are using doesn't include duplicate serial numbers. This won't happen if you use the CA.pl command (be careful with 0.9.8 because it has a bug: use a recent snapshot instead). However there are numerous "cookbooks" out there of varying quality which use all manner of weird commands and can produce non-compliant certificates.
>>
>> It might be an idea to start with a fresh firefox certificate database when doing the tests. If you create a new profile you'll start with the default one.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Funding needed! Details on homepage.
>> Homepage: http://www.drh-consultancy.demon.co.uk
Re: openssl 0.9.7 and above break apache with firefox on solaris
Thanks,

I did a build with openssl-0.9.8-stable-SNAP-20060209 and the no-zlib option. I still find the same problem. I'll investigate some of the other suggestions now.

Michael

On 2/8/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

> Dr. Henson: May I direct your attention to the thread entitled "RE: [openssl.org#1204]: bad record mac because of wrong SSL_OP_TLS_BLOCK_PADDING_BUG handling" on the openssl-dev list? It appears to be because of a zlib size calculation change. However, the specifics are slightly different between that case and this one.
>
> -Kyle H
Re: openssl 0.9.7 and above break apache with firefox on solaris
Thanks Kyle,

Sorry if I'm being daft here - I have tried to read some of the docs and done a google search - but how do I turn off backward-compatibility?

Michael

On 2/8/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

> This sounds suspiciously like a bug due to turning on compatibility with broken SSL implementations that was found and quashed about a week ago. If you turn off backward-compatibility (including MSIE broken SSL implementation), does the problem persist?
>
> -Kyle H
openssl 0.9.7 and above break apache with firefox on solaris
Hi there,

A follow-up to my own post from last week. I've done some more digging - hopefully this is enough for someone to offer some suggestions.

I have been trying different versions of openssl with apache on solaris and sun cc. With versions >= 0.9.7 (see below exact list of releases tested) I get the following error when trying to connect with Firefox with SSL3:

[Wed Feb 8 14:08:07 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client 192.168.0.4) (OpenSSL library error follows)
[Wed Feb 8 14:08:07 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

And the browser displays a popup saying "incorrect Message Authentication Code"

Note that there are no problems whatsoever with IE, and that I can also get things to work fine if I set firefox or the web server not to use SSL3.

The exact versions of openssl that I have tested are:

* openssl-0.9.6b: works fine
* openssl-0.9.6m: works fine
* openssl-0.9.7a: fails
* openssl-0.9.7e: fails
* openssl-0.9.7i: fails
* openssl-0.9.8: fails
* openssl-0.9.8-stable-SNAP-20060131: fails

Any ideas would be gratefully received. Of course, using old versions of openssl causes other problems ...

Thank you
Michael
Re: Errors with firefox
Thanks for the response.

Yes I'd rather use SSLv3 if I can get it to work! How do I try with SSLv23? It doesn't seem to be an option in mod_ssl.

Michael

On 2/7/06, Samy Thiyagarajan <[EMAIL PROTECTED]> wrote:

> hi Michael,
>
> SSLv2 is obsolete and vulnerable to several attacks. It is always better not to use v2. Did you try with SSLv23?
>
> Samy
Re: Errors with firefox
OK I have been able to 'fix' this by adding the following directive:

    SSLProtocol SSLv2

Does this suggest a buggy SSL v3 implementation in openssl on my platform? Odd that nobody else is experiencing it.

Michael
Errors with firefox
Hello there

I've previously sent this to the mod_ssl list with no success. Sorry if you've seen it before:

I have apache compiled on solaris with sun cc with mod_ssl-2.8.25-1.3.34 and openssl-0.9.8a (I've also tried 0.9.7i and the nightly build). When accessing the site using Internet Explorer I have no problems. With Firefox the browser reports an 'incorrect Message Authentication Code' and the server logs report:

[Mon Jan 23 13:13:54 2006] [error] mod_ssl: SSL handshake failed (server xxx:443, client xxx) (OpenSSL library error follows)
[Mon Jan 23 13:13:54 2006] [error] OpenSSL: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac

I do have previous builds that 'work' ... but have been unable to determine precisely what change initiated this problem. It might be the release of openssl, it might also be the Sun compiler, which was now from studio 11 and was previously from an earlier version which I don't have access to any more.

Any suggestions much appreciated

Thanks
Michael Smith