Re: [openssl-users] Lattice Ciphers

2017-12-18 Thread Alan Buxey
Have you submitted a bug report for Apache (not honouring server config
cipher order) if one doesn't exist?

As for being resistant to quantum computers, given the current aim is for systems
that can calculate things that would currently take the age of the universe
to calculate, resistance is futile ;)

alan

On 18 Dec 2017 4:47 pm, "Colony.three via openssl-users" <
openssl-users@openssl.org> wrote:

> - FF claims it does DHE/EDH, but it does not actually, in practice.
>   It does either EC, or RSA.  I've tested it. (v52)  This does not look
>   like an accident.
>
> Have you found a server that does DHE/EDH, and only that, that FF cannot
> connect to?
>
> I've set mine to test this comprehensively. (Apache and NginX)  With
> Apache Firefox -ignores- server-prescribed ciphers and chooses an EC.
> NginX does properly prevail with the algo.  Was this an accident, Apache?
>
> And Firefox simply can not make a connexion when the only choices are the
> DHE/EDH algos -- which they say they can do here.
>
> - "*Prefer conventional discrete-log-based systems over elliptic-curve
>   systems; the latter have constants that the NSA influences when they can.*"
>
> I missed that, thanks.  And for non-NSA curves that aren’t influenced?
>
> As with Schneier, I don't trust any EC.  It's a shame.  I am looking
> forward to independent lattice. (Not that Mozilla will implement it)  For
> now I'm set to DHE/EDH (fruitlessly) and RSA (AES).  RSA is cracked by a
> very few, but this is the decision I've made.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Existing connections on certification expires

2017-08-28 Thread Alan Buxey
hi,


> 2) How can i get the list of ciphers supported by openssl 01.01.0f ?


openssl ciphers -v ???


> This question looks to be very basic but I could not find any concrete
> information regarding the same googling.

Google provides the answers if your question is well formed. Or you
could just read the openssl man pages?

alan


Re: [openssl-users] Is there a "Golden" CA makefile?

2017-04-29 Thread Alan Buxey
https://github.com/google/easypki ,
http://pki.fedoraproject.org/wiki/PKI_Main_Page etc etc - we wrote a
simple similar system when using OpenVPN years ago. It was (IMHO) very
good but the powers that be decided that OpenVPN wasn't the way to go
and so money was spent on an (inflexible and non-modifiable) closed
source proprietary VPN solution instead :/

On 29 April 2017 at 21:01, John Lewis wrote:
> You misunderstand.
>
> I don't want a list of vetted root CAs. I just want a make based wrapper
> over the OpenSSL commands to make it easier to run a CA. There are a few
> of them, but if there was one that is typically recommended instead, I
> would use that one.
>
> On Sat, 2017-04-29 at 12:55 -0700, Kyle Hamilton wrote:
>> The short answer is "no".
>>
>>
>> The long answer is, OpenSSL is not in the business of vetting trust
>> roots.  Its business is ensuring that TLS-secured communications
>> happen correctly when it is used.  If you want an 'endorsed' set of
>> roots, you can find such from other projects (that have no relation to
>> OpenSSL, and for which OpenSSL can take no responsibility).
>>
>>
>> Since I'm not a member of the OpenSSL project, I can tell you that
>> there is a set of root certificates, vetted by Mozilla, available as
>> part of Mozilla's NSS (Network Security Services) project.  OpenSSL
>> cannot take any responsibility for that set of roots or any
>> behavior/misbehavior of any of the CAs represented in that set.  I had
>> also seen a script several years ago to convert Mozilla's format to
>> OpenSSL format, but I have not needed to look into it and have thus
>> lost the URL to that script since then.
>>
>>
>> -Kyle H
>>
>>
>> On Sat, Apr 29, 2017 at 10:24 AM, John Lewis wrote:
>> I am looking for a CA makefile to use with an openvpn tutorial I am
>> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
>> endorsed by the openssl project?
>>


Re: [openssl-users] How many SAN entries...?

2017-04-26 Thread Alan Buxey
confirmed, i've seen dozens on one cert - far more preferable to do
that and have such numbers than a single wildcard cert (which has
issues on all sorts of platforms for various purposes).

alan

On 26 April 2017 at 18:24, Blumenthal, Uri - 0553 - MITLL wrote:
> > It’s been my understanding that a cert can contain as many SAN attributes
> > as needed, but it appears that Apple believes it has to be only one
> > (because certificates with more than one are not processed properly).
>
> Perhaps CAs have rarely issued email certificates with multiple email
> addresses.
>
> :-)
>
> OpenSSL will accept multiple email SANs and with email name checks will
> accept the certificate as valid so long as *one* of the addresses is a match.
>
> Thank you! That’s what I expected and hoped for. Appreciate the help!


Re: The no-stdio and NO_FP_API options

2014-09-03 Thread Alan Buxey
+1 for keeping the features (I use AmiSSL ;) )

alan
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

RE: Heart bleed with 0.9.8 and 1.0.1

2014-04-14 Thread Alan Buxey
hi,

> Will client respond for heart beat request even if server doesn't support
> heart beat?

no. both systems need to have some heartbeat code present.

> Which version of ssl this heart beat is introduced?

same as all the original advisories have said: 1.0.1 - fixed in 1.0.1g, but
patches to previous versions have been released.

ie basics

unpatched 1.0.1 OpenSSL server (pre 1.0.1g) - vulnerable to dodgy client attack

unpatched 1.0.1 OpenSSL client (pre 1.0.1g) - vulnerable to a dodgy server
attacking it


remember... this attack isn't about honouring proper communication. it's about
circumventing usual conversation - so even if the application doesn't use
heartbeat, the APIs it's using for session establishment do - and that's where
the attack vector lives.

alan


Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)

2014-04-11 Thread Alan Buxey
> It seems that there is another difference between the two openssl
> versions than only the heartbleed bugfix.

err, yes. The g release is a new minor release.  I'd ALWAYS advise reading the
changelog before deploying... You'd then have seen the new features (this is
why vendors such as redhat are just back porting the fix rather than pushing
1.0.1g to RH6.5 users for example)

alan

Re: OpenSSL Security Advisory

2014-04-09 Thread Alan Buxey
https://www.openssl.org/news/changelog.html

1.0.1 introduced the heartbeat support.

1.0.0 and earlier are fortunate in that they didn't have it. but then they
didn't have things to stop you from being BEASTed so some you win, some you
lose. ;)

alan

Re: CVE 2014-0160 -- disabling the heartbeat

2014-04-08 Thread Alan Buxey
...or take the upstream fix...apply to your older version and keep the 
heartbeat functionality.  Which is what I believe the very latest redhat/centos 
patches do

Alan
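
The version ranges given in these Heartbleed replies, as an added triage example (not code from the thread or from OpenSSL): it classifies `openssl version` banners and, because vendors backport the fix as the replies note, reports 1.0.1 through 1.0.1f as needing a vendor-changelog check rather than as definitely vulnerable. The host names, banners and status labels are constructed for illustration.

```python
import re

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

FIRST_WITH_HEARTBEAT = (1, 0, 1)   # from the thread: 1.0.1 introduced heartbeat
FIRST_FIXED_LETTER = "g"           # from the thread: fixed in 1.0.1g


def triage(banner):
    """Classify one version banner for CVE-2014-0160 exposure."""
    m = _BANNER.search(banner)
    if not m:
        return "unparsed"
    base = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)
    if base < FIRST_WITH_HEARTBEAT:
        return "no-heartbeat"          # 1.0.0 and earlier never had the code
    if base > FIRST_WITH_HEARTBEAT:
        return "later-branch"          # outside what these messages cover
    if letter >= FIRST_FIXED_LETTER:
        return "fixed-upstream"        # 1.0.1g or a later letter release
    # 1.0.1 through 1.0.1f: vulnerable as released upstream, but
    # distributions backport the fix without changing the letter, so
    # confirm against the vendor package changelog before concluding.
    return "check-vendor-patch"


def triage_inventory(inventory):
    """Map {host: banner} to {status: [hosts]} for follow-up."""
    report = {}
    for host, banner in sorted(inventory.items()):
        report.setdefault(triage(banner), []).append(host)
    return report


# Constructed inventory; host names are hypothetical.
SAMPLE = {
    "web1": "OpenSSL 1.0.1f 6 Jan 2014",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014",
    "rhel6": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
    "mail": "OpenSSL 1.0.0g 18 Jan 2012",
    "odd": "command not found",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(status, hosts)
```
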

Re: CVE 2014-0160 -- disabling the heartbeat

2014-04-08 Thread Alan Buxey
But it's the apps that need these features.  The app should either have the
option to disable features if not needed... or be coded to not accept such
extensions if it doesn't utilise them (which I believe is the correct way)

alan

Re: ssh-add refuses to use the key on my USB thumb drive

2013-12-11 Thread Alan Buxey
Use Google? ;)

mount_msdosfs -u x -m 700 /dev/usbdevice /mnt/

where -u is the uid of your required user. 

alan


Re: How can I enable aes-ni in openssl on Linux

2013-12-06 Thread Alan Buxey
Hi

Likely to be already using it and you can verify this by running some 
benchmarks - this is on a massive host and not virtualised platform? I guess a 
related question is how to ensure that those functions are used by openssl 
whenever possible. ... eg required openssl config in software that uses openssl

alan

Re: I can't believe how much this sucks

2012-11-13 Thread alan buxey
Hi,

> I am not criticising the documentation for openssl, and will not; but I
> would encourage those who are responsible for maintaining and improving
> openssl to not neglect the documentation.  It would be a mistake to leave

it is an Open Source project - thus there is also an onus on the USERS who use
the code to also provide something into the mix - commonly that is for
documentation - as users are often not the ones maintaining or improving the
codebase...but are people USING the API and software (usually for their own
purposes and financial gain) - so ideal for being people to offer something
back in the way of, eg, better documentation.

I'd cite a use example - eg Cisco use OpenSSL for their AnyConnect SSL client -
they are using quite a few of the APIs and functions in their commercial
product(s) - a proper symbiotic relationship would be for their expertise to be
fed back in the way of bug fixes and documentation.

coders are often NOT the best documentation writers ;-)

alan
__
OpenSSL Project             http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager      majord...@openssl.org


Re: I can't believe how much this sucks

2012-11-13 Thread alan buxey
Hi,

> Nonsense.  No-one knows better how the code ought to be working than the
> folk who developed it.  I begin with the assumption that all my coders are

i'd cite the cathedral and the bazaar ...or the 'many eyes make all bugs
shallow' views - if you are given the API and the documents, you use the code
without seeing what it's doing. by looking at each library you can see what it
does and how it does it but most importantly, you can see the
bugs/issues/problems.

with the closed source proprietary software you expect to get 100% perfect docs
because you cannot see the source code - you are told how it works and what to
feed it. that's that.

yes, one can complain until you are blue about documentation - and a few
comments in this thread have certainly alerted me to some of OpenSSL's other
issues - enough perhaps to look at GNUTLS or some alternative... 'ReallyOpenSSL'
anyone? ;-)


alan


Re: Wild card SSL; use on multiple Apache servers

2012-10-24 Thread Alan Buxey
The wildcard is for a particular domain (* is valid for any host within it).
If your other server is in a different domain, then it won't work.

alan
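
A simplified name check covering both the multiple-SAN reply earlier on this page and this wildcard reply, added here as an example (it is not OpenSSL's implementation): any one matching SAN entry is enough, and a `*` covers exactly one label inside its own domain. The certificate contents and function names are constructed for illustration.

```python
# Simplified RFC 6125-style name checks; NOT OpenSSL's own code.

def _dns_match(pattern, host):
    """Match one dNSName SAN against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False              # "*" never spans more than one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False          # refuse patterns as broad as "*.org"
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _email_match(san, addr):
    """rfc822Name: exact local part, case-insensitive domain."""
    s_local, _, s_dom = san.rpartition("@")
    a_local, _, a_dom = addr.rpartition("@")
    return bool(s_local) and s_local == a_local and s_dom.lower() == a_dom.lower()


def san_matches(san_entries, kind, name):
    """Return the first SAN entry of `kind` that matches `name`, else None.

    san_entries is a list of (kind, value) tuples; kind is "DNS" or "email".
    """
    matcher = _dns_match if kind == "DNS" else _email_match
    for entry_kind, value in san_entries:
        if entry_kind == kind and matcher(value, name):
            return value
    return None


# Constructed sample certificates (names are made up for illustration).
MULTI_SAN = [("DNS", "www.example.org"), ("DNS", "mail.example.org"),
             ("email", "alice@example.org"), ("email", "Alice.Work@Example.ORG")]
WILDCARD = [("DNS", "*.example.org")]

if __name__ == "__main__":
    for host in ("mail.example.org", "a.b.example.org", "www.example.net"):
        print(host,
              "multi:", san_matches(MULTI_SAN, "DNS", host),
              "wildcard:", san_matches(WILDCARD, "DNS", host))
```
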




Re: OpenSSL -- Squid !

2012-02-20 Thread Alan Buxey
hi,

this isn't OpenSSL or its config - this is an application question. you need
to check your squid.conf configuration file - if you were already doing
CA verification with old cert, the old config will be there - otherwise
you will need to check with the squid documentation on how to do it.

alan


Re: virus or hoax in test/asn1test.exe ?

2012-02-14 Thread Alan Buxey
Hi,

> I just compiled openssl-1.0.0g on a Win7 box using MingW. All went well,
> except I got a virus alert from Avira for 'TR/Graftor.10418.101' found
> in the file .../openssl-1.0.0g/test/asn1test.exe. That virus was added
> to the Avira VDF file on 2012-01-18.
> Avira denies access to it, so that file is unusable, and I quarantined
> it (to get rid of the alerts). Is this a real threat? Has anyone else
> experienced it? Or is it a hoax (cause to me it seems a bit weird to
> have a virus after just compiling a package like openssl)?

pattern/heuristical match issue? try uploading it to one of the
multi-vendor test suite systems and see what pops out?

eg

http://www.threatexpert.com/

https://www.virustotal.com/

upload it to Avira with 'false positive' marking
http://analysis.avira.com/samples/
alan


Re: Removing a cipher

2012-01-13 Thread Alan Buxey
Hi,

In an application that you use or one that you've written? Ie where is this low 
cipher being seen?

alan



Re: TLS Overhead

2011-11-14 Thread Alan Buxey
hi,

you are using cryptodev with that Atom rather than just using software-only 
OpenSSL?

alan



Re: Tracking amount of Time spent on a computation

2011-08-25 Thread Alan Buxey
Hi,
 
> Hey List,
>
> I am using Openssl for experimenting with the cryptographic accelerator
> on Sun machine. I am using this command
>
> openssl speed -engine pkcs11 -evp aes-128-cbc
>
> to have the results and this gives me number of bytes that are
> communicated between the processor and accelerator in 3 sec (or any
> certain time).
>
> My question is, is it possible to do it the other way around, I will
> send a fixed number of bytes, say 8K data, and when this job gets done
> ..see what is the time spent on that particular computation, i.e.
> instead of constant time and variable data have a constant data and see
> its effect on time.

time openssl speed -engine pkcs11 -evp aes-128-cbc 

?

alan


Re: howto be my own CA for my new certificates

2011-08-04 Thread Alan Buxey
Hi,
> Thank you! But now I'm spending my time with another issue with this: I
> cannot create certificate longer than 1 month:
>
> This is my CA certificate validity:
>   ...
>  Not Before: Aug  3 10:07:14 2011 GMT
>  Not After : Aug  2 10:07:14 2012 GMT
>   ...
>
> This is my server's certificate validity (created today):
>   ...
>  Not Before: Aug  4 07:27:29 2011 GMT
>  Not After : Sep  3 07:27:29 2011 GMT
>   ...
>
> The server certificate was created by command:
>   openssl req -new -key server.key -out server.csr -days 365
>
> As you can see, the -days X did not help...

check your openssl conf file  - eg /etc/pki/tls/openssl.cnf on redhat/centos

this is a place where you can specify default values for duration, using SHA1
rather than MD5, default certificate size etc etc


alan
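
An added example (not from the thread or the OpenSSL project) that reads the defaults this reply mentions from text in openssl.cnf syntax and flags weak ones. The sample file, the 2048-bit floor and the choice to flag both md5 and sha1 are assumptions of this example.

```python
import re

# Constructed sample in openssl.cnf syntax (values chosen for illustration).
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
default_days = 30        # validity applied when signing with `openssl ca`
default_md   = md5

[ req ]
default_bits = 1024
default_md   = sha256
"""

WEAK_DIGESTS = {"md5", "sha1"}   # assumption: treated as weak for new certs
MIN_KEY_BITS = 2048              # assumption: minimum acceptable RSA size


def parse_cnf(text):
    """Parse '[ section ]' headers and 'key = value' lines; '#' starts a comment.

    Simplified: variable expansion and .include directives are not handled.
    """
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def audit_defaults(text):
    """Return (findings, default_days) for the CA_default and req sections."""
    cnf = parse_cnf(text)
    findings = []
    for section in ("CA_default", "req"):
        opts = cnf.get(section, {})
        digest = opts.get("default_md")
        if digest and digest.lower() in WEAK_DIGESTS:
            findings.append((section, "default_md", digest))
        bits = opts.get("default_bits")
        if bits and int(bits) < MIN_KEY_BITS:
            findings.append((section, "default_bits", bits))
    days = cnf.get("CA_default", {}).get("default_days")
    return findings, (int(days) if days else None)


if __name__ == "__main__":
    print(audit_defaults(SAMPLE_CNF))
```
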


Re: slow https conenctions

2011-04-27 Thread Alan Buxey
Hi,

> Thanks for the input guys, however the 15 second pause exists even if I
> explicitly disable reverse lookups in apache 'Hostnamelookups Off' in
> httpd.conf and my server is operating on an internal network in a company so
> although I can't say for sure I doubt there is much IPv6 stuff around.

the debug will probably show you this - but I don't think it's a server
issue per se - it's an issue at the client end.  check the behaviour
and environment of the end client

alan


Re: slow https conenctions

2011-04-26 Thread Alan Buxey
Hi,
> On 04/26/11 3:06 AM, Matthew Fletcher wrote:
> > I've come to this list in search of help with slow https connections (via
> > the subversion, apache and finally mod_ssl lists).
> >
> > There is a 15 second ish delay whenever a client connects using https,
>
> 15 seconds sounds to *me* like a DNS related timeout.  perhaps the
> server is doing a reverse lookup on the client?

...or is getting a  record, trying to connect to that IPv6 address and
failing, then falling back to IPv4

alan


Re: First time attempting PostgreSQL SSL

2011-01-29 Thread Alan Buxey
Hi,
> I’m new as can be with creating SSL certificates on my own.  I downloaded
> the openssl binary and installed it.  The instructions and tutorials on
> the website don’t help me much in terms of steps A,B,C; this could also be
> due to a lack of familiarity with technical terms used for each part of
> this.  The only thing I did accomplish is the following
>
> openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
>
> I now have a privateKey and CSR file in the openssl/bin folder.  Beyond
> this I do not know what goes where.  I’m on Windows 2003 (server) and
> Windows XP (client).  I know what to change in the PostgreSQL config but
> do not know if PostgreSQL implicitly knows that a certificate exists, and
> what the client box should have.

you probably want to check the PostgreSQL documentation for where and how to
use the certs - as this is not specific to OpenSSL.


anyway, in general terms...you now have a private key - good, the PSQL server
would have that. you need to get your CSR signed by a CA that the client
knows. you then would configure PSQL to use the public version of the
signed CSR - usually a DER or PEM file by that point.   at this point,
it's just like a client talking to an SSL'd web server (or any other service).
client connects, gets given the cert...which it trusts (because of CA) and
then SSL tunnel gets made. data is transferred over that tunnel.

alan


Re: Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

2009-09-29 Thread Alan Buxey
Hi,
> Hi,
>
> Since we are on the subject of hardware enhanced cryptography, do the
> HiFn chips used in the Soekris devices have support in openssl?

yes - for some time now. i happen to have a vpn1401 next to me which I used in
a FreeBSD box

alan


Re: Geode on-chip AES 128-bit crypto accelerations but OpenSSL doesn't use it

2009-09-27 Thread Alan Buxey
Hi,
> Hello everybody,
>
> The AMD Geode LX800 CPU has an on-chip AES 128-bit crypto accelerations
> block and a true random number generator, but OpenSSL is not using it.
>
> Please see the below link for test reports and openssl outputs
> http://debian.pastebin.com/faeff2a3
>
> Is there anybody that knows what is going on here?

use 'padlock' engine or 'cryptodev' engine?

alan


Re: UltraSPARC T2 - OpenSSL - PKCS11 ???

2009-08-13 Thread Alan Buxey
hi,

your pkcs11 on the Sparc system is fast(!) its just the verification
that seems a little b0rked/slow :-|

alan