Re: OpenSSL 1.0.1 example with SRP
That did the trick! My example code now sets up an SSL client/server connection using SRP. Thanks very much Steve and all others who helped.

Norm

----- Original Message -----
> From: "Dr. Stephen Henson"
> To: openssl-users@openssl.org
> Sent: Thursday, October 27, 2011 7:44:35 AM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>
> On Thu, Oct 27, 2011, Norm Green wrote:
> >
> > > The best I can tell, the snapshot is broken.
> > At this point, I wouldn't be surprised.
> >
> > Update:
> >
> > I made some (major) changes to my example code based on the SRP
> > code in ssltest.c. Mainly, I implemented and used all the SRP
> > callback functions. Previously, I was setting the userId and
> > password parameters explicitly thinking I shouldn't need the
> > callbacks.
> >
> > Now I get past the previous error and move on to this error on the
> > server:
> >
> > SSL_accept failed, error=SSL_ERROR_SSL
> > Details: error:0D06703E:asn1 encoding routines:a2i_ASN1_STRING:asn1
> > length mismatch
> > ssl_asn1.c at 641
> >
>
> That was fixed a few days ago by this:
>
> http://cvs.openssl.org/chngview?cn=21600
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: OpenSSL 1.0.1 example with SRP
On Thu, Oct 27, 2011, Norm Green wrote:
>
> > The best I can tell, the snapshot is broken.
> At this point, I wouldn't be surprised.
>
> Update:
>
> I made some (major) changes to my example code based on the SRP code in
> ssltest.c. Mainly, I implemented and used all the SRP callback functions.
> Previously, I was setting the userId and password parameters explicitly
> thinking I shouldn't need the callbacks.
>
> Now I get past the previous error and move on to this error on the server:
>
> SSL_accept failed, error=SSL_ERROR_SSL
> Details: error:0D06703E:asn1 encoding routines:a2i_ASN1_STRING:asn1 length
> mismatch
> ssl_asn1.c at 641
>

That was fixed a few days ago by this:

http://cvs.openssl.org/chngview?cn=21600

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: OpenSSL 1.0.1 example with SRP
> The best I can tell, the snapshot is broken.

At this point, I wouldn't be surprised.

Update:

I made some (major) changes to my example code based on the SRP code in ssltest.c. Mainly, I implemented and used all the SRP callback functions. Previously, I was setting the userId and password parameters explicitly thinking I shouldn't need the callbacks.

Now I get past the previous error and move on to this error on the server:

SSL_accept failed, error=SSL_ERROR_SSL
Details: error:0D06703E:asn1 encoding routines:a2i_ASN1_STRING:asn1 length mismatch
ssl_asn1.c at 641

On the client all I get is this:

SSL_connect failed, error=SSL_ERROR_SYSCALL
SSL_connect, errno=0, Error 0

This looks like the server is not liking something in a TLS extension used by SRP.

Any clues on how to get past this one?

Norm

----- Original Message -----
> From: "Jeffrey Walton"
> To: openssl-users@openssl.org
> Sent: Wednesday, October 26, 2011 11:46:32 PM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>
> On Wed, Oct 26, 2011 at 10:28 PM, Norm Green wrote:
> > Is there no one that can help me get a simple SRP test case
> > working? Or should I conclude SRP is broken in OpenSSL 1.0.1?
> >
> > From the output below, it appears the client and server support no
> > less than 9 ciphers in common. Why then do I get the "no shared
> > cipher" error?
> >
> > I rebuilt the library with -DCIPHER_DEBUG and now get the following
> > output from the handshake:
> >
> The best I can tell, the snapshot is broken.
>
> Jeff
>
> === System ===
> uname -a
> Linux studio 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:39:17 UTC 2011 x86_64 GNU/Linux
>
> === Server ===
> openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
>
> === Client ===
> openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect studio:57784 -debug
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> *** ***
>
> === GDB ===
> ps -a
> ...
> gdb attach 29478
> GNU gdb (GDB) 7.3.1
> ...
> attach: No such file or directory.
> Attaching to process 29478
> ...
> Loaded symbols for /lib/libc.so.6
> Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib64/ld-linux-x86-64.so.2
> 0x7f3be499a4a0 in read () from /lib/libc.so.6
> (gdb) where
> #0  0x7f3be499a4a0 in read () from /lib/libc.so.6
> #1  0x7f3be4935348 in _IO_file_underflow () from /lib/libc.so.6
> #2  0x7f3be4936eee in _IO_default_uflow () from /lib/libc.so.6
> #3  0x7f3be492b43e in _IO_getline_info () from /lib/libc.so.6
> #4  0x7f3be492a329 in fgets () from /lib/libc.so.6
> #5  0x004d31b5 in file_gets ()
> #6  0x004d09f9 in BIO_gets ()
> #7  0x00438072 in app_get_pass ()
> #8  0x00438325 in app_passwd ()
> #9  0x0042859d in s_client_main ()
> #10 0x00402d50 in do_cmd ()
> #11 0x004036ff in main ()
> (gdb)
Re: OpenSSL 1.0.1 example with SRP
On Wed, Oct 26, 2011 at 10:28 PM, Norm Green wrote:
> Is there no one that can help me get a simple SRP test case working? Or
> should I conclude SRP is broken in OpenSSL 1.0.1?
>
> From the output below, it appears the client and server support no less than
> 9 ciphers in common. Why then do I get the "no shared cipher" error?
>
> I rebuilt the library with -DCIPHER_DEBUG and now get the following output
> from the handshake:
>
The best I can tell, the snapshot is broken.

Jeff

=== System ===
uname -a
Linux studio 2.6.32-34-generic #77-Ubuntu SMP Tue Sep 13 19:39:17 UTC 2011 x86_64 GNU/Linux

=== Server ===
openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

=== Client ===
openssl-1.0.1-stable-SNAP-20111027$ ./apps/openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect studio:57784 -debug
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
*** ***

=== GDB ===
ps -a
...
gdb attach 29478
GNU gdb (GDB) 7.3.1
...
attach: No such file or directory.
Attaching to process 29478
...
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
0x7f3be499a4a0 in read () from /lib/libc.so.6
(gdb) where
#0  0x7f3be499a4a0 in read () from /lib/libc.so.6
#1  0x7f3be4935348 in _IO_file_underflow () from /lib/libc.so.6
#2  0x7f3be4936eee in _IO_default_uflow () from /lib/libc.so.6
#3  0x7f3be492b43e in _IO_getline_info () from /lib/libc.so.6
#4  0x7f3be492a329 in fgets () from /lib/libc.so.6
#5  0x004d31b5 in file_gets ()
#6  0x004d09f9 in BIO_gets ()
#7  0x00438072 in app_get_pass ()
#8  0x00438325 in app_passwd ()
#9  0x0042859d in s_client_main ()
#10 0x00402d50 in do_cmd ()
#11 0x004036ff in main ()
(gdb)
Re: OpenSSL 1.0.1 example with SRP
Is there no one that can help me get a simple SRP test case working? Or should I conclude SRP is broken in OpenSSL 1.0.1?

From the output below, it appears the client and server support no less than 9 ciphers in common. Why then do I get the "no shared cipher" error?

I rebuilt the library with -DCIPHER_DEBUG and now get the following output from the handshake:

--- server:

openssl s_server -cipher SRP -nocert -tls1 -accept 57784 -debug
ACCEPT
read from 0x7e6f30 [0x7ec523] (5 bytes => 5 (0x5))
     - 16 03 01 00 55
read from 0x7e6f30 [0x7ec528] (85 bytes => 85 (0x55))
     - 01 00 00 51 03 01 4e a8-bf bb 5d 89 f9 aa ae 3f
0010 - 5f df fd dd 70 1c 4d c1-91 09 94 84 47 2f 8e a7
0020 - 99 d3 fe 73 6a e1 00 00-14 c0 22 c0 21 c0 20 c0
0030 - 1c c0 1b c0 1a c0 1f c0-1e c0 1d 00 ff 01 00 00
0040 - 14 00 0c 00 0c 0a 53 79-73 74 65 6d 55 73 65 72
0050 - 00 00 23
0055 -
Server has 9 from 7df600:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
Client sent 9 from 7df960:
77e0e8:SRP-DSS-AES-256-CBC-SHA
77e090:SRP-RSA-AES-256-CBC-SHA
77e038:SRP-AES-256-CBC-SHA
77ded8:SRP-DSS-3DES-EDE-CBC-SHA
77de80:SRP-RSA-3DES-EDE-CBC-SHA
77de28:SRP-3DES-EDE-CBC-SHA
77dfe0:SRP-DSS-AES-128-CBC-SHA
77df88:SRP-RSA-AES-128-CBC-SHA
77df30:SRP-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0002:0188:0084]77e0e8:SRP-DSS-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0001:0188:0084]77e090:SRP-RSA-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0004:0188:0084]77e038:SRP-AES-256-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0002:0188:0084]77ded8:SRP-DSS-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0001:0188:0084]77de80:SRP-RSA-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0004:0188:0084]77de28:SRP-3DES-EDE-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0002:0188:0084]77dfe0:SRP-DSS-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0001:0188:0084]77df88:SRP-RSA-AES-128-CBC-SHA
rt=1 rte=1 dht=1 ecdht=1 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[0400:0004:0188:0084]77df30:SRP-AES-128-CBC-SHA
write to 0x7e6f30 [0x7f5fd0] (7 bytes => 7 (0x7))
     - 15 03 01 00 02 02 28
ERROR
18446741324916266428:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1306:
shutting down SSL
CONNECTION CLOSED

--- Client:

openssl s_client -srpuser SystemUser -srppass stdin -tls1 -cipher SRP -connect localhost:57784 -debug
CONNECTED(0003)
write to 0x7d23a0 [0x7f22e3] (90 bytes => 90 (0x5A))
     - 16 03 01 00 55 01 00 00-51 03 01 4e a8 bf bb 5d
0010 - 89 f9 aa ae 3f 5f df fd-dd 70 1c 4d c1 91 09 94
0020 - 84 47 2f 8e a7 99 d3 fe-73 6a e1 00 00 14 c0 22
0030 - c0 21 c0 20 c0 1c c0 1b-c0 1a c0 1f c0 1e c0 1d
0040 - 00 ff 01 00 00 14 00 0c-00 0c 0a 53 79 73 74 65
0050 - 6d 55 73 65 72 00 00 23-
005a -
read from 0x7d23a0 [0x7edd83] (5 bytes => 5 (0x5))
     - 15 03 01 00 02
read from 0x7d23a0 [0x7edd88] (2 bytes => 2 (0x2))
     - 02 28
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1319681979
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

----- Original Message -----
> From: "Norm Green"
> To: openssl-users@openssl.org
> Sent: Tuesday, October 25
Re: OpenSSL 1.0.1 example with SRP
Hi Peter,

Same error on the server:

normg@conifer>./srpserver
Server is starting to listen on port 57784
Server is starting accept on port 57784
Connection accepted
SSL_accept failed, error=SSL_ERROR_SSL
Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c at 1306
/home/normg/gssua/srp
normg@conifer>

Client output:

normg@conifer>$GEMSTONE/bin/openssl s_client -srpuser SystemUser -cipher SRP -connect localhost:57784
CONNECTED(0003)
18446741324916266428:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1227:SSL alert number 40
18446741324916266428:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:592:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    :
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1319550564
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

----- Original Message -----
> From: "Peter Sylvester"
> To: openssl-users@openssl.org
> Sent: Tuesday, October 25, 2011 3:18:39 AM
> Subject: Re: OpenSSL 1.0.1 example with SRP
>
> On 10/25/2011 05:15 AM, Norm Green wrote:
> > Hello Experts,
> >
> > I'm new to OpenSSL so please bear with me.
> >
> > I'm trying to construct a simple example that uses a recent OpenSSL
> > 1.0.1 snapshot to create a secure connection using SRP without using
> > any certificates. I am aware 1.0.1 is not yet released, but I've
> > been told this should be possible.
>
> try this first with s_client and s_server, you need cipher SRP for
> them
>
> what happens when you connect to your server with
>
>    openssl s_client -srpuser -cipher SRP -connect server:port
>
Re: OpenSSL 1.0.1 example with SRP
On 10/25/2011 05:15 AM, Norm Green wrote:
> Hello Experts,
>
> I'm new to OpenSSL so please bear with me.
>
> I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create a secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released, but I've been told this should be possible.

try this first with s_client and s_server, you need cipher SRP for them

what happens when you connect to your server with

   openssl s_client -srpuser -cipher SRP -connect server:port
Re: OpenSSL 1.0.1 example with SRP
Hi Jeff,

> Was OPENSSL_NO_SRP defined when you built?

I'm 99.9% sure it wasn't, otherwise the compiler would have barfed on my call to SSL_CTX_SRP_CTX_init()

> Thomas Wu's patches can be found in RT. The latest appears to be
> http://rt.openssl.org/Ticket/Display.html?id=2523&user=guest&pass=guest.

Thanks. I did see that but was hoping that his code had been merged to 1.0.1 by now since it was posted back in May. I need to look into that code further.

Norm
OpenSSL 1.0.1 example with SRP
Hello Experts,

I'm new to OpenSSL so please bear with me.

I'm trying to construct a simple example that uses a recent OpenSSL 1.0.1 snapshot to create a secure connection using SRP without using any certificates. I am aware 1.0.1 is not yet released, but I've been told this should be possible.

Here's how I'm setting up the client:

srpclient.c:

    SSL_load_error_strings();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
    (void) SSL_library_init();   // always succeeds per man page

    const SSL_METHOD *meth = TLSv1_client_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_SRP_CTX_init(ctx);

    if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
        handleError("SSL_CTX_set_cipher_list failed");
    if (SSL_CTX_set_srp_username(ctx, (char *) USER_NAME) != 1)
        handleError("SSL_CTX_set_srp_username failed");
    if (SSL_CTX_set_srp_password(ctx, (char *) PASSWORD) != 1)
        handleError("SSL_CTX_set_srp_password failed");
    if (SSL_CTX_set_srp_strength(ctx, 1024) != 1)
        handleError("SSL_CTX_set_srp_strength failed");

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL)
        handleError("SSL_new failed");
    if (SSL_set_fd(ssl, sock) != 1)
        handleError("SSL_set_fd failed");

    int rc = SSL_connect(ssl);

==================================================
and here is the server side:
==================================================

srpserver.c:

    SSL_load_error_strings();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();
    (void) SSL_library_init();   // always succeeds per man page

    // const SSL_METHOD *meth = SSLv23_server_method();
    const SSL_METHOD *meth = TLSv1_server_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_SRP_CTX_init(ctx);

    if (SSL_CTX_set_cipher_list(ctx, "aNULL:!eNULL:!LOW:!EXPORT:@STRENGTH") != 1)
        handleError("SSL_CTX_set_cipher_list failed");

    SSL *ssl = SSL_new(ctx);
    if (ssl == NULL) {
        handleError("SSL_new() failed");
    }
    if (SSL_set_fd(ssl, sock) != 1)
        handleError("SSL_set_fd failed");
    if (SSL_set_srp_server_param_pw(ssl, USER_NAME, PASSWORD, "1024") != 1)
        handleError("SSL_set_srp_server_param_pw failed");

    int rc = SSL_accept(ssl);

==================================================

On the server side I get this output:

normg@conifer>./srpserver
Server is starting to listen on port 57784
Server is starting accept on port 57784
TCP/IP Connection accepted
SSL_accept failed, error=SSL_ERROR_SSL
Details: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
s3_srvr.c at 1306

and on the client I get:

normg@conifer>./srpclient
TCP/IP connect succeeded
SSL_connect failed, error=SSL_ERROR_SSL
Details: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
s3_pkt.c at 1227

I've tried using various SSL methods such as SSLv3 and TLS_1_1, but I always get the same error. It looks to me like the client still wants a cert from the server.

Another strange thing is that the following output seems to indicate the SRP ciphers need SSLv3 instead of TLS1.x:

normg@conifer>./openssl ciphers -v 'ALL:eNULL' |grep -i SRP
SRP-DSS-AES-256-CBC-SHA    SSLv3 Kx=SRP  Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA    SSLv3 Kx=SRP  Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA        SSLv3 Kx=SRP  Au=None Enc=AES(256)  Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA   SSLv3 Kx=SRP  Au=DSS  Enc=3DES(168) Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA   SSLv3 Kx=SRP  Au=RSA  Enc=3DES(168) Mac=SHA1
SRP-3DES-EDE-CBC-SHA       SSLv3 Kx=SRP  Au=None Enc=3DES(168) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA    SSLv3 Kx=SRP  Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA    SSLv3 Kx=SRP  Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA        SSLv3 Kx=SRP  Au=None Enc=AES(128)  Mac=SHA1

normg@conifer>./openssl version
OpenSSL 1.0.1-dev xx XXX

Can anyone point me in the right direction so I can get a simple SRP example to work?

Thanks for any help,

Norm Green
VMware, Inc.
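As an added illustration (not code from Norm's post or from OpenSSL), here is the RFC 5054 arithmetic that sits behind the SRP cipher suites listed above: the (salt, verifier) pair that SSL_set_srp_server_param_pw() derives from a username, a password and the "1024" group, and the exchange in which client and server each arrive at the same premaster secret without any certificate, plus the A/B sanity checks both sides must make. The username "SystemUser" is the one used in this thread; the password, salt and ephemeral values are constructed for the example.

```python
import hashlib
import os

# RFC 5054, Appendix A: the 1024-bit group (prime N, generator g = 2), which is
# the group OpenSSL selects for the "1024" strength passed to SSL_set_srp_server_param_pw().
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
        "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
        "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
        "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
        "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8          # 128 bytes; PAD() left-pads to this length

def pad(x):
    return x.to_bytes(NLEN, "big")

def sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def bi(b):                                 # big-endian bytes -> int
    return int.from_bytes(b, "big")

k = bi(sha1(pad(N), pad(g)))               # k = SHA1(N | PAD(g))

def legal(pub):                            # RFC 5054 2.5.4: abort if A or B is 0 mod N
    return pub % N != 0

def private_x(username, password, salt):   # x = SHA1(s | SHA1(I | ":" | P))
    return bi(sha1(salt, sha1(username.encode(), b":", password.encode())))

def make_verifier(username, password, salt=None):
    """Enrolment: the (salt, v) pair the server stores; v = g^x mod N, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, pow(g, private_x(username, password, salt), N)

def client_public(a):                      # A = g^a mod N (sent in ClientKeyExchange)
    return pow(g, a, N)

def server_public(v, b):                   # B = k*v + g^b mod N (sent in ServerKeyExchange)
    return (k * v + pow(g, b, N)) % N

def client_premaster(username, password, salt, a, B):
    if not legal(B):
        raise ValueError("server sent B = 0 mod N")
    u = bi(sha1(pad(client_public(a)), pad(B)))            # u = SHA1(PAD(A) | PAD(B))
    x = private_x(username, password, salt)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (B - k*g^x)^(a + u*x)

def server_premaster(v, b, A):
    if not legal(A):
        raise ValueError("client sent A = 0 mod N")
    u = bi(sha1(pad(A), pad(server_public(v, b))))
    return pow(A * pow(v, u, N), b, N)                      # (A * v^u)^b

def run_handshake(username, client_password, stored_salt, stored_v):
    """Both halves of one SRP exchange: returns (client S, server S), equal only for the right password."""
    a, b = bi(os.urandom(32)), bi(os.urandom(32))          # ephemeral secrets, constructed here
    A, B = client_public(a), server_public(stored_v, b)
    return (client_premaster(username, client_password, stored_salt, a, B),
            server_premaster(stored_v, b, A))
```

The premaster secret is S as an unpadded big-endian byte string; everything after that (master secret, record keys) is the ordinary TLS key schedule, which is why an SRP-* suite needs no server certificate.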