Re: [openssl-dev] Suspicious crash in 1.0.2

2015-03-02 Thread Matt Caswell


On 02/03/15 01:54, Erik Forsberg wrote:
 This patch fixes the issue.
 I had a similar fix, but yours is more complete.
 Thanks.
 
 Another thought. As I looked at this multiblock code I realize it
 will have some impact on memory usage. Thinking it might be good
 to have an option to disable the function at runtime so one can choose
 between memory savings and performance. Particularly in the main
 branch where these OPENSSL_NO_XXX compile time options are going away?

You can already use OPENSSL_SMALL_FOOTPRINT for this purpose.

Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] openssl x509 -text incorrectly displays non-latin (non-ansi) symbols (missed '-utf8 option?)

2015-03-02 Thread Erwann Abalea

Hello,

Probably an openssl-users question.

Use openssl x509 -text -in localhost-server.crt -nameopt oneline,utf8,-esc_msb

Your terminal must be able to display UTF8 sequences.

I sometimes add the show_type nameopt option, to check things.

--
Erwann ABALEA

On 02/03/2015 06:58, Ikonta wrote:

AFAIR in 2004 openssl switched to UTF8 as the default bitmask in certificates.
But ANSI extensions' UTF8 support is still incomplete:

$ openssl x509 -text -in localhost-server.crt
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 1 (0x1)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=RU, ST=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, L=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, O=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, OU=Apache, CN=\xD1\x82\xD0\xB5\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD1\x8B\xD0\xB9 \xD0\xA6\xD0\x90/emailAddress=root@localhost
 Validity
 Not Before: Feb  6 08:28:23 2015 GMT
 Not After : Sep 15 08:28:23 2020 GMT
 Subject: C=RU, ST=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, O=\xD0\xA2\xD0\xB5\xD1\x81\xD1\x82, OU=Apache web server, CN=localhost/emailAddress=apache@localhost
…
(not attaching an example certificate file because the mailing list seems to reject such
letters)
displays utf8 symbol codes instead of the expected human-readable letters (in this
case — cyrillic), shown after importing this certificate into the browser's profile.

Probably adding -utf8 option for x509 command should fix this particular issue.

P.S. I use =dev-libs/openssl-1.0.1k amd64 build on Gentoo GNU/Linux.


[openssl-dev] [openssl.org #3708] segfault while generating a certificate signing request based on a malformed certificate

2015-03-02 Thread Stephen Henson via RT
Fixed now, thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Alex Sklyar via RT
Hello guys. There is an issue with openssl pod installing with the cocoapods tool.
The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.

Downloading dependencies

- Installing OpenSSL (1.0.200)
  Http download
   $ /usr/bin/curl -f -L -o
   /Users/Quizer/Development/iOS/testOpenSsl/Pods/OpenSSL/file.tgz
   https://www.openssl.org/source/openssl-1.0.2.tar.gz; --create-dirs
 % Total% Received % Xferd  Average Speed   TimeTime Time  
Current
Dload  Upload   Total   SpentLeft  Speed
  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
0curl: (22) The requested URL returned error: 404 Not Found

[!] Error installing OpenSSL
[!] /usr/bin/curl -f -L -o 
/Users/Quizer/Development/iOS/testOpenSsl/Pods/OpenSSL/file.tgz 
https://www.openssl.org/source/openssl-1.0.2.tar.gz; --create-dirs

  % Total% Received % Xferd  Average Speed   TimeTime Time  Current

 Dload  Upload   Total   SpentLeft  Speed

  0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
0curl: (22) The requested URL returned error: 404 Not Found


Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Erwann Abalea

It seems all the tarballs have disappeared.

--
Erwann ABALEA

On 02/03/2015 18:06, Alex Sklyar via RT wrote:

Hello guys. There is an issue with openssl pod installing with the cocoapods tool.
The URL «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.





Re: [openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates

2015-03-02 Thread Short, Todd via RT
This code is currently being used by Akamai to check for the validity of 
certificates.

I find it highly unusual for multiple certificates to have the same SubjectDN
and to be valid simultaneously.
All those certificates would need to have a unique serial number; but the
Issuer’s serial number is not included in the certificate, so there’s no
easy way to determine the issuing certificate.

To validate those chains, the signature would have to be validated using the 
public key of each certificate that matches the Issuer. That can be an 
expensive proposition, and there are clients that will give up after the first 
failure.

Have you seen any chains like this IRL?

Do you know of any CAs that have their chains set up like this?

--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

On Feb 27, 2015, at 5:31 PM, Brian Smith br...@briansmith.org wrote:

Short, Todd via RT r...@openssl.org wrote:
Check that in matching issuer/subject certs, that a self-signed subject also 
has a self-signed issuer.
Given that the subject certificate is self-signed, it means that the issuer and 
the subject are the same certificate. This change verifies that.

Github link:
https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

Could you explain this more?

In your patch, there is a comment that says Input certificate
(subject) is self signed. But, the test is that the issuer name
equals the subject name. That means the certificate is self-*issued*,
not self-*signed*.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
{ Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
{ Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }

All three certificates are self-issued. The issuer of the first
certificate is not self-signed but it is self-issued. But, it being
self-issued doesn't matter because it isn't a trust anchor.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
{ Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
{ Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }

The first certificate is self-signed and self-issued. Its issuer is
not self-signed or self-issued, so your patch would reject this chain.
But, this is a valid chain.

Cheers,
Brian
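The two chains Brian describes, modelled as an added example that is not code from the thread, from OpenSSL or from Akamai's patch: abstract certificate records rather than real X.509, a minimal leaf-to-anchor path check, and the patch's rule as Brian characterises it (a name-based "subject equals issuer" test), to show why that test detects self-issued rather than self-signed certificates and why it rejects the second, valid chain.

```python
# Added example (not from the thread, OpenSSL or Akamai). Certificates are
# abstract records in the notation used in the message, not real X.509.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str          # public key this certificate carries
    signed_by: str    # key whose signature is on this certificate
    anchor: bool = False


def self_issued(c: Cert) -> bool:
    # Name comparison only: this is what "issuer name equals subject name" tests.
    return c.subject == c.issuer


def self_signed(c: Cert) -> bool:
    # Self-signed additionally requires the signature to verify with the cert's own key.
    return self_issued(c) and c.signed_by == c.key


def chain_valid(chain, patch_rule=False):
    """Leaf first, trust anchor last. Each cert must name the next cert as its
    issuer and be signed by that cert's key; the last cert must be an anchor.
    patch_rule models the proposed check as described in the thread (assumed,
    name-based): a self-issued subject must have a self-issued issuer cert."""
    for subj, iss in zip(chain, chain[1:]):
        if subj.issuer != iss.subject or subj.signed_by != iss.key:
            return False
        if patch_rule and self_issued(subj) and not self_issued(iss):
            return False
    return chain[-1].anchor


# First chain from the message: all three self-issued, only the anchor self-signed.
CHAIN_A = [Cert("Foo", "Foo", "Key1", "Key2"),
           Cert("Foo", "Foo", "Key2", "Key3"),
           Cert("Foo", "Foo", "Key3", "Key3", anchor=True)]

# Second chain: leaf is self-signed, its issuer cert (Foo issued by Bar) is neither.
CHAIN_B = [Cert("Foo", "Foo", "Key1", "Key1"),
           Cert("Foo", "Bar", "Key1", "Key2"),
           Cert("Bar", "Bar", "Key2", "Key2", anchor=True)]


def classify(chain):
    return [(self_issued(c), self_signed(c)) for c in chain]
```

Both chains pass the plain path check; only CHAIN_B is rejected once the name-based rule is switched on, which is the case Brian raises.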




Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Jeremy Farrell
And the table linking to the latest releases on 
https://www.openssl.org/source/ is empty.


On 02/03/2015 17:27, Erwann Abalea wrote:

It seems all the tarballs have disappeared.



On 02/03/2015 18:06, Alex Sklyar via RT wrote:
Hello guys. There is an issue with openssl pod installing with the
cocoapods tool. The URL
«https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.


--
J. J. Farrell




Re: [openssl-dev] [openssl.org #3726] Cocoapods install BUG

2015-03-02 Thread Matt Caswell


On 02/03/15 17:50, Jeremy Farrell wrote:
 And the table linking to the latest releases on
 https://www.openssl.org/source/ is empty.
 
 On 02/03/2015 17:27, Erwann Abalea wrote:
 It seems all the tarballs have disappeared.
 
 On 02/03/2015 18:06, Alex Sklyar via RT wrote:
 Hello guys. There is an issue with openssl pod installing with the
 cocoapods tool. The URL
 «https://www.openssl.org/source/openssl-1.0.2.tar.gz» is dead.
 

It should all be fixed now. Sorry for the inconvenience.

Matt



Re: [openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates

2015-03-02 Thread Viktor Dukhovni
On Fri, Feb 27, 2015 at 09:14:08PM +0100, Short, Todd via RT wrote:

 Hello OpenSSL Org:
 
 This is a change that Akamai has made to its implementation of OpenSSL.
 
 Version: master branch
 Description: Additional checking of self-signed certificates.
 
 Check that in matching issuer/subject certs, that a self-signed subject also 
 has a self-signed issuer.
 Given that the subject certificate is self-signed, it means that the issuer 
 and the subject are the same certificate. This change verifies that.
 
 Github link:
 https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

What motivates this proposed change?  What issues did you run into
without it?

-- 
Viktor.