Anonymous Ciphers
Title: Anonymous Ciphers Good Morning All, I am trying to match up some anonymous ciphers to use between JSSE and OpenSSL. I did a dump of JSSE and came across some anonymous ciphers. I then did a dump of the ciphers built into my build of OpenSSL. I did see any that specifically said anonymous so I must be reading them wrong. Now if I use an anonymous cipher suite I do not need to have a public/private key pair for the server nor the client correct? My main goal is to have encryption but not authentication. I would prefer to use DH anonymous with 3DES. I did not see that for OpenSSL though. It doesn't look to me like I have all the ciphers but I could be wrong. Just thought I would start out the day with a seemingly easy question. I just wanted to consort with you guys/gals first. Thanks! - Andrew JSSE SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 OpenSSL --- EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1 IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5 EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export - Andrew T. Finnell Software Engineer eSecurity Inc (321) 394-2485
RE: Cancelling threads currently blocked or doing IO
Title: Message I think that Robert was replying to my original question about cancelling threads. For some reason it took a couple of days for my message to get on the list, and I managed to get my code working properly. In case anyone is interested, it does seem to work good (at least on Solaris). I just registered a pthreads cleanup handler that calls SSL_free on the SSL *structure, and closes the socket. If my thread either gets cancelled or terminates normally, the resulting cleanup code gets executed. This is great as I can implement timeouts this way by still using Blocking IO. Non blocking IO was giving me a headache :) My code is much simpler to understand. I may still have an issue though - It seems that my memory usage is growing over time. I am not sure if this is a leak or if this is expected behaviour. The leak is not big (a couple of pages per 10 or so SSL connections opened and closed so far) but as this is a daemon process it will eventually causea problem (if this is in fact a leak). I have not run it for long enough to see if the memory usage will 'level out'. What I am trying to determine is the proper procedure for cleaning up after an established/used SSL connection. All I am doing in my code is an SSL_free followed by a close of the socket. Is this enough? Thanks, Tim -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew FinnellSent: Monday, December 17, 2001 7:52 AMTo: '[EMAIL PROTECTED]'Subject: RE: Cancelling threads currently blocked or doing IO Neff, Now by canceling the thread do you mean doing a terminate on it? If so that could be your problem. You might want to run your application through purify it will tell you exactly where the problem is. - Andrew - Andrew T. Finnell Software Engineer eSecurity Inc (321) 394-2485 -Original Message- From: Neff Robert A [mailto:[EMAIL PROTECTED]] Sent: Monday, December 17, 2001 9:44 AM To: 'Tim Pushor' Cc: '[EMAIL PROTECTED]' Subject: RE: Cancelling threads currently blocked or doing IO Tim, From your main/monitor pthread simply close the socket of the thread you want terminated. That kicks you out of the thread and should allow you to clean up properly. Rob -Original Message- From: Tim Pushor [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 13, 2001 6:27 PM To: [EMAIL PROTECTED] Subject: Cancelling threads currently blocked or doing IO List, Has anyone sucessfully cancelled a thread that is currently doing IO or blocked in an SSL handshake/read/write operation? I am trying to do this to simplify timeouts. The problem is when I cancel the thread and call SSL_free on the SSL structure, I still seem to have stuff stuck around in memory (leak). Has anyone done this and have any words of wisdom, or perhaps have a better way of implementing a timeout? I am currently using Solaris 2.6, OpenSSL 0.9.6b, and the app uses pthreads. Thanks! Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] * DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Sorry
Please excuse my previous post in HTML. Outlook automatically used HTML as I replied to a message that was HTML formatted, and I didn't notice. Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Anonymous Ciphers
On Mon, Dec 17, 2001 at 09:49:37AM -0500, Andrew Finnell wrote: I am trying to match up some anonymous ciphers to use between JSSE and OpenSSL. I did a dump of JSSE and came across some anonymous ciphers. I then did a dump of the ciphers built into my build of OpenSSL. I did see any that specifically said anonymous so I must be reading them wrong. Now if I use an anonymous cipher suite I do not need to have a public/private key pair for the server nor the client correct? My main goal is to have encryption but not authentication. I would prefer to use DH anonymous with 3DES. I did not see that for OpenSSL though. It doesn't look to me like I have all the ciphers but I could be wrong. Just thought I would start out the day with a seemingly easy question. I just wanted to consort with you guys/gals first. Thanks! man ciphers (espcially look for ADH) man SSL_CTX_set_cipher_list Best regard, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem getting OpenSSL to build on AIX4.3.3
As far as I can see there aren't any patches. I've also seen this problem reported a couple of times before but no one seems to have got the answer yet. This is the compiler version I have on my box: vac.C 5.0.0.0 C for AIX compiler From: Lutz Jaenicke [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: Problem getting OpenSSL to build on AIX4.3.3 Date: Mon, 17 Dec 2001 10:57:14 +0100 On Mon, Dec 17, 2001 at 09:38:36AM +, J S wrote: Can anyone help me with this one please? I don't seem to be able to get OpenSSL0.9.6b to build on AIX4.3.3. Configure runs OK, but the make fails. (I have tried the CVS as well but got the same error.). I tried Configure aix43-cc and Configure aix-cc. I also tried -D_REENTRANT and ./config no-threads during the configure but they ALL fail when they get to b_print.c : maxmem=16384 -c bss_file.c cc -I.. -I../.. -I../../include -DOPENSSL_NO_KRB5 -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_sock.c cc -I.. -I../.. -I../../include -DOPENSSL_NO_KRB5 -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bss_conn.c cc -I.. -I../.. -I../../include -DOPENSSL_NO_KRB5 -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bf_null.c cc -I.. -I../.. -I../../include -DOPENSSL_NO_KRB5 -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c bf_buff.c cc -I.. -I../.. -I../../include -DOPENSSL_NO_KRB5 -O -DAIX -DB_ENDIAN -qmaxmem=16384 -c b_print.c cc: 1501-230 Internal compiler error; please contact your Service Representative Evaluating the compiler's output it seems that your compiler is buggy and there is probably not very much that can be done from OpenSSL's side. I don't know about AIX, but for HP-UX one can retrieve patches free of charge from HP's electronic support center on the WWW. You should check out, whether such service also exists from IBM. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Chat with friends online, try MSN Messenger: http://messenger.msn.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Sorry
Hey Tim, if you are concerned about security, you may want to change to an e-mail client other than OutLook, or LookOut as I call it - there have been a number of exploits targeted at OutLook... -dave On Mon, 17 Dec 2001, Tim Pushor wrote: Please excuse my previous post in HTML. Outlook automatically used HTML as I replied to a message that was HTML formatted, and I didn't notice. Tim __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OUCH! Successful Install Broke Logons
Bob Foster wrote: Hi, Yesterday I successfully compiled and installed openssl-0.9.6b on RedHat Linux 6.1. Immediately, I couldn't log on (as root or as a regular user) to the Linux box from the console although I could log on using ssh from another computer. In addition, when a workstation within the subnet which had been turned off was booted up, it received the error that it's ip address was in use. So, I shut down the Linux box and then the workstation booted OK. Hmmm... 6.1 didn't include OpenSSL, and so didn't have any dependencies on it. What is the history of this machine? Were you upgrading an existing OpenSSL installation, for example? What else was on the machine that depended on OpenSSL? If you can get into single-user mode or boot with a floppy, what do you see in the log files? The business about the Linux box taking the IP address of some other workstation sounds unrelated. It's strange that it happened coincident with the OpenSSL install, but it's hard to imagine how it's related. Are you using DHCP or static addresses? If the other workstation had been turned off, perhaps the DHCP server gave the Linux box its old address? Today I started the Linux box and I can't logon from the console or through ssh. I realize that it's probably back to the install disks for me, but does anyone have any insight to what would cause this nightmare? (I don't believe that I've been hacked.) The insight is this: There is a chain of logical reasoning that leads back from your symptoms to the cause. If you didn't rebuild OpenSSH when you upgraded OpenSSL, that could be part of your problem. I don't see the connection between OpenSSL and console logins, but you know your system better than I. Ask yourelf, How is OpenSSL related to the process of logging in on the console? Examine the logs for clues. Perhaps you will follow the chain to a resolution. If you uncover more clues but still don't have a solution, post back here. Good luck! Paul Allen -- Boeing Phantom Works \ Paul L. Allen, (425) 865-3297 Math Computing Technology \ [EMAIL PROTECTED] POB 3707 M/S 7L-40, Seattle, WA 98124-2207 \ Prototype Systems Group __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Should I build OpenSSL with no-idea and no-rc5?
I'm trying to make sure that my use of OpenSSL is completely legal. In the United States, if that matters. My understanding is that if I don't want to deal with obtaining liscenses from patent holders, I need to make sure that my OpenSSL builds don't use any patented algorithms. So, I'm building with no-idea and no-rc5. Are there other patented algorithms, whose patents haven't expired, in the OpenSSL distribution? I plan to do some research but thought that I'd ask here first. Thanks! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: WebLogic and OpenSSL
Thanks go out to Atreya Mohan, who suggested a smaller key size for the CA. This did the trick. I guess that WebLogic 5.1 can't deal with keys bigger than 2048 bits -Original Message- From: Metzinger, Tim [mailto:[EMAIL PROTECTED]] Sent: Friday, December 14, 2001 10:03 AM To: OpenSSL user list (E-mail) Subject: WebLogic and OpenSSL I've been having problems getting a Weblogic 5.1 server to run using a cert genertated with OpenSSL. Here's what I've done: Created a CA key of 4096 bits = ohrescakey.pem Created a self-signed cert for the CA key (ohrescacert.der) valid for five years, using the following command: OpenSSL req -new -x509 -out ohrescacert.der -key ohrescakey.pem -days 1825 -config openssl_config.txt Then I created a new key and cert request for the web server, and used the OpenSSL CA function to sign this cert. All the certs are recognized by IE just fine, but when I load them into the WebLogic Server, they don't seem to work. weblogic.security.certificate.server=portalsdccert.pem weblogic.security.key.server=portalsdckey.pem weblogic.security.certificate.authority=ohrescacert.der If I submit the web server CSR to Verisign, and get a test cert back from them, then it works just fine. The only difference I can see is that the Verisign Root CA cert is a V1 cert, while the OpenSSL root CA cert I created is a V3 cert. Is there any way to force OpenSSL to create a V1 self-signed cert? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problems after upgrading to latest apache+openssl+modssl+php4
Hi all... Before upgrading, one of my virtual domains (ip based) had SSL setup and was working fine. The second domain did not work. The error was odd according to people in IRC support channels, and I was told to upgrade to all of the latest versions. I did that. Now when I try to run startssl, I get errors on BOTH virtual domains. The domain that had once worked produces these errors: [Mon Dec 17 16:41:46 2001] [error] mod_ssl: Init: (.com:443) Unable to configure RSA server private key (OpenSSL library error follows)[Mon Dec 17 16:41:46 2001] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch The domain2, that I couldn't get to work before the upgrade, produces these errors: [Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)[Mon Dec 17 16:45:43 2001] [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long - For domain1, I tried to check the md5's of each of the key and crt... The md5 for the crt shows up fine. When I try to get the md5 for the .key, I get this error: # openssl rsa -noout -modulus -in server.key | openssl md5read RSA keyunable to load keyd41d8cd98f00b204e9800998ecf8427e I get this same "unable to load key" error for any key I try to get the md5 checksum for Any help in getting both of my virtual domain's (the two that need SSL) working is greatly appreciated. Thanks. -Mike PS: Here is the Virtual Server entry from httpd.conf for domain2... domain1 has the exact same (but updated ip and paths) NamevirtualHost xxx.xxx.xxx.44:443VirtualHost xxx.xxx.xxx.44:443 SSLEngine On SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateKeyFile /www/conf/ssl.key/domain2_server.key SSLCertificateFile /www/conf/ssl.crt/domain2.com.crt DocumentRoot /home/hosting/domain2.com/public_html ServerName domain2.com CustomLog /www/logs/domain2.com combined ErrorLog /www/logs/domain2_error_log SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 Directory "/home/hosting/domain2.com/public_html/cgi-bin" SSLOptions +StdEnvVars /Directory Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$" SSLOptions +StdEnvVars /Files/VirtualHost
RSA PRIVATE KEY GENERATION (Errors)
Trying to generate a RSA private key and get the errors shown below It is able to generate private keys when numbits = 64. Any Ideas AnyOne; Thanks In Advance $WORK0 OLAPPOBJ 315 run openssl genrsa -out $work0.cadir.privkey -rand $work0.cadir.rnd -des3 -out $work0.cadir.privkey -passout pass:password 128 $WORK0 OLAPPOBJ 315.. 1024 semi-random bytes loaded Generating RSA private key, 128 bit long modulus ...1:error:0306C072:bignum routines:bn_expand2:bignum too long:$DATA5.OLCPBN.BNLIBC:-2680: 1:error:04069003:rsa routines:RSA_generate_key:BN lib:$DATA5.OLCPRSA.RSAGENC:-14608: ABENDED: 1,156 CPU time: 0:00:57.121 1: Process terminated with warning diagnostics
