Re: Query Verisign certificates
OK...thanksJoseph Bruni <[EMAIL PROTECTED]> wrote: Try using the -enddate option to get the expiration date.On May 3, 2004, at 12:50 PM, Reese Williams wrote:> Brand new to openssl.> Anyone use openssl x509 -text -n //certificate-name.pem with a > Verisign> certificate to get expiration date?> I have quite a few Apache and IIS 5.0 web servers and I am looking to > automate in a script notifications concerning certificate expirations.> Thanks.> __OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]
Re: aes-128-cbc with testvector from NIST does not match
On Tue, 2004-05-04 at 03:03, Ramon Amat Jimenez wrote:
> Using aes-128-encryption with a testvector from NIST for encryption does
> not match! I have been mostly using code from example
> ./openssl-0.9.7d/crypto/evp/evp_test.c to conduct this test.
>
> #cipher:key:iv:plaintext:ciphertext:0/1(decrypt/encrypt) (from NIST
> test vectors, encrypt)
> #AES-128-CBC:::
>
> :8A05FC5E095AF4848A08D328D3688E3D:1
>
> key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> iv:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> plain =>: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> cipher=>: 66 e9 4b d4 ef 8a 2c 3b 88 4c fa 59 ca 34 2b 2e <= does
> not match !!!
> cipher =>:8a 05 fc 5e 09 5a f4 84 8a 08 d3 28 d3 68 8e 3d < expected
>
> Decrypting 66 e9 4b d4 ef 8a 2c 3b 88 4c fa 59 ca 34 2b 2e <= with
> key, iv as stated above
> does give 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00!
>
> Can somebody explain me that ? I have attached below the code used.
> Kind regards
I tried your sample with the NIST test vectors found at:
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf and it
worked fine. Are you sure the test vectors you are using are correct?
Where did you get those vectors?
Test Vector:
char line[] =
"2b7e151628aed2a6abf7158809cf4f3c:000102030405060708090a0b0c0d0e0f:6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710:7649abac8119b246cee98e9b12e9197d5086cb9b507219ee95db113a917678b273bed6b8e3c1743b7116e69e95163ff1caa1681fac09120eca307586e1a7:";
Result:
key:
2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
iv:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
plain =>:
6b c1 be e2 2e 40 9f 96 e9 3d 7e 11 73 93 17 2a
0010 ae 2d 8a 57 1e 03 ac 9c 9e b7 6f ac 45 af 8e 51
0020 30 c8 1c 46 a3 5c e4 11 e5 fb c1 19 1a 0a 52 ef
0030 f6 9f 24 45 df 4f 9b 17 ad 2b 41 7b e6 6c 37 10
cipher=>:
76 49 ab ac 81 19 b2 46 ce e9 8e 9b 12 e9 19 7d
0010 50 86 cb 9b 50 72 19 ee 95 db 11 3a 91 76 78 b2
0020 73 be d6 b8 e3 c1 74 3b 71 16 e6 9e 22 22 95 16
0030 3f f1 ca a1 68 1f ac 09 12 0e ca 30 75 86 e1 a7
key:
2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
iv:
00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
cipher <=:
76 49 ab ac 81 19 b2 46 ce e9 8e 9b 12 e9 19 7d
0010 50 86 cb 9b 50 72 19 ee 95 db 11 3a 91 76 78 b2
0020 73 be d6 b8 e3 c1 74 3b 71 16 e6 9e 22 22 95 16
0030 3f f1 ca a1 68 1f ac 09 12 0e ca 30 75 86 e1 a7
plain <=:
6b c1 be e2 2e 40 9f 96 e9 3d 7e 11 73 93 17 2a
0010 ae 2d 8a 57 1e 03 ac 9c 9e b7 6f ac 45 af 8e 51
0020 30 c8 1c 46 a3 5c e4 11 e5 fb c1 19 1a 0a 52 ef
0030 f6 9f 24 45 df 4f 9b 17 ad 2b 41 7b e6 6c 37 10
plain <=:
6b c1 be e2 2e 40 9f 96 e9 3d 7e 11 73 93 17 2a
0010 ae 2d 8a 57 1e 03 ac 9c 9e b7 6f ac 45 af 8e 51
0020 30 c8 1c 46 a3 5c e4 11 e5 fb c1 19 1a 0a 52 ef
0030 f6 9f 24 45 df 4f 9b 17 ad 2b 41 7b e6 6c 37 10
>
> // test_ex.cpp
> #include
> #include
> #include
> #include
> #include
>
> static void hexdump(FILE *f,const char *title,const unsigned char *s,int
> l);
> static int convert(unsigned char *s);
> static unsigned char *ustrsep(char **p,const char *sep);
> static char *sstrsep(char **string, const char *delim);
> int do_encrypt(const unsigned char *plain, int pn, const unsigned char
> *key, int kn, const unsigned char *iv, int in);
> int do_decrypt(const unsigned char *cipher, int cn, const unsigned char
> *key, int kn, const unsigned char *iv, int in);
>
>
> int main(int argc, char *argv[])
> { OpenSSL_add_all_algorithms();
> // Modified Test Vector from NIST
>char line[] =
> ":::8A05FC5E095AF4848A08D328D3688E3D:";
>
>
>
>// Modified Test Vector for decryption with the wrong 66e9...
>// char line[] =
> ":::66e94bd4ef8a2c3b884cfa59ca342b2e:";
>
>
>char *p = line;
> unsigned char* key = ustrsep(&p,":");
>unsigned char* iv = ustrsep(&p,":");
>unsigned char* plain = ustrsep(&p,":");
>unsigned char* cipher = ustrsep(&p,":");
>
>int kn = convert(key);
>int in = convert(iv);
>int pn = convert(plain);
>int cn = convert(cipher);
>do_encrypt(plain, pn, key, kn, iv, in);
> // what we expecthexdump(stdout, "cipher =>:", cipher, cn);
> printf ("\n\n");
>
>do_decrypt(cipher, cn, key, kn, iv, in);
> hexdump(stdout, "plain <=:", plain, pn);
> return 0;
> }
>
>
> int do_decrypt(const unsigned char *cipher, int cn, const unsigned char
> *key, int kn, const unsigned char *iv, int in)
> {
> unsigned char outbu
Re: aes-128-cbc with testvector from NIST does not match
On Tue, 2004-05-04 at 09:38, Troy Monaghen wrote: > On Tue, 2004-05-04 at 03:03, Ramon Amat Jimenez wrote: > > Using aes-128-encryption with a testvector from NIST for encryption does > > not match! I have been mostly using code from example > > ./openssl-0.9.7d/crypto/evp/evp_test.c to conduct this test. > > > > #cipher:key:iv:plaintext:ciphertext:0/1(decrypt/encrypt) (from NIST > > test vectors, encrypt) > > #AES-128-CBC::: > > > > :8A05FC5E095AF4848A08D328D3688E3D:1 > > > > key: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > iv:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > plain =>: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > > cipher=>: 66 e9 4b d4 ef 8a 2c 3b 88 4c fa 59 ca 34 2b 2e <= does > > not match !!! > > cipher =>:8a 05 fc 5e 09 5a f4 84 8a 08 d3 28 d3 68 8e 3d < expected > > > > Decrypting 66 e9 4b d4 ef 8a 2c 3b 88 4c fa 59 ca 34 2b 2e <= with > > key, iv as stated above > > does give 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00! > > > > Can somebody explain me that ? I have attached below the code used. > > Kind regards > > > I tried your sample with the NIST test vectors found at: > http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf and it > worked fine. Are you sure the test vectors you are using are correct? > Where did you get those vectors? The test vectors you were using were from a Monte Carlo test which uses a number of iterations of the algorithm. More info can be found at http://csrc.nist.gov/CryptoToolkit/aes/katmct/katmct.pdf Troy __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL error: sslv3 alert bad record mac (fwd)
Hrm...I am curious if anyone on the list has any idea about what might be going on with this error. I saw a prior thread that just ended over a year ago with no resolution or explanation. Thanks! -- Jason A. Pfeil jason=at=jasonpfeil.com.NOSPAM -- Forwarded message -- Date: Thu, 22 Apr 2004 14:47:16 -0400 (EDT) From: Jason A. Pfeil <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: OpenSSL error: sslv3 alert bad record mac Greetings, List! I am having difficulty with pine connecting from one of my machines to my SSL IMAP server. What happens is that when I start pine, it asks for my password and I give it. It connects to the server and then tells me that there was an error and the connection vanishes. Then I go back to the folder list, reselect the folder, and voila! It works just fine. When the first connection vanishes, I get this error in my logfile: imapd-ssl: couriertls: read: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac I have tracked this down with the courier-imap people and they can't figure out the issue. I cannot replicate it with the exact same version of pine and openssl on another box. I have rebuild openssl *and* pine on the affected box many times. I am using pine 4.58 and openssl: % openssl version OpenSSL 0.9.7d 17 Mar 2004 Pine is linked against it: % ldd /usr/bin/pine libldap.so.2 => /usr/lib/libldap.so.2 (0x40036000) liblber.so.2 => /usr/lib/liblber.so.2 (0x4006d000) libresolv.so.2 => /lib/libresolv.so.2 (0x40079000) libncurses.so.5 => /lib/libncurses.so.5 (0x4008b000) libpam.so.0 => /lib/libpam.so.0 (0x400d) libdl.so.2 => /lib/libdl.so.2 (0x400d8000) libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x400dc000) libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x400ef000) libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0x40155000) libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0x4024f000) libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x40251000) libc.so.6 => /lib/libc.so.6 (0x40282000) libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x403b1000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000) libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x403c4000) I am running gentoo linux and it is up to date as of a few days ago. Any suggestions that anyone here may have will be *extremely* welcome. Thanks! --Jason -- Jason A. Pfeil jason=at=jasonpfeil.com.NOSPAM __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Security Hole - RSA 2?
Is RSA ver 2 (SSH) compatiblity with SSL by design or a given fact? I haven't found any references anywhere addressing this or any security concern. In addition, are there any downstream problems using a cert based off of a ssh-keygen as opposed to an "openssl genrsa"? For example: ssh-keygen -trsa -b1024 -ftestid_rsa -N "" openssl req -new -key testid_rsa -out testid_rsa.csr Has anyone experimented with this? It appears to work and looks promising. In other words would authenticate, encryption, digital signatures, etc. certificate operations be normal without an OpenSSL based key? Just looking for a way to "merge" the environments if possible on a single key and not utilize a hole... Thx, cs __ Do you Yahoo!? Win a $20,000 Career Makeover at Yahoo! HotJobs http://hotjobs.sweepstakes.yahoo.com/careermakeover __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Query Verisign certificates
On Tue, May 04, 2004 at 07:26:36AM -0700, Reese Williams wrote: : I have quite a few Apache and IIS 5.0 web servers and I am looking to : automate in a script notifications concerning certificate expirations. You could also use Recon to do this for you -- http://www.BrandXDev.Net Recon's advantage over using "openssl x509 -text" is that it queries the server itself, emulating a client. This way, you don't have to worry about keeping cert files around, file mismatches, etc. -QM -- software -- http://www.brandxdev.net tech news -- http://www.RoarNetworX.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: aes-128-cbc with testvector from NIST does not match
The test vectors you were using were from a Monte Carlo test which uses a number of iterations of the algorithm. More info can be found at http://csrc.nist.gov/CryptoToolkit/aes/katmct/katmct.pdf Thanks for your input. I will check that paper. Nevertheless, I assumed that the given test-vector present in /openssl-0.9.7d/crypto/evp/evptest.txt (should be fine) and therefore I was expecting also to see a match. Perhaps somebdoy of the developers taking care about this tests may be wondering too??? If your are answer is right (sorry i don't know the implication of the Monte Carlo to aes-128-cbc) and actually am very happy to find somebody --- telling me that I can rely on the aes-128-cbc functionality of openssl ... that 's fine for me. Kind regards Ramon __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
AW: AW: memory leak in multithreaded c++ program
> Those are last two lines of my thread execution callback. > > If you call any openssl's free function after ERR_remove_state(0), you > will have a memory leak, because it will create another thread context > that will never be freed. So i can do SSL_free(clientssl); SSL_CTX_free(clientsslctx); ERR_clear_error(); ERR_remove_state(0); At the end of my thread? What kind of locking functions do I _need_? Thanks, Stephan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RSA_private_decrypt errors
Title: RSA_private_decrypt errors Hi, Does anyone know what the following error messages mean and/or how I can find out more about what they mean? I am obtaining these error strings via the ERR_get_error and ERR_error_string functions but I can't seem to find any documentation anywhere to further explain how to resolve these errors. error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02" followed by on subsequent attempts: "error:04065072:lib(4):func(101):reason(114)" Thanks in advance, Janet Pytlik
Re: RSA_private_decrypt errors
Janet Pytlik wrote: Hi, Does anyone know what the following error messages mean and/or how I can find out more about what they mean? I am obtaining these error strings via the ERR_get_error and ERR_error_string functions but I can't seem to find any documentation anywhere to further explain how to resolve these errors. error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02" Well this error simply means that the stuff decrypted by RSA_private_decrypt is not pkcs1 bt02 (in pkcs1 words EME-PKCS1-V1_5-ENCODE) encoded (have a look at the pkcs1 standard). followed by on subsequent attempts: "error:04065072:lib(4):func(101):reason(114)" which means: "RSA_EAY_PRIVATE_DECRYPT:padding check failed" Cheers, Nils __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Cathy A Olson/EXT/FDMS/FDC is not available.
I will be out of the office starting 05/04/2004 and will not return until 05/05/2004. I will be out of the office the afternoon of Tuesday May 4, 2004. I will return your message when I return on May 5, 2004. If this is an urgent matter, please contact Barb Reilly. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: AW: AW: memory leak in multithreaded c++ program
Hawk wrote: Those are last two lines of my thread execution callback. If you call any openssl's free function after ERR_remove_state(0), you will have a memory leak, because it will create another thread context that will never be freed. So i can do SSL_free(clientssl); SSL_CTX_free(clientsslctx); ERR_clear_error(); ERR_remove_state(0); At the end of my thread? What kind of locking functions do I _need_? Thanks, Stephan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] this problem does not concerning thread locking or not When error is logged OpenSSL remember from witch thread it had been raised . Simplest thing to do is to remove all error state by ERR_remove_state(0) from the thread , just before finishing it (ERR_clear_error() will clean out entire OpenSSL error stack , so may be not that good idea , and it does not affect memory leaking situation) More complicate thing to do is remember is some kind of array all threads numbers that ever raised during run of program , at process thread (or main thread should be the name ? ) , and then calling ERR_remove_state(x) for all them. of cause all those troubles would be saved if somebody would create one function that will erase entire error stack at once (if i will had some spare time , i will look at it) Hawk , did you tried to activate OpenSSL memory leak checks ? What does it did ? it found something , or you were to busy :)?
