Re: Anyone know if ettercap will be further developed (or know where the authors NaGa and Alor are nowadays?)
Hi Miguel I dont know much about ethercap except that it performs Man in the Middle attacks.I want to let u Know that there is tool called Nping which is a packet crafter and also performs all these common tasks like ARP spoofing etc; is in active development stage from Nmap community .You can give your suggestions in nmap-dev mailing list to make it a better and well documented tool.:) Regards Venkat On Mon, Jun 1, 2009 at 9:35 AM, Miguel Ghobangieno mikee...@yahoo.comwrote: Anyone know if ettercap will be further developed (or know where the authors NaGa and Alor are nowadays?) I remeber when it was in active development (ending in 2005). Each release brought new things. I remeber using it and watching as I watched in plaintext my ssh login made me configure ssh to only allow sshv2. The developers are: Alberto Ornaghi (ALoR) He works as Security Consultant in an italian professional services company active in Information and Communication Technology (ICT) Age: 30-06-17 e-mail: a...@users.sourceforge.net Marco Valleri (NaGA) Works as Security Engineer for another IT security company (we are competitors) :) Age: 30-08-02 e-mail: n...@antifork.org But they don't answer email nor is anything developed for the app anymore. It would be a shame to see it wither and die in the face of new technologies. Or become unusable in the face of linux kernel changes.
Non-blocking socket, SSL_write returned SSL_WANT_READ, what bad can happen if I call SSL_read when select detects data is available, and then re-call SSL_write with prev data plus more
1. Called SSL_write with data 'abc' 2 this returned SSL_ERROR_WANT_READ 3. Wait on a 'select' until data arrives. 4. Called SSL_read with this socket. 5. If SSL_read returns 'SSL_ERROR_NONE' or 'SSL_ERROR_WANT_READ' , then call SSL_write with data 'abcdef' (i.e. 'abc' in step 1 plus some more data) So could anyone please answer 1. Is above procedure wrong ? (If so then what is the correct procedure ?) 2. What are the bad results of above procedure if it is wrong ? Thank you. *** The information contained in this email including in any attachment is confidential and is meant to be read only by the person to whom it is addressed. If you are not the intended recipient(s), you are prohibited from printing, forwarding, saving or copying this email. If you have received this e-mail in error, please immediately notify the sender and delete this e-mail and its attachments from your computer. *** __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
TLS handshake is not intiated when the SSL-ctx object has client certificate and private key on Openssl 0.9.8k
Hi All, I am using OpenSSL 0.9.8.k. We are using the following function to configure device certificate and private key: SSL_CTX_use_certificate_chain_file() and SSL_CTX_use_PrivateKey_file(). When SSL_ctx object is loaded with the client certificate and private key using above 2 functions, then TLS handshake fails, even the client hello is not sent to the server and client is closing the connection by sending FIN message. But when this object is not loaded with client certificate and private key then Client hello is sent to server and TLS handshake is successful. Following are the failure logs when client hello is not sent to server: 0529114428|sip |4|00|SSL_connect failed 'error::lib(0):func(0):reason(0)' 0529114428|sip |4|00|SSL_connect error 5 When the following macro is defined in Opensslconf.h, TLS handshake was successful: #ifndef OPENSSL_NO_TLSEXT # define OPENSSL_NO_TLSEXT #endif Could anyone please let me know why TLS is working on defining this macro? Note: Initially we used openssl 0.9.7d version. On this version we didn’t find the above problem and “OPENSSL_NO_TLSEXT” macro is not available in this version. I am using client certificate with the following options: Version : v3 Signature algorithm : SHA-256 and RSA 1024 bit private key is being used. Regards, Prathima -- View this message in context: http://www.nabble.com/TLS-handshake-is-not-intiated-when-the-SSL-ctx-object-has-client-certificate-and-private-key-on-Openssl-0.9.8k-tp23813018p23813018.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Non-blocking socket, SSL_write returned SSL_WANT_READ, what bad can happen if I call SSL_read when select detects data is available, and then re-call SSL_write with prev data plus more
Asanka Kumara 1. Called SSL_write with data 'abc' 2 this returned SSL_ERROR_WANT_READ 3. Wait on a 'select' until data arrives. 4. Called SSL_read with this socket. Why are you calling SSL_read? 5. If SSL_read returns 'SSL_ERROR_NONE' or 'SSL_ERROR_WANT_READ' , then call SSL_write with data 'abcdef' (i.e. 'abc' in step 1 plus some more data) No matter what SSL_read returns, you should call SSL_write. The 'WANT_READ' error is invalidated as soon as data arrives at the socket. So could anyone please answer 1. Is above procedure wrong ? (If so then what is the correct procedure ?) It's fine, but why call SSL_read? If you want to write to the SSL connection, you should call SSL_write. SSL_read is for when you want to read from the SSL connection. It's OpenSSL's job to figure out whether these require reading from or writing to the socket. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: TLS handshake is not intiated when the SSL-ctx object has client certificate and private key on Openssl 0.9.8k
I have seen this problem earlier too .Many of them has reported this problem earlier also. I think this problem is becuase from openssl 9.8k onwards tls extension is enabled by default . My doudt is that if this is the case will the openssl 9.8k will work with any of the older openssl version too ? Thanks Rajan On Mon, Jun 1, 2009 at 4:08 PM, prathima prathima.gog...@polycom.comwrote: Hi All, I am using OpenSSL 0.9.8.k. We are using the following function to configure device certificate and private key: SSL_CTX_use_certificate_chain_file() and SSL_CTX_use_PrivateKey_file(). When SSL_ctx object is loaded with the client certificate and private key using above 2 functions, then TLS handshake fails, even the client hello is not sent to the server and client is closing the connection by sending FIN message. But when this object is not loaded with client certificate and private key then Client hello is sent to server and TLS handshake is successful. Following are the failure logs when client hello is not sent to server: 0529114428|sip |4|00|SSL_connect failed 'error::lib(0):func(0):reason(0)' 0529114428|sip |4|00|SSL_connect error 5 When the following macro is defined in Opensslconf.h, TLS handshake was successful: #ifndef OPENSSL_NO_TLSEXT # define OPENSSL_NO_TLSEXT #endif Could anyone please let me know why TLS is working on defining this macro? Note: Initially we used openssl 0.9.7d version. On this version we didn’t find the above problem and “OPENSSL_NO_TLSEXT” macro is not available in this version. I am using client certificate with the following options: Version : v3 Signature algorithm : SHA-256 and RSA 1024 bit private key is being used. Regards, Prathima -- View this message in context: http://www.nabble.com/TLS-handshake-is-not-intiated-when-the-SSL-ctx-object-has-client-certificate-and-private-key-on-Openssl-0.9.8k-tp23813018p23813018.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
about ec_point and ec_group
hello, where can i find the definition of ec_point_st and ec_group_st what i found are: typedef struct ec_point_st EC_POINT; typedef struct ec_group_st 111 /* 112 EC_METHOD *meth; 113 -- field definition 114 -- curve coefficients 115 -- optional generator with associated information (order, cofactor) 116 -- optional extra data (precomputed table for fast computation of multiples of generator) 117 -- ASN1 stuff 118 */ 119 EC_GROUP; does anyone know ? thank you
does openssl support aes128xcbc?
Dear all: I find the openssl so far support following ase cryptos: #define CBC_128_AES 16 #define CBC_192_AES 17 #define CBC_256_AES 18 #define IGE_128_AES 26 #define IGE_192_AES 27 #define IGE_256_AES 28 but I cannot find aes128xcbc. Do I miss something or there is really no support of aes128xcbc mode in openssl? if the answer is the later, where I can find the sample code of it. appreciate your help, vichy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL FIPS mode problem
Hi All, When loading OpenSSL FIPS DLLs, and using FIPS_mode_set function, the following error is being returned: 9220:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236: As i understand it, the DLL could not be loaded to the appropriate address in memory, therefore, the validation process could not be completed. I tried to use different base-address for the DLL (as described in the user guide) which solved the problem for now, but because my application can load other DLLs dynamically I cannot guarantee that the new base address will always be free for the FIPS DLL usage. Does OpenSSL FIPS version has other ways for solving the above error? Thanks, -- Lior Aharoni
RE: compiling 1.0.0-beta2 on OpenVMS
I'm compiling 0.9.8k on VAX and experienced the same problem with seed.c causing the compiler to get stuck. Moving it to COMPILEWITH_CC5 resolved the problem. When compiling on ia64 I got an error in VMS.MAR on a BSB 41$ that I think should be a BRB 41$ -Original Message- From: Richard Levitte [mailto:rich...@levitte.org] Sent: Friday, May 15, 2009 4:23 AM To: openssl-users@openssl.org; Richard Whalen; BércziGábor Subject: Re: compiling 1.0.0-beta2 on OpenVMS I wouldn't recommend that, it leads to very slow code last time I tried. However, if you look in [.crypto]crypto-lib.com, you'll find the following lines: $ ! Add definitions for no threads on OpenVMS 7.1 and higher $ COMPILEWITH_CC3 = ,bss_rtcp, $ ! Disable the DOLLARID warning $ COMPILEWITH_CC4 = ,a_utctm,bss_log,o_time,o_dir $ ! Disable disjoint optimization $ COMPILEWITH_CC5 = ,md2_dgst,md4_dgst,md5_dgst,mdc2dgst, + - sha_dgst,sha1dgst,rmd_dgst,bf_enc, $ ! Disable the MIXLINKAGE warning $ COMPILEWITH_CC6 = ,enc_read,set_key, I'm thinking that one might want to add seed to COMPILEWITH_CC5 and see if that helps... As I recall, the files already mentioned there made the compiler on VAX behave as described below before I placed them there. Bérczi, please try it out and tell me if that changed things. ( if you wonder, I'm talking about changing the COMPILEWITH_CC5 line like this: $ COMPILEWITH_CC5 = ,md2_dgst,md4_dgst,md5_dgst,mdc2dgst, + - sha_dgst,sha1dgst,rmd_dgst,bf_enc,seed, ) Cheers, Richard In message 3ef96af20489a34296050fbd5c36ecb901244...@beacon.psc.process.com on Wed, 13 May 2009 11:35:31 -0400, Richard Whalen whal...@process.com said: Whalenr Typically it's the optimizer that causes the problem. Try compiling the source with /NOOPTIMIZE. Whalenr Whalenr -Original Message- Whalenr From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bérczi Gábor Whalenr Sent: Wednesday, May 13, 2009 7:02 AM Whalenr To: openssl-users@openssl.org Whalenr Subject: Re: compiling 1.0.0-beta2 on OpenVMS Whalenr Whalenr I can certainly provide a suitable account, if that helps, just let me Whalenr know. Whalenr Whalenr On May 13, 2009, at 8:09 AM, Richard Levitte wrote: Whalenr Whalenr In message af6e8d0b-23a6-422e-a699-b8c61c632...@berczi.be on Tue, Whalenr 12 May 2009 22:58:35 +0200, Bérczi Gábor ga...@berczi.be said: Whalenr Whalenr gabor Latest beta version doesn't compile on VAX/VMS (with DEC C). Whalenr gabor Compilation just hangs at seed.c, doing absolutely nothing Whalenr gabor except using CPU time. Whalenr Whalenr That sounds quite odd... Unfortunately, I've no VAX/VMS account (only Whalenr a Alpha/VMS one), so I can't verify or fix. Is there any way you can Whalenr help us? -- Richard Levitte rich...@levitte.org http://richard.levitte.org/ Life is a tremendous celebration - and I'm invited! -- from a friend's blog, translated from Swedish __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: does openssl support aes128xcbc?
Hi, Thus wrote vichy (vichy@gmail.com): but I cannot find aes128xcbc. Do I miss something or there is really no support of aes128xcbc mode in openssl? if the answer is the later, where I can find the sample code of it. AES-XCBC-MAC is not directly supported. However, it's very simple to implement as it's based on AES-CBC for which there is support. The OpenSSL book by Oreilly contains some sample code for the AES-XCBC-MAC. You can download it on http://examples.oreilly.com/9780596002701/ Hope this helps, Martin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
undefined symbol with AES_unwrap_key
I'm currently receiving this error and was hoping someone could help me resolve it. When I call the AES_wrap_key or AES_unwrap_key functions I get the following error: hostapd: symbol lookup error: hostapd: undefined symbol: AES_wrap_key I don't have any problems with the EVP_DigestInit, EVP_DigestUpdate or EVP_DigestFinal and the code I'm placing was using AES_set_encrypt_key. Any ideas?
Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
On Sun, May 31, 2009 at 10:13:59AM +0100, David Woodhouse wrote: That makes a certain amount of sense; thanks. Forgive my ignorance -- is there a way to ensure that the full trust chain is included in the certificate itself, rather than having to provide the -CAfile option to openssl(1) separately? I na??vely tried just appending the contents of a working cafile to the certificate.pem file but that's not sufficient. Yes, you contcatenate in a single file: --- BEGIN... client certificate bits --- END... --- BEGIN... intermediate CA certificate that signed the above certificate --- END... ... --- BEGIN... intermediate CA certificate that signed the above certificate --- END... --- BEGIN... optional root CA certificate that signed the previous certificate --- END... I found another strange behaviour that I didn't expect -- the _order_ of the certificates in the cafile seems to be important. Yes, the TLS protocol requires the trust chain to be delivered bottom-up. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL fips mode problem
Hi All, When loading OpenSSL FIPS DLLs, and using FIPS_mode_set function, the following error is being returned: 9220:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236: As i understand it, the DLL could not be loaded to the appropriate address in memory, therefore, the validation process could not be completed. I tried to use different base-address for the DLL (as described in the user guide) which solved the problem for now, but because my application can load other DLLs dynamically I cannot guarantee that the new base address will always be free for the FIPS DLL usage. Does OpenSSL FIPS version has other ways for solving the above error? Thanks, -- Lior Aharoni
RE: sslv3 alert certificate unknown
From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton Sent: Friday, 29 May, 2009 20:29 certificate unknown means that the Java side sent an alert to state that there's a problem with the certificate, but it's not going to tell you what it is. It probably it relates to the fact that the CA that you're using on your openssl server isn't in the Java trust store. More precisely, in the Java trust store _being used_. Java can support multiple trust (or key) stores if you want. (The most correct and appropriate alert in this case would be unknown CA, but many implementations won't send the correct code due to security policies that the developers make on behalf of their API clients.) -Kyle H On Fri, May 29, 2009 at 7:12 AM, Vyncke, Frank frank.vyn...@esko.com wrote: I don't know exactly what this error means, so it hard to check what I am doing wrong. I presume I will have to setup some parameters on the JAVA side (the only thing I do different now versus the plain http setup is to change the URL to https). Meaning you use URL(https,...).openConnection - HttpsURLConnection ? (And don't set[Default]SSLSocketFactory?) That should use the (system) default SSLSocketFactory, which under the standard configuration uses a SSLContext which has a default (X.509/PKIX) TrustManager which uses the store in JRE/lib/security/jssecacerts if present else cacerts (and a null X.509 KeyManager, which is usually okay for web clients). Your client should have gotten javax.net.ssl.SSLHandshakeException referencing/caused by sun.security.validator.ValidatorException and sun.security.provider.certpath.SunCertPathBuilderException . You might check to see if this was reported, or why not. Any body an idea, and/or info on the things I need to setup on the JAVA side ? I am using JAVA JRE 1.6 See JSSERefGuide in the docs package under 'security' for (very!) full details. In brief, there are number of possibilities: - add the CAcert(s) you want to use to the default truststore(s) -- assuming you have access on the client machine(s) and this doesn't interfere with (endanger?) any other Java app(s) there - put the CAcert(s) you want to use in your own truststore (per-app or per-user or whatever) and configure to use that - get for your server and use a cert under a 'wellknown' CA that is already in the distributed cacerts -- may cost money - have your client(s) request/allow anonymous ciphersuite(s) and your server use no certificate at all -- loses the benefit of server authentication - write your own TrustManager and/or CertPathValidator to do whatever you want (get certs or other auth data from other sources like LDAP or DNS or whatever, and accept or reject the server based on other information than the certs or fetched data such as hardcoding, manual choice, ...) -- quite a bit more complicated Note that HttpsURLConnection also verifies that the server cert's name matches the desired (requested) URL.host. I'm not sure of the exact (default) rules since I use the lower-level SSL[Server]Socket which leaves this check to me. According to the docs this can be overridden by writing and setting your own HostnameVerifier . __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: about ec_point and ec_group
On 2009.06.01 at 22:05:48 +0800, jazeltq wrote: hello, where can i find the definition of ec_point_st and ec_group_st what i found are: typedef struct ec_point_st EC_POINT; typedef struct ec_group_st 111 /* 112 EC_METHOD *meth; 113 -- field definition 114 -- curve coefficients 115 -- optional generator with associated information (order, cofactor) 116 -- optional extra data (precomputed table for fast computation of multiples of generator) 117 -- ASN1 stuff 118 */ 119 EC_GROUP; does anyone know ? thank you These are hidden structures. They are defined in the internal include file ec_lcl.h, which present in the OpenSSL sources, but not included in the compiled distribution. Idea is that members of these structures are accessable only from within libcrypto library. Users or the library shouldn't look inside these structures, they only should operate via APIs, declared in the ec.h API could be incomplete. When dealing with other newer parts of OpenSSL API (especially EVP_PKEY_CTX API) I've encountered situations where neccessary API calls are missing. In this case best approach is to design new API function which provides neccessary functionality and sumbit a patch. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org