Re: MD2 capability
On Tue, Aug 17, 2010, kartik rustagi wrote: Thanks for replying. Can you be more specific about which option to add in ./configure in order to have md2 enabled? If you are using OpenSSL 1.0.0 or later then enable-md2 will do the trick, this option has no effect on 0.9.8 which includes md2 by default. You can't lookup md2 or use it for certificate verification since it has now been removed from the default algorithms tables for security reasons. If you want to use md2 for certificate verification for testing purposes you need to add the algorithm explicitly with: EVP_add_digest(EVP_md2()); Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Cipher selection
The application calls openssl.exe, and does not use the libeay32.dll. Is there an easy way to compile the executable with only the STRONG cipher suite? Thanks. Timothy Cloud MSPRC Database Manager Chickasaw Nation Industries (405) 869-3358 (Office) (405) 568-9752 (Cell) -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Monday, August 16, 2010 4:18 AM To: openssl-users@openssl.org Subject: Re: Cipher selection On 12-08-2010 18:03, Tim Cloud wrote: Q: I am a bit confused by the limits to your question, the two parts: have no access to the code internal to that application A: Meaning that I'm working with a commercial pre-compiled application that was designed to use OpenSSL.exe, but does not allow you to edit how that application integrates with OpenSSL.exe Please double check what your exact situation is: Does the application in question use openssl.exe or its DLL libeay32.dll, the solution will be very different in those two cases. Q: and the: special way to compile the executable seem to conflict (at least in my mind). I suppose you know what you meant - I'll go with that assumption. ;-) A: I'm taklking about compiling a special version of OpenSSL.exe not the host application. When you say: Server end: (not mentioned in your limits) - remove the unwanted ciphers from the openssl build. I.E: If the server doesn't have them, it can't offer them, and the client can choose one of them. That is EXACTLY what I want to do. But having a background as a SQL DBA, I have no idea how to do that. Is there an easy answer? The server will be running Windows 2003 32-Bit, and I just want to compile it with only the FIPS compliant strong ciphers. Any help is greatly appreciated. Again, the answer depends if the server uses openssl.exe or libeay32.dll One answer you might use in either case is to add a bunch of noxxx arguments to the perl Configure command line early in the build of openssl. This way you can disable a lot of unwanted ciphers (but not specific cipher suites), by effectively removing their implementation code completely. From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On Behalf Of Michael S. Zick [open...@morethan.org] Sent: Thursday, August 12, 2010 9:15 AM To: openssl-users@openssl.org Subject: Re: Cipher selection On Wed August 11 2010, Tim Cloud wrote: Let's pretend for a moment that an out of the box application uses openssl to provide access not through a browser, but rather through a SOAP client like Eclipse. And let's also say that you have no access to the code internal to that application. Is there any other way to limit the ciphers? Some kind of config file or a special way to compile the executable? The quick answer: cipher list is not limited by an external, run-time, config file. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org - CONFIDENTIALITY NOTICE This e-mail is intended for the sole use of the individual(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. You are hereby notified that any dissemination, duplication, or distribution of this transmission by someone other than the intended addressee or its designated agent is strictly prohibited. If you receive this e-mail in error, please notify me immediately by replying to this e-mail. - __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Generating Session Keys
Hello all, I am trying to generate the session key from the pre-master-secret, and I cannot for the life of me figure out how to do this. Is there any way to do this easily, or is it completely dependent on the cipher spec? Alternatively if there is a way to access the session keys once they have been generated? When I was looking through the code, I found a tls_session_secret_cb function inside of the SSL object, but it looks like this is just for resuming a session. I know that it has to generate the session keys somewhere, but I can't find where. If someone could point me in the right direction, or explain the process a little better I would really appreciate it. Thanks in advanced, Sam -- Sam Jantz Software Engineer
RE: Adobe Acrobat Certificates?
Hi Jacob, The best way to view what CDS is, is via the Adobe Website. It's a medium assurance hardware based identity credential that we, and others, supply. It's ultimately rooted through to the Adobe Root CA...ie. A root in all Adobe reader versions from Version 6 onwards. http://www.adobe.com/security/partners_cds.html We, along with other well known names in the CA industry, offer CDS certificates to the market. If anyone is interested then please mail me separately and I'd be happy to provide more details away from the list, but an example is the best way to quickly show you the differences. This one is certified with a CDS certificate http://www.globalsign.co.uk/resources/documentsign-creating-trusted-document s.pdf and this one is self signed to allow you to compare the difference in the GUI on whatever version of Adobe Acrobat you are using http://www.globalsign.co.uk/document-security-compliance/adobe-cds/ You can use the certificate viewer built into Adobe Acrobat or Reader to examine the profile of the certificates. Thanks. Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: 16 August 2010 15:52 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Adobe Acrobat Certificates?
Sal, Jakob, The CP for Adobe is here:- http://www.adobe.com/misc/pdfs/Adobe_CDS_CP.pdf and section 7 highlights the specific profile of the certificate. Sal, you are correct it's an X509 certificate and there are no deviations from that spec. However, there are specific OID and specific rules that the CP mandates and there are also specific services that are related to the certificate which are indicated within the profile (Time stamping for example). FYI, I've hopefully addressed Ivo's concerns in a separate e-mail and made suitable suggestions to him on ways to solve his particular issue. Thanks Steve -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Crypto Sal Sent: 17 August 2010 05:30 To: openssl-users@openssl.org Subject: Re: Adobe Acrobat Certificates? On 08/16/2010 10:52 AM, Jakob Bohm wrote: On 16-08-2010 11:51, Steve Roylance wrote: Ivo, GlobalSign offers Adobe CDS based certificates to the market so we are very familiar with Adobe Acrobat. If you want to create a simple PKCS#12 self signed certificate and you have Acrobat Pro, then go into the 'Advanced' settings menu 'Security Settings' and simply click on 'Add ID' and a wizard will guide you through the process to end up with a PKCS#12 or an exportable certificate in your Windows PC cert store. It's very easy. Nice feature for test signatures, but I don't think that's what the OP wanted (see below). If you ever then need a real CDS (Recognizable by PDF reader worldwide) certificate GlobalSign would be pleased to help get one for you. Nice plug, but I guess the OP wanted to issue locally trusted certificates signed by an in-house enterprise CA that runs on a Linux machine and is based on OpenSSL (such as tinyCA, or Red Hat CA). So maybe you (based on your experience) can tell the rest of us exactly what makes an Adobe PDF Cert different from a generic X.509 cert? Jakob, From my experiences: NOTHING. (So long as it has digital signing enabled) From what I have seen and know, Adobe CDS partners [ http://www.adobe.com/security/partners_cds.html ], get an intermediate certificate from Adobe, which they then use to issue digital signing certificates to Organizations or Individuals. (Entity/their customers). The only real benefit is much like having a publicly trusted SSL certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It helps get rid of the browser nag, because what end-user wants to actually THINK before they do something?) I do like the fact that Adobe gives end-users the ability to trust who they want (much like the friendly browsers do these days), when they want and they don't have to rely on Adobe to certify CAs especially since Adobe hasn't decided not to partner with some of the more popular global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: Mozilla, Opera and Microsoft DO) Hope this sheds some more light on the issue. However, we await Steve's response. --Sal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
wrong ELF class: ELFCLASS32
Can you please tell me how to compile openssl library in 64-bit type? As when compiling the openssl, and checking GNM056 sdefile bio_ssl.o bio_ssl.o: ELF 32-bit MSB relocatable SPARC32PLUS Version 1, V8+ Required GNM056 sde I need it to be in 64 bit as I need to link this library with my existing .so that is in 64 bit. My .so: GNM056 sdefile libsib_velizy_generic_uns_HTTPSClient.so libsib_velizy_generic_uns_HTTPSClient.so: ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped GNM056 sde As compiling my .so with openssl .so. I am having error: ld: fatal: file /openssl-0.9.8o/ssl/bio_ssl.: wrong ELF class: ELFCLASS32 Please show me the way. Thanks. Thanks Regards, Seemant Bisht. Alcatel Ph. No. +91-124-4133453 Mobile: +919810063317 Alcatel-Lucent India Building No.1, Fourth Floor, Seat No.59 Plot No.406, Udyog Vihar, Phase III Gurgaon 122016 P Think of the environmental impact before printing
Basics concepts about openssl+rsa
Hello to all. I'm really new in openssl. In my application I will use openssl to encrpypt some password strings using rsa. I've generated the pair of keys with openssl command line and now I want to use this pair to crypt and encrypt these strings. It's really a basic doubt: How can I parse a file with the public key to a struct which I can use to encrypt the string. Maybe just a simple_example.c... :-) And also an example about decrypt using the private key, of course :-) I'm reading this page: http://www.openssl.org/docs/crypto/rsa.html but manuals aren't good to a beginner :-) Thx and sorry for my bad English :-) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
dynamic locks don't get cleaned up
I apologize if this shows up more than once. I've been having problems sending emails out, all day. First I encountered this with valgrind but then I decided to have openssl print the leaks and it was also confirmed. I have reduced my code to the following two lines. Prior to this if course initilization of openssl and then the cleanup. Either there's a call that I'm missing or the the dynamic locks don't get cleaned up upon exit. Looking at the code in cryptlib.c, i don't see anywhere freeing up the memory allocated to the following stacks: static STACK_OF(OPENSSL_STRING) *app_locks=NULL; static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL; And here's my sample code: int l = CRYPTO_get_new_dynlockid(); CRYPTO_destroy_dynlockid(l); Before this I have a bunch of lines like: CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); SSL_library_init(); OpenSSL_add_all_digests(); CRYPTO_set_id_callback(..); CRYPTO_set_locking_callback(...); CRYPTO_set_dynlock_create_callback(...); CRYPTO_set_dynlock_lock_callback(...); CRYPTO_set_dynlock_destroy_callback(...); And at the end of the code I have something like: CRYPTO_set_id_callback(NULL); CRYPTO_set_locking_callback(NULL); CRYPTO_set_dynlock_create_callback(NULL); CRYPTO_set_dynlock_lock_callback(NULL); CRYPTO_set_dynlock_destroy_callback(NULL); ENGINE_cleanup(); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); OBJ_NAME_cleanup(-1); ERR_remove_thread_state(NULL); SSL_free_comp_methods(); CRYPTO_mem_leaks_fp(stderr); As you can see I have included every cleanup call I could find. Running the code produces the following output: [19:49:10] 188 file=stack.c, line=125, thread=19596, number=20, address=08DF0E50 [19:49:10] 189 file=stack.c, line=127, thread=19596, number=16, address=08DF0F78 36 bytes leaked in 2 chunks __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: wrong ELF class: ELFCLASS32
On 17/08/2010 7:03 PM, BISHT, SEEMANT (SEEMANT) wrote: Can you please tell me how to compile openssl library in 64-bit type? As when compiling the openssl, and checking If it was a linux intel based setup if would be: ./Configure linux-x86_64 or ./Configure linux-generic64 However given you seem to be on a sparc box: ./Configure solaris64-sparcv9-gcc or ./Configure solaris64-sparcv9-cc (depending on if you are using GCC or the Sun compiler) Look at the various targets available in the Configure script for more information. Then the usual make clean all Tim.
Re: Basics concepts about openssl+rsa
On Aug 17, 2010, at 12:37 PM, Leandro Santiago wrote: It's really a basic doubt: How can I parse a file with the public key to a struct which I can use to encrypt the string. Maybe just a simple_example.c... :-) And also an example about decrypt using the private key, of course :-) I'm reading this page: http://www.openssl.org/docs/crypto/rsa.html but manuals aren't good to a beginner :-) Yes, it's pretty hard to get oriented when starting to use openssl. It's usually easier to avoid the lowest-level RSA_foo() functions in favor of the slightly more abstract EVP_(PKEY_)foo() functions. (This also lets you switch algorithms etc. later without rewriting everything.) IIRC, what you need to do is load the public or private key using either a PEM_read_* function or a d2i_*() function, depending on whether the key is in a PEM or DER format: http://www.openssl.org/docs/crypto/pem.html http://www.openssl.org/docs/crypto/d2i_PKCS8PrivateKey.html For the basic public-key operation, you use functions that operate on an EVP_PKEY_CTX: http://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html But for any real-world application, you'll want to do the standard business of generating a session key, encrypting the message using conventional symmetric encryption, and encrypting the session key with the public key. Since that's a lot of hassle and it's very easy to write something that works but isn't secure, it's probably a good idea to just adopt one of the higher level cryptographic containers such as CMS: http://www.openssl.org/docs/crypto/CMS_encrypt.html even though this does mean you start having to deal with all the X.509 crud. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Basics concepts about openssl+rsa
On Aug 17, 2010, at 3:19 PM, Wim Lewis wrote: But for any real-world application, you'll want to do the standard business of generating a session key, encrypting the message using conventional symmetric encryption, and encrypting the session key with the public key. Since that's a lot of hassle and it's very easy to write something that works but isn't secure, it's probably a good idea to just adopt one of the higher level cryptographic containers such as CMS: http://www.openssl.org/docs/crypto/CMS_encrypt.html even though this does mean you start having to deal with all the X.509 crud. Ah, I forgot about http://www.openssl.org/docs/crypto/EVP_SealInit.html and friends, maybe that would be an easier approach. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Basics concepts about openssl+rsa
Thx. I'll read these documents. In my system the keys aren't generated in instalation-time, but I have both the keys, private and public pre-generated. Actually in my system the password based encrypt system works fine, and it's part of a larger subsystem. So the rsa idea has sounded good for me :-) Regards 2010/8/17 Wim Lewis w...@omnigroup.com: On Aug 17, 2010, at 3:19 PM, Wim Lewis wrote: But for any real-world application, you'll want to do the standard business of generating a session key, encrypting the message using conventional symmetric encryption, and encrypting the session key with the public key. Since that's a lot of hassle and it's very easy to write something that works but isn't secure, it's probably a good idea to just adopt one of the higher level cryptographic containers such as CMS: http://www.openssl.org/docs/crypto/CMS_encrypt.html even though this does mean you start having to deal with all the X.509 crud. Ah, I forgot about http://www.openssl.org/docs/crypto/EVP_SealInit.html and friends, maybe that would be an easier approach. __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
