Question of openssl compilation
Hello,

I use the following commands to compile openssl-0.9.8o:

1) ./Configure solaris-sparcv9-cc --prefix=MY_OPENSSL_INSTALL_DIRECTORY shared
2) make
3) make install

I can compile it successfully, and under MY_OPENSSL_INSTALL_DIRECTORY/lib I can find some files like below:

    -rw-r--r-- 1 arkie bjumts 3623300 Aug 5 15:41 libcrypto.a
    lrwxrwxrwx 1 arkie bjumts 18 Aug 5 15:41 libcrypto.so -> libcrypto.so.0.9.8
    -r-xr-xr-x 1 arkie bjumts 2567624 Aug 5 15:41 libcrypto.so.0.9.8
    -rw-r--r-- 1 arkie bjumts 588036 Aug 5 15:41 libssl.a
    lrwxrwxrwx 1 arkie bjumts 15 Aug 5 15:41 libssl.so -> libssl.so.0.9.8
    -r-xr-xr-x 1 arkie bjumts 424320 Aug 5 15:41 libssl.so.0.9.8

As we can see, there are two dynamic lib files, libcrypto.so.0.9.8 and libcrypto.so.0.9.8. But my questions are:

1) How can I make the generated dynamic lib names libcrypto.0.9.8.so and libcrypto.0.9.8.so, not the default names?
2) If the dynamic lib name is changed successfully, how do I make sure the link-time name is the same as the changed dynamic lib name? Is there some option similar to -soname which can specify the link-time name?

For example: =ldd libssl.so.0.9.8 libcrypto.so.0.9.8 = .
After changing the name to libssl.0.9.8.so, the result should be: =ldd libssl.0.9.8.so libcrypto.0.9.8.so =. .

Thank you.

Best Regards,
Arkie
Getting detailed ssl-handshake debug output
I'd like to know if there's a way -- programmatic, config, environment -- that I can get detailed print of what goes on during a handshake at the client or the server? Below is the output from Apache Tomcat as an example of the level of details i'm looking for:
Re: Using CMS_verify() without certificates
On 10/07/2010 10:04 PM, Dr. Stephen Henson wrote:
> On Thu, Oct 07, 2010, t...@compumatica.de wrote:
>
>> Hi,
>>
>> I like to verify a S/MIME message with CMS_verify() (openssl-1.0.0a). If the CMS structure does not contain a certificate and if I also cannot provide the certificate, the verification fails.
>>
>> error:2E09D08A:CMS routines:CMS_verify:signer certificate not found
>>
>> I know that I need the certificate to verify the signature, but what can I do in this case, to get my hands on the content? Even if I use CMS_NO_CONTENT_VERIFY I get the same error and the output is empty. Is there another way to extract the data out of the CMS structure?
>
> You can do this via the lower level API. Something like..
>
> ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
>
> Then the content is ASN1_STRING_length(*pos) bytes using the buffer ASN1_STRING_data(*pos). Note that those are internal pointers which should be treated as read only.

Works fine. Thanks for your help.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: FIPS mode - fails to read the RSA key
Thank you Steve,

I had a problem creating the certificate and key in FIPS mode. With your suggestion I am now able to create a FIPS-supported certificate.

When I create it with a passphrase the key looks as below:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..snip
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----

Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that the passphrase returned by the cb is the same as the one that I used to create the certificate. Any hint if I missed something in the key generation?

The command I used to create this key is:

./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem

If I create the key without a passphrase then the code hits this snippet of the code (PEM_read_bio_PrivateKey) and works fine:

..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 9:48 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:

> Thanks again
>
> I do have the env variable OPENSSL_FIPS set to 1. And the key generated is as below:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> . . . .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method PEM_do_header

If that happens the version of OpenSSL isn't in FIPS mode. You should get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked.

If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote:

> Thank you Steve,
>
> I had a problem creating the certificate and key in FIPS mode. With your suggestion I am now able to create a FIPS-supported certificate.
>
> When I create it with a passphrase the key looks as below:
>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
> ..snip
> toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
> -----END ENCRYPTED PRIVATE KEY-----
>
> Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that the passphrase returned by the cb is the same as the one that I used to create the certificate. Any hint if I missed something in the key generation?
>
> The command I used to create this key is:
>
> ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem
>
> If I create the key without a passphrase then the code hits this snippet of the code (PEM_read_bio_PrivateKey) and works fine:
>
> ..
> ..
> p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
> if(!p8inf) goto p8err;
> ret = EVP_PKCS82PKEY(p8inf);
> ..
> ..

Have you included OpenSSL_add_all_algorithms() in your code?

If so then see the FAQ for details of how to print out error messages.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
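Added example, not part of the thread and not OpenSSL code: a check for the symptom discussed in the FIPS thread above, telling apart the three key encodings that appear in it by their PEM armor and headers. The enum, the function names and the sample keys (bodies elided, IV constructed) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Private-key PEM encodings that appear in this thread (names are hypothetical). */
enum key_kind { KEY_UNKNOWN, KEY_TRAD, KEY_TRAD_ENC, KEY_PKCS8, KEY_PKCS8_ENC };

/* Classify a PEM private key by its BEGIN line and Proc-Type header. For a
 * traditionally encrypted key, copy the DEK-Info cipher name into cipher. */
enum key_kind classify_pem_key(const char *pem, char *cipher, size_t cap)
{
    if (cap) cipher[0] = '\0';
    if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----")) return KEY_PKCS8_ENC;
    if (strstr(pem, "-----BEGIN PRIVATE KEY-----")) return KEY_PKCS8;
    if (!strstr(pem, "-----BEGIN RSA PRIVATE KEY-----")) return KEY_UNKNOWN;
    if (!strstr(pem, "\nProc-Type: 4,ENCRYPTED")) return KEY_TRAD;
    const char *dek = strstr(pem, "\nDEK-Info: ");
    if (dek && cap) {
        dek += strlen("\nDEK-Info: ");
        size_t n = strcspn(dek, ",\r\n");      /* cipher name ends at the comma */
        if (n >= cap) n = cap - 1;
        memcpy(cipher, dek, n);
        cipher[n] = '\0';
    }
    return KEY_TRAD_ENC;
}

/* Per the reply in the thread, Proc-Type/DEK-Info headers mean the key was
 * not written in FIPS mode; the PKCS#8 "PRIVATE KEY" form is expected. */
int written_outside_fips(enum key_kind k) { return k == KEY_TRAD_ENC; }

/* Constructed samples: headers as in the thread, key bodies elided. */
static const char TRAD_ENC[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n";
static const char PKCS8_ENC[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";

int main(void)
{
    char c[32];
    enum key_kind k = classify_pem_key(TRAD_ENC, c, sizeof c);
    printf("kind=%d cipher=%s outside_fips=%d\n", k, c, written_outside_fips(k));
    k = classify_pem_key(PKCS8_ENC, c, sizeof c);
    printf("kind=%d outside_fips=%d\n", k, written_outside_fips(k));
    return 0;
}
```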
print implicit ASN1 application tag at top level
Hello

There must be an obvious answer to this...

Using a current release of OpenSSL source I have declared a new array of ASN1_TEMPLATES (i.e. ##name_seq_tt), by defining an ASN1_SEQUENCE_ref with some other ASN1 objects in it.

ASN1_SEQUENCE_APPLICATION_ref(FOO, FOO_cb, CRYPTO_LOCK_FOO) = {
    ...some ASN1 objects...
} ASN1_SEQUENCE_APPLICATION_END_ref(FOO, FOO)

IMPLEMENT_ASN1_FUNCTIONS(FOO)

I would like to allocate an implicit tag to the array itself, so that the first thing that prints out (when a FOO runs through tasn1enc.c and is displayed in DER format) is the ASN1 encoded tag of my choice (in this case 0x7F21), rather than the 0x308X of a standard ASN1 SEQUENCE.

I have worked out how to do it for the templates contained within the array (creating a new macro alongside ASN1_IMP defining ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION) and declaring the inner templates using the new macro, but am struggling with the top level one. Do I need to do something similar? Any ideas?

--
View this message in context: http://old.nabble.com/print-implicit-ASN1-application-tag-at-top-level-tp29913785p29913785.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: print implicit ASN1 application tag at top level
On Fri, Oct 08, 2010, anon.y.mous wrote:

> I have worked out how to do it for the templates contained within the array (creating a new macro alongside ASN1_IMP defining ASN1_TFLG_IMPTAG|ASN1_TFLG_APPLICATION) and declaring the inner templates using the new macro, but am struggling with the top level one. Do I need to do something similar? Any ideas?

You need a special type for the top level and item template. Check out the definition of GENERAL_NAMES for an example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Getting detailed ssl-handshake debug output
From: owner-openssl-us...@openssl.org On Behalf Of Jeff Saremi
Sent: Thursday, 07 October, 2010 15:15

> I'd like to know if there's a way -- programmatic, config, environment -- that I can get detailed print of what goes on during a handshake at the client or the server? Below is the output from Apache Tomcat as an example of the level of details i'm looking for:

Not in OpenSSL, I'm pretty sure.

If you can install other software on the same machine, or (usually?) another machine on the same LAN, WireShark from www.wireshark.org can display it on screen, or save a trace file which you can open and re-display later. I haven't found a way to capture the formatted display (except screen print on Windows).

This will only work for initial negotiation, since renegotiation is encrypted (unless the initial/current ciphersuite is eNULL). ssldump might work in that case, but I haven't tried it.
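Added example, not part of the thread and not code from OpenSSL or Wireshark: the initial negotiation mentioned in the reply above travels in the clear, so a captured ClientHello can be decoded directly from the record bytes. The struct, the function name and the sample record are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct hello {
    int major, minor;                 /* client_version: 3,1 is TLSv1 */
    uint32_t gmt;                     /* first four bytes of the random */
    size_t sid_len, n_suites, n_comp;
    uint16_t suites[32];
};

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Parse one plaintext TLS record carrying a ClientHello. Returns 0 on success,
 * -1 on truncated or malformed input. Trailing extensions are not decoded. */
int parse_client_hello(const uint8_t *b, size_t n, struct hello *h)
{
    if (n < 9 || b[0] != 22 || b[5] != 1) return -1;  /* handshake, client_hello */
    size_t rec = rd16(b + 3), len = (size_t)b[6] << 16 | rd16(b + 7);
    if (rec + 5 > n || len + 4 > rec || len < 2 + 32 + 1) return -1;
    const uint8_t *p = b + 9, *end = p + len;
    h->major = p[0]; h->minor = p[1];
    h->gmt = (uint32_t)rd16(p + 2) << 16 | rd16(p + 4);
    h->sid_len = p[2 + 32]; p += 2 + 32 + 1;          /* skip version and random */
    if (h->sid_len > 32 || (size_t)(end - p) < h->sid_len + 2) return -1;
    p += h->sid_len;
    size_t cs = rd16(p); p += 2;                      /* cipher_suites byte length */
    if (cs % 2 || (size_t)(end - p) < cs + 1) return -1;
    h->n_suites = 0;
    for (size_t i = 0; i < cs && h->n_suites < 32; i += 2)
        h->suites[h->n_suites++] = (uint16_t)rd16(p + i);
    h->n_comp = p[cs]; p += cs + 1;
    return (size_t)(end - p) < h->n_comp ? -1 : 0;
}

/* Constructed sample: TLSv1 ClientHello offering suites 0x0039, 0x002f, 0x00ff. */
static const uint8_t SAMPLE[54] = {
    0x16, 0x03, 0x01, 0x00, 0x31,  0x01, 0x00, 0x00, 0x2d,  0x03, 0x01,
    0x4c, 0xad, 0x00, 0x00,   /* gmt_unix_time; the other 28 random bytes are 0 */
    [43] = 0x00,              /* empty session id */
    0x00, 0x06, 0x00, 0x39, 0x00, 0x2f, 0x00, 0xff,  0x01, 0x00 };

int main(void)
{
    struct hello h;
    if (parse_client_hello(SAMPLE, sizeof SAMPLE, &h)) return 1;
    printf("ClientHello %d.%d gmt=%u suites:", h.major, h.minor, (unsigned)h.gmt);
    for (size_t i = 0; i < h.n_suites; i++) printf(" 0x%04x", (unsigned)h.suites[i]);
    puts("");
    return 0;
}
```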