RE: SSL documentation

2011-10-20 Thread Dave Thompson 
> From: owner-openssl-us...@openssl.org On Behalf Of Jakob Bohm
> Sent: Wednesday, 19 October, 2011 06:04

> On 10/19/2011 6:10 AM, Mohan Radhakrishnan wrote:
> >
> > Hi,
> >
> > Is there any material available that shows flows of one-way/two-ssl 
> > and different types of CA architectures ? We use two-way SSL and 
> > generate CSR's and update expired certificates and we are aware of the 
> > basic points.
> >
> I am not sure what you mean by "one-way" SSL.
> 
In context I'm sure he means server (only) authentication 
versus server and client authentication, which is commonly 
called just client auth or client cert since to users that 
is the visible difference. (There are suites with no auth 
at all -- A[EC]DH, KRB5, PSK -- but they are rarely used.)

The TLS RFCs (2246, 4346, 5246) show the maximal message flow, 
with description of which messages are omitted (or varied) 
in various cases. I don't know anything that lays out all 
the cases separately.

4158 describes and pictures several possible CA architectures, 
although some of them are IMHO not very practical.

> SSL does not deal with CSRs at all, those are used for CA operations
> and obtaining certificates, 
> 
SSL/TLS the protocol does not, but OpenSSL does. 


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Failing to verify the certificate of one specific site

2011-10-20 Thread Dave Thompson 
> From: owner-openssl-us...@openssl.org On Behalf Of Lucas Clemente Vella
> Sent: Wednesday, 19 October, 2011 22:44

> Then I found this directory in my system, "/etc/ssl/certs", containing
> my installed CA roots, which I provided to OpenSSL, instead of the
> certificate file: 

> It seems to me that there is one certificate installed in
> /etc/ssl/certs, which is different from the on I was providing, that
> is being used to verify the host. If it is so, how can I know what
> certificate is being used? And why Firefox and Chrome both use the
> former certificate I provided, while OpenSSL is unable to use it for
> the same host?
> 
s_client shows that host is providing a chain which has at #2 
"Digicert High Assurance EV Root CA" not actually a root but instead 
isssued by "Entrust.net Secure Server Certification Authority".
Such a cert with SHA1 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539 
found at www.entrust.net "Download roots" does verify the chain, 
and is in my Windows/IE(7) and FF3.6 and Java(6u24) truststores 
"out of the box", so if your /etc/ssl/certs was put together with 
the "usual suspects" (a la Casablanca) very likely it's in there.

The #2 from graph.facebook.com and the root from digicert.com have 
the same public key and keyid so either one can verify the children 
(which (both) have AKI.keyid). I don't know why both forms exist 
and I don't see anything obvious on the Digicert website about it.
The dates are different: the #2 is 20061001 to 20140726 while the 
true root is 20061110 to 2030; possibly digicert initially got 
cross-signed by entrust and then established their own root(s).


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Help Needed: SSL Connect starting from a weird state

2011-10-20 Thread Jeff Saremi 
We've been running our SSL code for a while now with no issues. But
recently one of our developers started encountering this problem.
We did the best we could to troubleshoot to no avail. I know the 
problem is not OpenSSL and it's something we're doing incorrectly,
probably at the start up.

The problem:
SSL completed without having done a single send or receive during the
handshake.

What we get in the print out, after issuing SSL_connect() is this:

Printout:
18:13:56.925 [4228] connect
18:13:56.927 [4228] SSL nonblock rc:-1 shutdown:0 state:23WCHA
(from:UNKWN )
18:13:56.928 [4228] ssl_err:5 SSL_ERROR_SYSCALL

The rough version of the code printing the above is this:
printf("connect\n");
const char *fromState = SSL_state_string(mSsl);
rc = SSL_connect(mSsl);
printf("SSL nonblock rc:%d shutdown:%d state:%s (from:%s)\n",
rc,
SSL_get_shutdown(mSsl),
SSL_state_string(mSsl),
fromState);
int ssl_error = SSL_get_error(mSsl, rc);
switch(ssl_error)
{
case SSL_ERROR_SYSCALL:
  printf("%d SSL_ERROR_SYSCALL\n", SSL_ERROR_SYSCALL);
...


What I would expect to see would be something along the lines of the
following:

SSL nonblock rc:1 shutdown:0 state:SSLOK (from:UNKWN )

or
SSL nonblock rc:-1 shutdown:0 state:SSLOK (from:SSLOK )


For additional debugging I have enabled callbacks using the following
too:
SSL_set_msg_callback

And I see a lot of that happening but not in this case.
In this particular case, after switching the destination IP and port all
we get is what I showed you. Not even one single byte is exchanged
anywhere.

Looking inside ssl_stat.c I see the following:
case SSL23_ST_CW_CLNT_HELLO_A:  str="23WCHA"; break;

Looking inside s23_clnt.c I see these lines near the beginning of
ssl23_client_hello():

buf=(unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)

How can my code start in this state?

Any hints would be appreciated.
thanks
jeff

FIPS_mode_set call fails

2011-10-20 Thread Sert, Banu Cicek 
Hello,

I just want to ask for  help on a point.

I have openssl 0.9.8r development version and just build the FIPS 1.2.3 
modules.When I call FIPS_mode_set(1) in my application , it always returns 0.

What I have done so far is the following:
*I have set up perl
*I have downloaded the openssl fips 1.2.3.tar.gz and open that manually
*build that with the command ms\do_fips no-asm
*I have found the file fipscanister.lib and linked that to my application

Now I have no error while building the applicaiton or calling the function but 
it always returns 0. And when call the FIPS_mode it is 0.

I am using Microsoft Visual Studio2010. My operating system is Windows XP 32 
bits.

Could ypu please give an idea , am I missing something??

and also on web I have found that I am supposed to use  fipslink.pl to 
statically link FIPS module to my application. and do not know how to do that? 
or may it be the problem??
Many thanks and regards,
Banu
Software Developer

OpenSSL Engine - configurable ciphers/digests

2011-10-20 Thread com...@gmx.ch 

Hi,


I need some help with a special case: a dynamic engine with non-static 
or configureable ciphers.



While I do not use cryptodev, the code provides a good example of the 
intial problem:

http://cvs.openssl.org/fileview?f=openssl/crypto/engine/eng_cryptodev.c&v=1.23

I basically have it working, but there is a problem, during the first 
call to af_alg_ciphers() I have to list all ciphers the engine *could* 
support or none, as af_alg_ctrl() gets called later.
If I respond with all ciphers, OpenSSL will assume I support all of 
them, and bail out unfriendly if told later on a given cipher is not 
supported in af_alg_ciphers().
If I claim there are no supported ciphers during this initital call to 
af_alg_ciphers(), the auto-engine loading feature via openssl.cnf does 
not work and software using openssl may require modifications to use the 
engine.


The code and instructions for my engine is available here:
http://src.carnivore.it/users/common/af_alg/

The comments for cryptodev_usable_ciphers and cryptodev_usable_digests 
show there is a demand for a way to configure the ciphers/digests run by 
the particular engine.

How to do it properly?

I want this to be a runtime option, not a compile time option.


MfG
Markus
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Problem with Server-Client Sessions with SSL proxy

2011-10-20 Thread saurabh pandya 
Hi all,

Problem seems very wired to me. please bear some deficiency in
explaining the problem

I am writing one Small HTTPS proxy (trasparent proxy only ) for study work.

Client(IE)---Encrypted traffic---> || ClientSocket <---Plain text>
ServerSocket --Encrypted traffic-->Https_WebServer

In short I am doing man in middle for HTTPS content filtering... and I
have chosen
OPEN SSL for that.

Well I am redirecting port 443 traffic to my tcp listener which get all incoming
SSL traffic , i am making outbound connection for this client connection using
another socket, and reading data between for some kind of content filtering.

I have generated my selfsign CA, Private Key and using them for generating
server certificate to present to client.

ISSUE:
Its works fine with some sites like

https://encrypted.google.com
https://twitter.com

Where I am able to present newly generated certificate for each site and
signed with my CA. (I have added my Self Signed CA cert in client browser)

But with FaceBook, I am facing problem.

Facebook webpage is making few sessions a248.e.akamai.net , tcpdump
shows that akamai.net is sending server certificates only NO CA certificate
in their certificate chain. With  extension one of them is (keyUsage:
keyEncipherment)
while I am representing my made of this server certificate (with this
keyUsage exetension),
browser is rejecting my certificate by throwing error that Bad Certificate.

--

I can send code/pseudo code, tcpdump captures/Pcaps if some anybody want.
I am pulling my hair for days .. for making it work for facebook.

---
I have tried X509_new() , by directly generating certificate and
also tried by X509_REQ  (first making certificate req and then
certificate creation
by X509_new)
--

Any indication/direction would be appreciate.

-
Thanks
Saurabh Pandya
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org