FIPS OM 2.0 in application shared library?

2012-04-24 Thread dave.mclellan
Hi.  We are experimenting with the FIPS 2.0 Object Module RC1 and the recent
GA of OpenSSL 1.0.1.  We have a successful FIPS-capable build of OpenSSL and
we've verified it with the openssl CLI with OPENSSL_FIPS=1 set.  Our
experiments are currently limited to Linux X86_64, and we are not using
assembler optimizations.

We are able to build FIPS into our application shared library in two scenarios:

1.  Where our shared library links against the libcrypto.so and libssl.so
(and fipscanister.o obviously).

2.  Where our shared library links statically with libcrypto.a and
libssl.a (and fipscanister.o obviously).  The reasons we want to do this are
too messy for this mail.

When the application calls FIPS_mode_set(), in Case 1 above (shared), it is
successful.  In Case 2 (static), FIPS_mode_set() returns "fingerprint
mismatch".

The User Guide implies both in sections 5.3 and 5.4 that linking FIPS
OM/OpenSSL into an application shared library is permitted and acceptable.

THE MAIN QUESTION IS: is Case #2 supported?  Should we be able to create an
application shared library with a statically linked libcrypto.a (and
fipscanister.o)?  If the answer is YES, then we'll return to our drawing
board.  If the answer is NO, then we move to a different drawing board.

Thanks for a simple YES or NO, but other explanatory details are welcome.

Dave

+-+-+-+-+-+-+
Dave McLellan, Symmetrix Software Engineering
EMC Corporation, 176 South St, Hopkinton MA
Mail Stop 176-B1 1/P-36
office 508-249-1257, fax 508-497-8027
cell 978-500-2546
+-+-+-+-+-+-+



Re: FIPS OM 2.0 in application shared library?

2012-04-24 Thread Dr. Stephen Henson
On Mon, Apr 23, 2012, dave.mclel...@emc.com wrote:

> Hi.  We are experimenting with the FIPS 2.0 Object Module RC1 and the recent
> GA of OpenSSL 1.0.1.  We have a successful FIPS-capable build of OpenSSL and
> we've verified it with the openssl CLI with OPENSSL_FIPS=1 set.  Our
> experiments are currently limited to Linux X86_64, and we are not using
> assembler optimizations.
>
> We are able to build FIPS into our application shared library in two
> scenarios:
>
> 1.  Where our shared library links against the libcrypto.so and
> libssl.so (and fipscanister.o obviously).
>
> 2.  Where our shared library links statically with libcrypto.a and
> libssl.a (and fipscanister.o obviously).  The reasons we want to do this are
> too messy for this mail.
>
> When the application calls FIPS_mode_set(), in Case 1 above (shared), it is
> successful.  In Case 2 (static), FIPS_mode_set() returns "fingerprint
> mismatch".
>
> The User Guide implies both in sections 5.3 and 5.4 that linking FIPS
> OM/OpenSSL into an application shared library is permitted and acceptable.
>
> THE MAIN QUESTION IS: is Case #2 supported?  Should we be able to create
> an application shared library with a statically linked libcrypto.a (and
> fipscanister.o)?  If the answer is YES, then we'll return to our drawing
> board.  If the answer is NO, then we move to a different drawing board.
>
> Thanks for a simple YES or NO, but other explanatory details are welcome.
>

The short answer is YES. 

The longer answer is that if you link to a FIPS capable OpenSSL shared
library you don't need to perform any special link procedure because the
signature is already embedded in the shared library. If you statically link
then you need to embed the signature in the application (which might be an
executable or a shared library) so if you aren't using the "fipsld" utility
for the shared library link that's what's causing the problem.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


RE: FIPS OM 2.0 in application shared library?

2012-04-24 Thread dave.mclellan
Hi Dr. Steve. Thank you very much.   

In our static case, we are using fipsld to link libcrypto and fipscanister with 
our objects.   It seems successful, and produces a loadable shared library.  
But the self-test of FIPS_mode_set() is unable to match the signature.   

So we will keep experimenting.   

Thanks again. 

Dave. 



"SSLv3 bad record mac" with Ruby OpenSSL

2012-04-24 Thread Luke Carpenter
Hi,

I am attempting to implement the STARTTLS extension (RFC 3207) for SMTP in
Ruby, and I'm not getting very far because, if I'm perfectly honest, I don't
know my way around OpenSSL, nor SSL itself.

My aim is to allow an SMTP client to open a standard TCP socket, send
"STARTTLS", the server and client initiate and secure an SSL connection, and
then the SMTP session is considered secure.

The code was working during testing, but in production where it is taking
"heavy" load, I will see the message "SSLv3 bad record mac" appearing as an
SSLError exception about 1 in every 10 requests.

I have cobbled together the various code from method lists, and
consequently, I'm not sure if this is the recommended method for going about
this (evidently not, as I'm occasionally reading binary from the socket,
causing a JSON parse error when I attempt to queue the message), but I would
very much appreciate any help you could give me with finding the bug in this
code:

require 'openssl'

def process_starttls
  send_line "220 Go ahead"
  @state.clear
  @ssl = true
  @ctx = OpenSSL::SSL::SSLContext.new
  @ctx.cert = OpenSSL::X509::Certificate.new(
    File.read("/home/luke/Dropbox/Keys/ghstwrks.com.crt"))
  @ctx.key = OpenSSL::PKey::RSA.new(
    File.read("/home/luke/Dropbox/Keys/ghstwrks.com.key"), "not_an_actual_secret")
  # Wrap the plaintext socket; from here on @socket is the TLS socket.
  @socket = OpenSSL::SSL::SSLSocket.new(@socket, @ctx)
  @socket.accept
end


The errors will occur when reading from @socket later on in the program

I would be eternally grateful if anybody could teach me how OpenSSL sockets
work, or point me the direction of a resource which can

I can pay you back with documentation if you would like?


Thanks,
Luke


RE: OpenSSL 1.0.1a

2012-04-24 Thread Spence, Thomas CIV USAF AFDW 844 CS/SCOX
Hello...

I am using AIX 5.3 with gcc 4.3.5.

A few months ago, I had no problem with OpenSSL 1.0.1.  Recently, I downloaded
1.0.1a, then compiled but got an error message...  Here is what I did:

# ./Configure aix-gcc
(no problem)

# make
.
.
gcc -DMONOLITH -I.. -I../include  -DOPENSSL_THREADS -pthread -DDSO_DLFCN 
-DHAVE_DLFCN_H -O -DB_ENDIAN -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM 
-DAES_ASM   -c -o openssl.o openssl.c
rm -f openssl
shlib_target=; if [ -n "" ]; then \
shlib_target="aix-shared"; \
elif [ -n "" ]; then \
  FIPSLD_CC="gcc"; CC=/usr/local/ssl/fips-2.0/bin/fipsld; export CC FIPSLD_CC; \
fi; \
LIBRARIES="-L.. -lssl  -L.. -lcrypto" ; \
make -f ../Makefile.shared -e \
APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o 
dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o 
rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o 
genpkey.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o 
app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o 
pkeyparam.o pkeyutl.o spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o 
srp.o" \
LIBDEPS=" $LIBRARIES " \
link_app.${shlib_target}
make[2]: Entering directory `/x/openssl-1.0.1a/apps'
( :; LIBDEPS="${LIBDEPS:--L.. -lssl  -L.. -lcrypto }"; LDCMD="${LDCMD:-gcc}"; 
LDFLAGS="${LDFLAGS:--DOPENSSL_THREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -O 
-DB_ENDIAN -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DAES_ASM}"; 
LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | 
uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; 
LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o 
${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o 
enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o 
dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o genpkey.o s_server.o 
s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o 
sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o 
spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o ${LIBDEPS} )
ld: 0711-317 ERROR: Undefined symbol: OPENSSL_ia32cap_P
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/x/openssl-1.0.1a/apps'
make[1]: *** [openssl] Error 2
make[1]: Leaving directory `/x/openssl-1.0.1a/apps'
make: *** [build_apps] Error 1

Let me know what is wrong with it?  Thanks so much.

Tom


Newbie Question here...

2012-04-24 Thread BFinkeldei
I have installed Win32 Binary including OpenSSL 0.9.8t (MSI Installer):
httpd-2.2.22-win32-x86-openssl-0.9.8t.msi on my windows server.  I want
to upgrade JUST OpenSSL that's bundled with this install to the latest PCI
compliant version.  I want to go to OpenSSL 0.9.8u or possibly w.  How
can I do just that?

Is there a step by step guide out there?

Thanks,

Brad

Re: Newbie Question here...

2012-04-24 Thread Jakob Bohm

On 4/24/2012 6:19 PM, bfinkel...@aaamissouri.com wrote:

> I have installed Win32 Binary including OpenSSL 0.9.8t (MSI
> Installer): httpd-2.2.22-win32-x86-openssl-0.9.8t.msi
> on my windows server.  I want to upgrade JUST OpenSSL that's bundled
> with this install to the latest PCI compliant version.  I want to go
> to OpenSSL 0.9.8u or possibly w.  How can I do just that?
>
> Is there a step by step guide out there?


1. Find out how the people who made that bundle compiled OpenSSL, in
   particular if they used the standard compile or made some changes.
2. If they made their own changes to OpenSSL, you will need to find
   someone who knows how to make the same changes to the latest OpenSSL
   (version 0.9.8w, released earlier today).
3. If they used the standard compile, go to
   http://openssl.org/related/binaries.html, follow the link to the
   prebuilt binaries by Shining Light Productions and wait for them to
   make a 0.9.8w package (a few minutes ago, they only had 0.9.8v,
   which is still better than 0.9.8t).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Upgrading OPENSSL

2012-04-24 Thread BFinkeldei
I have installed Apache HTTP Server with OpenSSL 0.9.8t (MSI Installer)
from the Apache.org site.

Here is the file I downloaded and installed:
httpd-2.2.22-win32-x86-openssl-0.9.8t.msi

I want to upgrade OpenSSL on that machine without having to upgrade Apache
too.

How do I do that?  Step by step?  Do I just need to get the binaries and
install them over the old files?
If so, what files and locations, etc.?  Never done it before and not sure
what to do.

Thanks,

Brad Finkeldei

Re: Upgrading OPENSSL

2012-04-24 Thread Luke Carpenter
I would not advise attempting that. Apache is compiled against a version of
OpenSSL, and simply swapping out the binaries Indiana-Jones style will
probably land you with a segfault.

From a preliminary search, it looks like you will need to re-compile the
Apache module mod_ssl against a later version of Apache.

I must admit, I don't have much experience with HTTPD, but I can remember
that modules are dynamically linked, meaning you can upgrade mod_ssl
without having to re-compile Apache, but you will need to re-compile mod_ssl.

I would suggest asking this question on the Apache HTTPD mailing list -
http://httpd.apache.org/userslist.html

Good luck

Thanks,
Luke


On Tue, Apr 24, 2012 at 7:14 PM,  wrote:

>
> I have installed Apache HTTP Server with OpenSSL 0.9.8t (MSI Installer)
> From the Apache.org Site.
>
> Here is the file I downloaded and installed:
> httpd-2.2.22-win32-x86-openssl-0.9.8t.msi
>
> I want to upgrade OpenSSL on that machine without having to upgrade Apache
> too.
>
> How do I do that?  step by step?  Do i just need to get the binaries and
> install them over the old files?
> If so what files and locations, etc.. Never done it before and not sure
> what to do.
>
> Thanks,
>
> Brad Finkeldei


Re: Upgrading OPENSSL

2012-04-24 Thread BFinkeldei
Thanks Luke, appreciate the feedback!!

Brad Finkeldei







Re: Please tell me about encryption API of OpenSSL 1.0.1

2012-04-24 Thread Matt Caswell (fr...@baggins.org)

On 23/04/12 13:16, MauMau wrote:

> Apart from that, let me go back to my original question 4 in my first
> mail.
>
> Q4: Do I have to call EVP_EncryptInit_ex/EVP_DecryptInit_ex for each
> block/record? I'm concerned about the overhead of those functions. For
> example, I want to make function calls as follows. However, this does not
> seem to work.
>
> /* one-time initialization */
> ERR_load_crypto_strings();
> OpenSSL_add_all_algorithms();
> EVP_CIPHER_CTX_init(&enc_ctx);
> EVP_CIPHER_CTX_init(&dec_ctx);
> EVP_EncryptInit_ex(&enc_ctx, EVP_aes_256_cbc(), NULL, key, iv);
> EVP_CIPHER_CTX_set_padding(&enc_ctx, 0);
> EVP_DecryptInit_ex(&dec_ctx, EVP_aes_256_cbc(), NULL, key, iv);
> EVP_CIPHER_CTX_set_padding(&dec_ctx, 0);
>
> /* encrypt first block */
> EVP_EncryptUpdate(&enc_ctx, block1, &outlen, block1, 4096);
> /* encrypt second block */
> EVP_EncryptUpdate(&enc_ctx, block2, &outlen, block2, 4096);
>
> /* decrypt second block */
> EVP_DecryptUpdate(&dec_ctx, block2, &outlen, block2, 4096);
> /* decrypt first block */
> EVP_DecryptUpdate(&dec_ctx, block1, &outlen, block1, 4096);
>
> The above code produces wrong data for block2. ...



I have modified your code to use XTS, which I think will achieve what 
you want to do:

 - It supports random read and write access to your data
 - It is standards based so you don't have to make up your own way of 
doing things and potentially open yourself up to security issues
 - You do not have to store a separate key and/or IV for each of the 
records that you want to encrypt


Some things to note about using XTS:
 - XTS is only supported in the latest (1.0.1) version of openssl so 
you must be using that for this to work
 - The key length is double the size of a standard AES key of the same 
strength, i.e. for AES 256 you must supply a 512 bit key
 - You do not have to use an IV. Instead you supply a so-called 
"tweak". This needs to be unique for each record (what you have called a 
"block") that you are working with. However it does not need to be 
random - it can be a simple unique identifier for the block.


The modified code is as follows:

#include <openssl/evp.h>
#include <openssl/err.h>

/* Fragment, as in the original: the declarations below were added so it
 * compiles inside a function; key, block1 and block2 are filled in by the
 * caller, and return values are unchecked here (production code checks each
 * call for 1). 1.0.x API: contexts live on the stack and are set up with
 * EVP_CIPHER_CTX_init(). */
EVP_CIPHER_CTX enc_ctx, dec_ctx;
unsigned char key[64];                    /* AES-256-XTS: two 256-bit keys */
unsigned char block1[4096], block2[4096]; /* one record each */
unsigned char tweak[16] = {0};            /* 16-byte tweak, handed over in the IV slot */
int outlen;

/* one-time initialization */
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
EVP_CIPHER_CTX_init(&enc_ctx);
EVP_CIPHER_CTX_init(&dec_ctx);
EVP_EncryptInit_ex(&enc_ctx, EVP_aes_256_xts(), NULL, key, NULL);
/* KEY MUST BE 512 BITS!!! */
EVP_CIPHER_CTX_set_padding(&enc_ctx, 0);
EVP_DecryptInit_ex(&dec_ctx, EVP_aes_256_xts(), NULL, key, NULL);
EVP_CIPHER_CTX_set_padding(&dec_ctx, 0);

/* encrypt first block: a further *Init_ex with NULL cipher and NULL key
 * keeps the key and only loads the new tweak */
tweak[15] = 1; /* Tweak for block1 */
EVP_EncryptInit_ex(&enc_ctx, NULL, NULL, NULL, tweak);
EVP_EncryptUpdate(&enc_ctx, block1, &outlen, block1, 4096);

/* encrypt second block */
tweak[15] = 2; /* Tweak for block2 */
EVP_EncryptInit_ex(&enc_ctx, NULL, NULL, NULL, tweak);
EVP_EncryptUpdate(&enc_ctx, block2, &outlen, block2, 4096);

/* decrypt second block */
tweak[15] = 2; /* Tweak for block2 */
EVP_DecryptInit_ex(&dec_ctx, NULL, NULL, NULL, tweak);
EVP_DecryptUpdate(&dec_ctx, block2, &outlen, block2, 4096);

/* decrypt first block */
tweak[15] = 1; /* Tweak for block1 */
EVP_DecryptInit_ex(&dec_ctx, NULL, NULL, NULL, tweak);
EVP_DecryptUpdate(&dec_ctx, block1, &outlen, block1, 4096);

/* release the contexts when done */
EVP_CIPHER_CTX_cleanup(&enc_ctx);
EVP_CIPHER_CTX_cleanup(&dec_ctx);

Hope that helps.

Matt


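
The two approaches in the exchange above, written out as an added example in
Ruby against the same OpenSSL cipher objects (this is not Matt's or MauMau's
code; the 4096-byte record size, the big-endian record-number tweak and the
random sample records are constructed for the demo). The chained CBC
contexts from the question cannot decrypt record 2 on its own, whereas
AES-256-XTS with a per-record tweak gives independent random access. The last
function goes one step beyond the thread and shows the caveat an XTS user
needs to know: XTS carries no integrity check, so a flipped ciphertext bit
silently scrambles exactly one 16-byte unit and nothing else, which is why
tamper-sensitive records still need a MAC or an AEAD mode on top.

```ruby
require 'openssl'
require 'securerandom'

RECORD_SIZE = 4096   # bytes per record, as in the thread (constructed value)

# The layout from the question: both records pushed through one chained CBC
# context, so record 2's ciphertext depends on the last block of record 1.
# Returns [record 2 fully recovered?, record 2 recovered after its first 16 bytes?]
def cbc_chained_random_access(key, iv, records)
  enc = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  enc.key = key
  enc.iv = iv
  enc.padding = 0
  cts = records.map { |r| enc.update(r) }     # chain state carries across calls
  dec = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  dec.key = key
  dec.iv = iv                                 # wrong starting point for record 2
  dec.padding = 0
  pt2 = dec.update(cts[1])
  [pt2 == records[1], pt2[16..-1] == records[1][16..-1]]
end

# XTS: one 512-bit key, a 16-byte tweak per record, no chaining between
# records. The tweak here is the record number (constructed convention); it
# must be unique per record but need not be secret or random.
def xts_tweak(index)
  [index].pack('Q>').rjust(16, "\0")
end

def xts_seal(key, index, record)
  raise ArgumentError, 'AES-256-XTS needs a 512-bit (64-byte) key' unless key.bytesize == 64
  c = OpenSSL::Cipher.new('aes-256-xts').encrypt
  c.key = key
  c.iv  = xts_tweak(index)   # the tweak travels in the IV slot, as in the EVP call
  c.update(record) + c.final
end

def xts_open(key, index, ciphertext)
  c = OpenSSL::Cipher.new('aes-256-xts').decrypt
  c.key = key
  c.iv  = xts_tweak(index)
  c.update(ciphertext) + c.final
end

# XTS has no integrity: flipping one ciphertext bit scrambles exactly the
# 16-byte unit it sits in. Returns how many units of the record changed.
def xts_units_damaged_by_bitflip(key, index, record, unit)
  ct  = xts_seal(key, index, record)
  pos = unit * 16 + 5
  ct.setbyte(pos, ct.getbyte(pos) ^ 0x01)
  pt  = xts_open(key, index, ct)
  (0...(record.bytesize / 16)).count { |u| pt[u * 16, 16] != record[u * 16, 16] }
end

def record_encryption_demo
  r1 = SecureRandom.random_bytes(RECORD_SIZE)
  r2 = SecureRandom.random_bytes(RECORD_SIZE)
  cbc_full, cbc_tail = cbc_chained_random_access(SecureRandom.random_bytes(32),
                                                 SecureRandom.random_bytes(16), [r1, r2])
  key = SecureRandom.random_bytes(64)
  ct2 = xts_seal(key, 2, r2)
  {
    cbc_record2_alone:   cbc_full,                       # false: first block garbled
    cbc_record2_tail_ok: cbc_tail,                       # true: CBC resynchronises after one block
    xts_record2_alone:   xts_open(key, 2, ct2) == r2,    # true: no dependence on record 1
    xts_wrong_tweak:     xts_open(key, 1, ct2) == r2,    # false: tweak binds ciphertext to its record
    xts_units_damaged:   xts_units_damaged_by_bitflip(key, 1, r1, 3)  # 1
  }
end
```

Run `record_encryption_demo` to see the five outcomes side by side. The
`xts_wrong_tweak` entry is the property that makes the record number a safe
tweak: a ciphertext moved to another record position decrypts to noise, and
the `xts_units_damaged` entry is the reason XTS on its own is a
confidentiality tool, not a tamper-evident one.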


RE: a question about openssl sessions

2012-04-24 Thread Dave Thompson
(kept HTML because otherwise too much status lost, but my Outlook
tends to screw up formatting when editing HTML; sorry for any glitches)

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Stéphane Charette
Sent: Saturday, 21 April, 2012 04:14
To: openssl-users@openssl.org
Subject: Re: a question about openssl sessions

> On Thu, Apr 19, 2012 at 19:45, Dave Thompson  wrote:
>
> > > From: owner-openssl-us...@openssl.org On Behalf Of Stéphane Charette
> > > Sent: Sunday, 15 April, 2012 20:31
> > >
> > > I'm using Openssl to talk to a server that expects to re-use ssl
> > > sessions when a client needs to open many SSL connections.  I have
> > > the same code working on Linux and Windows.
> >
> > Using classic resumption (sessionid) or RFC4507 ticket?
>
> Thanks for the reply, Dave.  I believe this is using the classic resumption
> (sessionid).
>
> I did write up some sample code to demonstrate the problem.  And using some
> Mac/iPhone/iPad app to establish SSL connections to FileZilla, this has been
> confirmed on many devices, so I'm almost certain it isn't just my code.
> Unless I happen to have made the exact same mistake in the sample code as
> the application has done.

This isn't clear. Do you mean other FTP client apps work while yours
doesn't? Or do you mean other apps also fail? Also hang, or any different
kind of failure?

> Here is the sample application that works on Linux/Windows, but which hangs
> when the SSL connection is first established on the Mac:
>
> http://charette.no-ip.com:81/asio-openssl/
>
> This code establishes the first SSL connection, then attempts to reuse the
> session ID to open up a 2nd connection.  On a Mac, iPhone, and iPad, it
> hangs when the 2nd connection is established.

This appears to involve a whole layer of boost stuff I know nothing about,
so I comment only on the OpenSSL part. If that layer is doing something
to your socket(s), especially if it's OS-dependent (which system-library
type stuff sometimes is) that could be part of your problem.

> > Your posted code below doesn't check for error from SSL_connect;
> > if you do check what do you see?
>
> Note that my code does check for errors.  In the e-mail and in the sample
> code, I did trim a lot of lines to try and make a more concise posting.

Good. In general when posting code if you want to suppress irrelevant
sections it's a good idea to leave a comment. But where your question
actually involves handling an error, it's better to leave *that* part in.
Specifically here:

The name SSL_get_error may be misleading; its return isn't always an
'error', just a condition to which your code may need to respond
differently. The man page calls it result code. When you get any return
other than success from SSL_connect SSL_read etc. you should call
SSL_get_error and if that returns SSL_ERROR_SSL you should look at the
error-queue, simplest with ERR_print_errors[_fp] if you have a suitable
FILE*, typically stdout or stderr, or a suitable BIO; or custom logic with
ERR_get_error ERR_error_string et al. Note ERR_get_error != SSL_get_error.

For SSL_ERROR_SYSCALL you should usually try both the error-queue and the
OS-level socket error, which in Unix (including AFAIK MacOSX) is errno.

The SSL_WANT_* returns should occur only(?) if you use nonblocking sockets
(and boost::asio sounds to me like something that might use nonblocking) or
certain unusual callbacks (not evident here), and your code needs to re-try
the SSL_connect etc call at a suitable later time, which probably depends on
how you manage your threads, which you say nothing about. You might be
better off doing a single-thread program first before trying multithreading.

Your comments say you got SSL_connect() != 1 but not what you got
from SSL_get_error, and whether it's the same on different OSes,
much less the error-queue and/or errno.

And for non-protocol SSL* calls like _set_session _load_verify_locations
_use_PrivateKey that have a 'failure' return (usually 0 or NULL), and
(most?) libcrypto calls like EVP* BIO* RSA* etc. that do so, again
you should also look at the error-queue (skipping SSL_get_error).

> > Can you recreate the problem with commandline s_client with -sess_out
> > on the first connection and -sess_in on the second, with or without
> > -no_ticket? If so, -debug and -state will probably be helpful.
>
> Can I re-create the problem with the command-line ssl tool since it requires
> copying and re-using a ssl sessionid while the first control ssl socket is
> still active and in use?  Is this what you're saying with -sess_out and
> -sess_in, that I can export the ssl session and re-import it even though it
> is a different context in a different application?

More exactly, it requires copying and reusing the whole 'session' which
includes session-id, negotiated ciphersuite etc., mostly-exchanged master
secret, and some other information. Within a process, including threads,
you can just use pointers to a single session objec
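
The server-side upgrade from Luke Carpenter's STARTTLS question earlier on
this page and the session reuse Stéphane is attempting are two halves of one
flow, so here is a single added Ruby example covering both. It is not code
from either poster or from the OpenSSL project; the self-signed certificate,
the 'localhost' server name, the banner text and the EHLO exchange are
constructed for the demo, and everything runs against 127.0.0.1 in one
process. The server refuses anything pipelined behind STARTTLS, replaces the
plaintext socket with the SSLSocket for every later read, and keeps one
SSLContext across connections so its session cache can honour a resumption;
the client verifies the certificate and host name, hands the first
connection's session to the second before connect, and reports
session_reused?. A failed connect raises OpenSSL::SSL::SSLError whose
message carries the error-queue text, which is the information Dave asks
for above.

```ruby
require 'openssl'
require 'socket'

SERVER_NAME = 'localhost'  # name on the demo certificate (constructed)

# Throwaway self-signed certificate so the example runs offline; a real
# server loads its CA-issued certificate and key from disk instead.
def make_self_signed(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}"))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server side of one STARTTLS upgrade. The SSLContext is created once by the
# caller: its session cache and ticket key must outlive a single connection.
def serve_starttls(listener, ctx)
  raw = listener.accept
  raw.write("220 mail.example ESMTP\r\n")
  cmd = raw.gets.to_s.strip
  unless cmd.casecmp?('STARTTLS')
    raw.close
    return :no_starttls
  end
  # Bytes already buffered behind STARTTLS were sent before the tunnel
  # existed; drop the connection rather than guess who sent them.
  if raw.read_nonblock(1, exception: false).is_a?(String)
    raw.write("554 data after STARTTLS\r\n")
    raw.close
    return :pipelined
  end
  raw.write("220 Go ahead\r\n")
  tls = OpenSSL::SSL::SSLSocket.new(raw, ctx)
  tls.sync_close = true   # closing tls also closes raw
  tls.accept
  # From here on every read and write goes through tls. Reading raw again
  # desynchronises the record layer and shows up as MAC/decrypt errors.
  ehlo = tls.gets.to_s.chomp
  tls.write("250 resumed=#{tls.session_reused?}\r\n")
  tls.close
  ehlo
end

# Client side: upgrade, verify the server certificate and its name, and
# resume an earlier session when one is supplied.
def starttls_client(host, port, trusted_cert, session = nil)
  raw = TCPSocket.new(host, port)
  raw.gets                                   # banner
  raw.write("STARTTLS\r\n")
  go = raw.gets.to_s.chomp
  raise "STARTTLS refused: #{go}" unless go.start_with?('220')
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trusted_cert) }
  # Classic session-id/ticket resumption as in the thread; under TLS 1.3 the
  # session only arrives after the handshake and would need a read first.
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  tls = OpenSSL::SSL::SSLSocket.new(raw, ctx)
  tls.sync_close = true
  tls.hostname = SERVER_NAME                 # SNI
  tls.session  = session if session          # must be set before connect
  tls.connect                                # SSLError carries the error-queue text
  tls.post_connection_check(SERVER_NAME)     # name check is not part of connect
  tls.write("EHLO client.example\r\n")
  reply = tls.gets.to_s.chomp
  # Read the session state before close: close resets the SSL object.
  result = { go_ahead: go, reply: reply, reused: tls.session_reused?, session: tls.session }
  tls.close
  result
end

# Two STARTTLS connections against one server context; the second one
# presents the session the first one negotiated.
def starttls_with_resumption
  cert, key = make_self_signed(SERVER_NAME)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key  = key
  sctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  listener = TCPServer.new('127.0.0.1', 0)
  port = listener.addr[1]
  server = Thread.new { Array.new(2) { serve_starttls(listener, sctx) } }
  first  = starttls_client('127.0.0.1', port, cert)
  second = starttls_client('127.0.0.1', port, cert, first[:session])
  seen = server.value
  listener.close
  { first: first, second: second, server_saw: seen }
end
```

Call `starttls_with_resumption` to run both connections; the first reports
`reused: false`, the second `reused: true` and a `250 resumed=true` reply,
because the same SSLContext object served both. Create the context per
connection and resumption silently stops working, which is the first thing
to check when a server that should resume never does.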

Re: Unknown CA error

2012-04-24 Thread Appaji Yelamarthi
Hi,
Just "thank you" is an understatement; I completely admire your prompt
response.
Based on your reply, I realized the device was having a certificate that
did not share a common root certificate with my server root
certificate (the issuer was found to be different when I observed its
details). Now I can perform https communication after
reloading the correct ca certificates on the device.
And pointing the pound config to the correct certificate location helped! :-)

Thanks again, your help is a lot appreciated.



On 4/19/12, Jakob Bohm  wrote:
> On 4/18/2012 8:47 PM, Appaji Yelamarthi wrote:
>> Hi there,
>> I'm facing 'Unknown CA' error during ssl handshake messages between
>> client(a network device) and server (pound).
>> sorry am not much familiar with openssl library usage but setting up
>> the pound reverse proxy which use openssl 0.9.8 on redhat linux.
> First off: "Unknown CA" error from server to client means that *client*
> certificate was signed by a CA which the SSL server was not configured
> to trust as an issuer of client certificates.
>> Done a lot of googling but no clear pointers were available yet.
>> Please can anybody mention all possible list of causes behind this
>> error.
>> This error is (thrown by server to client) observed in wireshark. This
>> happens immediately after client sends 'Finished'.
>>
>> Observation:
>> A wireshark debug log (using RSA private key) shows me client and
>> server agreed on cipher sent by client cipher list(1).
>> However  openssl cipher command (one of 'AES' i think
>> TLS_DH_RSA_WITH_AES_128_CBC_SHA agreed by client/server) doesn't show
>> up this cipher. Am not suspecting (so eagerly) unknown ca error is
>> just because of this as i may have also done any other mistake.
>>
>> Hence mentioning all steps followed here. Pls correct me in case.
>> 1. Generated private key (not passphrase protected), csr using openssl
>> with a copy of openssl.cnf in a custom directory. this cnf file barely
>> filled with required fields (like OU, CN etc) in 2 mandatory sections
>> as mentioned in the man page.
> OK.
>> 2. Received tgz which contains ca, intermediate and server certificate
>> (for test purpose which have a month expiry) from own organization CA.
> OK.
>> 3. As part of setup of this certificates on server, struggling while
>> following not so clear man page of pound and openssl.
> Will try to help you a bit here:
>> 4. Appended private key to server certificate
> OK
>> 5. Appended intermediate cert to ca cert to make chain cert.
> Yes, the file for the server cert as used by pound server should be simply
>
> # cat serverCert.pem ServerKey.pem
> ServerIssuingIntermediaryCACert.pem ServerIssuingCACert.pem >
> /etc/pound/pound.pem
>
>> 6. Verified all certificates using openssl verify command which says
>> OK post copying ca, oem cert (and hash'd.0 ) to openssl certs
>> directory. Here tried various things hashing on individual ca, oem
>> within certs directory so root or ca certificate can be locatable and
>> trustable!  There was no clear documentation on this crucial step. Not
>> sure if this hash has to  happen on chained cert only or on individual
>> ca, intermediate(oem) certificate only as mentioned in other sources.
> None of this hashing is needed for the *server* cert on the *server*.
>
> And pound won't use it for client certs either, see below
>> 7.Then applied openssl -addtrust command on ca certificate.
> Not useful,
>
> -addtrust is an option to various openssl utility subcommands
> and only affects that one run of the openssl command.
>> 8.Now tested using pound https listener with all certs, trust
>> available/a network device which makes https request to pound https
>> listener which use the server and ca (or chain!) certificate in ssl
>> certs directory!!
> Pound takes the server CA certificate from pound.pem and nowhere else,
> there is no point putting it in the openssl cert directory (for server
> cert purposes).
>> All these tests resulted unknown ca error whenever client certificate
>> verification is enabled.
> Because none of those steps configure what *client* certificates to trust.
>> 9. Also tested various other methods unsuccessfully like
>> openssl s_server/s_client and
>> s_server/browser. Though these are not going to be effective as client
>> certificate will not be sent by them as pound ssl listener demands !!
> According to the man page for 2.5 (taken from a Debian system, hope
> it is the same for RedHat), the procedure to configure client
> certificate auth with pound is as follows:
>
> 1. Figure out (from your usage scenario) which Intermediary and top CAs
> issue client certificates you want to trust.
>
> For example if you want to trust all client certificates issued by
> IntermediaryCA1 or IntermediaryCA2, but not any other Client certificates
> issued by other intermediary CAs below that same local or public CA, the
> answer is "IntermediaryCA1 and IntermediaryCA2".
>
> As another example, if you want to trust