Re: Enabling Logging in OpenSSL
Thanks Dave, Please find my reply inline. On Tue, Sep 11, 2012 at 8:08 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Monday, 10 September, 2012 08:17 On Mon, Sep 10, 2012 at 1:52 PM, Dave Thompson dthomp...@prinpay.com wrote: 2. If it's a handshake failure, can you use commandline s_client? That has logging builtin, use -msg and/or -debug . MithunLast time i used i got the below ...openssl s_client -connect NC-WIN2008X64:1433 -state -debug -msg -ssl3 snip SSL_connect:SSLv3 write client hello A read from 08A018A8 [08A06E50] (5 bytes = 0 (0x0)) SSL_connect:failed in SSLv3 read server hello A 12542:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529: I see your reply Read count 0 nominally means the server closed the TCP connection, neither continuing the handshake (with ServerHello)nor cleanly aborting (with alert). A compliant server shouldn't do this, but some do, especially if it judges you shouldn't be allowed to connect e.g. blacklisted IPaddr, too many attempts too fast, etc. Ask the server operator(s) why it didn't/doesn't like you. Alternatively, there is a remote possibility some middlebox in your network path such as a firewall is doing the close. However middleboxes usually do this earlier: on the TCP connection (SYN) not during SSL handshake, which is just data to the TCP/IP level. Any work around that you suggest ? I didn't notice before, but 1433 on Windows is usually SQLServer. If so, SQLServer doesn't start in SSL; it starts in a SQLServer protocol (TDS) and optionally switches to SSL. If you connect to 1433 and just start an SSL handshake, SQLServer will consider this a violation of TDS protocol. This falls under the case in my prior reply make sure the server is doing SSL. And in fact on my elderly SQLServer2005 Express, connecting to 1433 and starting -ssl3 handshake does exactly as you report, with an event logged: source=MSSQLSERVER eventid=17836 Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 127.0.0.1] whereas a (default) ssl2 clienthello hangs (at least 1minute). Looking briefly at a trace of a clear TDS connection, it appears that bytes 2 and 3 are (bigendian inclusive) length, and in ssl3 clienthello these are 00 00 which is clearly invalid, whereas in ssl2 clienthello they are 01 00 which is longer than the message actually sent, thus the server is likely waiting for the rest of the supposed TDS message. In this case, you must implement the TDS protocol, or at least the part of it that starts SSL. (And once you get SSL, you still need to implement the TDS protocol if you want to use the connection for anything.) I haven't found protocol doc or sourcecode available from Microsoft (which doesn't prove it isn't there somewhere I don't know about). freetds.sourceforge.net claims to be an opensource driver implementation, using either gnutls or openssl; I haven't tried it, but it might work for you, or looking at the source might help. jtds.sourceforge.net is a Java port of freetds that I do use okay, and Java's SSL implementation (JSSE) has the feature that (fairly verbose) logging can be turned on by a sysprop without code change: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefG uide.html#Debug If 1433 is not SQLServer, I'm back to: find out what it dislikes. MithunI am trying to connect to SQLServer which by default starts in TDS. you said *And in fact on my elderly SQLServer2005 Express, connecting to 1433 and starting -ssl3 handshake does exactly as you report, with an event logged: source=MSSQLSERVER eventid=17836* Did you get the events logged in SQLServer Log's? Can you please elaborate so that i can confirm what i am seeing? JSSE tracing indeed gives in detail log on the handshake , Unfortunately i am not sure how to enable the same on SQLServer !!! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: HTTPS connection hangs during SSL handshake
Is there no one in the community who can help me to find the cause of the problem ? On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami supratiksek...@gmail.com wrote: I am using OpenSSL version : openssl-1.0.0j in our production. I am facing a strange problem where the SSL connection simply hangs during initial handshake when requested from our office IP address. When I run the same command from another IP address it works fine. From office IP (Unsuccessful connection): [root@gateway ]# openssl s_client -connect test.mydomain.com:443 CONNECTED(0003) From a different IP (Successful connection): ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect test.mydomain.com:443 CONNECTED(0003) depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com --- Server certificate -BEGIN CERTIFICATE- REMOVED FOR SECURITY REASON -END CERTIFICATE- subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 --- No client certificate CA names sent --- SSL handshake has read 4827 bytes and written 435 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: RC4-SHA Session-ID: 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533 Session-ID-ctx: Master-Key: 22B470A67XXXB50ED6237BE9 Key-Arg : None Start Time: 1346765613 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain Any ideas ? -- Warm Regards Supratik -- Warm Regards Supratik __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS linking a shared object
Found my own answer on an earlier thread. You need the option -Wl,-Bsymbolic to link a shared libary (that has static linked ssl-fips) correctly On Mon, Sep 10, 2012 at 5:43 PM, Jason Todd ja...@bluntstick.com wrote: So I can build a fips compliant executable and turn fips on/off (this is on linux). But when I try to statically link the fips enabled openssl into a shared object, the signature that it generates at runtime gets hosed. For example, here is my library: #include FIPSTest.h #include stdio.h #include openssl/err.h #include openssl/crypto.h #include openssl/evp.h #include openssl/fips.h #include string.h extern const void *FIPS_text_start(), *FIPS_text_end(); extern const unsigned char FIPS_rodata_start[], FIPS_rodata_end[]; extern unsigned char FIPS_signature[20]; extern unsigned intFIPS_incore_fingerprint(unsigned char *,unsigned int); void doFipsTest() { unsigned char sig[EVP_MAX_MD_SIZE]; unsigned int len,len2; unsigned int i; len=FIPS_incore_fingerprint(sig,sizeof(sig)); printf(FIPS_witness::%d\n,len); printf(current FIPS_MODE: %ld\n,FIPS_mode()); printf(.text:%p+%d=%p\n,FIPS_text_start(), (int)((size_t)FIPS_text_end()-(size_t)FIPS_text_start()), FIPS_text_end()); printf(.rodata:%p+%d=%p\n,FIPS_rodata_start, (int)((size_t)FIPS_rodata_end-(size_t)FIPS_rodata_start), FIPS_rodata_end); printf(sig:); for (i=0;ilen;i++) { printf(%02x,sig[i]); } printf(\n); printf(fips_sig:); for (i=0;i(unsigned int)strlen((char *)FIPS_signature);i++) { printf(%02x,FIPS_signature[i]); } printf(\n); long ret = FIPS_mode_set(1); if(ret) { printf(FIPS_MODE_set: passed : %ld\n,FIPS_mode()); } else { printf(FIPS_MODE_set: failed: %ld\n,FIPS_mode()); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); exit(1); } fprintf(stderr,current FIPS_MODE: %ld\n,FIPS_mode()); } That compiles into a shared library: FIPSLIBDIR=/usr/local/ssl/fips-2.0/lib FIPSLD_CC=gcc fipsld -o libblahtest.so FIPSTest.c -fPIC -shared -I../target/include/ -L../target/lib -lcrypto -ldl And then link that to just a shell main that calls the test: gcc -o libTest main.c -lblahtest -L. But the signatures don't match during runtime: 3086362252:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:229: FIPS_witness::20 current FIPS_MODE: 0 .text:0x461c84+323712=0x4b0d04 .rodata:0x551d60+54144=0x55f0e0 sig:75f0a9bf86f62839419e238afcee6e3e11f6de20 fips_sig:063541af4498ccf10d68cdd24d285c2cc4019207 FIPS_MODE_set: failed: 0 However if i collapse that into just one executable, it will work. Any ideas?
RES: HTTPS connection hangs during SSL handshake
For any SSL connection, you have to assure that: 1- The cpu's can reach each other (the hostname test.mydomain.com must be also resolved). You may use ping, HTTP, FTP to check it out; 2- Certificates or CA chain from each endpoint must be inserted in the opposite side as trust cert; 3- The both sides must have at least one cipher in common; 4- No NAT or Firewall is filtering the messages. I have never made a connection by openssl command line, so, I can't tell you how to check it out . I advice you to use some sniffer in at least one side, then you can reach the error, eg. where handshake is failuring, get the error code, etc... Using this you might be able to solve your problemm. As I saw your logs, perhaps one side doesn't trust in the opposite cert received. That may happen for many reasons. I've already got some cases that the hostname (in your case test.mydomain.com) must match with certificate common name (CN). I hope it helps. Leonardo -Mensagem original- De: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Em nome de Supratik Goswami Enviada em: terça-feira, 11 de setembro de 2012 10:15 Para: openssl-users@openssl.org Assunto: Re: HTTPS connection hangs during SSL handshake Is there no one in the community who can help me to find the cause of the problem ? On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami supratiksek...@gmail.com wrote: I am using OpenSSL version : openssl-1.0.0j in our production. I am facing a strange problem where the SSL connection simply hangs during initial handshake when requested from our office IP address. When I run the same command from another IP address it works fine. From office IP (Unsuccessful connection): [root@gateway ]# openssl s_client -connect test.mydomain.com:443 CONNECTED(0003) From a different IP (Successful connection): ubuntu@ip-10-0-0-10 (Development):~$ openssl s_client -connect test.mydomain.com:443 CONNECTED(0003) depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=i...@valicert.com --- Server certificate -BEGIN CERTIFICATE- REMOVED FOR SECURITY REASON -END CERTIFICATE- subject=/O=*.mydomain.com/OU=Domain Control Validated/CN=*.mydomain.com issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287 --- No client certificate CA names sent --- SSL handshake has read 4827 bytes and written 435 bytes --- New, TLSv1/SSLv3, Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher: RC4-SHA Session-ID: 276ADBFB75336E7E870C5E109B4C5F6AFB8328C8775029EF135C5DA6F8608533 Session-ID-ctx: Master-Key: 22B470A67XXXB50ED6237BE9 Key-Arg : None Start Time: 1346765613 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain Any ideas ? -- Warm Regards Supratik -- Warm Regards Supratik __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssl on a home LAN
I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: openssl on a home LAN
unless somebody is gonna tap your LAN connection, I don't see a point in using SSL. Generally its useful only when you want to send secure application data over the internet. Intranets are safe esp ur 2 home computers :). thanks --Gayathri On Tue, Sep 11, 2012 at 11:36 AM, John A. Wallace jw72...@verizon.netwrote: ** I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could Iconnect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RE: openssl on a home LAN
Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL under the covers, but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: openssl on a home LAN
On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace jw72...@verizon.netwrote: ** I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could Iconnect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks. openssl, almost certainly not. That is, unless you're planning on doing some web development and/or hosting a website on your home LAN. In that case, you'd use openssl to make the certificates and keys necessary to support HTTPS on your web server or application server, as well as to create the CSR when it comes time to buy your domain name and then a more useful certificate signed by one fo the commercial CAs. But, if you use wireless connections between your computers and your router/modem (whatever your ISP provided), then it is sufficient to secure that connection, which is itself just a matter of properly configuring your router and computers. Your router probably came with instructions that tell you how to secure wireless connections between your computers and the router; possibly for Windows only, and possibly for Windows, and Linux, depending on the quality of your ISP. If all your computers can browse the web using your modem, it is possible to get them to connect to each other also; but that falls into the realm of knowing how to use your computers; especially how to configure them to work together. For information about that, Google is your friend, and apart from that, your best line of support will be the support provided by whoever distributes your OS (usually mail lists supported by whichever Linux distribution you're using, and their FAQs). Unless you're a web application programmer, you really don't need anything other than the services of the operating systems you're using. Cheers Ted
RE: openssl on a home LAN
Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL under the covers, but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RE: openssl on a home LAN
Hi, Ted. What you said makes good sense and answers my question completely. I appreciate your help. Thank you. John From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Ted Byers Sent: Tuesday, September 11, 2012 1:35 PM To: openssl-users@openssl.org Subject: Re: openssl on a home LAN On Tue, Sep 11, 2012 at 12:36 PM, John A. Wallace jw72...@verizon.net wrote: I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks. openssl, almost certainly not. That is, unless you're planning on doing some web development and/or hosting a website on your home LAN. In that case, you'd use openssl to make the certificates and keys necessary to support HTTPS on your web server or application server, as well as to create the CSR when it comes time to buy your domain name and then a more useful certificate signed by one fo the commercial CAs. But, if you use wireless connections between your computers and your router/modem (whatever your ISP provided), then it is sufficient to secure that connection, which is itself just a matter of properly configuring your router and computers. Your router probably came with instructions that tell you how to secure wireless connections between your computers and the router; possibly for Windows only, and possibly for Windows, and Linux, depending on the quality of your ISP. If all your computers can browse the web using your modem, it is possible to get them to connect to each other also; but that falls into the realm of knowing how to use your computers; especially how to configure them to work together. For information about that, Google is your friend, and apart from that, your best line of support will be the support provided by whoever distributes your OS (usually mail lists supported by whichever Linux distribution you're using, and their FAQs). Unless you're a web application programmer, you really don't need anything other than the services of the operating systems you're using. Cheers Ted
RE: openssl on a home LAN
Right. Are you an application developer? In other words, do you write computer programs? Does the following mean anything to you? int main(int argc, char *argv[]) { printf(hello world\n); return 0; } Or alternatively, are you a Web site operator? Do you host a Web site that others access? If the answer to both of these questions is No, then you are welcome to hang out here but the answer to your original question, whether there is any point in using openssl is No. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:07 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL under the covers, but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Parsing X509 certificate subjectAltName
I'm 90% deep into parsing an X509 certificate, but I can't find sample code for the last piece. I found the extension, and located the ASN1_OBJECT with nid 85, OID 2.5.29.17, the subjectAltName. From the dumpasn output, I see that this is an octet string of a sequence, etc. I have to pull out the three OIDs '2.23.133.2. [1, 2, and 3]' which are presumably in the ASN1_OBJECT. Can anyone point me to sample code or a hint? ~~ 515 3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) : . . . . . . (X.509 extension) 01 01 FF 520 1: . . . . . BOOLEAN TRUE 04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 523 74: . . . . . OCTET STRING, encapsulates { 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 525 72: . . . . . . SEQUENCE { A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 527 70: . . . . . . . [4] { 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 529 68: . . . . . . . . SEQUENCE { 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30 531 66: . . . . . . . . . SET { 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30 533 20: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 01 535 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' 13 0B 69 64 3A 35 37 34 35 34 33 30 30 542 11: . . . . . . . . . . . PrintableString 'id:57454300' : . . . . . . . . . . . } 30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 555 24: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 02 557 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78 564 15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' : . . . . . . . . . . . } 30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31 581 16: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 03 583 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' 13 07 69 64 3A 30 33 39 31 590 7: . . . . . . . . . . . PrintableString 'id:0391' : . . . . . . . . . . . } : . . . . . . . . . . } : . . . . . . . . . } : . . . . . . . . } : . . . . . . . } : . . . . . . } : . . . . . } -- Ken Goldman kgold...@us.ibm.com 914-945-2415 (862-2415)
RE: Parsing X509 certificate subjectAltName
bool Comm::isAltNameMatch(X509 *certificate, const char *nodeName) { // there is alternative code on page 136 of O'Reilly OpenSSL unsigned char *pBuffer = NULL; int length = 0; GENERAL_NAMES *subjectAltNames; bool b; subjectAltNames = (GENERAL_NAMES*) X509_get_ext_d2i(certificate, NID_subject_alt_name, NULL, NULL); if ( subjectAltNames ) { int numberOfAlts; int i; // get number of names. Supposed to be at least one, but don't count on it numberOfAlts = sk_GENERAL_NAME_num (subjectAltNames); // loop through all of the alternate names for ( i = 0; i numberOfAlts; i++) { // get a handle to alternative name i const GENERAL_NAME *pName = sk_GENERAL_NAME_value (subjectAltNames, i); // what did we get? switch (pName-type) { case GEN_DNS: case GEN_URI: case GEN_IPADD: ASN1_STRING_to_UTF8(pBuffer, pName-d.ia5); b = isWildcardedCNcompare(reinterpret_castchar *(pBuffer), nodeName); OPENSSL_free(pBuffer); if ( b ) return true; break; case GEN_OTHERNAME: case GEN_EMAIL: case GEN_X400: case GEN_DIRNAME: case GEN_EDIPARTY: case GEN_RID: default: break; } } } // fall through or no alt names return false; } Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kenneth Goldman Sent: Tuesday, September 11, 2012 2:14 PM To: openssl-users@openssl.org Subject: Parsing X509 certificate subjectAltName I'm 90% deep into parsing an X509 certificate, but I can't find sample code for the last piece. I found the extension, and located the ASN1_OBJECT with nid 85, OID 2.5.29.17, the subjectAltName. From the dumpasn output, I see that this is an octet string of a sequence, etc. I have to pull out the three OIDs '2.23.133.2. [1, 2, and 3]' which are presumably in the ASN1_OBJECT. Can anyone point me to sample code or a hint? ~~ 515 3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17) : . . . . . . (X.509 extension) 01 01 FF 520 1: . . . . . BOOLEAN TRUE 04 4A 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 523 74: . . . . . OCTET STRING, encapsulates { 30 48 A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 525 72: . . . . . . SEQUENCE { A4 46 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 527 70: . . . . . . . [4] { 30 44 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 529 68: . . . . . . . . SEQUENCE { 31 42 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30 531 66: . . . . . . . . . SET { 30 14 06 05 67 81 05 02 01 13 0B 69 64 3A 35 37 34 35 34 33 30 30 533 20: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 01 535 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 1' 13 0B 69 64 3A 35 37 34 35 34 33 30 30 542 11: . . . . . . . . . . . PrintableString 'id:57454300' : . . . . . . . . . . . } 30 18 06 05 67 81 05 02 02 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 555 24: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 02 557 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 2' 13 0F 4E 50 43 54 34 32 78 2F 4E 50 43 54 35 30 78 564 15: . . . . . . . . . . . PrintableString 'NPCT42x/NPCT50x' : . . . . . . . . . . . } 30 10 06 05 67 81 05 02 03 13 07 69 64 3A 30 33 39 31 581 16: . . . . . . . . . . SEQUENCE { 06 05 67 81 05 02 03 583 5: . . . . . . . . . . . OBJECT IDENTIFIER '2 23 133 2 3' 13 07 69 64 3A 30 33 39 31 590 7: . . . . . . . . . . .
Why is the OpenSSL documentation incomplete?
I have seen a lot of applications that utilize the OpenSSL library, however I see that the majority of the documentation is incomplete. In particular, I need some documentation for the EC package in the 'crypto' sub-folder, I mean, it's not possible for application developers to generate Elliptic Curve keys without first understanding how to use it,in what order and how to initialize it. Any help on this?
RE: openssl on a home LAN
You don't use OpenSSL on a home LAN, you use applications or OS layers that might use OpenSSL in their implementation. In general OpenSSL is a toolkit that provides cryptography and SSL/TLS implementations. I think you have to be more specific about what you mean by phrases like connect Windows with Linux. Do you mean file sharing? Remote desktop? Backup solutions? Remote command prompts? Each usage will use some sort of enabling technology that you would have to research to determine its security, and many of these solutions might just as well already be using OpenSSL. Erik Tkal Juniper OAC/UAC/Pulse Development From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:36 PM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
Re: Why is the OpenSSL documentation incomplete?
On Wed, 2012-09-12 at 00:28 +0300, farmdve data.bg wrote: I have seen a lot of applications that utilize the OpenSSL library, however I see that the majority of the documentation is incomplete. In particular, I need some documentation for the EC package in the 'crypto' sub-folder, I mean, it's not possible for application developers to generate Elliptic Curve keys without first understanding how to use it,in what order and how to initialize it. Any help on this? Please see this patch which I submitted some while ago, but unfortunately is still showing as new :-( http://rt.openssl.org/Ticket/Display.html?id=2799 This is my attempt at adding documentation for the EC library. Matt PS Apologies if you have received this twice. Problem between chair and keyboard on first sending attempt! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Parsing X509 certificate subjectAltName
On Tue, Sep 11, 2012, Charles Mills wrote: { case GEN_DNS: case GEN_URI: case GEN_IPADD: ASN1_STRING_to_UTF8(pBuffer, pName-d.ia5); b = isWildcardedCNcompare(reinterpret_castchar *(pBuffer), nodeName); Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING representing the IP address in a format described by RFC3280 et al. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Parsing X509 certificate subjectAltName
Thanks! Charles -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Tuesday, September 11, 2012 3:46 PM To: openssl-users@openssl.org Subject: Re: Parsing X509 certificate subjectAltName On Tue, Sep 11, 2012, Charles Mills wrote: { case GEN_DNS: case GEN_URI: case GEN_IPADD: ASN1_STRING_to_UTF8(pBuffer, pName-d.ia5); b = isWildcardedCNcompare(reinterpret_castchar *(pBuffer), nodeName); Don't do that with the GEN_IPADD: it isn't an IA5String it is an OCTETSTRING representing the IP address in a format described by RFC3280 et al. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: openssl on a home LAN
Charlie, Frankly, you condescending manner is starting to annoy me, considerably. Furthermore, your name is not on this page as one of the moderators of this group: http://www.openssl.org/about/. Moreover, I don't believe I need your permission to hang out here. You need to read the link I provided you all the way to the end, it says that this group is for 1. Developers 2. OpenSSL usage 3. Installation problems Now inasmuch as my question pertained to OpenSSL Usage, i.e., number 2 above, well I think that makes my asking it a legitimate question for this group. If you don't like it, you can just learn to use your reading program and ignore me. Thank you very much. J John From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 3:22 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Right. Are you an application developer? In other words, do you write computer programs? Does the following mean anything to you? int main(int argc, char *argv[]) { printf(hello world\n); return 0; } Or alternatively, are you a Web site operator? Do you host a Web site that others access? If the answer to both of these questions is No, then you are welcome to hang out here but the answer to your original question, whether there is any point in using openssl is No. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 12:07 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Hi. I am not trying to be mean or something, but you may want to take a look at this page: http://www.openssl.org/support/community.html Focusing on the part that describes this list, one can read this about its purpose: Application Development, OpenSSL Usage, Installation Problems, etc. That looks clear to me in that this list would provide support for the type of question I just asked, or did I misunderstand you? J Thanks. From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills Sent: Tuesday, September 11, 2012 12:52 PM To: openssl-users@openssl.org Subject: RE: openssl on a home LAN Do you write computer programs, or are you a home user of personal computers? If you don't write computer programs, then using OpenSSL at the level addressed by this mailing list is not what you are looking for. Some of the products you might buy might use OpenSSL under the covers, but you would get support generally directly from the companies that produce those products, not this mailing list. Not trying to be mean or off-putting. If I have missed the mark please let me know. Charles From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace Sent: Tuesday, September 11, 2012 9:36 AM To: openssl-users@openssl.org Subject: openssl on a home LAN I am trying to figure out whether there is any point in using openssl on a home LAN between two computers. Would that improve on security in any way? Would I be limited in the types of OS connections? I mean, could I connect Windows with Linux? Also, if I want to make such a connection between two OS running in virtual machines, could that be done too? Thanks.
RE: Enabling Logging in OpenSSL
From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar Sent: Tuesday, 11 September, 2012 02:10 On Tue, Sep 11, 2012 at 8:08 AM, Dave Thompson dthomp...@prinpay.com wrote: snip I didn't notice before, but 1433 on Windows is usually SQLServer. If so, SQLServer doesn't start in SSL; it starts in a SQLServer protocol (TDS) and optionally switches to SSL. If you connect to 1433 and just start an SSL handshake, SQLServer will consider this a violation of TDS protocol. snip And in fact on my elderly SQLServer2005 Express, connecting to 1433 and starting -ssl3 handshake does exactly as you report, with an event logged: source=MSSQLSERVER eventid=17836 Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: 127.0.0.1] whereas a (default) ssl2 clienthello hangs (at least 1minute). snip In this case, you must implement the TDS protocol, or at least the part of it that starts SSL. snip jtds.sourceforge.net is a Java port of freetds that I do use okay, and Java's SSL implementation (JSSE) has the feature that (fairly verbose) logging can be turned on by a sysprop snip MithunI am trying to connect to SQLServer which by default starts in TDS. you said And in fact on my elderly SQLServer2005 Express, connecting to 1433 and starting -ssl3 handshake does exactly as you report, with an event logged: source=MSSQLSERVER eventid=17836 Did you get the events logged in SQLServer Log's? Can you please elaborate so that i can confirm what i am seeing? I found it in the Windows application eventlog because that's quicker for me to use, but it is also in the SQLServer ERRORLOG. There was exactly one event for the one ssl3 handshake attempt. JSSE tracing indeed gives in detail log on the handshake , Unfortunately i am not sure how to enable the same on SQLServer !!! I don't know about any SSL or other connection logging in SQLServer. But do you need to? If there is no network problem in between, the messages sent and received by the client, here jtds, are the same as the messages received and sent by the server. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: HTTPS connection hangs during SSL handshake
From: owner-openssl-us...@openssl.org On Behalf Of Leonardo Laface de Almeida Sent: Tuesday, 11 September, 2012 10:08 To: openssl-users@openssl.org For any SSL connection, you have to assure that: 1- The cpu's can reach each other (the hostname test.mydomain.com must be also resolved). You may use ping, HTTP, FTP to check it out; More exactly, the TCP stacks must be able to connect. That requires slightly more than IP reachability -- not much more, but enough to be a problem in rare cases. But CONNECTED(fd) from s_client means they *did* TCP connect, so that's not the problem here. 2- Certificates or CA chain from each endpoint must be inserted in the opposite side as trust cert; A problem here would cause a handshake error not a hang. 3- The both sides must have at least one cipher in common; A problem here would cause a handshake error not a hang. 4- No NAT or Firewall is filtering the messages. Yes, or possibly other middlebox, see below. I have never made a connection by openssl command line, so, I can't tell you how to check it out . I advice you to use some sniffer in at least one side, then you can reach the error, eg. where handshake is failuring, get the error code, etc... Using this you might be able to solve your problemm. Maybe both sides, see below. As I saw your logs, perhaps one side doesn't trust in the opposite cert received. That may happen for many reasons. I've already got some cases that the hostname (in your case test.mydomain.com) must match with certificate common name (CN). According to the log posted, his host is www.mydomain.com and the cert is for *.mydomain.com . That is a valid wildcard match, and should be acceptable to any conforming client. But openssl library and s_client doesn't do hostname matching at all. (*Apps* using openssl normally should, and at least some do.) I don't know if mydomain is supposedly real or munged for posting. mydomain.com is a real company and test.mydomain.com doesn't resolve publicly and the cert chain used for {www.,}mydomain.com publicly is wholly different from the OP's log. OP's s_client fails to verify the received chain because it (apparently) doesn't have the ValiCert root in its truststore. Official openssl does not distribute any default trusted roots, although custom packages of it may, as may apps using it. OP probably didn't install a default truststore (or possibly is using a build that has the default truststore wrong). But failure to verify should cause a real app to reject the connection, and s_client as a test tool overrides the verify error and continues. Neither of these is a hang. In the other direction, s_client doesn't do client authentication and send a client cert unless explicitly specified, which the OP didn't. If the server wants client-auth and client doesn't provide it or provides a cert (chain) which server doesn't trust, that will give a handshake error, not a hang. -Mensagem original- De: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] Em nome de Supratik Goswami Enviada em: terça-feira, 11 de setembro de 2012 10:15 Para: openssl-users@openssl.org Assunto: Re: HTTPS connection hangs during SSL handshake Is there no one in the community who can help me to find the cause of the problem ? On Tue, Sep 4, 2012 at 7:21 PM, Supratik Goswami supratiksek...@gmail.com wrote: I am using OpenSSL version : openssl-1.0.0j in our production. I am facing a strange problem where the SSL connection simply hangs during initial handshake when requested from our office IP address. When I run the same command from another IP address it works fine. From office IP (Unsuccessful connection): [root@gateway ]# openssl s_client -connect test.mydomain.com:443 CONNECTED(0003) Use s_client with at least -state and preferably -debug or -msg (you don't need both) to see how far it's getting in the handshake. If you receive some handshake messages but not all, it practically must be the server; talk to the server operator(s). It would be unusual, but not impossible, for the server to mishandle connections from one IP while it works for another. If you receive no message at all, it might be server (try them) or it might be network weirdness as (Mr?) de Almeida suggests; try a sniffer on your client machine or near it (same LAN), and if that looks okay also try one on or near the server (you may need server operator(s) to do that). For Windows or Mac, I recommend www.wireshark.org . Very capable, easy to install and use, well maintained. I don't know an equally good solution for Linux, but there may be one, or at minimum you can capture with tcpdump and if it's anything more complicated than no-response you can copy the capture and decode with wireshark. One possibility -- some servers want to lookup in DNS the address of the client who connects to them (called reverse DNS or rDNS). If