Re: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

[Ashok C]

Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?

--
Ashok

On Wed, Sep 12, 2012 at 2:59 PM, Ashok C  wrote:

> Hi,
>
> I don't think this question was answered. Could you please reply?
>
> --
> Ashok
>
>
> On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion <
> klaus.mailingli...@pernau.at> wrote:
>
>> Hi!
>>
>> I wrote a small program which dumps all root certificates from Windows
>> certificate store into a file. Then I use openssl to connect to Google and
>> validate its certificate:
>>
>> openssl s_client -connect www.google.com:443 -CAfile dump.crt
>>
>> When using openssl0.9.8k or openssl0.9.8x everything works as expected.
>>
>> When using openssl1.0.0g or openssl 1.0.1c the certificate validation
>> fails with:
>>   Verify return code: 10 (certificate has expired)
>>
>> CONNECTED(016C)
>> depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
>> Certification Authority
>> verify error:num=10:certificate has expired
>> notAfter=Jan  7 23:59:59 2004 GMT
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=**Mountain View/O=Google Inc/CN=www.google.com
>>i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>  1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
>>i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
>> Authority
>>
>> When analyzing the cafile with the dumped certificates from Windows
>> certificate store, I found out that there are two certificates for Verisign
>> with identical subject, whereas one is expired, the other not.
>>
>> X.509 Certificate Information:
>> Version: 1
>> Serial Number (hex): 00e49efdf33ae80ecfa5113e19a424**0232
>> Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>> Validity:
>> Not Before: Mon Jan 29 00:00:00 UTC 1996
>> Not After: Wed Jan 07 23:59:59 UTC 2004
>> Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>> Subject Public Key Algorithm: RSA
>>
>> X.509 Certificate Information:
>> Version: 1
>> Serial Number (hex): 70bae41d10d92934b638ca7b03ccba**bf
>> Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>> Validity:
>> Not Before: Mon Jan 29 00:00:00 UTC 1996
>> Not After: Tue Aug 01 23:59:59 UTC 2028
>> Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
>> Certification Authority
>> Subject Public Key Algorithm: RSA
>>
>>
>> Thus, it seems that openssl 0.9.8 just ignores the expired certificate
>> and searches if there is another valid one whereas openssl 1.0.0 stop with
>> the first expired certificate.
>>
>> Is the new behavior the intended behavior? Is it possible to have the old
>> behavior also in new openssl versions?
>>
>> Thanks
>> Klaus
>>
>> __**__**
>> __
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing Listopenssl-users@openssl.org
>> Automated List Manager   majord...@openssl.org
>>
>
>

Re: Memory issues with ssl handshake

[Michel]

Hi Thomas,

I don't know if it makes a real difference concerning memory leaks,
but I would have freed the TLS session *BEFORE* freing the context :
   SSL_free(ssl);
   ...
   SSL_CTX_free(ssl->ctx);
Does your app setup and free a context each time a client is connecting ?

Le 12/09/2012 16:58, Thomas Eckert a écrit :

Hi,

Valgrind gives me a *lot* of messages like this

==19021== 2,056 bytes in 2 blocks are indirectly lost in loss record 
186 of 190
==19021==at 0x68EAC8B: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)

==19021==by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==by 0x6C73BB2: BN_set_bit (bn_lib.c:730)
==19021==by 0x6C7E16E: BN_MONT_CTX_set (bn_mont.c:514)
==19021==by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==by 0x8060D14: ssl_connect (ssl.c:1078)

Compared to the above they vary only in one line, e.g.

==19021== 1,024 bytes in 2 blocks are indirectly lost in loss record 
181 of 190
==19021==at 0x68EAC8B: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)

==19021==by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==by 0x6C73D53: BN_copy (bn_lib.c:506)
==19021==by 0x6C7DFCA: BN_MONT_CTX_set (bn_mont.c:421)
==19021==by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==by 0x8060D14: ssl_connect (ssl.c:1078)

The application in question is a http proxy and is leaking memory 
heavily. Actually, Valgrind also reports many entries as "still 
reachable" instead of "indirectly lost" but even those regions are 
mentioned by Valgrind like the above two blocks.


I doubt OpenSSL has such blatant memory leaks but I have been 
searching for the leaks for some time now and just cannot find 
anything - also due to the fact that Valgrind reports all the leaks 
like above, which is not really helpful. I do realize that for 
detailed help I would need to give some code on how the connections 
are set up but that code is pretty large. So best would be some hint 
as to where to look for or what regions of code to supply.


Looking for hints as to what is going wrong I went through some of the 
OpenSSL functions mentioned above and after "leaving my code" and 
entering OpenSSL code the only thing being passed around the functions 
is the actual SSL object - and no buffers of any kind. So I suppose 
the source of the problem lies in setting up the object, it's context 
or what ever is stuck to it.


The first thing I checked on was how the SSL connections are torn down 
in my application:

   ERR_remove_state(0);
   SSL_CTX_free(ssl->ctx);
   SSL_free(ssl);
The first line was added only after starting the search for the leaks 
and I'm still not sure if that line doesn't break anything.


I did find some minor leaks in my code along the way (e.g. a forgotten 
ASN1_INTEGER_free()) but they were neither easy to find - because 
Valgrind also reported them like the above two blocks, meaning in the 
wrong place! - nor did they change much.


Does anyone have some tips for me ?
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org




__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Memory issues with ssl handshake

[Michel]

Hi again Thomas,

Do you really need to free your context each time you free your TLS 
session ?

I believe it is not needed and at least not usual.
If you need several *DIFFERENT* contexts, implying different TLS 
configurations/setup, wich, I think, is not so common,
you can keep them 'alive' during all your app 'run', even in 
multi-threaded programs.
It would allow you to access some activity informations like the ones 
documented in :

http://www.openssl.org/docs/ssl/SSL_CTX_sess_number.html

Hope this helps,
Regards

Le 13/09/2012 10:39, Thomas a écrit :

Hi Michel,

Thanks for trying to help, I really appreciate it :-)

"Does your app setup and free a context each time a client is 
connecting ?"


The context is created only when a client requests a HTTPS connection 
and is destroyed together with the SSL session once the connection 
goes down. It is rather related to connections then to clients since 
one client can open several connections but I think you implied one 
connection per client and then the answer is 'yes'.


I will try freeing the session before the context and come back with 
the results.


Regards,
 Thomas



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: build openssl for android

[Indtiny s]

Hi,
adding more to my previous problem reference post :

That library is there in the ndk floder

/home/indu/Android/android-ndk-r8b/platforms/android-9/arch-x86/usr/lib/libz.a
/home/indu/Android/android-ndk-r8b/platforms/android-9/arch-x86/usr/lib/libz.so
/home/indu/Android/android-ndk-r8b//platforms/android-9/arch-arm/usr/lib/libz.so
/home/indu/Android/android-ndk-r8b//platforms/android-4/arch-arm/usr/lib/libz.so
/home/indu/Android/android-ndk-r8b//platforms/android-8/arch-arm/usr/lib/libz.so
/home/indu/Android/android-ndk-r8b//platforms/android-5/arch-arm/usr/lib/libz.so
/home/indu/Android/android-ndk-r8b//platforms/android-3/arch-arm/usr/lib/libz.so


*But I'm getting the following error when with ndk-build *

/home/indu/Android/android-ndk-r8b/toolchains/arm-linux-androideabi-4.6/prebuilt/linux-x86/bin/../lib/gcc/arm-linux-androideabi/4.6.x-google/../../../../arm-linux-androideabi/bin/ld:
warning: libz.so, needed by ./obj/local/armeabi/libcrypto.so, not found
(try using -rpath or -rpath-link)
./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'
./obj/local/armeabi/libcrypto.so: undefined reference to `inflate'
./obj/local/armeabi/libcrypto.so: undefined reference to `deflateEnd'
./obj/local/armeabi/libcrypto.so: undefined reference to `inflateInit_'

Rgds
Indu


On Thu, Sep 13, 2012 at 12:15 PM, Indtiny s  wrote:

> Hi,
> When I complied  my old code (openssl-android 1.0.0e)  which downloaded
> from the github , ir built properly ..
> but this new code from the
> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
> is throwing the zlib not found error .. I ran everything through $ sudo
> ndk-build script only .
>
> Is there any reference needs to be added in the android.mk for the new
> code ..?
>
>
>
>
> On Thu, Sep 13, 2012 at 10:34 AM,  wrote:
>
>>
>> I don't at this point own an android and I am thinking of getting one.
>>  I'd like to ask of the environment.  Will I need to root it?  I expect the
>> answer is yes and I'll have to install all the development tools as well.
>>  Its there a website which provides instructions.
>>
>> Next what of cross compilers or a development environment which runs on
>> say the desktop and provides the test bed that the phone uses.
>>
>> THanks.
>>
>>
>> On Thu, Sep 13, 2012 at 09:56:03AM +0530, Indtiny s wrote:
>> > Hi,
>> > My android for the TAB is HoneyComb and its API level is 12 so I have
>> > wriiten it as
>> > TARGET_ABI:=android-12-armeabi
>> >
>> > I put the above line in android-config.mk just below the first
>> LOCAL_CFLAGS
>> > and excuted the ndk-build but I got the following error .
>> >
>> > linux-androideabi/bin/ld: warning: libz.so, needed by
>> > ./obj/local/armeabi/libcry
>> > ./obj/local/armeabi/libcrypto.so: undefined reference to `zError'
>> > ./obj/local/armeabi/libcrypto.so: undefined reference to `inflateEnd'
>> > ./obj/local/armeabi/libcrypto.so: undefined reference to `deflate'
>> > ./obj/local/armeabi/libcrypto.so: undefined reference to `deflateInit_'
>> >
>> > Rgds
>> > Indu
>> >
>> >
>> >
>> >
>> >
>> > On Thu, Sep 13, 2012 at 8:06 AM, farmdve data.bg 
>> wrote:
>> >
>> > > Oh, and I highly suggest specifying the TARGET_ABI so that the code is
>> > > optimized(considerable boost compared to without specifying it).
>> > >
>> > > So either add TARGET_ABI := android-APILEVEL-armeabi to
>> android-config.mkOR open Android.mk in the crypto and ssl folders, and add
>> it just before
>> > > $(BUILD_SHARED_LIBRARY).
>> > > Be sure to replace APILEVEL with the API level you target. And if you
>> want
>> > > static libraries, replace  $(BUILD_SHARED_LIBRARY)  where encountered
>> to
>> > > $(BUILD_STATIC_LIBRARY)
>> > >
>> > >
>> > > On Thu, Sep 13, 2012 at 5:30 AM, farmdve data.bg 
>> wrote:
>> > >
>> > >> Do not use that one, it's old. Use this one
>> > >> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
>> > >>
>> > >> Just calling ndk-build should work.
>> > >>
>> > >> On Wed, Sep 12, 2012 at 8:34 PM, Jason Goldberg > >wrote:
>> > >>
>> > >>>  For Android, check out this project as an example:
>> > >>>
>> > >>> https://github.com/eighthave/openssl-android
>> > >>>
>> > >>> They have the Android-specific Makefile configs for doing an NDK
>> build.
>> > >>>  You could patch it with your changes and generate the .so
>> libraries you
>> > >>> need.
>> > >>>
>> > >>>  On Sep 12, 2012, at 12:05 PM, Indtiny s  wrote:
>> > >>>
>> > >>>
>> > >>> Hi,
>> > >>>
>> > >>> I have to build the openssl 1.0.1c for the android , I have added
>> new
>> > >>>  ECC-CCM chiper key support at the openssl , hence i want build the
>> same
>> > >>> for android-ndk and use in my application as shared libraries . is
>> there
>> > >>> any guide to build the same ..?
>> > >>>
>> > >>> Rgds
>> > >>> Indu
>> > >>>
>> > >>>
>> > >>>
>> > >

RE: openssl on a home LAN

[Steven Madwin]

Hi John,

 

As an aside to what Gayathri said, I'm not a developer, but I have used
OpenSSL to create a complete PKI universe for testing. Using the
pre-compiled, downloadable installer I've been able to create Root
certificates, Intermediate CA certificates, and end-entity certificates of
all shapes and sizes (e.g. DSA, RSA, EC with varying key sizes). I've also
used it to manage revocation checking by creating CRLs and running it as an
(admittedly, a very light weight) OCSP server. I even used it once to create
an SSL certificate for an internal server :)

 

My point is, although the primary use seems to be incorporating the OpenSSL
libraries into your compiled code so you can take advantage of its
cryptographic capabilities, even someone who is not a computer scientist can
use OpenSSL from the command line to do a lot of work. What it really boils
down to is what is it that you are looking to do?

 

Steve

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Wednesday, September 12, 2012 9:58 AM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi, Gayathri,

 

I appreciate the clarification. It was helpful, yes. I think my confusion
stemmed from the fact that in the past while installing one or another
program, I found it to say that "OpenSSL must be installed on your system
for this program to work properly." Okay, I think I got it now, the light
has made it into my obstinate, thick skull.  Clarity is a beautiful thing,
thank you.

 

John

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar
Sent: Wednesday, September 12, 2012 10:07 AM
To: openssl-users@openssl.org
Subject: Re: openssl on a home LAN

 

Hi John,

 

I definitely do not agree with charles's email, but what I think he meant
is, you need to write programs to use OpenSSL. Its an installable library,
which you need to invoke from your application using its exposed APIs and
recompile your code, link OpenSSL library and execute for it to work. Its
not a SSL solution if that is what your looking for.

 

Just installing OpenSSL is not going to give u SSL.

 

Thanks

--Gayathri

On Tue, Sep 11, 2012 at 8:36 PM, John A. Wallace 
wrote:

Charlie, 

 

Frankly, you condescending manner is starting to annoy me, considerably.
Furthermore, your name is not on this page as one of the moderators of this
group:   http://www.openssl.org/about/.  

 

Moreover, I don't believe I need your permission to "hang out here".  You
need to read the link I provided you all the way to the end, it says that
this group is for 

 

1.   Developers

2.   OpenSSL usage

3.   Installation problems

 

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2
above, well I think that makes my asking it a legitimate question for this
group. If you don't like it, you can just learn to use your reading program
and ignore me. Thank you very much.   J

 

John

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 3:22 PM


To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Right. Are you an application developer? In other words, do you write
computer programs? Does the following mean anything to you?

 

int main(int argc, char *argv[])

{

printf("hello world\n");

return 0;

}

 

Or alternatively, are you a Web site operator? Do you host a Web site that
others access?

 

If the answer to both of these questions is No, then you are welcome to hang
out here but the answer to your original question, "whether there is any
point in using openssl" is No.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:07 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi.  I am not trying to be mean or something, but you may want to take a
look at this page:

 

http://www.openssl.org/support/community.html

 

Focusing on the part that describes this list, one can read this about its
purpose:

 

Application Development, OpenSSL Usage, Installation Problems, etc.

 

That looks clear to me in that this list would provide support for the type
of question I just asked, or did I misunderstand you? J

 

Thanks.

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 12:52 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Do you write computer programs, or are you a home user of personal
computers?

 

If you don't write computer programs, then using OpenSSL at the level
addressed by this mailing list is not what you are looking for.

 

Some of the products you might buy might use OpenSSL "under the covers," but
you would get support generally directly from the companies 

Re: Memory issues with ssl handshake

[Thomas]

Hi Michel,

Thanks for trying to help, I really appreciate it :-)

"Does your app setup and free a context each time a client is connecting ?"

The context is created only when a client requests a HTTPS connection 
and is destroyed together with the SSL session once the connection goes 
down. It is rather related to connections then to clients since one 
client can open several connections but I think you implied one 
connection per client and then the answer is 'yes'.


I will try freeing the session before the context and come back with the 
results.


Regards,
 Thomas


On 09/13/2012 10:09 AM, Michel wrote:

Hi Thomas,

I don't know if it makes a real difference concerning memory leaks,
but I would have freed the TLS session *BEFORE* freing the context :
   SSL_free(ssl);
   ...
   SSL_CTX_free(ssl->ctx);
Does your app setup and free a context each time a client is connecting ?

Le 12/09/2012 16:58, Thomas a écrit :

Hi,

Valgrind gives me a *lot* of messages like this

==19021== 2,056 bytes in 2 blocks are indirectly lost in loss record 
186 of 190
==19021==at 0x68EAC8B: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)

==19021==by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==by 0x6C73BB2: BN_set_bit (bn_lib.c:730)
==19021==by 0x6C7E16E: BN_MONT_CTX_set (bn_mont.c:514)
==19021==by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==by 0x8060D14: ssl_connect (ssl.c:1078)

Compared to the above they vary only in one line, e.g.

==19021== 1,024 bytes in 2 blocks are indirectly lost in loss record 
181 of 190
==19021==at 0x68EAC8B: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)

==19021==by 0x6C472DB: default_malloc_ex (mem.c:79)
==19021==by 0x6C4795F: CRYPTO_malloc (mem.c:306)
==19021==by 0x6C73940: bn_expand_internal (bn_lib.c:336)
==19021==by 0x6C73AE0: bn_expand2 (bn_lib.c:451)
==19021==by 0x6C73D53: BN_copy (bn_lib.c:506)
==19021==by 0x6C7DFCA: BN_MONT_CTX_set (bn_mont.c:421)
==19021==by 0x6C7E402: BN_MONT_CTX_set_locked (bn_mont.c:552)
==19021==by 0x6C97053: RSA_eay_public_decrypt (rsa_eay.c:693)
==19021==by 0x6C97F1F: RSA_public_decrypt (rsa_lib.c:309)
==19021==by 0x6C98BEB: int_rsa_verify (rsa_sign.c:182)
==19021==by 0x6C98F57: RSA_verify (rsa_sign.c:284)
==19021==by 0x6949E16: ssl3_get_key_exchange (s3_clnt.c:1562)
==19021==by 0x694BF5F: ssl3_connect (s3_clnt.c:335)
==19021==by 0x6964AB9: SSL_connect (ssl_lib.c:933)
==19021==by 0x6953FDD: ssl23_connect (s23_clnt.c:693)
==19021==by 0x6963FBC: SSL_do_handshake (ssl_lib.c:2368)
==19021==by 0x8060D14: ssl_connect (ssl.c:1078)

The application in question is a http proxy and is leaking memory 
heavily. Actually, Valgrind also reports many entries as "still 
reachable" instead of "indirectly lost" but even those regions are 
mentioned by Valgrind like the above two blocks.


I doubt OpenSSL has such blatant memory leaks but I have been 
searching for the leaks for some time now and just cannot find 
anything - also due to the fact that Valgrind reports all the leaks 
like above, which is not really helpful. I do realize that for 
detailed help I would need to give some code on how the connections 
are set up but that code is pretty large. So best would be some hint 
as to where to look for or what regions of code to supply.


Looking for hints as to what is going wrong I went through some of 
the OpenSSL functions mentioned above and after "leaving my code" and 
entering OpenSSL code the only thing being passed around the 
functions is the actual SSL object - and no buffers of any kind. So I 
suppose the source of the problem lies in setting up the object, it's 
context or what ever is stuck to it.


The first thing I checked on was how the SSL connections are torn 
down in my application:

   ERR_remove_state(0);
   SSL_CTX_free(ssl->ctx);
   SSL_free(ssl);
The first line was added only after starting the search for the leaks 
and I'm still not sure if that line doesn't break anything.


I did find some minor leaks in my code along the way (e.g. a 
forgotten ASN1_INTEGER_free()) but they were neither easy to find - 
because Valgrind also reported them like the above two blocks, 
meaning in the wrong place! - nor did they chan

Re: Memory issues with ssl handshake

[Dominik Oepen]

On 12.09.2012 16:58, Thomas Eckert wrote:
> Hi,
> 
> Valgrind gives me a *lot* of messages like this
[snip]
> Does anyone have some tips for me ?

Have you seen the FAQ entry regarding valgrind:
http://www.openssl.org/support/faq.html#PROG14 ?

Regards,
Dominik
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: openssl on a home LAN

[Gayathri Sundar]

Charles,

I think he wanted to use SSL for data transfer between 2 computers. What
you have used is the PKI infrastructure.
Infact even for SSL there are sample client and server codes in the
examples folder, but that does not hook into your application.

Thanks
--Gayathri

On Wed, Sep 12, 2012 at 1:29 PM, Steven Madwin  wrote:

> Hi John,
>
> ** **
>
> As an aside to what Gayathri said, I’m not a developer, but I have used
> OpenSSL to create a complete PKI universe for testing. Using the
> pre-compiled, downloadable installer I’ve been able to create Root
> certificates, Intermediate CA certificates, and end-entity certificates of
> all shapes and sizes (e.g. DSA, RSA, EC with varying key sizes). I’ve also
> used it to manage revocation checking by creating CRLs and running it as an
> (admittedly, a very light weight) OCSP server. I even used it once to
> create an SSL certificate for an internal server :)
>
> ** **
>
> My point is, although the primary use seems to be incorporating the
> OpenSSL libraries into your compiled code so you can take advantage of its
> cryptographic capabilities, even someone who is not a computer scientist
> can use OpenSSL from the command line to do a lot of work. What it really
> boils down to is what is it that you are looking to do?
>
> ** **
>
> Steve
>
> ** **
>
> *From:* owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us...@openssl.org] *On Behalf Of *John A. Wallace
> *Sent:* Wednesday, September 12, 2012 9:58 AM
> *To:* openssl-users@openssl.org
> *Subject:* RE: openssl on a home LAN
>
> ** **
>
> Hi, Gayathri,
>
> ** **
>
> I appreciate the clarification. It was helpful, yes. I think my confusion
> stemmed from the fact that in the past while installing one or another
> program, I found it to say that “OpenSSL must be installed on your system
> for this program to work properly.” Okay, I think I got it now, the light
> has made it into my obstinate, thick skull.  Clarity is a beautiful thing,
> thank you.
>
> ** **
>
> John
>
> ** **
>
> ** **
>
> *From:* owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Gayathri Sundar
> *Sent:* Wednesday, September 12, 2012 10:07 AM
> *To:* openssl-users@openssl.org
> *Subject:* Re: openssl on a home LAN
>
> ** **
>
> Hi John,
>
> ** **
>
> I definitely do not agree with charles's email, but what I think he meant
> is, you need to write programs to use OpenSSL. Its an installable library,
> which you need to invoke from your application using its exposed APIs and
> recompile your code, link OpenSSL library and execute for it to work. Its
> not a SSL solution if that is what your looking for.
>
> ** **
>
> Just installing OpenSSL is not going to give u SSL.
>
> ** **
>
> Thanks
>
> --Gayathri
>
> On Tue, Sep 11, 2012 at 8:36 PM, John A. Wallace 
> wrote:
>
> Charlie, 
>
>  
>
> Frankly, you condescending manner is starting to annoy me, considerably.
>  Furthermore, your name is not on this page as one of the moderators of
> this group:   http://www.openssl.org/about/.  
>
>  
>
> Moreover, I don’t believe I need your permission to “hang out here”.  You
> need to read the link I provided you all the way to the end, it says that
> this group is for 
>
>  
>
> 1.   Developers
>
> 2.   OpenSSL usage
>
> 3.   Installation problems
>
>  
>
> Now inasmuch as my question pertained to “OpenSSL Usage”, i.e., number 2
> above, well I think that makes my asking it a legitimate question for this
> group. If you don’t like it, you can just learn to use your reading program
> and ignore me. Thank you very much.   J
>
>  
>
> John
>
>  
>
>  
>
> *From:* owner-openssl-us...@openssl.org [mailto:
> owner-openssl-us...@openssl.org] *On Behalf Of *Charles Mills
> *Sent:* Tuesday, September 11, 2012 3:22 PM
>
>
> *To:* openssl-users@openssl.org
> *Subject:* RE: openssl on a home LAN
>
>  
>
> Right. Are you an application developer? In other words, do you write
> computer programs? Does the following mean anything to you?
>
>  
>
> int main(int argc, char *argv[])
>
> {
>
> printf(“hello world\n”);
>
> return 0;
>
> }
>
>  
>
> Or alternatively, are you a Web site operator? Do you host a Web site that
> others access?
>
>  
>
> If the answer to both of these questions is No, then you are welcome to
> hang out here but the answer to your original question, “whether there is
> any point in using openssl” is No.
>
>  
>
> *Charles*
>
> *From:* owner-openssl-us...@openssl.org [
> mailto:owner-openssl-us...@openssl.org ]
> *On Behalf Of *John A. Wallace
> *Sent:* Tuesday, September 11, 2012 12:07 PM
> *To:* openssl-users@openssl.org
> *Subject:* RE: openssl on a home LAN
>
>  
>
> Hi.  I am not trying to be mean or something, but you may want to take a
> look at this page:
>
>  
>
> http://www.opens

RE: openssl on a home LAN

[Charles Mills]

It's true.

 

I think "you are a Web developer and need to generate certificates for your
Web site" was mentioned.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar
Sent: Thursday, September 13, 2012 6:01 AM
To: openssl-users@openssl.org
Subject: Re: openssl on a home LAN

 

Charles,

 

I think he wanted to use SSL for data transfer between 2 computers. What you
have used is the PKI infrastructure.

Infact even for SSL there are sample client and server codes in the examples
folder, but that does not hook into your application.

 

Thanks

--Gayathri

On Wed, Sep 12, 2012 at 1:29 PM, Steven Madwin  wrote:

Hi John,

 

As an aside to what Gayathri said, I'm not a developer, but I have used
OpenSSL to create a complete PKI universe for testing. Using the
pre-compiled, downloadable installer I've been able to create Root
certificates, Intermediate CA certificates, and end-entity certificates of
all shapes and sizes (e.g. DSA, RSA, EC with varying key sizes). I've also
used it to manage revocation checking by creating CRLs and running it as an
(admittedly, a very light weight) OCSP server. I even used it once to create
an SSL certificate for an internal server :)

 

My point is, although the primary use seems to be incorporating the OpenSSL
libraries into your compiled code so you can take advantage of its
cryptographic capabilities, even someone who is not a computer scientist can
use OpenSSL from the command line to do a lot of work. What it really boils
down to is what is it that you are looking to do?

 

Steve

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Wednesday, September 12, 2012 9:58 AM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi, Gayathri,

 

I appreciate the clarification. It was helpful, yes. I think my confusion
stemmed from the fact that in the past while installing one or another
program, I found it to say that "OpenSSL must be installed on your system
for this program to work properly." Okay, I think I got it now, the light
has made it into my obstinate, thick skull.  Clarity is a beautiful thing,
thank you.

 

John

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Gayathri Sundar
Sent: Wednesday, September 12, 2012 10:07 AM
To: openssl-users@openssl.org
Subject: Re: openssl on a home LAN

 

Hi John,

 

I definitely do not agree with charles's email, but what I think he meant
is, you need to write programs to use OpenSSL. Its an installable library,
which you need to invoke from your application using its exposed APIs and
recompile your code, link OpenSSL library and execute for it to work. Its
not a SSL solution if that is what your looking for.

 

Just installing OpenSSL is not going to give u SSL.

 

Thanks

--Gayathri

On Tue, Sep 11, 2012 at 8:36 PM, John A. Wallace 
wrote:

Charlie, 

 

Frankly, you condescending manner is starting to annoy me, considerably.
Furthermore, your name is not on this page as one of the moderators of this
group:   http://www.openssl.org/about/.  

 

Moreover, I don't believe I need your permission to "hang out here".  You
need to read the link I provided you all the way to the end, it says that
this group is for 

 

1.   Developers

2.   OpenSSL usage

3.   Installation problems

 

Now inasmuch as my question pertained to "OpenSSL Usage", i.e., number 2
above, well I think that makes my asking it a legitimate question for this
group. If you don't like it, you can just learn to use your reading program
and ignore me. Thank you very much.   J

 

John

 

 

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Tuesday, September 11, 2012 3:22 PM


To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Right. Are you an application developer? In other words, do you write
computer programs? Does the following mean anything to you?

 

int main(int argc, char *argv[])

{

printf("hello world\n");

return 0;

}

 

Or alternatively, are you a Web site operator? Do you host a Web site that
others access?

 

If the answer to both of these questions is No, then you are welcome to hang
out here but the answer to your original question, "whether there is any
point in using openssl" is No.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of John A. Wallace
Sent: Tuesday, September 11, 2012 12:07 PM
To: openssl-users@openssl.org
Subject: RE: openssl on a home LAN

 

Hi.  I am not trying to be mean or something, but you may want to take a
look at this page:

 

http://www.openssl.org/support/community.html

 

Focusing on the part that describes this list, one can read this about its
purpose:

 

Application Development, OpenSSL Usage, Installation Problems, etc.

 

That looks clear to me in that this li

RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

[Charles Mills]

Would it make sense to delete the expired certificate from the Windows
store? Duplicate expired/non expired CA certificates sounds to me like a
problem waiting to happen.

 

Charles

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Ashok C
Sent: Thursday, September 13, 2012 12:49 AM
To: openssl-users@openssl.org
Subject: Re: certificate validation issues with openssl 1.0.0 and expired
certificates in cafile

 

Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?

--
Ashok

On Wed, Sep 12, 2012 at 2:59 PM, Ashok C  wrote:

Hi,

I don't think this question was answered. Could you please reply?

--
Ashok

 

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion
 wrote:

Hi!

I wrote a small program which dumps all root certificates from Windows
certificate store into a file. Then I use openssl to connect to Google and
validate its certificate:

openssl s_client -connect www.google.com:443 -CAfile dump.crt

When using openssl0.9.8k or openssl0.9.8x everything works as expected.

When using openssl1.0.0g or openssl 1.0.1c the certificate validation fails
with:
  Verify return code: 10 (certificate has expired)

CONNECTED(016C)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=10:certificate has expired
notAfter=Jan  7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority

When analyzing the cafile with the dumped certificates from Windows
certificate store, I found out that there are two certificates for Verisign
with identical subject, whereas one is expired, the other not.

X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Wed Jan 07 23:59:59 UTC 2004
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA

X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority
Subject Public Key Algorithm: RSA


Thus, it seems that openssl 0.9.8 just ignores the expired certificate and
searches if there is another valid one whereas openssl 1.0.0 stop with the
first expired certificate.

Is the new behavior the intended behavior? Is it possible to have the old
behavior also in new openssl versions?

Thanks
Klaus

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

 

 

RE: certificate validation issues with openssl 1.0.0 and expired certificates in cafile

[Erik Tkal]

I suppose that's a workaround, but doesn't address the root cause.  Windows can 
quite happily handle expired certificates still hanging out in trusted stores; 
I see this all the time as root updates occur and renewed certificates are 
installed.  It seems that a change in OpenSSL broke the previous behaviour that 
allowed this as well, though we can't tell if it's the s_client app or the 
OpenSSL cert store functionality that changed this.


Erik Tkal
Juniper OAC/UAC/Pulse Development


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Charles Mills
Sent: Thursday, September 13, 2012 9:42 AM
To: openssl-users@openssl.org
Subject: RE: certificate validation issues with openssl 1.0.0 and expired 
certificates in cafile

Would it make sense to delete the expired certificate from the Windows store? 
Duplicate expired/non expired CA certificates sounds to me like a problem 
waiting to happen.

Charles
From: owner-openssl-us...@openssl.org 
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Ashok C
Sent: Thursday, September 13, 2012 12:49 AM
To: openssl-users@openssl.org
Subject: Re: certificate validation issues with openssl 1.0.0 and expired 
certificates in cafile

Sending again as the previous email did not appear in list.
Is there some problem with the mailing list?

--
Ashok
On Wed, Sep 12, 2012 at 2:59 PM, Ashok C 
mailto:ash@gmail.com>> wrote:
Hi,

I don't think this question was answered. Could you please reply?

--
Ashok

On Tue, Jul 31, 2012 at 11:13 PM, Klaus Darilion 
mailto:klaus.mailingli...@pernau.at>> wrote:
Hi!

I wrote a small program which dumps all root certificates from Windows 
certificate store into a file. Then I use openssl to connect to Google and 
validate its certificate:

openssl s_client -connect www.google.com:443 -CAfile 
dump.crt

When using openssl0.9.8k or openssl0.9.8x everything works as expected.

When using openssl1.0.0g or openssl 1.0.1c the certificate validation fails 
with:
  Verify return code: 10 (certificate has expired)

CONNECTED(016C)
depth=2 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification 
Authority
verify error:num=10:certificate has expired
notAfter=Jan  7 23:59:59 2004 GMT
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google 
Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

When analyzing the cafile with the dumped certificates from Windows certificate 
store, I found out that there are two certificates for Verisign with identical 
subject, whereas one is expired, the other not.

X.509 Certificate Information:
Version: 1
Serial Number (hex): 00e49efdf33ae80ecfa5113e19a4240232
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification 
Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Wed Jan 07 23:59:59 UTC 2004
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification 
Authority
Subject Public Key Algorithm: RSA

X.509 Certificate Information:
Version: 1
Serial Number (hex): 70bae41d10d92934b638ca7b03ccbabf
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification 
Authority
Validity:
Not Before: Mon Jan 29 00:00:00 UTC 1996
Not After: Tue Aug 01 23:59:59 UTC 2028
Subject: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification 
Authority
Subject Public Key Algorithm: RSA


Thus, it seems that openssl 0.9.8 just ignores the expired certificate and 
searches if there is another valid one whereas openssl 1.0.0 stop with the 
first expired certificate.

Is the new behavior the intended behavior? Is it possible to have the old 
behavior also in new openssl versions?

Thanks
Klaus

__
OpenSSL Project http://www.openssl.org
User Support Mailing List
openssl-users@openssl.org
Automated List Manager   
majord...@openssl.org

how to check the whether openssl which is built for has the all chiper suite required

[Indtiny s]

Hi,

I have added the AES-ECC-CCM chiper suite openssl downloaded from this site
  https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
.

after I ran androi-ndk build  and I got the 4 shared libraries
*libssl.so,libcrypto.so,
openssl,ssltest* . now I have to check the chiper suite which I have added
in to that ..

Is there some way to check ?

Rgds
Indu

Re: how to check the whether openssl which is built for has the all chiper suite required

[farmdve data.bg]

I see you resolved the missing libz library errors.

Well, it get's tricky now. You must create an Android project, create
a JNI library which will wrap around the real code, since Java cannot
directly access native functions. And use the emulator to test the
code.

On Thu, Sep 13, 2012 at 7:43 PM, Indtiny s  wrote:
> Hi,
>
> I have added the AES-ECC-CCM chiper suite openssl downloaded from this site
> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
> .
>
> after I ran androi-ndk build  and I got the 4 shared libraries
> libssl.so,libcrypto.so, openssl,ssltest . now I have to check the chiper
> suite which I have added in to that ..
>
> Is there some way to check ?
>
> Rgds
> Indu
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to check the whether openssl which is built for has the all chiper suite required

[farmdve data.bg]

Assuming you installed the Android NDK, you must have a folder called
samples somewhere with the native examples 'hello-jni'. Just look at
how the code works, and simply create a wrapper to wrap around the
OpenSSL functions.

On Thu, Sep 13, 2012 at 7:54 PM, farmdve data.bg  wrote:
> I see you resolved the missing libz library errors.
>
> Well, it get's tricky now. You must create an Android project, create
> a JNI library which will wrap around the real code, since Java cannot
> directly access native functions. And use the emulator to test the
> code.
>
> On Thu, Sep 13, 2012 at 7:43 PM, Indtiny s  wrote:
>> Hi,
>>
>> I have added the AES-ECC-CCM chiper suite openssl downloaded from this site
>> https://github.com/aluvalassuman/OpenSSL1.0.1cForAndroid
>> .
>>
>> after I ran androi-ndk build  and I got the 4 shared libraries
>> libssl.so,libcrypto.so, openssl,ssltest . now I have to check the chiper
>> suite which I have added in to that ..
>>
>> Is there some way to check ?
>>
>> Rgds
>> Indu
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: fipscanister.o: file not recognized

[TJ]

On 7 September 2012 23:54, Steve Marquess
 wrote:
> On 09/07/2012 12:24 AM, TJ wrote:
>> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
>>
>> ./Configure no-asm no-hw linux-generic32
>> make -j1 -C openssl-fips
>
> Might as well stop right there as the resulting FIPS module isn't FIPS
> 140-2 validated. There is no point in using the FIPS module if you can't
> claim, and don't require, validation; it has no inherent performance or
> security advantages over regular OpenSSL (in fact it is technically
> *inferior* in both respects).
>

Actually, we do require validation, which is why I was trying to use
the FIPS module, but there are other components we need to operate
inside the logical cryptographic boundary so a separate validation
will be required anyway, This obviously means it doesn’t really matter
if I build the FIPS module in a non-compliant way.
I removed it anyway and got OpenSSL v1.0.1c to build and run, but now
the self tests (which are required for validation) don't run. Are
these self test available as a function call in base OpenSSL without
the FIPS component? If so, how? If not, what should I do now?; reload
the FIPS module and try to get it to build for my platform, or what?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: fipscanister.o: file not recognized

[Dr. Stephen Henson]

On Fri, Sep 14, 2012, TJ wrote:

> On 7 September 2012 23:54, Steve Marquess
>  wrote:
> > On 09/07/2012 12:24 AM, TJ wrote:
> >> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
> >>
> >> ./Configure no-asm no-hw linux-generic32
> >> make -j1 -C openssl-fips
> >
> > Might as well stop right there as the resulting FIPS module isn't FIPS
> > 140-2 validated. There is no point in using the FIPS module if you can't
> > claim, and don't require, validation; it has no inherent performance or
> > security advantages over regular OpenSSL (in fact it is technically
> > *inferior* in both respects).
> >
> 
> Actually, we do require validation, which is why I was trying to use
> the FIPS module, but there are other components we need to operate
> inside the logical cryptographic boundary so a separate validation
> will be required anyway, This obviously means it doesn?t really matter
> if I build the FIPS module in a non-compliant way.
> I removed it anyway and got OpenSSL v1.0.1c to build and run, but now
> the self tests (which are required for validation) don't run. Are
> these self test available as a function call in base OpenSSL without
> the FIPS component? If so, how? If not, what should I do now?; reload
> the FIPS module and try to get it to build for my platform, or what?

The self tests are only part of the FIPS module.

A native build needs to execute some of the targets on the host system to
embed signatures, if you can't do that then you need to set the FIPS_SIG
environment variable to point to an appropriate script which will perform the
signature calculation. The "incore" script under the util directory is
normally used for that purpose: so try setting FIPS_SIG to point to it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: fipscanister.o: file not recognized

[Steve Marquess]

On 09/13/2012 06:08 PM, TJ wrote:
> On 7 September 2012 23:54, Steve Marquess
>  wrote:
>> On 09/07/2012 12:24 AM, TJ wrote:
>>> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
>>>
>>> ./Configure no-asm no-hw linux-generic32
>>> make -j1 -C openssl-fips
>>
>> Might as well stop right there as the resulting FIPS module isn't FIPS
>> 140-2 validated. There is no point in using the FIPS module if you can't
>> claim, and don't require, validation; it has no inherent performance or
>> security advantages over regular OpenSSL (in fact it is technically
>> *inferior* in both respects).
>>
> 
> Actually, we do require validation, which is why I was trying to use
> the FIPS module, but there are other components we need to operate
> inside the logical cryptographic boundary so a separate validation
> will be required anyway, This obviously means it doesn’t really matter
> if I build the FIPS module in a non-compliant way.

So you're modifying the FIPS module. If you're not then there is no
reason to redefine the crypto module boundary, and not use the already
validated FIPS module. Additional cryptographic components can be
separately validated.

> I removed it anyway and got OpenSSL v1.0.1c to build and run, but now
> the self tests (which are required for validation) don't run. Are
> these self test available as a function call in base OpenSSL without
> the FIPS component? If so, how? If not, what should I do now?; reload
> the FIPS module and try to get it to build for my platform, or what?

What do you mean by "self tests"? The KATs that are done automatically
when FIPS mode is enabled (FIPS_mode_set())? If those fail then FIPS
mode can't be enabled and the FIPS module doesn't work at all, nothing
to do with obtaining a validation.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org