Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 6:32 PM, Dr. Stephen Henson  wrote:
> On Fri, Dec 28, 2012, Jeffrey Walton wrote:
>
>> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller  wrote:
>> > i was going to do this:
>> >
>> > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
>> Yeah, it looks like that's the option. I would prefer to remove the
>> code paths all together though.
>>
>> If the code path does not exist, it cannot be executed.
>>
>
> Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
> zlib. Since that's the only compression method standardised for SSL/TLS it
> effectively disables compression for SSL/TLS as a side effect as there are no
> compression methods available.
>
> If you want to use zlib for other purposes (e.g. the command line option or
> CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the
> "no-comp" option but include zlib or zlib-dynamic.
I think that's what I am looking for. -no-zlib was the proverbial
cannon ball killing the fly.

> All of the above options apply to the OpenSSL library only: so an application
> needs to be linked to that version of OpenSSL to disable compression.
>
> There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable
> compression for SSL/TLS even if the application is linked against a version of
> OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL
> already disables SSL/TLS compression that option has no effect.
Thanks Dr. Henson. I think I need to file a feature request to make
SSL_OP_NO_COMPRESSION a macro too so I can use it during preprocessing
:o

Jeff
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: ./config and -no-zlib

2012-12-28 Thread Dr. Stephen Henson
On Fri, Dec 28, 2012, Jeffrey Walton wrote:

> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller  wrote:
> > i was going to do this:
> >
> > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
> Yeah, it looks like that's the option. I would prefer to remove the
> code paths all together though.
> 
> If the code path does not exist, it cannot be executed.
> 

Unless OpenSSL has been built with the zlib or zlib-dynamic option it won't use
zlib. Since that's the only compression method standardised for SSL/TLS it
effectively disables compression for SSL/TLS as a side effect as there are no
compression methods available.

If you want to use zlib for other purposes (e.g. the command line option or
CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the
"no-comp" option but include zlib or zlib-dynamic.

All of the above options apply to the OpenSSL library only: so an application
needs to be linked to that version of OpenSSL to disable compression.

There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable
compression for SSL/TLS even if the application is linked against a version of
OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL
already disables SSL/TLS compression that option has no effect.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: DH-algorithm using OpenSSL

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 4:32 PM, Hemayamini Kurra
 wrote:
> Thanks for the reply Jeff!!
>
> The problem comes when I try to send the values of prime and publickey to
> peer. As I am converting BIGNUM to binary and then at the peer the other way
> round, The parameters are not received properly by the peer!!
Use BSON to package the data. It sounds like it's a presentation layer problem.

Jeff

> On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton  wrote:
>>
>> On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
>>  wrote:
>> > Hello!!
>> >
>> > I am implementing DH algorithm using OpenSSL library.
>> > My scenario is -
>> > using DH key exchange algorithm for key generation and exchange between
>> > client and server. Using DSA for two way authentication.
>> > server:
>> Could be tricky to get right, especially when you need semantic
>> authentication over the process.
>>
>> > I have generated DH parameters using DH_generate_parameters()
>> > I have generated the public and private keys using DH_generate_key()
>> Don't forget to validate the key. If you don't validate a key, you
>> cannot use it. For encryption, that means you don't apply your secret
>> to an unvalidated key; and for signatures, you don't trust the outcome
>> of the verification process.
>>
>> GnuPG is a special case. They used Lim-Lee primes and they can't be
>> validated without obtaining the unique factorization. I would
>> recommend asking for a key composed of a strong or safe prime or
>> refuse to process their data (but I've always been
>> defensive/paranoid).
>>
>> > I am using TCP socket programming in c to send the prime generator and
>> > ...
>> >
>> > I am getting "segmentation fault".
>> That sounds like a network programming problem. Have you been through
>> W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network
>> Programming"?
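
An added example (not from this thread) of the presentation-layer fix: BN_bn2bin() writes only the big-endian magnitude bytes, with no length and no terminator, so a peer reading raw bytes off a TCP socket cannot tell where p ends and g begins, and a single read() that returns fewer bytes than expected is enough to corrupt the parameters. The length-prefixed framing below is an assumed format for this example, not anything OpenSSL defines; BN_bn2bin() and BN_bin2bn() would sit at either end of it, and the helper names (bn_len_ok, frame_bignums, read_exact, recv_bignum, demo_roundtrip) are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Constructed wire format (assumed for this example, not OpenSSL's): each
   value is a 4-byte big-endian length followed by the bytes BN_bn2bin()
   produces.  BN_bn2bin() emits no length and no terminator, so without a
   prefix the peer cannot tell where p ends and g begins for BN_bin2bn(). */
#define MAX_BN_BYTES 1024   /* 8192-bit ceiling; refuse anything larger */
/* A length is acceptable only if non-empty and within ceiling and buffer. */
int bn_len_ok(size_t len, size_t cap) {
    return len != 0 && len <= MAX_BN_BYTES && len <= cap;
}

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Sender: frame n values into out.  Returns bytes written, or 0 if a value
   fails bn_len_ok() or out is too small. */
size_t frame_bignums(const uint8_t *const *vals, const size_t *lens,
                     size_t n, uint8_t *out, size_t out_cap) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (!bn_len_ok(lens[i], MAX_BN_BYTES) || out_cap - off < 4 + lens[i])
            return 0;
        put_u32(out + off, (uint32_t)lens[i]);
        memcpy(out + off + 4, vals[i], lens[i]);
        off += 4 + lens[i];
    }
    return off;
}

/* TCP is a byte stream: one send() may arrive as several read()s.  Loop
   until exactly len bytes are in; fail on EOF or error. */
int read_exact(int fd, uint8_t *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r < 0) { if (errno == EINTR) continue; return 0; }
        if (r == 0) return 0;              /* peer closed mid-message */
        got += (size_t)r;
    }
    return 1;
}

/* Receiver: read one value into out.  Returns its length, or 0 on a short
   read or a bad length.  The length is validated before any body bytes are
   read, so a corrupt header cannot drive an oversized read. */
size_t recv_bignum(int fd, uint8_t *out, size_t out_cap) {
    uint8_t hdr[4];
    if (!read_exact(fd, hdr, 4)) return 0;
    uint32_t l = get_u32(hdr);
    if (!bn_len_ok(l, out_cap)) return 0;
    return read_exact(fd, out, l) ? (size_t)l : 0;
}

/* Round trip through a pipe, which like a socket carries a byte stream with
   no message boundaries; the prefixes are what recover them.  The values are
   constructed stand-ins for BN_bn2bin() output of p, g and the public key. */
int demo_roundtrip(void) {
    static const uint8_t p[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc5};
    static const uint8_t g[] = {0x02}, pub[] = {0x12, 0x34, 0x56, 0x78, 0x9a};
    const uint8_t *vals[3] = {p, g, pub};
    size_t lens[3] = {sizeof p, sizeof g, sizeof pub}, got[3];
    uint8_t wire[64], r[3][MAX_BN_BYTES];
    size_t n = frame_bignums(vals, lens, 3, wire, sizeof wire);
    int fds[2];
    if (n == 0 || pipe(fds) != 0) return 0;
    if (write(fds[1], wire, n) != (ssize_t)n) return 0;
    close(fds[1]);
    for (int i = 0; i < 3; i++) got[i] = recv_bignum(fds[0], r[i], MAX_BN_BYTES);
    close(fds[0]);
    for (int i = 0; i < 3; i++)
        if (got[i] != lens[i] || memcmp(r[i], vals[i], lens[i]) != 0) return 0;
    return 1;
}
```

After recv_bignum() returns, the received p, g and public key still have to go through DH_check() / DH_check_pub_key() before any secret is applied to them, as the validation advice earlier in the thread says.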


Re: DH-algorithm using OpenSSL

2012-12-28 Thread Hemayamini Kurra
Thanks for the reply Jeff!!

The problem comes when I try to send the values of prime and publickey to
peer. As I am converting BIGNUM to binary and then at the peer the other
way round, The parameters are not received properly by the peer!!


On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton  wrote:

> On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
>  wrote:
> > Hello!!
> >
> > I am implementing DH algorithm using OpenSSL library.
> > My scenario is -
> > using DH key exchange algorithm for key generation and exchange between
> > client and server. Using DSA for two way authentication.
> > server:
> Could be tricky to get right, especially when you need semantic
> authentication over the process.
>
> > I have generated DH parameters using DH_generate_parameters()
> > I have generated the public and private keys using DH_generate_key()
> Don't forget to validate the key. If you don't validate a key, you
> cannot use it. For encryption, that means you don't apply your secret
> to an unvalidated key; and for signatures, you don't trust the outcome
> of the verification process.
>
> GnuPG is a special case. They used Lim-Lee primes and they can't be
> validated without obtaining the unique factorization. I would
> recommend asking for a key composed of a strong or safe prime or
> refuse to process their data (but I've always been
> defensive/paranoid).
>
> > I am using TCP socket programming in c to send the prime generator and
> > ...
> >
> > I am getting "segmentation fault".
> That sounds like a network programming problem. Have you been through
> W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network
> Programming"?
>
> Jeff


Re: DH-algorithm using OpenSSL

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra
 wrote:
> Hello!!
>
> I am implementing DH algorithm using OpenSSL library.
> My scenario is -
> using DH key exchange algorithm for key generation and exchange between
> client and server. Using DSA for two way authentication.
> server:
Could be tricky to get right, especially when you need semantic
authentication over the process.

> I have generated DH parameters using DH_generate_parameters()
> I have generated the public and private keys using DH_generate_key()
Don't forget to validate the key. If you don't validate a key, you
cannot use it. For encryption, that means you don't apply your secret
to an unvalidated key; and for signatures, you don't trust the outcome
of the verification process.

GnuPG is a special case. They used Lim-Lee primes and they can't be
validated without obtaining the unique factorization. I would
recommend asking for a key composed of a strong or safe prime or
refuse to process their data (but I've always been
defensive/paranoid).

> I am using TCP socket programming in c to send the prime generator and
> ...
>
> I am getting "segmentation fault".
That sounds like a network programming problem. Have you been through
W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network
Programming"?

Jeff


Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton  wrote:
> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller  wrote:
>> i compiled openssl with no-zlib
>>
>> ldd client
>> linux-vdso.so.1 =>  (0x7fff059ff000)
>> libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
>> libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
>> libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
>> libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
>> libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
>> /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
>>
>> it is still using the default libraries; when the client runs in this
>> environment, it suggests 2 compression methods in the handshake (NULL, and
>> )
>>
>> then I change the LD_LIBRARY_PATH env and run again:
>>
>>> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>>> ldd client
>> linux-vdso.so.1 =>  (0x7fff42cfa000)
>> libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
>> (0x7f76caf15000)
>> libcrypto.so.1.0.0 =>
>> /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
>> libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
>> libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
>> /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
>>
>> and in this environment (note that libz is missing), the client only
>> suggests 1 compression method (NULL) in the handshake.
>>
>> So, compiling with no-zlib is not sufficient for turning off compression.
>> It is also required to take specific actions to use the openssl libraries
>> compiled with the no-zlib option at runtime.
>>
>> I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
>> regardless of the linkage of zlib, but I haven't tested that proposal yet.
> This is bad news. I believe the redefinition is because I built the
> FIPS Object Module first according to the Security Policy (give or
> take). That meant no knob turning whatsoever, and I had to invoke
> 'configure' with no arguments.
>
> Then, when it came time for FIPS Capable OpenSSL:
>
> ./config --openssldir=/usr/local/ssl/iphoneos/
> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
Doh, SSL_OP_NO_COMPRESSION is a bit masked option, not a preprocessor
define.



Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller  wrote:
> i was going to do this:
>
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);
Yeah, it looks like that's the option. I would prefer to remove the
code paths all together though.

If the code path does not exist, it cannot be executed.

Jeff

> On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton  wrote:
>>
>> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller 
>> wrote:
>> > i compiled openssl with no-zlib
>> >
>> > ldd client
>> > linux-vdso.so.1 =>  (0x7fff059ff000)
>> > libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
>> > libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0
>> > (0x7fefcca17000)
>> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
>> > libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
>> > libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
>> > libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
>> > /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
>> >
>> > it is still using the default libraries; when the client runs in this
>> > environment, it suggests 2 compression methods in the handshake (NULL,
>> > and
>> > )
>> >
>> > then I change the LD_LIBRARY_PATH env and run again:
>> >
>> >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>> >> ldd client
>> > linux-vdso.so.1 =>  (0x7fff42cfa000)
>> > libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
>> > (0x7f76caf15000)
>> > libcrypto.so.1.0.0 =>
>> > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
>> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
>> > libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
>> > libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
>> > /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
>> >
>> > and in this environment (note that libz is missing), the client only
>> > suggests 1 compression method (NULL) in the handshake.
>> >
>> > So, compiling with no-zlib is not sufficient for turning off
>> > compression.
>> > It is also required to take specific actions to use the openssl
>> > libraries
>> > compiled with the no-zlib option at runtime.
>> >
>> > I expect that by using SSL_OP_NO_COMPRESSION, compression will
>> > be suppressed
>> > regardless of the linkage of zlib, but I haven't tested that proposal
>> > yet.
>> This is bad news. I believe the redefinition is because I built the
>> FIPS Object Module first according to the Security Policy (give or
>> take). That meant no knob turning whatsoever, and I had to invoke
>> 'configure' with no arguments.
>>
>> Then, when it came time for FIPS Capable OpenSSL:
>>
>> ./config --openssldir=/usr/local/ssl/iphoneos/
>> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
>> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
>>
>> which eventually results in:
>>
>> ...
>> ../../util/domd ../.. -MD
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
>> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
>> armv7 -O3 -isysroot
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
>> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
>> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
>> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
>> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
>> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
>> making depend in crypto/cmac...
>> ../../util/domd ../.. -MD
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
>> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
>> armv7 -O3 -isysroot
>>
>> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
>> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
>> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
>> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
>> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
>> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
>> making depend in ssl...
>> In file included from ssl_locl.h:165,
>>  from s2_meth.c:59:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> : error: this is the location of the previous definition
>> In file included from ssl_locl.h:165,
>>  from s2_srvr.c:112:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> : error: this is the location of the previous definition
>> In file included from ssl_locl.h:165,
>>  from s2_clnt.c:112:
>> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
>> : error: this is the location of the previou

Re: ./config and -no-zlib

2012-12-28 Thread Michael Mueller
i was going to do this:

SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);


On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton  wrote:

> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller 
> wrote:
> > i compiled openssl with no-zlib
> >
> > ldd client
> > linux-vdso.so.1 =>  (0x7fff059ff000)
> > libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
> > libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0
> (0x7fefcca17000)
> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
> > libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
> > libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
> > libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
> > /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
> >
> > it is still using the default libraries; when the client runs in this
> > environment, it suggests 2 compression methods in the handshake (NULL,
> and
> > )
> >
> > then I change the LD_LIBRARY_PATH env and run again:
> >
> >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
> >> ldd client
> > linux-vdso.so.1 =>  (0x7fff42cfa000)
> > libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
> > (0x7f76caf15000)
> > libcrypto.so.1.0.0 =>
> > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
> > libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
> > libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
> > /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
> >
> > and in this environment (note that libz is missing), the client only
> > suggests 1 compression method (NULL) in the handshake.
> >
> > So, compiling with no-zlib is not sufficient for turning off compression.
> > It is also required to take specific actions to use the openssl libraries
> > compiled with the no-zlib option at runtime.
> >
> > I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
> > regardless of the linkage of zlib, but I haven't tested that proposal
> yet.
> This is bad news. I believe the redefinition is because I built the
> FIPS Object Module first according to the Security Policy (give or
> take). That meant no knob turning whatsoever, and I had to invoke
> 'configure' with no arguments.
>
> Then, when it came time for FIPS Capable OpenSSL:
>
> ./config --openssldir=/usr/local/ssl/iphoneos/
> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION
>
> which eventually results in:
>
> ...
> ../../util/domd ../.. -MD
>
> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
> armv7 -O3 -isysroot
>
> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
> making depend in crypto/cmac...
> ../../util/domd ../.. -MD
>
> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
> armv7 -O3 -isysroot
>
> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
> -I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
> making depend in ssl...
> In file included from ssl_locl.h:165,
>  from s2_meth.c:59:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> : error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>  from s2_srvr.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> : error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>  from s2_clnt.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> : error: this is the location of the previous definition
> In file included from ssl_locl.h:165,
>  from s2_lib.c:112:
> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
> : error: this is the location of the previous definition
> ...
> [30 or 50 or so duplicate errors removed]
> ...
>
> : error: this is the location of the previous definition
> m

Re: ./config and -no-zlib

2012-12-28 Thread Jeffrey Walton
On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller  wrote:
> i compiled openssl with no-zlib
>
> ldd client
> linux-vdso.so.1 =>  (0x7fff059ff000)
> libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
> libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
> libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
> libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
> libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
> libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
> /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)
>
> it is still using the default libraries; when the client runs in this
> environment, it suggests 2 compression methods in the handshake (NULL, and
> )
>
> then I change the LD_LIBRARY_PATH env and run again:
>
>> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
>> ldd client
> linux-vdso.so.1 =>  (0x7fff42cfa000)
> libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
> (0x7f76caf15000)
> libcrypto.so.1.0.0 =>
> /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)
> libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)
> libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)
> libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)
> /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)
>
> and in this environment (note that libz is missing), the client only
> suggests 1 compression method (NULL) in the handshake.
>
> So, compiling with no-zlib is not sufficient for turning off compression.
> It is also required to take specific actions to use the openssl libraries
> compiled with the no-zlib option at runtime.
>
> I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
> regardless of the linkage of zlib, but I haven't tested that proposal yet.
This is bad news. I believe the redefinition is because I built the
FIPS Object Module first according to the Security Policy (give or
take). That meant no knob turning whatsoever, and I had to invoke
'configure' with no arguments.

Then, when it came time for FIPS Capable OpenSSL:

./config --openssldir=/usr/local/ssl/iphoneos/
--with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib
-no-shared -no-dso -DSSL_OP_NO_COMPRESSION

which eventually results in:

...
../../util/domd ../.. -MD
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
-M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
armv7 -O3 -isysroot
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
-fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
-I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
-DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
-DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
-DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  srp_lib.c srp_vfy.c
making depend in crypto/cmac...
../../util/domd ../.. -MD
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc
-M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch
armv7 -O3 -isysroot
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
-fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1
-I../evp -I../../include  -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS
-DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE
-DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779
-DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE --  cmac.c cm_ameth.c cm_pmeth.c
making depend in ssl...
In file included from ssl_locl.h:165,
 from s2_meth.c:59:
../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_srvr.c:112:
../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_clnt.c:112:
../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
: error: this is the location of the previous definition
In file included from ssl_locl.h:165,
 from s2_lib.c:112:
../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined
: error: this is the location of the previous definition
...
[30 or 50 or so duplicate errors removed]
...

: error: this is the location of the previous definition
make[1]: *** [depend] Error 1
make: *** [depend] Error 1

> On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton  wrote:
>>
>> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
>> is compression available through other libraries?

Re: ./config and -no-zlib

2012-12-28 Thread Michael Mueller
i compiled openssl with no-zlib

here is ldd of my client:

> ldd client
linux-vdso.so.1 =>  (0x7fff059ff000)
libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000)
libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000)
libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000)
libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000)
libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000)
/lib64/ld-linux-x86-64.so.2 (0x7fefcd025000)

it is still using the default libraries; when the client runs in this
environment, it suggests 2 compression methods in the handshake (NULL, and
)

then I change the LD_LIBRARY_PATH env and run again:

> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib
> ldd client
linux-vdso.so.1 =>  (0x7fff42cfa000)

libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0
(0x7f76caf15000)
libcrypto.so.1.0.0 =>
/home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000)

libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000)

libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000)

libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000)

/lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000)

and in this environment (note that libz is missing), the client only
suggests 1 compression method (NULL) in the handshake.

So, compiling with no-zlib is not sufficient for turning off compression.
It is also required to take specific actions to use the openssl libraries
compiled with the no-zlib option at runtime.

I expect that by using SSL_OP_NO_COMPRESSION, compression will be suppressed
regardless of the linkage of zlib, but I haven't tested that proposal yet.


On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton  wrote:

> Hi All,
>
> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or
> is compression available through other libraries?
>
> Jeff