Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 6:32 PM, Dr. Stephen Henson wrote: > On Fri, Dec 28, 2012, Jeffrey Walton wrote: > >> On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller wrote: >> > i was going to do this: >> > >> > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION); >> Yeah, it looks like that's the option. I would prefer to remove the >> code paths all together though. >> >> If the code path does not exist, it cannot be executed. >> > > Unless OpenSSL has been build with the zlib or zlib-dynamic option it wont use > zlib. Since that's the only compression method standardised for SSL/TLS it > effectively disables compression for SSL/TLS as a side effect as there are no > compression methods available. > > If you want to use zlib for other purposes (e.g. the command line option or > CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the > "no-comp" option but include zlib or zlib-dynamic. I think that's what I am looking for. -no-zlib was the proverbial cannon ball killing the fly. > All of the above options apply to the OpenSSL library only: so an application > needs to be linked to that version of OpenSSL to disable compression. > > There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable > compression for SSL/TLS even if the application is linked against a version of > OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL > already disables SSL/TLS compression that option has no effect. Thanks Dr. Henson. I think I need to file a feature request to make SSL_OP_NO_COMPRESSION a macro too so I can use it during preprocessing :o Jeff Thanks Dr. Hesn. I think I need to file a feature request for __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ./config and -no-zlib
On Fri, Dec 28, 2012, Jeffrey Walton wrote: > On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller wrote: > > i was going to do this: > > > > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION); > Yeah, it looks like that's the option. I would prefer to remove the > code paths all together though. > > If the code path does not exist, it cannot be executed. > Unless OpenSSL has been build with the zlib or zlib-dynamic option it wont use zlib. Since that's the only compression method standardised for SSL/TLS it effectively disables compression for SSL/TLS as a side effect as there are no compression methods available. If you want to use zlib for other purposes (e.g. the command line option or CMS) but disable its use for SSL/TLS you'd compile OpenSSL with the "no-comp" option but include zlib or zlib-dynamic. All of the above options apply to the OpenSSL library only: so an application needs to be linked to that version of OpenSSL to disable compression. There is also the runtime option SSL_OP_NO_COMPRESSION. That will disable compression for SSL/TLS even if the application is linked against a version of OpenSSL with SSL/TLS compression enabled. If the linked version of OpenSSL already disables SSL/TLS compression that option has no effect. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH-algorithm using OpenSSL
On Fri, Dec 28, 2012 at 4:32 PM, Hemayamini Kurra wrote: > Thanks for the reply Jeff!! > > The problem comes when I try to send the values of prime and publickey to > peer. As I am converting BIGNUM to binary and then at the peer the other way > round, The parameters are not received properly by the peer!! Use BSON to package the data. It sounds like its a presentation layer problem. Jeff > On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton wrote: >> >> On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra >> wrote: >> > Hello!! >> > >> > I am implementing DH algorithm using OpenSSL library. >> > My scenario is - >> > using DH key exchange algorithm for key generation and exchange between >> > client and server. Using DSA for two way authentication. >> > server: >> Could be tricky to get right, especially when you need semantic >> authentication over the process. >> >> > I have generated DH parameters using DH_generate_parameters() >> > I have generated the public and private keys using DH_generate_key() >> Don't forget to validate the key. If you don't validate a key, you >> cannot use it. For encryption, that means you don't apply your secret >> to an unvalidated key; and for signatures, you don't trust the outcome >> of the verification process. >> >> GnuPG is a special case. They used Lim-Lee primes and they can't be >> validated without obtaining the unique factorization. I would >> recommend asking for a key composed of a strong or safe prime or >> refuse to process their data (but I've always been >> defensive/paranoid). >> >> > I am using TCP socket programming in c to send the prime generator and >> > ... >> > >> > I am getting "segmentation fault". >> That sounds like a network programming problem. Have you been through >> W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network >> Programming"? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: DH-algorithm using OpenSSL
Thanks for the reply Jeff!! The problem comes when I try to send the values of prime and publickey to peer. As I am converting BIGNUM to binary and then at the peer the other way round, The parameters are not received properly by the peer!! On Fri, Dec 28, 2012 at 2:28 PM, Jeffrey Walton wrote: > On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra > wrote: > > Hello!! > > > > I am implementing DH algorithm using OpenSSL library. > > My scenario is - > > using DH key exchange algorithm for key generation and exchange between > > client and server. Using DSA for two way authentication. > > server: > Could be tricky to get right, especially when you need semantic > authentication over the process. > > > I have generated DH parameters using DH_generate_parameters() > > I have generated the public and private keys using DH_generate_key() > Don't forget to validate the key. If you don't validate a key, you > cannot use it. For encryption, that means you don't apply your secret > to an unvalidated key; and for signatures, you don't trust the outcome > of the verification process. > > GnuPG is a special case. They used Lim-Lee primes and they can't be > validated without obtaining the unique factorization. I would > recommend asking for a key composed of a strong or safe prime or > refuse to process their data (but I've always been > defensive/paranoid). > > > I am using TCP socket programming in c to send the prime generator and > > ... > > > > I am getting "segmentation fault". > That sounds like a network programming problem. Have you been through > W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network > Programming"? > > Jeff > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >
Re: DH-algorithm using OpenSSL
On Fri, Dec 28, 2012 at 3:37 PM, Hemayamini Kurra wrote: > Hello!! > > I am implementing DH algorithm using OpenSSL library. > My scenario is - > using DH key exchange algorithm for key generation and exchange between > client and server. Using DSA for two way authentication. > server: Could be tricky to get right, especially when you need semantic authentication over the process. > I have generated DH parameters using DH_generate_parameters() > I have generated the public and private keys using DH_generate_key() Don't forget to validate the key. If you don't validate a key, you cannot use it. For encryption, that means you don't apply your secret to an unvalidated key; and for signatures, you don't trust the outcome of the verification process. GnuPG is a special case. They used Lim-Lee primes and they can't be validated without obtaining the unique factorization. I would recommend asking for a key composed of a strong or safe prime or refuse to process their data (but I've always been defensive/paranoid). > I am using TCP socket programming in c to send the prime generator and > ... > > I am getting "segmentation fault". That sounds like a network programming problem. Have you been through W. Richard Stevens' "TCP/IP Illustrated" or "UNIX Network Programming"? Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton wrote: > On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller wrote: >> i compiled openssl with no-zlib >> >> ldd client >> linux-vdso.so.1 => (0x7fff059ff000) >> libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000) >> libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000) >> libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000) >> libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000) >> libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000) >> libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000) >> /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000) >> >> it is still using the default libraries; when the client runs in this >> environment, it suggests 2 compression methods in the handshake (NULL, and >> ) >> >> then I change the LD_LIBRARY_PATH env and run again: >> >>> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib >>> ldd client >> linux-vdso.so.1 => (0x7fff42cfa000) >> libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 >> (0x7f76caf15000) >> libcrypto.so.1.0.0 => >> /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000) >> libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000) >> libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000) >> libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000) >> /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000) >> >> and in this environment (note that libz is missing), the client only >> suggests 1 compression method (NULL) in the handshake. >> >> So, compiling with no-zlib is not sufficient for turning off compression. >> It is also required to take specific actions to use the openssl libraries >> compiled with the no-zlib option at runtime. >> >> I expect that by using SSL_OP_NO_COMPRESSION, compression will suppressed >> regardless of the linkage of zlib, but I haven't tested that proposal yet. > This is bad news I believe the redefinition is because I built the > FIPS Object Module first according to the Security Policy (give or > take). That meant no knob turning whatsoever, and I had to invoke > 'configure' with no arguments. > > Then, when it came time for FIPS Capable OpenSSL: > > ./config --openssldir=/usr/local/ssl/iphoneos/ > --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib > -no-shared -no-dso -DSSL_OP_NO_COMPRESSION Doh, SSL_OP_NO_COMPRESSION is a bit masked option, not a preprocessor define. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 3:23 PM, Michael Mueller wrote: > i was going to do this: > > SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION); Yeah, it looks like that's the option. I would prefer to remove the code paths all together though. If the code path does not exist, it cannot be executed. Jeff > On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton wrote: >> >> On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller >> wrote: >> > i compiled openssl with no-zlib >> > >> > ldd client >> > linux-vdso.so.1 => (0x7fff059ff000) >> > libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000) >> > libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 >> > (0x7fefcca17000) >> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000) >> > libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000) >> > libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000) >> > libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000) >> > /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000) >> > >> > it is still using the default libraries; when the client runs in this >> > environment, it suggests 2 compression methods in the handshake (NULL, >> > and >> > ) >> > >> > then I change the LD_LIBRARY_PATH env and run again: >> > >> >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib >> >> ldd client >> > linux-vdso.so.1 => (0x7fff42cfa000) >> > libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 >> > (0x7f76caf15000) >> > libcrypto.so.1.0.0 => >> > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000) >> > libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000) >> > libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000) >> > libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000) >> > /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000) >> > >> > and in this environment (note that libz is missing), the client only >> > suggests 1 compression method (NULL) in the handshake. >> > >> > So, compiling with no-zlib is not sufficient for turning off >> > compression. >> > It is also required to take specific actions to use the openssl >> > libraries >> > compiled with the no-zlib option at runtime. >> > >> > I expect that by using SSL_OP_NO_COMPRESSION, compression will >> > suppressed >> > regardless of the linkage of zlib, but I haven't tested that proposal >> > yet. >> This is bad news I believe the redefinition is because I built the >> FIPS Object Module first according to the Security Policy (give or >> take). That meant no knob turning whatsoever, and I had to invoke >> 'configure' with no arguments. >> >> Then, when it came time for FIPS Capable OpenSSL: >> >> ./config --openssldir=/usr/local/ssl/iphoneos/ >> --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib >> -no-shared -no-dso -DSSL_OP_NO_COMPRESSION >> >> which eventually results in: >> >> ... >> ../../util/domd ../.. -MD >> >> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc >> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch >> armv7 -O3 -isysroot >> >> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk >> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 >> -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS >> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE >> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 >> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- srp_lib.c srp_vfy.c >> making depend in crypto/cmac... >> ../../util/domd ../.. -MD >> >> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc >> -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch >> armv7 -O3 -isysroot >> >> /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk >> -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 >> -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS >> -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE >> -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 >> -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- cmac.c cm_ameth.c cm_pmeth.c >> making depend in ssl... >> In file included from ssl_locl.h:165, >> from s2_meth.c:59: >> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined >> : error: this is the location of the previous definition >> In file included from ssl_locl.h:165, >> from s2_srvr.c:112: >> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined >> : error: this is the location of the previous definition >> In file included from ssl_locl.h:165, >> from s2_clnt.c:112: >> ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined >> : error: this is the location of the previou
Re: ./config and -no-zlib
i was going to do this: SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION); On Fri, Dec 28, 2012 at 3:14 PM, Jeffrey Walton wrote: > On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller > wrote: > > i compiled openssl with no-zlib > > > > ldd client > > linux-vdso.so.1 => (0x7fff059ff000) > > libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000) > > libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 > (0x7fefcca17000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000) > > libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000) > > libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000) > > libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000) > > /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000) > > > > it is still using the default libraries; when the client runs in this > > environment, it suggests 2 compression methods in the handshake (NULL, > and > > ) > > > > then I change the LD_LIBRARY_PATH env and run again: > > > >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib > >> ldd client > > linux-vdso.so.1 => (0x7fff42cfa000) > > libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 > > (0x7f76caf15000) > > libcrypto.so.1.0.0 => > > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000) > > libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000) > > libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000) > > libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000) > > /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000) > > > > and in this environment (note that libz is missing), the client only > > suggests 1 compression method (NULL) in the handshake. > > > > So, compiling with no-zlib is not sufficient for turning off compression. > > It is also required to take specific actions to use the openssl libraries > > compiled with the no-zlib option at runtime. > > > > I expect that by using SSL_OP_NO_COMPRESSION, compression will suppressed > > regardless of the linkage of zlib, but I haven't tested that proposal > yet. > This is bad news I believe the redefinition is because I built the > FIPS Object Module first according to the Security Policy (give or > take). That meant no knob turning whatsoever, and I had to invoke > 'configure' with no arguments. > > Then, when it came time for FIPS Capable OpenSSL: > > ./config --openssldir=/usr/local/ssl/iphoneos/ > --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib > -no-shared -no-dso -DSSL_OP_NO_COMPRESSION > > which eventually results in: > > ... > ../../util/domd ../.. -MD > > /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc > -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch > armv7 -O3 -isysroot > > /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk > -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 > -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS > -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE > -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 > -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- srp_lib.c srp_vfy.c > making depend in crypto/cmac... > ../../util/domd ../.. -MD > > /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc > -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch > armv7 -O3 -isysroot > > /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk > -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 > -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS > -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE > -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 > -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- cmac.c cm_ameth.c cm_pmeth.c > making depend in ssl... > In file included from ssl_locl.h:165, > from s2_meth.c:59: > ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined > : error: this is the location of the previous definition > In file included from ssl_locl.h:165, > from s2_srvr.c:112: > ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined > : error: this is the location of the previous definition > In file included from ssl_locl.h:165, > from s2_clnt.c:112: > ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined > : error: this is the location of the previous definition > In file included from ssl_locl.h:165, > from s2_lib.c:112: > ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined > : error: this is the location of the previous definition > ... > [30 or 50 or so duplicate errors removed] > ... > > : error: this is the location of the previous definition > m
Re: ./config and -no-zlib
On Fri, Dec 28, 2012 at 7:48 AM, Michael Mueller wrote: > i compiled openssl with no-zlib > > ldd client > linux-vdso.so.1 => (0x7fff059ff000) > libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000) > libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000) > libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000) > libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000) > libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000) > /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000) > > it is still using the default libraries; when the client runs in this > environment, it suggests 2 compression methods in the handshake (NULL, and > ) > > then I change the LD_LIBRARY_PATH env and run again: > >> export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib >> ldd client > linux-vdso.so.1 => (0x7fff42cfa000) > libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 > (0x7f76caf15000) > libcrypto.so.1.0.0 => > /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000) > libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000) > libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000) > libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000) > /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000) > > and in this environment (note that libz is missing), the client only > suggests 1 compression method (NULL) in the handshake. > > So, compiling with no-zlib is not sufficient for turning off compression. > It is also required to take specific actions to use the openssl libraries > compiled with the no-zlib option at runtime. > > I expect that by using SSL_OP_NO_COMPRESSION, compression will suppressed > regardless of the linkage of zlib, but I haven't tested that proposal yet. This is bad news I believe the redefinition is because I built the FIPS Object Module first according to the Security Policy (give or take). That meant no knob turning whatsoever, and I had to invoke 'configure' with no arguments. Then, when it came time for FIPS Capable OpenSSL: ./config --openssldir=/usr/local/ssl/iphoneos/ --with-fipsdir=/usr/local/ssl/iphoneos/ -no-dtls -no-hw -no-zlib -no-shared -no-dso -DSSL_OP_NO_COMPRESSION which eventually results in: ... ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- srp_lib.c srp_vfy.c making depend in crypto/cmac... ../../util/domd ../.. -MD /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/llvm-gcc -M -- -DOPENSSL_THREADS -D_REENTRANT -DSSL_OP_NO_COMPRESSION -arch armv7 -O3 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk -fomit-frame-pointer -fno-common -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_DTLS -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -- cmac.c cm_ameth.c cm_pmeth.c making depend in ssl... In file included from ssl_locl.h:165, from s2_meth.c:59: ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined : error: this is the location of the previous definition In file included from ssl_locl.h:165, from s2_srvr.c:112: ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined : error: this is the location of the previous definition In file included from ssl_locl.h:165, from s2_clnt.c:112: ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined : error: this is the location of the previous definition In file included from ssl_locl.h:165, from s2_lib.c:112: ../include/openssl/ssl.h:583:1: error: "SSL_OP_NO_COMPRESSION" redefined : error: this is the location of the previous definition ... [30 or 50 or so duplicate errors removed] ... : error: this is the location of the previous definition make[1]: *** [depend] Error 1 make: *** [depend] Error 1 > On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton wrote: >> >> Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or >> is compression available through other libraries? __ OpenSSL Project
Re: ./config and -no-zlib
i compiled openssl with no-zlib here is ldd of my client: > ldd client linux-vdso.so.1 => (0x7fff059ff000) libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x7fefccdc9000) libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x7fefcca17000) libpthread.so.0 => /lib64/libpthread.so.0 (0x7fefcc7fa000) libc.so.6 => /lib64/libc.so.6 (0x7fefcc48d000) libdl.so.2 => /lib64/libdl.so.2 (0x7fefcc289000) libz.so.1 => /lib64/libz.so.1 (0x7fefcc071000) /lib64/ld-linux-x86-64.so.2 (0x7fefcd025000) it is still using the default libraries; when the client runs in this environment, it suggests 2 compression methods in the handshake (NULL, and ) then I change the LD_LIBRARY_PATH env and run again: > export LD_LIBRARY_PATH=/home/mike02/wrk/openssl/lib > ldd client linux-vdso.so.1 => (0x7fff42cfa000) libssl.so.1.0.0 => /home/mike02/wrk/openssl/lib/libssl.so.1.0.0 (0x7f76caf15000) libcrypto.so.1.0.0 => /home/mike02/wrk/openssl/lib/libcrypto.so.1.0.0 (0x7f76cab34000) libpthread.so.0 => /lib64/libpthread.so.0 (0x7f76ca917000) libc.so.6 => /lib64/libc.so.6 (0x7f76ca5aa000) libdl.so.2 => /lib64/libdl.so.2 (0x7f76ca3a6000) /lib64/ld-linux-x86-64.so.2 (0x7f76cb17f000) and in this environment (note that libz is missing), the client only suggests 1 compression method (NULL) in the handshake. So, compiling with no-zlib is not sufficient for turning off compression. It is also required to take specific actions to use the openssl libraries compiled with the no-zlib option at runtime. I expect that by using SSL_OP_NO_COMPRESSION, compression will suppressed regardless of the linkage of zlib, but I haven't tested that proposal yet. On Tue, Dec 25, 2012 at 12:27 PM, Jeffrey Walton wrote: > Hi All, > > Is it sufficient to use -no-zlib to turn off SSL/TLS compression? Or > is compression available through other libraries? > > Jeff > __ > OpenSSL Project http://www.openssl.org > User Support Mailing Listopenssl-users@openssl.org > Automated List Manager majord...@openssl.org >