Re: Obtaining a TLS session key
On 7/02/2013 7:11 p.m., Viktor Dukhovni wrote:
> On Thu, Feb 07, 2013 at 11:12:13AM +1300, T J wrote:
>> Sorry to keep hammering away at this, but I think I am missing
>> something here.
>>
>> OpenSSL does all this for a TLS connection anyway right? I mean,
>> after a handshake, encryption keys, IV's etc are generated so that
>> the TLS connection can use them for encrypting/decrypting data.
>> Surely I shouldn't have to reinvent the wheel and do what OpenSSL
>> already does...
>>
>> All I want to do is get those keys, after the connection has been
>> established and use them directly in my own app instead of using the
>> SSL connection normally. Isn't there something like
>> ssl->s3->final_key ?
>
> It is bad practice to clone keys. You should also not depend on
> OpenSSL negotiating a particular algorithm. OpenSSL's keys are for
> the OpenSSL session only. Keys for your application should be the
> result of a suitably independent KDF.

Well I wouldn't be cloning keys if I'm not using the OpenSSL session. Once keys have been negotiated, I intend to immediately close the connection and only reuse the session if I need a new key. I'll also make sure both server and client only use one algorithm. This is not your typical internet based client/public server scenario. I just need a certificate based authenticated key which SSL/TLS can provide.

From what I understand so far, the "KeyBlock" is the place to look for the key? It's just a matter of getting the sizes and order of the individual Keys and IV's so that I can extract the bits I need. Any pointers in that area?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Problems creating valid signing certificates
On Wed, February 6, 2013 23:47, Thomas Koeller wrote:
> bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver cacert/host_ca.pem
> cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
> error 26 at 0 depth lookup:unsupported certificate purpose
> OK
>
> Can anybody tell why I am getting this error, and what I should do about
> it?

I think this is correct, you tested your CA intermediate certificate ... because of this:

> SSL server : No
> SSL server CA : Yes

I get the same with my CA by the way, your CA certificates have a very long validity, which key length did you use?

openssl verify -x509_strict -CAfile concatCA.pem -purpose sslserver ssl.pem

concatCA.pem is just this

( cat cacert/root_ca.pem; cat cacert/host_ca.pem ) > concatCA.pem

ssl.pem is signed with the intermediate cert cacert/host_ca.pem and is used for your Webserver ... will give you just ok.

Walter
Re: Obtaining a TLS session key
On Thu, Feb 07, 2013 at 11:12:13AM +1300, T J wrote:
> Sorry to keep hammering away at this, but I think I am missing
> something here.
>
> OpenSSL does all this for a TLS connection anyway right? I mean,
> after a handshake, encryption keys, IV's etc are generated so that
> the TLS connection can use them for encrypting/decrypting data.
> Surely I shouldn't have to reinvent the wheel and do what OpenSSL
> already does...
>
> All I want to do is get those keys, after the connection has been
> established and use them directly in my own app instead of using the
> SSL connection normally. Isn't there something like
> ssl->s3->final_key ?

It is bad practice to clone keys. You should also not depend on OpenSSL negotiating a particular algorithm. OpenSSL's keys are for the OpenSSL session only. Keys for your application should be the result of a suitably independent KDF.

--
Viktor.
Problems creating valid signing certificates
Hi,

I am trying to create a certificate chain that I intend to use for signing SSL/TLS host certificates. The chain consists of a self-signed root certificate, and an intermediate certificate which will be used to sign the actual server certificates. The root certificate looks like this:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in cacert/root_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        Validity
            Not Before: Feb 6 00:03:53 2013 GMT
            Not After : Jun 6 00:03:53 2060 GMT
        Subject: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Certificate Sign
Trusted Uses:
  TLS Web Client Authentication, TLS Web Server Authentication, E-mail Protection
No Rejected Uses.
Alias: Root Signing Certificate
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : No
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

And here is the intermediate certificate:

bash-4.0$ openssl x509 -noout -text -nameopt oneline,-esc_msb,utf8 -certopt no_pubkey,no_sigdump -purpose -in cacert/host_ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, ST = Hamburg, L = Hamburg, O = Köller Family, OU = Network Administration, CN = Köller Family Root Signing Certificate
        Validity
            Not Before: Feb 6 00:03:53 2013 GMT
            Not After : Jun 5 23:59:59 2059 GMT
        Subject: C = DE, ST = Hamburg, O = Köller Family, OU = Köller Family Certification Authority, CN = Köller Family Host Signing Certificate
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
Certificate purposes:
SSL client : No
SSL client CA : Yes
SSL server : No
SSL server CA : Yes
Netscape SSL server : No
Netscape SSL server CA : Yes
S/MIME signing : No
S/MIME signing CA : Yes
S/MIME encryption : No
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes

To me, this looks just as I would expect, however, if I try to validate the chain, I get an error message:

bash-4.0$ openssl verify -x509_strict -CAfile cacert/root_ca.pem -purpose sslserver cacert/host_ca.pem
cacert/host_ca.pem: C = DE, ST = Hamburg, O = K\C3\B6ller Family, OU = K\C3\B6ller Family Certification Authority, CN = K\C3\B6ller Family Host Signing Certificate
error 26 at 0 depth lookup:unsupported certificate purpose
OK

Can anybody tell why I am getting this error, and what I should do about it?

Thanks,
Thomas
Re: Obtaining a TLS session key
Sorry to keep hammering away at this, but I think I am missing something here.

OpenSSL does all this for a TLS connection anyway right? I mean, after a handshake, encryption keys, IV's etc are generated so that the TLS connection can use them for encrypting/decrypting data. Surely I shouldn't have to reinvent the wheel and do what OpenSSL already does...

All I want to do is get those keys, after the connection has been established and use them directly in my own app instead of using the SSL connection normally. Isn't there something like ssl->s3->final_key ?

On 01/02/13 17:26, Viktor Dukhovni wrote:
> On Fri, Feb 01, 2013 at 10:05:15AM +1300, T J wrote:
>>> These are sufficient to generate a session unique key via a suitable
>>> KDF salted with an application-specific string.
>>
>> OK, great. So I get the master key and run it through the a KDF and
>> I get a 256 bit encryption key for use in my application. Sounds
>> easy...
>
> Not just the master key, also the client_random, server_random
> (from the SSL handshake) and a *fixed* application-specific salt,
> that yields a different key than another application might derive
> under the same conditions.
>
>> Question 1: previously, you said: ... the expansion function of HKDF
>> is a reasonable choice. ... but now you mention salt which implies I
>> should also use the extraction stage. If the salt is random, doesn't
>> that mean the client and server would end up with different keys?
>
> The salt is the same on client and server.
>
>> Question 2: Where do the client_random and server_random values come
>> from and what are they for?
>
> The SSL handshake, IIRC the master secret does not change when a
> session is reused, but client random and server_random do.
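The derivation described in the thread above, as an added example (not code from the thread or from OpenSSL): HKDF per RFC 5869 with a fixed application-specific salt, the master secret as input keying material, and the two handshake randoms bound in through the info field. The salt string, the info layout, the choice of SHA-256 and all sample byte values are assumptions constructed for illustration.

```python
"""HKDF (RFC 5869) deriving an application key from TLS handshake values.

Every handshake value below is constructed sample data, not a captured session.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Assumption: a fixed salt compiled into both client and server of one application.
APP_SALT = b"example-app/v1 key derivation salt"
# Assumption: a label naming what the derived key is used for.
APP_LABEL = b"example-app data key"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC default: HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(n) = HMAC-Hash(PRK, T(n-1) | info | n)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_app_key(master_secret: bytes, client_random: bytes,
                   server_random: bytes, salt: bytes = APP_SALT,
                   length: int = 32) -> bytes:
    """Derive a 256-bit application key from one handshake's values.

    The master secret is the secret input; the randoms are public but change
    on every handshake, including resumed sessions, so they go into `info`.
    All three fields are fixed-length, so plain concatenation is unambiguous.
    """
    if len(master_secret) != 48:
        raise ValueError("TLS master secret must be 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms must be 32 bytes each")
    prk = hkdf_extract(salt, master_secret)
    info = APP_LABEL + client_random + server_random
    return hkdf_expand(prk, info, length)


# Constructed sample values standing in for what each peer reads after a handshake.
MASTER = bytes(range(48))
CLIENT_RANDOM_FULL = bytes([0xC1]) * 32
SERVER_RANDOM_FULL = bytes([0x51]) * 32
CLIENT_RANDOM_RESUMED = bytes([0xC2]) * 32
SERVER_RANDOM_RESUMED = bytes([0x52]) * 32


def demo() -> dict:
    """Return the keys for the cases discussed in the thread."""
    return {
        # Both peers hold the same inputs, so they compute the same key.
        "client": derive_app_key(MASTER, CLIENT_RANDOM_FULL, SERVER_RANDOM_FULL),
        "server": derive_app_key(MASTER, CLIENT_RANDOM_FULL, SERVER_RANDOM_FULL),
        # Resumed session: same master secret, fresh randoms, different key.
        "resumed": derive_app_key(MASTER, CLIENT_RANDOM_RESUMED,
                                  SERVER_RANDOM_RESUMED),
        # Another application with its own salt gets an unrelated key.
        "other_app": derive_app_key(MASTER, CLIENT_RANDOM_FULL,
                                    SERVER_RANDOM_FULL,
                                    salt=b"some-other-app/v1 salt"),
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:10s} {key.hex()}")
```

OpenSSL 1.0.1 and later also provide SSL_export_keying_material() (RFC 5705), which performs a labelled derivation from the same handshake values inside the library.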
Re: fipslink
On Wed, Feb 6, 2013 at 2:40 PM, Memmott, Lester wrote:
> Jon,
>
> I’m having trouble with fipslink as well and thought it might help to compare
> notes. These are the linker errors I’m getting using Visual Studio 2008:
> fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char * FIPS_signature" (?FIPS_signature@@3PAEA)
> fips_premain.obj : error LNK2001: unresolved external symbol "void const * __cdecl FIPS_text_start(void)" (?FIPS_text_start@@YAPBXXZ)
> fips_premain.obj : error LNK2001: unresolved external symbol "unsigned int __cdecl FIPS_incore_fingerprint(unsigned char *,unsigned int)" (?FIPS_incore_fingerprint@@YAIPAEI@Z)
>
> What linker errors do you get?

It looks like you are not compiling fips_premain.c (that's where those symbols are allocated storage).

Jeff
RE: fipslink
LM,

I attempted to duplicate your work and mostly get to the same place as you. Here are my notes.

nmake -f ms\ntdll.mak test //The tests fail for me with 'rsa_test' is not recognized as an internal or external command.
- I get the same 'rsa_test' error

perl Configure VC-WIN32 no-asm fips
- I didn't specify directories, so I think openssl grabs the fips files from \usr\local\SSL\fips-2.0:

I hadn't run this before:
openssl-fips-2.0.2\outdll>nmake -f ms\ntdll.mak test
- My fips tests all complete or "failure as expeted".

I also did:
openssl-1.0.1c>nmake -f ms\ntdll.mak install

My source code is the same as yours except I changed:
1) Change the exit() to call my own Exit() function
2) Used TCHAR inside my _tmain so argv matches types
3) Used C++ cout, cin in a few places and added needed header files
none of which should make a difference for the linking issues we see

Differences in my previous attempt to use fipslink:
I created a full VED.mak file based on ntdll.mak that has fipslink and bunch of symbols in it instead of your shorter batch file method.
I ran into problems because I wasn't using the installed locations (from ntdll.mak install).
I didn't use the "msincore" step.
I'm building in Debug mode, not Release

I finished testing with your batch and rsp files. I had to change paths to get it to work in my environment. I get the same link errors as you, but I also get my previous link errors as well. I tried removing fips_premain.obj and then just got my older link errors. I tried adding fipscanister.lib, which removed my older link errors, but the others stayed.

I end up with two fips_premain.obj. One that goes with my VS project and the other that is created by fipslink. If I use the fipslink one I get additional warnings:
MSVCRT.lib(MSVCRT.DLL) : error LNK2005: _fopen already defined in LIBC.lib(fopen.obj)
...and similar for about 6 system calls.
Thanks,
-Jon
Re: Issue with 1.0.1d with Apache 2.2.23
> Original Message
>From: "James"
>To: openssl-users@openssl.org
>Sent: Wed, Feb 6, 2013, 2:50 PM
>Subject: Issue with 1.0.1d with Apache 2.2.23
>
>I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in
>but disabled, which has always been the case in the past. Our application runs
>in a browser using Apache 2.2.23 and mod_ssl which is compiled against
>OpenSSL. Testing has revealed that HTTP requests work fine, however, HTTPS
>requests throw a 403. The following is exhibited in the access_log
>
>a.b.c.d - - [06/Feb/2013:14:18:39 -0500] "GlET / HTTP/1.1" 403 202
>a.b.c.d - - [06/Feb/2013:14:18:41 -0500] "\xf2G:ET /favicon.ico HTTP/1.1" 403 213
>a.b.c.d - - [06/Feb/2013:14:32:00 -0500] "GVET / HTTP/1.1" 403 202
>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\xb3G\xc1ET /favicon.ico HTTP/1.1" 403 213
>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x1aG\x9eET / HTTP/1.1" 403 202
>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "tG\xfcET /favicon.ico HTTP/1.1" 403 213
>a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x8bG\x02ET / HTTP/1.1" 403 202
>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\bGdET /favicon.ico HTTP/1.1" 403 213
>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xabG\xacET / HTTP/1.1" 403 202
>a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xb2G\tET /favicon.ico HTTP/1.1" 400 226
>
>Testing was performed under a Redhat 6 x86_64 system and no errors were
>obvious in the compilation process.
>
>Thanks.

To add to this, I've tested under four systems; RHEL5 i686/x86_64 and RHEL6 i686/x86_64 where only the 64bit systems are exhibiting the issue. The 32bit systems are fine.
RE: fipslink
LM,

Thanks for jumping in the bus with me :) I haven't had a chance to work through your last email, but was planning to soon. I see you attached your make file also, which I need to try out.

I get very similar errors, but not the same functions. Mine look like:

VED.obj : Error LNK2019: unresolved external symbol _FIPS_hmac_ctx_cleanup referenced in function void __cdecl dofile(struct _iobuf *)" (?dofile@@YAXPAU_iobuif@@@Z)

And similar for:
FIPS_hmac_final
FIPS_hmac_update
FIPS_hmac_init_ex
FIPS_evp_sha1
FIPS_hmac_ctx_init

I'm using fipslink.pl as is and didn't have to modify it. Did you have to modify yours before you called ntdll.mak? It's used in there.

Also, it looks like you are stuck on fips_premain. I don't include that in my makefile directly because fipslink.pl is supposed to do it for me. fips_premain compiles and I don't have any link errors from fips_premain.obj. My equivalent of your @"link.rsp" does not have fips_premain in it. I thought fipslink compiled and linked that for me.

My fipslink.pl dies at "First stage Link Failure" - Line 55, which is the same place you get to.

I can't really copy my make files because they are on a secure system, so I have to type everything here.

Thanks,
-Jon

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Memmott, Lester
Sent: Wednesday, February 06, 2013 11:40 AM
To: openssl-users@openssl.org
Subject: RE: fipslink

Jon,

I’m having trouble with fipslink as well and thought it might help to compare notes.
Issue with 1.0.1d with Apache 2.2.23
I recently upgraded our application to OpenSSL 1.0.1d with FIPS compiled in but disabled, which has always been the case in the past. Our application runs in a browser using Apache 2.2.23 and mod_ssl which is compiled against OpenSSL. Testing has revealed that HTTP requests work fine, however, HTTPS requests throw a 403. The following is exhibited in the access_log

a.b.c.d - - [06/Feb/2013:14:18:39 -0500] "GlET / HTTP/1.1" 403 202
a.b.c.d - - [06/Feb/2013:14:18:41 -0500] "\xf2G:ET /favicon.ico HTTP/1.1" 403 213
a.b.c.d - - [06/Feb/2013:14:32:00 -0500] "GVET / HTTP/1.1" 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\xb3G\xc1ET /favicon.ico HTTP/1.1" 403 213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x1aG\x9eET / HTTP/1.1" 403 202
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "tG\xfcET /favicon.ico HTTP/1.1" 403 213
a.b.c.d - - [06/Feb/2013:14:32:01 -0500] "\x8bG\x02ET / HTTP/1.1" 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\bGdET /favicon.ico HTTP/1.1" 403 213
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xabG\xacET / HTTP/1.1" 403 202
a.b.c.d - - [06/Feb/2013:14:32:02 -0500] "\xb2G\tET /favicon.ico HTTP/1.1" 400 226

Testing was performed under a Redhat 6 x86_64 system and no errors were obvious in the compilation process.

Thanks.
RE: fipslink
Jon,

I’m having trouble with fipslink as well and thought it might help to compare notes. These are the linker errors I’m getting using Visual Studio 2008:

fips_premain.obj : error LNK2001: unresolved external symbol "unsigned char * FIPS_signature" (?FIPS_signature@@3PAEA)
fips_premain.obj : error LNK2001: unresolved external symbol "void const * __cdecl FIPS_text_start(void)" (?FIPS_text_start@@YAPBXXZ)
fips_premain.obj : error LNK2001: unresolved external symbol "unsigned int __cdecl FIPS_incore_fingerprint(unsigned char *,unsigned int)" (?FIPS_incore_fingerprint@@YAIPAEI@Z)

What linker errors do you get?

Below are more details on how I did this using a batch file to setup the environment variables that calls the perl script. Also note that I had to edit fipslink.pl to make it run. I added "perl" to these two lines (about line 57 & 58):

print "perl $fips_premain_dso $fips_target\n";
system("perl $fips_premain_dso $fips_target >$fips_target.sha1");

Thanks,
LM

===
I created this batch file to run the perl script:

@echo off
rem This batch file is intended to build FipsSample.exe in a FIPS enabled fashion.
rem Built the project first in Visual Studio 2008 and then run this as a post build step.
rem See section 5.3.2 "Linking under Windows" of the OpenSSL FIPS User Guide for details about this.
rem http://www.openssl.org/docs/fips/UserGuide-2.0.pdf
rem Note: I think the docs are wrong on a couple of items.
rem It should be FIPS_SHA1_EXE and not PREMAIN_SHA1_EXE.
rem Associated files: link.rsp
@echo on
set FIPSLIB_D=c:\openssl-fips-2.0.2\out32dll
set FIPS_CC=cl
set FIPS_CC_ARGS=/O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /c /Zi /TP
set FIPS_LINK=link
set FIPS_SHA1_EXE=C:\openssl-fips-2.0.2\out32dll\fips_standalone_sha1.exe
rem The following wasn't documented in the user guide but the script tries to use it. msincore seems like the right script, but I'm not sure.
set FIPS_SIG=C:\openssl-fips-2.0.2\util\msincore
rem Not used to compile an EXE: set PREMAIN_DSO_EXE=C:\openssl-1.0.1c\out32dll\fips_premain_dso.exe
set PREMAIN_DSO_EXE=
set FIPS_TARGET=..\Release\FipsSample.exe
perl c:\openssl-fips-2.0.2\util\fipslink.pl @"link.rsp"

===
link.rsp:

/OUT:"C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe"
/INCREMENTAL:NO
/LIBPATH:"C:\openssl-1.0.1c\out32dll"
/MANIFEST
/MANIFESTFILE:"Release\FipsSample.exe.intermediate.manifest"
/MANIFESTUAC:"level='asInvoker' uiAccess='false'"
/DEBUG
/PDB:"c:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.pdb"
/SUBSYSTEM:CONSOLE
/OPT:REF
/OPT:ICF
/LTCG
/DYNAMICBASE
/NXCOMPAT
/MACHINE:X86
libeay32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib
".\Release\FipsSample.obj"
".\Release\stdafx.obj"
".\Release\fips_premain.obj"

===
Build Output:

C:\openssl-TestUtils\FipsSample - Clean\FipsSample>g
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPSLIB_D=c:\openssl-fips-2.0.2\out32dll
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_CC=cl
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_CC_ARGS=/O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /c /Zi /TP
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_LINK=link
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_SHA1_EXE=C:\openssl-fips-2.0.2\out32dll\fips_standalone_sha1.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_SIG=C:\openssl-fips-2.0.2\util\msincore
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>rem Not used to comple an EXE: set PREMAIN_DSO_EXE=C:\openssl-1.0.1c\out32dll\fips_premain_dso.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set PREMAIN_DSO_EXE=
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>set FIPS_TARGET=..\Release\FipsSample.exe
C:\openssl-TestUtils\FipsSample - Clean\FipsSample>perl c:\openssl-fips-2.0.2\util\fipslink.pl @"link.rsp"
Integrity check OK
cl /O2 /Oi /GL /I "C:\openssl-1.0.1c\inc32" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /FD /EHsc /MD /Gy /Fo"Release\\" /Fd"Release\vc90.pdb" /W3 /c /Zi /T P c:\openssl-fips-2.0.2\out32dll/fips_premain.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
fips_premain.c
link @link.rsp
Microsoft (R) Incremental Linker Version 9.00.30729.01
Copyright (C) Microsoft Corporation. All rights reserved.
"/OUT:C:\openssl-TestUtils\FipsSample - Clean\Release\FipsSample.exe"
/INCREMENTAL:NO
"/LIBPATH:C:\openssl-1.0.1c\out32dll"
/MANIFEST
"/MANIFESTFILE:Relea
What server method API should be used to enable TLSv1.2 handshake
Hi all,

I am using openssl1.0.1c. And I want to make my server to use TLSv1.2 handshake. For this what server method API should I use.

For eg..
Like for SSLv3, it is SSLv3_server_method()
For TLSv1.0, it uses TLSv1_server_method().

Similarly, what should be used for TLSv1.2 support. Or is it some other command for this configuration.

Thanks & Regards,
Nayna Jain
RE: Compiling openssl fips in Windows
Jon,

I was able to get the sample from appendix C.1 to compile for me with the following steps:

1. Build the fips module
2. Build openssl with --with-fipslibdir & --with-fipsdir
3. Create a Windows console application in Visual Studio 2008
4. Add the openssl\inc32 folder to the include path
5. Add the openssl\out32dll folder to the linker path
6. Add libeay32.lib to the linker's "Additional Dependencies". Note that this project doesn't use ssl so it doesn't need ssleay32.lib.
7. Compile.

Below are the details from the build. I've noted some failures I'm getting in the tests after I build the fips module and openssl using that module. I'd be interested to know if you get the same.

Hope that helps,
LM

==
Here is how I built the fips module and openssl:

Build the FIPS Module

//Open a Visual Studio 2008 cmd prompt window.
//Note: I was not able to get "ms\do_fips" to build without any command-line params because I seem to be missing the nasm assembler.
//The compiled binaries end up here: C:\openssl-fips-2.0.2\out32dll
c:
cd openssl-fips-2.0.2
ms\do_fips no-asm
nmake -f ms\ntdll.mak test
//The tests fail for me with 'rsa_test' is not recognized as an internal or external command. But I decided the next step was good enough with the test suite that passed.
cd out32dll
fips_test_suite.exe
//The fips_test_suite takes a while to run. I don't remember exactly but I think it was about 10 min.
//***Fix Ups: These steps were needed to get openssl to compile with the fips module I just built so it would find files in the right place
copy inc32\openssl include\openssl
md lib
copy out32dll lib
md bin
copy util bin
copy out32dll bin

Build OpenSSL using the Newly Created FIPS Module

c:
cd openssl-1.0.1c
perl Configure VC-WIN32 no-asm fips --with-fipslibdir=C:\openssl-fips-2.0.2\out32dll --with-fipsdir=C:\openssl-fips-2.0.2
ms\do_ms
nmake -f ms\ntdll.mak clean
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
//Note: In my test it fails with the following:
Curve defined by Weierstrass equation
y^2 = x^3 + a*x + b (mod 0x17)
a = 0x1
b = 0x1
Point is not on curve: x = 0xD, y = 0xA41E
.\crypto\ec\ectest.c:318: ABORT problems.

While the ectest failed, I was able to get other things to work OK so for now we're assuming things built well enough but still checking.

==
Here's the code. I had to tweak a few things to get it to compile:

// FipsSample.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/hmac.h>
#include <openssl/crypto.h>

/*
Sample application using FIPS mode OpenSSL.
This application will qualify as FIPS 140-2 validated when built,
installed, and utilized as described in the "OpenSSL FIPS 140-2
Security Policy" manual.
This command calculates a HMAC-SHA-1 digest of a file or input data
stream using the same arbitrary hard-coded key as the FIPS 140-2
source file build-time integrity checks and runtime executable
file integrity check.
*/
static void dofile(FILE *fp)
{
    HMAC_CTX ctx;
    unsigned char hmac_value[EVP_MAX_MD_SIZE];
    unsigned int hmac_len, i;
    char key[] = "etaonrishdlcupfm";
    unsigned char buf[256];

    /* Initialise context */
    HMAC_CTX_init(&ctx);
    /* Set digest type and key in context */
    if (!HMAC_Init_ex(&ctx, key, strlen(key), EVP_sha1(), NULL))
        exit(5);
    /* Process input stream */
    while(i = fread(buf,sizeof(char),sizeof(buf),fp))
    {
        if(!HMAC_Update(&ctx, buf, i))
            exit(3);
    }
    /* Generate digest */
    if(!HMAC_Final(&ctx, hmac_value, &hmac_len))
        exit(4);
    HMAC_CTX_cleanup(&ctx);
    /* Display digest in hex */
    for(i = 0; i < hmac_len; i++)
        printf("%02x", hmac_value[i]);
    printf("\n");
    return;
}

int _tmain(int argc, _TCHAR* argv[])
{
    char *opt = NULL;
    int verbose = 0;
    int fipsmode = 1;
    FILE *fp = stdin;
    int i;

    /* Process command line arguments */
    i = 0;
    while(++i < argc)
    {
        opt = argv[i];
        if (!strcmp(opt,"-v"))
            verbose = 1;
        else if (!strcmp(opt,"-c"))
            fipsmode = 0;
        else if ('-' == opt[0])
        {
            printf("Usage: %s \n", argv[0]);
            puts("Options:");
            puts("\t-c\tUse non-FIPS mode");
            puts("\t-v\tVerbose output");
            exit(1);
        }
        else
            break;
    }
    /* Enter FIPS mode by default */
    if (fipsmode)
    {
        if(FIPS_mode_set(1))
        {
            fputs("FIPS mode enabled\n",st
Re: Windows certificate store support
Thanks LN for the info. It is really useful.

Regards,
Sreekanth

On Tue, Feb 5, 2013 at 4:35 PM, LN wrote:
>
> Hi,
>
> For access to the windows store, openssl provides the CAPI engine.
>
> I've looked into this recently, because I needed the same support for
> loading server side certificates with CAPI engine, but unfortunately, I
> learned that there is no support for this in an official release of openssl
> (I still hope I'm wrong :) ).
> There is a patch for this on the openssl dev list:
> http://rt.openssl.org/Ticket/Display.html?id=2463&user=guest&pass=guest
>
> Anyway, as I said, I don't think that this code got into an official
> release...
>
> Regards!
>
> --
> *From:* Sreekanth Sukumaran
> *To:* openssl-users@openssl.org
> *Sent:* Tuesday, February 5, 2013 11:56 AM
> *Subject:* Windows certificate store support
>
> Hi,
>
> I am new to openssl and am faced with the following dilemma.
>
> A server application needs to read certificates and private keys from the
> windows certificate store for establishing SSL connection with the clients.
>
> Can anyone tell whether openssl supports/ have interfaces for accessing
> certificates from windows certificate store?
>
> --
> Regards,
> Sreekanth
>

--
Regards,
Sreekanth
09036794524