Does OpenSSL include Intel AES-NI-GCM?
Hi all,

I'm reading a paper from Intel that mentions an AES-NI-GCM implementation within the Linux kernel cryptographic framework using the new instructions (PCLMULQDQ and AES-NI). As I know, AES-NI is already included in 1.0.1, so what about AES-NI-GCM?

The paper is here: http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/aes-ipsec-performance-linux-paper.pdf

Regards,
Kane
RE: x509 certificate conforming to RFC 3739
Hi Walter,

I hope this helps.

Steve

# OID alias, in the section named by oid_section
id-pda-dateOfBirth = 1.3.6.1.5.5.7.9.1

[ subjectDirAttrib_sec ]
# one Attribute: SEQUENCE { type OID, values SET OF AttributeValue }
1.3.6.1.5.5.7.9.1 = SEQUENCE:dateOfBirth_sec   # id-pda-dateOfBirth

[ dateOfBirth_sec ]
id-pda-dateOfBirth.name  = OID:id-pda-dateOfBirth
id-pda-dateOfBirth.value = SET:dateOfBirth_val

[ dateOfBirth_val ]
# the value is emitted as GeneralizedTime, not PrintableString
id-pda-dateOfBirth.value = GENERALIZEDTIME:19870427092500Z

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Sunday, February 17, 2013 9:07 PM
To: openssl-users@openssl.org
Subject: Re: x509 certificate conforming to RFC 3739

On 15.02.2013 07:42, Walter H. wrote:
> On Fri, February 15, 2013 07:07, Matthew Hall wrote:
>> On Fri, Feb 15, 2013 at 07:03:20AM +0100, Walter H. wrote:
>>> Hello,
>>> can someone please tell me how to generate a certificate that conforms to http://www.ietf.org/rfc/rfc3739.txt (RFC 3739)?
>>> Thanks, Walter
>> Hi Walter,
>> We could help better if we understood what's not working for you and what you tried already.
>> Regards, Matthew.
> Hello,
> Section C.1.1.1, "The subjectDirectoryAttributes Extension", shows this:
>   { type id-pda-dateOfBirth, values { GeneralizedTime : 197110141200Z } },
> How do I get an attribute as GeneralizedTime instead of PrintableString?
> Thanks, Walter

Nobody?

Thanks,
Walter
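An added example, not part of the thread and not OpenSSL's own code: the C program below hand-encodes the DER that the openssl.cnf fragment above produces once it is wired into the extensions section as subjectDirectoryAttributes = ASN1:SEQUENCE:subjectDirAttrib_sec (that directive is assumed, it is not in Steve's snippet). subjectDirectoryAttributes is a SEQUENCE OF Attribute, and each Attribute is SEQUENCE { type OID, values SET OF value }, so the encoder builds exactly those four layers around one GeneralizedTime. It needs no OpenSSL; the point is to have a known-good byte string to compare against `openssl asn1parse -in cert.pem -i` on a certificate generated from the config.

```c
/* Added example: DER for subjectDirectoryAttributes holding one
 * id-pda-dateOfBirth attribute with a GeneralizedTime value.
 * Pure C99, no OpenSSL dependency. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DER_SEQUENCE 0x30
#define DER_SET      0x31
#define DER_OID      0x06
#define DER_GENTIME  0x18

/* Write a DER length (short form below 128, long form above). Returns bytes written. */
static size_t der_len(uint8_t *out, size_t len) {
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    size_t n = 0;
    for (size_t t = len; t; t >>= 8) n++;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* Emit tag || length || content. out must not alias content. Returns total bytes. */
static size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *content, size_t len) {
    out[0] = tag;
    size_t n = 1 + der_len(out + 1, len);
    memcpy(out + n, content, len);
    return n + len;
}

/* OID from dotted arcs: first two arcs packed as 40*a0 + a1, the rest base-128
 * with the high bit set on every byte but the last of each arc. */
static size_t der_oid(uint8_t *out, const unsigned *arcs, size_t n_arcs) {
    uint8_t body[64];
    size_t len = 0;
    body[len++] = (uint8_t)(40 * arcs[0] + arcs[1]);
    for (size_t i = 2; i < n_arcs; i++) {
        unsigned v = arcs[i];
        uint8_t tmp[5];
        int k = 0;
        do { tmp[k++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v);
        while (k--) body[len++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0x00));
    }
    return der_tlv(out, DER_OID, body, len);
}

/* subjectDirectoryAttributes ::= SEQUENCE OF Attribute
 * Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF AttributeValue }
 * Encodes a single id-pda-dateOfBirth attribute whose value is `gentime`. */
size_t encode_date_of_birth_attrs(uint8_t *out, const char *gentime) {
    static const unsigned id_pda_dateOfBirth[] = {1, 3, 6, 1, 5, 5, 7, 9, 1};
    uint8_t oid[16], gt[32], set[40], attr_body[64], attr[72];
    size_t oid_len = der_oid(oid, id_pda_dateOfBirth, 9);
    size_t gt_len  = der_tlv(gt, DER_GENTIME, (const uint8_t *)gentime, strlen(gentime));
    size_t set_len = der_tlv(set, DER_SET, gt, gt_len);
    memcpy(attr_body, oid, oid_len);
    memcpy(attr_body + oid_len, set, set_len);
    size_t attr_len = der_tlv(attr, DER_SEQUENCE, attr_body, oid_len + set_len);
    return der_tlv(out, DER_SEQUENCE, attr, attr_len);
}

int main(void) {
    uint8_t der[128];
    size_t n = encode_date_of_birth_attrs(der, "19870427092500Z");
    for (size_t i = 0; i < n; i++) printf("%02X", der[i]);
    printf("  (%zu bytes)\n", n);
    return 0;
}
```

The hex the program prints is what the extension's OCTET STRING payload should contain; if asn1parse shows a PRINTABLESTRING (tag 0x13) where this shows GENERALIZEDTIME (tag 0x18), the config is still emitting the wrong type.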
Re: openssl_private_encrypt crashes browser after 10 seconds
I had the same problem as you, and I've done the same thing as you to resolve it, but after that, as I mentioned, my Apache server cannot run. Is there any other way to solve this problem?
Re: check certificate chain in a pem file
Hi Jakob,

My doubt is like this. I have a .pem file, say chain.pem:

chain.pem == server certificate -> intermediate CA certificate -> self-signed root certificate

Now I am writing the code in C using OpenSSL APIs to verify this chain (chain.pem).

filename == chain.pem

Currently I am doing it like this:

SSL_CTX *sslctx = NULL;
STACK_OF(X509) *ca_stack = NULL;
sslctx = SSL_CTX_new(SSLv23_server_method());
BIO_new(BIO_s_file_internal());
x = PEM_read_bio_X509
store = X509_STORE_new
vrfy_ctx = X509_STORE_CTX_new();
SSL_CTX_use_certificate_chain_file(sslctx, filename)
ca_stack = sslctx->extra_certs
X509_STORE_CTX_init(vrfy_ctx, NULL, x, ca_stack)
X509_verify_cert(vrfy_ctx)

I am seeing an error while doing this. Am I doing everything right? Or please let me know how I can verify my chain.pem.
Re: Need help with Windows and FIPS enabled OpenSSL libs
I wondered about that. I saw several mentions about that.
Re: Need help with Windows and FIPS enabled OpenSSL libs
Does the same apply to DLLs? I'm planning on using OpenSSL+FIPS in a DLL that gets loaded either by other DLLs or directly from an application as a support DLL (the app won't be known, as we're doing a DLL to be used by other vendors).
Syntax in extension section of openssl.cnf
Hello,

I have the following:

---
name = ASN1:SEQUENCE:section

[ section ]
value.1 = XXX:text
---

What is possible to have instead of XXX?

Thanks,
Walter
Re: [openssl-users] Syntax in extension section of openssl.cnf
man asn1parse
man ASN1_generate_nconf

That should give you some bootstrap information.

--
Erwann ABALEA - tridécatabulophobie: fear of being thirteen at a table

On 28/02/2013 11:16, Walter H. wrote:
> Hello,
> I have the following:
> ---
> name = ASN1:SEQUENCE:section
> [ section ]
> value.1 = XXX:text
> ---
> What is possible to have instead of XXX?
> Thanks, Walter
Re: Need help with Windows and FIPS enabled OpenSSL libs
On Wed, Feb 27, 2013, Glenn Smith wrote:
> Does the same apply to DLLs? I'm planning on using OpenSSL+FIPS in a DLL that gets loaded either by other DLLs or directly from an application as a support DLL (the app won't be known, as we're doing a DLL to be used by other vendors).

Since you haven't quoted any context it's not clear what "the same" means. I'll assume you mean the FIPS signature referred to in this thread.

If the DLL ends up linking in fipscanister.lib then yes, it needs to include the signature. That will happen if you link against the static versions of OpenSSL.

If the DLL just links to the FIPS capable OpenSSL DLL (libeay32.dll) then it won't embed a signature, as fipscanister.lib is linked into libeay32.dll and the build process automatically includes the signature.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
how to disable
BH

Hi All,

I'm trying to pass a PCI scan. I'm on Ubuntu 12.04 LTS server and Nginx. I've tried everything I know and did a lot of research... apparently it seems that I need to disable a setting in OpenSSL which I can't find how to do.

This is the result of the scan:

SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
www (443/tcp)
CVSS Score: Medium 4.3
Fail
CVE-2011-3389

and this is the suggested fix:

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.

I don't know how to do this, please help.

Note: TLSv1.1 and TLSv1.2 are not supported. I upgraded to the latest versions of everything (Ubuntu, nginx and openssl), which I read takes care of those TLS versions not being supported by default. But I'm getting the exact same report from the scan.

--
Chaimy
786.277.8760
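An added example, not part of the post and not from the nginx documentation: the server block below shows the setting the scanner objects to next to the corrected one. Certificate paths and the server name are placeholders. CVE-2011-3389 (BEAST) needs a CBC suite under SSLv3/TLS 1.0; restricting the protocol list is the scanner's first remedy, and it is the one that can be expressed in nginx.conf.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                           # placeholder
    ssl_certificate     /etc/nginx/ssl/example.crt;    # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/example.key;

    # What the scanner flags: SSLv3 and TLS 1.0 stay negotiable, so a CBC
    # suite under TLS 1.0 is reachable and the BEAST finding stands.
    # ssl_protocols SSLv3 TLSv1;

    # Corrected: offer TLS 1.1/1.2 only, let the server (not the client)
    # decide the suite order, and keep anonymous, MD5 and RC4 suites out.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
}
```

Two checks before re-running the scan. `nginx -V` prints the OpenSSL version nginx was built against; the TLSv1.1 and TLSv1.2 tokens only take effect when that is 1.0.1 or later, which is the likely reason the note above says they are "not supported" even after upgrading. Then `openssl s_client -connect host:443 -tls1` should fail to complete a handshake while `-tls1_1` succeeds. Two caveats on the scanner's other suggestions: nginx sets SSL_OP_ALL on its contexts, and that option includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, so the empty-fragment countermeasure it mentions is not available under nginx; and "cipher suites that do not use block ciphers" meant RC4 in 2013, which has since been prohibited in TLS (RFC 7465), so the protocol restriction is the fix to rely on.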
Re: [openssl-users] Syntax in extension section of openssl.cnf
Thanks,
Walter

On 28.02.2013 12:03, Erwann Abalea wrote:
> man asn1parse
> man ASN1_generate_nconf
>
> That should give you some bootstrap information.
>
> --
> Erwann ABALEA - tridécatabulophobie: fear of being thirteen at a table
>
> On 28/02/2013 11:16, Walter H. wrote:
>> Hello,
>> I have the following:
>> ---
>> name = ASN1:SEQUENCE:section
>> [ section ]
>> value.1 = XXX:text
>> ---
>> What is possible to have instead of XXX?
>> Thanks, Walter
Re: aesni usage in C
On Thu, Feb 28, 2013, John-Alan Simmons wrote:
> I am trying to implement AES encryption via OpenSSL using C, and can't figure out how to use the AES-NI hardware acceleration. I have already confirmed my processor can use it; any help would be great.

If you use the EVP interface AES-NI is automatically used on supported platforms.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
TLS ClientHello v3.3 not supported by all servers
They just reset the connection upon reception of the message. This is a new behavior in version 1.0.1e; 1.0.1d, which was sending ClientHello v3.2, was fine.

How to reproduce:

openssl s_client -connect aur.archlinux.org:443
ongoing fingerprint does not match issues
Comparing printed debug values that I put into the incore script, it looks like our compiler is putting the signature somewhere between FIPS_rodata_start and FIPS_rodata_end, resulting in the "fingerprint does not match" segment aliasing error. I can get around this by removing the -fPIC option from the Configure files (both fips and base), but then I get the straight "fingerprint does not match" error. Is this because I changed the Configure file in openssl-fips-2.0?

It also seems incore is incorrectly calculating the location of FIPS_signature: it's out by 65536. Compensating for it in the incore script (I simply add 65536), however, doesn't appear to make any difference.

Any advice, anyone?

TJ.
Re: TLS ClientHello v3.3 not supported by all servers
Olivier,

The command line you provided just worked fine on my box, on which a fresh openssl-1.0.1e is installed.

On Fri, Mar 1, 2013 at 7:31 AM, LANGLOIS Olivier PIS -EXT <olivier.pis.langl...@transport.alstom.com> wrote:
> They just reset the connection upon reception of the message. This is a new behavior in version 1.0.1e; 1.0.1d, which was sending ClientHello v3.2, was fine.
>
> How to reproduce:
>
> openssl s_client -connect aur.archlinux.org:443

--
Regards,
Huang Le (Eric, Alibaba DevOps)
Email: 4tarhl AT gmail.com, le.hl AT alibaba-inc.com
Identifying length of decrypted data.
Hi,

I am using the AES_cbc_encrypt() API to perform symmetric decryption. But in one of the scenarios I see that the encrypted data is 16 bytes, but just 1 byte is useful and 15 bytes are padding. Is there some way I can know the actual encrypted data length?

I came across some pointers like using the EVP APIs, but I need to avoid using the EVP APIs as there are locking callbacks and malloc()s involved, which I have to avoid as my application is performance critical. Also, the data I am decrypting is HTTPS packets, so I cannot manipulate the encrypted data (to mention the length in the data, and then encrypt it).

Any advice on this will be appreciated.

--
Thanks,
Nilesh
Re: Identifying length of decrypted data.
On 3/1/2013 7:24 AM, Tayade, Nilesh wrote:
> Hi,
> I am using the AES_cbc_encrypt() API to perform symmetric decryption. But in one of the scenarios I see that the encrypted data is 16 bytes, but just 1 byte is useful and 15 bytes are padding. Is there some way I can know the actual encrypted data length?
> I came across some pointers like using the EVP APIs, but I need to avoid using the EVP APIs as there are locking callbacks and malloc()s involved, which I have to avoid as my application is performance critical. Also, the data I am decrypting is HTTPS packets, so I cannot manipulate the encrypted data (to mention the length in the data, and then encrypt it).
> Any advice on this will be appreciated.

Please refer to the TLS RFCs (there are different RFCs depending on protocol version and encryption algorithm). Each one specifies in detail how to recover the length from the encrypted data.

You also need to read the research document linked from the latest OpenSSL security advisory, as it describes security critical changes to the information in the RFCs about how to recover the length without creating a security hole (fundamentally, you need to make sure you take exactly the same number of CPU cycles to process a given number of encrypted bytes, regardless of the recovered length or decryption failures).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
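An added example, not part of the thread and not OpenSSL's own code, of the length-recovery step Jakob describes. After CBC decryption and IV removal a TLS 1.1/1.2 record is content || MAC || padding || padding_length, with every padding byte equal to padding_length (RFC 5246, 6.2.3.2). The naive version reads the last byte and checks that many bytes; the time it takes then depends on the padding, which is the side channel the research document referred to above (Lucky Thirteen, linked from the February 2013 advisory for CVE-2013-0169) exploits. The routine below instead reads a fixed window at the end of the record and folds the validity into a mask, so the bytes touched and the work done do not depend on the recovered length. It is pure C99 with no dependencies; the MAC bytes in the helper are a stand-in, since only the length logic is under discussion.

```c
/* Added example: constant-time recovery of the content length from a
 * decrypted TLS 1.1/1.2 CBC record (content || MAC || pad || pad_len). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mask helpers: all-ones or all-zeros, no data-dependent branches.
 * Operands are record lengths, so always far below 2^31. */
static uint32_t ct_is_zero_mask(uint32_t x) {         /* 0xFFFFFFFF iff x == 0 */
    return ~(0u - ((x | (0u - x)) >> 31));
}
static uint32_t ct_lt_mask(uint32_t a, uint32_t b) {  /* 0xFFFFFFFF iff a < b */
    return 0u - ((a - b) >> 31);
}
static uint32_t ct_ge_mask(uint32_t a, uint32_t b) {  /* 0xFFFFFFFF iff a >= b */
    return ~ct_lt_mask(a, b);
}

/* Returns the content length (record minus MAC, padding and length byte),
 * or -1 if the padding is malformed. The same bytes are read the same
 * number of times whatever the padding byte claims. */
int tls_cbc_recover_length(const uint8_t *rec, size_t rec_len, size_t mac_len) {
    if (rec_len < mac_len + 1)        /* rec_len is public, so this branch leaks nothing */
        return -1;
    uint32_t pad  = rec[rec_len - 1];
    uint32_t good = ct_ge_mask((uint32_t)rec_len, pad + 1 + (uint32_t)mac_len);

    /* Padding is at most 255 bytes, so a 256-byte window above the length
     * byte (or the whole record, if shorter) always covers it. */
    size_t window = rec_len - 1 < 256 ? rec_len - 1 : 256;
    for (size_t i = 0; i < window; i++) {
        uint32_t b = rec[rec_len - 2 - i];
        uint32_t in_pad = ct_lt_mask((uint32_t)i, pad);   /* does position i belong to the padding? */
        good &= ~in_pad | ct_is_zero_mask(b ^ pad);        /* if so, it must equal pad */
    }
    uint32_t len = (uint32_t)rec_len - 1 - pad - (uint32_t)mac_len;  /* meaningless when !good */
    return (int)((len & good) | (0xFFFFFFFFu & ~good));             /* select len or -1 by mask */
}

/* Build a record the way a sender would: content, stand-in MAC bytes, then
 * RFC 5246 padding up to a multiple of block_size. Returns the record length. */
size_t tls_cbc_build_record(uint8_t *out, const uint8_t *content, size_t clen,
                            size_t mac_len, size_t block_size) {
    memcpy(out, content, clen);
    memset(out + clen, 0xAA, mac_len);                    /* constructed MAC placeholder */
    size_t used = clen + mac_len;
    size_t pad = block_size - 1 - (used % block_size);    /* 0 .. block_size-1 */
    memset(out + used, (int)pad, pad + 1);                /* pad bytes plus the length byte */
    return used + pad + 1;
}

int main(void) {
    uint8_t rec[64];
    /* One content byte with a 20-byte (SHA-1 sized) MAC: 32-byte record, 10 pad bytes. */
    size_t n = tls_cbc_build_record(rec, (const uint8_t *)"A", 1, 20, 16);
    printf("record %zu bytes, content length %d\n", n, tls_cbc_recover_length(rec, n, 20));
    rec[n - 5] ^= 0x01;                                   /* corrupt one padding byte */
    printf("after corruption: %d\n", tls_cbc_recover_length(rec, n, 20));
    /* With mac_len 0 this is plain block-padding recovery: 1 useful byte, 15 padding. */
    size_t m = tls_cbc_build_record(rec, (const uint8_t *)"A", 1, 0, 16);
    printf("16-byte block: content length %d\n", tls_cbc_recover_length(rec, m, 0));
    return 0;
}
```

This is only the padding step. The complete mitigation in OpenSSL 1.0.1e also makes the MAC check independent of the recovered length (the record is hashed as if the padding were minimal, in ssl3_cbc_digest_record), and the caller must reject the record on -1 with the same alert and the same timing as on a bad MAC. Reproducing that correctly on top of raw AES_cbc_encrypt() is considerably more work than the EVP and SSL layers already do, which is the practical argument against bypassing them for HTTPS traffic.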