Re: SSL / SMTP
On 16/04/2013 15:11, Joan Moreau wrote:

> Hi,
>
> Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:
>
> 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>
> while the postfix system has worked since ages. I went back to the old kernel, but the error persists.
>
> Do you have a hint ?
>
> Thank you
> Joan

Actually, the complete log error is the following:

2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]: initializing the server-side TLS engine
2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]: connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]: setting up TLS connection from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]: wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]: SSL_accept:before/accept initialization
2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client hello A
2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server hello A
2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write certificate A
2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write key exchange A
2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server done A
2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 flush data
2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client key exchange A
2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]: SSL_accept error from wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]

Can you help ?

Thank you

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
AW: CRYPTO_malloc (num=12, file=0x81e3ba9 lhash.c, line=193) at mem.c:308
I got it, it was my fault, using dmalloc shows:

27 (ERROR_OVER_FENCE) failed OVER picket-fence magic-number check

It was a malloc(sizen) and a strncpy(... sizen) ... ;(

Surprisingly this results in an error many mallocs later.

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de

From: Elgert, Alexander
Sent: Tuesday, 16 April 2013 01:32
To: openssl-users@openssl.org
Subject: CRYPTO_malloc (num=12, file=0x81e3ba9 lhash.c, line=193) at mem.c:308

Hello,

I got a SIGSEGV while running openssl 1.0.1c under (uname -a:) SunOS 5.10 Generic_147441-01 i86pc i386 i86pc while other OSses like AIX, HP-UX, Linux run fine.

Any suggestions / explanations would be welcome.

gdb Output is:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1 (LWP 1)]
0xfed45b8e in _smalloc () from /lib/libc.so.1
(gdb) bt
#0 0xfed45b8e in _smalloc () from /lib/libc.so.1
#1 0xfed45db5 in _malloc_unlocked () from /lib/libc.so.1
#2 0xfed45bdc in malloc () from /lib/libc.so.1
#3 0x080f7ac4 in CRYPTO_malloc (num=12, file=0x81e3ba9 lhash.c, line=193) at mem.c:308
#4 0x08119f50 in lh_insert (lh=0x8228038, data=0x82248f0) at lhash.c:193
#5 0x0811adca in int_err_set_item (d=0x82248f0) at err.c:407
#6 0x0811b406 in ERR_load_ERR_strings () at err.c:676
#7 0x0811b541 in ERR_load_strings (lib=128, str=0x821fb80) at err.c:683
#8 0x0815072e in ENGINE_load_4758cca () at e_4758cca_err.c:122
#9 0x0811295b in ENGINE_load_builtin_engines () at eng_all.c:86
#10 0x0809f2eb in Curl_ossl_init ()
#11 0x0808b6ff in curl_global_init ()
#12 0x0808757a in download_url ()
#13 0x08085f9d in main__download ()
#14 0x08086325 in main ()

Thanks in advance,
Alexander

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de
Re: SSL / SMTP
On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:

> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help ?

No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.

You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.

--
Viktor.
Re: SSL / SMTP
On 17/04/2013 14:18, Viktor Dukhovni wrote:

> On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:
>
>> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>>
>> Can you help ?
>
> No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
>
> You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.

Please Viktor, I don't need your insults and mis-behaving and lack of politeness.

My system is not messed up, I have thousands of people working with since ages.

Now, I'll appreciate very much some help instead of those useless attacks.

Thank you
Re: SSL / SMTP
On Wed, Apr 17, 2013 at 04:40:55PM +, Joan Moreau wrote:

>> No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
>>
>> You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.
>
> Please Viktor, I don't need your insults and mis-behaving and lack of politeness.

I did my best to help you. Your best way forward is to install Postfix on a server that is in a known working state (not messed-up, whatever, ...).

You don't have an OpenSSL problem, you already demonstrated this in the Postfix list thread, where s_client and s_server worked fine. You have a problem with Postfix in an environment whose integrity is strongly suspect, and where Postfix links to a libssl whose calls into libcrypto fail to find any supported digest algorithms, despite apparent correctness of header files, library versions, ...

All the easy causes have been ruled out. You can continue to waste time and hope for a miracle, or you can do the right thing and build a working system, where you either use the bundled Postfix, or compile Postfix from source against the default system OpenSSL library.

Over and out.

--
Viktor.
Re: [openssl-users] Re: SSL / SMTP
On 17/04/2013 18:40, Joan Moreau wrote:

> On 17/04/2013 14:18, Viktor Dukhovni wrote:
>
>> On Wed, Apr 17, 2013 at 07:24:23AM +, Joan Moreau wrote:
>>
>>> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>>> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>>>
>>> Can you help ?
>>
>> No. Install a fresh O/S image on new hardware and use that as your mail server. If a fresh install with the default Postfix for the O/S does not work, come back to the Postfix-users list for help.
>>
>> You've already consumed a lot of cycles on the Postfix-users list. Now you are trying the openssl-users list without referencing the prior long thread which shows your system to be messed up.
>
> Please Viktor, I don't need your insults and mis-behaving and lack of politeness.
>
> My system is not messed up, I have thousands of people working with since ages.
>
> Now, I'll appreciate very much some help instead of those useless attacks.

Reading the mentioned postfix-users thread, it seems Viktor is right, you messed up with your server, compiling and installing your own cutting-edge kernels and binaries, without using a package manager, on a production server.

You may try to locate the libraries that have been used during compilation, and the ones that are used by your running postfix, and compare them. The first answer is to be found somewhere in the compilation logs, the answer to the second question can be found running the following:

ps faux | grep postfix | awk '{ print $2 }' | xargs -L 1 lsof -p | grep -E 'libcrypto|libssl'

considering that your postfix binary runs under the identity postfix, and that you're root (or add a sudo before xargs).

I don't think it's a SHA2 error, as I'm rejected by your server when I contact it with RC4-SHA (something that is permitted by your ciphersuite string).
Re: SSL / SMTP
On Wed, Apr 17, 2013, Joan Moreau wrote:

> On 16/04/2013 15:11, Joan Moreau wrote:
>
>> Hi,
>>
>> Since I upgraded my kernel (and rebuilt openssl), I get the following errors in Postfix:
>>
>> 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
>> 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS library problem: 3308:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
>>
>> while the postfix system has worked since ages. I went back to the old kernel, but the error persists.
>>
>> Do you have a hint ?
>>
>> Thank you
>> Joan
>
> Actually, the complete log error is the following:
>
> 2013-04-17T09:17:14.283129+02:00 server postfix/smtpd[16725]: initializing the server-side TLS engine
> 2013-04-17T09:17:14.383298+02:00 server postfix/smtpd[16725]: connect from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383313+02:00 server postfix/smtpd[16725]: setting up TLS connection from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
> 2013-04-17T09:17:14.383382+02:00 server postfix/smtpd[16725]: wana-25-254-12-196.wanamaroc.com[196.12.254.25]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
> 2013-04-17T09:17:14.383617+02:00 server postfix/smtpd[16725]: SSL_accept:before/accept initialization
> 2013-04-17T09:17:14.383702+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client hello A
> 2013-04-17T09:17:14.383710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server hello A
> 2013-04-17T09:17:14.383712+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write certificate A
> 2013-04-17T09:17:14.385694+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write key exchange A
> 2013-04-17T09:17:14.385710+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 write server done A
> 2013-04-17T09:17:14.385720+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 flush data
> 2013-04-17T09:17:36.573635+02:00 server postfix/smtpd[16725]: SSL_accept:SSLv3 read client key exchange A
> 2013-04-17T09:17:36.573659+02:00 server postfix/smtpd[16725]: SSL_accept:error in SSLv3 read certificate verify A
> 2013-04-17T09:17:36.573665+02:00 server postfix/smtpd[16725]: SSL_accept error from wana-25-254-12-196.wanamaroc.com[196.12.254.25]: -1
> 2013-04-17T09:17:36.573670+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
> 2013-04-17T09:17:36.573675+02:00 server postfix/smtpd[16725]: warning: TLS library problem: 16725:error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:
> 2013-04-17T09:17:36.573971+02:00 server postfix/smtpd[16725]: lost connection after CONNECT from wana-25-254-12-196.wanamaroc.com[196.12.254.25]
>
> Can you help ?

This is presumably OpenSSL 1.0.1. Do you get that error when connecting with TLS 1.2 only or for TLS 1.1 or earlier?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
BN_num_bits segv fault
Hi All,

I am in the process of upgrading from 0.9.8 to 1.0.1e - hence I requested some info earlier, Thanks a ton for all the wonderful answers (didn't want to spam by just sending a Thank You note).

Working on Ubuntu 12.04, 32 bit I am facing this issue with curl-7.29.0 (for that matter all curl versions I tried, including latest). BN_num_bits gives a segmentation fault. Here's the partial stack trace:

#0 0xb7438ed8 in BN_num_bits () from /build/toolchain/lin32/openssl-1.0.1e-1/lib/libcrypto.so.1.0.1
#1 0xb751ed9b in ?? () from /build/toolchain/lin32/openssl-1.0.1e-1/lib/libcrypto.so.1.0.1
#2 0x08108748 in ossl_connect_common ()
#3 0x080f117f in Curl_ssl_connect_nonblocking ()
#4 0x080f743f in https_connecting ()
#5 0x080fd399 in Curl_protocol_connecting ()
#6 0x080edb1b in multi_runsingle ()
#7 0x080eed45 in multi_socket ()
#8 0x080eee21 in curl_multi_socket_action ()

Has anyone come across this? Any known solutions? I did note that in 0.9.8 BN_num_bits was a function and now in 1.0.1e it's a macro - could it be issue!

Thank You in advance.

--Gopu
Re: AW: CRYPTO_malloc (num=12, file=0x81e3ba9 lhash.c, line=193) at mem.c:308
On 4/17/2013 3:58 PM, alexander.elg...@external.t-systems.com wrote:

> I got it, it was my fault, using dmalloc shows:
>
> 27 (ERROR_OVER_FENCE) failed OVER picket-fence magic-number check
>
> It was a malloc(sizen) and a strncpy(... sizen) ... ;(
>
> Surprisingly this results in an error many mallocs later.

This is common for heap corruption errors, because production heap implementations (not debug heaps) usually store the information about each used/free area of memory close to that area for speed, and thus overwriting that information has no effect until the heap happens to be looking at that location during an unrelated heap operation much later. If it doesn't crash then, the damage gets even worse as the heap gets confused and does wrong things.

As a rule of thumb, whenever you see a crash in malloc/free/realloc etc., it is usually due to earlier corruption, not the current stack.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
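Added example, not part of the original messages and not dmalloc's code: a minimal picket-fence allocator in C that illustrates the check reported above and why a debug heap flags the overrun at the block itself rather than many mallocs later. The function names, the fence bytes and the exact form of the bug (a terminator stored at index sizen after the strncpy) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN   16   /* room for the stored size; keeps user data aligned */
#define FENCE_LEN 8
static const unsigned char FENCE[FENCE_LEN] =
    { 0xFA, 0xCE, 0xFA, 0xCE, 0xFA, 0xCE, 0xFA, 0xCE };

/* Block layout: [size + padding][n user bytes][FENCE]. */
void *fence_malloc(size_t n)
{
    unsigned char *raw = malloc(HDR_LEN + n + FENCE_LEN);
    if (raw == NULL)
        return NULL;
    memcpy(raw, &n, sizeof n);
    memcpy(raw + HDR_LEN + n, FENCE, FENCE_LEN);
    return raw + HDR_LEN;
}

/* 1 if the fence behind the user area is untouched, 0 if it was overwritten. */
int fence_intact(const void *p)
{
    const unsigned char *user = p;
    size_t n;
    memcpy(&n, user - HDR_LEN, sizeof n);
    return memcmp(user + n, FENCE, FENCE_LEN) == 0;
}

void fence_free(void *p)
{
    if (p != NULL)
        free((unsigned char *)p - HDR_LEN);
}

/* Assumed form of the bug: sizen bytes allocated, sizen bytes copied,
 * then a terminator stored at index sizen, one byte past the user area. */
int copy_off_by_one(const char *src, size_t sizen)
{
    char *dst = fence_malloc(sizen);
    if (dst == NULL)
        return -1;
    strncpy(dst, src, sizen);
    dst[sizen] = '\0';            /* lands on the first fence byte */
    int ok = fence_intact(dst);   /* caught here, at the damaged block */
    fence_free(dst);
    return ok;
}

/* Corrected form: allocate room for the terminator as well. */
int copy_fixed(const char *src, size_t sizen)
{
    char *dst = fence_malloc(sizen + 1);
    if (dst == NULL)
        return -1;
    memcpy(dst, src, sizen);
    dst[sizen] = '\0';
    int ok = fence_intact(dst);
    fence_free(dst);
    return ok;
}

int main(void)
{
    const char *name = "lhash.c";   /* constructed sample input */
    printf("off-by-one: fence intact = %d\n", copy_off_by_one(name, strlen(name)));
    printf("fixed:      fence intact = %d\n", copy_fixed(name, strlen(name)));
    return 0;
}
```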
Re: BN_num_bits segv fault
On 4/17/2013 9:48 PM, Gopakumar Pillai wrote:

> Hi All,
>
> I am in the process of upgrading from 0.9.8 to 1.0.1e – hence I requested some info earlier, Thanks a ton for all the wonderful answers (didn’t want to spam by just sending a Thank You note).
>
> Working on Ubuntu 12.04, 32 bit I am facing this issue with curl-7.29.0 (for that matter all curl versions I tried, including latest). BN_num_bits gives a segmentation fault. Here’s the partial stack trace:

Did you remember to recompile curl against your new OpenSSL 1.0.1e headers, not some old 0.9.8 headers?

> ...
>
> Has anyone come across this? Any known solutions? I did note that in 0.9.8 BN_num_bits was a function and now in 1.0.1e it’s a macro – could it be issue!

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
RE: BN_num_bits segv fault
Yes Jakob, it's compiled against openssl-1.0.1e (and also zlib-1.2.3.4 and c-ares-1.9.1)

--Gopu

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm
Sent: Wednesday, April 17, 2013 3:03 PM
To: openssl-users@openssl.org
Subject: Re: BN_num_bits segv fault

On 4/17/2013 9:48 PM, Gopakumar Pillai wrote:

> Hi All,
>
> I am in the process of upgrading from 0.9.8 to 1.0.1e - hence I requested some info earlier, Thanks a ton for all the wonderful answers (didn't want to spam by just sending a Thank You note).
>
> Working on Ubuntu 12.04, 32 bit I am facing this issue with curl-7.29.0 (for that matter all curl versions I tried, including latest). BN_num_bits gives a segmentation fault. Here's the partial stack trace:

Did you remember to recompile curl against your new OpenSSL 1.0.1e headers, not some old 0.9.8 headers?

> ...
>
> Has anyone come across this? Any known solutions? I did note that in 0.9.8 BN_num_bits was a function and now in 1.0.1e it's a macro - could it be issue!

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Using libcrypto's RSA code
On 4/16/2013 10:28 PM, Dave Thompson wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Zach
>> Sent: Tuesday, 16 April, 2013 15:55
>>
>> I'm still getting an error when trying to read this key using the BIO interface:
>>
>> Error: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
>
> ...
>
> The body part of your string (between BEGIN line and END line) must have newlines -- actual newlines in the data \n not discarded source linebreaks \(EOL) -- at intervals of no more than 76 characters.

This sounds like a gross violation of the Postel principle.

The /only/ reason for the mention of any maximum line length in the Base64 specs is to accommodate ancient 7-bit ASCII only mail servers with artificial Hollerith punched card like line length limitations. Adding those line feeds may also be useful in some human-viewed files, such as the output of openssl x509 -text.

No sane Base64 decoder should care. But the code in crypto/evp/bio_b64.c seems to be stupidly line oriented with small line buffers in an overcomplicated state, when a streaming Base64 encoder/decoder should be able to get away with a few unsigned ints and a state machine.

> (The normal output from PEM_write and thus most commandline utilities is intervals of 64 characters, which is usually convenient. I observe you've broken your lines above at 63 for some reason.)
>
> ...

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
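Added example, not part of the thread and not OpenSSL code: a streaming Base64 decoder of the kind described above, holding its whole state in four unsigned ints and ignoring line structure, so a body wrapped at 64, 76 or any other width decodes the same as an unwrapped one. The names b64_stream, b64_update, b64_final and b64_decode_chunked are made up for this example, and padding is checked strictly.

```c
#include <stdio.h>
#include <string.h>

/* Entire decoder state: four unsigned ints, no line buffer. */
typedef struct {
    unsigned int acc;    /* bits not yet emitted */
    unsigned int nbits;  /* number of bits held in acc */
    unsigned int pad;    /* '=' characters seen */
    unsigned int err;    /* sticky: invalid character, or data after padding */
} b64_stream;

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

static int b64_value(unsigned char c)
{
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* Feed a chunk of any size; returns bytes written to out (at most 3*len/4 + 1). */
size_t b64_update(b64_stream *s, const char *in, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        int v = b64_value(c);
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;                 /* line structure carries no data */
        if (c == '=') { s->pad++; continue; }
        if (v < 0 || s->pad != 0) { s->err = 1; continue; }
        s->acc = (s->acc << 6) | (unsigned int)v;
        s->nbits += 6;
        if (s->nbits >= 8) {
            s->nbits -= 8;
            out[n++] = (unsigned char)(s->acc >> s->nbits);
            s->acc &= (1u << s->nbits) - 1u;
        }
    }
    return n;
}

/* 0 if the input ended on a valid boundary with matching padding, else -1. */
int b64_final(const b64_stream *s)
{
    unsigned int want = s->nbits == 4 ? 2u : s->nbits == 2 ? 1u : 0u;
    return (s->err || s->nbits == 6 || s->acc != 0 || s->pad != want) ? -1 : 0;
}

/* Decode text fed in chunk-byte pieces (chunk > 0); decoded length or -1. */
long b64_decode_chunked(const char *text, size_t chunk, unsigned char *out)
{
    b64_stream s = { 0, 0, 0, 0 };
    size_t len = strlen(text), n = 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t take = len - off < chunk ? len - off : chunk;
        n += b64_update(&s, text + off, take, out + n);
    }
    return b64_final(&s) == 0 ? (long)n : -1;
}

int main(void)
{
    unsigned char out[64];
    /* constructed sample: "Hello, World!" with irregular line breaks */
    long n = b64_decode_chunked("SGVsb\nG8sIFd\r\nvcmxkIQ=\n=", 1, out);
    printf("%ld bytes: %.*s\n", n, (int)(n < 0 ? 0 : n), (const char *)out);
    return 0;
}
```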
X509_LOOKUP_load_file - X509_LOOKUP_load_charbuf
Hello,

I have just a little question regarding this line of code

openssl/apps/apps.c:
    if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {

I want to load the data from a buffer instead of CAfile (without writing the data into the file CAfile).

How do I do that? What function is called here?

crypto/x509/x509_lu.c:
    return ctx->method->ctrl(ctx,cmd,argc,argl,ret);

Thank you,
Alexander

--
Deutsche Telekom AG
Seamless ICT Security Infrastructure Management
on behalf of T-Systems International GmbH
Dipl. Inf Alexander Elgert
Langwadener Strasse 17
64625 Bensheim
+49 176 22 717 661 (Mobile)
+49 671 83419-12 (Tel)
+49 671 83419-30 (Fax)
E-Mail: alexander.elg...@gmx.de
RE: Using libcrypto's RSA code
> No sane Base64 decoder should care. But the code in crypto/evp/bio_b64.c seems to be stupidly line oriented with small line buffers in an overcomplicated state, when a streaming Base64 encoder/decoder should be able to get away with a few unsigned ints and a state machine.

The current behavior and implementation is not great and nobody has gotten around to fixing it yet. Love to see a patch.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA