Re: 050 + at the beginning of verified signature

2013-10-10 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org on behalf of aqueelmirza

> Sent: Thursday, October 10, 2013 06:43

> I tried replacing strlen(reply) with 20 but we are getting same result as
> before.
> 
Yes, a sha1 hash should be 20 bytes, but see below.

> I am attaching reference files with this message. While trying this
> solution, sometimes we were getting following error as well.
> RSA operation error
> 140735121490396:error:0406706C:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data greater than mod len:rsa_eay.c:680:
> 
> Can you please guide me?
> 
That means there's something very wrong with your signature value,
or you've got keys of different lengths confused. If you are only using 
one key, make sure the signature is the correct size (128 bytes for the 
key and data you linked) and byte for byte the same as when generated. 
Are you copying it as binary? If not, as your use of suffix .txt suggests,
many methods for copying text change some bytes in some cases.

> result.txt 
> signature.txt

> publicKey.pem

> 
me:~/ossx/play $ od -t x1 http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
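
The size check from the reply above, as an added example (not code from the thread or from OpenSSL): it confirms that a raw signature is exactly as long as the modulus and numerically smaller than it, and shows how a text-mode copy (LF to CRLF) or `strlen()` on binary data breaks that. The modulus and signature bytes are constructed sample values, not a real key; `sig_precheck`, `text_mode_copy` and `make_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MOD_BYTES 128   /* 1024-bit key: the signature must be 128 bytes */

enum sig_status { SIG_OK = 0, SIG_WRONG_LEN, SIG_GE_MODULUS };

/* Pre-checks on a raw RSA signature before any public-key operation.
 * Both buffers are big-endian integers; mod has no leading zero byte.
 * For equal lengths, memcmp() orders big-endian integers correctly. */
enum sig_status sig_precheck(const unsigned char *sig, size_t siglen,
                             const unsigned char *mod, size_t modlen)
{
    if (siglen != modlen)
        return SIG_WRONG_LEN;      /* e.g. "data greater than mod len" */
    if (memcmp(sig, mod, modlen) >= 0)
        return SIG_GE_MODULUS;     /* value does not fit under the modulus */
    return SIG_OK;
}

/* What a text-mode copy can do to binary data: every LF (0x0A) becomes
 * CR LF. Returns the number of bytes written, or 0 if out is too small. */
size_t text_mode_copy(const unsigned char *in, size_t inlen,
                      unsigned char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        if (in[i] == 0x0A) {
            if (o >= outcap)
                return 0;
            out[o++] = 0x0D;
        }
        if (o >= outcap)
            return 0;
        out[o++] = in[i];
    }
    return o;
}

/* Constructed sample data (assumption: only the size and shape matter here,
 * this is neither a real RSA modulus nor a valid signature). */
void make_sample(unsigned char mod[MOD_BYTES], unsigned char sig[MOD_BYTES])
{
    for (size_t i = 0; i < MOD_BYTES; i++) {
        mod[i] = (unsigned char)(0xC1 + 37 * i);
        sig[i] = (unsigned char)(0x11 + 29 * i);
    }
    mod[MOD_BYTES - 1] |= 1;   /* RSA moduli are odd */
    sig[5]  = 0x00;            /* binary data may contain NUL bytes ...   */
    sig[9]  = 0x0A;            /* ... and bytes that look like a newline  */
    sig[40] = 0x0A;
}

int main(void)
{
    unsigned char mod[MOD_BYTES], sig[MOD_BYTES], copied[2 * MOD_BYTES];
    make_sample(mod, sig);

    /* Byte-for-byte copy: length and range are fine. */
    printf("binary copy:    %zu bytes, status %d\n",
           sizeof sig, (int)sig_precheck(sig, sizeof sig, mod, sizeof mod));

    /* strlen() stops at the first NUL, so it cannot size binary data. */
    printf("strlen(sig):    %zu (real length %zu)\n",
           strlen((const char *)sig), sizeof sig);

    /* Text-mode copy: two LF bytes grew into CR LF, the size check fails. */
    size_t n = text_mode_copy(sig, sizeof sig, copied, sizeof copied);
    printf("text-mode copy: %zu bytes, status %d\n",
           n, (int)sig_precheck(copied, n, mod, sizeof mod));
    return 0;
}
```
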


How does one use fipstests.sh to generate scripts for use with Windows CE [OpenSSL FIPS]

2013-10-10 Thread Eichenberger, John
I see that there is a "-win32" command line value.  But I would have thought 
that should not necessarily be the same as what one uses for Windows-CE.
I've tried a few things at random, I was hoping for someone who had done this 
before to show me the way?

-Ike-
John Eichenberger
Principal Engineer: Sustaining Engineering: Intermec
425.265.2108  john.eichenber...@intermec.com





Re: Broken implementation of OpenSSL

2013-10-10 Thread Tim Legg
I may have figured it out (it's been a 3 hour ordeal so far.)

I was using netcat to test 443 using LAN and WAN machines, and all was going 
well.

At some point a few minutes ago, I realized that this software uses port 8080, 
not the standard 443.

I think maybe it's time to jump in a freezing river or something like that.

Well, hopefully that was the problem. I can't change the router settings until 
late tonight.

Tim Legg
- Original Message -
From: Tim Legg
Sent: 10/10/13 05:24 PM
To: openssl-users@openssl.org
Subject: Broken implementation of OpenSSL

Hello,

I was following a HOWTO document:
http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3

In the last step, I should have a control panel application (ISPConfig 3)
launching when accessed with https://www.example.com:8080 but instead, I get a
connection refused. So I decided to use wget to help diagnose the issue. I had
some success with wget, but only when using --no-check-certificate. Here are a
few cases:

wget https://www.example.com:8080
--2013-10-10 13:50:06-- https://www.example.com:8080/
Resolving www.example.com (www.example.com)... 76.10.x.x
Connecting to www.example.com (www.example.com)|76.10.x.x|:8080... failed: Connection refused.

wget https://localhost:8080
--2013-10-10 13:50:56-- https://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
ERROR: cannot verify localhost's certificate, issued by `/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd':
Self-signed certificate encountered.
ERROR: certificate common name `' doesn't match requested host name `localhost'.
To connect to localhost insecurely, use `--no-check-certificate'.

wget --no-check-certificate https://localhost:8080
--2013-10-10 13:51:39-- https://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
WARNING: cannot verify localhost's certificate, issued by `/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd':
Self-signed certificate encountered.
WARNING: certificate common name `' doesn't match requested host name `localhost'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2013-10-10 13:51:39 (9.65 MB/s) - `index.html' saved [9199]

I have a feeling that this would be an 'easy' problem. I don't have skill in
how SSL operates or how it is expected to behave

This is very similar to a thread I posted on the forum for ISPConfig. I came
here since this community has expertise in encryption problems. The link to my
question at ISPConfig's forum is here:

http://www.howtoforge.com/forums/showthread.php?p=303779


Broken implementation of OpenSSL

2013-10-10 Thread Tim Legg
Hello,

I was following a HOWTO document: 
http://www.howtoforge.com/perfect-server-ubuntu-12.04-lts-apache2-bind-dovecot-ispconfig-3

In the last step, I should have a control panel application (ISPConfig 3) 
launching when accessed with https://www.example.com:8080 but instead, I get a 
connection refused. So I decided to use wget to help diagnose the issue.  I had 
some success with wget, but only when using --no-check-certificate. Here are a 
few cases:

wget https://www.example.com:8080
--2013-10-10 13:50:06-- https://www.example.com:8080/
Resolving www.example.com (www.example.com)... 76.10.x.x
Connecting to www.example.com (www.example.com)|76.10.x.x|:8080... failed: 
Connection refused.

wget https://localhost:8080
--2013-10-10 13:50:56-- https://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
ERROR: cannot verify localhost's certificate, issued by 
`/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd':
Self-signed certificate encountered.
ERROR: certificate common name `' doesn't match requested host name `localhost'.
To connect to localhost insecurely, use `--no-check-certificate'.

wget --no-check-certificate https://localhost:8080
--2013-10-10 13:51:39-- https://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
WARNING: cannot verify localhost's certificate, issued by 
`/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd':
Self-signed certificate encountered.
WARNING: certificate common name `' doesn't match requested host name 
`localhost'.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2013-10-10 13:51:39 (9.65 MB/s) - `index.html' saved [9199]


I have a feeling that this would be an 'easy' problem.  I don't have skill in 
how SSL operates or how it is expected to behave

This is very similar to a thread I posted on the forum for ISPConfig.  I came 
here since this community has expertise in encryption problems.  The link to my 
question at ISPConfig's forum is here:

http://www.howtoforge.com/forums/showthread.php?p=303779


Abort after free() of non-allocated pointer

2013-10-10 Thread Daode
Hello!  Am i right here?
It's actually hard to believe the error is on the OpenSSL side,
and i definitely should look deeper before sending this, but on
the other hand this is so deep down in the OpenSSL code...

  ?0[steffen@sherwood src]$ openssl version
  OpenSSL 1.0.1e 11 Feb 2013
  ?0[steffen@sherwood src]$ otool -L ~/usr/bin/s-nail
  /Users/steffen/usr/bin/s-nail:
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /Users/steffen/usr/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /Users/steffen/usr/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /Users/steffen/usr/lib/libidn.11.dylib (compatibility version 18.0.0, current version 18.10.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 125.2.11)
  ?0[steffen@sherwood src]$ ll ~/usr/lib/*ssl*
     4 lrwxrwxr-x  1 steffen  staff      18 15 Feb  2013 /Users/steffen/usr/lib/libssl.dylib@ -> libssl.1.0.0.dylib
   596 -rw-r--r--  1 steffen  staff  609480 15 Feb  2013 /Users/steffen/usr/lib/libssl.a
   444 -r-xr-xr-x  1 steffen  staff  452952 15 Feb  2013 /Users/steffen/usr/lib/libssl.1.0.0.dylib*

...

  T1135 OK Returned to authenticated state. (Success)
  >>> T1136 LOGOUT
  * BYE LOGOUT Requested
  s-nail(20015) malloc: *** error for object 0x1004beb00: pointer being freed was not allocated
  *** set a breakpoint in malloc_error_break to debug

  Program received signal SIGABRT, Aborted.
  0x7fff824df0b6 in __kill ()
  (gdb) bt
  #0  0x7fff824df0b6 in __kill ()
  #1  0x7fff8257f9f6 in abort ()
  #2  0x7fff82497195 in free ()
  #3  0x0001000f61f5 in CRYPTO_free ()
  #4  0x00010019bcdc in ASN1_primitive_free ()
  #5  0x00010019c0bc in ASN1_template_free ()
  #6  0x00010019bfbf in asn1_item_combine_free ()
  #7  0x00010019c0bc in ASN1_template_free ()
  #8  0x00010019bfbf in asn1_item_combine_free ()
  #9  0x00010019c0f7 in ASN1_item_free ()
  #10 0x0001000b7b80 in SSL_SESSION_free ()
  #11 0x0001000b49e5 in SSL_free ()
  #12 0x000100014519 in sclose ()
->
  #ifdef HAVE_OPENSSL
  if (sp->s_use_ssl) {
    sp->s_use_ssl = 0;
    SSL_shutdown(sp->s_ssl);
    SSL_free(sp->s_ssl);
    sp->s_ssl = NULL;
    SSL_CTX_free(sp->s_ctx);
    sp->s_ctx = NULL;
  }
  #endif
<-
  #13 0x00010001c46e in imap_exit ()
  #14 0x00010001bd10 in imap_quit ()
  warning: Could not open object file: "/Users/steffen/src/nail.git/quit.o": No such file or directory
  warning: Couldn't open object file '/Users/steffen/src/nail.git/quit.o'
  #15 0x00010003daed in quit ()
  #16 0x0001000274ea in setfile ()
  #17 0x0001cd90 in cfile ()
  #18 0x000100028fb8 in execute ()
  #19 0x0001000286ed in commands ()
  #20 0x00010002fd6b in main ()
  (gdb) ?

I hate debuggers and thus i am somewhat lost at this point, but if
there is something i can do, please let me know.
Thank you and ciao,

--steffen


Re: Increasing key size from 1024 to 2048?

2013-10-10 Thread Eric S. Eberhard
Just curious -- what line of work is your company in?  If you were CIA 
or NASA or something I'd see the need.  If you are just a business -- 
wow!  E


On 10/10/2013 1:37 AM, int0...@safe-mail.net wrote:

Hi,

I've been asking this on the OpenVPN mailinglist, but didn't get an answer so 
far. Therefore I hope you can help me.
We use OpenVPN in our company with the default cipher suite, which should be: 
DHE_RSA_BF_CBC_SHA

So RSA is used for authentication, Blowfish in CBC mode for symmetric 
encryption. The keys for Blowfish are derived from ephemeral Diffie-Hellman and 
changed every hour.
We use a keysize of 1024 bit for RSA and therefore a modulus of 1024 bit for 
Diffie-Hellman (OpenVPN uses the Easy RSA scripts. These scripts use a variable 
"KEY_SIZE" when the Diffie-Hellman parameter or the RSA keys are built. This 
variable is set to 1024). Furthermore we  use a self-signed CA.

Some days ago I recommended to update the key size to 2048 bit, mainly because 
some sources say 1024 bit aren't enough anymore. Because quite a lot of our 
staff uses OpenVPN, they asked me, if it is possible, to not update all keys at 
once - but only issue user certs with 2048 from now on for new OpenVPN users 
(and leave the old ones in places for later update).
The process of doing that should look like that:

a) Change variable KEY_SIZE used in Easy RSA scripts from 1024 to 2048 (bit).
b) Create new Diffie-Hellman params with the Easy RSA build-dh script (will 
create the params with 2048 bit modulus).
c) Update the OpenVPN server config with the path of the new Diffie-Hellman 
param file.

Now here are my concerns and why _I_ think, that is a bad idea:
If I do it like that, new users would get 2048 bit keys/cert as requested by the company. But these certs would still 
be signed by our self signed CA which still uses the old 1024 bit key/cert. Given that an attacker has enough computing 
power, he could factorize "n" (from the pub key in the CA cert) to get "p" and "q". With 
that he would have our CA's private key, being able to create a faked server cert and sign it with the CA key. With 
that server certificate the attacker could launch a man in the middle attack. That would mean: Authentication via RSA 
would be "leveraged".

So my questions are:
I.  Am I right, or is that rubbish?

II. Is an attacker able to get the CA cert at all? It looks as if during TLS 
handshake only the User certificate and the Server certificates are 
transmitted, but not the CA cert.

III. To complicate things a bit more:
OpenVPN supports a so called "tls-auth" directive which takes a 160 bit key. 
According to the OpenVPN documentation this key is used to generate a HMAC over every 
packet during TLS handshake (and append it?). It looks as if this is not part of TLS 
itself, but a modified implementation of TLS. They say, that without the key, not even 
the handshake would work.
So my last question is:
If the CA cert, can be requested from the OpenVPN Server somehow, that wouldn't 
work anymore, if such a key is used. Is that correct?

Thanks a lot for your help!

--
Eric S. Eberhard
VICS
2933 W Middle Verde Road
Camp Verde, AZ  86322

928-567-3727  work  928-301-7537  cell

http://www.vicsmba.com/index.html (our work)
http://www.vicsmba.com/ourpics/index.html (fun pictures)



Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
Just to clear everything and finish up. I had global int variable
named "read"...

On Thu, Oct 10, 2013 at 8:33 PM, Angelin Lalev  wrote:
> SOLVED: The very basic thing that gets the whole thing broken seems
> to be VERY BASIC understanding of C. I did cut out only the
> initialization code in a separate program and it worked fine.
> Somewhere in the program before the initialization of openssl I'm
> having pointer problems of some sort.
> Thanks very much for the quick reply and sorry for raising any false alarms...
>
> On Thu, Oct 10, 2013 at 8:02 PM, Jeff Trawick  wrote:
>> On Thu, Oct 10, 2013 at 12:54 PM, Angelin Lalev 
>> wrote:
>>>
>>> (gdb) r
>>> Starting program: /home/ventsi/fing/fing
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x0086d1fc in read ()
>>> (gdb) info threads
>>>   Id   Target Id         Frame
>>> * 1    process 13262 "fing" 0x0086d1fc in read ()
>>
>>
>> Ouch/I'll shut up now.
>>
>> (I think there's something very basic going wrong/getting corrupted if a
>> segfault is reported in the syscall interface.)
>>
>>>
>>> On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick  wrote:
>>> > On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev
>>> > 
>>> > wrote:
>>> >>
>>> >> Greetings,
>>> >> I could use some help.
>>> >>
>>> >> I'm getting segmentation fault from this code:
>>> >>
>>> >>/* Init the openssl library */
>>> >> SSL_load_error_strings();
>>> >> SSL_library_init();
>>> >>
>>> >> ctx=SSL_CTX_new(SSLv3_client_method());
>>> >>
>>> >> The backtrace looks like this:
>>> >>
>>> >> Program received signal SIGSEGV, Segmentation fault.
>>> >> 0x0086d1fc in read ()
>>> >> (gdb) backtrace
>>> >> #0  0x0086d1fc in read ()
>>> >
>>> >
>>> > Run "info threads" and see what the other threads are doing.  ("thread
>>> > n"
>>> > followed by "backtrace")  Presumably the crash is on another thread
>>> > since it
>>> > is "hard" to make read() crash.
>>> >
>>> >
>>> >>
>>> >> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
>>> >> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
>>> >> pseudo=1)
>>> >> at md_rand.c:394
>>> >> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
>>> >> num=16)
>>> >> at md_rand.c:543
>>> >> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
>>> >> at rand_lib.c:172
>>> >> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
>>> >> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at
>>> >> fing.c:253
>>> >>
>>> >> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
>>> >> VirtualBox virtual machine.
>>> >> I'm not at all proficient in C, even more in Linux development and I
>>> >> cannot by myself determine what
>>> >> I did to break things. Up to one moment, the program was working, at
>>> >> the next recompilation/reboot it just
>>> >> stopped :-) I do a binary which will be located on initramfs system,
>>> >> so it is statically compiled.
>>> >> OpenSSL is compiled with the following config options
>>> >>
>>> >> ./config -d no-dso no-shared
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Born in Roswell... married an alien...
>>> > http://emptyhammock.com/
>>
>>
>>
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
SOLVED: The very basic thing that gets the whole thing broken seems
to be VERY BASIC understanding of C. I did cut out only the
initialization code in a separate program and it worked fine.
Somewhere in the program before the initialization of openssl I'm
having pointer problems of some sort.
Thanks very much for the quick reply and sorry for raising any false alarms...

On Thu, Oct 10, 2013 at 8:02 PM, Jeff Trawick  wrote:
> On Thu, Oct 10, 2013 at 12:54 PM, Angelin Lalev 
> wrote:
>>
>> (gdb) r
>> Starting program: /home/ventsi/fing/fing
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x0086d1fc in read ()
>> (gdb) info threads
>>   Id   Target Id         Frame
>> * 1    process 13262 "fing" 0x0086d1fc in read ()
>
>
> Ouch/I'll shut up now.
>
> (I think there's something very basic going wrong/getting corrupted if a
> segfault is reported in the syscall interface.)
>
>>
>> On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick  wrote:
>> > On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev
>> > 
>> > wrote:
>> >>
>> >> Greetings,
>> >> I could use some help.
>> >>
>> >> I'm getting segmentation fault from this code:
>> >>
>> >>/* Init the openssl library */
>> >> SSL_load_error_strings();
>> >> SSL_library_init();
>> >>
>> >> ctx=SSL_CTX_new(SSLv3_client_method());
>> >>
>> >> The backtrace looks like this:
>> >>
>> >> Program received signal SIGSEGV, Segmentation fault.
>> >> 0x0086d1fc in read ()
>> >> (gdb) backtrace
>> >> #0  0x0086d1fc in read ()
>> >
>> >
>> > Run "info threads" and see what the other threads are doing.  ("thread
>> > n"
>> > followed by "backtrace")  Presumably the crash is on another thread
>> > since it
>> > is "hard" to make read() crash.
>> >
>> >
>> >>
>> >> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
>> >> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
>> >> pseudo=1)
>> >> at md_rand.c:394
>> >> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
>> >> num=16)
>> >> at md_rand.c:543
>> >> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
>> >> at rand_lib.c:172
>> >> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
>> >> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at
>> >> fing.c:253
>> >>
>> >> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
>> >> VirtualBox virtual machine.
>> >> I'm not at all proficient in C, even more in Linux development and I
>> >> cannot by myself determine what
>> >> I did to break things. Up to one moment, the program was working, at
>> >> the next recompilation/reboot it just
>> >> stopped :-) I do a binary which will be located on initramfs system,
>> >> so it is statically compiled.
>> >> OpenSSL is compiled with the following config options
>> >>
>> >> ./config -d no-dso no-shared
>> >
>> >
>> >
>> >
>> > --
>> > Born in Roswell... married an alien...
>> > http://emptyhammock.com/
>
>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/


Re: [openssl-users] Updating key size - security related questions

2013-10-10 Thread Erwann Abalea

Hello,

On 10/10/2013 18:29, int0...@safe-mail.net wrote:

> Hi,
>
> I've been asking this on the OpenVPN mailinglist, but didn't get an answer so
> far. Therefore I hope you can help me.
> We use OpenVPN in our company with the default cipher suite, which should be:
> DHE_RSA_BF_CBC_SHA
>
> So RSA is used for authentication, Blowfish in CBC mode for symmetric
> encryption. The keys for Blowfish are derived from ephemeral Diffie-Hellman and
> changed every hour.

Make sure you don't encrypt more than 2^35 bytes with the same BF key.
Otherwise, you have an additional problem.

> We use a keysize of 1024 bit for RSA and therefore a modulus of 1024 bit for
> Diffie-Hellman (OpenVPN uses the Easy RSA scripts. These scripts use a variable
> "KEY_SIZE" when the Diffie-Hellman parameter or the RSA keys are built. This
> variable is set to 1024). Furthermore we use a self-signed CA.
>
> Some days ago I recommended to update the key size to 2048 bit, mainly because
> some sources say 1024 bit aren't enough anymore. Because quite a lot of our
> staff uses OpenVPN, they asked me, if it is possible, to not update all keys at
> once - but only issue user certs with 2048 from now on for new OpenVPN users
> (and leave the old ones in places for later update).
> The process of doing that should look like that:
>
> a) Change variable KEY_SIZE used in Easy RSA scripts from 1024 to 2048 (bit).
> b) Create new Diffie-Hellman params with the Easy RSA build-dh script (will
> create the params with 2048 bit modulus).
> c) Update the OpenVPN server config with the path of the new Diffie-Hellman
> param file.
>
> Now here are my concerns and why _I_ think, that is a bad idea:
> If I do it like that, new users would get 2048 bit keys/cert as requested by the company. But these certs would still
> be signed by our self signed CA which still uses the old 1024 bit key/cert. Given that an attacker has enough computing
> power, he could factorize "n" (from the pub key in the CA cert) to get "p" and "q". With
> that he would have our CA's private key, being able to create a faked server cert and sign it with the CA key. With
> that server certificate the attacker could launch a man in the middle attack. That would mean: Authentication via RSA
> would be "leveraged".

As in "broken"? Yes.

> So my questions are:
> I. Am I right, or is that rubbish?

You're right. On the other side, how powerful are your opponents? 1024 
bits factorization isn't an easy task, it requires a large amount of 
money. "Large" isn't a precise number, for sure; I'd place the lower 
limit at 1M$. But don't trust me.

> II. Is an attacker able to get the CA cert at all? It looks as if during TLS
> handshake only the User certificate and the Server certificates are
> transmitted, but not the CA cert.

A public key isn't designed to be kept private. Given some certificates 
signed by the same private key, the modulus of the signer key can be 
guessed.

Consider your CA modulus to be public.

> III. To complicate things a bit more:
> OpenVPN supports a so called "tls-auth" directive which takes a 160 bit key.
> According to the OpenVPN documentation this key is used to generate a HMAC over every
> packet during TLS handshake (and append it?). It looks as if this is not part of TLS
> itself, but a modified implementation of TLS. They say, that without the key, not even
> the handshake would work.
> So my last question is:
> If the CA cert, can be requested from the OpenVPN Server somehow, that wouldn't
> work anymore, if such a key is used. Is that correct?

It depends on how this key is used. I don't have any opinion on this point.


Increasing key size from 1024 to 2048?

2013-10-10 Thread int0x80
Hi,

I've been asking this on the OpenVPN mailinglist, but didn't get an answer so 
far. Therefore I hope you can help me.
We use OpenVPN in our company with the default cipher suite, which should be: 
DHE_RSA_BF_CBC_SHA

So RSA is used for authentication, Blowfish in CBC mode for symmetric 
encryption. The keys for Blowfish are derived from ephemeral Diffie-Hellman and 
changed every hour.
We use a keysize of 1024 bit for RSA and therefore a modulus of 1024 bit for 
Diffie-Hellman (OpenVPN uses the Easy RSA scripts. These scripts use a variable 
"KEY_SIZE" when the Diffie-Hellman parameter or the RSA keys are built. This 
variable is set to 1024). Furthermore we  use a self-signed CA.

Some days ago I recommended to update the key size to 2048 bit, mainly because 
some sources say 1024 bit aren't enough anymore. Because quite a lot of our 
staff uses OpenVPN, they asked me, if it is possible, to not update all keys at 
once - but only issue user certs with 2048 from now on for new OpenVPN users 
(and leave the old ones in places for later update).
The process of doing that should look like that:

a) Change variable KEY_SIZE used in Easy RSA scripts from 1024 to 2048 (bit).
b) Create new Diffie-Hellman params with the Easy RSA build-dh script (will 
create the params with 2048 bit modulus).
c) Update the OpenVPN server config with the path of the new Diffie-Hellman 
param file.

Now here are my concerns and why _I_ think, that is a bad idea:
If I do it like that, new users would get 2048 bit keys/cert as requested by 
the company. But these certs would still be signed by our self signed CA which 
still uses the old 1024 bit key/cert. Given that an attacker has enough 
computing power, he could factorize "n" (from the pub key in the CA cert) to 
get "p" and "q". With that he would have our CA's private key, being able to 
create a faked server cert and sign it with the CA key. With that server 
certificate the attacker could launch a man in the middle attack. That would 
mean: Authentication via RSA would be "leveraged".

So my questions are:
I.  Am I right, or is that rubbish?

II. Is an attacker able to get the CA cert at all? It looks as if during TLS 
handshake only the User certificate and the Server certificates are 
transmitted, but not the CA cert.

III. To complicate things a bit more:
OpenVPN supports a so called "tls-auth" directive which takes a 160 bit key. 
According to the OpenVPN documentation this key is used to generate a HMAC over 
every packet during TLS handshake (and append it?). It looks as if this is not 
part of TLS itself, but a modified implementation of TLS. They say, that 
without the key, not even the handshake would work.
So my last question is:
If the CA cert, can be requested from the OpenVPN Server somehow, that wouldn't 
work anymore, if such a key is used. Is that correct?

Thanks a lot for your help!


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Jeff Trawick
On Thu, Oct 10, 2013 at 12:54 PM, Angelin Lalev wrote:

> (gdb) r
> Starting program: /home/ventsi/fing/fing
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0086d1fc in read ()
> (gdb) info threads
>   Id   Target Id         Frame
> * 1    process 13262 "fing" 0x0086d1fc in read ()
>

Ouch/I'll shut up now.

(I think there's something very basic going wrong/getting corrupted if a
segfault is reported in the syscall interface.)


> On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick  wrote:
> > On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev  >
> > wrote:
> >>
> >> Greetings,
> >> I could use some help.
> >>
> >> I'm getting segmentation fault from this code:
> >>
> >>/* Init the openssl library */
> >> SSL_load_error_strings();
> >> SSL_library_init();
> >>
> >> ctx=SSL_CTX_new(SSLv3_client_method());
> >>
> >> The backtrace looks like this:
> >>
> >> Program received signal SIGSEGV, Segmentation fault.
> >> 0x0086d1fc in read ()
> >> (gdb) backtrace
> >> #0  0x0086d1fc in read ()
> >
> >
> > Run "info threads" and see what the other threads are doing.  ("thread n"
> > followed by "backtrace")  Presumably the crash is on another thread
> since it
> > is "hard" to make read() crash.
> >
> >
> >>
> >> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
> >> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
> >> pseudo=1)
> >> at md_rand.c:394
> >> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
> >> num=16)
> >> at md_rand.c:543
> >> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
> >> at rand_lib.c:172
> >> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
> >> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at
> fing.c:253
> >>
> >> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
> >> VirtualBox virtual machine.
> >> I'm not at all proficient in C, even more in Linux development and I
> >> cannot by myself determine what
> >> I did to break things. Up to one moment, the program was working, at
> >> the next recompilation/reboot it just
> >> stopped :-) I do a binary which will be located on initramfs system,
> >> so it is statically compiled.
> >> OpenSSL is compiled with the following config options
> >>
> >> ./config -d no-dso no-shared
> >
> >
> >
> >
> > --
> > Born in Roswell... married an alien...
> > http://emptyhammock.com/
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
I tried many things, but I'm not sure if I did the most elementary -
to reboot the virtual machine. But if the problem is gone this way, we
cannot reproduce the problem anymore

On Thu, Oct 10, 2013 at 7:54 PM, Angelin Lalev  wrote:
> (gdb) r
> Starting program: /home/ventsi/fing/fing
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0086d1fc in read ()
> (gdb) info threads
>   Id   Target Id         Frame
> * 1    process 13262 "fing" 0x0086d1fc in read ()
>
> On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick  wrote:
>> On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev 
>> wrote:
>>>
>>> Greetings,
>>> I could use some help.
>>>
>>> I'm getting segmentation fault from this code:
>>>
>>>/* Init the openssl library */
>>> SSL_load_error_strings();
>>> SSL_library_init();
>>>
>>> ctx=SSL_CTX_new(SSLv3_client_method());
>>>
>>> The backtrace looks like this:
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> 0x0086d1fc in read ()
>>> (gdb) backtrace
>>> #0  0x0086d1fc in read ()
>>
>>
>> Run "info threads" and see what the other threads are doing.  ("thread n"
>> followed by "backtrace")  Presumably the crash is on another thread since it
>> is "hard" to make read() crash.
>>
>>
>>>
>>> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
>>> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
>>> pseudo=1)
>>> at md_rand.c:394
>>> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
>>> num=16)
>>> at md_rand.c:543
>>> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
>>> at rand_lib.c:172
>>> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
>>> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at fing.c:253
>>>
>>> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
>>> VirtualBox virtual machine.
>>> I'm not at all proficient in C, even more in Linux development and I
>>> cannot by myself determine what
>>> I did to break things. Up to one moment, the program was working, at
>>> the next recompilation/reboot it just
>>> stopped :-) I do a binary which will be located on initramfs system,
>>> so it is statically compiled.
>>> OpenSSL is compiled with the following config options
>>>
>>> ./config -d no-dso no-shared
>>
>>
>>
>>
>> --
>> Born in Roswell... married an alien...
>> http://emptyhammock.com/


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
(gdb) r
Starting program: /home/ventsi/fing/fing

Program received signal SIGSEGV, Segmentation fault.
0x0086d1fc in read ()
(gdb) info threads
  Id   Target Id         Frame
* 1    process 13262 "fing" 0x0086d1fc in read ()

On Thu, Oct 10, 2013 at 7:19 PM, Jeff Trawick  wrote:
> On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev 
> wrote:
>>
>> Greetings,
>> I could use some help.
>>
>> I'm getting segmentation fault from this code:
>>
>> /* Init the openssl library */
>> SSL_load_error_strings();
>> SSL_library_init();
>>
>> ctx=SSL_CTX_new(SSLv3_client_method());
>>
>> The backtrace looks like this:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x0086d1fc in read ()
>> (gdb) backtrace
>> #0  0x0086d1fc in read ()
>
>
> Run "info threads" and see what the other threads are doing.  ("thread n"
> followed by "backtrace")  Presumably the crash is on another thread since it
> is "hard" to make read() crash.
>
>
>>
>> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
>> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
>> pseudo=1)
>> at md_rand.c:394
>> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
>> num=16)
>> at md_rand.c:543
>> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
>> at rand_lib.c:172
>> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
>> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at fing.c:253
>>
>> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
>> VirtualBox virtual machine.
>> I'm not at all proficient in C, even more in Linux development and I
>> cannot by myself determine what
>> I did to break things. Up to one moment, the program was working, at
>> the next recompilation/reboot it just
>> stopped :-) I do a binary which will be located on initramfs system,
>> so it is statically compiled.
>> OpenSSL is compiled with the following config options
>>
>> ./config -d no-dso no-shared
>
>
>
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/


Updating key size - security related questions

2013-10-10 Thread int0x80
Hi,

I've been asking this on the OpenVPN mailing list, but didn't get an answer so 
far. Therefore I hope you can help me.
We use OpenVPN in our company with the default cipher suite, which should be: 
DHE_RSA_BF_CBC_SHA

So RSA is used for authentication, Blowfish in CBC mode for symmetric 
encryption. The keys for Blowfish are derived from ephemeral Diffie-Hellman and 
changed every hour.
We use a key size of 1024 bit for RSA and therefore a modulus of 1024 bit for 
Diffie-Hellman (OpenVPN uses the Easy RSA scripts. These scripts use a variable 
"KEY_SIZE" when the Diffie-Hellman parameter or the RSA keys are built. This 
variable is set to 1024). Furthermore we use a self-signed CA.

Some days ago I recommended to update the key size to 2048 bit, mainly because 
some sources say 1024 bit aren't enough anymore. Because quite a lot of our 
staff uses OpenVPN, they asked me, if it is possible, to not update all keys at 
once - but only issue user certs with 2048 from now on for new OpenVPN users 
(and leave the old ones in places for later update).
The process of doing that should look like that:

a) Change variable KEY_SIZE used in Easy RSA scripts from 1024 to 2048 (bit).
b) Create new Diffie-Hellman params with the Easy RSA build-dh script (will 
create the params with 2048 bit modulus).
c) Update the OpenVPN server config with the path of the new Diffie-Hellman 
param file.

Now here are my concerns and why _I_ think, that is a bad idea:
If I do it like that, new users would get 2048 bit keys/cert as requested by 
the company. But these certs would still be signed by our self-signed CA which 
still uses the old 1024 bit key/cert. Given that an attacker has enough 
computing power, he could factorize "n" (from the pub key in the CA cert) to 
get "p" and "q". With that he would have our CA's private key, being able to 
create a faked server cert and sign it with the CA key. With that server 
certificate the attacker could launch a man in the middle attack. That would 
mean: Authentication via RSA would be "leveraged".

So my questions are:
I. Am I right, or is that rubbish?

II. Is an attacker able to get the CA cert at all? It looks as if during TLS 
handshake only the User certificate and the Server certificates are 
transmitted, but not the CA cert.

III. To complicate things a bit more:
OpenVPN supports a so called "tls-auth" directive which takes a 160 bit key. 
According to the OpenVPN documentation this key is used to generate a HMAC over 
every packet during TLS handshake (and append it?). It looks as if this is not 
part of TLS itself, but a modified implementation of TLS. They say, that 
without the key, not even the handshake would work.
So my last question is:
If the CA cert can be requested from the OpenVPN Server somehow, that wouldn't 
work anymore, if such a key is used. Is that correct?

Thanks a lot for your help!
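
An added example (not part of the original post, and not OpenVPN or Easy RSA code): a standard-library Python check that reads the RSA modulus size from every certificate in a chain and reports the smallest one, which is the key that bounds the whole chain in the staged rollout described above. The certificates are constructed, unsigned skeletons built by the hypothetical `sample_cert` helper, and the server key size is an assumption; real PEM files can be passed through `pem_to_der`.

```python
import base64

def read_tlv(buf, pos):                      # -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):               # elements directly inside [start, end)
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_modulus_bits(der):
    """RSA modulus size of a DER X.509 certificate (assumes the key is RSA)."""
    _, s, e = read_tlv(der, 0)                         # Certificate
    tbs = children(der, *children(der, s, e)[0][1:])   # tbsCertificate fields
    if tbs[0][0] == 0xA0:                              # optional [0] version
        tbs = tbs[1:]
    _, bs, be = children(der, *tbs[5][1:])[1]          # subjectPublicKeyInfo BIT STRING
    _, ks, ke = children(der, bs + 1, be)[0]           # skip the unused-bits byte
    _, ms, me = children(der, ks, ke)[0]               # RSAPublicKey.modulus
    return int.from_bytes(der[ms:me], "big").bit_length()

def pem_to_der(pem):                         # strip armour lines, decode the body
    return base64.b64decode("".join(
        l for l in pem.splitlines() if not l.startswith("-----")))

def weakest_link(chain):
    """chain maps a label to DER bytes; returns (label, bits) of the smallest key."""
    sizes = {name: rsa_modulus_bits(der) for name, der in chain.items()}
    name = min(sizes, key=sizes.get)
    return name, sizes[name]

# --- constructed sample data: unsigned certificate skeletons, not real keys ---
def tlv(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body
def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
def sample_cert(bits):
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))   # rsaEncryption, NULL
    key = tlv(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    stub = tlv(0x30, b"")                    # issuer, validity, subject left empty
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg + stub * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

# Staged rollout from the post: old 1024-bit CA (server assumed old too), new 2048-bit user.
CHAIN = {"ca": sample_cert(1024), "server": sample_cert(1024), "new-user": sample_cert(2048)}
print(weakest_link(CHAIN))
```

The parser only descends to the `subjectPublicKeyInfo` field, so it also reads certificates issued by Easy RSA once they are converted with `pem_to_der`.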


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Jeff Trawick
On Thu, Oct 10, 2013 at 11:50 AM, Angelin Lalev wrote:

> Greetings,
> I could use some help.
>
> I'm getting segmentation fault from this code:
>
> /* Init the openssl library */
> SSL_load_error_strings();
> SSL_library_init();
>
> ctx=SSL_CTX_new(SSLv3_client_method());
>
> The backtrace looks like this:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0086d1fc in read ()
> (gdb) backtrace
> #0  0x0086d1fc in read ()
>

Run "info threads" and see what the other threads are doing.  ("thread n"
followed by "backtrace")  Presumably the crash is on another thread since
it is "hard" to make read() crash.



> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16,
> pseudo=1)
> at md_rand.c:394
> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "",
> num=16)
> at md_rand.c:543
> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
> at rand_lib.c:172
> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at fing.c:253
>
> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
> VirtualBox virtual machine.
> I'm not at all proficient in C, even more in Linux development and I
> cannot by myself determine what
> I did to break things. Up to one moment, the program was working, at
> the next recompilation/reboot it just
> stopped :-) I do a binary which will be located on initramfs system,
> so it is statically compiled.
> OpenSSL is compiled with the following config options
>
> ./config -d no-dso no-shared
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/


Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
Greetings,
I could use some help.

I'm getting segmentation fault from this code:

/* Init the openssl library */
SSL_load_error_strings();
SSL_library_init();

ctx=SSL_CTX_new(SSLv3_client_method());

The backtrace looks like this:

Program received signal SIGSEGV, Segmentation fault.
0x0086d1fc in read ()
(gdb) backtrace
#0  0x0086d1fc in read ()
#1  0x004eb3fe in RAND_poll () at rand_unix.c:347
#2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16, pseudo=1)
at md_rand.c:394
#3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "", num=16)
at md_rand.c:543
#4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
at rand_lib.c:172
#5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
#6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at fing.c:253

My system is Ubuntu Server LTS 12.10 and it's currently installed in a
VirtualBox virtual machine.
I'm not at all proficient in C, even more in Linux development and I
cannot by myself determine what
I did to break things. Up to one moment, the program was working, at
the next recompilation/reboot it just
stopped :-) I do a binary which will be located on initramfs system,
so it is statically compiled.
OpenSSL is compiled with the following config options

./config -d no-dso no-shared


Re: Hi, I need help with initialization of OpenSSL

2013-10-10 Thread Angelin Lalev
I forgot to state the version of OpenSSL I'm using. It's 1.0.1e

On Thu, Oct 10, 2013 at 6:50 PM, Angelin Lalev  wrote:
> Greetings,
> I could use some help.
>
> I'm getting segmentation fault from this code:
>
> /* Init the openssl library */
> SSL_load_error_strings();
> SSL_library_init();
>
> ctx=SSL_CTX_new(SSLv3_client_method());
>
> The backtrace looks like this:
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0086d1fc in read ()
> (gdb) backtrace
> #0  0x0086d1fc in read ()
> #1  0x004eb3fe in RAND_poll () at rand_unix.c:347
> #2  0x004eabed in ssleay_rand_bytes (buf=0x88ed00 "", num=16, 
> pseudo=1)
> at md_rand.c:394
> #3  0x004eb0b0 in ssleay_rand_pseudo_bytes (buf=0x88ed00 "", num=16)
> at md_rand.c:543
> #4  0x0045d352 in RAND_pseudo_bytes (buf=0x88ed00 "", num=16)
> at rand_lib.c:172
> #5  0x00424163 in SSL_CTX_new (meth=0x5c4200) at ssl_lib.c:1808
> #6  0x00402ca2 in main (argc=1, argv=0x7fffe718) at fing.c:253
>
> My system is Ubuntu Server LTS 12.10 and it's currently installed in a
> VirtualBox virtual machine.
> I'm not at all proficient in C, even more in Linux development and I
> cannot by myself determine what
> I did to break things. Up to one moment, the program was working, at
> the next recompilation/reboot it just
> stopped :-) I do a binary which will be located on initramfs system,
> so it is statically compiled.
> OpenSSL is compiled with the following config options
>
> ./config -d no-dso no-shared


OpenSSL version 1.0.1c - Error: ASN1_D2I_READ_BIO:not enough data

2013-10-10 Thread Helen Du
Hi, 
 
I'm using version 1.0.1c, and I'm getting this error randomly: 
ASN1_D2I_READ_BIO:not enough data.
I know this error is fixed in version 1.0.1a. Is it also fixed in v1.0.1c?
 
Any suggestions about how to debug this random error? Should I downgrade my 
OpenSSL from v1.0.1c to v1.0.1a?
 
Thank you so much!
 
Helen

Helen Du
 
System Analyst
Information Technology Services
London Health Sciences Centre
339 Windermere Road, P.O. Box 5339
London, ON Canada N6A 5A5

Tel: 519-646-6100 Ext 64675 Fax: 519-663-3654
http://www.lhsc.london.on.ca/
 
"Partnering with you to deliver excellent care for patients through technology 
and innovation."

 



SSL_Connect blocking for 25 sec for the first connection

2013-10-10 Thread Madupuvenkatesh Arun-PJH784
I have a situation where my application is trying to open 5000 SSL connections 
with a server, one after another. I see the very first SSL connect blocking for 
nearly 25 seconds and timing out.
(Interestingly, this blocking time is in proportion to the number of connections 
I'm intending to open. E.g., if I'm trying to open 1 connections the delay 
proportionately increases to approx. 40 sec for the first SSL connect that is 
happening.)

However, subsequent connections (4999 out of 5000) succeed without any 
blockage and seem normal...

There was a post on this a long time back, however I was not able to find the 
resolution, if any exists, for the same... 
(http://openssl.6102.n7.nabble.com/SSL-connect-blocks-for-almost-1-minute-td12478.html)

I'm using version 1.0.1c of OpenSSL on Windows 7.

Any clue on the above behavior? Is there any fix or workaround available to 
avoid the blockage?

Regards
Arun





Re: TLS 1.1 and 1.2 support in openssl-fips 1.2

2013-10-10 Thread Dr. Stephen Henson
On Thu, Oct 10, 2013, Anil Kumar K K wrote:

> Hi OpenSSL experts,
> 
> I have been trying to find out whether TLS version 1.1 and 1.2 are supported
> in openssl package openssl-fips 1.2.
> 
> Version string in the code says only TLS 1.0 is supported:
> #define TLS1_VERSION 0x0301
> 
> But change log listed in the below link talks about TLS 1.2 also :
> http://www.openssl.org/news/changelog.html
> 

The fips 1.2 module works with OpenSSL 0.9.8 which only supports TLS 1.0.

You need the 2.0 module which works with OpenSSL 1.0.1 and later which
includes TLS 1.1 and 1.2.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


TLS 1.1 and 1.2 support in openssl-fips 1.2

2013-10-10 Thread Anil Kumar K K
Hi OpenSSL experts,

I have been trying to find out whether TLS version 1.1 and 1.2 are supported
in openssl package openssl-fips 1.2.

Version string in the code says only TLS 1.0 is supported:
#define TLS1_VERSION 0x0301

But change log listed in the below link talks about TLS 1.2 also :
http://www.openssl.org/news/changelog.html


can somebody confirm on this ?

Thanks
Anil


Re: 050 + at the beginning of verified signature

2013-10-10 Thread aqueelmirza
Hi

I tried replacing strlen(reply) with 20 but we are getting same result as
before. 

I am attaching reference files with this message. While trying this
solution, sometimes we were getting following error as well.
RSA operation error
140735121490396:error:0406706C:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data
greater than mod len:rsa_eay.c:680: 

Can you please guide me?

result.txt   
signature.txt   
publicKey.pem   


