Re: Reason for ASN error
I am looking for a tool which can dump out ASN.1 data. I think this will throw some light. Any inputs?

On Wed, Jan 22, 2014 at 2:27 PM, Mithun Kumar mithunsi...@gmail.com wrote:

I think below error is caused by corrupt data received by the client. Is my observation correct? Any idea how to figure out where things are going wrong?

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib

-mithun
Reason for ASN error
I think below error is caused by corrupt data received by the client. Is my observation correct? Any idea how to figure out where things are going wrong?

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib

-mithun
RE: Open SSL errors increase in Linux compared with Solaris
Dave,

Thanks for your response. Please find the response for your queries below.

1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.
2. The errno is 104 and it is Connection reset by peer
3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.
4. We will check on the iptables and the setup.

Thanks Regards
Karthikeyan Thirumal
ADD-Web-NXP-India, Application Development Delivery
iNautix Technologies India Private Limited, an affiliate of Pershing LLC, a subsidiary of The Bank of New York Mellon Corporation
http://www.inautix.co.in
VOIP: 612-15112
Email: kthiru...@inautix.co.in
Information Classification: Internal Use Only

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Tuesday, January 07, 2014 4:08 AM
To: openssl-users@openssl.org
Subject: RE: Open SSL errors increase in Linux compared with Solaris

1: 0.9.8a is VERY old, and contains quite a few security flaws that have been fixed since. Even if your application(s) can't accept the fairly small changes needed to move to 1.0.0 or better 1.0.1, try at least to move up to or near 0.9.8y.

2: whenever you get ERROR_SYSCALL you should always look at errno on Unix (or [WSA]GetError() on Windows). What is it?

3: there are various TCP or (mostly) IP level errors that can cause a TCP connection initiation (also called handshake, but not to be confused with the SSL/TLS handshake) to fail. It wouldn't surprise me if the Linux stack returns errors to the application process in some cases that Solaris does not - or vice versa. If the errno value isn't specific enough, get a network trace on the Linux box (with tcpdump) or a machine very close: I like wireshark on Windows, also available for MacOSX, and usually one of those either exists or can be temporarily put on the desired network segment.

4: it is also possible there are actually more errors. Are you sure the Linux box's network adapter and cable are solidly good? Do any other applications (especially inbound) on that box get errors? Linux or at least most versions have iptables which functions as an IP firewall - is yours set in a way that interferes with some (or even all?) desired TCP connections?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Arjunan, Karthikeyan
Sent: Thursday, January 02, 2014 06:14
To: openssl-users@openssl.org
Cc: Arjunan, Karthikeyan
Subject: Open SSL errors increase in Linux compared with Solaris

Hi,

We have migrated from openssl-0.9.8a Solaris to Linux version. We find that there is a drastic increase in the SSL_ERROR_SYSCALL in Linux openssl version compared to Solaris. I am using SSL_accept which returns a negative value. The return code for SSL_get_error is 5. Please advise how to reduce the increase in error.

Thanks,
Karthikeyan Arjunan

** This message and any files or attachments sent with this message contain confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute, copy or use any part of this email. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return Email. Email transmission cannot be guaranteed to be secure or error-free as information can be intercepted, corrupted, lost, destroyed, late, incomplete or may contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message, which arise as a result of email transmission. **
Re: Open SSL errors increase in Linux compared with Solaris
I'm no expert, but doesn't connection reset by peer mean that the other side of the connection is hanging up? So maybe the error is with whatever you are talking to?

Andrew

On Wed, Jan 22, 2014 at 11:24:07AM +, Thirumal, Karthikeyan wrote:

Dave,

Thanks for your response. Please find the response for your queries below.

1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.
2. The errno is 104 and it is Connection reset by peer
3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.
4. We will check on the iptables and the setup.
Re: openssl RSA public key does not match key read from C code
On 01/06/2014 10:34 PM, Alan Cabrera wrote:

I should have obtained the DER form using i2d_RSA_PUBKEY(). Also, passing buf to the method should have warned me that the pointer was being modified. I have no idea why it gets modified and what it points to after the call. So now I do

    der_form = throw_away = (unsigned char *) malloc(len);
    i2d_RSAPublicKey(public_key, throw_away);

and use the contents of der_form.

Regards,
Alan

This is standard behaviour with any i2d_* function. The second pointer is increased to the end of the written data. Read, for instance, the WARNINGS section here: http://www.openssl.org/docs/crypto/d2i_X509.html

For what I recall, this is done because you often want to append more ASN.1 data at the end of the current data, so you need to keep track of where you are.
RE: Open SSL errors increase in Linux compared with Solaris
From: owner-openssl-us...@openssl.org On Behalf Of andrew cooke
Sent: Wednesday, January 22, 2014 06:49

I'm no expert, but doesn't connection reset by peer mean that the other side of the connection is hanging up? So maybe the error is with whatever you are talking to?

Andrew

Originally it meant the connection is terminated *abnormally* by the other end, as opposed to a normal/graceful FIN exchange. Windows sends RST if an application crashes, but all Unixes I have seen do FIN, unless the application forces RST by setting linger time 0.

Nowadays lots of middleboxes like firewalls and routers and (supposedly) transparent proxies that want to prohibit or destroy a TCP connection use RST, so when you as one end system receive a RST in many situations there's a very good chance it's not actually from the peer.

I think at this point the network capture is the best bet, first to confirm the server is actually receiving RST (and not just doing something weird on its own) and if so to start looking for where it is coming from. Although at that point we may need to know something about the affected clients.

On Wed, Jan 22, 2014 at 11:24:07AM +, Thirumal, Karthikeyan wrote:

Dave,

Thanks for your response. Please find the response for your queries below.

1. Yes, we are trying to upgrade it. But before that we are trying it in our testbeds and all possible options for the fix.
2. The errno is 104 and it is Connection reset by peer
3. Can you help us with the above errno and our next step will be to take the tcpdump / network trace.
4. We will check on the iptables and the setup.
Re: Reason for ASN error
It is certainly *invalid* data received by the client. *corrupt* normally means that correct data was sent, or at least created, and something changed it on the way to the receiver, either accidentally (such as line noise or gamma rays) or deliberately (by an attacker). Nowadays uncorrected accidental errors in Internet systems nearly never occur, so we concern ourselves mostly with attacks.

The other possibility is that the data was invalid to start with (but transmitted correctly). Can you look at or have someone give you the cert file on the server? (Don't ask for the private key, just the cert; some places put them together.)

'openssl asn1parse' (commandline) will dump ASN.1 data if you have it in a file, either DER or PEM format. But here you are receiving the (purported) cert during a failed handshake, so you don't have it in a file.

'openssl s_client' with -msg or -debug will display the exact data received, before parsing, in hex. (Also data sent, which you can ignore.) It's possible but tedious to parse ASN.1 manually, but if you capture (tee or cut and paste) the hex and convert back to binary (DER) you may be able to use 'asn1parse' depending on how wrong the data is.

A network capture with tcpdump or wireshark or similar can get the data; wireshark can also decode and display it in a nice GUI, again depending on how badly it's wrong, and is my first choice for easy to use.

If you can capture the (Server)Cert message, or the cert in it, or get the cert file from the server, but have trouble parsing it and figuring out what's wrong, post it in a safe form, preferably PEM (not an attachment).

Nitpick: officially it's ASN.1 (Abstract Syntax Notation 1) or just ASN1, although there isn't and probably won't ever be any other ASN. (With that meaning; there are Autonomous System Numbers.) Kind of like PL/1 but no PL/2.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mithun Kumar
Sent: Wednesday, January 22, 2014 04:08
To: openssl-users@openssl.org
Subject: *** Spam *** Re: Reason for ASN error

I am looking for a tool which can dump out ASN.1 data. I think this will throw some light. Any inputs?

On Wed, Jan 22, 2014 at 2:27 PM, Mithun Kumar mithunsi...@gmail.com wrote:

I think below error is caused by corrupt data received by the client. Is my observation correct? Any idea how to figure out where things are going wrong?

error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib

-mithun
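The hex-to-DER-to-dump route described in the reply above, as an added example that is not part of the original thread and not OpenSSL code: a small Python DER walker that lists each element the way asn1parse does and reports the offset of the first tag that does not fit the outer layout of an X.509 certificate. The sample byte strings and all function names are constructed for this illustration.

```python
# Added example: minimal DER walker. Sample bytes are constructed, not a real certificate.
UNIVERSAL = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING",
             0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OBJECT",
             0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x17: "UTCTIME",
             0x30: "SEQUENCE", 0x31: "SET"}


class DerError(ValueError):
    def __init__(self, offset, reason):
        super().__init__(f"offset {offset}: {reason}")
        self.offset = offset


def hex_to_der(text):
    """Convert pasted hex (whitespace and colons allowed) back to binary."""
    return bytes.fromhex(text.replace(":", " "))


def tag_name(tag):
    if tag in UNIVERSAL:
        return UNIVERSAL[tag]
    cls = ("universal", "application", "context", "private")[tag >> 6]
    return f"{cls} [{tag & 0x1F}]"


def read_header(buf, pos, end):
    """Return (tag, header_len, content_len) for the element at pos."""
    if pos + 2 > end:
        raise DerError(pos, "truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DerError(pos, "multi-byte tag not handled by this sketch")
    if first < 0x80:                      # short form: the byte is the length
        hdr, length = 2, first
    elif first == 0x80:
        raise DerError(pos + 1, "indefinite length is not valid DER")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if pos + 2 + n > end:
            raise DerError(pos + 1, "truncated length field")
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if pos + hdr + length > end:
        raise DerError(pos, f"length {length} overruns the enclosing element")
    return tag, hdr, length


def walk(buf, pos=0, end=None, depth=0, rows=None):
    """Collect (offset, depth, header_len, length, name) rows, like asn1parse."""
    end = len(buf) if end is None else end
    rows = [] if rows is None else rows
    while pos < end:
        tag, hdr, length = read_header(buf, pos, end)
        rows.append((pos, depth, hdr, length, tag_name(tag)))
        if tag & 0x20:                    # constructed: descend into the content
            walk(buf, pos + hdr, pos + hdr + length, depth + 1, rows)
        pos += hdr + length
    return rows


def check_certificate_shape(der):
    """Compare the outer layout with Certificate ::= SEQUENCE {
    tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }."""
    try:
        rows = walk(der)
    except DerError as exc:
        return str(exc)
    if not rows or rows[0][4] != "SEQUENCE":
        return "offset 0: wrong tag, expected SEQUENCE"
    children = [r for r in rows if r[1] == 1]
    for want, row in zip(("SEQUENCE", "SEQUENCE", "BIT STRING"), children):
        if row[4] != want:
            return f"offset {row[0]}: wrong tag, expected {want}, found {row[4]}"
    return "ok" if len(children) == 3 else f"expected 3 fields, found {len(children)}"


# Constructed skeletons with the outer shape of a certificate (not real certs).
GOOD_HEX = "30 0d 30 03 02 01 01 30 02 05 00 03 02 00 ff"
BAD_HEX = "30 0d 30 03 02 01 01 04 02 05 00 03 02 00 ff"   # offset 7: 30 -> 04
TRUNCATED_HEX = "30 0d 30 03 02 01"

if __name__ == "__main__":
    for off, depth, hdr, length, name in walk(hex_to_der(GOOD_HEX)):
        print(f"{off:5}:d={depth} hl={hdr} l={length:4} {'  ' * depth}{name}")
    for sample in (GOOD_HEX, BAD_HEX, TRUNCATED_HEX):
        print(check_certificate_shape(hex_to_der(sample)))
```

Hex copied from a Certificate handshake message still carries the TLS handshake and certificate-list length fields in front of the first certificate, so those bytes have to be cut off before the remainder is treated as DER.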
RE: RSA_public_decrypt(), and RSA_private_encrypt()
Those links (and the man pages in the latest release tarball, which they should and do match) are different for me as they should be. *Some* of the setup code is the same for both directions, and mostly the same for other algorithms also - the main point of EVP_ is to use different algorithms through a mostly generic API.

EVP_PKEY_encrypt won't do a signature. Although for RSA only (not other algorithms) sign/verify are mathematically similar to encrypt/decrypt, and this is reflected in the (way-old) low-level RSA_* function names, the actual signature and encryption schemes use different padding, and only EVP_PKEY_{sign,verify[recover]} does signatures. And even then they don't do the (data) hashing.

The general public-key sign and verify processes are:

S1. compute hash of data (or for CMS, hash of data-hash plus some other bits)
S2. generate signature for hash S1 using private key (RSA, DSA, or ECDSA)
S3. send signature with or linked to data, and certs if needed

V0. receive signature and data, and receive or otherwise obtain certs if used
V1. compute hash of data (or for CMS as above) - should always be same as S1
V2. verify received signature for hash V1 using public key

For RSA only (and with minor exceptions) S2 breaks down as:

S21. encode hashvalue plus OID for hash in ASN.1
S22. pad S21, classically PKCS#1(v1.5) which truly just pads; an alternative now is PSS which mixes up S21 in a complicated way but is still called padding
S23. modexp S22 to private exponent d mod n

and V2 breaks down as:

V21. modexp signature to public exponent d mod n, which recovers S22
V22. unpad V21 using the same method as S22, which recovers S21
V23. un-encode V22=S21 and match to expected value and OID

(old) EVP_Sign/Verify* does all of these steps, although for 2-level hashing like CMS it does only the 'last' data hash.

(1.0.0+) EVP_DigestSign/Verify* does the same but with a more flexible and more logical set of arguments.

EVP_PKEY_sign/verify[_init] does only S2 or V2; you must hash the data yourself.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of HelenH Zhang
Sent: Tuesday, January 21, 2014 18:51
To: openssl-users@openssl.org; fr...@baggins.org
Subject: Re: RSA_public_decrypt(), and RSA_private_encrypt()

Thank you, Matt for your quick reply. I have additional questions:

I looked both links below:

https://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html
https://www.openssl.org/docs/crypto/EVP_PKEY_decrypt.html

One for encryption, one for decryption, however, example code in the links are the same, which can not be true.

I have the following code segment:

    ERR_load_crypto_strings();
    pkey = EVP_PKEY_new();
    rc = EVP_PKEY_assign_RSA(pkey, rsaKey);
    if (rc) {
        ctx = EVP_PKEY_CTX_new(pkey);
        if (!ctx) { rc = -1; }
        rc = EVP_PKEY_CTX_set_signature_md(ctx, md);
        if (rc == 1) rc = EVP_PKEY_encrypt_init(ctx);
        if (rc == 1) rc = EVP_PKEY_CTX_set_rsa_padding(ctx, pad);
        if (rc == 1) rc = EVP_PKEY_encrypt(ctx, out, outlen, in, inlen) = 0)
    }
    EVP_PKEY_CTX_free(ctx);
    EVP_PKEY_free(pkey);

This code should perform similar function as EVP_Sign... except padding part. Is it correct?

Thanks
Helen

From: Matt Caswell fr...@baggins.org
To: openssl-users@openssl.org
Sent: Tuesday, January 21, 2014 1:35 PM
Subject: Re: RSA_public_decrypt(), and RSA_private_encrypt()

On 21 January 2014 15:44, HelenH Zhang helen...@yahoo.com wrote:

Dear experts:

We want to be able to specify padding. RSA_PKCS1_PADDING or RSA_NO_PADDING. I would like to use EVP API instead of RSA_Public_decrypt(), and RSA_Private_encrypt(). Which API should I use?

I am currently using EVP_SignInit()/Update/Final() to do rsa sign, and EVP_VerifyInit/Update/Final to do rsa verify.

Thanks in advance for any suggestion.

Helen

Padding can be set using EVP_PKEY_CTX_set_rsa_padding. See: https://www.openssl.org/docs/crypto/EVP_PKEY_CTX_ctrl.html

Matt

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: RSA_public_decrypt(), and RSA_private_encrypt()
On 21 January 2014 23:51, HelenH Zhang helen...@yahoo.com wrote:

Thank you, Matt for your quick reply. I have additional questions:

I looked both links below:

https://www.openssl.org/docs/crypto/EVP_PKEY_encrypt.html
https://www.openssl.org/docs/crypto/EVP_PKEY_decrypt.html

One for encryption, one for decryption, however, example code in the links are the same, which can not be true.

They look ok to me? They are not *exactly* the same?

I have the following code segment:

    ERR_load_crypto_strings();
    pkey = EVP_PKEY_new();
    rc = EVP_PKEY_assign_RSA(pkey, rsaKey);
    if (rc) {
        ctx = EVP_PKEY_CTX_new(pkey);
        if (!ctx) { rc = -1; }
        rc = EVP_PKEY_CTX_set_signature_md(ctx, md);
        if (rc == 1) rc = EVP_PKEY_encrypt_init(ctx);
        if (rc == 1) rc = EVP_PKEY_CTX_set_rsa_padding(ctx, pad);
        if (rc == 1) rc = EVP_PKEY_encrypt(ctx, out, outlen, in, inlen) = 0)
    }
    EVP_PKEY_CTX_free(ctx);
    EVP_PKEY_free(pkey);

This code should perform similar function as EVP_Sign... except padding part. Is it correct?

No. EVP_PKEY_encrypt is not the same operation as EVP_Sign*. The EVP_PKEY_encrypt/EVP_PKEY_decrypt functions are rarely used directly - they do not hash their input first - it's just directly encrypted - which is not normally what you want.

If you want to sign then typically you use EVP_Sign* or EVP_DigestSign* (the latter does the same thing but is newer and slightly more flexible as it can also be used to generate MACs).

If you want to encrypt then, typically, you use EVP_Seal*.

Matt
Re: RSA_public_decrypt(), and RSA_private_encrypt()
On 22 January 2014 22:40, Dave Thompson dthomp...@prinpay.com wrote:

The general public-key sign and verify processes are:

S1. compute hash of data (or for CMS, hash of data-hash plus some other bits)
S2. generate signature for hash S1 using private key (RSA, DSA, or ECDSA)
S3. send signature with or linked to data, and certs if needed

V0. receive signature and data, and receive or otherwise obtain certs if used
V1. compute hash of data (or for CMS as above) – should always be same as S1
V2. verify received signature for hash V1 using public key

For RSA only (and with minor exceptions) S2 breaks down as:

S21. encode hashvalue plus OID for hash in ASN.1
S22. “pad” S21, classically PKCS#1(v1.5) which truly just pads; an alternative now is PSS which mixes up S21 in a complicated way but is still called padding
S23. modexp S22 to private exponent d mod n

and V2 breaks down as:

V21. modexp signature to public exponent d mod n, which recovers S22
V22. “unpad” V21 using the same method as S22, which recovers S21
V23. un-encode V22=S21 and match to expected value and OID

(old) EVP_Sign/Verify* does all of these steps, although for 2-level hashing

Good answer! Just for clarity, it does not do S3 or V0. Sending and receiving the data is up to you if you use these functions.

Matt
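The S1, S21 to S23 and V21 to V23 steps listed in Dave Thompson's message and quoted in the reply above, carried through in plain Python arithmetic as an added example (not code from the thread and not the OpenSSL API): SHA-256, PKCS#1 v1.5 signature padding, and a modular exponentiation with the private exponent to sign and the public exponent to verify. Assumptions: the key is a constructed, insecure toy key built from two Mersenne primes, all function names are hypothetical, and verification rebuilds the expected padded block and compares it whole, a stricter variant of unpadding and parsing the recovered block.

```python
import hashlib
import hmac

# Constructed toy key (assumption for this example): both factors are Mersenne
# primes, so the modulus is trivially factorable. Never use it for real data.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8            # modulus size in bytes

# DER header of DigestInfo for SHA-256: hash OID, NULL parameters, and the
# tag/length of the 32-byte OCTET STRING that holds the digest.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def s1_hash(data):
    """S1 / V1: hash the data."""
    return hashlib.sha256(data).digest()


def s21_encode(digest):
    """S21: hash value plus hash OID, ASN.1 (DER) encoded as DigestInfo."""
    return SHA256_PREFIX + digest


def s22_pad(digest_info):
    """S22: PKCS#1 v1.5 signature padding, 00 01 FF..FF 00 || DigestInfo."""
    ps_len = K - len(digest_info) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digest_info


def s23_modexp(block):
    """S23: raise the padded block to the private exponent mod n."""
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(K, "big")


def sign(data):
    return s23_modexp(s22_pad(s21_encode(s1_hash(data))))


def v21_recover(signature):
    """V21: raise the signature to the public exponent mod n, giving back S22."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K or s >= N:
        raise ValueError("signature out of range for this modulus")
    return pow(s, E, N).to_bytes(K, "big")


def verify(data, signature):
    """V1, V21, then V22/V23 done by re-encoding: build the block the signer
    must have produced for this data and compare all K bytes."""
    try:
        recovered = v21_recover(signature)
    except ValueError:
        return False
    expected = s22_pad(s21_encode(s1_hash(data)))
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    message = b"constructed test message"
    sig = sign(message)
    print(v21_recover(sig).hex())        # 0001ff...ff00 || DigestInfo
    print(verify(message, sig), verify(b"another message", sig))
```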