Openssl 1.01f installs broken headers using VC++ 2013
Trying to build Qt with openssl. Built openssl with VC++ 2013 without incident. However, the header files don't look right. The file openssl/include/ssl.h contains one line: ../../ssl/ssl.h This doesn't look like C++ to me. I see no reason it should compile. All the openssl include files seem to be like this. I'd understand if it had this: #include ../../ssl/ssl.h But, it doesn't. Qt won't build with it like this. Configured openssl like this: perl Configure VC-WIN32 --prefix=c:\Qt\openssl-1.0.1f\openssl-1.0.1f\release Suggestions? Robin -- Robin Rowe Project Manager CinePaint.org Beverly Hills, California www.cinepaint.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
stunnel 5.00 released
Dear Users, I have released version 5.00 of stunnel. The ChangeLog entry: stunnel 5.00 disables some features previously enabled by default. Users should review whether the new defaults are appropriate for their particular deployments. Packages maintainers may consider prepending the old defaults for fips (if supported by their OpenSSL library), pid and libwrap to stunnel.conf during automated updates. Version 5.00, 2014.03.06, urgency: HIGH: * Security bugfixes - Added PRNG state update in fork threading (CVE-2014-0016). * New global configuration file defaults - Default fips option value is now no, as FIPS mode is only helpful for compliance, and never for actual security. - Default pid is now , i.e. not to create a pid file at startup. * New service-level configuration file defaults - Default ciphers updated to HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 due to AlFBPPS attack and bad performance of DH ciphersuites. - Default libwrap setting is now no to improve performance. * New features - OpenSSL DLLs updated to version 1.0.1f. - zlib DLL updated to version 1.2.8. - autoconf scripts upgraded to version 2.69. - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode. - New service-level option redirect to redirect SSL client connections on authentication failures instead of rejecting them. - New global engineDefault configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. - New service-level configuration file option engineId to select the engine by identifier, e.g. engineId = capi. - New global configuration file option log to control whether to append (the default), or to overwrite log file while (re)opening. - Different taskbar icon colors to indicate the service state. - New global configuration file options iconIdle, iconActive, and iconError to select status icon on GUI taskbar. - Removed the limit of 63 stunnel.conf sections on Win32 platform. - Installation of a sample certificate was moved to a separate cert target in order to allow unattended (e.g. scripted) installations. - Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time. - Improved readability of error messages printed when stunnel refuses to start due to a critical error. * Bugfixes - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs). - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs). - Corrected round-robin failover behavior under heavy load. - Numerous fixes in the engine support code. - On Win32 platform .rnd file moved from c:\ to the stunnel folder. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hash for stunnel-5.00.tar.gz: 88986d52a7ef1aff0cc26fc0a9830361c991baba7ee591d5cf1cc8baef75bc13 Best regards, Mike signature.asc Description: OpenPGP digital signature
How to get 'pre master secret' of a tls session?
Hi Group, for debugging purpose, I would like to log 'pre master secret' of a TLS session. Is there an api in OpenSSL library that fetches this key for a given session. Thanks Regards Prasun
Re: How to get 'pre master secret' of a tls session?
DEBUG macro can be enabled to log this : TLS_DEBUG It will write the pre master key to standard output. This is where it is logging : tls1_setup_key_block Thanks On Thu, Mar 6, 2014 at 3:32 PM, Prasun Bheri prasun.bh...@gmail.com wrote: Hi Group, for debugging purpose, I would like to log 'pre master secret' of a TLS session. Is there an api in OpenSSL library that fetches this key for a given session. Thanks Regards Prasun
Re: AES CCM in DTLS v1.2
Thanks, guess I will have to wait for 1.0.2. My aim is still the same though, get rid of the padding required by SHA. As I understand it GCM/GMAC would be a good fit too (?). Will I be able to key it using PSK? Br Fredrik On Tue, Mar 4, 2014 at 10:05 PM, Dr. Stephen Henson st...@openssl.org wrote: On Tue, Mar 04, 2014, Fredrik Jansson wrote: I am currently using DTLS v1.1 but with the introduction of v1.2 in OpenSSL 1.0.1f I was hoping to be able to use AES CCM mode. We use PSK to key DTLS and the resulting algorithm is PSK-AES256-CBC-SHA. Is it possible to stick with PSK and migrate to AES CCM? DTLS 1.2 is supported in OpenSSL 1.0.2 only not 1.0.1f. Also it only supports AES GCM and not AES CCM. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
FIPS build of static libcrypto for a shard object
Hi All, I am trying to build a shared object which would use FIPS cannister with licrypto static library. Platform - Linux (SUSE) Architecture - x86_64 These are the steps that I did openssl-fips-2.0.5 1 ./config fipscanisterbuild 2 make 3 make install The above steps result in 1 /usr/local/ssl/fips-2.0/lib - fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1 2 /usr/local/ssl/fips-2.0/bin - fipsld fips_standalone_sha1 openssl-1.0.1f 1 ./config fips -d no-shared -fPIC 2 make depend 3 make 4 make install The above steps result in among other things 1 /usr/local/ssl/lib - libcrypto.a libssl.a Now to use the static version of libcrypto, I have followed the steps listed in User Guide 2.0 export CC=/usr/local/ssl/fips-2.0/bin/fipsld export FIPSLD_CC=gcc When I invoke the linking process, I see that fipsld is trying to load the shared object being created. The shared object prints debug message to console on load and somehow they are being passed to gcc. Also, I see errors being reported from fips_premain.c. If I directly link fipscannister.o to my shared object and then run incore, I get the error that the shared object passed to incore is not cross compiler aware although i get the hash printed on console when i use the dso option with incore. The compilation and error message are as below Compiling: readkmo.cpp /usr/local/ssl/fips-2.0/bin/fipsld -c -v -Wall -Werror -fPIC -errwarn=%all -o ../obj/linux_x64/debug/readkmo.o -g -D DEBUG -I ../inc -I /usr/local/ssl/include ../src/readkmo.cpp 2./readkmo.o_err 1./readkmo.o_err Linking: ../obj/linux_x64/debug/libxyz.so /usr/local/ssl/fips-2.0/bin/fipsld -fPIC --shared -Wl,-init=_attach -Wl,-fini=_detach -o ../obj/linux_x64/debug/xyz.so ../obj/linux_x64/debug/readkmo.o -Wl,--whole-archive /usr/local/ssl/lib/libssl.a -Wl,--no-whole-archive /usr/local/ssl/lib/libcrypto.a 2./libxyz.so_err 1./libxyz.so_err make: *** [../obj/linux_x64/debug/libxyz.so] Error 1 = ERROR FILE: libxyz.so_err == gcc: Failed: No such file or directory gcc: to: No such file or directory gcc: open: No such file or directory gcc: log: No such file or directory gcc: file: No such file or directory gcc: for: No such file or directory gcc: xyz: No such file or directory gcc: 13: No such file or directory gcc: 542c6482d71dbae65dc87d46ade8a13bfaeae0a6: No such file or directory gcc: unrecognized option '-2123296768' gcc: -E or -x required when input is from standard input gcc: -E or -x required when input is from standard input /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c:82: error: missing terminating character /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c:82: error: expected expression before ‘;’ token /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c: In function ‘FINGERPRINT_premain’: /usr/local/ssl/fips-2.0/bin/../lib/fips_premain.c:103: warning: comparison between pointer and integer I have been looking around the forum for manually performing the steps without use of fipsld but could not make much progress. Couple of questions that I have 1 When fipsld is trying to load the shared object being created, why are the debug messages printed passed to gcc. How do i overcome this? 2 If 1 is not feasible, then how do i manually go about embedding the cannister with the hash into my shared object. I have tried using the dynamic version of FIPS capable openssl libraries and they work correctly in FIPS mode with my shared object but I need to use the static library. Thanks, Abhishek -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-build-of-static-libcrypto-for-a-shard-object-tp48751.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS build of static libcrypto for a shard object
On Thu, Mar 06, 2014, abhispra wrote: 1 When fipsld is trying to load the shared object being created, why are the debug messages printed passed to gcc. How do i overcome this? The way native builds embed the signature is to link twice. The first time loads the DSO which should just print out the signature and exit. The second time embeds the signature. If for some reason the DSO load prints out anything else during the first link then it will confuse the second link. 2 If 1 is not feasible, then how do i manually go about embedding the cannister with the hash into my shared object. Try setting FIPS_SIG to the incore script path. Altetnatively you can use a custom fipsld script: you don't have to use the supplied version and anything functionally equivalent is acceptable. For example you could modify the part that reads the signature from standard output to ignore the debugging messages. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: FIPS build of static libcrypto for a shard object
Thank you for the response Dr. Steven. I would try out the suggested steps. Dr. Stephen Henson wrote On Thu, Mar 06, 2014, abhispra wrote: 1 When fipsld is trying to load the shared object being created, why are the debug messages printed passed to gcc. How do i overcome this? The way native builds embed the signature is to link twice. The first time loads the DSO which should just print out the signature and exit. The second time embeds the signature. If for some reason the DSO load prints out anything else during the first link then it will confuse the second link. 2 If 1 is not feasible, then how do i manually go about embedding the cannister with the hash into my shared object. Try setting FIPS_SIG to the incore script path. Altetnatively you can use a custom fipsld script: you don't have to use the supplied version and anything functionally equivalent is acceptable. For example you could modify the part that reads the signature from standard output to ignore the debugging messages. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@ Automated List Manager majordomo@ -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-build-of-static-libcrypto-for-a-shard-object-tp48751p48753.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: stunnel 5.00 released
Why do you not have sha-256 values for the Windows installer? Or a detached GPG signature for it? -Kyle H On Wed, Mar 5, 2014 at 4:09 PM, Michal Trojnara michal.trojn...@mirt.netwrote: Dear Users, I have released version 5.00 of stunnel. The ChangeLog entry: stunnel 5.00 disables some features previously enabled by default. Users should review whether the new defaults are appropriate for their particular deployments. Packages maintainers may consider prepending the old defaults for fips (if supported by their OpenSSL library), pid and libwrap to stunnel.conf during automated updates. Version 5.00, 2014.03.06, urgency: HIGH: * Security bugfixes - Added PRNG state update in fork threading (CVE-2014-0016). * New global configuration file defaults - Default fips option value is now no, as FIPS mode is only helpful for compliance, and never for actual security. - Default pid is now , i.e. not to create a pid file at startup. * New service-level configuration file defaults - Default ciphers updated to HIGH:MEDIUM:+3DES:+DH:!aNULL:!SSLv2 due to AlFBPPS attack and bad performance of DH ciphersuites. - Default libwrap setting is now no to improve performance. * New features - OpenSSL DLLs updated to version 1.0.1f. - zlib DLL updated to version 1.2.8. - autoconf scripts upgraded to version 2.69. - TLS 1.1 and TLS 1.2 are now allowed in the FIPS mode. - New service-level option redirect to redirect SSL client connections on authentication failures instead of rejecting them. - New global engineDefault configuration file option to control which OpenSSL tasks are delegated to the current engine. Available tasks: ALL, RSA, DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. - New service-level configuration file option engineId to select the engine by identifier, e.g. engineId = capi. - New global configuration file option log to control whether to append (the default), or to overwrite log file while (re)opening. - Different taskbar icon colors to indicate the service state. - New global configuration file options iconIdle, iconActive, and iconError to select status icon on GUI taskbar. - Removed the limit of 63 stunnel.conf sections on Win32 platform. - Installation of a sample certificate was moved to a separate cert target in order to allow unattended (e.g. scripted) installations. - Reduced length of the logged thread identifier. It is still based on the OS thread ID, and thus not unique over long periods of time. - Improved readability of error messages printed when stunnel refuses to start due to a critical error. * Bugfixes - LD_PRELOAD Solaris compatibility bug fixed (thx to Norm Jacobs). - CRYPTO_NUM_LOCKS replaced with CRYPTO_num_locks() to improve binary compatibility with diverse builds of OpenSSL (thx to Norm Jacobs). - Corrected round-robin failover behavior under heavy load. - Numerous fixes in the engine support code. - On Win32 platform .rnd file moved from c:\ to the stunnel folder. Home page: https://www.stunnel.org/ Download: https://www.stunnel.org/downloads.html SHA-256 hash for stunnel-5.00.tar.gz: 88986d52a7ef1aff0cc26fc0a9830361c991baba7ee591d5cf1cc8baef75bc13 Best regards, Mike
fipsld/incore from the command line
I'm probably missing something really obvious here I've got a couple of non-makefile based scripts to build my program. The program is a mix of C and C++, so the FIPSLD_CC/fipsld does not work due to c++ name mangling. The scripts have a couple of variables: FIPS_PREMAIN=`find $OPENSSLDIR -iname fips_premain.c 2/dev/null` FIPS_INCORE=`find $OPENSSLDIR/fips-2.0 -iname incore 2/dev/null` If FIPS_PREMAIN is not empty, it gets added to C_SOURCES and compiled. So FIPS_text_start, FIPS_text_end, FIPS_rodata_start, FIPS_rodata_end, and FIPS_signature are present in the executable. If FIPS_PREMAIN and FIPS_INCORE are not empty, I try to embed the fingerprint after compiling and linking: if [ -z $FIPS_PREMAIN ] || [ -z $FIPS_INCORE ]; then echo Unable to build FIPS validated executable... else ( set -x ; $FIPS_INCORE -exe ac-test.exe ) fi After embedding the signature, the program will only output a fingerprint: $ ./ac-test.exe 84f0e9fb94d7388eca89ccb82026e051f0a20cb7 A few of questions: How do I invoke incore/my program the second time to embed the fingerprint? I'm trying to make sense of fipsld/incore, but its not readily apparent to me. Or, how do I instruct incore to directly embed the fingerprint without the second link? Just calculate and embed the signature in one pass. Or, what is the switch to supply to instruct fipsld to embed a signature on an existing executable *whout* trying to compile and link it? Just calculate and embed the signature. Thanks in advance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org