Free StartSSL certificate not trusted
Hi all,
I have installed an ubuntu server with dovecot and a free certificate from
startssl, but I get:
verify error:num=20:unable to get local issuer certificate
and
verify error:num=21:unable to verify the first certificate
Any idea why?
Tanks in advance, Allan
My dovecot conf:
---
auth_username_chars = xxx_@
default_login_user = dovecot
listen = *
login_greeting = Dovecot DA ready.
mail_access_groups = mail
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
passdb {
args = username_format=%n /etc/virtual/%d/passwd
driver = passwd-file
}
protocols = pop3
service auth {
user = root
}
service imap-login {
process_min_avail = 16
user = dovecot
}
service pop3-login {
inet_listener pop3s {
address = *
port = 995
}
process_min_avail = 16
user = dovecot
}
#verbose_ssl = yes
ssl_ca = /etc/dovecot/startcom_ca.pem
ssl_cert = /etc/ssl/certs/ssl.crt
ssl_key = /etc/dovecot/pop3d.pem
#ssl_verify_client_cert = yes
userdb {
driver = passwd
}
userdb {
args = username_format=%n /etc/virtual/%d/passwd
driver = passwd-file
}
verbose_proctitle = yes
protocol pop3 {
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o
pop3_uidl_format = %08Xu%08Xv
}
---
Complete test:
an@an-laptop:~$ openssl s_client -connect mail.minlilleverden.dk:995
CONNECTED(0003)
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=35l5njOWJKek82Eu/C=DK/CN=
mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-BEGIN CERTIFICATE-
MIIGcDCCBVigAwIBAgIDD92mMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNDE1MTIzMzEz
WhcNMTUwNDE2MDA1NjMzWjB2MRkwFwYDVQQNExAzNWw1bmpPV0pLZWs4MkV1MQsw
CQYDVQQGEwJESzEfMB0GA1UEAxMWbWFpbC5taW5saWxsZXZlcmRlbi5kazErMCkG
CSqGSIb3DQEJARYccG9zdG1hc3RlckBtaW5saWxsZXZlcmRlbi5kazCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKczgWa90C7guVSaMcc3CuluzHHZFXN0
jtNkGguy8uzhKo4d57Igeyd17/0xV1Ye12Hqh0PR8RHLaGdlT9iOyccpFqZRIfnN
Gw0Gaf1bO0sJJ+ij3VzwwB9S16Rg1rbG4RgaKQaz5Ktr7vEVsbLp0VnPUUKKLMdt
i7jIH8rD8l+6MXQmLrLSFR9OBQmMtpLR5PdnSz416CQtadWAvwG6Nfv7eqh27LAq
aH+fBLxbgCpix9860jmksxKybu0JMjSzg1VU5QYZL3PQxXN9bhNDOc4Sm+jlgw7r
yTTOkitYQQ+OwH0dYg8l7aVkEwlIaaIlt08DPfIPR+OCexd2EZVEa00CAwEAAaOC
Au4wggLqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMB0GA1UdDgQWBBTji5K9jpxFs2erCE0OINCqxiFjzzAfBgNVHSMEGDAWgBTr
QjTQmLCrn/Qbawj3zGQu7w4sRTA0BgNVHREELTArghZtYWlsLm1pbmxpbGxldmVy
ZGVuLmRrghFtaW5saWxsZXZlcmRlbi5kazCCAVYGA1UdIASCAU0wggFJMAgGBmeB
DAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIwgeowJxYgU3Rh
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlm
aWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNzIDEgVmFsaWRh
dGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVs
aWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5j
ZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAq
oCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1jcmwuY3JsMIGOBggr
BgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5j
b20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEu
c3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVyLmNhLmNydDAjBgNV
HRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQAD
ggEBAAaM8/sYqms0PpsT5awstfxziAyd6NVjvl4ZMtPLVQXUOcBjnJrpwbcw5d5d
O4RmZTRVC+ejPDqXothoQnIgg/QuT74TJp13RDm1yFrxRh09sRfYX3AT1IBD6l6c
+29fM4xqZ68KWslMCMyGXFUaGaZPAAZ8c3YrsLkEuotGYeBpRtgKIeubmwiwPWTI
tLaZiTpstsRLkVX49Dxkwy5W2h4SCB82Vtv2KV/8rHY5JpIrQSDZzxuZrp++FRiC
c9RP7MlT9yehGLZSIPFCWEcyynEWVUQkgklP78avH8f1ZNmIAF5pe9E1WO3jJvfq
z8is8rnym/TsZ2SzyFbDqVtECTI=
-END CERTIFICATE-
subject=/description=35l5njOWJKek82Eu/C=DK/CN=
mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2497 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Free StartSSL certificate not trusted
Hi all,
I have installed an ubuntu server with dovecot and a free certificate from
startssl, but I get:
verify error:num=20:unable to get local issuer certificate
and
verify error:num=21:unable to verify the first certificate
Any idea why?
Tanks in advance, Allan
My dovecot conf:
---
auth_username_chars = xxx_@
default_login_user = dovecot
listen = *
login_greeting = Dovecot DA ready.
mail_access_groups = mail
mail_location = maildir:~/Maildir
passdb {
driver = shadow
}
passdb {
args = username_format=%n /etc/virtual/%d/passwd
driver = passwd-file
}
protocols = pop3
service auth {
user = root
}
service imap-login {
process_min_avail = 16
user = dovecot
}
service pop3-login {
inet_listener pop3s {
address = *
port = 995
}
process_min_avail = 16
user = dovecot
}
#verbose_ssl = yes
ssl_ca = /etc/dovecot/startcom_ca.pem
ssl_cert = /etc/ssl/certs/ssl.crt
ssl_key = /etc/dovecot/pop3d.pem
#ssl_verify_client_cert = yes
userdb {
driver = passwd
}
userdb {
args = username_format=%n /etc/virtual/%d/passwd
driver = passwd-file
}
verbose_proctitle = yes
protocol pop3 {
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o
pop3_uidl_format = %08Xu%08Xv
}
---
Complete test:
an@an-laptop:~$ openssl s_client -connect mail.minlilleverden.dk:995
CONNECTED(0003)
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk,
emailAddress = postmas...@minlilleverden.dk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=35l5njOWJKek82Eu/C=DK/CN=
mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-BEGIN CERTIFICATE-
MIIGcDCCBVigAwIBAgIDD92mMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNDE1MTIzMzEz
WhcNMTUwNDE2MDA1NjMzWjB2MRkwFwYDVQQNExAzNWw1bmpPV0pLZWs4MkV1MQsw
CQYDVQQGEwJESzEfMB0GA1UEAxMWbWFpbC5taW5saWxsZXZlcmRlbi5kazErMCkG
CSqGSIb3DQEJARYccG9zdG1hc3RlckBtaW5saWxsZXZlcmRlbi5kazCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKczgWa90C7guVSaMcc3CuluzHHZFXN0
jtNkGguy8uzhKo4d57Igeyd17/0xV1Ye12Hqh0PR8RHLaGdlT9iOyccpFqZRIfnN
Gw0Gaf1bO0sJJ+ij3VzwwB9S16Rg1rbG4RgaKQaz5Ktr7vEVsbLp0VnPUUKKLMdt
i7jIH8rD8l+6MXQmLrLSFR9OBQmMtpLR5PdnSz416CQtadWAvwG6Nfv7eqh27LAq
aH+fBLxbgCpix9860jmksxKybu0JMjSzg1VU5QYZL3PQxXN9bhNDOc4Sm+jlgw7r
yTTOkitYQQ+OwH0dYg8l7aVkEwlIaaIlt08DPfIPR+OCexd2EZVEa00CAwEAAaOC
Au4wggLqMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUF
BwMBMB0GA1UdDgQWBBTji5K9jpxFs2erCE0OINCqxiFjzzAfBgNVHSMEGDAWgBTr
QjTQmLCrn/Qbawj3zGQu7w4sRTA0BgNVHREELTArghZtYWlsLm1pbmxpbGxldmVy
ZGVuLmRrghFtaW5saWxsZXZlcmRlbi5kazCCAVYGA1UdIASCAU0wggFJMAgGBmeB
DAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIwgeowJxYgU3Rh
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRoaXMgY2VydGlm
aWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENsYXNzIDEgVmFsaWRh
dGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENBIHBvbGljeSwgcmVs
aWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5j
ZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAq
oCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1jcmwuY3JsMIGOBggr
BgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2NzcC5zdGFydHNzbC5j
b20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEu
c3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVyLmNhLmNydDAjBgNV
HRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJKoZIhvcNAQEFBQAD
ggEBAAaM8/sYqms0PpsT5awstfxziAyd6NVjvl4ZMtPLVQXUOcBjnJrpwbcw5d5d
O4RmZTRVC+ejPDqXothoQnIgg/QuT74TJp13RDm1yFrxRh09sRfYX3AT1IBD6l6c
+29fM4xqZ68KWslMCMyGXFUaGaZPAAZ8c3YrsLkEuotGYeBpRtgKIeubmwiwPWTI
tLaZiTpstsRLkVX49Dxkwy5W2h4SCB82Vtv2KV/8rHY5JpIrQSDZzxuZrp++FRiC
c9RP7MlT9yehGLZSIPFCWEcyynEWVUQkgklP78avH8f1ZNmIAF5pe9E1WO3jJvfq
z8is8rnym/TsZ2SzyFbDqVtECTI=
-END CERTIFICATE-
subject=/description=35l5njOWJKek82Eu/C=DK/CN=
mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2497 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
RE: SSL_ERROR_SYSCALL errno=0
Thanks for the reply. I'll give the suggestions a try tomorrow. We've been thinking, that our kernel version (it is custom and does not support all system calls) is relatively old and missing some features that are required by OpenSSL. I'll post back tomorrow, if anything changes. Note: I've tried ERR_string_error() and got 0x00 in all fileds. -- View this message in context: http://openssl.6102.n7.nabble.com/SSL-ERROR-SYSCALL-errno-0-tp49462p49489.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help me for ECDHE algorithm
If this is only ECDH than how to perform ECDHE? what changes i have to made in this code? -- View this message in context: http://openssl.6102.n7.nabble.com/Help-me-for-ECDHE-algorithm-tp49168p49499.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Aw: Re: Re: Converting a root certificate from md5 to sha1
Okay, thanks for all the information, here's what I did and what will go into testing: -Recreated a CSR from the root CA cert using openssl x509 -x509toreq -in cacert.crt -signkey cakey.key -sha1 -out newcert.csr Set the system date back to the startday of the old root cert Recreated the CA cert openssl req -in newcert.csr -key cakey.key -x509 -days blablabla -out ca_new.crt So far this looks promising, the serial number is fresh, the startdate to enddate range includes all my existing certs and I hope that this is the end. Thanks, Stephan Gesendet: Dienstag, 15. April 2014 um 22:28 Uhr Von: Kyle Hamilton aerow...@gmail.com An: openssl-users openssl-users@openssl.org Betreff: Re: Re: Converting a root certificate from md5 to sha1 Stephan, It depends on how pedantic your clients are. If you aren't rekeying, it shouldn't matter, though. X.509 has a Subject and an Issuer. The Issuer of a certificate is the Subject of the certificate which private key was used to sign it. If the Issuer doesn't change, then the matching algorithm doesn't change at all. However, the answer is always going to be test the clients in your environment. There are a *lot* of options, a *lot* of things that can potentially get screwed up, and there's no way to make a blanket statement without caveat. The problem with that command, though, is that it doesn't change the serial number, or the signing algorithm claimed in the main certificate. Anything which pedantically enforces the rule that the signing algorithm claimed in the TbsCertificate MUST match the signing algorithm in the Certificate is going to fail. (I think I saw a root certificate from Boeing which failed that particular test.) As always, your mileage may vary. The proper way to do this is to create a new certificate request with the appropriate information, and then sign it, but OpenSSL makes that difficult. -Kyle H On Tue, Apr 15, 2014 at 6:54 AM, steff...@gmx.de wrote: You need to generate a new certificate with the same data (except a different serial number and a reference to sha1WithRSAEncryption), containing the same public key, and signed with the same private key. I'd recommend sha256WithRSAEncryption, but that's possibly not an option for you. Make sure that you do not reuse the same serial number, it *will* cause problems (particularly for such software as Firefox, but also for anything that's written in an X.509-pedantic mode). -Kyle H Okay, thanks. Would this mean that I need to replace the old root cert with the new one on all clients ? I have certificates that are already in use and the new root cert would have a start date of today, wouldn't it confuse the client when the start date of the cert is older than that of the root cert ? Also I managed to convert the existing root cert from md5 to sha1 with openssl x509 -sha1 -inform pem -outform pem -in cacert.pem -out cacertsha1.pem -signkey cakey.pem this recreates the cert with sha1 but it also resets the startdate to now. I tried using -startdate and -enddate but openssl moans that it doesn't recognize the date as option. I tried 'Jan 01 10:37:30 2014 GMT' as well as the YYMMDDHHMMSSZ, both don't work. Thanks, Stephan On Tue, Apr 15, 2014 at 1:41 AM, steff...@gmx.de wrote: Hello world, I am running my own little CA and the root certificate was created using md5: Signature Algorithm: md5WithRSAEncryption I need to change this do sha1 because I have clients that do not accept md5 anymore. Is there any way to convert the existing cert from md5 to sha1 ? I tried converting it to another format and then reimporting it using -sha1 but this doesn't work. Thanks, Stephan __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org[http://www.openssl.org] User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Free StartSSL certificate not trusted
-Original Message-
From Allan Nielsen
I have installed an ubuntu server with dovecot and a free certificate from
startssl, but I get:
verify error:num=20:unable to get local issuer certificate
and
verify error:num=21:unable to verify the first certificate
Any idea why?
[snip]
Certificate chain
0
s:/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAd
dress=postmas...@minlilleverden.dk
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Your server sends only an end entity certificate, whose issuer is not trusted
by your client. You need to add the issuer's certificate to your client's
truststore.
HTH,
Patrick Eisenacher
:��IϮ��r�m
(Z+�K
�+1���x
��h[�z�(Z+�
��f�y��
�f���h��)z{,���
Getting bad record mac error
I have an application which was using openssl-0.9.8y. Now I have built fips enabled openssl1.0.1g and want to use the latest version that I have built for Linux x64. My application uses SslOpConnect. It works fine with 0.9.8y and when I use the new version I get SSL connection error (decryption failed or bad record mac).. Anyone can help me on this? -- View this message in context: http://openssl.6102.n7.nabble.com/Getting-bad-record-mac-error-tp49508.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Free StartSSL certificate not trusted
Thanks you are right. I got it to work now adding the ca_bundle to it. BR. Allan 2014-04-16 10:28 GMT+02:00 Eisenacher, Patrick patrick.eisenac...@bdr.de: -Original Message- From Allan Nielsen I have installed an ubuntu server with dovecot and a free certificate from startssl, but I get: verify error:num=20:unable to get local issuer certificate and verify error:num=21:unable to verify the first certificate Any idea why? [snip] Certificate chain 0 s:/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAd dress=postmas...@minlilleverden.dk i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA --- Your server sends only an end entity certificate, whose issuer is not trusted by your client. You need to add the issuer's certificate to your client's truststore. HTH, Patrick Eisenacher
Coverity Scan: Would/DId It Catch the Heartbleed Defect?
Is OpenSSL participating in the Coverity free scanning program for open source software? If not, it might have caught the Heartbleed bug. If so, why did it miss it? See this link for the latest report on open source statistics: http://softwareintegrity.coverity.com/register-for-scan-report-2013.html Kind regards, -Tom __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Coverity Scan: Would/DId It Catch the Heartbleed Defect?
On Wed, 16 Apr 2014 05:25:58 -0500 Tom Browder tom.brow...@gmail.com wrote: Is OpenSSL participating in the Coverity free scanning program for open source software? Don't know. If not, it might have caught the Heartbleed bug. No. http://blog.regehr.org/archives/1128 -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 signature.asc Description: PGP signature
Re: Coverity Scan: Would/DId It Catch the Heartbleed Defect?
On Wed, Apr 16, 2014 at 5:38 AM, Hanno Böck ha...@hboeck.de wrote: On Wed, 16 Apr 2014 05:25:58 -0500 Tom Browder tom.brow...@gmail.com wrote: Is OpenSSL participating in the Coverity free scanning program for open source software? ... Thanks for the link, Hanno! Regards, -Tom __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help me for ECDHE algorithm
On 16 April 2014 05:48, chetan chet...@neominds.in wrote: If this is only ECDH than how to perform ECDHE? what changes i have to made in this code? Well the final E in ECHDE stands for ephemeral. It is not really a difference in the way the algorithm itself works, but more about how it is used. With ECDH both parties will reuse the same keys between different invocations, and therefore end up with the same shared secret each time. In ECDHE, one or both parties will create a new key each time that a shared secret is required. In order for that to work they will have to exchange public keys. How that happens is protocol specific (and you haven't said what protocol you are going to be using). The public keys can be exchanged in-the-clear - but they *must* be authenticated in some way (e.g. by use of a MAC or digital signature). Typically you might use RSA or ECDSA to do this. Failure to authenticate the key exchange will leave you open to a man-in-the-middle attack. The actual key generation is quite straight forward and is done in the code sample on the wiki page link I originally sent you. http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman The important bit is this bit: /* Create the context for the key generation */ if(NULL == (kctx = EVP_PKEY_CTX_new(params, NULL))) handleErrors(); /* Generate the key */ if(1 != EVP_PKEY_keygen_init(kctx)) handleErrors(); if (1 != EVP_PKEY_keygen(kctx, pkey)) handleErrors(); /* Get the peer's public key, and provide the peer with our public key - * how this is done will be specific to your circumstances */ peerkey = get_peerkey(pkey); I would also remind you about this important comment at the end of the code sample: /* Never use a derived secret directly. Typically it is passed * through some hash function to produce a key */ Matt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
1.0.1g Install warns: cms.pod (Error since May 1, 2013)
I will try to leave a note with the developers at OpenSSL.org Used openssl-1.0.1g.tar.gz SHA1 b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c several errors cms.pod around line 457: Expected text after =item, not a number cms.pod around line 461: Expected text after =item, not a number cms.pod around line 465: Expected text after =item, not a number cms.pod around line 470: Expected text after =item, not a number cms.pod around line 474: Expected text after =item, not a number POD document had syntax errors at /usr/bin/pod2man line 71. make: *** [install_docs] Error 255 A quick google gave some more information. https://forums.gentoo.org/viewtopic-t-958406-start-0.html (May 1, 2013) https://bugs.archlinux.org/task/35868 https://forums.freebsd.org/viewtopic.php?t=41478 (May 1, 2013) What should be done?
