Re: [openssl-users] openssl is flexible when verifying
Not sure about how to completely solve the problem. As the function X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) is called, crit is not actually used. (e.g., in v3_purp.c, line 462) x-akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); If the value of crit can be retrieved, we may fix function X509_check_issued (around line 701). if(X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; x509v3_cache_extensions(issuer); x509v3_cache_extensions(subject); if(subject-akid) { int ret = X509_check_akid(issuer, subject-akid); if (ret != X509_V_OK) return ret; } +else if (crit==-2) //subject has more than one akids + return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH; ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
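Review bot: the added branch tests crit, but in the lines shown X509_check_issued never declares or assigns it, and the only quoted lookup, X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL), passes NULL for the crit argument, so the -2 result is discarded before this function runs. The value would have to be captured where the AKID is fetched and carried on the certificate next to akid before "else if (crit==-2)" can compile or mean anything. The branch is also reached only when subject-akid is NULL, so it relies on the lookup returning NULL for a duplicated extension; state that in a comment. X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH names a different failure than a duplicated AKID, so a dedicated error code, or at least a comment explaining the reuse, would make the result easier to diagnose.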
[openssl-users] openssl impact on CVE-2015-2808
Hello Users,

Just want to understand the impact of openssl for RC4 Bar mitzvah attack. Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. I am not sure if there will be any design change or openssl will try to disable RC4 support... But, Is disabling RC4 algo usage in the applications which are using openssl a better approach?

Thanks
Regards
Sandeep
Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?
On Mon, Apr 06, 2015 at 06:40:28PM +0200, Erwann Abalea wrote:

> > What makes you think it is incorrect to check the Key Identifier (where present) before checking a signature against a key?
>
> Because the presented file4.pem is a valid issuer certificate for the one found in file3.pem? RFC5280 section 6.1 gives the validation algorithm, and the Key Identifier isn't mentioned. 6.1.3(a) checks for signature, validity, revocation status, and names (i.e. that issuercert.subjectName = cert.issuerName). You're not supposed to follow exactly the same algorithm (or the one described in X.509), but whatever you choose, the result MUST be equivalent.

On the other hand issuers should not issue certificates whose AKID keyid does not match the subject key identifier of the issuer CA. OpenSSL has been checking this condition for two decades at least, and changing this is an incompatible change that cannot be made in any releases prior to 1.1.0 (not yet released). Even then, I am not convinced that the proposed change is warranted.

--
Viktor.
Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
On 04/06/2015 10:59 AM, Nicolae Rosia wrote:

> I see. Still, the documentation sent to the lab would be helpful to the community to better understand/review the existing code.

We don't send any documentation to the test labs unless they are performing validation actions for us, for which we must pay them. Also FYI for change letters the (unique/creative component of the) documentation is trivial. As with most FIPS 140-2 documentation such paperwork is very low in nutritional value and of essentially no value to the end user. In particular it isn't going to help anyone better understand/review the existing code.

The code itself is open source, so as Obi-Wan said, use the source, Luke.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: [openssl-users] updating list of server account password
What does the ${ip} mean?

//SIGNED//
Andy Magaña
UNIX Systems Administrator
Diligent Contractor, 72nd Air Base Wing
Tinker Air Force Base, Oklahoma
Commercial: (405) 734-0341

-Original Message-
From: mike nicholas [mailto:xmikenichol...@gmail.com]
Sent: Monday, April 06, 2015 10:58 AM
To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
Cc: ESRY JR. DON; openssl-users@openssl.org; Matt Zagrabelny
Subject: Re: updating list of server account password

Try something like this:

    my $exp = new Expect;
    $exp->log_stdout(1);
    $username = "XX";
    $exp->spawn("ssh -l ${username} ${ip}") or die "cannot spawn $command: $! \n";
    $exp->log_file("./${log_dir}/$ip\_info.log");
    print "\nspawning ssh connection to $ip on $time\n\n";
    $exp->log_file->print("\nspawning ssh connection to $ip on $time\n\n");
    $exp->expect(8,
        [ 'connecting' => sub { $exp->send("yes \n"); exp_continue; } ],
        [ 'assword:'   => sub { $exp->send("$pw\n"); exp_continue; } ],
        [ '-re', ' ?$' => sub { break; } ],
        [ 'try again'  => sub { die "died from bad password.\n"; } ],
        [ 'refused'    => sub { die "died from connection refused.\n"; exp_continue; } ],
        [ eof          => sub { die "died from eof.\n"; } ],
        [ timeout      => sub { $exp->hard_close(); } ],
    );

On Mon, Apr 6, 2015 at 10:52 AM, MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT andreas.magana@us.af.mil wrote:

//SIGNED//
Andy Magaña
UNIX Systems Administrator
Diligent Contractor, 72nd Air Base Wing
Tinker Air Force Base, Oklahoma
Commercial: (405) 734-0341

-Original Message-
From: mike nicholas [mailto:xmikenichol...@gmail.com]
Sent: Monday, April 06, 2015 10:48 AM
To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
Cc: ESRY JR. DON; openssl-users@openssl.org; Matt Zagrabelny
Subject: Re: updating list of server account password

So the else if will only run if the first if is not true, that doesn't seem right.

On Apr 3, 2015 2:52 PM, MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT andreas.magana@us.af.mil wrote:

Hello Mike, Don and Matt,

At the point I am at this list of servers in my script I would really need someone with more experience to see if I even have the right scripting.

    #!/usr/bin/perl
    use strict;
    use Expect;

    my $timeout = 60;
    my @servers = qw( remotehost03 remotehost04 remotehost05 remotehost06 );

    for my $server (@servers) {
        # do your thing with $server
        change_password($server);
    }

    sub change_password {
        my $system = shift;
        my $filename = "/var/tmp/expect_script.log";
        my $ssh = Expect->new('ssh amagana@' . $system);
        $ssh->debug(1);
        $ssh->expect(
            $timeout,
            [ qr/Password:/ ],
            [ qr/Are you sure you want to continue connecting \(yes\/no\)?/ ]
        );
        # Answer whichever prompt matched: host-key confirmation or password.
        if ($ssh->match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/) {
            $ssh->send("yes\r");
        }
        elsif ($ssh->match() =~ m/Password:/) {
            $ssh->send("mypassword\n");
        }
        #$ssh->log_file($filename, 'w');
        $ssh->expect(60, '$');
        $ssh->send("su - root\n");
        $ssh->expect(60, 'Password:');
        $ssh->send("rootpassword\n");
        $ssh->expect(60, '#');
        $ssh->send("passwd amagana\n");
        $ssh->expect(60, 'New Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, 'Re-enter new Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, '#');
        $ssh->close();
    }

Mike, If that does not seem right what can I change it to make it right?

Respectfully,

    #!/usr/bin/perl
    use strict;
    use Expect;

    my $timeout = 60;
    my $filename = "/var/tmp/expect_script.log";
    my $ssh = Expect->new('ssh
Re: [openssl-users] openssl impact on CVE-2015-2808
Bar Mitzvah is an improvement on existing attacks against RC4. It's a credible exposure under some threat models.

Primarily it's an issue for sites with a lot of RC4 conversations, since it depends on the use of weak keys, which are a large subset of all RC4 keys. When a conversation (randomly) chooses a weak key, some information is leaked to the attacker, who can then try to brute-force parts of the conversation. Typically that will be something like a session ID - generally only useful for the lifetime of the session - or a commonly-used user password. (The Bar Mitzvah paper describes how it can be used to improve brute-force attacks on user passwords that are passed in RC4-encrypted data.)

So: If your systems participate in a lot of RC4 conversations, and your threat model includes passive attackers gaining sufficient information to make brute-forcing small pieces of data feasible, then Bar Mitzvah is a problem.

We can't tell you whether it's something you need to be concerned about. That depends on YOUR threat model. If you don't know what your threat model is, then you can't make informed security decisions.

The attack applies to all implementations of RC4, and its use by any SSL/TLS implementation. OpenSSL can't fix the problem. A future release of OpenSSL may remove RC4 suites from the default list (indeed, it's probably all but inevitable), so applications won't use it unless they enable it. For now, it's enabled by default.

Michael Wojcik
Technology Specialist, Micro Focus

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Sandeep Umesh
Sent: Monday, April 06, 2015 14:20
To: OpenSSL User Support ML
Subject: [openssl-users] openssl impact on CVE-2015-2808

Just want to understand the impact of openssl for RC4 Bar mitzvah attack. Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. I am not sure if there will be any design change or openssl will try to disable RC4 support... But, Is disabling RC4 algo usage in the applications which are using openssl a better approach?

Thanks
Re: [openssl-users] openssl is flexible when verifying
As Jeffrey Walton's comment, the standard is very malleable, making cert path validation a little unpredictable.
Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install
There might be people on the OpenSSL list who can answer this, but your question is really about Apache configuration or installation. You'll probably get more knowledgeable answers on an Apache list.

Regards,
jjf

On 06/04/2015 17:04, Cathy Fauntleroy wrote:

> A follow-up question… Should I have installed Apache 2.2.25 with no OpenSSL (instead of the one I did install with OpenSSL 0.9.8)? I'm thinking that perhaps with the no ssl install, Apache would more easily recognize my OpenSSL 1.0.2 instance. I appreciate your thoughts and suggestions. Thanks…
>
> Cathy Fauntleroy, Security+
> Van Dyke Technology Group
> Email: cathy.fauntle...@vdtg.com
> Office: (443) 832-4768
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Cathy Fauntleroy
> Sent: Monday, April 6, 2015 11:35 AM
> To: openssl-users@openssl.org
> Subject: [openssl-users] Getting Apache to Recognize New OpenSSL Install
>
> Hello Users,
>
> I am in need of some assistance/documentation. My current setup is: Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8. I need to enable TLS1.1, 1.2 but understand that 0.9.8 does not support those protocols. So, I installed OpenSSL 1.0.2a and made system environment mappings to the CNF and CFG files. The install was successful but Apache is not recognizing the updated OpenSSL version. I am not very familiar with the intricacies of configuring this product. Can anyone tell me how (or point me to documentation) I can get Apache to recognize the updated OpenSSL installation? Thanks…

--
J. J. Farrell
w: +44 161 493 4838
Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install
I've posed the same question on the Apache user forum but have not received any responses. Thanks.

Cathy

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jeremy Farrell
Sent: Monday, April 6, 2015 1:55 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

There might be people on the OpenSSL list who can answer this, but your question is really about Apache configuration or installation. You'll probably get more knowledgeable answers on an Apache list.

Regards,
jjf

On 06/04/2015 17:04, Cathy Fauntleroy wrote:

A follow-up question. Should I have installed Apache 2.2.25 with no OpenSSL (instead of the one I did install with OpenSSL 0.9.8)? I'm thinking that perhaps with the no ssl install, Apache would more easily recognize my OpenSSL 1.0.2 instance. I appreciate your thoughts and suggestions. Thanks.

Cathy Fauntleroy, Security+
Van Dyke Technology Group
Email: cathy.fauntle...@vdtg.com
Office: (443) 832-4768

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Cathy Fauntleroy
Sent: Monday, April 6, 2015 11:35 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Getting Apache to Recognize New OpenSSL Install

Hello Users,

I am in need of some assistance/documentation. My current setup is: Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8. I need to enable TLS1.1, 1.2 but understand that 0.9.8 does not support those protocols. So, I installed OpenSSL 1.0.2a and made system environment mappings to the CNF and CFG files. The install was successful but Apache is not recognizing the updated OpenSSL version. I am not very familiar with the intricacies of configuring this product. Can anyone tell me how (or point me to documentation) I can get Apache to recognize the updated OpenSSL installation? Thanks.

--
J. J. Farrell
w: +44 161 493 4838
Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install
Have you recompiled Apache? Or did you only recompile OpenSSL 1.0.2a? There is no binary compatibility between 0.9.8 and 1.0.2. You'll need to recompile Apache if you haven't done this. Or, possibly a newer Apache binary (2.4.12) would work with your OpenSSL 1.0.2a build.

On 04/06/2015 03:50 PM, Cathy Fauntleroy wrote:

> I've posed the same question on the Apache user forum but have not received any responses. Thanks…
>
> Cathy
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jeremy Farrell
> Sent: Monday, April 6, 2015 1:55 PM
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install
>
> There might be people on the OpenSSL list who can answer this, but your question is really about Apache configuration or installation. You'll probably get more knowledgeable answers on an Apache list.
>
> Regards,
> jjf
>
> On 06/04/2015 17:04, Cathy Fauntleroy wrote:
>
> A follow-up question… Should I have installed Apache 2.2.25 with no OpenSSL (instead of the one I did install with OpenSSL 0.9.8)? I'm thinking that perhaps with the no ssl install, Apache would more easily recognize my OpenSSL 1.0.2 instance. I appreciate your thoughts and suggestions. Thanks…
>
> Cathy Fauntleroy, Security+
> Van Dyke Technology Group
> Email: cathy.fauntle...@vdtg.com
> Office: (443) 832-4768
>
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Cathy Fauntleroy
> Sent: Monday, April 6, 2015 11:35 AM
> To: openssl-users@openssl.org
> Subject: [openssl-users] Getting Apache to Recognize New OpenSSL Install
>
> Hello Users,
>
> I am in need of some assistance/documentation. My current setup is: Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8. I need to enable TLS1.1, 1.2 but understand that 0.9.8 does not support those protocols. So, I installed OpenSSL 1.0.2a and made system environment mappings to the CNF and CFG files. The install was successful but Apache is not recognizing the updated OpenSSL version. I am not very familiar with the intricacies of configuring this product. Can anyone tell me how (or point me to documentation) I can get Apache to recognize the updated OpenSSL installation? Thanks…
>
> --
> J. J. Farrell
> w: +44 161 493 4838
Re: [openssl-users] openssl impact on CVE-2015-2808
> Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo.

There are biases in the stream created by RC4. In theory, an adversary could use the biases as a launchpad to recover plain text (but I seem to recall it needs a lot of cipher text). RC4 has been wounded again, but it has not been broken.

> I am not sure if there will be any design change or openssl will try to disable RC4 support...

Probably not. Just add !RC4 to your cipher suite list to remove it if you don't want it. For example, HIGH:!ADH:!RC4:!MD5.

> But, Is disabling RC4 algo usage in the applications which are using openssl a better approach? Thanks

In TLS 1.2, you have the AES/GCM cipher suites. You also have the upcoming ChaCha20/Poly1305 cipher suites. (ChaCha20/Poly1305 is predicated on the TLS Working Group choosing to adopt them, see https://www.ietf.org/mail-archive/web/tls/current/msg15722.html).

In TLS 1.1 and below, you only have block ciphers if you remove RC4. You'll have to make do with AES/CBC (or another block cipher).

Jeff
Re: [openssl-users] updating list of server account password
Perhaps you don't want to post this kind of thing to a global mailing list for all users of openssl? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -Original Message- From: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT [mailto:andreas.magana@us.af.mil] Sent: Monday, April 06, 2015 11:53 AM To: mike nicholas Cc: openssl-users@openssl.org; ESRY JR. DON; Matt Zagrabelny Subject: Re: [openssl-users] updating list of server account password //SIGNED// Andy Magaña UNIX Systems Administrator Diligent Contractor, 72nd Air Base Wing Tinker Air Force Base, Oklahoma Commercial: (405) 734-0341 -Original Message- From: mike nicholas [mailto:xmikenichol...@gmail.com] Sent: Monday, April 06, 2015 10:48 AM To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT Cc: ESRY JR. DON; openssl-users@openssl.org; Matt Zagrabelny Subject: Re: updating list of server account password So the else if will only run if the first if is not true, that doesn't seem right,. On Apr 3, 2015 2:52 PM, MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT andreas.magana@us.af.mil wrote: Hello Mike, Don and Matt, At the point I am at this list of servers in my script I would really need someone with more experience to see if I even have the right scripting. #!/usr/bin/perl use strict; use Expect; my $timeout = 60; my @servers = qw( remotehost03 remotehost04 remotehost05 remotehost06 ); for my $server (@servers) { # do your thing with $server change_password($server); } sub change_password { my $system = shift; my $filename = /var/tmp/expect_script.log; my $ssh = Expect-new('ssh amagana@' . 
$system); $ssh-debug(1); $ssh-expect ( $timeout, [ qr/Password:/], [ qr/Are you sure you want to continue connecting \(yes\/no\)?/] ); if ($ssh-match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/ ) { $ssh-send(yes\r); } elsif ($ssh-match() =~ m/Password:/ ) { $ssh-send(mypassword\n); } #$ssh-log_file($filename, 'w'); $ssh-expect(60, '$'); $ssh-send(su - root\n); $ssh-expect(60, 'Password:'); $ssh-send(rootpassword\n); $ssh-expect(60, '#'); $ssh-send(passwd amagana\n); $ssh-expect(60, 'New Password:'); $ssh-send(mynewpassword\n); $ssh-expect(60, 'Re-enter new Password:'); $ssh-send(mynewpassword\n); $ssh-expect(60, '#'); $ssh-close(); Mike, If that does not seem right what can I change it to make it right? Respectfully, #!/usr/bin/perl use strict; use Expect; my $timeout = 60; my $filename = /var/tmp/expect_script.log; my $ssh = Expect-new('ssh amagana@remotehost'); $ssh-debug(1); $ssh-expect ( $timeout, [ qr/Password:/], [ qr/Are you sure you want to continue connecting \(yes\/no\)?/] ); if ($ssh-match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/ ) { $ssh-send(yes\r); } elsif ($ssh-match() =~ m/Password:/ ) { $ssh-send(mypassword\n); } #$ssh-log_file($filename, 'w'); $ssh-expect(60, '$'); $ssh-send(su - root\n); $ssh-expect(60, 'Password:'); $ssh-send(rootpassword\n); $ssh-expect(60, '#'); $ssh-send(passwd amagana\n); $ssh-expect(60, 'New Password:'); $ssh-send(mynewpassword\n); $ssh-expect(60, 'Re-enter new Password:'); $ssh-send(mynewpassword\n); $ssh-expect(60, '#'); $ssh-close(); //SIGNED// Andy Magaña UNIX Systems Administrator Diligent Contractor, 72nd Air Base Wing Tinker Air Force Base, Oklahoma Commercial: (405) 734-0341 -Original Message- From: mike nicholas [mailto:xmikenichol...@gmail.com] Sent: Wednesday, April 01, 2015 9:46 AM To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT Cc: ESRY JR., DON; Matt Zagrabelny; expectperl- disc...@lists.sourceforge.net Subject: Re: [Expectperl-discuss] expect.pm not updating 
password Try something like this: my $exp = new Expect; $exp-log_stdout(1); $username = XX; $exp-spawn( ssh -l ${username} ${ip} ) or die cannot spawn $command: $! \n; $exp-log_file(./${log_dir}/$ip\_info.log); print \nspawning ssh connection to $ip on $time\n\n; $exp-log_file-print( \nspawning ssh connection to $ip on $time\n\n ); $exp-expect(8, [
Re: [openssl-users] openssl is flexible when verifying
On Mon, Apr 6, 2015 at 2:42 PM, Yuting Chen che...@cs.sjtu.edu.cn wrote:

> As Jeffrey Walton's comment, the standard is very malleable, making cert path validation a little unpredictable.

Generally speaking, RFC 6125 is used to validate a PKIX certificate. Unfortunately, the RFC does not mention AKIs and SKIs. As far as validations go, they do not exist. So the validation steps have to be synthesized from RFC 5280. I think it also means anything goes as far as validating the AKIs and SKIs. PKI is the wild, wild, west.

Jeff
Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA
James, thanks for the reply.

At this point I am using compiled Windows binaries, and am running a compiled Windows application that uses the SSL DLLs. The Windows application does let me specify a cipher list, but I do not have source to that application to re-build. I don't think that in this situation I am able to call SSL_CTX_set_options. I guess I might be stuck if I can't use the cipher list to disable SSL3 while leaving TLS1 enabled. Not the end of the world, but not ideal.

Sincerely,
David Rueter

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of James
Sent: Monday, April 06, 2015 6:45 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

Hi,

Can you try this option

    SSL_CTX_set_options(m_SslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

instead of disabling using the cipher list

regards,
James Arivazhagan

On Tue, Apr 7, 2015 at 5:41 AM, David Rueter drue...@assyst.com wrote:

I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore, disabling SSL3 with -SSLv3 then adding in individual ciphers such as +DES-CBC3-SHA seems to re-enable SSLv3.

In looking at https://www.openssl.org/docs/apps/ciphers.html it looks like SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA are both referred to as DES-CBC3-SHA. Is this intentional? Are not SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA different ciphers?

Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?
[openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA
I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore, disabling SSL3 with -SSLv3 then adding in individual ciphers such as +DES-CBC3-SHA seems to re-enable SSLv3. In looking at https://www.openssl.org/docs/apps/ciphers.html it looks like SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA are both referred to as DES-CBC3-SHA. Is this intentional? Are not SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA different ciphers? Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?
Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA
Hi,

Can you try this option

    SSL_CTX_set_options(m_SslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

instead of disabling using the cipher list

regards,
James Arivazhagan

On Tue, Apr 7, 2015 at 5:41 AM, David Rueter drue...@assyst.com wrote:

> I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore, disabling SSL3 with -SSLv3 then adding in individual ciphers such as +DES-CBC3-SHA seems to re-enable SSLv3.
>
> In looking at https://www.openssl.org/docs/apps/ciphers.html it looks like SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA are both referred to as DES-CBC3-SHA. Is this intentional? Are not SSL_RSA_WITH_3DES_EDE_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA different ciphers?
>
> Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?
Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA
On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:

> I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA).

You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable the protocol set SSL_OP_NO_SSLv3 via SSL_CTX_set_options().

> Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?

Yes, disable the protocol, not the ciphers.

--
Viktor.
Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA
Hi,

Some time back, to fix POODLE, I tried to fix with cipher suite, but still I can use the protocol SSLv3. The server responds with

    openssl s_client -connect ip:port -ssl3

So the fix should come using SSL_CTX_set_options. I understand since you are using the compiled binary, you may not be in a position to use this API. Maybe you can try with the latest version of openssl with the POODLE fix.

regards,
James

On Tue, Apr 7, 2015 at 8:14 AM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:
>
> > I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA).
>
> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable the protocol set SSL_OP_NO_SSLv3 via SSL_CTX_set_options().
>
> > Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?
>
> Yes, disable the protocol, not the ciphers.
>
> --
> Viktor.
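The protocol-versus-ciphersuite distinction from this thread, together with the HIGH:!ADH:!RC4:!MD5 string from the CVE-2015-2808 thread above, as an added example that is not code from any list participant. It uses Python's `ssl` module, whose `OP_NO_SSLv3` is OpenSSL's `SSL_OP_NO_SSLv3`; the `audit` and `findings` helpers and their report keys are names made up for this illustration, and 3DES is left out of the cipher strings because current OpenSSL builds often do not ship it.

```python
import ssl

# Cipher strings taken from the threads above (3DES omitted, see lead-in).
CASES = {
    "cipher-string attempt (!SSLv3)": "AES128-SHA:AES256-SHA:!SSLv3",
    "protocol option, suites kept": "AES128-SHA:AES256-SHA",
    "RC4 excluded": "HIGH:!ADH:!RC4:!MD5",
}


def audit(cipher_string):
    """Report what a cipher string leaves enabled on a server context whose
    SSLv3 *protocol* has been switched off with the options call."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol switch: the Python spelling of
    # SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    try:
        ctx.set_ciphers(cipher_string)
        configured = ctx.get_ciphers()
    except ssl.SSLError:
        configured = []  # OpenSSL rejected the string: it selected no suite
    # TLS 1.3 suites are not governed by the cipher string, so leave them out.
    # The "protocol" field is the version that first defined the suite, not
    # the set of protocol versions the context will negotiate.
    suites = {
        c["name"]: c["protocol"]
        for c in configured
        if c["protocol"] != "TLSv1.3"
    }
    return {
        "sslv3_protocol_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "suites": suites,
        "rc4_suites": sorted(name for name in suites if "RC4" in name),
    }


def findings(report):
    """Turn an audit report into a list of problems worth fixing."""
    problems = []
    if not report["sslv3_protocol_disabled"]:
        problems.append("SSLv3 protocol still negotiable")
    if report["rc4_suites"]:
        problems.append("RC4 suites enabled: " + ", ".join(report["rc4_suites"]))
    if not report["suites"]:
        problems.append("no TLS 1.0-1.2 suite left")
    return problems


if __name__ == "__main__":
    for label, spec in CASES.items():
        report = audit(spec)
        print(f"{label}: {spec}")
        print(f"  SSLv3 protocol disabled: {report['sslv3_protocol_disabled']}")
        print(f"  TLS 1.0-1.2 suites kept: {len(report['suites'])}")
        for name, tag in list(report["suites"].items())[:4]:
            print(f"    {name:24} first defined in {tag}")
        for problem in findings(report):
            print(f"  finding: {problem}")
```
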
Re: [openssl-users] ecc negotiation
Great, that works, thank you. Is this the default behavior when using the C API?

Thanks,
David

On Sunday, April 5, 2015, Matt Caswell m...@openssl.org wrote:

> On 05/04/15 23:42, Matt Caswell wrote:
>
> > On 05/04/15 22:04, David Rufino wrote:
> >
> > > Hello, It's possible I'm doing something wrong here, but I can't seem to negotiate ecdhe with an elliptic curve other than P-256. To reproduce the issue, using openssl 1.0.2
> > >
> > >     openssl s_server -key server.key -cert server.crt -msg -debug -dhparam dhparam.pem -cipher ECDHE-RSA-AES128-SHA -tls1_2
> > >     gnutls-cli 127.0.0.1 -p 4433 -d 4 --insecure --priority=NORMAL:-KX-ALL:+ECDHE-RSA:-CURVE-ALL:+CURVE-SECP224R1
> > >
> > > which gives the error
> > >
> > >     :SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1366:
> > >
> > > changing to p256r1 succeeds. is there a particular why the negotiation would fail with p224 ? my understanding is that openssl supports all the nist curves.
> >
> > Try adding -named_curve secp224r1 to your s_server arguments. This specifies the curve to use for ECDHE keys. The default if you don't specify a named curve is P-256 which is why it works when you are using that curve.
>
> BTW, you can also use -named_curve auto, which will just pick an appropriate curve.
>
> Matt
Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
On 04/05/2015 09:13 PM, Aaron wrote:

> Hello, We are porting our products to Linux-aarch64. Our products are using OpenSSL with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but our products need OpenSSL FIPS as well. My question is when OpenSSL FIPS will be supported on Linux-aarch64?

When we have a sponsor to cover the non-trivial costs of a platform validation. We're working on some iOS and Android ARMv8 platforms, but have nothing planned for Linux on ARMv8.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
[openssl-users] FIPS wrapper to lock low level AES calls in FIPS mode
Hello,

We are using Openssl-1.0.2a with FIPS 2.0.9 on Linux PPC environment. We have code that we assume needs updating, to avoid using low level routines in FIPS. For example, our snmp v3 implementation currently decrypts/encrypts using AES_set_encrypt_key() and AES_cfb128_encrypt(). The old decryption routine is as follows:

    #include <string.h>
    #include <openssl/aes.h>

    BOOL                                    /* TRUE:=ok, FALSE=error condition */
    sc_aes_decrypt(SN_PRIVPROT privProto,   /* usm priv protocol type */
                   UCHAR * key,             /* priv key */
                   UINT keylen,             /* priv key length */
                   UCHAR * iv,              /* iv buffer */
                   UINT ivlen,              /* iv length */
                   UCHAR * ciphertext,      /* encrypted buffer: the cipher text */
                   UINT ctlen,              /* encrypted data length */
                   UCHAR * plaintext,       /* OUT: decrypted buffer */
                   int *ptlen)
    {                                       /* IN: decrypt buf len, OUT: decrypt data */
        static char fname[] = "sc_aes_decrypt";
        AES_KEY aes_key;
        unsigned char my_iv[16];
        int new_ivlen = 0;
        int ret;

        /* CFB uses the AES encrypt key schedule for decryption as well. */
        ret = AES_set_encrypt_key(key, (keylen * 8), &aes_key);
        if (ret < 0) {
            errorMsg("%s: call to AES_set_encrypt_key() failed (error=%d)", fname, ret);
            return FALSE;
        }
        /* Refuse an IV that would overflow the 16-byte working copy. */
        if (ivlen > sizeof(my_iv))
            return FALSE;
        memcpy(my_iv, iv, ivlen);
        /*
         * Decrypt the data.
         */
        AES_cfb128_encrypt(ciphertext, plaintext, ctlen, &aes_key, my_iv, &new_ivlen, AES_DECRYPT);
        *ptlen = ctlen;
        return TRUE;
    }

AES_set_encrypt_key() is no longer useable in FIPS mode as shown in the following code snippet from openssl-1.0.2a/crypto/aes/aes_misc.c -

    /* FIPS wrapper functions to block low level AES calls in FIPS mode */
    int AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
    {
    #ifdef OPENSSL_FIPS
        fips_cipher_abort(AES);
    #endif
        return private_AES_set_encrypt_key(userKey, bits, key);
    }

I could not find a parallel routine for AES_set_encrypt_key() in the high level EVP routines. I also looked on the Openssl wiki. Do I need one? Does one exist?

I am attempting to replace the old code with FIPS safe EVP routines EVP_CIPHER_CTX_init(), EVP_DecryptInit_ex() using EVP_aes_128_cfb, EVP_DecryptUpdate(), EVP_DecryptFinal_ex() and EVP_CIPHER_CTX_cleanup(). The data passed into the decrypt routine is not a fixed length (not necessarily a multiple of block size). Is that the correct path? Are there any gotchas I should watch out for, for example, with padding issues?

I am asking because my first attempt at the new code results in a decryption error from Openssl crypto/evp/evp_enc.c EVP_DecryptFinal_ex() line 519

    if (b > 1) {
        if (ctx->buf_len) {
            EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_WRONG_FINAL_BLOCK_LENGTH);
            return (0);
        }

Any help/guidance would be most appreciated. Thank you.

Phil Bellino
Principal Software Engineer | MRV Communications Inc.
300 Apollo Drive | Chelmsford, MA 01824
Phone: 978-674-6870 | Fax: 978-674-6799
www.mrv.com
Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
Is the documentation for the current validation available? Maybe someone can pick it up and work from there.

On Mon, Apr 6, 2015 at 4:54 PM, Steve Marquess marqu...@openssl.com wrote:
> On 04/05/2015 09:13 PM, Aaron wrote:
>> Hello,
>> We are porting our products to Linux-aarch64. Our products are using OpenSSL with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but our products need OpenSSL FIPS as well. My question is when OpenSSL FIPS will be supported on Linux-aarch64?
>
> When we have a sponsor to cover the non-trivial costs of a platform validation. We're working on some iOS and Android ARMv8 platforms, but have nothing planned for Linux on ARMv8.
>
> -Steve M.
Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
I see. Still, the documentation sent to the lab would be helpful to the community to better understand/review the existing code.

On Mon, Apr 6, 2015 at 5:44 PM, Steve Marquess marqu...@openssl.com wrote:
> On 04/06/2015 10:09 AM, Nicolae Rosia wrote:
>> Is the documentation for the current validation available? Maybe someone can pick it up and work from there.
>
> It doesn't work that way. With FIPS 140-2 the software itself is never the problem, it's everything else. The OpenSSL FIPS Object Module is entirely open source, but having the source code does you no good when what you want is a software product that satisfies the USG procurement requirements for FIPS 140-2 validated cryptography.
>
> Remember that the challenge with FIPS 140-2 isn't to have working code (you have that already with stock OpenSSL); it is to have code (in a peculiar form, a cryptographic module) that has been officially blessed by an arcane and tedious bureaucratic process. That blessing (validation) is something that costs money, for accredited test lab and CMVP fees, not to mention a substantial amount of labor.
>
> -Steve M.
Re: [openssl-users] updating list of server account password
//SIGNED//
Andy Magaña

-----Original Message-----
From: mike nicholas [mailto:xmikenichol...@gmail.com]
Sent: Monday, April 06, 2015 10:48 AM
To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
Cc: ESRY JR. DON; openssl-users@openssl.org; Matt Zagrabelny
Subject: Re: updating list of server account password

So the else if will only run if the first if is not true, that doesn't seem right.

On Apr 3, 2015 2:52 PM, MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT andreas.magana@us.af.mil wrote:

Hello Mike, Don and Matt,

At the point I am at this list of servers in my script I would really need someone with more experience to see if I even have the right scripting.

    #!/usr/bin/perl
    use strict;
    use Expect;

    my $timeout = 60;
    my @servers = qw(
        remotehost03
        remotehost04
        remotehost05
        remotehost06
    );

    for my $server (@servers) {
        # do your thing with $server
        change_password($server);
    }

    sub change_password {
        my $system = shift;
        my $filename = "/var/tmp/expect_script.log";
        my $ssh = Expect->new('ssh amagana@' . $system);
        $ssh->debug(1);
        $ssh->expect(
            $timeout,
            [ qr/Password:/ ],
            [ qr/Are you sure you want to continue connecting \(yes\/no\)?/ ]
        );
        if ($ssh->match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/) {
            $ssh->send("yes\r");
        }
        elsif ($ssh->match() =~ m/Password:/) {
            $ssh->send("mypassword\n");
        }
        #$ssh->log_file($filename, 'w');
        $ssh->expect(60, '$');
        $ssh->send("su - root\n");
        $ssh->expect(60, 'Password:');
        $ssh->send("rootpassword\n");
        $ssh->expect(60, '#');
        $ssh->send("passwd amagana\n");
        $ssh->expect(60, 'New Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, 'Re-enter new Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, '#');
        $ssh->close();
    }

Mike, If that does not seem right what can I change it to make it right?

Respectfully,

    #!/usr/bin/perl
    use strict;
    use Expect;

    my $timeout = 60;
    my $filename = "/var/tmp/expect_script.log";
    my $ssh = Expect->new('ssh amagana@remotehost');
    $ssh->debug(1);
    $ssh->expect(
        $timeout,
        [ qr/Password:/ ],
        [ qr/Are you sure you want to continue connecting \(yes\/no\)?/ ]
    );
    if ($ssh->match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/) {
        $ssh->send("yes\r");
    }
    elsif ($ssh->match() =~ m/Password:/) {
        $ssh->send("mypassword\n");
    }
    #$ssh->log_file($filename, 'w');
    $ssh->expect(60, '$');
    $ssh->send("su - root\n");
    $ssh->expect(60, 'Password:');
    $ssh->send("rootpassword\n");
    $ssh->expect(60, '#');
    $ssh->send("passwd amagana\n");
    $ssh->expect(60, 'New Password:');
    $ssh->send("mynewpassword\n");
    $ssh->expect(60, 'Re-enter new Password:');
    $ssh->send("mynewpassword\n");
    $ssh->expect(60, '#');
    $ssh->close();

//SIGNED//
Andy Magaña

-----Original Message-----
From: mike nicholas [mailto:xmikenichol...@gmail.com]
Sent: Wednesday, April 01, 2015 9:46 AM
To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
Cc: ESRY JR., DON; Matt Zagrabelny; expectperl-disc...@lists.sourceforge.net
Subject: Re: [Expectperl-discuss] expect.pm not updating password

Try something like this:

    my $exp = new Expect;
    $exp->log_stdout(1);
    $username = "XX";
    $exp->spawn("ssh -l ${username} ${ip}") or die "cannot spawn $command: $! \n";
    $exp->log_file("./${log_dir}/$ip\_info.log");
    print \nspawning ssh connection
Re: [openssl-users] FIPS wrapper to lock low level AES calls in FIPS mode
Hello,

I would like to retract my previous email on this subject. I found the routine EVP_CIPHER_CTX_set_key_length(), and have successfully implemented. I apologize for wasting anyone's time who may have read the original email.

Thanks,
Phil
Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?
On 04/06/2015 10:09 AM, Nicolae Rosia wrote:
> Is the documentation for the current validation available? Maybe someone can pick it up and work from there.

It doesn't work that way. With FIPS 140-2 the software itself is never the problem, it's everything else. The OpenSSL FIPS Object Module is entirely open source, but having the source code does you no good when what you want is a software product that satisfies the USG procurement requirements for FIPS 140-2 validated cryptography.

Remember that the challenge with FIPS 140-2 isn't to have working code (you have that already with stock OpenSSL); it is to have code (in a peculiar form, a cryptographic module) that has been officially blessed by an arcane and tedious bureaucratic process. That blessing (validation) is something that costs money, for accredited test lab and CMVP fees, not to mention a substantial amount of labor.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
[openssl-users] updating list of server account password
Thank you Don and Matt and Mike,

Your help got me here and I learned so much and there is much more to learn but I enjoy it. My script has a list of four Solaris 10 servers. Launching the perl expect.pm script from a Red Hat server it went to each box and changed my password with no problems. Thank you again. Here is the example script I used.

    #!/usr/bin/perl
    use strict;
    use Expect;

    my $timeout = 60;
    my @servers = qw(
        Solaris-host03
        Solaris-host04
        Solaris-host05
        Solaris-host06
    );

    for my $server (@servers) {
        # do your thing with $server
        change_password($server);
    }

    sub change_password {
        my $system = shift;
        my $filename = "/var/tmp/expect_script.log";
        my $ssh = Expect->new('ssh amagana@' . $system);
        #my $ssh = Expect->new('ssh amagana@tstorweb01');
        $ssh->debug(1);
        $ssh->expect(
            $timeout,
            [ qr/Password:/ ],
            [ qr/Are you sure you want to continue connecting \(yes\/no\)?/ ]
        );
        if ($ssh->match() =~ m/Are you sure you want to continue connecting \(yes\/no\)?/) {
            $ssh->send("yes\r");
        }
        elsif ($ssh->match() =~ m/Password:/) {
            $ssh->send("mycurrentpassword\n");
        }
        $filename = "/var/tmp/expect_script_" . $system . ".log";
        $ssh->expect(60, '$');
        $ssh->send("su - root\n");
        $ssh->expect(60, 'Password:');
        $ssh->send("rootpassword\n");
        $ssh->expect(60, '#');
        $ssh->send("passwd amagana\n");
        $ssh->expect(60, 'New Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, 'Re-enter new Password:');
        $ssh->send("mynewpassword\n");
        $ssh->expect(60, '#');
        $ssh->close();
    }

//SIGNED//
Andy Magaña

-----Original Message-----
From: ESRY JR., DON [mailto:de3...@att.com]
Sent: Friday, April 03, 2015 3:19 PM
To: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT; openssl-users@openssl.org
Cc: Matt Zagrabelny; mike nicholas
Subject: RE: updating list of server account password

It looks to me like it will work. There is NO WAY that I would run a password changing script without logging everything I did. I would suggest again that you log the results. You have that line commented out. And with the 'w' you will overwrite the log every time you run that sub so it will only have the last server you run it on. I suggest that you take out the 'w'. With the 'w' every time you call that sub it will wipe out the file. This means that when you run it for remotehost6 it will wipe out everything from remotehost5.

So I recommend that you replace:

    #$ssh->log_file($filename, 'w');

With

    $ssh->log_file($filename);

I also recommend that you put in a couple of exits; 1 to close the root shell and the other to close your login shell. If you prefer a safer test, try running the hostname command rather than the passwd command.

    $ssh->expect(60, '$');
    $ssh->send("su - root\n");
    $ssh->expect(60, 'Password:');
    $ssh->send("rootpassword\n");
    $ssh->expect(60, '#');
    $ssh->send("hostname\n");    # you might want to leave this in anyway to make reading the log easier
    $ssh->expect(60, '#');
    $ssh->send("uptime\n");
    #$ssh->send("passwd amagana\n");
    #$ssh->expect(60, 'New Password:');
    #$ssh->send("mynewpassword\n");
    #$ssh->expect(60, 'Re-enter new Password:');
    #$ssh->send("mynewpassword\n");
    $ssh->expect(60, '#');
    $ssh->send("exit\n");
    $ssh->expect(60, '$');
    $ssh->send("exit\n");
    $ssh->close();
[openssl-users] Getting Apache to Recognize New OpenSSL Install
Hello Users,

I am in need of some assistance/documentation. My current setup is: Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8. I need to enable TLS1.1, 1.2 but understand that 0.9.8 does not support those protocols. So, I installed OpenSSL 1.0.2a and made system environment mappings to the CNF and CFG files. The install was successful but Apache is not recognizing the updated OpenSSL version.

I am not very familiar with the intricacies of configuring this product. Can anyone tell me how (or point me to documentation) I can get Apache to recognize the updated OpenSSL installation?

Thanks.
[openssl-users] FW: Getting Apache to Recognize New OpenSSL Install
A follow-up question. Should I have installed Apache 2.2.25 with no OpenSSL (instead of the one I did install with OpenSSL 0.9.8)? I'm thinking that perhaps with the no ssl install, Apache would more easily recognize my OpenSSL 1.0.2 instance.

I appreciate your thoughts and suggestions.

Thanks.

Cathy Fauntleroy
Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?
On 04/04/2015 05:31, Jakob Bohm wrote:
> (top posting like the rest of the thread)

(I don't like it either, but that's what Thunderbird proposes by default).

> What makes you think it is incorrect to check the Key Identifier (where present) before checking a signature against a key?

Because the presented file4.pem is a valid issuer certificate for the one found in file3.pem? RFC5280 section 6.1 gives the validation algorithm, and the Key Identifier isn't mentioned. 6.1.3(a) checks for signature, validity, revocation status, and names (i.e. that issuercert.subjectName = cert.issuerName). You're not supposed to follow exactly the same algorithm (or the one described in X.509), but whatever you choose, the result MUST be equivalent.

> What other reasonable purpose could the Key Identifier fields serve?

A helper to build a certificate chain to be passed to the validation algorithm.

> On 03/04/2015 10:56, Erwann Abalea wrote:
>> (Forwarded to openssl-users)
>>
>> The subjectName of file4.pem matches the issuerName of file3.pem, the signature block in file3.pem, when verified with the public key of file4.pem, gives a correct signature for the tbsCertificate of file3.pem. But Openssl also (incorrectly, IMO) checks that file4.pem.SKI matches file3.pem.AKI, and refuses to go further (here, AKI doesn't match SKI).
>>
>> On 03/04/2015 03:10, Yuting Chen wrote:
>>> I used OpenSSL to verify a certificate file (file3.pem) against another certificate file (file4.pem). OpenSSL reports that it cannot find the issuer of the cert in file3.pem; while when I display file3.pem and file4.pem, it appears that the issuer of the cert in file3.pem is the same as the subject of the cert in file4.pem. Did I miss anything?
>
> P.S. Don't put your e-mail sig in the middle of the mail, it causes standards-compliant mail programs to cut off everything below it when replying (because everything below the --space marker is, by definition, just the e-mail sig).

I know, I often forget to manually switch between corporate and hard core modes. And Thunderbird doesn't help.

--
Erwann ABALEA