Re: [openssl-users] [openssl-dev] openssl 20150503 SNAP issue
SNAP releases are just that, snapshots. If you see the same problem twice, say, it is worth reporting. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Working with large DH parameters
On Tue, Apr 28, 2015 at 09:26:25AM -0500, jack seth wrote: > Ok I have been doing some experiments with OpenVPN and I can connect using > 1 bit DH parameters. Any bigger than that up to at least 13824 I get the > following 'modulus too large' error on the client log: > > TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman > routines:COMPUTE_KEY:modulus too large: error:14098005:SSL > routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib > Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read > error > Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed > > Something interesting/weird also happened. I tried to test 10001, 10002, and > 10004 bit DH to find the exact place I would get the 'modulus too large' > error. But the server log reported the DH parameters being 10008 instead. I > did a test at 15104 that gave the same error but then I tried two more times > and the client just sat at the 'initial packet point' like it does with the > 16384 bit parameters. So somewhere between 13824 and 16384 it switches > between the error above and just sitting there 'frozen'. > > Questions: 1. Can the modulus error be cured? 2. Do you think the same > modulus error is going on when the client appears to freeze with parameters > larger than 13824 or is something else going (i.e. why does it freeze instead > of giving the 'modulus error')? 3. Why does the server log report 10001, > 10002, 10004 bit DH as 10008? There is a limit of 1: #define OPENSSL_DH_MAX_MODULUS_BITS1 I suggest you do not change this. It just gets slower without adding security. I have no idea why it would freeze with something larger than 13824. I'm not sure what is logging the size, but it might be using DH_size()*8 to log it. I don't think their currently is an API that returns it in bits. Kurt ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Working with large DH parameters
Can someone offer an opinion on my questions below? Thanks! > From: bird_...@hotmail.com > To: openssl-users@openssl.org > Subject: Working with large DH parameters > Date: Tue, 28 Apr 2015 09:26:25 -0500 > > Ok I have been doing some experiments with OpenVPN and I can connect using > 1 bit DH parameters. Any bigger than that up to at least 13824 I get the > following 'modulus too large' error on the client log: > > TLS_ERROR: BIO read tls_read_plaintext error: error:05066067:Diffie-Hellman > routines:COMPUTE_KEY:modulus too large: error:14098005:SSL > routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:DH lib > Wed Apr 22 07:08:58 2015 TLS Error: TLS object -> incoming plaintext read > error > Wed Apr 22 07:08:58 2015 TLS Error: TLS handshake failed > > Something interesting/weird also happened. I tried to test 10001, 10002, and > 10004 bit DH to find the exact place I would get the 'modulus too large' > error. But the server log reported the DH parameters being 10008 instead. I > did a test at 15104 that gave the same error but then I tried two more times > and the client just sat at the 'initial packet point' like it does with the > 16384 bit parameters. So somewhere between 13824 and 16384 it switches > between the error above and just sitting there 'frozen'. > > Questions: 1. Can the modulus error be cured? 2. Do you think the same > modulus error is going on when the client appears to freeze with parameters > larger than 13824 or is something else going (i.e. why does it freeze instead > of giving the 'modulus error')? 3. Why does the server log report 10001, > 10002, 10004 bit DH as 10008? ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] openssl 20150503 SNAP issue
Script started on Sun May 3 05:43:13 2015 ns2.nl2k.ab.ca//usr/source/openssl-1.0.2-stable-SNAP-20150503$ make && make tes t making all in crypto... making all in crypto/objects... making all in crypto/md4... making all in crypto/md5... making all in crypto/sha... making all in crypto/mdc2... making all in crypto/hmac... making all in crypto/ripemd... making all in crypto/whrlpool... making all in crypto/des... making all in crypto/aes... making all in crypto/rc2... making all in crypto/rc4... making all in crypto/rc5... making all in crypto/idea... making all in crypto/bf... making all in crypto/cast... making all in crypto/camellia... making all in crypto/seed... making all in crypto/modes... making all in crypto/bn... making all in crypto/ec... making all in crypto/rsa... making all in crypto/dsa... making all in crypto/ecdsa... making all in crypto/dh... making all in crypto/ecdh... making all in crypto/dso... making all in crypto/engine... making all in crypto/buffer... making all in crypto/bio... making all in crypto/stack... making all in crypto/lhash... making all in crypto/rand... making all in crypto/err... making all in crypto/evp... making all in crypto/asn1... making all in crypto/pem... making all in crypto/x509... making all in crypto/x509v3... making all in crypto/conf... making all in crypto/txt_db... making all in crypto/pkcs7... making all in crypto/pkcs12... making all in crypto/comp... making all in crypto/ocsp... making all in crypto/ui... making all in crypto/krb5... making all in crypto/cms... making all in crypto/pqueue... making all in crypto/ts... making all in crypto/jpake... making all in crypto/srp... making all in crypto/store... making all in crypto/cmac... if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then (cd ..; make libcrypto.so.1.0.0); fi [ -z "" ] || gcc3 -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_LIBUNBOUND -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -Iinclude -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso fips_premain.c fipscanister.o libcrypto.a -lgmp -ldl -lm -lc making all in ssl... if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then (cd ..; make libssl.so.1.0.0); fi [ -z "" ] || gcc3 -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_LIBUNBOUND -DOPENSSL_EXPERIMENTAL_STORE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -Iinclude -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso fips_premain.c fipscanister.o libcrypto.a -lgmp -ldl -lm -lc making all in engines... echo making all in engines/ccgost... making all in apps... making all in test... making all in tools... testing... making all in apps... ../util/shlib_wrap.sh ./destest Doing cbcm Doing ecb Doing ede ecb Doing cbc Doing desx cbc Doing ede cbc Doing pcbc Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done Doing ofb Doing ofb64 Doing ede_ofb64 Doing cbc_cksum Doing quad_cksum input word alignment test 0 1 2 3 output word alignment test 0 1 2 3 fast crypt test ../util/shlib_wrap.sh ./ideatest ecb idea ok cbc idea ok cfb64 idea ok ../util/shlib_wrap.sh ./shatest test 1 ok test 2 ok test 3 ok ../util/shlib_wrap.sh ./sha1test test 1 ok test 2 ok test 3 ok ../util/shlib_wrap.sh ./sha256t Testing SHA-256 ... passed. Testing SHA-224 ... passed. ../util/shlib_wrap.sh ./sha512t Testing SHA-512 ... passed. Testing SHA-384 ... passed. ../util/shlib_wrap.sh ./md4test test 1 ok test 2 ok test 3 ok test 4 ok test 5 ok test 6 ok test 7 ok ../util/shlib_wrap.sh ./md5test test 1 ok test 2 ok test 3 ok test 4 ok test 5 ok test 6 ok test 7 ok ../util/shlib_wrap.sh ./hmactest test 0 ok test 1 ok test 2 ok test 3 ok test 4 ok test 5 ok test 6 ok ../util/shlib_wrap.sh ./md2test No MD2 support ../util/shlib_wrap.sh ./mdc2test pad1 - ok pad2 - ok ../util/shlib_wrap.sh ./wp_test Testing Whirlpool . passed. ../util/shlib_wrap.sh ./rmdtest test 1 ok test 2 ok test 3 ok test 4 ok test 5 ok test 6 ok test 7 ok test 8 ok ../util/shlib_wrap.sh ./rc2test ecb RC2 ok ../util/shlib_wrap.sh ./rc4test test 0 ok test 1 ok test 2 ok test 3 ok test 4 ok test 5 ok test end processing done test multi-call done bulk test ok ../util/shlib_wrap.sh ./rc5test ecb RC5 ok cbc RC5 ok ../util/shlib_wrap.sh ./bftest testing blowfish in raw ecb mode testing blowfish in ecb mode