Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error
2015-05-27 8:17 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
> Maybe the Android user interface is really asking about something other
> than the issuing CA cert. What are you trying to achieve by selecting a
> CA cert in the client UI?

The official Google documentation as well as other sources say that it asks for the Root CA certificate, and with that selected I get a different error message than with any other certificate, so I guess it is the right cert. I want the users to validate the RADIUS server's certificate.

> Which OpenSSL version is the EAP_TLS code using to verify the certificates?

OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Mar 19 15:12:02 UTC 2015
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: /usr/lib/ssl

> I read somewhere on this list that an ultra-recent OpenSSL version (not
> sure if 1.0.2 or 1.1.0) was changed to be more tolerant of out-of-order
> certificates, though I am not sure if that change is also for the
> location of the peer certificate in the list, and if that change is also
> in the part used by EAP_TLS.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] External hardware for SSL handshake (overriding PreMasterSecret decrypt)
On 27/05/2015 15:26, Pavel Abramov wrote:
> Hi,
>
> I have a task to use external Security Module to perform RSA functions
> in my WEB-server (nginx/httpd using OpenSSL for HTTPS). The goal is to
> store Server private key components and establish SSL Handshake using
> Hardware module. It is not an SSL hardware accelerator. This device has
> proprietary API (binary protocol over TCP/UDP, a few commands like
> generate RSA key pair, premaster decrypt using key#123).
>
> What is the easiest way to do it? Will be very grateful for
> keywords/advice. Should I write my ENGINE? Or is there any other way?
>
> I need only 2 functions to perform using hardware:
> - RSA key generation (private component will be saved in hardware module)
> - PreMaster decrypt from client during SSL handshake
>
> How to override only these 2 functions?

If there is a generic engine wrapping pkcs11 or a similar API, it may or may not be easier to implement (or reuse if already provided) a hardware specific pkcs11 (or similar) driver.

I am unsure if there is or is not a well maintained pkcs11 engine for OpenSSL, either in the OpenSSL project or elsewhere. Maybe the opensc project has one, but I don't know if that would be general or specific to opensc pkcs11 drivers.

Keywords to search for: pkcs11, pkcs11 engine, opensc project, openssl engine.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error
On 27/05/2015 12:47, Ben Humpert wrote:
> 2015-05-27 8:17 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
>> Maybe the Android user interface is really asking about something other
>> than the issuing CA cert. What are you trying to achieve by selecting a
>> CA cert in the client UI?
>
> The official Google documentation as well as other sources say that it
> asks for the Root CA certificate and with that selected I get a different
> error message than with any other certificate so I guess it is the right
> cert. I want the users to validate the RADIUS server's certificate.
>
>> Which OpenSSL version is the EAP_TLS code using to verify the certificates?
>
> OpenSSL 1.0.1f 6 Jan 2014
> built on: Thu Mar 19 15:12:02 UTC 2015
> platform: debian-amd64
> options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: /usr/lib/ssl
>
>> I read somewhere on this list that an ultra-recent OpenSSL version (not
>> sure if 1.0.2 or 1.1.0) was changed to be more tolerant of out-of-order
>> certificates, though I am not sure if that change is also for the
>> location of the peer certificate in the list, and if that change is also
>> in the part used by EAP_TLS.

Just to clarify: The log messages in your original post, were those from Android or from the server?

Enjoy

Jakob
Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error
2015-05-27 14:02 GMT+02:00 Jakob Bohm jb-open...@wisemo.com:
> Just to clarify: The log messages in your original post, were those from
> Android or from the server?

These are from the RADIUS server debug output.
[openssl-users] External hardware for SSL handshake (overriding PreMasterSecret decrypt)
Hi,

I have a task to use external Security Module to perform RSA functions in my WEB-server (nginx/httpd using OpenSSL for HTTPS). The goal is to store Server private key components and establish SSL Handshake using Hardware module. It is not an SSL hardware accelerator. This device has proprietary API (binary protocol over TCP/UDP, a few commands like generate RSA key pair, premaster decrypt using key#123).

What is the easiest way to do it? Will be very grateful for keywords/advice. Should I write my ENGINE? Or is there any other way?

I need only 2 functions to perform using hardware:
- RSA key generation (private component will be saved in hardware module)
- PreMaster decrypt from client during SSL handshake

How to override only these 2 functions?

Thanks in advance!

Pavel
Re: [openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error
On 27/05/2015 01:21, Ben Humpert wrote:
> Hi everybody,
>
> I have my RADIUS server running and Windows as well as MacOS and iOS can
> successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each with
> server certificate validation. However, Android 4.4.4 cannot and I can't
> figure out why.
>
> The complete Cert Chain:
> Root CA - Intermediate CA1 - Intermediate CA2 - Intermediate CA3 - Signing CA - RADIUS Server Cert - Android Client Cert
>
> RADIUS server has the complete Certificate Chain in its CA.crt file and
> its own certificate in its server.crt file.
>
> When I do not select any CA certificate in Android WiFi Setup but just a
> User certificate EAP-TLS connection works fine. If I use the same
> configuration but now select a CA certificate I get two different errors.

Maybe the Android user interface is really asking about something other than the issuing CA cert. What are you trying to achieve by selecting a CA cert in the client UI?

> When I select the Root CA certificate I get
> ...
> Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: TLS 1.0 Alert [length 0002], fatal certificate_unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS Alert read:fatal:certificate unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: SSL says: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> ...
>
> When I select any other CA certificate I always get
> ...
> Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS Alert read:fatal:unknown CA
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Wed May 27 01:05:21 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> Wed May 27 01:05:21 2015 : Debug: TLS receive handshake failed during operation
> ...
>
> All Windows, MacOS, iOS and Android devices have their own client
> certificate and have all CA certificates installed. Because of that I
> really have to ask what the funk is wrong with Android?
>
> From all the tests I did, it feels like Android is sending the
> certificates in the wrong order, so instead of sending the client cert
> first it sends the CA cert first and thus RADIUS / OpenSSL errors because
> it expected a client cert. Sadly I can't select the client cert as a CA
> certificate or vice-versa.
>
> Any help is much appreciated!

Which OpenSSL version is the EAP_TLS code using to verify the certificates?

I read somewhere on this list that an ultra-recent OpenSSL version (not sure if 1.0.2 or 1.1.0) was changed to be more tolerant of out-of-order certificates, though I am not sure if that change is also for the location of the peer certificate in the list, and if that change is also in the part used by EAP_TLS.

Enjoy

Jakob
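An added example for the chain-order question Ben and Jakob are circling; it is my code, not anything from the thread, FreeRADIUS, OpenSSL or Android. One detail of the log is worth pinning down first: FreeRADIUS prints "TLS Alert read" for an alert the server received, and "Failed in SSLv3 read client certificate A" means the server was still waiting for the client certificate when the alert arrived, so certificate_unknown and unknown_ca were sent by the Android client, which is rejecting the chain the RADIUS server presents (server.crt plus what it sends from CA.crt) against the CA picked in the WiFi UI. The script below checks the one thing that is easy to get wrong in such a bundle, the order RFC 5246 section 7.4.2 requires (end-entity certificate first, each following certificate certifying the one before it), using only the Python standard library: a minimal DER walker pulls the Issuer and Subject Name out of each certificate and adjacent pairs are compared, with a separate message when the bundle is simply reversed (root first, as a CA.crt listed top-down often is). The sample chain reuses the names from Ben's post, but the certificates are constructed, unsigned placeholders that exist only to exercise the parser; run it on a real bundle with `check_chain_order(pem_to_der_list(open("CA.crt", "rb").read()))`. The compare is byte-exact on the DER Name, stricter than OpenSSL's X509_NAME_cmp, which canonicalises first, so treat a reported mismatch as something to confirm with `openssl x509 -noout -subject -issuer` rather than as proof.

```python
"""Check that a PEM certificate bundle is in TLS Certificate-message order
(RFC 5246 7.4.2: end-entity cert first, each next cert certifies the previous).
Added example, stdlib only; not code from FreeRADIUS, OpenSSL or Android."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_bytes):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Raw TLV bytes of each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        _, _, vend = _tlv(buf, pos)
        out.append(buf[pos:vend])
        pos = vend
    return out

def subject_issuer(der):
    """(subject, issuer) as raw DER Name bytes of one X.509 certificate.
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                   issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cstart, _ = _tlv(der, 0)             # Certificate
    _, tstart, tend = _tlv(der, cstart)     # tbsCertificate
    fields = _children(der, tstart, tend)
    if fields[0][0] == 0xA0:                # explicit [0] version present
        fields = fields[1:]
    return fields[4], fields[2]

def _pair_problems(certs):
    """Messages for each position i where cert i is not issued by cert i+1."""
    bad = []
    for i in range(len(certs) - 1):
        if subject_issuer(certs[i])[1] != subject_issuer(certs[i + 1])[0]:
            bad.append("cert %d is not issued by cert %d" % (i, i + 1))
    return bad

def check_chain_order(certs):
    """Human-readable problems with a chain's order; [] means it is fine."""
    problems = _pair_problems(certs)
    if problems and not _pair_problems(list(reversed(certs))):
        problems.append("bundle is reversed (root first); TLS wants the end-entity cert first")
    return problems

# ---- constructed test data: structurally valid but UNSIGNED placeholders ----
def _der(tag, content):
    """One DER TLV; short and one-byte long form are enough for these sizes."""
    n = len(content)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + content

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here one CN (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject_cn, issuer_cn):
    """Placeholder certificate with a dummy signature: only for exercising the parser."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),        # [0] version v3
        _der(0x02, b"\x01"),                    # serialNumber
        sha256_rsa,                             # signature algorithm
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"150101000000Z") + _der(0x17, b"250101000000Z")),
        _name(subject_cn),
        _der(0x30, b""),                        # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))   # dummy signature

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

# The chain from the thread, leaf first; the root is self-issued.
CHAIN = ["RADIUS Server Cert", "Signing CA", "Intermediate CA3",
         "Intermediate CA2", "Intermediate CA1", "Root CA"]

def sample_chain_pem(root_first=False):
    """Constructed PEM bundle of CHAIN, leaf first unless root_first (as CA.crt often is)."""
    certs = [fake_cert(cn, CHAIN[min(i + 1, len(CHAIN) - 1)]) for i, cn in enumerate(CHAIN)]
    if root_first:
        certs.reverse()
    return "".join(to_pem(c) for c in certs).encode()

if __name__ == "__main__":
    for label, bundle in (("leaf-first", sample_chain_pem()), ("root-first", sample_chain_pem(True))):
        print(label, check_chain_order(pem_to_der_list(bundle)) or "OK")
```

Running it prints OK for the leaf-first bundle and, for the root-first one, five "not issued by" messages followed by the reversed-bundle hint. The parser stops at the Subject Name on purpose: it does not validate signatures, so it tells you whether the order is what a TLS peer expects, not whether the chain is trustworthy.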