[openssl-users] How to get list of TLS protocols supported by OpenSSL?

2015-11-12 Thread pratyush parimal 
Hi,

I'm writing a client-server program that uses TLS for communication.
I'm wondering if there's any way to programmatically find out which TLS
protocol versions are supported by the OpenSSL library installed on my
system.

I'm currently aware of three ways which "sort of" provide this information:
(1) After setting up the TLS communication, call: SSL_get_version(ssl);
which returns "TLSV1.2", etc.
(2) Try to connect to a server using TLS by specifying all possible TLS
versions in the client program, and see which connections pass/fail.
(3) Call: SSL_get_ciphers(), print their names, and try to correlate them
with the protocol they're associated with.

Unfortunately, none of the above answer my question completely.

So is it possible to ascertain which TLS protocol versions are actually
supported by my server-program, without trying the above methods? My
purpose is not to simply make a list for my own reference, but rather
finding it out on-the-fly in the server-side program, since I may run it on
different versions of OpenSSL.

Thanks in advance!
Pratyush
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] How to get list of TLS protocols supported by OpenSSL?

2015-11-12 Thread Jakob Bohm 

On 13/11/2015 03:56, pratyush parimal wrote:

Hi,

I'm writing a client-server program that uses TLS for communication.
I'm wondering if there's any way to programmatically find out which 
TLS protocol versions are supported by the OpenSSL library installed 
on my system.


I'm currently aware of three ways which "sort of" provide this 
information:
(1) After setting up the TLS communication, call: 
SSL_get_version(ssl);  which returns "TLSV1.2", etc.
(2) Try to connect to a server using TLS by specifying all possible 
TLS versions in the client program, and see which connections pass/fail.
(3) Call: SSL_get_ciphers(), print their names, and try to correlate 
them with the protocol they're associated with.


Unfortunately, none of the above answer my question completely.

So is it possible to ascertain which TLS protocol versions are 
actually supported by my server-program, without trying the above 
methods? My purpose is not to simply make a list for my own reference, 
but rather finding it out on-the-fly in the server-side program, since 
I may run it on different versions of OpenSSL.




If  there is no suitable direct API, the following might
still be helpful:

(4) Get the OpenSSL library version directly and compare
  to the known version ranges supporting different SSL/TLS
  versions.
(5) Looking for ways to determine the configure options
  used when the SSL library was built (in particular if it
  was compiled without some SSL/TLS versions supported in
  the source code of that version).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Openssl FIPS uses /dev/urandom by default?

2015-11-12 Thread xxiao8 

in e_os.h I saw
==
#ifndef DEVRANDOM

/* set this to a comma-separated list of 'random' device files to try out.

* My default, we will try to read at least one of these files */

#define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"

# endif
==
this basically sets /dev/urandom as the default which really is not 
FIPS-friendly, is there a way to override this during compilation to set 
the default to /dev/random instead? I'm not supposed to modify the 
source code as it will invalidate openssl-FIPS certificate.


Thanks,
xxiao

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl FIPS uses /dev/urandom by default?

2015-11-12 Thread Ethan Rahn 
xxiao,

Are you sure you can't modify that? My understanding of FIPS mode is that
you cannot modify the FIPS code canister, which entropy sources are not a
part of.

Cheers,

Ethan

On Thu, Nov 12, 2015 at 8:08 AM, xxiao8  wrote:

> in e_os.h I saw
> ==
> #ifndef DEVRANDOM
>
> /* set this to a comma-separated list of 'random' device files to try out.
>
> * My default, we will try to read at least one of these files */
>
> #define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
>
> # endif
> ==
> this basically sets /dev/urandom as the default which really is not
> FIPS-friendly, is there a way to override this during compilation to set
> the default to /dev/random instead? I'm not supposed to modify the source
> code as it will invalidate openssl-FIPS certificate.
>
> Thanks,
> xxiao
>
> ___
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl FIPS uses /dev/urandom by default?

2015-11-12 Thread John Foley 
Entropy collection is outside the FIPS boundary.  If you don't want to
modify the code, you can pass in -DDEVRANDOM using CFLAGS and set it to
whatever value you desire.  For instance, maybe you have a hardware
device mapped to /dev/entropy that provides sufficient random data to
seed the DRBG. 


On 11/12/2015 11:35 AM, Ethan Rahn wrote:
> xxiao,
>
> Are you sure you can't modify that? My understanding of FIPS mode is
> that you cannot modify the FIPS code canister, which entropy sources
> are not a part of.
>
> Cheers,
>
> Ethan
>
> On Thu, Nov 12, 2015 at 8:08 AM, xxiao8  > wrote:
>
> in e_os.h I saw
> ==
> #ifndef DEVRANDOM
>
> /* set this to a comma-separated list of 'random' device files to
> try out.
>
> * My default, we will try to read at least one of these files */
>
> #define DEVRANDOM "/dev/urandom","/dev/random","/dev/srandom"
>
> # endif
> ==
> this basically sets /dev/urandom as the default which really is
> not FIPS-friendly, is there a way to override this during
> compilation to set the default to /dev/random instead? I'm not
> supposed to modify the source code as it will invalidate
> openssl-FIPS certificate.
>
> Thanks,
> xxiao
>
> ___
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
>
> ___
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Protecting RSA keys

2015-11-12 Thread Sergio Magra 
Hi everybody,

 

I'm new with OpenSSL and I have some questions.

 

The thing is that several RSA key pairs (each one for a
different user) will be stored in a shared secured location. As the key
pairs will be stored in the same place, we are looking for a way to ensure
that one user is able to use only its own key pair, and not the key pair of
another user.

 

In this way, I'm thinking on a passphrase to protect the
private key, so when the user needs to use its key pair for signing or
encrypting, he must provide the passphrase. As he knows its passphrase and
not the passphrase of the other key pairs, he is able to use only its own
key pair.

 

 

Until now, the theory. I don't know if I'm right.

 

If yes, I tried to generate protected key pairs, but when
using them, I'm never prompted for the passphrase. So, I'm able to use any
of the keys created.

 

Can you help me with this issue?

 

 

Thanks in advance

 

Best regards

 

Sergio Magra   

 

 

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users