Re: [openssl-users] Missing documentation

2016-11-08 Thread Frank Migge 

Hi Joachim,

>> It seems like the documentation for SSL_set_tlsext_host_name is gone.
>> Does anyone know where I can find the documentation? I am interested 
in the return values right now.


If I got it right:

1) ssl/tls1.h (line 334ff): #  define SSL_set_tlsext_host_name(s,name) \
334 
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char 
*)name)


2) https://www.openssl.org/docs/manmaster/man3/SSL_ctrl.html:
The return values of the SSL*_ctrl() functions depend on the command 
supplied via the *cmd* parameter.


3) ssl/s3_lib.c (line 3311 ff): case SSL_CTRL_SET_TLSEXT_HOSTNAME:
returns 1 on success, and 0 on failure which also writes the cause to 
the SSL error handler.


Best wishes
Frank
 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Viktor Dukhovni 

> On Nov 8, 2016, at 4:26 AM, Erwann Abalea  wrote:
> 
> The root certificate is not expected to be sent by the server, as it already 
> needs to be known and trusted by the client.
> However, you’re free to configure your server to send it, for debugging or 
> informational purposes.

A root CA certificate MUST be sent when the server's DANE-TA(2)
TLSA record designates that root as a trust-anchor.

https://tools.ietf.org/html/rfc7671#section-5.2

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Missing documentation

2016-11-08 Thread Benjamin Kaduk 
On 11/08/2016 01:24 AM, Joachim Person wrote:
> Hi,
>
> It seems like the documentation for SSL_set_tlsext_host_name is gone.
> Does anyone know where I can find the documentation? I am interested
> in the return values right now.
>
> https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_tlsext_host_name.html
> 
>   
> (Page not found)

You say "gone" as if they ever existed, but I don't see any evidence of
that in the commit history for master or 1.0.2.  It looks like they are
just plain "missing", like so much other OpenSSL documentation.

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl-users Digest, Vol 24, Issue 16

2016-11-08 Thread Salz, Rich 
I sent them a warning yesterday and today dropped/banned them.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?

2016-11-08 Thread Matthias Ballreich 
Hi there,



how can i access the Mozilla NSS (shared) Database (cert8 or cert9d.db) / 
PKCS#11-Modules via OpenSSL?

I need read & write access to the NSS User Cert Database (softokn3) and to the 
Built-In Cert Database (nssckbi) under Windows.



I tried it with Libp11 this way:



int rc = 0;
PKCS11_CTX *pkcs11_ctx;
pkcs11_ctx = PKCS11_CTX_new();
PKCS11_CTX_init_args(pkcs11_ctx,
 
"configdir=''C:/Users/Username/AppData/Roaming/Mozilla/Firefox/Profiles/5wzkdcjx.default'
 certPrefix='' keyPrefix='' secmod='secmod.db'");
rc = PKCS11_CTX_load(pkcs11_ctx, " C:/Program Files 
(x86)/Mozilla/Firefox/softokn3.dll ");
printf("Desc: %s\n", pkcs11_ctx->description);
if (rc)
printf("Error loading Module");

But it return every time "-1" which tells me that the loading fails. So is this 
the right way? Or should I use another library? Or is my code not right?

And can I edit the Trust Settings with that or another library like with NSS 
directly? Because I can't delete the built-in certs of nssckbi because this is 
read-only I can edit the Trust-Settings for that certificate. Can I do that 
with OpenSSL in combination with a library, too? Or should I better use NSS 
instead of OpenSSL?



Thanks.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl-users Digest, Vol 24, Issue 16

2016-11-08 Thread Wall, Stephen 
Can this person be dropped from the list?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Hello Notelling
Sent: Tuesday, November 08, 2016 9:47 AM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] openssl-users Digest, Vol 24, Issue 16


Your query is being processed

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] openssl-users Digest, Vol 24, Issue 16

2016-11-08 Thread Hello Notelling 
Your query is being processed

On 8 Nov 2016 2:14 p.m., <openssl-users-requ...@openssl.org> wrote:

> Send openssl-users mailing list submissions to
> openssl-users@openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mta.openssl.org/mailman/listinfo/openssl-users
> or, via email, send a message with subject or body 'help' to
> openssl-users-requ...@openssl.org
>
> You can reach the person managing the list at
> openssl-users-ow...@openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
>1. Re: Retrieving Root CA certificate using "openssl s_client
>   -showcerts" command (Salz, Rich)
>2. Re: Problem in compiling OpenSSL on Windows-7-32-bit
>   (Michael Wojcik)
>3. Re: Problem in compiling OpenSSL on Windows-7-32-bit (Kim Gr?sman)
>4. Re: (SPAM) Retrieving Root CA certificate using "openssl
>   s_client -showcerts" command (Erwann Abalea)
>5. Re: Problem in compiling OpenSSL on Windows-7-32-bit (Jakob Bohm)
>6. Re: Problem in compiling OpenSSL on Windows-7-32-bit (Kim Gr?sman)
>
>
> --
>
> Message: 1
> Date: Tue, 8 Nov 2016 12:48:05 +
> From: "Salz, Rich" <rs...@akamai.com>
> To: Mofassir Ul Haque <mofassir_ha...@yahoo.com>,
> "openssl-users@openssl.org" <openssl-users@openssl.org>
> Subject: Re: [openssl-users] Retrieving Root CA certificate using
> "openssl s_client -showcerts" command
> Message-ID:
> <d0d55ec8a95b439ea54af80156934...@usma1ex-dag1mb1.msg.corp.
> akamai.com>
> Content-Type: text/plain; charset="utf-8"
>
> Yes, just put the entire chain in the server?s PEM file.
> -- next part --
> An HTML attachment was scrubbed...
> URL: <http://mta.openssl.org/pipermail/openssl-users/
> attachments/20161108/7be62e26/attachment-0001.html>
>
> --
>
> Message: 2
> Date: Tue, 8 Nov 2016 13:24:39 +
> From: Michael Wojcik <michael.woj...@microfocus.com>
> To: "openssl-users@openssl.org" <openssl-users@openssl.org>
> Subject: Re: [openssl-users] Problem in compiling OpenSSL on
> Windows-7-32-bit
> Message-ID:
> <B550B44BF8AF314BB00C4E2AC1C18088015E6B611A@prvxmb03.
> microfocus.com>
> Content-Type: text/plain; charset="utf-8"
>
> [not quoting anything because Outlook can't quote HTML email properly]
>
> I build OpenSSL for static linking (though using a hacked configuration,
> since it's going to be linked into a DLL, and we do not want the C RTS
> linked statically). I've not seen any of these problems. We build on a
> variety of Windows versions, using a number of compiler versions (because
> inter-version compatibility still eludes Microsoft); we've been doing that
> since the 0.9.8 days, and now do it with each release of 1.0.2.
>
> My advice, frankly, is to study the OpenSSL build process until you
> understand it. We've had issues in the past with some Windows Perl
> implementations (currently we use Cygwin Perl with a wrapper program that
> corrects paths), and as I noted above, we've had to hack the configuration
> process (with scripts that run between the OpenSSL configuration step and
> the actual build). The OpenSSL build is not trivial, and the Windows
> toolchain is, in a word, terrible.
>
> I would also recommend getting nasm out of the Visual Studio tree, where
> it most definitely does not belong, and into a normal (non-spacey) path.
>
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
> --
>
> Message: 3
> Date: Tue, 8 Nov 2016 14:44:01 +0100
> From: Kim Gr?sman <kim.gras...@gmail.com>
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Problem in compiling OpenSSL on
> Windows-7-32-bit
> Message-ID:
> <CANt7B+cAdvnSFaE-AhfY=BXEy+gYiK9267h6LGfFQkA_iV6dtQ@mail.
> gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Tue, Nov 8, 2016 at 2:24 PM, Michael Wojcik
> <michael.woj...@microfocus.com> wrote:
> >
> > My advice, frankly, is to study the OpenSSL build process until you
> understand it. We've had
> > issues in the past with some Windows Perl implementations (currently we
> use Cygwin Perl with
> > a wrapper program that corrects paths)
>
> Forgot to mention; I'm building with ActiveState Perl from
> http://www.ActiveState.com.
>
> - Kim
>
>
> -

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

2016-11-08 Thread Kim Gräsman 
On Tue, Nov 8, 2016 at 3:05 PM, Jakob Bohm  wrote:
> On 08/11/2016 14:44, Kim Gräsman wrote:
>>
>> On Tue, Nov 8, 2016 at 2:24 PM, Michael Wojcik
>>  wrote:
>>>
>>> My advice, frankly, is to study the OpenSSL build process until you
>>> understand it. We've had
>>> issues in the past with some Windows Perl implementations (currently we
>>> use Cygwin Perl with
>>> a wrapper program that corrects paths)
>>
>> Forgot to mention; I'm building with ActiveState Perl from
>> http://www.ActiveState.com.
>>
> That is the Perl most often quoted as causing problems.
>
> Try Strawberry Perl from http://strawberryperl.com/(Strawberry Perl
> is derived from vanilla Perl, hence the name).

Thanks Jakob. Funny though, it's building successfully here. The OP
hasn't reported his Perl dist yet.

I'll make a note to try with Strawberry Perl moving forward.

- Kim
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

2016-11-08 Thread Jakob Bohm 

On 08/11/2016 14:44, Kim Gräsman wrote:

On Tue, Nov 8, 2016 at 2:24 PM, Michael Wojcik
 wrote:

My advice, frankly, is to study the OpenSSL build process until you understand 
it. We've had
issues in the past with some Windows Perl implementations (currently we use 
Cygwin Perl with
a wrapper program that corrects paths)

Forgot to mention; I'm building with ActiveState Perl from
http://www.ActiveState.com.


That is the Perl most often quoted as causing problems.

Try Strawberry Perl from http://strawberryperl.com/(Strawberry Perl
is derived from vanilla Perl, hence the name).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] (SPAM) Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Erwann Abalea 
Bonjour,

The root certificate is not expected to be sent by the server, as it already 
needs to be known and trusted by the client.
However, you’re free to configure your server to send it, for debugging or 
informational purposes.

Cordialement,
Erwann Abalea

Le 8 nov. 2016 à 03:36, Mofassir Ul Haque 
> a écrit :

Hi All,

The output of "openssl s_client -showcerts -connect ..." command dose not 
include Root certificate (which is expected behaviour). However, is it possible 
to configure Server to return Root CA certificate also ?

Thanks,

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

2016-11-08 Thread Kim Gräsman 
On Tue, Nov 8, 2016 at 2:24 PM, Michael Wojcik
 wrote:
>
> My advice, frankly, is to study the OpenSSL build process until you 
> understand it. We've had
> issues in the past with some Windows Perl implementations (currently we use 
> Cygwin Perl with
> a wrapper program that corrects paths)

Forgot to mention; I'm building with ActiveState Perl from
http://www.ActiveState.com.

- Kim
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

2016-11-08 Thread Michael Wojcik 
[not quoting anything because Outlook can't quote HTML email properly]

I build OpenSSL for static linking (though using a hacked configuration, since 
it's going to be linked into a DLL, and we do not want the C RTS linked 
statically). I've not seen any of these problems. We build on a variety of 
Windows versions, using a number of compiler versions (because inter-version 
compatibility still eludes Microsoft); we've been doing that since the 0.9.8 
days, and now do it with each release of 1.0.2.

My advice, frankly, is to study the OpenSSL build process until you understand 
it. We've had issues in the past with some Windows Perl implementations 
(currently we use Cygwin Perl with a wrapper program that corrects paths), and 
as I noted above, we've had to hack the configuration process (with scripts 
that run between the OpenSSL configuration step and the actual build). The 
OpenSSL build is not trivial, and the Windows toolchain is, in a word, terrible.

I would also recommend getting nasm out of the Visual Studio tree, where it 
most definitely does not belong, and into a normal (non-spacey) path.

Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Retrieving Root CA certificate using "openssl s_client -showcerts" command

2016-11-08 Thread Salz, Rich 
Yes, just put the entire chain in the server’s PEM file.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Fwd: Re: Duplicating const X509_NAME

2016-11-08 Thread Sascha Steinbiss 
Dear OpenSSL developer team,

following up on the discussion quoted below on the openssl-users ML I
would like to ask your opinions on adding a OCSP_resp_get1_id() function:

int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
  ASN1_OCTET_STRING **pid,
  X509_NAME **pname);

to allow API users to obtain non-const values from responses to pass on
to downstream functions. Please also see my commit
https://github.com/satta/openssl/commit/4392b12a0caa8f8e7df0bb6e1c94de7f744407ba
implementing this. Looking forward to some comments -- if you are OK
with it I would be happy to file a pull request. My CLA has been signed
and emailed to OpenSSL Foundation's legal team.

Unfortunately I could not find any existing tests for the get0
counterpart in the OpenSSL source. Did I miss something? That's the
reason why I haven't included tests yet, having read the contributor's
guide.

Thanks and kind regards
Sascha


 Forwarded Message 
Subject:Re: [openssl-users] Duplicating const X509_NAME
Date:   Mon, 7 Nov 2016 12:54:03 -0600
From:   Benjamin Kaduk 
Reply-To:   openssl-users@openssl.org
To: openssl-users@openssl.org



On 11/07/2016 05:42 AM, Sascha Steinbiss wrote:
> Hi all,
>
> I was wondering how to properly make a clone of a const X509_NAME in
> OpenSSL 1.1?
>
> In particular, I am obtaining a const X509_NAME* via OCSP_resp_get0_id()
> and would like to pass it to X509_find_by_subject() which takes a
> X509_NAME* (non-const). I looked into using X509_NAME_dup() to obtain a
> local copy -- which looked like the obvious approach -- but that also
> only takes a non-const parameter.
>
> Any ideas? With
>

Hmm, seems like there may be a need for get1-style accessors, then.
Supposedly missing accessors will get backported from master to the 1.1
branch (though making it in time for 1.1.0c later this week could be
tough).  It might be worth filing a pull request with such things.

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] How to use EVP_aes_256_cbc_hmac_sha256

2016-11-08 Thread Gerhard Gappmeier 
Hi,

I'm trying to use EVP_EncryptUpdate() with EVP_aes_256_cbc_hmac_sha256()
to speed up encryption.
This "stiched" version should be faster than first hashing and then
encrypt the data.
See also
https://software.intel.com/sites/default/files/open-ssl-performance-paper.pdf
for some background.

However I don't see a way to configure the offset between the data to be
signed and the data to be encrypted.
In my protocol (not TLS) we have a header of 16 byte that gets signed,
but not encrypted.

Some ASCII art to explain this (use fix size font to view this):
/signed---\
|header|seqheader|body|padding|signature|
   \encrypted---/

I debugged already "openssl speed -evp aes-256-cbc-hmac-sha256" but this
looks for me like the same data is signed and encrypted,
and no offset is used.

Is it possible somehow to define such a offset? I was expecting that the
same is necessary for TLS, but I'm not a TLS expert :-)

regards,
Gerhard.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem in compiling OpenSSL on Windows-7-32-bit

2016-11-08 Thread Ajay Garg 
Hi Kim.

Thanks for the reply.

On 8 Nov 2016 11:59 a.m., "Kim Gräsman"  wrote:
>
> On Tue, Nov 8, 2016 at 6:26 AM, Ajay Garg  wrote:
> >
> > Is compiling on windows always such a pain? :(
> > On Linux, it compiled perfectly the first time itself.
>
> It's worked well for me in a similar environment. I use DLL builds,
> though, so `ntdll.mak` instead of `nt.mak`.

Unfortunately, I need to link openssl statically to our framework. So DLL
would not help, require .libs

>
> One thing that looks suspicious is this:
>
> > NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio
14.0\VC\
> > N\nasm.EXE"' : return code '0x1'
>
> Have you put nasm.exe inside the Visual Studio install dir? That seems
> like an odd choice, not sure if the spaces in the path maybe confuses
> something?

I doubt, cl.exe is also inside this.

>
> You also don't mention which directory you're in when running these
> commands. I've run everything inside the openssl-1.0.2h (using a
> different version) source directory.

I am running everything from the openssl source directory itself.

Any chance I can get pre-compiled libraries for 1.0.2d, after which I can
link them statically to our framework?

Thanks in advance 

>
> - Kim
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] mailing list registration renewal - clarify bounce errors

2016-11-08 Thread Richard Levitte 
In message <20161108.083722.982336643109774878.levi...@openssl.org> on Tue, 08 
Nov 2016 08:37:22 +0100 (CET), Richard Levitte  said:

levitte> In message 
 on Mon, 7 
Nov 2016 21:50:13 +0300, Dmitry Belyavsky  said:
levitte> 
levitte> beldmit> Hello Rich,
levitte> beldmit> 
levitte> beldmit> On Mon, Nov 7, 2016 at 8:34 PM, Salz, Rich  
wrote:
levitte> beldmit> 
levitte> beldmit> > I can find no evidence of "excessive bounces .." so I 
am just
levitte> beldmit> asking here, is
levitte> beldmit> > this a standard clean up of the ML or have you really 
received
levitte> beldmit> excessive
levitte> beldmit> > bounces from my email address ?
levitte> beldmit> 
levitte> beldmit> The latter.
levitte> beldmit> 
levitte> beldmit> We have seen some more reports of this recently, and are
levitte> beldmit> increasing the logging to determine the cause. 
Interestingly, it's
levitte> beldmit> all from gmail.com addresses.
levitte> beldmit> 
levitte> beldmit> 
levitte> beldmit> I confirm the receiving the similar message.
levitte> 
levitte> The issue is called DMARC, and most certainly with a reject policy,
levitte> which basically tells recipients to reject messages that doesn't quite
levitte> appear to come from the originator.
levitte> 
levitte> This is problematic for mailing lists, that kind of act as a middle
levitte> man, and even moreso because rejections end up as bounces to the
levitte> mailing list software, which will end up disabling the bouncing
levitte> address.  So in the end, it becomes a story of how users from one
levitte> domain are capable of throw out everyone else that checks their DMARC
levitte> policy.
levitte> 
levitte> Last time we went through this, we ignored the problem, for reasons I
levitte> cannot remember now.  I'll have a closer look at what mailman can
levitte> offer and get back to you.

So, I changed this mailing list to munge the From: header of any
message coming from a domain that has a DMARC reject or quarantine
policy.  That should avoid any more silly bouncing of the sort we've
experienced.

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users