Re: [openssl-users] Does openssl pick low level interface or high level interface to do encrypt?
On Wed, Aug 09, 2017 at 01:08:47PM +, - JinsongJi wrote:

> For one simple operation: openssl enc -aes-256-cbc -salt -in foo.txt -out
> foo.enc
> Does openssl pick classic implementation or AES-NI implementation to do this
> encrypt?

The enc(1) command uses the EVP API to access the requested symmetric
cipher. As a result, AES-NI and the like will be used when supported
by the hardware and enabled in your OpenSSL library.

> Does any user/application always pick classic implementation for
> AES operation regardless of AES-NI improves speed much?

If the application uses EVP_get_cipherbyname() and the like, it gets
the best available implementation of the cipher. If it bypasses EVP
it may get a slower implementation and/or one that has less side-channel
resistance.

Bottom-line, use EVP.

--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Password protect EC private key
On 08/10/2017 04:26 PM, Viktor Dukhovni wrote:
> On Thu, Aug 10, 2017 at 03:17:02PM -0400, Robert Moskowitz wrote:
>
> > > Are you sure you want secp256k1? By far the more common choice is
> > > prime256r1 (aka P-256 or secp256r1).
> >
> > Do you mean prime256v1?
>
> Yes, it is the primary name in OpenSSL for secp256r1 aka (NIST) P-256.

Thank you for the help. I now have a simple guide and a complement of
files to work on a new project. Did not do CRL or OCSP, but I don't need
them yet.

Re: [openssl-users] Password protect EC private key
On Thu, Aug 10, 2017 at 03:17:02PM -0400, Robert Moskowitz wrote:

> > Are you sure you want secp256k1? By far the more common choice is
> > prime256r1 (aka P-256 or secp256r1).
>
> Do you mean prime256v1?

Yes, it is the primary name in OpenSSL for secp256r1 aka (NIST) P-256.

--
Viktor.

Re: [openssl-users] Password protect EC private key
On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
> On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:
>
> > openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
> >
> > But openssl ecparam does not have any option equivalent (that I can find) to
> > -aes256
>
> Yes, this command does not currently support key encryption.
>
> > What am I missing.
>
> The command that does is:
>
>   $ openssl genpkey -aes256 -algorithm ec \
>       -pkeyopt ec_paramgen_curve:secp256k1 \
>       -pkeyopt ec_param_enc:named_curve \
>       -out private/ca.key.pem
>
> Are you sure you want secp256k1? By far the more common choice is
> prime256r1 (aka P-256 or secp256r1).

Do you mean prime256v1?

$ openssl ecparam -list_curves
  secp256k1 : SECG curve over a 256 bit prime field
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

> > openssl ecparam -in private/ca.key.pem -text -noout
>
> EC keys are read with "openssl ec" not "openssl ecparam".

Re: [openssl-users] Password protect EC private key
On Thu, Aug 10, 2017 at 02:49:02PM -0400, Robert Moskowitz wrote:

> > The command that does is:
> >
> >   $ openssl genpkey -aes256 -algorithm ec \
> >       -pkeyopt ec_paramgen_curve:secp256k1 \
> >       -pkeyopt ec_param_enc:named_curve \
> >       -out private/ca.key.pem
>
> So I see that I use this for the CA(s) key generation, but what about a
> Server or Client key pair to feed into a CSR? I probably do not want those
> keys encrypted (well I do, but we sacrifice protection for ease of use,
> sigh).

Just leave off the "-aes256" option.

> > Are you sure you want secp256k1? By far the more common choice is
> > prime256r1 (aka P-256 or secp256r1).
>
> Thanks, I read things wrong and selected the wrong curve. Yes, I want
> prime256r1.
>
> > > openssl ecparam -in private/ca.key.pem -text -noout
> > EC keys are read with "openssl ec" not "openssl ecparam".
>
> Ah. I will give this a try.

Better yet, use "openssl pkey".

--
Viktor.

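As an added example (not part of the thread and not the posters' own script): the genpkey invocation quoted above, run once with -aes256 and once without it, with each key then read back through "openssl pkey". The prime256v1 curve follows the thread; the passphrase, file names and helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: P-256 key with and without password protection.
# Passphrase, file names and function names are constructed for the demo.

# gen_ec_key OUT [PASS_ENV_VAR]: AES-256 encryption only when a passphrase
# variable is named; otherwise "-aes256" is left off, as for server keys.
gen_ec_key() {
    out=$1; passvar=${2:-}
    set -- -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -pkeyopt ec_param_enc:named_curve -out "$out"
    if [ -n "$passvar" ]; then
        set -- -aes256 -pass "env:$passvar" "$@"
    fi
    # umask keeps the new key file unreadable by other local users.
    (umask 077 && openssl genpkey "$@")
}

# pem_type FILE: print the PEM label found on the first line of FILE.
pem_type() {
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# key_curve FILE PASS_SOURCE: read the key with "openssl pkey" and print its
# curve name; returns non-zero when the key cannot be decrypted or parsed.
key_curve() {
    text=$(openssl pkey -in "$1" -passin "$2" -noout -text \
        2>/dev/null </dev/null) || return 1
    printf '%s\n' "$text" | sed -n 's/^ASN1 OID: //p'
}

demo() {
    dir=$(mktemp -d) || return 1
    CA_KEY_PASS='constructed-demo-passphrase'; export CA_KEY_PASS
    gen_ec_key "$dir/ca.key.pem" CA_KEY_PASS
    gen_ec_key "$dir/server.key.pem"
    echo "ca:     $(pem_type "$dir/ca.key.pem")," \
        "$(key_curve "$dir/ca.key.pem" env:CA_KEY_PASS)"
    echo "server: $(pem_type "$dir/server.key.pem")," \
        "$(key_curve "$dir/server.key.pem" pass:)"
    key_curve "$dir/ca.key.pem" pass:wrong >/dev/null ||
        echo "ca:     wrong passphrase rejected"
    rm -rf "$dir"
}
demo
```

Taking the passphrase from an environment variable keeps it out of the process argument list; the PEM label alone shows whether a key file on disk is protected.
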
Re: [openssl-users] Fwd: Error in Opening SSL Certificate
On Thu, Aug 10, 2017 at 06:27:41PM +0530, Amiya Das wrote:

> I have written an application for connecting to AzureIOT hub using AMQP
> protocol.
> When I run the application it fails because of SSL issue stating
> *14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.*

This means that the certificate chain presented does not chain up
to a locally trusted root CA, or is expired, or some other chain
verification problem. You need to determine what certificates are
presented by the remote peer, what trust anchors (root CAs) you're
using and why the chain does not verify against these trust-anchors.

> Any help would be appreciated.
> Below are the details for the OS
> Yocto linux
> Kernel 4.4.19-gdb0b54cdad
>
> Info: IoT Hub SDK for C, version 1.1.19

That's largely irrelevant.

> I am not sure why this issue is appearing, it looks like an openssl issue.
> But I do have the openssl certificates in the below location,
> "/etc/ssl/certs/ca-certificates.crt"

That's not where OpenSSL will look by default, unless:

> Following are the more information using openssl,
>
> -sh-3.2# openssl version -d
> OPENSSLDIR: "/usr/lib/ssl"

OpenSSL will by default look in:

    /certs.pem - PEM file with multiple trusted certificates
    /certs/ - Directory with certificate files "hashed" via c_rehash

Perhaps you have symlinks in place that lead to ca-certificates.crt,
or code to populate the /certs/ directory, but otherwise you'll need
such links, or the application will need to explicitly set the
appropriate CAfile or CApath.

> Verify return code: 20 (unable to get local issuer certificate)

Your CAfile/CApath do not contain a trust-anchor that verifies the
given chain.

--
Viktor.

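As an added example, not part of the original message: the failure described above reproduced offline with a throwaway root and leaf, where the default trust store lacks the anchor and "openssl verify" reports error 20 until the anchor is supplied with -CAfile. It goes slightly beyond the message by also showing the SSL_CERT_FILE environment variable, which redirects the default file lookup; all subjects, file names and helper functions are constructed.

```shell
#!/bin/sh
# Added example: reproduce verify error 20 offline, then supply the anchor.
# Every subject, file name and key below is constructed for the demo.

# make_chain DIR: create a throwaway root CA and a leaf certificate it signs.
make_chain() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/req.cnf" -extensions v3_ca -days 2 \
        -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
        2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -subj "/CN=device.example.test" \
        -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
        2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.pem" -days 2 2>/dev/null
}

# verify_result LEAF [verify options]: print "OK" or the first "error N".
verify_result() {
    leaf=$1; shift
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    case $out in
        *"error "[0-9]*) printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
        *": OK"*) echo OK ;;
        *) echo unknown ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    make_chain "$dir" || return 1
    echo "compiled-in dir:    $(openssl version -d)"
    echo "default store only: $(verify_result "$dir/leaf.pem")"
    echo "with -CAfile:       $(verify_result "$dir/leaf.pem" -CAfile "$dir/ca.pem")"
    echo "with SSL_CERT_FILE: $(export SSL_CERT_FILE="$dir/ca.pem"; verify_result "$dir/leaf.pem")"
    rm -rf "$dir"
}
demo
```
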
Re: [openssl-users] Password protect EC private key
Thank you, Viktor.

On 08/10/2017 02:27 PM, Viktor Dukhovni wrote:
> On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:
>
> > openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
> >
> > But openssl ecparam does not have any option equivalent (that I can find) to
> > -aes256
>
> Yes, this command does not currently support key encryption.
>
> > What am I missing.
>
> The command that does is:
>
>   $ openssl genpkey -aes256 -algorithm ec \
>       -pkeyopt ec_paramgen_curve:secp256k1 \
>       -pkeyopt ec_param_enc:named_curve \
>       -out private/ca.key.pem

So I see that I use this for the CA(s) key generation, but what about a
Server or Client key pair to feed into a CSR? I probably do not want those
keys encrypted (well I do, but we sacrifice protection for ease of use,
sigh).

> Are you sure you want secp256k1? By far the more common choice is
> prime256r1 (aka P-256 or secp256r1).

Thanks, I read things wrong and selected the wrong curve. Yes, I want
prime256r1.

> > openssl ecparam -in private/ca.key.pem -text -noout
>
> EC keys are read with "openssl ec" not "openssl ecparam".

Ah. I will give this a try.

Bob

Re: [openssl-users] Password protect EC private key
On Thu, Aug 10, 2017 at 12:03:31PM -0400, Robert Moskowitz wrote:

> openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem
>
> But openssl ecparam does not have any option equivalent (that I can find) to
> -aes256

Yes, this command does not currently support key encryption.

> What am I missing.

The command that does is:

  $ openssl genpkey -aes256 -algorithm ec \
      -pkeyopt ec_paramgen_curve:secp256k1 \
      -pkeyopt ec_param_enc:named_curve \
      -out private/ca.key.pem

Are you sure you want secp256k1? By far the more common choice is
prime256r1 (aka P-256 or secp256r1).

> openssl ecparam -in private/ca.key.pem -text -noout

EC keys are read with "openssl ec" not "openssl ecparam".

--
Viktor.

[openssl-users] Password protect EC private key
I am following:

https://jamielinux.com/docs/openssl-certificate-authority/create-the-root-pair.html

But modifying it to produce ECDSA certs.

So the first step is to make the private key. Jamie says:

  openssl genrsa -aes256 -out private/ca.key.pem 4096

The -aes256 option supposedly password protects this private key.

So after some googling I created:

  openssl ecparam -name secp256k1 -genkey -noout -out private/ca.key.pem

But openssl ecparam does not have any option equivalent (that I can find)
to -aes256

What am I missing.

And I successfully generated the root CA ECDSA cert with:

  openssl req -config openssl.cnf -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem

The config file is the one Jamie provides on his pages.

Also the following:

  openssl ecparam -in private/ca.key.pem -text -noout

Gives me an error:

  unable to load elliptic curve parameters
  140598030526328:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: EC PARAMETERS

Is this because I created the private key without including the parameters?

I got my ECDSA tips from:

https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations

Meanwhile on to the sub-CA cert.

thanks

Bob

Re: [openssl-users] Does openssl pick low level interface or high level interface to do encrypt?
What OpenSSL does is not necessarily obvious.

The INSTALL document talks about the no-asm configuration option. Details
about what the assembler code does in terms of optimization are only
available by reading the source code comments in the various Perl files
that generate the assembler, mostly.

On x86, the assembly code uses the CPUID instruction (see the
OPENSSL_ia32cap.pod manpage) to determine if various instructions (AES,
SSE, MMX, etc) are available and will use them if so. For other
processors, similar tests are performed if at all possible.

I have added this to the FAQ

--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz

From: - JinsongJi [mailto:jjsb...@hotmail.com]
Sent: Wednesday, August 09, 2017 9:09 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Does openssl pick low level interface or high level interface to do encrypt?

Hi,

For one simple operation:

  openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc

Does openssl pick classic implementation or AES-NI implementation to do
this encrypt?

Does any user/application always pick classic implementation for AES
operation regardless of AES-NI improves speed much?

Is there any document about this interface selection?

Thanks,
Jinsong

[openssl-users] Does openssl pick low level interface or high level interface to do encrypt?
Hi,

For one simple operation:

  openssl enc -aes-256-cbc -salt -in foo.txt -out foo.enc

Does openssl pick classic implementation or AES-NI implementation to do
this encrypt?

Does any user/application always pick classic implementation for AES
operation regardless of AES-NI improves speed much?

Is there any document about this interface selection?

Thanks,
Jinsong

[openssl-users] Fwd: Error in Opening SSL Certificate
Hi,

I have written an application for connecting to AzureIOT hub using AMQP
protocol.
When I run the application it fails because of SSL issue stating
*14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.*

Any help would be appreciated.
Below are the details for the OS
Yocto linux
Kernel 4.4.19-gdb0b54cdad

Info: IoT Hub SDK for C, version 1.1.19

I am not sure why this issue is appearing, it looks like an openssl issue.
But I do have the openssl certificates in the below location,
"/etc/ssl/certs/ca-certificates.crt"

Following are the more information using openssl,

-sh-3.2# openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

But the actual certificates are located under /etc/ssl/ folder, so I copied
all the certificates under /usr/lib/ssl folder but still there was no luck
with this.

OPENSSL version 1.0.2h is currently installed.

CONNECTED(0004)
depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=*.azure-devices.net
   i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-BEGIN CERTIFICATE-
Certificate displayed here properly
-END CERTIFICATE-
subject=/CN=*.azure-devices.net
issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3692 bytes and written 485 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher: ECDHE-RSA-AES128-SHA256
    Session-ID: DA00F6835606D8F94D7184BE980E23C55D49D08BA33A8A5709A2C476 3848
    Session-ID-ctx:
    Master-Key: EE1BEBA238F3B31AB83419452937BEB989E8A0BEB018E5D77B1148903BA3 5905D86DDF43F2745F593EE73AF0481F6819
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1502367353
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Thanks,
Amiya.

[openssl-users] SMime encrypted mail - find out which key was used
Hi,

Is there a command line way to find out with which key an S/Mime encrypted
e-mail was encrypted, so that I can use the correct private key for
decryption?

In my case users can have - for internal reasons - more than one
public/private key pair, so using the e-mail address of the receiver
won't work.

Thanks in advance
Horst