[openssl-users] troubleshooting ssl errors
Hello All,

I'm trying to establish a connection between two servers for the purpose of data sharing. On my end, these are the version numbers of everything I'm using:

  RHEL 7.4
  wget 1.14
  openssl 1.0.2k-fips

Not sure what's on the other end, other than that it is a Linux server.

When I run the connectivity tests, these are the errors I'm getting. You can see the commands run and the output that comes back (hostname and IP address are obfuscated). Any suggestions?

PG

  [root@hostname ~]# wget https://domain.name.com:8443 --secure-protocol=SSLv3 --debug
  DEBUG output created by Wget 1.14 on linux-gnu.
  URI encoding = 'UTF-8'
  Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
  Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
  --2017-10-10 22:20:20--  https://domain.name.com:8443/
  Resolving domain.name.com (domain.name.com)...
  Caching domain.name.com =>
  Connecting to domain.name.com (domain.name.com)||:8443... connected.
  Created socket 3.
  Releasing 0x0186e340 (new refcount 1).
  Initiating SSL handshake.
  SSL handshake failed.
  Closed fd 3
  Unable to establish SSL connection.

  [root@hostname ~]# curl -k https://domain.name.com:8443 -insecure -v
  * Couldn't find host domain.name.com in the .netrc file; using defaults
  * About to connect() to domain.name.com port 8443 (#0)
  *   Trying ...
  * Connected to domain.name.com () port 8443 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  * NSS error -5938 (PR_END_OF_FILE_ERROR)
  * Encountered end of file
  * Closing connection 0

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [ANN] M2Crypto 0.27.0
I have to report that this M2Crypto release is broken, as it cannot find OpenSSL installed in /opt/local (apologies for spamming multiple lists and people):

  /usr/bin/clang -fno-strict-aliasing -fno-common -dynamic -pipe -Os -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I/opt/local/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 -I/private/tmp/pip-build-lqb2R6/M2Crypto/SWIG -c SWIG/_m2crypto_wrap.c -o build/temp.macosx-10.12-x86_64-2.7/SWIG/_m2crypto_wrap.o -Wno-deprecated-declarations
  SWIG/_m2crypto_wrap.c:2894:9: warning: variable 'res' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
      if (PyType_Ready(tp) < 0)
          ^~~~
  SWIG/_m2crypto_wrap.c:2918:10: note: uninitialized use occurs here
      return res;
             ^~~
  SWIG/_m2crypto_wrap.c:2894:5: note: remove the 'if' if its condition is always false
      if (PyType_Ready(tp) < 0)
      ^
  SWIG/_m2crypto_wrap.c:2875:10: note: initialize the variable 'res' to silence this warning
      int res;
             ^
              = 0
  SWIG/_m2crypto_wrap.c:3554:10: fatal error: 'openssl/err.h' file not found
  #include <openssl/err.h>
           ^~~
  1 warning and 1 error generated.
  error: command '/usr/bin/clang' failed with exit status 1

  Command "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python -u -c "import setuptools, tokenize;__file__='/private/tmp/pip-build-lqb2R6/M2Crypto/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-VYOp3p-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /private/tmp/pip-build-lqb2R6/M2Crypto/

--
Regards,
Uri Blumenthal

On 10/5/17, 18:06, "openssl-users on behalf of Matěj Cepl" wrote:

> M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers; SSL functionality to implement clients and servers; HTTPS extensions to Python's httplib, urllib, and xmlrpclib; unforgeable HMAC'ing AuthCookies for web session management; FTP/TLS client and server; S/MIME. M2Crypto can also be used to provide SSL for Twisted. Smartcards supported through the Engine interface.
>
> This is another less earth-shattering release (after 0.26.2 which brought us OpenSSL 1.1.0 compatibility), one more step towards Python 3 compatibility nirvana, still more cleanups and accumulated bug fixes, which could be resolved before the big python3 branch is merged.
>
> The release is available on https://pypi.python.org/pypi/M2Crypto/ and all communication with the maintainer (that's me) should go to https://gitlab.com/m2crypto/m2crypto.
>
> Talking about the python3 branch, ALL TESTS PASS on all Pythons from 2.6, 2.7, 3.3 to 3.6!!! Now is the time to test, help with review, and complain about whatever is wrong! I will still keep the API stable, but changes are relatively large, so this is your opportunity to suggest whatever substantial thing you don't like about M2Crypto.
>
> I may not make it happen in 0.28 (which I expect to be the Py3k-compatible release), but for settling the dust down and cleanup I am already preparing 0.29, which should include yet more accumulated merge requests and bugfixes, this time ones which should be better served with the python 3 layer already in place.
>
> Happy hacking!
>
> Matěj
> --
> https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
> GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
>
> Quod fuimus, estis; quod sumus, vos eritis.
[openssl-users] Enable FIPS mode using OPENSSL_config()
Hi All:

My understanding is that by using OPENSSL_config(), we will be able to enable FIPS mode globally on the system. Is that correct?

My question is, if we enable FIPS mode through configuration and using OPENSSL_config(), does it mean that for all the applications which link to the OpenSSL library, the FIPS_mode_set() function will be invoked automatically (at some level), even if these applications are not modified to invoke FIPS_mode_set() by themselves?

The reason I ask is mainly because I am evaluating how I should modify my server platform and applications in order to adapt the FIPS capable OpenSSL library into the platform. From the previous suggestions seen in this forum, it looks like the best strategy is to only select a few important applications to make them run under FIPS mode, and that way we only need to modify these applications to allow them to invoke FIPS_mode_set().

My assumption is, for those applications which link to OpenSSL but are not FIPS aware, even if we run OPENSSL_config() to enable FIPS mode globally, they will still be running in non-FIPS mode and they won't be impacted or crash because they are not FIPS compatible.

Is my understanding correct?

Thanks.
[openssl-users] openssl.cnf asking Subject Alternative Names certificates.
Hi everyone,

As most of us know, the Google Chrome browser asks for the Subject Alternative Name instead of the Common Name. I want to distribute a little openssl.cnf file for creating the CSR files with my specific values and establish Subject Alternative Name = Common Name. I want to ask for the CN and assign this value to the SAN.

This is my beta openssl.cnf file. Sorry for the comments in Spanish. I do not know how to set a variable (CN variable) to assign to the SAN value.

8< 8< ---
# This file generates the CSRs for our systems with the agreed parameters.
#
# openssl genrsa -aes256 -out www.rra.lan.key 2048 -config opensslMiCasa.cnf
#
# Set a working directory, the current one to be exact.
dir = .

[ req ]
default_bits        = 2048                      # Size of keys
default_keyfile     = key.pem                   # name of generated keys
default_md          = sha256                    # message digest algorithm
string_mask         = nombstr                   # permitted characters
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
# Variable name                  Prompt string
#------------------------------------------------
0.organizationName             = Nombre de la Organizacion
organizationalUnitName         = Mi Casa [Desarrollo|Infraestructuras|Laboratorio]
emailAddress                   = Cuenta de Correo
emailAddress_max               = 64
localityName                   = Localidad
stateOrProvinceName            = Comunidad Autónoma
countryName                    = ISO 3166-1 Codigo de País
countryName_min                = 2
countryName_max                = 2
commonName                     = Common Name

# Default values for the above, for consistency and less typing.
# Variable name                  Value
#------------------------------------------------
0.organizationName_default     = Mi Casa
organizationalUnitName_default = Mi Casa Infraestructuras
localityName_default           = Madrid
stateOrProvinceName_default    = Comunidad de Madrid
countryName_default            = ES

[ v3_req ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
subjectAltName          =
--- >8 >8

SALUDE3.
http://www.rodeiroag.es/
http://soloeningles.blogspot.com/
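One way to get SAN = CN without interactive prompting, as an added example that is not part of the post above: a small wrapper takes the CN as an argument, writes a non-interactive req config (`prompt = no`) with the same value in both `CN` and `subjectAltName`, and builds the CSR from it. The defaults (Mi Casa, Madrid, ES) are copied from the posted config; the CN `www.rra.lan` used in the check is a constructed sample.

```shell
#!/bin/sh
# Added example, not the poster's config: emit an openssl.cnf whose
# subjectAltName mirrors the common name, then build a CSR from it.
# Assumes the `openssl req` CLI (OpenSSL 1.0.2 or later).

# Print a req config for the given common name ($1). With `prompt = no`
# the DN section holds values directly, so nothing is asked interactively.
make_req_cnf() {
    cn="$1"
    cat <<EOF
[ req ]
default_bits        = 2048
default_md          = sha256
string_mask         = utf8only
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
O  = Mi Casa
OU = Mi Casa Infraestructuras
L  = Madrid
ST = Comunidad de Madrid
C  = ES
CN = ${cn}

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName       = DNS:${cn}
EOF
}

# Generate a key and CSR for common name $1 in a scratch directory and
# print the SAN value the CSR actually carries (e.g. "DNS:www.rra.lan"),
# which is the check a reviewer of the CSR would run before signing it.
csr_san() {
    cn="$1"
    dir="$(mktemp -d)"
    make_req_cnf "$cn" > "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -config "$dir/req.cnf" -out "$dir/req.csr" 2>/dev/null
    openssl req -in "$dir/req.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
    rm -rf "$dir"
}
```

If you would rather keep a single static openssl.cnf, the same effect can be had by referencing an environment variable from the file with `subjectAltName = DNS:${ENV::CN}` and exporting `CN` before running `openssl req`.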
Re: [openssl-users] Openssl FIPS 186-4 Patch
Hi,

That Redhat/Fedora patch is based on the openssl library alone. But I am using the FIPS canister approach where I use both the openssl and openssl-fips-ecp libraries. Though the Redhat/Fedora patch is OK, it is not straightforward to port to the canister model.

Any idea of patches available for this kind of FIPS canister usage?

Thanks,
Murugesh P.

On 10/10/17, Marcus Meissner wrote:
> Hi,
>
> On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote:
>> Hi,
>>
>> Thanks for the comment.
>>
>> I know that openSSL is not 186-4 compliant. That is why I am looking
>> for anybody have the patch for the same.
>>
>> I see there are some works in Fedora:
>> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch
>
> Yes, the FIPS 140-2 patches done by Redhat provide a FIPS 186-3 or 186-4
> enabled keygeneration.
>
> There are some small adjustments that could be merged back into the generic
> e.g. RSA key generation.
>
> Ciao, Marcus
Re: [openssl-users] Openssl FIPS 186-4 Patch
Hi,

On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote:
> Hi,
>
> Thanks for the comment.
>
> I know that openSSL is not 186-4 compliant. That is why I am looking
> for anybody have the patch for the same.
>
> I see there are some works in Fedora:
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch

Yes, the FIPS 140-2 patches done by Redhat provide FIPS 186-3 or 186-4 enabled key generation.

There are some small adjustments that could be merged back into the generic code, e.g. RSA key generation.

Ciao, Marcus