[openssl-users] troubleshooting ssl errors

2017-10-10 Thread Paul Greene
Hello All,

I'm trying to establish a connection between two servers for the purpose of
data sharing.

On my end, these are the version numbers of everything I'm using:
RHEL 7.4
wget 1.14
openssl 1.0.2k-fips

Not sure what's on the other end, other than that it is a Linux server.

When I run the connectivity tests, these are the errors I'm getting - you
can see the commands run and the output that comes back (hostname and IP
address are obfuscated).

Any suggestions?

PG


[root@hostname ~]# wget https://domain.name.com:8443 --secure-protocol=SSLv3 --debug
DEBUG output created by Wget 1.14 on linux-gnu.

URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2017-10-10 22:20:20--  https://domain.name.com:8443/
Resolving domain.name.com (domain.name.com)... 
Caching domain.name.com => 
Connecting to domain.name.com (domain.name.com)||:8443...
connected.
Created socket 3.
Releasing 0x0186e340 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.


[root@hostname ~]# curl -k https://domain.name.com:8443 -insecure -v
* Couldn't find host domain.name.com in the .netrc file; using defaults
* About to connect() to domain.name.com port 8443 (#0)
*   Trying ...
* Connected to domain.name.com () port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
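Neither wget's "SSL handshake failed" nor curl's PR_END_OF_FILE_ERROR says which side gave up or why. The script below is an added diagnostic, not part of Paul's message: it asks the server directly with openssl s_client, once per protocol version, and turns s_client's output into a one-word verdict. The classification strings are the ones OpenSSL 1.0.2 prints and the sample outputs in the comments are constructed; a "not-supported-by-client" result says something about the local openssl build, not about the server.

```shell
#!/bin/sh
# Added example: probe a TLS endpoint one protocol version at a time.
# handshake_status() classifies s_client output; tls_probe() drives it.

# Heuristic classification of s_client's combined stdout+stderr.
# "Verify return code" is printed only after the handshake completed
# (the code itself may still report a certificate problem).
handshake_status() {
    out="$1"
    case "$out" in
        *"Verify return code"*)   echo completed ;;
        *"unknown option"*)       echo not-supported-by-client ;;  # e.g. -ssl3 compiled out
        *"alert"*)                echo rejected-by-alert ;;        # server sent a TLS alert
        *"errno=0"*|*"unexpected eof"*|*"EOF"*)
                                  echo closed-without-alert ;;     # server just hung up
        *)                        echo failed ;;
    esac
}

# Try each version against host:port. -servername sends SNI, which many
# servers need before they will answer at all; </dev/null ends s_client
# right after the handshake instead of waiting for input.
tls_probe() {
    host="$1"; port="${2:-443}"
    for ver in -ssl3 -tls1 -tls1_1 -tls1_2; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "$ver" </dev/null 2>&1)
        printf '%-8s %s\n' "$ver" "$(handshake_status "$out")"
    done
}

# Usage: ./tlsprobe.sh domain.name.com 8443
if [ -n "${1:-}" ]; then
    tls_probe "$1" "${2:-443}"
fi
```

Read the table as a pair: a version the client cannot even offer is a local build limit (wget's `--secure-protocol=SSLv3` falls into that category on a build without SSLv3), "rejected-by-alert" means the server answered and refused, and "closed-without-alert" matches the curl output above, where the peer dropped the connection without saying why.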


Re: [openssl-users] [ANN] M2Crypto 0.27.0

2017-10-10 Thread Blumenthal, Uri - 0553 - MITLL
I have to report that this M2Crypto release is broken, as it cannot find 
OpenSSL installed in /opt/local (apologies for spamming multiple lists and 
people):

/usr/bin/clang -fno-strict-aliasing -fno-common -dynamic -pipe -Os -DNDEBUG -g 
-fwrapv -O3 -Wall -Wstrict-prototypes 
-I/opt/local/Library/Frameworks/Python.framework/Versions/2.7/include/python2.7 
-I/private/tmp/pip-build-lqb2R6/M2Crypto/SWIG -c SWIG/_m2crypto_wrap.c -o 
build/temp.macosx-10.12-x86_64-2.7/SWIG/_m2crypto_wrap.o 
-Wno-deprecated-declarations
SWIG/_m2crypto_wrap.c:2894:9: warning: variable 'res' is used uninitialized 
whenever 'if' condition is true [-Wsometimes-uninitialized]
if (PyType_Ready(tp) < 0)
^~~~
SWIG/_m2crypto_wrap.c:2918:10: note: uninitialized use occurs here
  return res;
 ^~~
SWIG/_m2crypto_wrap.c:2894:5: note: remove the 'if' if its condition is 
always false
if (PyType_Ready(tp) < 0)
^
SWIG/_m2crypto_wrap.c:2875:10: note: initialize the variable 'res' to 
silence this warning
  int res;
 ^
  = 0
SWIG/_m2crypto_wrap.c:3554:10: fatal error: 'openssl/err.h' file not found
#include <openssl/err.h>
         ^~~~~~~~~~~~~~~
1 warning and 1 error generated.
error: command '/usr/bin/clang' failed with exit status 1


Command 
"/opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
 -u -c "import setuptools, 
tokenize;__file__='/private/tmp/pip-build-lqb2R6/M2Crypto/setup.py';f=getattr(tokenize,
 'open', open)(__file__);code=f.read().replace('\r\n', 
'\n');f.close();exec(compile(code, __file__, 'exec'))" install --record 
/tmp/pip-VYOp3p-record/install-record.txt --single-version-externally-managed 
--compile" failed with error code 1 in /private/tmp/pip-build-lqb2R6/M2Crypto/

--
Regards,
Uri Blumenthal

On 10/5/17, 18:06, "openssl-users on behalf of Matěj Cepl" wrote:

M2Crypto is the most complete Python wrapper for OpenSSL
featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric
ciphers; SSL functionality to implement clients and servers;
HTTPS extensions to Python’s httplib, urllib, and xmlrpclib;
unforgeable HMAC’ing AuthCookies for web session management;
FTP/TLS client and server; S/MIME. M2Crypto can also be used to
provide SSL for Twisted. Smartcards supported through the Engine
interface.

This is another less earth-shattering release (after 0.26.2 which
brought us OpenSSL 1.1.0 compatibility), one more step towards
Python 3 compatibility nirvana, still more cleanups and
accumulated bug fixes, which could be resolved before the big
python3 branch is merged.

The release is available on
https://pypi.python.org/pypi/M2Crypto/ and all communication with
the maintainer (that’s me) should go to
https://gitlab.com/m2crypto/m2crypto.

Talking about the python3 branch, ALL TESTS PASS on all Pythons
from 2.6, 2.7, 3.3 to 3.6!!!

Now is the time to test, help with review, and complain about
whatever is wrong! I will still keep API stable, but changes are
relatively large, so this is your opportunity to suggest whatever
substantial thing you don't like with M2Crypto. I may not make it
happen in 0.28 (which I expect to be Py3k-compatible release),
but for settling the dust down and cleanup I prepare already
0.29, which should include yet more accumulated merge requests
and bugfixes, this time ones which should be better served with
python 3 layer already happening.

Happy hacking!

Matěj

-- 
https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5  BC1D 7920 5802 880B C9D8
  
Quod fuimus, estis; quod sumus, vos eritis.





[openssl-users] Enable FIPS mode using OPENSSL_config()

2017-10-10 Thread security veteran
Hi All:

My understanding is that by using OPENSSL_config(), we will be able to enable
FIPS mode globally on the system. Is that correct?

My question is, if we enable FIPS mode through configuration and using
OPENSSL_config(), does it mean that for all the applications which link to the
OpenSSL library, the FIPS_mode_set() function will be invoked
automatically (at some level), even if these applications are not modified
to invoke FIPS_mode_set() themselves?

The reason I ask is mainly because I am evaluating how I should modify my
server platform and applications in order to adopt the FIPS capable OpenSSL
library into the platform.

From the previous suggestions seen in this forum, it looks like the best
strategy is to select only a few important applications to make them run
under FIPS mode, and that way we only need to modify these applications to
allow them to invoke FIPS_mode_set().

My assumption is, for those applications which link to OpenSSL but are not
FIPS aware, even if we run OPENSSL_config() to enable FIPS mode globally,
they will still be running in non-FIPS mode and they won't be impacted or
crash because they are not FIPS compatible. Is my understanding correct?

Thanks.


[openssl-users] openssl.cnf asking Subject Alternative Names certificates.

2017-10-10 Thread Jorge Novo
Hi everyone,

  As most of us know, the Google Chrome browser asks for the Subject
Alternative Name instead of the Common Name.

I want to distribute a little openssl.cnf file for creating the CSR files
with my specific values and establish Subject Alternative Name = Common
Name. I want to ask for the CN and assign this value to the SAN.

This is my beta openssl.cnf file:

Sorry for the comments in Spanish.

I do not know how to set a variable (CN variable) to assign to the SAN value.


----8<----8<----8<----8<----8<----8<----8<----8<----8<----
#
# This file generates the CSRs for our systems with the agreed
# parameters.
#
# openssl genrsa -aes256 -out www.rra.lan.key 2048 -config opensslMiCasa.cnf
#

# Set a working directory, the current one to be exact.

dir = .

[ req ]
default_bits            = 2048                  # Size of keys
default_keyfile         = key.pem               # name of generated keys
default_md              = sha256                # message digest algorithm
string_mask             = nombstr               # permitted characters
distinguished_name      = req_distinguished_name
req_extensions          = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-----------------------------  ---------------------------------------------
0.organizationName              = Nombre de la Organizacion
organizationalUnitName          = Mi Casa [Desarrollo|Infraestructuras|Laboratorio]
emailAddress                    = Cuenta de Correo
emailAddress_max                = 64
localityName                    = Localidad
stateOrProvinceName             = Comunidad Autónoma
countryName                     = ISO 3166-1 Codigo de País
countryName_min                 = 2
countryName_max                 = 2
commonName                      = Common Name

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#-----------------------------  ---------------------------------------------
0.organizationName_default      = Mi Casa
organizationalUnitName_default  = Mi Casa Infraestructuras
localityName_default            = Madrid
stateOrProvinceName_default     = Comunidad de Madrid
countryName_default             = ES

[ v3_req ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
subjectAltName          =
---->8---->8---->8---->8---->8---->8---->8---->8---->8----


---

Regards.

http://www.rodeiroag.es/
http://soloeningles.blogspot.com/
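An OpenSSL config file cannot read back what the user typed at a DN prompt, but every value in it can expand an environment variable with the `${ENV::NAME}` syntax. The wrapper below is an added example, not Jorge's config: it takes the CN as an argument, exports it, and writes a `prompt = no` request config in which the same variable feeds both commonName and subjectAltName. The DN defaults (Mi Casa, Madrid, ES) are taken from the config above; the host name `www.rra.lan` comes from its comment; the file names and the `utf8only` string_mask are this example's own choices.

```shell
#!/bin/sh
# Added example: generate a CSR whose SAN equals its CN, with the CN
# supplied once through the environment and expanded by OpenSSL itself.

# Print a req config that reads the CN from the $CN environment variable.
# The here-doc is quoted ('EOF') so the shell leaves ${ENV::CN} untouched
# and OpenSSL performs the expansion when it loads the file.
write_cnf() {
    cat <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
string_mask         = utf8only
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = v3_req

[ req_distinguished_name ]
C  = ES
ST = Comunidad de Madrid
L  = Madrid
O  = Mi Casa
OU = Mi Casa Infraestructuras
CN = ${ENV::CN}

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName       = DNS:${ENV::CN}
EOF
}

# make_csr CN [outdir]: write key, CSR and config into outdir, then print
# the SAN that actually ended up in the CSR (read back with -text, so a
# mistake in the config shows up here rather than at the CA).
make_csr() {
    CN="$1"; export CN
    dir="${2:-$(mktemp -d)}"
    # Only accept plain DNS labels; anything else would be a bad SAN anyway.
    case "$CN" in
        ''|*[!A-Za-z0-9.-]*) echo "refusing CN '$CN'" >&2; return 1 ;;
    esac
    write_cnf > "$dir/req.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$CN.key" -out "$dir/$CN.csr" \
        -config "$dir/req.cnf" 2>/dev/null || return 1
    openssl req -in "$dir/$CN.csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Usage: ./mkcsr.sh www.rra.lan [outdir]   (prints e.g. DNS:www.rra.lan)
if [ -n "${1:-}" ]; then
    make_csr "$1" "${2:-}"
fi
```

If an interactive prompt is wanted, replace the argument with a `read CN` before the export; the config itself stays the same. Keep `prompt = no` in the distributed file: with prompting on, the DN values and the SAN would come from two different sources and could silently disagree.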


Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-10 Thread murugesh pitchaiah
Hi,

That Redhat/Fedora patch is based on the openssl library alone.
But I am using the FIPS canister approach, where I use both the openssl and
openssl-fips-ecp libraries.

Though the Redhat/Fedora patch is OK, it is not straightforwardly
portable to the canister model.

Any idea of patches available for this kind of FIPS canister usage?

Thanks,
Murugesh P.

On 10/10/17, Marcus Meissner wrote:
> Hi,
>
> On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote:
>> Hi,
>>
>> Thanks for the comment.
>>
>> I know that openSSL is not 186-4 compliant. That is why I am looking
>> for anybody have the patch for the same.
>>
>> I see there are some works in Fedora:
>> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch
>
> Yes, the FIPS 140-2 patches done by Redhat provide a FIPS 186-3 or 186-4
> enabled key generation.
>
> There are some small adjustments that could be merged back into the generic
> e.g. RSA key generation.
>
> Ciao, Marcus
>


Re: [openssl-users] Openssl FIPS 186-4 Patch

2017-10-10 Thread Marcus Meissner
Hi,

On Mon, Oct 09, 2017 at 05:24:17PM +0530, murugesh pitchaiah wrote:
> Hi,
> 
> Thanks for the comment.
> 
> I know that openSSL is not 186-4 compliant. That is why I am looking
> for anybody have the patch for the same.
> 
> I see there are some works in Fedora:
> http://pkgs.fedoraproject.org/cgit/rpms/openssl.git/tree/openssl-1.1.0-fips.patch

Yes, the FIPS 140-2 patches done by Redhat provide a FIPS 186-3 or 186-4 enabled
key generation.

There are some small adjustments that could be merged back into the generic
e.g. RSA key generation.

Ciao, Marcus

