Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf 
Here is serverCA.pem as a file and as text

-BEGIN CERTIFICATE-
MIICJTCCAY4CCQCS+4ZH1+sfwzANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJY
WDELMAkGA1UECAwCWFgxDTALBgNVBAcMBHRlc3QxGTAXBgNVBAoMEFRlc3Rvcmdh
bmlzYXRpb24xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTcxMTMwMDczMDEzWhcNMTcx
MjMwMDczMDEzWjBYMQswCQYDVQQGEwJYWDELMAkGA1UECAwCWFgxDTALBgNVBAcM
BHRlc3QxGTAXBgNVBAoMEFRlc3RvcmdhbmlzYXRpb24xEjAQBgNVBAMMCVNlcnZl
ciBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuvN7K+Pm7eTskAGZBVli
lBbr8P0Hjl0TOIUEckgFSHbCC7tjecdJS9IzXXVv8nnHVdsjTbZKiYK2/6od0gcb
TWjI9T2HtnYFvUoKedgn4A2np3s5E4V707ACyw49J9mmiqBlfKg6cnOpYa+ZOZfl
95yNPUq9rK9KgDHXRseaP2UCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCq0JJnFwD+
M3+5lCxjbs7PAiV32d8eiT9r/QJUcwQ2VMFapTUnS51VVfGf1HIQmuA9QuKKr4Cq
AJIWPRZJmt+UE2PfUJlQhx6gUl7siyNMKOj48/wQ/I1yHT9ArIlCGNWAA9+tJP90
w07g3qwBet+wYmcbhYS9xNSJeUEhRtZZBg==
-END CERTIFICATE-
-BEGIN PRIVATE KEY-
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALrzeyvj5u3k7JAB
mQVZYpQW6/D9B45dEziFBHJIBUh2wgu7Y3nHSUvSM111b/J5x1XbI022SomCtv+q
HdIHG01oyPU9h7Z2Bb1KCnnYJ+ANp6d7OROFe9OwAssOPSfZpoqgZXyoOnJzqWGv
mTmX5fecjT1KvayvSoAx10bHmj9lAgMBAAECgYAa021NMvqkEEFRuKj4d4cJsPBS
ODypVPm5Fn042NTJPSFDBbSUeOAvnQ35zywtIwRTcYpzUEEJ0lPoA8UbqiFkjvpb
KtsyHmxxoCcyX7YWCCS0N7Z1pMzqTJNlpoLGt9l4hysqI87oiQxhr+wqcFimUXCn
cWFXqX+L0nWHv1AUAQJBAPXcn9dftsvqvjkL5lwxw0VZzuvt/B3zrPt0iGWnLWOb
OBfPs2mhe4dbxOH/V/Z9d2fQ5D13xzYBE/SjgWrXz6UCQQDCqPs0jAq6JsFPQc0d
3jfV10FM6BLZ58fuOJzEczWETbwjpxBgpsjBREhL3OSqXKsNPJiWj83gUXHYxNxs
jaTBAkEAnMVyksWwbLShWQTSfcUpa4ZJoD0e/wZLLgfvlUoVcicejGhfUaKrfvMw
Rp8oOr9kLSmQ7/T5bOEhFWRQ+IzmFQJANPxoPHpuJRONhPRlT98AFc4c8UEueG/1
5Os2COdPRu8d6hp8g8KCXNEoWLYM7C6DRPwckMceBBRHR/j2AvpfQQJBAKu0I6XE
CZxyoPv1mRqTR7rU2dUQfrKGOccj8h8HFLbq2oWp+I9dnwRrWaPGlrmBLzoc49Fz
qpj4m4Bv4xA94Uc=
-END PRIVATE KEY-
-BEGIN CERTIFICATE-
MIICIzCCAYwCCQC1OoUz04RMqDANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJY
WDELMAkGA1UECAwCWFgxDTALBgNVBAcMBHRlc3QxGTAXBgNVBAoMEFRlc3Rvcmdh
bmlzYXRpb24xEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMTcxMTMwMDcyOTA0WhcNMTcx
MjMwMDcyOTA0WjBWMQswCQYDVQQGEwJYWDELMAkGA1UECAwCWFgxDTALBgNVBAcM
BHRlc3QxGTAXBgNVBAoMEFRlc3RvcmdhbmlzYXRpb24xEDAOBgNVBAMMB1Jvb3Qg
Q0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJnOIgoR56VGV+3waIP6xqX
fD31MUXL0+24W8QL6N7fSrpNbGwB8koUMAYIibMGL/d0WvkbzNq7415J87Qz7VDv
VWvuDsl8QNixHqN2HhUPwBTGUPMVR7Zda3oH0YstXgrf05bnMjTkK/m39mOE7PrN
d9R++4btVwLuhlfO8WNnAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAmlpfCIlsO+hw
PcyIF48wPXrd9/UWf8bNWMQ0wsMJCIxlHzb+dHaM/2B06oRbwfwvj/rdcA4hueJF
HY1fvva2E7YEpaGAKoT1LKQhadyJBf5a7UIhEzUV/OUsIfYCDzmF4DmwI5biBZpy
S887uY+40OP1b1NXktdPF3ejjYKZC7U=
-END CERTIFICATE-


2017-11-29 18:38 GMT+01:00 Viktor Dukhovni :

>
>
> > On Nov 29, 2017, at 10:57 AM, Pascal Withopf 
> wrote:
> >
> > $ openssl x509 -in serverCA.pem -noout -purpose
> >
> > ...
> >
> > If the purpose is incorrect how can I set it?
> >
> > 2017-11-29 16:48 GMT+01:00 Viktor Dukhovni :
> > On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
> >
> >>>  err 24:invalid CA certificate
> >>
> >> The intermediate CA extensions are likely incorrect.  Post
> >> the certificate in question.
>
> Post the certificate in question.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


serverCA.pem
Description: Binary data
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown 
On 11/29/2017 6:13 PM, Salz, Rich via openssl-users wrote:
> I agree with you, but a problem is that “safe and secure” changes over
> time when new  crypto and other new features are added. And then users
> get upset when their connections no longer work.

Agreed, that's a tough trade-off.

Still, I'd rather have compatibility problems - as long as there's a way
to explicitly request the less-secure option - than silently be insecure.

Having per-user or system-wide configuration files that are consulted
under the covers would help, since then the user could revert to
less-secure settings without needing the application source.  Maybe have
the "create handle" function take an application name as an argument, so
that individual applications could be managed separately.

Looking at it another way:  browsers manage to do it...

-- 
Jordan Brown, Oracle Solaris

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users 
> My number one complaint is that it seems like the defaults are generally set 
> up to do the wrong things, and the application has to either explicitly set 
> "yes, you should be secure" options or do stuff on its own.  This seems to 
> have been getting better - gaining hostname validation, for instance - but 
> really a client should be able to say "give me a secure connection to 
> host:port" and have sensible and secure things happen with a single call.  
> Maybe two, one to create a handle and the other to actually set up the 
> connection (to allow for intervening calls that customize the connection).

I agree with you, but a problem is that “safe and secure” changes over time 
when new  crypto and other new features are added. And then users get upset 
when their connections no longer work.

I think the right approach is to be able to specify a policy, then at least you 
know what you’re signing up for. Right now it’s a collection of low-level 
things.  And the policy is “SECLEVEL” which ain’t great.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jordan Brown 
On 11/29/2017 8:53 AM, Salz, Rich via openssl-users wrote:
> I am biased, but I believe the project is better, by almost any
> metric, then it used to be. If you have specific suggestions for how
> you think it could be improved, it would be great to see them. 


My number one complaint is that it seems like the defaults are generally
set up to do the wrong things, and the application has to either
explicitly set "yes, you should be secure" options or do stuff on its
own.  This seems to have been getting better - gaining hostname
validation, for instance - but really a client should be able to say
"give me a secure connection to host:port" and have sensible and secure
things happen with a single call.  Maybe two, one to create a handle and
the other to actually set up the connection (to allow for intervening
calls that customize the connection).

-- 
Jordan Brown, Oracle Solaris

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users 
➢ It probably wouldn't hurt to post something to the lists when there's a blog 
post with news like this  - items that subscribers would likely feel is 
important. Blog posts like the recent "OpenSSL in China" series probably don't 
need to be mentioned on the lists. But it's subjective, and I wouldn't want to 
create more work for anyone.

It’s a lot easier than writing the blog posts (

We should have been doing this from the very beginning, oops.  We’ll try to do 
better.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik 
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Salz, Rich via openssl-users
> Sent: Wednesday, November 29, 2017 11:54
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] FIPS certification for openssl
>

[I wrote:]
 > > That said, it wouldn't hurt for the OMC to post a message to the list 
 > > stating
> > that business will continue as planned, since two very key figures have left
> > the project.
> 
> I have two reactions, just my personal view.  First, it’s premature to say
> anything, we’re still figuring things out. Second, what open source project
> can guarantee that things will continue as they were after people left?  Or
> the larger question, what guarantees can any project really make?

That's fair. And on further consideration I'll withdraw the "to the list" part.

[Jakob wrote:]

> >  Anywhere but the well established and independently archived public
> > mailing lists.
> 
> It’s not the same Internet that it used to be…  Lots of discussion happens on
> GitHub issues these days, which I’m not thrilled with either.  (Hey you kids,
> get off my lawn.)   It seems that posting a note to the lists would be useful
> whenever we post a blog entry?

I can't speak for Jakob, of course. I was surprised to learn of the blog posts, 
because I hadn't been following the blog; if I knew it existed at some point, 
I'd forgotten. But I'm following it now.

It probably wouldn't hurt to post something to the lists when there's a blog 
post with news like this  - items that subscribers would likely feel is 
important. Blog posts like the recent "OpenSSL in China" series probably don't 
need to be mentioned on the lists. But it's subjective, and I wouldn't want to 
create more work for anyone.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Viktor Dukhovni 


> On Nov 29, 2017, at 10:57 AM, Pascal Withopf  wrote:
> 
> $ openssl x509 -in serverCA.pem -noout -purpose
> 
> ...
> 
> If the purpose is incorrect how can I set it?
> 
> 2017-11-29 16:48 GMT+01:00 Viktor Dukhovni :
> On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
> 
>>>  err 24:invalid CA certificate
>> 
>> The intermediate CA extensions are likely incorrect.  Post
>> the certificate in question.

Post the certificate in question.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Mark Minnoch 
If you need a FIPS resource for the OpenSSL FIPS Object Module -- my
business partner (Steve Weymann) and I worked with Steve Marquess when we
were at a FIPS Testing Lab to achieve the FIPS 140-2 Cert. #1747 for the
OpenSSL FIPS Object Module.

We are now helping technology companies that need FIPS testing of the
OpenSSL FOM on specific operating systems. We also perform Private Label
validations to rebrand the OpenSSL FOM for our clients.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users 
> That said, it wouldn't hurt for the OMC to post a message to the list stating 
> that business will continue as planned, since two very key figures have left 
> the project.

I have two reactions, just my personal view.  First, it’s premature to say 
anything, we’re still figuring things out. Second, what open source project can 
guarantee that things will continue as they were after people left?  Or the 
larger question, what guarantees can any project really make?

➢ Indeed, over the past few years I have seen an increasing tendency to hide 
monumental news in the blog, in press releases etc.

To pick a nit, it’s just the blog.  The press release was copied to the blog, 
and I don’t know of anything that would qualify as “etc” -- can you remind me?  
We started using the blog because we thought it would be a better way to get 
higher-quality information out, without being swallowed up by the volume of 
email messages.

➢  Anywhere but the well established and independently archived public mailing 
lists.

It’s not the same Internet that it used to be…  Lots of discussion happens on 
GitHub issues these days, which I’m not thrilled with either.  (Hey you kids, 
get off my lawn.)   It seems that posting a note to the lists would be useful 
whenever we post a blog entry?  

>One really has to wonder if this is still OpenSSL that the world has known 
> and loved for 20 years, or just some expensive imitation.

I am biased, but I believe the project is better, by almost any metric, then it 
used to be.  If you have specific suggestions for how you think it could be 
improved, it would be great to see them.



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Jakob Bohm 

On 29/11/2017 14:58, Michael Wojcik wrote:

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Sandeep Umesh
Sent: Wednesday, November 29, 2017 07:30
To: openssl-users@openssl.org; i...@openssl.org
As per this blog:
https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Thanks for pointing that out. I somehow hadn't even noticed there was an 
official OpenSSL blog (I'm now subscribed). I see from it that Steve Henson is 
also leaving (or has left) the project.


Steve who is instrumental in handling FIPS certification for openssl object 
module is no more associated with OSF.
How can we proceed for future FIPS certification ? Is there any other contact 
person to perform FIPS certification for
openssl object module ?

In homage to Steve, I'd like to point out that there's no such thing as "FIPS 
certification". Presumably you mean FIPS validation.

I assume that the OpenSSL Management Committee will find someone else to take 
on the various roles Steve Marquess filled over the years, including 
shepherding the FIPS validations through. Now that the OpenSSL Project is 
bigger and better-funded, it's quite possible FIPS validation, and other 
aspects, won't be as closely associated with a single person as they 
historically were.

And that's good, generally speaking; they should be owned by the Project and 
the OMC. While I'm sure we're all grateful to Steve M for his work with OpenSSL 
over the years - and I for one will miss hearing from him on this list, on 
matters FIPS-related and others - for a project as important as OpenSSL it's 
not really healthy for users to see aspects of it as tied to an individual.

That said, it wouldn't hurt for the OMC to post a message to the list stating 
that business will continue as planned, since two very key figures have left 
the project.


Indeed, over the past few years I have seen an increasing tendency
to hide monumental news in the blog, in press releases etc. Anywhere
but the well established and independently archived public mailing lists.

One really has to wonder if this is still OpenSSL that the world has
known and loved for 20 years, or just some expensive imitation.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf 
$ openssl x509 -in serverCA.pem -noout -purpose

gave me this

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

If the purpose is incorrect how can I set it?

2017-11-29 16:48 GMT+01:00 Viktor Dukhovni :

> On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:
>
> > Which means I have the following certificate chain:
> > root.pem -> serverCA.pem -> server.pem
> >
> > But when I try to make a connection I see following error at the client
> > side:
> > Error with certificate at depth: 1
> > issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
> > subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
> > err 24:invalid CA certificate
>
> The intermediate CA extensions are likely incorrect.  Post
> the certificate in question.
>
> > Did I do something wrong creating the certificates?
>
> Likely yes.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Viktor Dukhovni 
On Wed, Nov 29, 2017 at 04:33:39PM +0100, Pascal Withopf wrote:

> Which means I have the following certificate chain:
> root.pem -> serverCA.pem -> server.pem
> 
> But when I try to make a connection I see following error at the client
> side:
> Error with certificate at depth: 1
> issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
> subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
> err 24:invalid CA certificate

The intermediate CA extensions are likely incorrect.  Post
the certificate in question.

> Did I do something wrong creating the certificates?

Likely yes.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Problem verifying a certificate chain

2017-11-29 Thread Pascal Withopf 
Hi,

I'm reading the book "Network Security with OpenSSL" published by O'Reilly
at the moment.
I'm following the example program and trying to establish a connection
between a server and a client.
I did the following to create my certificates:

To create the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout rootkey.pem -out
rootreq.pem
$ openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey
rootkey.pem -out rootcert.pem
$ cat rootcert.pem rootkey.pem > root.pem

To create the server CA and sign it with the root CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverCAkey.pem -out
serverCAreq.pem
$ openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA
root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
$ cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem

To create the server's certificate and sign it with the Server CA:
$ openssl req -newkey rsa:1024 -sha1 -nodes -keyout serverkey.pem -out
serverreq.pem
$ openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA
serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
$ cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem >
server.pem

Which means I have the following certificate chain:
root.pem -> serverCA.pem -> server.pem

But when I try to make a connection I see following error at the client
side:
Error with certificate at depth: 1
issuer  = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Root CA
subject = /C=XX/ST=XX/L=test/O=Testorganisation/CN=Server CA
err 24:invalid CA certificate

I get the same error with this command:
$ openssl verify -CAfile root.pem -untrusted serverCA.pem server.pem
server.pem: C = XX, ST = XX, L = test, O = Testorganisation, CN = Server CA
error 24 at 1 depth lookup:invalid CA certificate
OK

When I sign my server certificate directly with the root CA and leave the
server CA out everything works fine.

Did I do something wrong creating the certificates? Or where could the
problem be?

Best Regards
Pascal Withopf
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Salz, Rich via openssl-users 
We are no longer doing additional platforms for the existing certifications.

We are working on a plan for future FIPS validation, based on the 1.1.x line.

From: Sandeep Umesh 
Reply-To: openssl-users 
Date: Wednesday, November 29, 2017 at 7:30 AM
To: openssl-users , "i...@openssl.org" 

Subject: [openssl-users] FIPS certification for openssl


Hello

As per this blog:
https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Steve who is instrumental in handling FIPS certification for openssl object 
module is no more associated with OSF.
How can we proceed for future FIPS certification ? Is there any other contact 
person to perform FIPS certification for openssl object module ?
Thanks

Regards
Sandeep

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010 
On Wed, Nov 29, 2017 at 1:54 PM, Viktor Dukhovni  wrote:

> On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:
>
> > Try adding this to the verify_callback
> >
> >
> > static int verify_callback(int ok, X509_STORE_CTX *ctx)
> > {
> > X509   *cert = NULL;
> > char   *cert_DN = NULL;
> >
> > printf("ok = %d\n", ok);
> > cert= X509_STORE_CTX_get_current_cert(ctx);
> > cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0
> );
> > printf( "cert DN: %s\n", cert_DN);
> >
> > }
>
> You've left out the final "return ok;", and there's a new memory
> leak.  Closer would be:
>
>  static int verify_callback(int ok, X509_STORE_CTX *ctx)
>  {
>  X509   *cert = NULL;
>  char   *cert_DN = NULL;
>
>  printf("ok = %d\n", ok);
>  cert= X509_STORE_CTX_get_current_cert(ctx);
>  cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL,
> 0 );
>  printf( "cert DN: %s\n", cert_DN);
>
>  OPENSSL_free(cert_DN);
>  return ok;
>  }
>
>
With that code I've got this:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> Handshake Error 1
>

I can't really understand why this is happen since I'm creating the
certificates with the right way (at least I guess I'm doing this in the
right way).

Thanks for your help.
Kind regards.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Michael Wojcik 
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Sandeep Umesh
> Sent: Wednesday, November 29, 2017 07:30
> To: openssl-users@openssl.org; i...@openssl.org

> As per this blog:
> https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Thanks for pointing that out. I somehow hadn't even noticed there was an 
official OpenSSL blog (I'm now subscribed). I see from it that Steve Henson is 
also leaving (or has left) the project.

> Steve who is instrumental in handling FIPS certification for openssl object 
> module is no more associated with OSF. 
> How can we proceed for future FIPS certification ? Is there any other contact 
> person to perform FIPS certification for
> openssl object module ?

In homage to Steve, I'd like to point out that there's no such thing as "FIPS 
certification". Presumably you mean FIPS validation.

I assume that the OpenSSL Management Committee will find someone else to take 
on the various roles Steve Marquess filled over the years, including 
shepherding the FIPS validations through. Now that the OpenSSL Project is 
bigger and better-funded, it's quite possible FIPS validation, and other 
aspects, won't be as closely associated with a single person as they 
historically were.

And that's good, generally speaking; they should be owned by the Project and 
the OMC. While I'm sure we're all grateful to Steve M for his work with OpenSSL 
over the years - and I for one will miss hearing from him on this list, on 
matters FIPS-related and others - for a project as important as OpenSSL it's 
not really healthy for users to see aspects of it as tied to an individual.

That said, it wouldn't hurt for the OMC to post a message to the list stating 
that business will continue as planned, since two very key figures have left 
the project.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Viktor Dukhovni 
On Wed, Nov 29, 2017 at 09:56:35AM +0100, Jan Just Keijser wrote:

> Try adding this to the verify_callback
> 
> 
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>     X509   *cert = NULL;
>     char   *cert_DN = NULL;
> 
>     printf("ok = %d\n", ok);
>     cert    = X509_STORE_CTX_get_current_cert(ctx);
>     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
>     printf( "cert DN: %s\n", cert_DN);
> 
> }

You've left out the final "return ok;", and there's a new memory
leak.  Closer would be:

 static int verify_callback(int ok, X509_STORE_CTX *ctx)
 {
     X509   *cert = NULL;
     char   *cert_DN = NULL;
 
     printf("ok = %d\n", ok);
     cert    = X509_STORE_CTX_get_current_cert(ctx);
     cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
     printf( "cert DN: %s\n", cert_DN);

 OPENSSL_free(cert_DN);
 return ok;
 }

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Viktor Dukhovni 
On Wed, Nov 29, 2017 at 01:44:01PM +, wizard2...@gmail.com wrote:

> > > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > > {
> > > > printf("Verification callback OK!\n");
> > > > return 1;
> > > > }
> > > > ...
> > > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
> >
> > The above completely disables authentication of the peer certificate,
> > and makes your application vulnerable to man-in-the-middle attacks.
> > Perhaps that's OK, but often it is not.
> 
> Why did you say that code disable the authentication?

Because it is true.

Your verification callback overrides all certificate verification
failures by unconditionally returning "1" for success, regardless
of the "ok" value, or the error status in the X509_STORE_CTX.

> One thing that I didn't understand is what type of verification is made on
> SSL_CTX_set_verify function.

Clearly not, so you need to either find some documentation that
makes it clear to you (manpages, examples in other code, a book,
...) or not use that feature.  Calling functions whose meaning
you do not understand is a bad idea, especially in security-related
code.

> And what is supposed/right thing to do on  verify_callback in order to
> perform the client certificate authentication?

The right thing normally is not have a callback at all.  Or always
return the passed-in "ok" value, but log some information about
the certificate chain and any errors reported.

In rare situations you might choose to ignore very specific
error conditions, but getting that right requries a deeper
understanding of the implications.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010 
On Tue, Nov 28, 2017 at 9:11 PM, Viktor Dukhovni  wrote:

> On Tue, Nov 28, 2017 at 10:03:12AM +, wizard2...@gmail.com wrote:
>
> > I guess my problem is really related to verify callback
> > on SSL_CTX_set_verify function.
> > I just add to my code a dummy callback returning 1 and everything works
> > properly.
> >
> >
> > > int verify_callback (int ok, X509_STORE_CTX *ctx);
> > > int verify_callback (int ok, X509_STORE_CTX *ctx)
> > > {
> > > printf("Verification callback OK!\n");
> > > return 1;
> > > }
> > > ...
> > > SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>
> The above completely disables authentication of the peer certificate,
> and makes your application vulnerable to man-in-the-middle attacks.
> Perhaps that's OK, but often it is not.
>

Why did you say that code disable the authentication?
One thing that I didn't understand is what type of verification is made on
SSL_CTX_set_verify function.
And what is supposed/right thing to do on  verify_callback in order to
perform the client certificate authentication?

Kind regards.


> > The problem is that error don't tell much information about what's really
> > going on or what's really missing.
>
> When the verification callback is failing, the peer's certificate
> chain is either incomplete or is using a trust-anchor (root CA)
> that is not configured as trusted on your end.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread wizard2010 
Hi JJK,

I test you function and I've got this result:

> ok = 0
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
> ok = 1
> cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd


Why I see this 2 time?
When I create the certificates I didn't fill with any special information,
just type enter in every question that is made. Did you think this could
cause this issue?

Kind regards.


On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser  wrote:

> Hi,
>
> On 28/11/17 11:03, wizard2...@gmail.com wrote:
>
> Hi there.
>
> I guess my problem is really related to verify callback
> on SSL_CTX_set_verify function.
> I just add to my code a dummy callback returning 1 and everything works
> properly.
>
>
>> int verify_callback (int ok, X509_STORE_CTX *ctx);
>> int verify_callback (int ok, X509_STORE_CTX *ctx)
>> {
>> printf("Verification callback OK!\n");
>> return 1;
>> }
>> ...
>> SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER |
>> SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
>> ...
>
>
> The problem is that error don't tell much information about what's really
> going on or what's really missing.
> Thanks for your help.
>
> Now you've effectively disabled all security :)
>
> Try adding this to the verify_callback
>
>
> static int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
> X509   *cert = NULL;
> char   *cert_DN = NULL;
>
> printf("ok = %d\n", ok);
> cert= X509_STORE_CTX_get_current_cert(ctx);
> cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
> printf( "cert DN: %s\n", cert_DN);
>
> }
>
>
> that way, you will know whether your server is processing the right
> certificate chain.
>
> HTH,
>
> JJK
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS certification for openssl

2017-11-29 Thread Sandeep Umesh 

Hello

As per this blog:
https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Steve who is instrumental in handling FIPS certification for openssl object
module is no more associated with OSF.
How can we proceed for future FIPS certification ? Is there any other
contact person to perform FIPS certification for openssl object module ?
Thanks

Regards
Sandeep

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Jan Just Keijser 

Hi,

On 28/11/17 11:03, wizard2...@gmail.com wrote:

Hi there.

I guess my problem is really related to verify callback on SSL_CTX_set_verify 
function.
I just add to my code a dummy callback returning 1 and everything works 
properly.


int verify_callback (int ok, X509_STORE_CTX *ctx);
int verify_callback (int ok, X509_STORE_CTX *ctx)
{
printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | 
SSL_VERIFY_FAIL_IF_NO_PEER_CERT, dtls_verify_callback);
...


The problem is that error don't tell much information about what's really going 
on or what's really missing.
Thanks for your help.


Now you've effectively disabled all security :)

Try adding this to the verify_callback


static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509   *cert = NULL;
    char   *cert_DN = NULL;

    printf("ok = %d\n", ok);
    cert    = X509_STORE_CTX_get_current_cert(ctx);
    cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );
    printf( "cert DN: %s\n", cert_DN);

}


that way, you will know whether your server is processing the right certificate 
chain.

HTH,

JJK

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users