Re: [openssl-users] May I ask you about the master-key in openssl s_client command result?
Hi, Just an Info, may not be relevant. If extended master secret is enabled,(by default on all browsers now a days) the computation of master secret is different. https://tools.ietf.org/html/rfc7627#section-4 On Thu, Sep 27, 2018 at 7:25 AM Viktor Dukhovni wrote: > > > > On Sep 26, 2018, at 9:19 PM, 이영주 wrote: > > > > I wonder why master-key is revealed in plaintext in the results below. > > (used command : Openssl s_client -connect host:port) > > Because s_client is a debugging tool, and a source of example code > that demonstrates many elaborate features of the API from which you > can pic and chose the functions that are useful to you. The s_client > command is NOT designed to be used for any non-diagnostic purposes. > > > Does it matter if the master key is exposed in plaintext? > > That's a feature. You can check when using s_server that both computed > the same key. > > > And I wonder what role this master key plays. > > https://tools.ietf.org/html/rfc5246#section-8.1 > https://tools.ietf.org/html/rfc5246#appendix-A.6 > https://tools.ietf.org/html/rfc5246#section-6.3 > https://tools.ietf.org/html/rfc5246#section-7.4.9 > https://tools.ietf.org/html/rfc5246#appendix-F.1.1 > https://tools.ietf.org/html/rfc5246#appendix-F.1.4 > https://tools.ietf.org/html/rfc5246#appendix-F.2 > > -- > Viktor. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- Stiju Easo The unexamined life is not worth living for man. Socrates, in Plato, Dialogues, Apology Greek philosopher in Athens (469 BC - 399 BC) -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] May I ask you about the master-key in openssl s_client command result?
> On Sep 26, 2018, at 9:19 PM, 이영주 wrote: > > I wonder why master-key is revealed in plaintext in the results below. > (used command : Openssl s_client -connect host:port) Because s_client is a debugging tool, and a source of example code that demonstrates many elaborate features of the API from which you can pic and chose the functions that are useful to you. The s_client command is NOT designed to be used for any non-diagnostic purposes. > Does it matter if the master key is exposed in plaintext? That's a feature. You can check when using s_server that both computed the same key. > And I wonder what role this master key plays. https://tools.ietf.org/html/rfc5246#section-8.1 https://tools.ietf.org/html/rfc5246#appendix-A.6 https://tools.ietf.org/html/rfc5246#section-6.3 https://tools.ietf.org/html/rfc5246#section-7.4.9 https://tools.ietf.org/html/rfc5246#appendix-F.1.1 https://tools.ietf.org/html/rfc5246#appendix-F.1.4 https://tools.ietf.org/html/rfc5246#appendix-F.2 -- Viktor. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] May I ask you about the master-key in openssl s_client command result?
Hello. I am a person working in Korea. I have a question. I wonder why master-key is revealed in plaintext in the results below. (used command : Openssl s_client -connect host:port) (skip) SSL-Session Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID : C3921E69... Session-ID-ctx: Master-Key : 6244A1C4B9D48A6C2100198... (skip) Does it matter if the master key is exposed in plaintext? And I wonder what role this master key plays. Thank you for your detailed answer. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Need help for porting RSA_verify
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Prajapati, Amit > Sent: Wednesday, September 26, 2018 02:03 > For one of my application I am trying to port > “RSA_verify()”(crypto/rsa/rsa_sign.c) function from > openssl for verification of the signature. What do you mean by "port"? Are you trying to extract the relevant code from the OpenSSL source and incorporate it into your application? If so, you're Doing It Wrong. Don't try to do that. Link with OpenSSL (or at least libcrypto) and call the public OpenSSL APIs you need. > While compilation I am not able to find the definition of “d2i_X509_SIG()” > and “X509_SIG_free()” > functions which is called from the “int_rsa_verify()”. Probably because they're defined using macros. You haven't told us what OpenSSL version you're looking at (next time, please think about what information might be needed by the people who could answer your question), but if it's the 1.0.2 series, d2i_X509_SIG is defined in crypto/asn1/asn1t.h, for example. It's defined using a token-pasting macro, so search for "d2i_##". But trying to lift this code out of the OpenSSL source will be an exercise in frustration, and if you ever got something to compile, likely a disaster. Do not attempt to create your own cryptography implementation, even using pieces of someone else's. > I tried to find it in google but I am getting only openssl man pages. Yes, because OpenSSL provides an API for applications. Use it. > Any other suggestions for porting RSA_verify will also be welcomed. Don't. Use OpenSSL properly instead. -- Michael Wojcik Distinguished Engineer, Micro Focus -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] An example issuing an intermediate CA with policy mappings?
> On Sep 25, 2018, at 14:34, Krehbiel, Richard wrote: > > For my testing I want to explore the behaviors of policies, policy > constraints, and policy mappings. I have figured out how to request and > issue certs with custom policy OIDs, but I haven't yet seen a method of > granting an intermediate cert with policy mappings. Can openssl do this? > How? Thanks. Yes, I've used "openssl ca" to make certs with policy mappings in the past. Try something like this in your openssl.cnf, for use with "openssl ca -extensions test_ext" for example. (I haven't tested with these exact values, but it should be a starting point.) [openssl_init] oid_section = new_oids ... [new_oids] issuerOID = Issuer Domain Policy, 1.2.3.4.5 subjectOID = Subject Domain Policy, 1.3.5.7.9 ... [test_ext] policyMappings = @policy_mappings ... [policy_mappings] issuerOID = subjectOID And if you want to map more than one subject domain policy OID to the same issuer domain policy OID, you can use issuerOID.0, issuerOID.1, issuerOID.2, etc, to differentiate them in the policy_mappings section. Good luck, -Dave -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Certificate format question?
> -Ursprüngliche Nachricht- > In the meantime: > >$ perl -ne 'print if (/^-BEGIN/../^-END/);' foo.pem | >openssl asn1parse > > > On Sep 25, 2018, at 1:15 PM, Hubert Kario wrote: > > > > then it looks like the parser used in asn1parse -inform pem is non- > > compliant... > > > > https://github.com/openssl/openssl/issues/7317 Starting with version 1.1.0, the asn1parse has the -strictpem option to deal with exactly this case. I just submitted a pull request on GitHub which attempts to make RFC compliance the default behavior and introduces a new '-inform b64' option for raw base64 parsing. https://github.com/openssl/openssl/pull/7320 I would be interested in your (the users) opinion about whether this should become the new default in the future, or whether raw base64 parsing should remain the default. Matthias -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Need help for porting RSA_verify
Hi For one of my application I am trying to port "RSA_verify()"(crypto/rsa/rsa_sign.c) function from openssl for verification of the signature. While compilation I am not able to find the definition of "d2i_X509_SIG()" and "X509_SIG_free()" functions which is called from the "int_rsa_verify()". I tried to find it in google but I am getting only openssl man pages. Could someone please help me how to get the definition of these functions. Any other suggestions for porting RSA_verify will also be welcomed. Thanks & Regards, Amit -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users