Drbg kat test data: Openssl-fips 2.0.16

2019-07-11 Thread Manish Patidar
Hi

There is DRBG KAT test data in fips_drbg_selftest.h (Openssl-fips-2.0.16).
Can anyone let me know what the source of these constant arrays is? A NIST
link or any other source will be helpful.

Regards
Manish


Re: How to use openssl smime sign the email body only

2019-07-11 Thread anyegongjue
Maybe I posted too much stuff. My problem is that the "openssl smime" command
signed everything fed to it. For example, I wanted to sign the following
email body.

/*Hi there,

This is an test email.*
/
And after signing, the email became something like below:

/Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
To: Kerry Fly 
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="5D53D58F876671D7CA85A8CD28305ABB"

This is an S/MIME signed message

--5D53D58F876671D7CA85A8CD28305ABB

*Hi there,

This is an test email.*

--5D53D58F876671D7CA85A8CD28305ABB
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIFAYJKoZIhvcNAQcCoIIIBTCCCAECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggVmMIIFYjCCBEqgAwIBAgISA2D+gfTao7ImMR5FeJceYRQOMA0G
...
Y/5+MrMjklc=

--5D53D58F876671D7CA85A8CD28305ABB--/


And if I pass the email content with some headers, smime will wrap the
header inside, too. Like below


/Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="5D53D58F876671D7CA85A8CD28305ABB"

This is an S/MIME signed message

--5D53D58F876671D7CA85A8CD28305ABB

*Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
To: Kerry Fly 
From: email_market...@xxx.com
Reply-To: email_market...@xxx.com
Subject: New T-shirt arrived
Message-ID: 
X-Mailer: xxx.com
X-MessageID: ABsLBhQBCA4
X-ListMember: kerry-...@xxx.com
Precedence: bulk
List-Unsubscribe:

List-Owner: 
Error-To: email_marketing_bou...@xxx.com
Bounces-To: email_marketing_bou...@xxx.com

Hi there,

This is an test email.*

--5D53D58F876671D7CA85A8CD28305ABB
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIFAYJKoZIhvcNAQcCoIIIBTCCCAECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggVmMIIFYjCCBEqgAwIBAgISA2D+gfTao7ImMR5FeJceYRQOMA0G
...
Y/5+MrMjklc=

--5D53D58F876671D7CA85A8CD28305ABB--/


Then the header inside smime cannot be seen by the receiver, like Gmail. And in
this way, I cannot send emails.

So my question is: is there a way to use "openssl smime" to sign some
email with headers?

Thank you in advance.



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: How to list ssl3 ciphers

2019-07-11 Thread Dennis Clarke

On 7/10/19 1:10 AM, shiva kumar wrote:

Hi,
How to List the ssl3 ciphers in openssl1.1.1
The command "openssl ciphers -ssl3" is not working. Please help me


jupiter # /usr/local/bin/openssl version
OpenSSL 1.1.1c  28 May 2019

jupiter # /usr/local/bin/openssl ciphers -help
Usage: ciphers [options]
Valid options are:
 -help              Display this summary
 -v                 Verbose listing of the SSL/TLS ciphers
 -V                 Even more verbose
 -s                 Only supported ciphers
 -tls1              TLS1 mode
 -tls1_1            TLS1.1 mode
 -tls1_2            TLS1.2 mode
 -tls1_3            TLS1.3 mode
 -stdname           Show standard cipher names
 -psk               include ciphersuites requiring PSK
 -srp               include ciphersuites requiring SRP
 -convert val       Convert standard name into OpenSSL name
 -ciphersuites val  Configure the TLSv1.3 ciphersuites to use
jupiter #

jupiter # /usr/local/bin/openssl ciphers -v -s -tls1_3
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any  Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any  Au=any  Enc=AESGCM(128) Mac=AEAD
jupiter #


However I seem to recall six of them really.

--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional


What's up with ectest?

2019-07-11 Thread Salz, Rich via openssl-users
Ectest has been broken for quite some time.  What are the plans to get it fixed?


Re: looks like the support for Heart beat extension is removed from openssl

2019-07-11 Thread Salz, Rich via openssl-users
  *   Why the support for Heart beat extension is removed from openssl.

Its intended use was to check MTU along the path.  That is not very useful any more.



  *   How to handle abnormal disconnection in DTLS?

You should be able to detect time-outs and “failure to close” in your 
application.


Re: RAND_seed buffer freeing

2019-07-11 Thread Matthias St. Pierre



On 11.07.19 12:00, tobias.w...@t-systems.com wrote:


I've one question regarding RAND_seed, the first parameter refers to a buffer, 
who is freeing that buffer afterwards? Can I free it after the call to 
RAND_seed or is this done by openssl?



You own the buffer, OpenSSL only reads its contents. So you can free it 
immediately after the call.
Note that before freeing it, you should erase the buffer contents for security 
reasons.

Actually, since OpenSSL 1.1.1, most applications don't need to worry about 
manual seeding anymore,
because the OpenSSL CSPRNG does it automatically. For more details, see

https://www.openssl.org/docs/man1.1.1/man7/RAND.html 


and

https://www.openssl.org/docs/man1.1.1/man7/RAND_DRBG.html 


HTH,

Matthias




Re: How to list ssl3 ciphers

2019-07-11 Thread Alexander Gryanko
Hi,

Ssl3 is deprecated and disabled by default. Rebuild your OpenSSL with 
enable-ssl3 enable-ssl3-method options. 

Sent from my iPhone

> On 11 Jul 2019, at 14:00, shiva kumar  wrote:
> 
> HI, 
> In OpenSSL 1.1.1 documentation it is mentioned as -ssl3 option is there as 
> follows, 
> openssl ciphers [-help] [-s] [-v] [-V] [-ssl3] [-tls1] [-tls1_1] [-tls1_2] 
> [-tls1_3] [-s] [-psk] [-srp] [-stdname] [-convert name] [-ciphersuites val] 
> [cipherlist]  
> 
> but, in the command line when I list the options with help command, it is not 
> showing ssl3 option as follows
> 
> $openssl ciphers -help
> Usage: ciphers [options]
> Valid options are:
>  -help              Display this summary
>  -v                 Verbose listing of the SSL/TLS ciphers
>  -V                 Even more verbose
>  -s                 Only supported ciphers
>  -tls1              TLS1 mode
>  -tls1_1            TLS1.1 mode
>  -tls1_2            TLS1.2 mode
>  -tls1_3            TLS1.3 mode
>  -stdname           Show standard cipher names
>  -psk               include ciphersuites requiring PSK
>  -srp               include ciphersuites requiring SRP
>  -convert val       Convert standard name into OpenSSL name
>  -ciphersuites val  Configure the TLSv1.3 ciphersuites to use
> 
> why it is not displaying the ssl3 option? please answer me.
> 
> Thanks and Regards
> Shivakumar
> 
> 
>> On Wed, Jul 10, 2019 at 10:40 AM shiva kumar  
>> wrote:
>> Hi, 
>> How to List the ssl3 ciphers in openssl1.1.1 
>> The command "openssl ciphers -ssl3" is not working. Please help me
>> 
>> Thanks and Regards
>> Shivakumar
>> -- 
>> With Best Regards
>> Shivakumar S
> 
> 
> 


Re: How to list ssl3 ciphers

2019-07-11 Thread shiva kumar
HI,
In OpenSSL 1.1.1 documentation it is mentioned as -ssl3 option is there as
follows,
openssl ciphers [-help] [-s] [-v] [-V] [-ssl3] [-tls1] [-tls1_1] [-tls1_2]
[-tls1_3] [-s] [-psk] [-srp] [-stdname] [-convert name] [-ciphersuites val]
[cipherlist]

but, in the command line when I list the options with help command, it is
not showing ssl3 option as follows

$openssl ciphers -help
Usage: ciphers [options]
Valid options are:
 -help              Display this summary
 -v                 Verbose listing of the SSL/TLS ciphers
 -V                 Even more verbose
 -s                 Only supported ciphers
 -tls1              TLS1 mode
 -tls1_1            TLS1.1 mode
 -tls1_2            TLS1.2 mode
 -tls1_3            TLS1.3 mode
 -stdname           Show standard cipher names
 -psk               include ciphersuites requiring PSK
 -srp               include ciphersuites requiring SRP
 -convert val       Convert standard name into OpenSSL name
 -ciphersuites val  Configure the TLSv1.3 ciphersuites to use

why it is not displaying the ssl3 option? please answer me.

Thanks and Regards
Shivakumar


On Wed, Jul 10, 2019 at 10:40 AM shiva kumar 
wrote:

> Hi,
> How to List the ssl3 ciphers in openssl1.1.1
> The command "openssl ciphers -ssl3" is not working. Please help me
>
> Thanks and Regards
> Shivakumar
> --
> *With Best Regards*
> *Shivakumar S*
>


Re: OpenSSL Upgrade to 1.1.1c from very old version

2019-07-11 Thread Dmitry Belyavsky
Hello,

On Thu, Jul 11, 2019 at 12:58 PM Umamaheswari Nagarajan <
numamahesw...@pulsesecure.net> wrote:

> Hi,
>
> In a couple of modules in our product, we use a very old version of OpenSSL
> (0.97e), which is statically linked.
>
> We wanted to upgrade it to the latest version (1.1.1c) and also remove the
> static linking.
>
> Query- Can we upgrade from OpenSSL 0.97e to OpenSSL 1.1.1c directly or do we
> have to move to some other lower version first and then proceed with 1.1.1c?
>
> Please advise us.
>
>
99,9% you'll have to fix your openssl calls. Most of the data structures became
opaque and you'll need to fix access to separate fields, if any.
If you used algorithm-specific methods instead of EVP, you probably have to
rewrite these calls.
It's only a part of the changes that have happened since 0.9.7.

-- 
SY, Dmitry Belyavsky


looks like the support for Heart beat extension is removed from openssl

2019-07-11 Thread shiva kumar
Hi ,

Why is the support for Heart beat extension removed from openssl?
I am referring to the latest version of openssl (openssl-1.1.1c).

How to handle abnormal disconnection in DTLS?

Thanks!
Shiva


RAND_seed buffer freeing

2019-07-11 Thread Tobias.Wolf
I've one question regarding RAND_seed, the first parameter refers to a buffer, 
who is freeing that buffer afterwards? Can I free it after the call to 
RAND_seed or is this done by openssl?


OpenSSL Upgrade to 1.1.1c from very old version

2019-07-11 Thread Umamaheswari Nagarajan
Hi,

In a couple of modules in our product, we use a very old version of OpenSSL 
(0.97e), which is statically linked.

We wanted to upgrade it to the latest version (1.1.1c) and also remove the 
static linking.

Query- Can we upgrade from OpenSSL 0.97e to OpenSSL 1.1.1c directly or do we have 
to move to some other lower version first and then proceed with 1.1.1c?

Please advise us.


Thanks,
Uma




How to use openssl smime sign the email body only

2019-07-11 Thread anyegongjue
Hi there,

I created a script to use "openssl smime" to sign emails in Postfix. 

The script is running the command below.

openssl smime -sign -signer /etc/letsencrypt/live/mail.xxx.xxx/cert.pem \
  -inkey /etc/letsencrypt/live/mail.xxx.xxx/privkey.pem -in "$MESSAGEFILE" \
  -out "$OUTFILE" || { echo Problem signing message; exit $EX_UNAVAILABLE; }

The $MESSAGEFILE is the email content and $OUTFILE stores the output signed
email file. The script is running without any problem and the email can be sent
to the mailbox. But the problem is that smime signed the whole email, including the
existing headers. 

So is there a way to let smime only sign the email body?

Here is the email signed by smime.

*Received: from mail.xxx.xxx (unknown [xxx.xxx.xxx.xxx])
by mx21 (Coremail) with SMTP id R8CowACXTp+M2CZdostiCQ--.63511S3;
Thu, 11 Jul 2019 14:34:56 +0800 (CST)
Received: from mail.xxx.xxx (localhost [127.0.0.1])
by mail.xxx.xxx (Postfix) with ESMTP id A0C2AC149A0
for ; Thu, 11 Jul 2019 16:34:48 +1000 (AEST)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="B0D2B6501759DF22E6B9827580C1C8D1"
X-CM-TRANSID:R8CowACXTp+M2CZdostiCQ--.63511S3
Message-Id:<5d26d898.876b91.32...@m12-71.email.com>
Authentication-Results: mx21; spf=pass smtp.mail=sen...@email.com
soft.com.au;
X-Coremail-Antispam: 1Uf129KBjvJXoWxWr47KFW7ArW5JF4UurW8Crg_yoW5Ar1kpF
W2g3sFkr1kZF1Iyas7ArW8WrySvrn8Kr48Gw1DK3yUAws8uryjkF1rtw4UKa9rGFWxX3yY
ga1jqasruFZ0qrJanT9S1TB71UDqnTZGkaVYY2UrjbIjqfuFe4nvWSU5nxnvy2
9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07jmc_fU=
Date: Thu, 11 Jul 2019 14:35:04 +0800 (CST)
From: email_market...@xxx.xxx

This is an S/MIME signed message

--B0D2B6501759DF22E6B9827580C1C8D1*
Received: from localhost (localhost [127.0.0.1])
by mail.xxx.xxx (Postfix) with ESMTP
for ; Thu, 11 Jul 2019 16:34:48 +1000 (AEST)
X-Virus-Scanned: amavisd-new at xxx.xxx
Received: from mail.xxx.xxx ([127.0.0.1])
by localhost (mail.xxx.xxx [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id HpBOnD__tFYe for ;
Thu, 11 Jul 2019 16:34:47 +1000 (AEST)
Received: from XXXMail (unknown [52.65.226.31])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
(Authenticated sender: email_market...@xxx.xxx)
by mail.xxx.xxx (Postfix) with ESMTPSA id 2A4DBC149A2
for ; Thu, 11 Jul 2019 16:34:47 +1000 (AEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.xxx.xxx 2A4DBC149A2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxx.xxx;
s=default; t=1562826887;
bh=zEHSRite2Oj6+gkb5XLOEibTqoyx4wfkxFvtHbrgboU=;
h=Date:To:From:Reply-To:Subject:List-Unsubscribe:List-Owner:From;
b=Zo7Rkn89Oe8ekeFfgvtJa/KHdIyI1NeZzyL7XQ8g7c4VIWTVOJC813l44rwAUje08
 XSnf9HLzrJy4I4suANkrmXNIF6w/UEZ/S1+qoydQE2kmlDql3p9hWDN4t4roGcCrrB
 wDgdcY4vgvld1kjh6a/sggmr4BiKG4LY0g5OfeqjxX22g1anWCY5fBB6LHrJrmR48V
 N2eQE+CRJED2ZHjC+rhf83aD4h81jt6OhVNwuIMR2nlMBBdcegibfqCw6lMd3eZrLE
 iGgHZ6dX/TrU/TZP7rC0B9IvXKcGbfIrw1KZ71McSiVw5U+JtZqa77YT9PErWj5KnS
 t+J4FVB37jpMA==
Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:34:47 +1000
Date: Thu, 11 Jul 2019 16:34:47 +1000
To: Kerry Fly 
From: email_market...@xxx.xxx
Reply-To: email_market...@xxx.xxx
Subject: New T-shirt arrived
Message-ID: 
X-Mailer: XXXMailer
X-MessageID: ABsLBhQBCAA
X-ListMember: recei...@email.com
Precedence: bulk
List-Unsubscribe:

List-Owner: 
Error-To: email_marketing_bou...@xxx.xxx
Bounces-To: email_marketing_bou...@xxx.xxx
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY"

This is a multi-part message in MIME format.
--b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

View in browser
ConfigurationSession configuration is stored in=C2=A0Configur=
e=C2=A0under the top level=C2=A0Session=C2=A0key, and a number of options a=
re available:Session.cookie=C2=A0- Change the name of the session cookie.Se=
ssion.timeout=C2=A0- The number of=C2=A0minutes=C2=A0before CakePHP=
=E2=80=99s session handler expires the session. ...
For more information about and how to integrate it inside your applications=
MADE BY ARTUR ARSENIEVClick here to unsubscribe.
--b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
