RE: TLS application data MAC
Hello Dragos, I was able to solve this issue.. thanks to Niklas and Goran :) I was using the wrong sequence number. Once again thank you everyone for your help. Regards, Avinash -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dragos liciu Sent: Tuesday, September 21, 2004 12:11 AM To: [EMAIL PROTECTED] Subject: RE: TLS application data MAC Hi Avinash, Sorry for late reply, but I didn't follow the emails on weekend. You sent: . Key for HMAC_MD5 = server_auth_key Input msg to MAC algorithm { seq no = 0x00 (8bytes) Type = 0x23 (application data) version = 0x0301 Length = 0x05 Data = 0x01 0x07 0x00 0x05 0x01 } The only problem I see in your email is that the 'Length' field seems to be only 1 byte long, but it should be 2 bytes long instead (see RFC); Please let me know if this is indeed the problem. If no, we'll dig further; you are very close. Also I supposeed you've verified that keys calculated by both server and client match. Dragos. __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: TLS application data MAC
Hello dragos, Thanks for the input. The MAC generation mentioned below works alright for MAC generation of Client/server hanshake finished messages. However for the MAC generation for the TLS app data this is not working. Any pointers on what could be wrong? Regards, Avinash -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dragos liciu Sent: Thursday, September 16, 2004 12:07 AM To: [EMAIL PROTECTED] Subject: Re: TLS application data MAC Hi Avinash, The paragraph you mentioned is little bit vague, better look at 6.2.3.1 from the same RFC; below is a fragment from 6.2.3.1 paragraph: .. The MAC is generated as: HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length + TLSCompressed.fragment)); where + denotes concatenation. . The two fixed character strings are 'type' and 'version'; I implemented it (in C++) just as specified above and it works. Dragos. __ Do you Yahoo!? Y! Messenger - Communicate in real time. Download now. http://messenger.yahoo.com http://messenger.yahoo.com __ OpenSSL Project http://www.openssl.org http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
TLS application data MAC
Hello all, I'm trying to figure out how to generate the MAC for application data in TLS v1. The rfc (2246) says at ยง F.2 protecting application data Outgoing data is protected with a MAC before transmission. To prevent message replay or modification attacks, the MAC is computed from the MAC secret, the sequence number, the message length, the message contents, and two fixed character strings. What are the two fixed character strings? TIA Regards, Avinash __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: openssl libs vs RSA libs problem
I tried using the openssl s_server . I got the same errors on bothe ends. Here is the output I get on the server side Using default temp DH parameters Enter PEM pass phrase: ACCEPT read from 00158A88 [001630E8] (11 bytes = 11 (0xB)) - 16 03 00 00 37 01 00 00-33 03 7...3. 000b - SPACES/NULS read from 00158A88 [001630F3] (49 bytes = 49 (0x31)) - 3e 8b d4 53 ef d9 ea c8-f0 6d 97 98 f7 1d e4 51 ..S.m.Q 0010 - 9d 98 52 f4 41 a5 ca 11-0e d9 c9 57 70 d4 56 55 ..R.A..Wp.VU 0020 - 00 00 0c 00 0a 00 05 00-04 00 09 00 03 00 08 01 0031 - SPACES/NULS write to 00158A88 [0016C108] (79 bytes = 79 (0x4F)) - 16 03 00 00 4a 02 00 00-46 03 00 3e 8b d4 20 f7 J...F . 0010 - 3b 8a 2e 1f b8 8d a7 2e-dd 4a 50 51 77 10 7a aa ;JPQw.z. 0020 - f4 16 b1 b4 e5 b4 86 7a-f2 56 9c 20 83 78 43 f3 ...z.V. .xC. 0030 - c5 84 7f 7b 32 44 d1 7a-64 3e d3 b0 0b 84 92 34 ...{2D.zd.4 0040 - 2b fb 5b 40 2c 24 3a 45-ba 37 c1 b3 00 0a +.[@,$:E.7 004f - SPACES/NULS write to 00158A88 [0016C108] (640 bytes = 640 (0x280)) - 16 03 00 02 7b 0b 00 02-77 00 02 74 00 02 71 30 {...w..t..q0 0010 - 82 02 6d 30 82 01 d6 a0-03 02 01 02 02 02 00 d7 ..m0 0020 - 30 0d 06 09 2a 86 48 86-f7 0d 01 01 04 05 00 30 0...*.H0 0030 - 81 93 31 0b 30 09 06 03-55 04 06 13 02 55 53 31 ..1.0...UUS1 0040 - 13 30 11 06 03 55 04 08-13 0a 43 61 6c 69 66 6f .0...UCalifo 0050 - 72 6e 69 61 31 11 30 0f-06 03 55 04 07 13 08 4d rnia1.0...UM 0060 - 69 6c 70 69 74 61 73 31-21 30 1f 06 03 55 04 0a ilpitas1!0...U.. 0070 - 13 18 47 52 49 43 20 43-6f 6d 6d 75 6e 69 63 61 ..GRIC Communica 0080 - 74 69 6f 6e 73 20 49 6e-63 2e 31 16 30 14 06 03 tions Inc.1.0... 0090 - 55 04 0b 13 0d 47 52 49-43 20 43 41 20 41 64 6d UGRIC CA Adm 00a0 - 69 6e 31 21 30 1f 06 03-55 04 03 13 18 47 52 49 in1!0...UGRI 00b0 - 43 20 43 65 72 74 69 66-69 63 61 74 65 20 4d 61 C Certificate Ma 00c0 - 6e 61 67 65 72 30 1e 17-0d 30 32 30 36 32 38 30 nager0...0206280 00d0 - 35 34 33 31 36 5a 17 0d-30 34 30 36 32 37 30 35 54316Z..04062705 00e0 - 34 33 31 36 5a 30 60 31-0b 30 09 06 03 55 04 06 4316Z0`1.0...U.. 00f0 - 13 02 55 53 31 0b 30 09-06 03 55 04 08 13 02 43 ..US1.0...UC 0100 - 41 31 11 30 0f 06 03 55-04 07 13 08 4d 69 6c 70 A1.0...UMilp 0110 - 69 74 61 73 31 10 30 0e-06 03 55 04 0b 13 07 73 itas1.0...Us 0120 - 75 70 70 6f 72 74 31 0d-30 0b 06 03 55 04 0a 13 upport1.0...U... 0130 - 04 47 52 49 43 31 10 30-0e 06 03 55 04 03 13 07 .GRIC1.0...U 0140 - 73 75 70 70 6f 72 74 30-5c 30 0d 06 09 2a 86 48 support0\0...*.H 0150 - 86 f7 0d 01 01 01 05 00-03 4b 00 30 48 02 41 00 .K.0H.A. 0160 - be d4 36 8f fc 23 9f e0-98 77 0e 2a b0 7a ee 91 ..6..#...w.*.z.. 0170 - d7 e7 d2 0a 55 32 6e 84-fe 4b e6 d2 1d ff c5 0a U2n..K.. 0180 - d6 19 5e e5 d2 a8 04 6a-54 38 86 cb 85 c7 24 1a ..^jT8$. 0190 - 89 dc da 11 95 fe dd ca-fa ee 1e 9d 04 98 3d a1 ..=. 01a0 - 02 03 01 00 01 a3 46 30-44 30 11 06 09 60 86 48 ..F0D0...`.H 01b0 - 01 86 f8 42 01 01 04 04-03 02 06 40 30 0e 06 03 [EMAIL PROTECTED] 01c0 - 55 1d 0f 01 01 ff 04 04-03 02 04 f0 30 1f 06 03 U...0... 01d0 - 55 1d 23 04 18 30 16 80-14 8e da c8 3b d7 7a 34 U.#..0..;.z4 01e0 - a7 e9 3a a1 a1 5d b7 3b-b3 25 bf cf 42 30 0d 06 ..:..].;.%..B0.. 01f0 - 09 2a 86 48 86 f7 0d 01-01 04 05 00 03 81 81 00 .*.H 0200 - 63 60 50 92 ef ba a0 ac-79 9a 45 32 cf a9 d9 d7 c`P.y.E2 0210 - 17 b4 33 87 75 01 6f 84-1c d6 39 af 5b df 77 96 ..3.u.o...9.[.w. 0220 - 00 b6 a9 c2 c2 e8 8a a1-fa e5 a0 61 78 fd d5 7b ...ax..{ 0230 - 03 85 c0 f1 bc 9e b0 14-7f 8f 50 64 82 34 cc f1 ..Pd.4.. 0240 - fc 3a 49 00 59 74 e9 61-7a 29 a1 06 12 43 a7 fa .:I.Yt.az)...C.. 0250 - 94 38 50 91 ed be 4c 4f-fa a7 c7 96 13 0b 03 21 .8P...LO...! 0260 - 6b 08 be c8 7b bd 80 c0-07 a7 86 8a 04 a6 ea cb k...{... 0270 - 04 b9 8b 53 39 c8 c9 36-80 a0 cc 2f ae 07 98 99 ...S9..6.../ write to 00158A88 [0016C108] (9 bytes = 9 (0x9)) - 16 03 00 00 04 0e .. 0009 - SPACES/NULS read from 00158A88 [001630E8] (5 bytes = 5 (0x5)) - 15 03 00 00 02. read from 00158A88 [001630ED] (2 bytes = 2 (0x2)) - 02. 0002 - SPACES/NULS ERROR 1626:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:985:SSL alert number 0 1626:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226: shutting down SSL CONNECTION CLOSED ACCEPT Please tell me what can I do now? Thank you, Avinash -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: Tuesday, April 01, 2003 6:29 PM To: [EMAIL PROTECTED] Subject: Re: openssl libs vs RSA libs problem On Tue, Apr 01, 2003, Avinash Agarwal wrote: Hello all, I have a server implemented using openssl libs and a client which
Certificare error
Hello All, I'm getting the following error , while starting my OpenSSL based server. 9350:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279 This problem is coming with a certificate that was generated by me recently. Previously issued certificates work fine. Could someone please tell me what could be the problem. Thank you, Avinash __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]