RE: TLS application data MAC

2004-09-20 Thread Avinash Agarwal
Hello Dragos,
I was able to solve this issue.. thanks to Niklas and Goran :)
I was using the wrong sequence number.
Once again thank you everyone for your help.
 
Regards,
Avinash

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of dragos liciu
Sent: Tuesday, September 21, 2004 12:11 AM
To: [EMAIL PROTECTED]
Subject: RE: TLS application data MAC




Hi Avinash, 

Sorry for late reply, but I didn't follow the emails 
on weekend. 

You sent: 

. 
Key for HMAC_MD5 = server_auth_key 

Input msg to MAC algorithm 
{ 
seq no = 0x00 (8bytes) 
Type = 0x23 (application data) 
version = 0x0301 
Length = 0x05 
Data = 0x01 0x07 0x00 0x05 0x01 
} 
 


The only problem I see in your email is that the 
'Length' field seems to be only 1 byte long, but it 
should be 2 bytes long instead (see RFC); 

Please let me know if this is indeed the problem. If 
no, we'll dig further; you are very close. 

Also I suppose you've verified that keys calculated 
by both server and client match. 

Dragos. 

OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]
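
Added example, not part of the thread and not OpenSSL's code: the TLS 1.0 record MAC discussed in this thread (RFC 2246, section 6.2.3.1), showing that both a 1-byte length field and an out-of-step sequence number produce a different MAC. The MAC secret and the Finished bytes are constructed; `mac_input`, `record_mac` and `MacState` are names chosen for this sketch.

```python
import hmac
import struct

HANDSHAKE, APPLICATION_DATA = 22, 23  # ContentType values; 23 is 0x17 on the wire
TLS_1_0 = (3, 1)                      # ProtocolVersion bytes 0x03 0x01

def mac_input(seq_num, content_type, fragment, version=TLS_1_0):
    """seq_num (8 bytes) + type (1) + version (2) + length (2) + fragment."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return header + fragment

def record_mac(secret, seq_num, content_type, fragment, hash_name="md5"):
    """HMAC_hash(MAC_write_secret, ...) over the concatenation above."""
    data = mac_input(seq_num, content_type, fragment)
    return hmac.new(secret, data, hash_name).digest()

class MacState:
    """One direction of a connection: MAC secret plus implicit sequence number."""

    def __init__(self, secret):
        # The counter starts at 0 and is never transmitted; both peers count.
        self.secret, self.seq = secret, 0

    def protect(self, content_type, fragment):
        mac = record_mac(self.secret, self.seq, content_type, fragment)
        self.seq += 1
        return mac

    def verify(self, content_type, fragment, mac):
        expected = record_mac(self.secret, self.seq, content_type, fragment)
        self.seq += 1  # a bad MAC is fatal in TLS, so no retry at this number
        return hmac.compare_digest(expected, mac)

def demo():
    secret = bytes(range(16))                   # constructed MAC secret
    finished = b"\x14\x00\x00\x0c" + bytes(12)  # constructed Finished message
    data = bytes.fromhex("0107000501")          # data bytes quoted in the thread
    sender, in_step, fresh = (MacState(secret) for _ in range(3))
    fin_mac = sender.protect(HANDSHAKE, finished)     # first record: seq 0
    app_mac = sender.protect(APPLICATION_DATA, data)  # second record: seq 1
    ok = (in_step.verify(HANDSHAKE, finished, fin_mac)
          and in_step.verify(APPLICATION_DATA, data, app_mac))
    stale = fresh.verify(APPLICATION_DATA, data, app_mac)  # still at seq 0
    short = struct.pack("!QBBBB", 1, APPLICATION_DATA, 3, 1, len(data)) + data
    return ok, stale, hmac.new(secret, short, "md5").digest() == app_mac

if __name__ == "__main__":
    print(demo())
```

`demo()` returns three booleans: the in-step receiver accepts both records, a receiver still counting from 0 rejects the application data record, and the MAC computed with a 1-byte length does not match.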



RE: TLS application data MAC

2004-09-15 Thread Avinash Agarwal
Hello dragos,
Thanks for the input.
The MAC generation mentioned below works alright for MAC generation
of Client/server handshake finished messages.
However for the MAC generation for the TLS app data this is not working.
Any pointers on what could be wrong?
 
Regards,
Avinash

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of dragos liciu
Sent: Thursday, September 16, 2004 12:07 AM
To: [EMAIL PROTECTED]
Subject: Re: TLS application data MAC



Hi Avinash, 

The paragraph you mentioned is a little bit vague, 
better look at 6.2.3.1 from the same RFC; below is a 
fragment from the 6.2.3.1 paragraph: 

.. 
   The MAC is generated as: 

   HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
                 TLSCompressed.version + TLSCompressed.length +
                 TLSCompressed.fragment));

   where + denotes concatenation. 
. 

The two fixed character strings are 'type' and 
'version'; I implemented it (in C++) just as specified 
above and it works. 


Dragos. 






TLS application data MAC

2004-09-14 Thread Avinash Agarwal
Hello all,

I'm trying to figure out how to generate the MAC for application data in TLS
v1.

The rfc (2246) says at § F.2 protecting application data 
Outgoing data is protected with a MAC before transmission. To prevent 
   message replay or modification attacks, the MAC is computed from the 
   MAC secret, the sequence number, the message length, the message 
   contents, and two fixed character strings. 

What are the two fixed character strings?

TIA
Regards,
Avinash
  



RE: openssl libs vs RSA libs problem

2003-04-02 Thread Avinash Agarwal
I tried using the openssl s_server. I got the same errors on both
ends.

Here is the output I get on the server side 

Using default temp DH parameters
Enter PEM pass phrase:
ACCEPT




ERROR
1626:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:985:SSL alert number 0
1626:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
shutting down SSL
CONNECTION CLOSED
ACCEPT




Please tell me what can I do now?

Thank you,
Avinash

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 01, 2003 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: openssl libs vs RSA libs problem

On Tue, Apr 01, 2003, Avinash Agarwal wrote:

 Hello all,
 
  
 
 I have a server implemented using openssl libs and a client which

Certificate error

2003-02-26 Thread Avinash Agarwal
Hello  All,

I'm getting the following error while starting my OpenSSL based
server.


9350:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:279


This problem is coming with a certificate that was generated by me
recently. Previously issued certificates work fine.

Could someone please tell me what could be the problem.

Thank you,
Avinash
