Re: [openssl-users] Using a TPM to sign CSRs
Hi Kaarhik, Please refer https://github.com/ThomasHabets/openssl-tpm-engine. It is OpenSSL TPM Engine. It will help to offload all crypto operation to TPM. Regards, Devang. On Tue, Jul 24, 2018 at 4:48 PM, Kaarthik Sivakumar wrote: > Hello > > I need to create a key pair using a TPM (proprietary) and build a CSR and > sign it using it the TPM as well. Currently I dont have an engine interface > to talk to the TPM. I do the following: > > 1. generate key pair in the TPM. private key is kept private in the TPM > and public key can be obtained out of the TPM > > 2. use the public key to generate a CSR (X509_REQ_init(), etc) > > 3. Get the hash of the CSR (X509_REQ_digest()) > > 4. Pass the digest to the TPM and get back signature > > 5. Add signature to the CSR - I dont see any way to do this. Is there an > openssl API to perform this step? I dont think I can use X509_REQ_sign() > since that will use the private key provided or if I have an engine > interface then it will call the engine to do the signing. Is there a way to > call sign() and make it call my function that can do the step 4 above? > > Thanks! > > -kaarthik- > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Unexpected behaviors in TLS handshake
Hi Matt, Thanks for reply. I also used both functions SSL_CTX_set1_sigalgs_list() SSL_CTX_set1_client_sigalgs_list() but same thing happens. I set client side “RSA+SHA512” using SSL_CTX_set1_sigalgs_list() but still it is accepting sever certificate which has signature algorithm SHA256withRSAencryption. Best Regards, Devang Sent from my iPhone > On 20-Jun-2018, at 2:25 PM, Matt Caswell wrote: > > > >> On 20/06/18 09:44, Devang Kubavat wrote: >> Hi all, >> >> I set the signature algorithm using in client, >> >> /* signature algorithm list */ >> >> (void)SSL_CTX_set1_client_sigalgs_list(ctx, “RSA+SHA512”); >> >> >> >> Expected behavior: client only accepts server certificate which has >> signature algorithm SHA512withRSAencryption during TLS handshake. >> >> >> >> But, here even I set “RSA+SHA512” signature algorithm, still client is >> accepting the server certificate which has signature algorithm >> SHA256withRSAencryption. Why? > > As I said in reply to your other post: > > "The function "SSL_CTX_set1_client_sigalgs_list()" is for setting > signature algorithms related to *client authentication*. This is not the > same as the sig algs sent in the ClientHello. For that you need to use > SSL_CTX_set1_sigalgs_list()." > > Matt > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Unexpected behaviors in TLS handshake
Hi all, I set the signature algorithm using in client, /* signature algorithm list */ (void)SSL_CTX_set1_client_sigalgs_list(ctx, "RSA+SHA512"); Expected behavior: client only accepts server certificate which has signature algorithm SHA512withRSAencryption during TLS handshake. But, here even I set "RSA+SHA512" signature algorithm, still client is accepting the server certificate which has signature algorithm SHA256withRSAencryption. Why? Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Regarding to disable some signature algorithm in client hello message
Hi, I want to disable the SHA1 hash algorithm in Extension: signature algorithm client hello message. [cid:image003.jpg@01D407C3.1A227530] I have used /* the signature algorithms list */ const char signAlgo[] = "RSA+SHA256"; (void)SSL_CTX_set1_client_sigalgs_list(ctx, signAlgo); But, still client is setting all algorithms. Is there any other way to set signature algorithm to SSL_CTX or SSL ? Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] disable session id reuse
Hi Darshan, In Addition, Make sure that you should disable the session ticket based session resumption using SSL_OP_NO_TICKET. By default SSL_OP_NO_TICKET is not disabled. Thanks Devang Sent from my iPhone > On 03-May-2018, at 2:12 PM, Mody, Darshan (Darshan)> wrote: > > Hi, > > While doing a openssl s_time command I find that by default it tries for > Session Id Reuse. “Now timing with session id reuse.” > > In case if we don’t want openssl to reuse session id’s how can we configure > openssl in the application for the same. > > The application here is acting as a server. > > I have set SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF > > Thanks > Darshan > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SSL Handshake with TPM using TPM Engine
Hi All, *SSL handshake with TPM using TPM Engine: *I am generating the RSA keys in TPM and private key will never come out from TPM I want to do SSL handshake with this scenario. Can you please point out me in SSL handshake which functions are using the RSA private key? So that, I can register those functions in TPM Engine to perform RSA private key related operation. Is there any reference implementation for SSL handshake using TPM via TPM Engine? Regards, Digant -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] OpenSSL Engine for TPM
Hi All, 1. Is there any built-in OpenSSL Engine to access the TPM ? 2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we configure in OpenSSL libraries to use that engine ? Please guide me. Thanks. Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Resume the session with new session keys
Hi, There are two method to resume the session, 1.) Session ID, 2.) Session Ticket Out of these two methods, which method is useful to resume session with new session keys ? Is there any way to resume the session with new session keys ? Can anyone please help me ? Currently I am using the Ticket based session resumption and I can see that same master secret I get during SSL_get1_session even if session is resumed! Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] How to disable the DTLS stuff in openssl 1.0.2k
Hi, I am trying to configure the OpenSSL 1.0.2k for windows. Can anyone help me How to disable the DTLS? Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] SSL_CTX_set_timeout does not work properly
Hi, I am using Ticket based Session Resumption in my application. I need to control 'timeout of the session'. So as per the document I can set the timeout of the session using SSL_CTX_set_timeout(SSL_CTX *ctx, long t); I used SSL_CTX_set_timeout(ctx, 500); I am able to resume the session up to 500 seconds and after 500 seconds, the session fails to resume which is as expected. But when I set t=0 in SSL_CTX_set_timeout(ctx,0), I am getting different behavior. Session is resumed up to 7200 seconds. Wireshark log shows Ticket Lifetime Hint: 7200 seconds. According to me the session should not resume. Can anyone please help me why it is behaving like this. Best Regards, Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Different size of openssl libraries
Hi, I am trying to build openssl 1.0.2j. for windows. Everytime I different size of libraries. Is it depends on path ? Best Regards Devang -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users