Generating a CSR using an engine in OpenSSL3 - how?

2022-09-03 Thread Graham Leggett via openssl-users
Hi all,

When the openssl interactive mode was still possible, you could set up an 
engine and then use it as follows:

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib64/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib64/pkcs11/onepin-opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key 0:7f72c103216c285f28d0a05bcf87678e25b0f1e2 -keyform engine -out matthew.csr

What is the equivalent of the above in openssl3?

Regards,
Graham
—



Re: OpenSSL provider replacement for ENGINE_load_private_key

2022-01-12 Thread Graham Leggett via openssl-users
On 13 Dec 2021, at 12:15, Tomas Mraz  wrote:

> One option would be for a provider to provide provider-storemgmt
> implementation to load a key from its special URI. You'd then use
> OSSL_STORE from the application to load a private key from that special
> URI.
> 
> Another, rather simplistic, approach would be to use the
> EVP_PKEY_fromdata() function. In that case you'd have to know what the
> key algorithm are you using. You'd then use EVP_PKEY_CTX_new_from_name
> with query properties to include "provider=your_provider" and the
> params used with EVP_PKEY_fromdata() would contain just the special id
> parameter that the provider would use to identify the private key from
> the device.

The specific example is for PKCS11.

Is there a PKCS11 provider available to be used?

Regards,
Graham
—



OpenSSL provider replacement for ENGINE_load_private_key

2021-12-11 Thread Graham Leggett via openssl-users
Hi all,

The ENGINE API is deprecated in favour of the new Provider API.

What is the provider equivalent function that replaces 
ENGINE_load_private_key()?

Regards,
Graham
—



X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-05-28 Thread Graham Leggett via openssl-users
Hi all,

While running code that calls X509_verify_cert(), the trusted root certificates 
(“BEGIN TRUSTED CERTIFICATE”) loaded into the verification are failing 
verification with “certificate rejected”:

2: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE: verify failed: 
certificate rejected

The code path we’re following looks like this:

  * frame #0: 0x00010060b808 libcrypto.3.dylib`obj_trust(id=910, 
x=0x00010096da70, flags=8) at x509_trs.c:271:17
frame #1: 0x00010060b672 
libcrypto.3.dylib`X509_check_trust(x=0x00010096da70, id=0, flags=0) at 
x509_trs.c:72:16
frame #2: 0x00010061207b 
libcrypto.3.dylib`check_trust(ctx=0x0001009fe5b0, num_untrusted=2) at 
x509_vfy.c:776:17
frame #3: 0x000100610e7e 
libcrypto.3.dylib`build_chain(ctx=0x0001009fe5b0) at x509_vfy.c:3124:37
frame #4: 0x00010060d655 
libcrypto.3.dylib`verify_chain(ctx=0x0001009fe5b0) at x509_vfy.c:216:15
frame #5: 0x00010060d27b 
libcrypto.3.dylib`X509_verify_cert(ctx=0x0001009fe5b0) at x509_vfy.c:295:15

In X509_check_trust() we get to this line of code which appears to ask “trust 
roots with NID_anyExtendedKeyUsage":

https://github.com/openssl/openssl/blob/master/crypto/x509/x509_trs.c#L72

int X509_check_trust(X509 *x, int id, int flags)
{
    X509_TRUST *pt;
    int idx;

    /* We get this as a default value */
    if (id == X509_TRUST_DEFAULT)
        return obj_trust(NID_anyExtendedKeyUsage, x,
                         flags | X509_TRUST_DO_SS_COMPAT);

This leads us to this code here:

https://github.com/openssl/openssl/blob/master/crypto/x509/x509_trs.c#L268


    for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {
        ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);
        int nid = OBJ_obj2nid(obj);

        if (nid == id || (nid == NID_anyExtendedKeyUsage &&
            (flags & X509_TRUST_OK_ANY_EKU)))
            return X509_TRUST_TRUSTED;
    }

We iterate through the above loop twice for our root certificate, once with a 
nid of:

(lldb) print OBJ_nid2sn(nid)
(const char *) $2 = 0x00010067b13d “emailProtection"

and a second time with a nid of:

(lldb) print OBJ_nid2sn(nid)
(const char *) $3 = 0x00010067b0d2 “serverAuth"

Neither “emailProtection” nor “serverAuth” is equal to “anyExtendedKeyUsage”, 
and so we drop to this line which triggers the rejection of our root 
certificate:

return X509_TRUST_REJECTED;

I am lost - I can fully understand what the code is doing, but I can’t see why 
openssl only trusts certs with “anyExtendedKeyUsage”.

Can anyone explain why openssl would reject this certificate?

I am using the “default” X509_VERIFY_PARAM.

Alas the source code apps/verify.c makes no attempt to set the trust parameter, 
and the docs for X509_VERIFY_PARAM_set_trust() say "sets the trust setting in 
param to trust” but doesn’t explain what possible values there are for “trust” 
or their effect.

Regards,
Graham
—




BIO_s_file() and files that are larger than int - how is overflow handled?

2020-12-24 Thread Graham Leggett via openssl-users
Hi all,

According to the manpage at 
https://www.openssl.org/docs/man1.1.0/man3/BIO_s_file.html the macro BIO_tell() 
casts to int:

/opt/local/include//openssl/bio.h:# define BIO_tell(b) 
(int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)

What happens if the file being parsed is larger than can fit in an int? Does 
BIO_s_file() do anything to limit the size of the file?

Does openssl detect overflow, or do I have to detect overflow?

Regards,
Graham
—



PKCS7: Error: Object has zero length.

2020-05-05 Thread Graham Leggett
Hi all,

I am trying to create a "Degenerate certificates-only CMS Signed-Data" using 
openssl-1.1.1c (from CentOS8) as described by 
https://tools.ietf.org/html/draft-gutmann-scep-15#section-3.4, and in the 
process I am getting the entry "Error: Object has zero length" in the PKCS7 
structure and I don't know how to get rid of it:

   0 2395: SEQUENCE {
   4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
  15 2380:   [0] {
  19 2376:     SEQUENCE {
  23    1:       INTEGER 1
  26    0:       SET {}
  28   15:       SEQUENCE {
  30    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
  41    2:         [0] {
  43    0:           OCTET STRING
        :             Error: Object has zero length.  <--- here
        :           }
        :         }
[snip]

The code is here: 
https://source.redwax.eu/projects/RS/repos/mod_scep/browse/mod_scep.c#1134

Or more specifically looks like this:

p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_add_certificate(p7, cert);
PKCS7_add_certificate(p7, conf->signer);
i2d_PKCS7_bio(b, p7);

Can anyone confirm what step I am missing?

Regards,
Graham
—
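As an added example (not code from the original post or from mod_scep), here is the degenerate certificates-only SignedData from the draft above built by hand in DER with only the Python standard library. The structure the draft asks for has the eContent field absent; the dump above instead shows an explicit [0] holding a zero-length OCTET STRING, i.e. an inner content that was allocated but left empty. The builder can emit both forms, and a small DER walker tells them apart. The placeholder certificate blobs and all function names are this example's own assumptions; any DER SEQUENCE stands in for a real Certificate here.

```python
# Added example: degenerate (certificates-only) CMS SignedData built by hand.
# The "certificates" below are constructed placeholder SEQUENCEs, not real
# X.509 certificates; any DER blob stands in for a Certificate here.

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes = b"") -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


# Placeholder certificate blobs (constructed for this example, not real certs).
FAKE_CERTS = [tlv(0x30, tlv(0x04, b"certificate-1")),
              tlv(0x30, tlv(0x04, b"certificate-2"))]


def degenerate_signed_data(certs, empty_econtent=False) -> bytes:
    """ContentInfo { signedData, [0] SignedData } with no signers.

    With empty_econtent=False the eContent field is simply absent, which is
    what a certs-only message needs.  With empty_econtent=True an explicit
    [0] wrapper holding a zero-length OCTET STRING is emitted instead: the
    encoding that dumpasn1 flags as "Object has zero length".
    """
    econtent = tlv(0xA0, tlv(0x04)) if empty_econtent else b""
    encap_content_info = tlv(0x30, tlv(0x06, DATA_OID) + econtent)
    signed_data = tlv(
        0x30,
        tlv(0x02, b"\x01")              # version 1
        + tlv(0x31)                     # digestAlgorithms: empty SET
        + encap_content_info
        + tlv(0xA0, b"".join(certs))    # certificates [0] IMPLICIT SET OF
        + tlv(0x31),                    # signerInfos: empty SET
    )
    return tlv(0x30, tlv(0x06, SIGNED_DATA_OID) + tlv(0xA0, signed_data))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def signed_data_fields(der: bytes):
    """The top-level fields of the SignedData inside a signedData ContentInfo."""
    tag, content_info, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    (oid_tag, oid), (wrap_tag, wrapped) = children(content_info)
    if (oid_tag, oid) != (0x06, SIGNED_DATA_OID) or wrap_tag != 0xA0:
        raise ValueError("not a signedData ContentInfo")
    (_, signed_data), = children(wrapped)
    return children(signed_data)


def econtent_state(der: bytes) -> str:
    """'absent', 'empty' or 'present' for eContent in encapContentInfo."""
    fields = signed_data_fields(der)
    encap = children(fields[2][1])        # version, digestAlgorithms, encap, ...
    if len(encap) == 1:
        return "absent"
    (_, octets), = children(encap[1][1])  # [0] EXPLICIT { OCTET STRING }
    return "empty" if len(octets) == 0 else "present"


def certificate_count(der: bytes) -> int:
    """Number of elements in the certificates [0] set, if present."""
    for tag, content in signed_data_fields(der)[3:]:
        if tag == 0xA0:
            return len(children(content))
    return 0


if __name__ == "__main__":
    good = degenerate_signed_data(FAKE_CERTS)
    bad = degenerate_signed_data(FAKE_CERTS, empty_econtent=True)
    print("eContent:", econtent_state(good), "/", econtent_state(bad))
    print("certificates:", certificate_count(good))
```

For comparison against a known-good encoding, `openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER | openssl asn1parse -inform DER` emits this same certificates-only form with no eContent, so `econtent_state()` on its output reports "absent".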



smime.p7s
Description: S/MIME cryptographic signature


Re: During client cert verification: RSA_padding_check_PKCS1_type_1:block type is not 01

2019-08-05 Thread Graham Leggett
On 04 Aug 2019, at 01:56, Viktor Dukhovni  wrote:

> An RSA signature verification operation (block type 01) failed,
> typically because the public used to check the signature does
> not match the private key used to sign the data.

Thanks for confirming this.

> Is this a server-side log or a client-side log?  If the client is
> using the wrong private key or wrong certificate, then I'd expect
> to see this type of error on the server.

It’s a server side log of httpd linked to openssl.

I have a MyEID smartcard with two certs and two keys on it. When the smartcard 
is used with Firefox and the OpenSC PKCS11 drivers, everything works fine. When 
the smartcard is used with Windows 10 + Edge and the native manufacturer 
drivers, the wrong key is chosen for the certificate, and access is denied as 
above.

Regards,
Graham
—





During client cert verification: RSA_padding_check_PKCS1_type_1:block type is not 01

2019-08-03 Thread Graham Leggett
Hi all,

I have a Windows 10 system with a smartcard attached to it.

Firefox+Smartcard works great.

Edge using the smartcard to the same site returns the following:

[Fri Aug 02 13:47:43.238262 2019] [ssl:info] [pid 20742:tid 139771397486336] 
SSL Library Error: error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[Fri Aug 02 13:47:43.238306 2019] [ssl:info] [pid 20742:tid 139771397486336] 
SSL Library Error: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding 
check failed
[Fri Aug 02 13:47:43.238356 2019] [ssl:info] [pid 20742:tid 139771397486336] 
SSL Library Error: error:1408807B:SSL routines:SSL3_GET_CERT_VERIFY:bad 
signature

What is the above trying to tell me?

Am I right in assuming that Edge is trying to use the wrong cert with the wrong 
key?

Regards,
Graham
—





Re: Shutting down openssl - is the correct thing to do nothing?

2019-06-14 Thread Graham Leggett
On 14 Jun 2019, at 09:41, Matt Caswell  wrote:

> Correct. *All* of the above calls are no-ops in 1.1.0+, e.g:
> 
> #  define EVP_cleanup() while(0) continue
> 
> There are one or two caveats around auto-init and auto-deinit of the library.
> The documentation for it is here:
> 
> https://www.openssl.org/docs/man1.1.1/man3/OPENSSL_init_crypto.html 
> 

Further to the above question, having read the documentation, it looks like all 
of these init routines should be removed in v1.1.0 and above:

https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l398

CRYPTO_malloc_init();
OPENSSL_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();

https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l133

CRYPTO_malloc_init();
OPENSSL_malloc_init();
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();

Can you confirm I’ve interpreted this correctly?

Regards,
Graham
—





Shutting down openssl - is the correct thing to do nothing?

2019-06-13 Thread Graham Leggett
Hi all,

I am currently reviewing the shutdown behaviour in both httpd’s mod_ssl and 
apr’s apr-crypto-openssl modules.

Am I right in understanding that from openssl v1.1.0 and upwards, all the 
following calls are no longer necessary, will be called automatically atexit by 
the openssl library, and these can be removed from the code?

https://svn.apache.org/viewvc/httpd/httpd/tags/2.4.39/modules/ssl/mod_ssl.c?view=markup#l329

FIPS_mode_set(0);
OBJ_cleanup();
CONF_modules_free();
EVP_cleanup();
ENGINE_cleanup();
SSL_COMP_free_compression_methods();
ERR_remove_thread_state(NULL);
ERR_remove_state(0);
ERR_free_strings();
CRYPTO_cleanup_all_ex_data();

https://svn.apache.org/viewvc/apr/apr-util/tags/1.6.1/crypto/apr_crypto_openssl.c?view=markup#l114

ERR_free_strings();
EVP_cleanup();
ENGINE_cleanup();

Regards,
Graham
—






Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-20 Thread Graham Leggett
On 19 Mar 2019, at 18:00, Viktor Dukhovni  wrote:
> Well, the *standard* structure for passing around just the unsigned
> data underlying a CSR (X509_REQ), is a CertificationRequestInfo
> (X509_REQ_INFO).  So if the modules are to use *standard* structures
> to communicate.  The object being passed needs to be either a CSR
> (signed) or the enclosed CRI (unsigned).

I agree - it is the ideal structure to use, however translating this into real 
world implementation there aren’t any APIs in openssl that allow us to do this 
today, and it is very likely that the same limitation exists in other APIs we 
would like to support in future (NSS, native APIs, etc).

This software however is 7 years old, we’re not in a position to drop 
everything and rewrite it.

> You could, for example, sign the request with some suitable key
> (ideally the private key corresponding to the public key in the
> CSR, if available) before handing it off.  If the signing key is
> not the enclosed public key, it would not pass "req -verify" (it
> never did before either, for lack of a signature), but the called
> module would be able to decode a CSR, and work as before.

In our world we’re translating from various protocols (scep, spkac, etc etc) 
where proof of possession isn’t a signed X509_REQ, but is rather a challenge 
passphrase, previous certificate, etc etc, to a standard object (CSR) that can 
then be signed by a range of modules (simple local signing, signing on a 
smartcard, etc etc).

As a result while in the ideal world we would be dealing with signed CSRs, in 
our world we have to support a CSR with proof of possession supplied alongside 
in a range of possible formats.

We might have to go with the sign-with-a-dummy-signature route, but this would 
be unfortunate.

>> I don’t follow - in order to get access to the data inside the X509_REQ_INFO
>> structure, I need to first wrap it in a X509_REQ, otherwise I have no API
>> calls to get access to the data inside it.
> 
> No need to get access to the data inside an X509_REQ_INFO is expected.
> That object's sole purpose is to be serializable for signing.
> 
> You have rather an edge-case, where for some reason you're delegating
> signing to a CA module by passing it a non-standard structure that
> *resembles* a CSR, which is however for some reason not signed with
> the subject key (not signed at all), and you expect the CA to apply
> policy, by decoding the CRI inside  this non-CSR.
> 
> OpenSSL 1.1.x does not have structure member accessors for a CRI,
> but they would be easy to add, that's essentially what the X509_REQ
> accessors do:
> 
>    long X509_REQ_get_version(const X509_REQ *req)
>    {
>        return ASN1_INTEGER_get(req->req_info.version);
>    }
> 
>    X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req)
>    {
>        return req->req_info.subject;
>    }
> 
>    int X509_REQ_get_attr_count(const X509_REQ *req)
>    {
>        return X509at_get_attr_count(req->req_info.attributes);
>    }
> 
>    int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos)
>    {
>        return X509at_get_attr_by_NID(req->req_info.attributes, nid, lastpos);
>    }
> 
>    int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
>                                 int lastpos)
>    {
>        return X509at_get_attr_by_OBJ(req->req_info.attributes, obj, lastpos);
>    }
> 
>    X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc)
>    {
>        return X509at_get_attr(req->req_info.attributes, loc);
>    }
> 
>    X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc)
>    {
>        return X509at_delete_attr(req->req_info.attributes, loc);
>    }
> 
> If one were to "void the warranty", one could cast the (X509_REQ_INFO
> *) as an (X509_REQ *), and the accessors would just work, but you
> must not do that, the internal details might change some day, as
> they did between 1.1.x and 1.0.2 (where the X509_REQ_INFO is a
> separately allocated structure pointed to by the X509_REQ).

We’re a modular CA, we don’t dictate to our modules what they can and can’t do, 
so to say “that object’s sole purpose” is a contradiction.

It turns out that the module that checks the proof of possession against an 
LDAP server needs to pull out the subject of the CSR in order to make the LDAP 
query, which in turn means it needs to be able to read the contents of the 
X509_REQ (or X509_REQ_INFO).

X509_REQ_INFO prevents us from seeing the information, and so this won’t work 
for us.

>> The modules are Apache httpd modules, and the boundaries between the modules
>> are hooks that pass DER encoded structures between each module.
> 
> Well, so the key question is, why not pass an actual CSR.  What's
> preventing the CSR from being signed?

Protocols like scep and spkac don’t supply a CSR, that’s not how they work.

>>> This isn't pretty, and perhaps we need some new functions to explicitly
>>> embed a CRI in a CSR, but it is certainly something you can do 

Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-19 Thread Graham Leggett
On 19 Mar 2019, at 03:22, Viktor Dukhovni  wrote:

>> On Mar 18, 2019, at 8:22 PM, Graham Leggett  wrote:
>> 
>> How would I decode the X509_REQ_INFO structure on the other side, turning it 
>> back into X509_REQ?
> 
> The function returns the DER form of the CRI, which can then be signed.
> You can use d2i_X509_REQ_INFO() to get an X509_REQ_INFO, but indeed there's
> not much you can do with that, other than DER-encode it again and sign.
> 
> Why do you need to do the encode and decode?  What's wrong with the original
> request object?

The code is a modular ca, and different modules communicate with each other 
generically using the standard DER encoded structures. Openssl isn’t visible 
through the API, it is an implementation detail.

>> While I can see a d2i_X509_REQ_INFO() function, I can’t find a corresponding 
>> function in openssl 1.1.0+ that assigns this to a X509_REQ, unless I am 
>> missing it?
> 
> It should not be needed.

I don’t follow - in order to get access to the data inside the X509_REQ_INFO 
structure, I need to first wrap it in a X509_REQ, otherwise I have no API calls 
to get access to the data inside it.

>> By way of concrete example, having crossed the module boundary we need to 
>> pull out details from the X509_REQ_INFO, which can only be done if this 
>> structure has been assigned to a X509_REQ first:
> 
> Can you be more specific about these "module boundaries”?

The modules are Apache httpd modules, and the boundaries between the modules 
are hooks that pass DER encoded structures between each module.

> In any case, given the DER form of the CRI, it is easy to construct
> the DER form of an enclosing CSR with a dummy signature:
> 
>   0:d=0  hl=4 l= 360 cons: SEQUENCE   -- Outer sequence and length:  
> 30 82 01 68
> 
>   4:d=1  hl=3 l= 210 cons: SEQUENCE   -- DER encoding of CRI
>   7:d=2  hl=2 l=   1 prim: INTEGER   :00
>   10:d=2  hl=2 l=   0 cons: SEQUENCE
>   12:d=2  hl=3 l= 159 cons: SEQUENCE
>   15:d=3  hl=2 l=  13 cons: SEQUENCE
>   17:d=4  hl=2 l=   9 prim: OBJECT:rsaEncryption
>   28:d=4  hl=2 l=   0 prim: NULL
>   30:d=3  hl=3 l= 141 prim: BIT STRING
>  174:d=2  hl=2 l=  41 cons: cont [ 0 ]
>  176:d=3  hl=2 l=  39 cons: SEQUENCE
>  178:d=4  hl=2 l=   9 prim: OBJECT:Extension Request
>  189:d=4  hl=2 l=  26 cons: SET
>  191:d=5  hl=2 l=  24 cons: SEQUENCE
>  193:d=6  hl=2 l=  22 cons: SEQUENCE
>  195:d=7  hl=2 l=   3 prim: OBJECT:X509v3 Subject Alternative 
> Name
>  200:d=7  hl=2 l=  15 prim: OCTET STRING  [HEX 
> DUMP]:300D820B6578616D706C652E636F6D
> 
>  217:d=1  hl=2 l=  13 cons: SEQUENCE  -- Signature algorithm OID 
> and parameters
>  219:d=2  hl=2 l=   9 prim: OBJECT:sha256WithRSAEncryption
>  230:d=2  hl=2 l=   0 prim: NULL
>  232:d=1  hl=3 l= 129 prim: BIT STRING-- Signature data
> 
> In the above we see that the CRI, needs (typically) an ~4-byte prefix
> of (0x30 + DER encoded length) and a suffix of the form:
> 
>   30 0d -- 13 byte sequence
>06 09 2a 86 48 86 f7 0d 01 01 0b  -- 9 byte OID 
> (sha256WithRSAEncryption)
>05 00 -- NULL parameters
>03 81 81 00   -- 128 byte bit string with 0 unused 
> bits
>xx xx xx xx ... xx-- 128 bytes of random data.
> 
> your random data could be all zeros.  The trailer length is then a
> fixed 147 bytes.  Add that to the length of CRI and prepend the
> outer sequence (0x30 + DER encoded (length CRI + 147)), then the
> CRI and then the trailer, and presto-magic you have a CSR with
> a bogus signature, but one that will encode and decode, just not
> pass "req -verify".
> 
> This isn't pretty, and perhaps we need some new functions to explicitly
> embed a CRI in a CSR, but it is certainly something you can do in the
> short term.

Can we not rather fix the initialisation of the X509_REQ in X509_REQ_new() so 
that it works like it used to? It seems like a massive headache to do something 
that used to be trivial.

I see there have been changes to openssl code relating to how structures are 
initialised, I suspect an error has crept in where an ASN.1 object is missing 
instead of empty, thus the malformed CSR.

Regards,
Graham
—
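As an added example, not code from the original thread or from the redwax modules, the byte layout Viktor describes above implemented in Python with only the standard library. `wrap_cri_with_dummy_signature()` puts a DER CertificationRequestInfo into a CertificationRequest with a sha256WithRSAEncryption AlgorithmIdentifier and an all-zero signature BIT STRING, and `unwrap_cri()` takes the CRI back out on the receiving side. The CRI used to exercise it is a constructed placeholder with a dummy SubjectPublicKeyInfo, not a real key, and the function names are this example's own. A CSR made this way encodes and decodes, but its signature proves nothing: the receiving module must treat the proof of possession as coming from elsewhere (challenge passphrase, previous certificate) and must never report this request as verified.

```python
# Added example: wrap a DER CertificationRequestInfo (CRI) in a
# CertificationRequest (CSR) with a dummy signature, and unwrap it again.
# The signature is all zeros and will not pass "openssl req -verify".

SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def der_len(n: int) -> bytes:
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes = b"") -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def dummy_signature_trailer(sig_len: int = 128) -> bytes:
    """signatureAlgorithm + signature, as they follow the CRI inside a CSR.

    For sig_len=128 this is the fixed 147-byte trailer from the thread:
    30 0d 06 09 <sha256WithRSAEncryption> 05 00 03 81 81 00 <128 zero bytes>.
    """
    sig_alg = tlv(0x30, tlv(0x06, SHA256_WITH_RSA_OID) + tlv(0x05))  # NULL params
    signature = tlv(0x03, b"\x00" + bytes(sig_len))  # 0 unused bits, zero bytes
    return sig_alg + signature


def wrap_cri_with_dummy_signature(cri: bytes, sig_len: int = 128) -> bytes:
    """CertificationRequest ::= SEQUENCE { cri, signatureAlgorithm, signature }."""
    if not cri or cri[0] != 0x30:
        raise ValueError("CRI must be a DER SEQUENCE")
    return tlv(0x30, cri + dummy_signature_trailer(sig_len))


def der_header_len(buf: bytes) -> int:
    """Bytes taken by tag + length octets of the element at buf[0]."""
    first = buf[1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)


def der_element_len(buf: bytes) -> int:
    """Total size of the DER element that starts at buf[0]."""
    h = der_header_len(buf)
    length = buf[1] if buf[1] < 0x80 else int.from_bytes(buf[2:h], "big")
    return h + length


def unwrap_cri(csr: bytes) -> bytes:
    """Return the CRI, the first element inside the CSR's outer SEQUENCE."""
    if csr[0] != 0x30 or der_element_len(csr) != len(csr):
        raise ValueError("CSR must be a single DER SEQUENCE")
    body = csr[der_header_len(csr):]
    cri = body[:der_element_len(body)]
    if cri[0] != 0x30:
        raise ValueError("first CSR element is not a SEQUENCE")
    return cri


def placeholder_cri() -> bytes:
    """A constructed CRI: version 0, empty subject, dummy RSA SPKI (not a key)."""
    spki = tlv(0x30,
               tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05))
               + tlv(0x03, b"\x00" + bytes(140)))   # placeholder key bits
    return tlv(0x30,
               tlv(0x02, b"\x00")   # version 0
               + tlv(0x30)          # subject: empty Name
               + spki
               + tlv(0xA0))         # attributes [0]: none


if __name__ == "__main__":
    cri = placeholder_cri()
    csr = wrap_cri_with_dummy_signature(cri)
    print("CRI bytes:", len(cri), "CSR bytes:", len(csr))
    print("round trip ok:", unwrap_cri(csr) == cri)
```

`openssl asn1parse -inform DER -in out.csr` on the result shows the three-element layout from the thread, and `openssl req -verify` on it fails, which is the intended signal that the signature carries no proof of possession.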





Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 22:02, Dave Coombs  wrote:

>> This makes sense - however there don’t appear to be any APIs in openssl that 
>> allow you to manipulate a X509_REQ_INFO structure. I can create it, and 
>> encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or 
>> friends) to populate the structure. X509_REQ_INFO itself is opaque.
> 
> I believe you said you're using 1.0.2, right?  The structures aren't opaque 
> there.  You can make your X509_REQ and populate its name etc as you already 
> are, and then i2d_X509_REQ_INFO its req_info member.
> 
> (Even in the 1.1 API, where they are opaque, i2d_re_X509_REQ_tbs will encode 
> a given X509_REQ's X509_REQ_INFO for you.)

How would I decode the X509_REQ_INFO structure on the other side, turning it 
back into X509_REQ?

While I can see a d2i_X509_REQ_INFO() function, I can’t find a corresponding 
function in openssl 1.1.0+ that assigns this to a X509_REQ, unless I am missing 
it?

By way of concrete example, having crossed the module boundary we need to pull 
out details from the X509_REQ_INFO, which can only be done if this structure 
has been assigned to a X509_REQ first:

https://source.redwax.eu/projects/RS/repos/mod_ca/browse/mod_ca_ldap.c#368

Regards,
Graham
—





Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 22:27, Viktor Dukhovni  wrote:

>> (Even in the 1.1 API, where they are opaque, i2d_re_X509_REQ_tbs will encode 
>> a given X509_REQ's X509_REQ_INFO for you.)
> 
> Yes, i2d_re_X509_REQ_tbs is the key function for constructing the
> "to be signed" (tbs) request:
> 
>  int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
>  {
>      req->req_info.enc.modified = 1;
>      return i2d_X509_REQ_INFO(&req->req_info, pp);
>  }
> 
> By setting the "modified" bit, it ensures that the DER representation
> will be re-generated with any changes made to the object.
> 
> So the OP can create the "partially filled in" X509_REQ and then call
> i2d_re_X509_REQ_tbs() function to generate the DER CRI blob to sign. 
> This removes any temptation to "cheat" by just casting the (X509_REQ *)
> as an (X509_REQ_INFO *) and calling i2d_X509_REQ_INFO() on that (first
> member of the X509_REQ structure).  The i2d_re_X509_REQ_tbs() function
> achieves the same effect in a type safe supported manner.

Can you confirm what structure is being encoded by i2d_re_X509_REQ_tbs, is this 
a X509_REQ_INFO?

The man page doesn’t explicitly specify the output formats of any of the 
related functions:

https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html

Looking at the source, we have X509_REQ_INFO being returned:

int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
{
    req->req_info.enc.modified = 1;
    return i2d_X509_REQ_INFO(&req->req_info, pp);
}

What would the corresponding functions need to be in the openssl v1.0.x world 
to achieve the same output as i2d_re_X509_REQ_tbs?

Would it just be to copy the above code in?

Regards,
Graham
—



Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 18:49, Viktor Dukhovni  wrote:

> A mandatory part of the CSR is missing.  It is malformed.

Some further digging shows the CSR is indeed malformed - the old openssl code 
created a CSR like this:

  507:d=2  hl=2 l=   1 prim: OBJECT:itu-t

while the new openssl code produces a CSR like this:

  508:d=2  hl=2 l=   0 prim: OBJECT:BAD OBJECT

It looks like X509_REQ_new() in older versions of openssl created an object 
with an empty signature, while the new code produces a bad signature.

> Since you don't have a CSR, the fix is to not attempt to encode the data
> as a CSR.  It sounds like what you have is a CRI (that is a
> CertificationRequestInfo structure) so you'll need to encode that instead.
> 
>  https://tools.ietf.org/html/rfc2986#section-4
> 
> The relevant codec functions are:  i2d_X509_REQ_INFO and d2i_X509_REQ_INFO.
> 
> A CSR is:
> 
>   CertificationRequest ::= SEQUENCE {
>certificationRequestInfo CertificationRequestInfo,
>signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
>signature  BIT STRING
>   }
> 
> which encapsulates the CRI a larger signed structure, adding precisely
> the bits you're missing.

This makes sense - however there don’t appear to be any APIs in openssl that 
allow you to manipulate a X509_REQ_INFO structure. I can create it, and 
encode/decode it, but there is no X509_REQ_INFO_get_subject_name() (or friends) 
to populate the structure. X509_REQ_INFO itself is opaque.

> An alternative (if you must) is to create an actual CSR, with a dummy
> signature OID, and signature and then ignore the signature on the other
> side.

This looks like a workaround for now, what API call would I use to do that?

The X509_REQ structure is opaque, so I can’t see what options I have for 
setting any OIDs.

Regards,
Graham
—



Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 12:51, Graham Leggett  wrote:

>> which has a non-zero length signature algorithm OID (l = 9).  Your
>> example has "l=0" where one would expect the signature OID after
>> the extensions.
> 
> How do I fix openssl to parse this as it did before?

I've raised this at https://github.com/openssl/openssl/issues/8514 to give more 
context.

Regards,
Graham
—



Re: i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-18 Thread Graham Leggett
On 18 Mar 2019, at 04:55, Viktor Dukhovni  wrote:

> On Mon, Mar 18, 2019 at 01:06:19AM +0200, Graham Leggett wrote:
> 
>> [root@localhost ~]# openssl req -in req.bin -inform der
>> unable to load X509 request
>> 139903756527504:error:0D0C40D8:asn1 encoding 
>> routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287:
>> 139903756527504:error:0D08303A:asn1 encoding 
>> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
>> error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
>> 139903756527504:error:0D08303A:asn1 encoding 
>> routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
>> error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ
> 
> The CSR is malformed.

The CSR is incomplete, but isn’t malformed.

The CSR is in the process of being built. Part of that process involves 
sending the partially complete CSR to another module, which then completes the 
CSR structure. This used to work, but has regressed when moving from rhel6 to 
rhel7.

> which has a non-zero length signature algorithm OID (l = 9).  Your
> example has "l=0" where one would expect the signature OID after
> the extensions.

How do I fix openssl to parse this as it did before?

Regards,
Graham
—



i2d_X509_REQ() -> d2i_X509_REQ() = asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding:a_object.c:287

2019-03-17 Thread Graham Leggett
Hi all,

While porting some code across from RHEL6 (openssl-1.0.1e-42) to RHEL7 
(openssl-1.0.2k-16), I am getting the failure below where previously the code 
worked.

The code creates an X509_REQ, populates it, and then passes this to a module. 
Before passing it to the module, the structure is canonicalised by passing it 
through i2d_X509_REQ() and then d2i_X509_REQ() on the other side.

On RHEL7, d2i_X509_REQ fails as follows:

[root@localhost ~]# openssl req -in req.bin -inform der
unable to load X509 request
139903756527504:error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid 
object encoding:a_object.c:287:
139903756527504:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:720:Field=algorithm, Type=X509_ALGOR
139903756527504:error:0D08303A:asn1 encoding 
routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:720:Field=sig_alg, Type=X509_REQ

The failure occurs in the openssl code here:

424 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
(gdb) 
427 seqtt = asn1_do_adb(pval, tt, 1);
(gdb) 
428 if (seqtt == NULL)
(gdb) 
427 seqtt = asn1_do_adb(pval, tt, 1);
(gdb) 
428 if (seqtt == NULL)
(gdb) 
430 pseqval = asn1_get_field_ptr(pval, seqtt);
(gdb) 
432 if (!len)
(gdb) 
430 pseqval = asn1_get_field_ptr(pval, seqtt);
(gdb) 
432 if (!len)
(gdb) 
435 if (asn1_check_eoc(&p, len)) {
(gdb) 
434 q = p;
(gdb) 
435 if (asn1_check_eoc(&p, len)) {
(gdb) 
451 if (i == (it->tcount - 1))
(gdb) 
459 ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, 
ctx,
(gdb) 
461 if (!ret) {
[error here]
(gdb) 
520 if (combine == 0)
(gdb) 
521 ASN1_item_ex_free(pval, it);
(gdb) 
522 if (errtt)
(gdb) 
523 ERR_add_error_data(4, "Field=", errtt->field_name,
(gdb) 
527 return 0;
(gdb) 
528 }

The CSR can be found here: http://www.sharp.fm/req.bin

Would it be possible to confirm what is wrong with this request?

Regards,
Graham
—



Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-30 Thread Graham Leggett
On 24 Jul 2018, at 18:06, Viktor Dukhovni  wrote:

>> Or is it correct in v1.1.0 and above to just not initialise anything at all, 
>> not clean anything up at all, and expect openssl to “do the right thing” 
>> when mod_ssl is unloaded?
> 
> Yes.  And *especially* when the code that depends on OpenSSL is itself a 
> library.
> OpenSSL is now (and should ideally always have been) self-initializing.

What should the behaviour be in openssl < 1.1.0?

The scenario is as follows:

- httpd runs.
- httpd dynamically loads mod_ssl, apr_crypto_openssl, libpq, libldap, etc.
- mod_ssl, apr_crypto_openssl, libpq, libldap, etc in turn dynamically load 
openssl.
- At some point a graceful shutdown is attempted and mod_ssl, 
apr_crypto_openssl, libpq, libldap, etc are unloaded.
- …what next?

How should mod_ssl, apr_crypto_openssl, libpq, libldap, etc handle the 
unloading of openssl < 1.1.0?

Should they run the openssl init functions but not the teardown functions? (And 
just accept a leak).

Should they suppress attempts to unload mod_ssl, apr_crypto_openssl, libpq, 
libldap, etc if we know for sure that openssl < 1.1.0 is linked to them?

Regards,
Graham
—

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-24 Thread Graham Leggett
On 24 Jul 2018, at 12:15, Graham Leggett  wrote:

> Over at httpd we’re struggling with crashes and instability caused by 
> attempts by various independent libraries we link to, all of which in turn 
> link to openssl, initialising openssl multiple times. In turn these separate 
> libraries might de-initialise openssl on shutdown expecting a re-initialise 
> to work and hilarity ensues.
> 
> What is the correct way to handle openssl initialisation when multiple 
> independent libraries are all trying to initialise openssl independently of 
> one another?
> 
> Is there reference counting of some kind?
> 
> Could instability be caused by not matching the correct teardown function 
> calls with the correct setup function calls?

Focusing a little closer on openssl v1.1.0 we get the following, but this also 
seems broken at first glance.

https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html

"Once OPENSSL_cleanup() has been called the library cannot be reinitialised”.

In our case, httpd will load mod_ssl (and in APR apr_crypto_openssl) which is 
in turn linked to openssl, and during a restart the module (and therefore the 
link to openssl I believe) will be unloaded, and thus OPENSSL_cleanup() will 
fail when httpd finally exits and calls atexit.

Am I interpreting the above correctly?

Or is it correct in v1.1.0 and above to just not initialise anything at all, 
not clean anything up at all, and expect openssl to “do the right thing” when 
mod_ssl is unloaded?

Regards,
Graham
—



[openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-24 Thread Graham Leggett
Hi all,

Over at httpd we’re struggling with crashes and instability caused by attempts 
by various independent libraries we link to, all of which in turn link to 
openssl, initialising openssl multiple times. In turn these separate libraries 
might de-initialise openssl on shutdown expecting a re-initialise to work and 
hilarity ensues.

What is the correct way to handle openssl initialisation when multiple 
independent libraries are all trying to initialise openssl independently of one 
another?

Is there reference counting of some kind?

Could instability be caused by not matching the correct teardown function calls 
with the correct setup function calls?

Regards,
Graham
—



Re: [openssl-users] API SSL_Connect fails and always returns SSL_ERROR_WANT_READ causes infinite loop in application

2017-11-14 Thread Graham Leggett
On 14 Nov 2017, at 12:00 PM, mahesh gs  wrote:

> We have application that provide DTLS security for SCTP connections. During 
> our testing we found that API "SSL_connect " fail and always returns 
> SSL_ERROR_WANT_READ which causes infinite loop in the application.

Are you properly handling that SSL_ERROR_WANT_READ, or are you ignoring it?

The message isn’t an error (the symbol was misnamed), it just means openssl is 
asking you permission to read. If your code is saying "yes openssl you may 
read" when you actually aren’t ready you’ll end up in an infinite loop.

Regards,
Graham
—





Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-09 Thread Graham Leggett
On 09 Nov 2017, at 2:57 PM, Michael Wojcik  
wrote:

>> This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu 
>> xenial), although
>> trying openssl as shipped by MacOS Sierra on the client side gives the same 
>> result.
> 
> At least prior to 1.1.0, to use ECC in OpenSSL the application has to make 
> some additional calls. (I don't remember offhand how much of this goes away 
> in the 1.1.0 API.) So it's quite possible for two applications using stock 
> OpenSSL 1.0.x to fail to use an ECC suite.
> 
>> I set the ciphers explicitly on the server side to DEFAULT and got the same 
>> result (eliminating
>> whatever weird settings postgresql-on-ubuntu might have as a default).
> 
> DEFAULT includes ECC suites. You should try something like 
> DEFAULT:!ECDHE:!ECDH to eliminate the ECC Kx suites.

I just tried that - no change in behaviour, apart from the negotiation of a 
different cipher before the connection fails (0x9f).

>> When openssl v1.0.2m tries to connect to postgresql running openssl v1.0.1f 
>> (ubuntu xenial), I get different behaviour:
>> ...
>> 2017-11-09 11:01:19 UTC [12025-1] [unknown]@[unknown] LOG:  invalid length 
>> of startup packet
> 
> Offhand, I don't know what the problem is here.

Does or did openssl server have any known bugs with respect to the length of a 
ClientHello packet being in excess of 255 bytes?

This is what a tcpdump looks like when psql linked to openssl v1.0.1f attempts 
to connect to postgresql linked to openssl v1.0.1f, the client side sends 8 
bytes, then 1 byte, then 305 bytes in my case:

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:51:45.113996 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [S], seq 
3580373978, win 26883, options [mss 8961,sackOK,TS val 12226525 ecr 
0,nop,wscale 7], length 0
11:51:45.114035 IP 172.29.228.240.5432 > 172.29.231.43.40454: Flags [S.], seq 
3310545722, ack 3580373979, win 26847, options [mss 8961,sackOK,TS val 12327573 
ecr 12226525,nop,wscale 7], length 0
11:51:45.114243 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [.], ack 1, 
win 211, options [nop,nop,TS val 12226525 ecr 12327573], length 0
11:51:45.114271 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [P.], seq 
1:9, ack 1, win 211, options [nop,nop,TS val 12226525 ecr 12327573], length 8
11:51:45.114277 IP 172.29.228.240.5432 > 172.29.231.43.40454: Flags [.], ack 9, 
win 210, options [nop,nop,TS val 12327573 ecr 12226525], length 0
11:51:45.114934 IP 172.29.228.240.5432 > 172.29.231.43.40454: Flags [P.], seq 
1:2, ack 9, win 210, options [nop,nop,TS val 12327574 ecr 12226525], length 1
11:51:45.115132 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [.], ack 2, 
win 211, options [nop,nop,TS val 12226525 ecr 12327574], length 0
11:51:45.117703 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [P.], seq 
9:314, ack 2, win 211, options [nop,nop,TS val 12226526 ecr 12327574], length 
305
11:51:45.119459 IP 172.29.228.240.5432 > 172.29.231.43.40454: Flags [P.], seq 
2:3941, ack 314, win 219, options [nop,nop,TS val 12327575 ecr 12226526], 
length 3939
11:51:45.120234 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [P.], seq 
314:321, ack 3941, win 350, options [nop,nop,TS val 12226526 ecr 12327575], 
length 7
11:51:45.120324 IP 172.29.231.43.40454 > 172.29.228.240.5432: Flags [R.], seq 
321, ack 3941, win 350, options [nop,nop,TS val 12226526 ecr 12327575], length 0

The openssl v1.0.1f server side responds with a ServerHello, however the client 
side rejects the ServerHello saying "unknown ca", even though this same set of 
certificates works fine in Ubuntu Trusty.

In a second test, if I use openssl v1.0.2m compiled from source to connect to 
the same server, the client side sends 308 bytes in one go:

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:02.032126 IP 172.29.228.7.54912 > 172.29.228.240.5432: Flags [S], seq 
1471313029, win 26883, options [mss 8961,sackOK,TS val 645036074 ecr 
0,nop,wscale 7], length 0
11:53:02.032165 IP 172.29.228.240.5432 > 172.29.228.7.54912: Flags [S.], seq 
126514461, ack 1471313030, win 26847, options [mss 8961,sackOK,TS val 12346803 
ecr 645036074,nop,wscale 7], length 0
11:53:02.032490 IP 172.29.228.7.54912 > 172.29.228.240.5432: Flags [.], ack 1, 
win 211, options [nop,nop,TS val 645036074 ecr 12346803], length 0
11:53:02.039507 IP 172.29.228.7.54912 > 172.29.228.240.5432: Flags [P.], seq 
1:309, ack 1, win 211, options [nop,nop,TS val 645036076 ecr 12346803], length 
308
11:53:02.039521 IP 172.29.228.240.5432 > 172.29.228.7.54912: Flags [.], ack 
309, win 219, options [nop,nop,TS val 12346805 ecr 645036076], length 0
11:53:02.040625 IP 172.29.228.240.5432 > 172.29.228.7.54912: Flags [F.], seq 1, 
ack 309, win 219, options [nop,nop,TS val 12346805 ecr 645036076], length 0
11:53:02.041682 IP 172.29.228.7.54912 > 172.29.228.240.5432: Flags [.], ack 2, 
win 211, options [nop,nop,TS val 645036077 ecr 

Re: [openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-09 Thread Graham Leggett
On 09 Nov 2017, at 4:17 AM, Michael Wojcik  
wrote:

>> New, (NONE), Cipher is (NONE)
>> SSL-Session:
>>Protocol  : TLSv1.2
>>Cipher: 
> 
> Yeah. TLSv1.2, no cipher. My guess is the server is allowing the 1.2 protocol 
> level but not supporting any of the 1.2 suites.

Does this definitely mean no cipher, or could it mean “I failed earlier in the 
process before I took note of the cipher, like with the no peer certificate 
available"?

>> 42 2  0.0056 (0.0017)  S>CV3.3(62)  Handshake
>>  ServerHello
>>Version 3.3
>>random[32]=
>>  f9 4d fa 63 ee d5 65 6d ba dd 58 de 51 00 8e ac
>>  9f 45 24 43 e2 17 88 07 41 9a 8d aa 7f 95 2a 13
>>session_id[0]=
>> 
>>cipherSuite Unknown value 0xc030
> 
> Hmm. This claims they agreed on TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Maybe 
> no ECC curves in common for ECDHE Kx?

This is openssl v1.0.1f (ubuntu xenial) talking to openssl v1.0.1f (ubuntu 
xenial), although trying openssl as shipped by MacOS Sierra on the client side 
gives the same result.

I set the ciphers explicitly on the server side to DEFAULT and got the same 
result (eliminating whatever weird settings postgresql-on-ubuntu might have as 
a default).

Next step was to bring openssl up onto a debugger and see what openssl was 
doing internally. I created a debug build of v1.0.2m, and I now have different 
behaviour:

When openssl v1.0.2m tries to connect to postgresql running openssl v1.0.1f 
(ubuntu xenial), I get different behaviour:

New TCP connection #2: localhost(61009) <-> localhost(15432)
2 1  0.0002 (0.0002)  C>S  Handshake
  ClientHello
Version 3.3 
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa5
Unknown value 0xa3
Unknown value 0xa1
Unknown value 0x9f
Unknown value 0x6b
Unknown value 0x6a
Unknown value 0x69
Unknown value 0x68
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x88
Unknown value 0x87
Unknown value 0x86
Unknown value 0x85
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
Unknown value 0x3d
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x84
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa4
Unknown value 0xa2
Unknown value 0xa0
Unknown value 0x9e
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
Unknown value 0x3f
Unknown value 0x3e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x98
Unknown value 0x97
Unknown value 0x45
Unknown value 0x44
Unknown value 0x43
Unknown value 0x42
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
Unknown value 0x3c
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_IDEA_CBC_SHA
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
compression methods
unknown value
  NULL
2    0.0151 (0.0148)  S>C  TCP FIN
2    0.0161 (0.0009)  C>S  TCP FIN

The server side logs the following and slams the phone down:

2017-11-09 11:01:19 UTC [12025-1] [unknown]@[unknown] LOG:  invalid length of 
startup packet

The client side logs the following hint:

SSL handshake has read 0 bytes and written 382 bytes

Why would 382 bytes be an invalid length for an SSL startup packet?

I did see old bug reports from around 2012 where Ubuntu shipped an openssl that 
broke on many sites, and there were references that buggy SSL implementations 
were limited to 255 bytes only. 

[openssl-users] Ubuntu Xenial + Postgresql v9.5 == SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

2017-11-08 Thread Graham Leggett
Hi all,

I am having quite a time trying to get postgresql v9.5 to talk over SSL on 
Ubuntu Xenial, running openssl v1.0.1f. Previously my setup was Ubuntu Trusty, 
and this works fine.

The questions I have based on the info below:

- It is the openssl s_client side that is triggering the handshake failure. Is 
there a way to get openssl to log why the handshake failed in the returned 
error message? Verification depth issue? No path to requested target? Something 
else?

- What is the significance of "no peer certificate available”? A tcpdump and 
the ssldump shows that three certificates are sent by the postgresql server, 
why would openssl claim no certificates were sent?

- The same certificates work fine in Ubuntu Trusty, they don’t work in Ubuntu 
Xenial. The certs are SHA256 certs, and consist of a root, two intermediates 
and a leaf cert. The postgresql server provides the two intermediates and the 
leaf cert, and the root as passed in -CAfile.

- Are there any known incompatibility issues with openssl on Xenial?

When I attempt to connect to postgresql using openssl s_client, I get this:

postgres@sql02:~$ openssl s_client -verify 10 -CAfile .postgresql/root.crt -key 
.postgresql/postgresql.key -cert .postgresql/postgresql.crt -connect sql01:5432 
-servername sql01
verify depth is 10
CONNECTED(0003)
139930468939416:error:140790E5:SSL routines:ssl23_write:ssl handshake 
failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 379 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510188432
Timeout   : 300 (sec)
Verify return code: 0 (ok)
—

ssldump confirms that it is the client side - that’s openssl - that’s rejecting 
the handshake and returning unknown ca:

New TCP connection #42: 172.29.231.43(33116) <-> 172.29.228.240(5432)
42 1  0.0038 (0.0038)  C>S V3.1(300)  Handshake
  ClientHello
Version 3.3 
random[32]=
  80 cf 99 66 b3 07 55 c2 3f cf b2 61 13 39 89 c1 
  33 37 f4 77 21 a3 fd 2e f9 fa 9b 65 4e b5 bd 24 
cipher suites
Unknown value 0xc030
Unknown value 0xc02c
Unknown value 0xc028
Unknown value 0xc024
Unknown value 0xc014
Unknown value 0xc00a
Unknown value 0xa5
Unknown value 0xa3
Unknown value 0xa1
Unknown value 0x9f
Unknown value 0x6b
Unknown value 0x6a
Unknown value 0x69
Unknown value 0x68
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA
Unknown value 0x88
Unknown value 0x87
Unknown value 0x86
Unknown value 0x85
Unknown value 0xc032
Unknown value 0xc02e
Unknown value 0xc02a
Unknown value 0xc026
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x9d
Unknown value 0x3d
TLS_RSA_WITH_AES_256_CBC_SHA
Unknown value 0x84
Unknown value 0xc02f
Unknown value 0xc02b
Unknown value 0xc027
Unknown value 0xc023
Unknown value 0xc013
Unknown value 0xc009
Unknown value 0xa4
Unknown value 0xa2
Unknown value 0xa0
Unknown value 0x9e
TLS_DHE_DSS_WITH_NULL_SHA
Unknown value 0x40
Unknown value 0x3f
Unknown value 0x3e
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA
Unknown value 0x9a
Unknown value 0x99
Unknown value 0x98
Unknown value 0x97
Unknown value 0x45
Unknown value 0x44
Unknown value 0x43
Unknown value 0x42
Unknown value 0xc031
Unknown value 0xc02d
Unknown value 0xc029
Unknown value 0xc025
Unknown value 0xc00e
Unknown value 0xc004
Unknown value 0x9c
Unknown value 0x3c
TLS_RSA_WITH_AES_128_CBC_SHA
Unknown value 0x96
Unknown value 0x41
Unknown value 0xc011
Unknown value 0xc007
Unknown value 0xc00c
Unknown value 0xc002
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0xc012
Unknown value 0xc008
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0xff
  

[openssl-users] Unknown record type 207: what is it, and why does it cause SSL to fail?

2016-08-05 Thread Graham Leggett
Hi all,

I am having a problem where an iPhone running iOS v9.3.3 is attempting to 
connect to httpd+openssl on CentOS7 and suddenly failing when this used to work 
in the past.

The client (iOS) seems to believe the SSL handshake is successful, and so 
attempts to send some application data. The server (httpd), appears to be 
offended by this, and returns "unknown record type: 207”. The server then slams 
the phone down, and the client follows suit directly after.

Some questions:

- What is record type 207?
- Why would openssl believe that record type 207 is not known?

The trace from ssldump is below.

1 1  0.0089 (0.0089)  C>S V3.1(223)  Handshake
  ClientHello
Version 3.3 
random[32]=
  57 a4 8d b0 4c 85 18 b6 dd e1 1f 10 5a 41 5e 8b 
  73 5f eb 49 77 6c ee 33 f1 5c 57 a0 c0 d2 95 ab 
cipher suites
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
  NULL
1 2  0.0221 (0.0131)  S>C V3.3(93)  Handshake
  ServerHello
Version 3.3 
random[32]=
  57 a4 8c 87 8c 6c 8a fc e0 7f 73 64 a9 b2 27 ad 
  6a e8 fa 46 b4 e1 db dd 7d f2 fd 07 e1 e8 1e ed 
session_id[32]=
  12 7b 6e ad 46 df 9b 20 21 2a 31 e8 b6 cb 4d 75 
  cf ec 2c af 7b 22 49 8d d9 98 1d fb bf de ca e2 
cipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
compressionMethod   NULL
1 3  0.0221 (0.)  S>C V3.3(2790)  Handshake
[snip server certificate]
1 4  0.0221 (0.)  S>C  Short record: 589 bytes available (expecting: 592)
1 5  0.0221 (0.)  S>C V215.13(0)  unknown record type: 0
1 6  0.1699 (0.1478)  C>S V3.3(953)  Handshake
[snip client certificate]
1 7  0.1700 (0.)  C>S V3.3(70)  Handshake
  ClientKeyExchange
Not enough data. Found 64 bytes (expecting 16384)
1 8  0.1700 (0.)  C>S V3.3(264)  Handshake
  CertificateVerify
Not enough data. Found 258 bytes (expecting 16384)
1 9  0.1700 (0.)  C>S V3.3(1)  ChangeCipherSpec
1 10 0.1700 (0.)  C>S V3.3(40)  Handshake
1 11 0.1820 (0.0119)  C>S V3.3(379)  application_data
1 12 0.1829 (0.0008)  S>C V3.1(576)  unknown record type: 207
1    5.1278 (4.9449)  S>C  TCP FIN
1    5.6138 (0.4859)  C>S  TCP FIN

Regards,
Graham
—



[openssl-users] openssl verify reporting errors where there are none

2016-05-03 Thread Graham Leggett
Hi all,

I am trying to use “openssl verify” as a sanity check to determine whether a 
set of certificates are sane and valid in a script that issues (or reissues) 
the certificates, and I’m struggling with the output of the “openssl verify” 
command.

This is output I get while verifying three certificates in a chain:

minfrin@localhost:~$ openssl verify -issuer_checks -trusted root-ca.crt 
-untrusted intermediate.crt cert.crt 
cert.crt: [stuff]
error 29 at 0 depth lookup:subject issuer mismatch
[stuff]
error 29 at 0 depth lookup:subject issuer mismatch
[stuff]
error 29 at 0 depth lookup:subject issuer mismatch
[stuff]
error 29 at 0 depth lookup:subject issuer mismatch
OK

In theory the command just told me everything is ok. In practice, that command 
told the person running the script that 4 separate errors are present, which 
obviously in this case is not the case.

Is there a way to suppress these spurious messages so I only see actual errors?

Regards,
Graham
—



Re: [openssl-users] using a random number file for generation of keys/certificates

2015-09-03 Thread Graham Leggett
On 3 Sep 2015, at 19:23, Viktor Dukhovni  wrote:

> Cat those files into /dev/urandom or /dev/random.  That'll mix them
> into the system's entropy pool.  Then generate keys as usual from
> /dev/urandom.

I have used a deck of playing cards as a source of entropy, saved to a ram disk 
on a system with no swap, used then discarded. This has the advantage that you 
know where the randomness comes from.

Regards,
Graham
--



Re: [openssl-users] Crash in SSL_do_handshake: s-method-ssl_renegotiate_check(s)

2015-04-04 Thread Graham Leggett
On 04 Apr 2015, at 9:46 PM, Michael Clark mich...@metaparadigm.com wrote:

> I am having an issue where the server crashes on subsequent connections
> *if* I close the connection file descriptor. See the note in
> openssl_async_echo_server.cc on line 239. If I leak a file descriptor
> and the next connection uses a new fd then the server works fine. Does
> openssl have an internal map of file descriptors? Am I freeing the
> connection correctly?

In the past when I have built async SSL code, I’ve used memory pools from the 
Apache Portable runtime (APR) to make sure that all the created resources get 
properly cleaned up when connections are closed.

You need to make sure everything you create is properly released when done. If 
you don’t, you either leak or crash.

Regards,
Graham
—



[openssl-users] OpenSSL and detecting whether bugs have been patched

2015-03-05 Thread Graham Leggett
Hi all,

I just tried out the most recent version of freeradius (v3.0.7), and it failed 
to start up with the following message:

Thu Mar  5 11:12:33 2015 : Info: Debugger not attached
Thu Mar  5 11:12:33 2015 : Error: Refusing to start with libssl version OpenSSL 
1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 
1.0.1f release)
Thu Mar  5 11:12:33 2015 : Error: Security advisory CVE-2014-0160 (Heartbleed)
Thu Mar  5 11:12:33 2015 : Error: For more information see http://heartbleed.com
Thu Mar  5 11:12:33 2015 : Info: Once you have verified libssl has been 
correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160’

While the idea behind the check is sound (it would be great if people cared 
about this stuff) the implementation is rather crude - all freeradius has to go 
on to implement a check like this is to compare version numbers, and in this 
case the version numbers tell us it is unpatched when in reality this CentOS7 
provided openssl package actually is patched.

Would it be a good idea to add a simple API to the openssl code that define 
whether specific security flaws are patched or not, allowing other software to 
explicitly check for them? A vendor like Redhat then has the chance to patch 
the older version and add the extra detail to indicate that the particular 
vulnerability is patched in this particular version, like this:

int openssl_is_patched(const char *cve);

if (!openssl_is_patched("CVE-2014-0160")) {
   complain_vociferously();
}

Thoughts? Glaring holes I have not thought of?

Regards,
Graham
—



Re: [openssl-users] Nonblocking IO: Kindly need your urgent authoritative confirmation that the OpenSSL API's SSL_read and SSL_write and select() must indeed be used together *exactly* like this, as t

2015-02-24 Thread Graham Leggett
On 22 Feb 2015, at 11:22 PM, Tinker ti...@openmailbox.org wrote:

> I need your authoritative answer on the following question.

[snip stuff that is too long]

You are totally overthinking this.

The SSL protocol involves negotiation, during which the sender and the receiver 
exchange data with each other. What this means is that during either SSL_read, 
or SSL_write, openssl might try to write or read respectively. If your 
non-blocking code isn’t geared to handle this, you might end up either hanging 
or spinning as you wait for the wrong event.

The SSL_WANTS_READ response code is a warning that means “I want to read during 
SSL_write, are you ok with me doing this?”.

The SSL_WANTS_WRITE response code is a warning that means “I want to write 
during SSL_read, are you ok with me doing this?”.

In both cases, once you have determined that it is ok to read, or ok to write, 
you simply retry SSL_write() or SSL_read() again.

For example, a read loop:

sense = READ;
while (sense == READ ? if_ready_to_read() : if_ready_to_write()) {
    rc = SSL_read(ssl, buf, sizeof(buf));
    if (rc > 0) {
        // do stuff with what you read
        sense = READ;
    } else {
        err = SSL_get_error(ssl, rc);   // call this before any other openssl call
        if (err == SSL_ERROR_WANT_WRITE) {
            sense = WRITE;              // openssl wants to write during SSL_read
        } else if (err == SSL_ERROR_WANT_READ) {
            sense = READ;               // you may have read nothing, but that’s fine too
        } else {
            break;                      // SSL_ERROR_ZERO_RETURN (clean close) or a real error
        }
    }
}

Regards,
Graham
—



Re: [openssl-users] SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE

2015-02-21 Thread Graham Leggett
On 21 Feb 2015, at 12:58 PM, Serj Rakitov ra...@yandex.com wrote:

> I set socket to non-blocking mode.
> 
> 1. If I do SSL_read() and get result =0 and then SSL_get_error() returns 
> SSL_ERROR_WANT_WRITE what must I do?
> Is it enough to call SSL_write(ssl,0,0) one time and then again call 
> SSL_read() until it succeeds. Is this right?
> 
> 
> 2.  If I do SSL_write() and get result =0 and then SSL_get_error() returns 
> SSL_ERROR_WANT_READ what must I do?
> If I must read some data can it be application data or no? So, if I call 
> SSL_read(ssl,buf,buf_size) must I wait in buf for some application data or 
> never?
> And after I did SSL_read(ssl,buf,buf_size) then I must again call SSL_write() 
> until it returns with success?
> 
> 
> 3. Can be this situation: SSL_write() returns =0 and then SSL_get_error() 
> returns SSL_ERROR_WANT_WRITE?
> What to do in this case for non-blocking socket?

In both cases you return back to your poll and ask the OS to wait for the event 
that openssl asked for. If openssl asked for read, you poll until the socket is 
readable. If openssl asked for a write, you poll until the socket is writable.

When you get the event you asked for, you just run whatever you were running 
again. For example, if you were running SSL_read, run SSL_read again. If you 
were running SSL_write, run SSL write again.

So to write it out:

- Call SSL_read(), it returns SSL_ERROR_WANT_WRITE
- Poll for the socket being writable.
- It’s writable! Call SSL_read() again. It might return SSL_ERROR_WANT_READ
- Poll for the socket being readable.
- It’s readable! Call SSL_read() again, and so on.

If openssl wants read, poll for read. If openssl wants write, poll for write. 
Don’t arbitrarily swap round SSL_read and SSL_write, those two calls are what 
*you* want to do, not what openssl wants to do.

Regards,
Graham
—



Re: Parsing an SSL hello packet

2014-10-28 Thread Graham Leggett
On 28 Oct 2014, at 1:30 PM, Florian Weimer f...@deneb.enyo.de wrote:

> * Graham Leggett:
> 
>> I have a need to parse the first incoming hello packet on an
>> incoming TLS connection and based on the presence (or absence) of
>> the SNI header, choose to pass the connection through to another
>> server.
> 
> I think you'll need to work with BIOs to make a copy of the initial
> handshake messages and prevent the OpenSSL code from sending any data,
> install a server name callback (see SSL_CTX_callback_ctrl and
> SSL_CTRL_SET_TLSEXT_SERVERNAME_CB), and abort the connection from
> OpenSSL's point of view at that point.  You then know the SNI value
> and can forward the stored handshake messages to the correct server.
> 
> The callback is invoked fairly late, so OpenSSL needs to be able to
> parse the handshake messages.  A separate Client Hello parser is not
> part of the OpenSSL public API.

Is there a way to know whether the initial handshake has arrived fully?

Should I just call SSL_read() over and over until the point at which it wants 
to write data, and go “initial handshake is done”?

Regards,
Graham
—

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Parsing an SSL hello packet

2014-10-27 Thread Graham Leggett
Hi all,

I have a need to parse the first incoming hello packet on an incoming TLS 
connection and based on the presence (or absence) of the SNI header, choose to 
pass the connection through to another server.

What openssl functions should I be looking at to do this?

Regards,
Graham
—

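A worked example added here for the two "Parsing an SSL hello packet" posts above (my code, not the thread's or OpenSSL's): a stand-alone parser that reassembles the handshake records at the front of a buffer, answers "has the whole ClientHello arrived yet?" by raising Incomplete, and returns the SNI host name so a connection can be routed before any OpenSSL state is created. build_client_hello constructs the sample input; all names are mine.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)
MAX_RECORD = 16384        # largest TLS record payload


class Incomplete(Exception):
    """More bytes must be read before the ClientHello can be judged."""


def build_client_hello(server_name=None, fragment_at=None):
    """Constructed sample ClientHello (TLS 1.2 layout); fragment_at splits it across two records."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"   # client_version, random, empty session_id
    suites = b"\xc0\x30\xc0\x2f"                   # two ECDHE-RSA AES-GCM suites
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # + null compression
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    pieces = [msg] if fragment_at is None else [msg[:fragment_at], msg[fragment_at:]]
    return b"".join(bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(p)) + p
                    for p in pieces)


def _handshake_payload(buf):
    """Concatenate the payloads of the complete handshake records at the front of buf."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(buf):
        ctype, major, _minor, rlen = struct.unpack("!BBBH", buf[pos:pos + 5])
        if ctype != TLS_HANDSHAKE or major != 3:
            raise ValueError("not a TLS handshake record")
        if rlen > MAX_RECORD:
            raise ValueError("record length exceeds the TLS maximum")
        if pos + 5 + rlen > len(buf):
            break                                  # partial record: wait for the rest
        out += buf[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    return bytes(out)


def _host_name(ext):
    """Pull the host_name entry out of a server_name extension body."""
    end = 2 + struct.unpack("!H", ext[:2])[0] if len(ext) >= 2 else -1
    if end < 0 or end > len(ext):
        raise ValueError("malformed server_name list")
    pos = 2
    while pos + 3 <= end:
        ntype, nlen = ext[pos], struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        if pos + nlen > end:
            raise ValueError("server_name entry overruns list")
        if ntype == 0:
            return ext[pos:pos + nlen].decode("ascii")
        pos += nlen
    return None


def _sni_from_hello(hello):
    """Walk the ClientHello fields and return the SNI name, or None if there is none."""
    def need(n):
        if pos + n > len(hello):
            raise ValueError("truncated ClientHello field")
    pos = 2 + 32                                   # client_version + random
    need(1); pos += 1 + hello[pos]                 # session_id
    need(2); pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    need(1); pos += 1 + hello[pos]                 # compression_methods
    if pos == len(hello):
        return None                                # legal: no extensions block at all
    need(2); end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    if end != len(hello):
        raise ValueError("extensions length disagrees with ClientHello length")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns extensions block")
        if etype == EXT_SERVER_NAME:
            return _host_name(hello[pos:pos + elen])
        pos += elen
    return None


def peek_sni(buf):
    """SNI of the ClientHello at the front of buf (None if absent); Incomplete means read more."""
    hs = _handshake_payload(buf)
    if len(hs) < 4:
        raise Incomplete("handshake header not yet received")
    if hs[0] != CLIENT_HELLO:
        raise ValueError("first handshake message is not a ClientHello")
    hlen = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hlen:
        raise Incomplete("have %d of %d ClientHello bytes" % (len(hs) - 4, hlen))
    return _sni_from_hello(hs[4:4 + hlen])
```

Keep appending bytes from the socket and calling peek_sni until it returns instead of raising Incomplete; a ValueError means the peer did not send TLS at all, and the bytes already buffered are what you forward to the chosen backend.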


Order of certs returned by SSL_get_peer_cert_chain()

2014-10-20 Thread Graham Leggett
Hi all,

Can anyone confirm the order in which certs are returned by 
SSL_get_peer_cert_chain()?

Regards,
Graham
—



Symmetrical encryption in FIPS mode?

2014-10-02 Thread Graham Leggett
Hi all,

Looking at the headers in the FIPS module of openssl, I see none of the 
EVP_Encrypt* functions are available. Am I assuming correctly that no 
symmetrical encryption is possible at all in FIPS mode?

Regards,
Graham
—



Using a salt to improve key strength in HLS

2014-09-21 Thread Graham Leggett
Hi all,

In the HLS protocol[1], there is the option of serving encrypted data protected 
by a simple symmetrical key and AES-128. The symmetrical key is served to the 
client over a secure connection, and the data is then retrieved separately over 
a probably-insecure-but-cacheable connection and unlocked with the key.

I would like to strengthen the key by using the URL of the content as a salt, 
and would like to verify the most cryptographically sound way to do this. Would 
it make sense to create an HMAC out of the key and the salt (inserting them 
into HMAC’s “message” and “key”), and then using the result as the key that is 
used to protect the content?

The end goal would be that the holder of a valid HMAC-used-as-key for one URL 
would find it sufficiently hard to derive the HMAC-used-as-key for the other 
URLs that might be hosted alongside. In both cases the client will know the 
URLs and specific HMAC-used-as-keys that were revealed to the client, but won’t 
know the underlying key that started it all.

Does this make sense?

[1] http://tools.ietf.org/html/draft-pantos-http-live-streaming-13

Regards,
Graham
—

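An added illustration of the derivation asked about above (my example, not the poster's or OpenSSL's code): derive_content_key puts the secret in HMAC's key slot and the URL in the message slot, and truncates the tag to the 16 bytes an AES-128 HLS key needs; new_master_key is an assumed helper for the key server.

```python
import hashlib
import hmac
import secrets


def new_master_key():
    """Fresh 256-bit master key for the key server; it never leaves the server."""
    return secrets.token_bytes(32)


def derive_content_key(master_key, url):
    """Per-URL AES-128 key for HLS: the first 16 bytes of HMAC-SHA256(master_key, url).

    The secret goes in HMAC's key slot and the public URL in the message slot; that
    is the orientation under which HMAC behaves as a PRF, so each URL gets a key that
    looks independent of every other URL's key, and a client holding (url, key) for
    one segment learns nothing about the master key or about any other URL's key.
    Truncating the 32-byte tag to 16 bytes keeps the key at AES-128 size.
    """
    if not master_key:
        raise ValueError("master key must not be empty")
    return hmac.new(master_key, url.encode("utf-8"), hashlib.sha256).digest()[:16]
```

The key server returns derive_content_key(master, url) over HTTPS for the URL the client asks about; since the URL is an input to the derivation, the packager and the key server must use the same canonical URL string for each piece of content.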


Re: SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread Graham Leggett
On 23 Apr 2014, at 2:23 PM, Kaushal Shriyan kaushalshri...@gmail.com wrote:

> I am new to SSL/TLS Certificates. Please help me understand what is the 
> difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I 
> will appreciate if i can refer to some books or tutorials to know about 
> SSL/TLS technology.

The closest thing you'll probably encounter in the real world to a digital 
certificate is a diploma or degree from an educational institution.

Anyone can write "John Smith (PhD)" on a piece of paper, that doesn't indicate 
anything special or prove anything. We might improve that by writing "John 
Smith (PhD), Faculty of Philosophy" on that piece of paper, but again, which 
faculty of philosophy? Never heard of them. Still, the piece of paper is 
useless. We can however write "John Smith (PhD), Faculty of Philosophy, 
University of Cambridge" on the piece of paper and sign the paper by putting a 
great big seal on the paper to make the paper hard to forge. In theory, we have 
heard of and trust the University of Cambridge, and in turn the University of 
Cambridge trusts the Faculty of Philosophy, which in turn trusts John Smith. If 
we trust the University of Cambridge, then we trust John Smith.

If we were using digital certificates instead of a certificate you might hang 
on a wall we might create a certificate called "cn=John Smith (PhD)" and get 
John Smith to sign it. This cert is largely meaningless, given that in order to 
trust John Smith we need to already trust John Smith using some out-of-band 
method. This is a self signed certificate.

If we were using certificates with a full certificate authority, we would 
instead have a certificate called "cn=John Smith (PhD)" issued by and signed by 
"ou=Faculty of Philosophy" which is in turn issued by and signed by 
"o=University of Cambridge". The "o=University of Cambridge" certificate is 
called the ROOT CA certificate, because we have manually trusted that one using 
an out of band method (we might have got it built into our browser). The 
intermediate certificate is the "ou=Faculty of Philosophy" certificate, which 
is trusted by "o=University of Cambridge" and trusts "cn=John Smith (PhD)". John 
Smith is the leaf certificate trusted by the others.

All you need to do is trust the root CA certificate "o=University of 
Cambridge", and you automatically trust everyone they trust, including "cn=John 
Smith (PhD)". Instead of relying on a big elaborate piece of paper with a wax 
seal on it, you rely on a mathematical equation that verifies that the 
certificate is legitimate, but the idea is the same.

Regards,
Graham
--



Re: Who uses heartbeat?

2014-04-13 Thread Graham Leggett
On 13 Apr 2014, at 12:25 PM, Hanno Böck ha...@hboeck.de wrote:

 I wasn't really sure where to ask this, but I think this list is
 appropriate.
 
 While having read so much about heartbleed, one question stays
 unanswered for me all the time:
 What's the use of this heartbeat extension? I mean not the theoretical
 use (I can imagine that) but the use in practise.
 
 Is there any software out there that doees anything with heatbeat? And
 more specifically: If there is, is it using TCP or UDP?

The RFC answers this:

https://tools.ietf.org/html/rfc6520

1.1.  Overview

   This document describes the Heartbeat Extension for the Transport
   Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
   protocols, as defined in [RFC5246] and [RFC6347] and their
   adaptations to specific transport protocols described in [RFC3436],
   [RFC5238], and [RFC6083].

   DTLS is designed to secure traffic running on top of unreliable
   transport protocols.  Usually, such protocols have no session
   management.  The only mechanism available at the DTLS layer to figure
   out if a peer is still alive is a costly renegotiation, particularly
   when the application uses unidirectional traffic.  Furthermore, DTLS
   needs to perform path MTU (PMTU) discovery but has no specific
   message type to realize it without affecting the transfer of user
   messages.

   TLS is based on reliable protocols, but there is not necessarily a
   feature available to keep the connection alive without continuous
   data transfer.

   The Heartbeat Extension as described in this document overcomes these
   limitations.  The user can use the new HeartbeatRequest message,
   which has to be answered by the peer with a HeartbeartResponse
   immediately.  To perform PMTU discovery, HeartbeatRequest messages
   containing padding can be used as probe packets, as described in
   [RFC4821].

Regards,
Graham
--



Re: Who uses heartbeat?

2014-04-13 Thread Graham Leggett
On 13 Apr 2014, at 2:04 PM, Michael Ströder mich...@stroeder.com wrote:

 No, it does *not* answer the question.
 
 The question was: Who is currently using it?

Just to clarify any possible confusion, whether or not a piece of software 
actively uses the heartbeat makes no difference to the bug, you are still 
vulnerable simply by virtue of the feature being there. Make sure that if you 
are using an affected version of openssl, you patch openssl.

Regards,
Graham
--



Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 4:09 AM, Graham Leggett minf...@sharp.fm wrote:

 I am trying to load the name and value of an X509 extension programmatically 
 via the API (in other words, the openssl.cnf file isn't being used), and I am 
 struggling with openssl telling me that the tag doesn't exist.
 
 The extension I want to load has the name keyUsage and value 
 nonRepudiation,digitalSignature,keyEncipherment, and the error I get looks 
 like this:
 
 139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown 
 tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

Some more digging and I still can't find how openssl parses extensions.

Reverse engineering the code, it appears that ASN1_generate_v3() expects to be 
passed a parameter string that is a name value pair separated with a colon, 
which the string nonRepudiation isn't.

I tried passing the string OID:1.3.6.1.5.5.7.3.2 for the extendedKeyUsage 
extension, and ASN1_generate_v3() goes through the motions, but the client side 
complains that the extendedKeyUsage value in the generated certificate is 
invalid.

Can anyone explain what the correct sequence of API calls should be to convert 
nonRepudiation and clientAuth into something that openssl can add as an 
extension to a certificate?

Regards,
Graham
--



Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 2:25 PM, Dr. Stephen Henson st...@openssl.org wrote:

 Have a look at demos/x509/mkcert.c

I eventually found it was as simple as this:

*extension = X509V3_EXT_conf(NULL, NULL, (char *)name, (char *)val);

What threw me was whether it was ok to pass NULL or not (it is).

Regards,
Graham
--



ASN1_generate_v3: reading X509 extension via the API

2014-01-17 Thread Graham Leggett
Hi all,

I am trying to load the name and value of an X509 extension programmatically 
via the API (in other words, the openssl.cnf file isn't being used), and I am 
struggling with openssl telling me that the tag doesn't exist.

The extension I want to load has the name keyUsage and value 
nonRepudiation,digitalSignature,keyEncipherment, and the error I get looks 
like this:

139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown 
tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

The code that is trying to load in the extension looks like this:

/* find the name of the extension */
if (!(obj = OBJ_txt2obj(name, 0))) {
// error handler, this works fine when name has value keyUsage
}

type = ASN1_generate_v3((char *)val, NULL);
if (type == NULL) {
// we bomb out here with val as nonRepudiation,digitalSignature,keyEncipherment
}

When I initialise openssl, I run the following two functions:

OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();

Can anyone shed some light on what I might be doing wrong?

The code above was obtained by reverse engineering openssl itself, what is 
throwing me is that I can't see how openssl understands the words 
nonRepudiation,digitalSignature,keyEncipherment when my code doesn't.

Regards,
Graham
--



Verifying all subjects in a certificate chain

2014-01-13 Thread Graham Leggett
Hi all,

In a typical client certificate scenario, you might verify that a certificate 
chain is complete, not expired, and trusted by a root certificate. If you were 
to choose a way to authorize the certificate over and above the check that the 
cert is valid, you might store its subject in a directory, and compare that.

I face a problem where I need to trust two client certificate trees, and there 
is no guarantee that the subject of a certificate issued beneath the first tree 
doesn't collide with the subject of a certificate in the second tree, and so 
storing the subject isn't good enough any more. In the past you might have 
stored and trusted the issuer, but given that certificate chains can be of 
arbitrary depth this isn't good enough either.

In theory I would need to store all the subjects of all the certificates in the 
chain to uniquely identify that certificate where multiple independent CAs are 
trusted, but I am struggling to find an existing standard way to encode this 
list of subject names. Does such a thing exist?

In theory I might encode the subjects of the certificate chain as 
subject=escaped-subject-client-cert, 
subject=escaped-subject-of-intermediate-cert, 
subject=escaped-subject-of-root-cert and assign this to an LDAP attribute. 
Lots of escaping though.

Alternatively I might generate a hash (sha256?) of all the subjects, suitably 
canonicalised (rfc2253?), although that is less readable.

Has anyone done something like this before?

Regards,
Graham
--
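An added illustration, not from the thread, of the two encodings sketched above: the escaped readable list and a hash over the chain's subjects, plus the ambiguity that comma-joining without escaping has and that the hash's length-prefixing avoids. It assumes the subjects are already RFC 2253 strings, leaf first; the chains are constructed.

```python
import hashlib
import struct
from typing import Sequence


def escape_dn_for_list(dn: str) -> str:
    """Escape the characters that would be ambiguous once DNs are joined with
    commas (the 'lots of escaping' route from the post)."""
    return dn.replace("\\", "\\\\").replace(",", "\\,")


def readable_chain_identity(subjects: Sequence[str]) -> str:
    """Human-readable form 'subject=<leaf>, subject=<intermediate>, ...',
    leaf first, root last, each DN escaped so the separators stay unambiguous."""
    return ", ".join("subject=" + escape_dn_for_list(dn) for dn in subjects)


def naive_chain_identity(subjects: Sequence[str]) -> str:
    """Comma-join WITHOUT escaping: shown only to make the ambiguity visible."""
    return ", ".join(subjects)


def chain_identity_hash(subjects: Sequence[str]) -> str:
    """SHA-256 over the subjects, leaf to root. The count and every string are
    length-prefixed, so the encoding is injective: no DN content (commas,
    quotes, backslashes) and no RDN boundary can make two chains collide."""
    h = hashlib.sha256()
    h.update(struct.pack(">I", len(subjects)))
    for dn in subjects:
        raw = dn.encode("utf-8")
        h.update(struct.pack(">I", len(raw)))
        h.update(raw)
    return h.hexdigest()


# Constructed chains. The leaf of chain A has two RDNs; the intermediate of
# chain B has two RDNs. Joined naively, both read "CN=alice, O=Org1, CN=Org1 CA",
# so a directory keyed on that string could not tell the two clients apart.
CHAIN_A = ["CN=alice, O=Org1", "CN=Org1 CA"]
CHAIN_B = ["CN=alice", "O=Org1, CN=Org1 CA"]

if __name__ == "__main__":
    for chain in (CHAIN_A, CHAIN_B):
        print(naive_chain_identity(chain))
        print(readable_chain_identity(chain))
        print(chain_identity_hash(chain))
```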



openssl pkcs12: use of caname option

2013-10-09 Thread Graham Leggett
Hi all,

I have a cert, a CA cert, and N intermediate certificates, each in three 
separate files. I don't know the value of N during this process.

What I need to do is combine these certs into a P12 file, but crucially I need 
to give the cert and the CA cert very specific nicknames for further scripting 
to work. The -name option is working fine, it gives the nickname to the cert 
as expected, I am struggling however with the -caname option - instead of 
applying the nickname to the CA certificate, it applies the nickname to the 
first intermediate cert instead.

/usr/bin/openssl pkcs12 -export -in machine.cert -CAfile ca.pem -certfile 
machine.chain -inkey machine.key -out machine.p12 -name Server-Cert -passout 
env:PASS -chain -caname CA-Cert

As an alternative I tried piping the certs to openssl, but this time openssl 
seems to be ignoring the additional certs and throws an error:

cat machine.cert ca.pem machine.chain | /usr/bin/openssl pkcs12 -export -inkey 
machine.key -out machine.p12 -name Server-Cert -passout env:PASS -chain 
-caname CA-Cert
Error unable to get local issuer certificate getting chain.

Can this be done with openssl?

Regards,
Graham
--



Re: Consequences to draw from the latest Snowden revelations?

2013-09-07 Thread Graham Leggett
On 07 Sep 2013, at 11:26 PM, Steve Marquess marqu...@opensslfoundation.com 
wrote:

 Note that Dual EC DRBG is *NOT* used by default and a calling
 application must specifically and deliberately enable it; that cannot be
 done accidentally. Any application which does so will hopefully be fully
 aware of the consequences (and probably must do so for
 policy reasons).

Is the Dual EC DRBG used in any hardware crypto implementations, and if so, how 
would we avoid using those hardware implementations with certainty in OpenSSL?

I'm thinking specifically of the Intel one described here: 
http://spectrum.ieee.org/computing/hardware/behind-intels-new-randomnumber-generator

Regards,
Graham
--



Re: How to securely encrypt identical files to identical ciphertext?

2013-08-17 Thread Graham Leggett
On 17 Aug 2013, at 06:03, Unga unga...@yahoo.com wrote:

 My encrypted file is with you. It is encrypted without a salt. I'm scared you 
 may use a sophisticated system to decrypt it and read the sensitive info. I 
 use a per file not guessable 150 character password. This password is not 
 repeated, only reused on identical plaintext files.
 
 
 I want to understand: is it any easier for you to decrypt it than a salted 
 encrypted file?

The purpose behind the salt is to make sure two identical plaintexts encrypted 
with the same key give different values for the cyphertext. This remains 
important in your case because your file is actually a series of plaintexts of 
a given block size one after the other, and if you have regular data in the 
plaintext you will have regular data in the cyphertext without a salt.

What you might do when you generate your unique random passphrase is at the 
same time generate a unique random salt, and store the two together.

Regards,
Graham
--



Re: SNI: What *doesn’t* support it?

2013-04-19 Thread Graham Leggett
On 19 Apr 2013, at 21:06, Felipe Gasper fel...@felipegasper.com wrote:

 What are the big things out there that still don’t have SNI support?
 
 As far as I know:
 
 CentOS 5 (by default)
 Android 2.x
 original iPhone & iPod Touch
 IE on WinXP
 
 I’m looking for “major obstacles to deployment”. The Wikipedia page 
 (https://en.wikipedia.org/wiki/Server_Name_Indication) gives quite a few, but 
 I thought maybe folks here could contribute something additional.

Java 6 and earlier lack support, as does httpclient which refuses to support 
SNI on principle: https://issues.apache.org/jira/browse/HTTPCLIENT-1119. This 
affects the most recent versions of maven.

Svnkit also didn't support SNI until very recently, affecting many continuous 
integration servers.

Regards,
Graham
--



Re: Need input for Certificate generation

2012-11-16 Thread Graham Leggett
On 16 Nov 2012, at 4:36 AM, Jeffrey Walton noloa...@gmail.com wrote:

 On Thu, Nov 15, 2012 at 10:41 AM, Jeffrey Walton noloa...@gmail.com wrote:
 On Thu, Nov 15, 2012 at 6:03 AM, Pravesh Rai pravesh@gmail.com wrote:
 
 CryptGenRandom(hCryptProv, SEED_SIZE, buf); // On Windows OS
 apr_generate_random_bytes(buf, SEED_SIZE);  // On Linux OS
 
 Speaking of poor documentation…..

Why are you discussing APR on the openssl list? Surely if you had a problem 
with the APR documentation this would be a matter for the APR lists instead?

 I looked at the header and the source. They are different style
 sheets applied to the same file (I expected to see the H file, and
 the C file). Neither had comments.

Really?

According to the source code, the header file is here:

https://svn.apache.org/repos/asf/apr/apr/branches/1.4.x/include/apr_general.h

The implementation is platform specific (that's the point of APR), and for unix 
it is here:

https://svn.apache.org/repos/asf/apr/apr/branches/1.4.x/misc/unix/rand.c

Both the header and source contain comments.

 Confer
 http://apr.apache.org/docs/apr/0.9/apr__general_8h-source.html and
 http://apr.apache.org/docs/apr/0.9/group__apr__random.html.

Why would you choose the obsolete v0.9 of APR as an example, when the latest 
version is v1.4.6? Have you read the documentation at http://apr.apache.org/ 
that covers this?

 I'll reproduce it here without the markup:
 
 apr_status_t apr_generate_random_bytes(
unsigned char * buf,
int length 
 ) 
 
 So, there are a few problems here. First is no documentation. Verbum
 sapienti sat.

APR uses doxygen as a documentation generation system: 
http://en.wikipedia.org/wiki/Doxygen

The documentation is generated from the source headers, for example:

/**
 * Generate random bytes.
 * @param buf Buffer to fill with random bytes
 * @param length Length of buffer in bytes
 */
APR_DECLARE(apr_status_t) apr_generate_random_bytes(unsigned char * buf, 
apr_size_t length);

The phrase generate random bytes is woefully inadequate, so I did the right 
thing and raised the issue on the right mailing list, archived here:

http://www.mail-archive.com/dev@apr.apache.org/msg24968.html

 Second, you don't know what conditions need to be satisfied to define
 APR_HAS_RANDOM (did you even know it was there?). This could be fixed
 with documentation, but APR chose otherwise.

If you look closer at APR, you'll notice that to build it, you run the 
configure script generated by a tool called autoconf. If you had occasion to 
care where APR_HAS_RANDOM came from, you would ensure that you understood 
autoconf and how it tests for system capability at compile time. It is not 
APR's job to re-document the autoconf tool: 
http://en.wikipedia.org/wiki/Autoconf

 Third, you don't know what the function returns on success. Is there a
 apr_succes? Or apr_true? This could be fixed with documentation, but
 APR chose otherwise.

The error codes are documented extensively here: 
http://apr.apache.org/docs/apr/1.4/group__apr__errno.html

 Fourth, the API tells you a negative length is acceptable. This could
 be fixed with documentation, but APR chose otherwise.

Really? The API specifies a length of apr_size_t. If you read the documentation 
(Hint: try a google search for site:apr.apache.org apr_size_t) you discover 
that apr_size_t is documented here as being equivalent to size_t:

http://apr.apache.org/docs/apr/1.4/group__apr__platform.html

In turn, size_t is defined as an unsigned type, such as unsigned int, depending 
on your platform.

By reading the documentation you would have discovered that a negative length 
is not possible.

 A negative
 length makes no sense whatsoever (I know, its not limited to APR). I
 would encourage you to write a few negative self-tests and submit it
 to the project: send in a NULL`buf`, a zero `length`, and a negative
 `length`. See how the library handles it. Since they botched the API
 design, I would not be surprised if they SIGABRT on you (that's how
 *not* to build a resilient system).

I would suggest instead that you read the documentation.

 Fifth, there is probably some internal state, but we don't know that
 for sure. This could be fixed with documentation, but APR chose
 otherwise. If there is state, you don't know where it came from or its
 quality. Did they limit themselves to (1) Time of Day, (2) Mac
 address, (3) /dev/{u}rand, (4) the kernel's hwrand, or (5) virtio
 gear? Perhaps some other clever combination? Are they constantly
 hedging (probably not)? If there is no state, they have already broken
 you (that's how *not* to build a resilient system).

Correct, and I have raised this on the d...@apr.apache.org list, just as you 
should have done.

 This is a bit more personal taste, but I require PRNGs to be thread
 safe. So Sixth, is the library thread safe? Is the call to
 apr_generate_random_bytes() thread safe? I would definitely write a
 

Re: Usage of d2i_RSA_PUBKEY function!!

2012-11-16 Thread Graham Leggett
On 16 Nov 2012, at 4:37 PM, PraveenPVS meetpraveen...@gmail.com wrote:

 I need to load RSA Public key which is stored in the char buffer. I came
 across d2i_RSA_PUBKEY function to do the same (Please correct me if I am
 wrong here).

The d2i in the function you're trying to use means from DER encoded to 
internal, you'll see a whole lot of complementary functions with i2d in them 
that do the opposite.

The data you've shown looks like it has been PEM encoded, not DER encoded:

 loadRSAPubKey(MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0yepYbVklwYuwGEmenQhVwyddHGdM26rZqWG5tFFPYz1QA51EJ44thSejrbRKHqV/EmqU8wwuFeaDmxnVz6UhG3HfjuTbAkkuZ+boEIealr/Ml+kHqRgzQ6G1rP9+5goboZzlpB9b8zYvp+5my5xFCd8OqyoKKyoHBJ3Tf0NCSstow7k0W/5JMeDa844HpCK4rOxlUaIGsDGTC/XIJ93EQs8yT4js5iw++pJslQvh1RzeQtzLQ8xNGYKlr9RyIvh2S28qXb+qfEx7r+kG8RjS4jc3E3XR/nja7HXnAFWCgF/cRcj5aQHq02scW8Vi+iBS/A1Y5RD2QMxJqY1yxC28QIDAQAB);

To convert the PEM encoding, try wrap your buffer in a BIO and call 
PEM_read_bio_X509(). man PEM_read_bio_X509 for details. Make sure you 
preserve the - bars before and after the PEM encoded certificate, as they 
form part of the PEM encoding and your data may be ignored if you chop them off.

Regards,
Graham
--





Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
Hi all,

I would like to know how long a CRL has until it expires in seconds (or milli 
or microseconds, don't care, I can convert), and am struggling to find a 
formally supported way to do this.

What I would like to do is return the difference between a given ASN1_TIME and 
the current time, or two ASN1_TIME values (don't care which, I can generate an 
ASN1_TIME from the current time).

Does openssl offer a function to do this, or will I be forced to write my own?

Regards,
Graham
--





Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 3:57 PM, Jakob Bohm jb-open...@wisemo.com wrote:

 Look in the code that checks certificates for expiry (during certificate
 validation), it probably calls an appropriate subroutine on the expiry
 date in the X509 cert.

Already did that, the function you're referring to is called X509_cmp_time() 
declared in crypto/x509/x509_vfy.c. This function seems to return a -1, 0 or 1 
in some cases, it doesn't return the difference between the times as you would 
expect it to.

Regards,
Graham
--





Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 4:08 PM, Dirk-Willem van Gulik di...@webweaving.org wrote:

 The bit of code I stole from x509/x509_vfy.c works for me.
 
 Dw.
 
 if (!X509_CRL_get_nextUpdate(crl))
     return -1;
 
 int i = X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
 if (i == 0)
     return -1; // could not parse date
 
 /* Ignore expiry of base CRL is delta is valid */
 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
     return -1;
 
 return 0;

What I'm after is the difference between the given date and now so that I can 
construct a max-age value for Cache-Control. At this stage, there doesn't seem 
to be a way to do this in openssl.

Regards,
Graham
--





Re: Find the difference in (milli|micro)seconds between two ASN1_TIME values

2012-11-07 Thread Graham Leggett
On 07 Nov 2012, at 4:50 PM, Ted Byers r.ted.by...@gmail.com wrote:

 Why does it need to be something in openssl?

Ideally because it needs to be as secure as openssl.

I'm after an accurate time duration between two ASN1_TIME values, that is not 
dependent on local conditions, or any external libraries.

Regards,
Graham
--
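An added illustration, not code from the thread: the arithmetic asked about above, done in Python over the string form an ASN1_TIME carries (UTCTime or GeneralizedTime as RFC 5280 constrains them, including the two-digit-year pivot) and turned into a Cache-Control max-age. OpenSSL 1.0.2 and later provide ASN1_TIME_diff() for the same purpose; the sample times here are constructed.

```python
from datetime import datetime, timezone
from typing import Optional


def parse_asn1_time(value: str) -> datetime:
    """Parse the string form of an ASN1_TIME as RFC 5280 constrains it:
    UTCTime 'YYMMDDHHMMSSZ' or GeneralizedTime 'YYYYMMDDHHMMSSZ' (fractional
    seconds, if present, are ignored). Both must carry the trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("ASN.1 time in a certificate or CRL must be UTC ('Z')")
    body = value[:-1]
    if len(body) == 12 and body.isdigit():               # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy      # RFC 5280 4.1.2.5.1 pivot
        rest = body[2:]
    elif len(body) >= 14 and body[:14].isdigit():        # GeneralizedTime
        year = int(body[:4])
        rest = body[4:14]
        fraction = body[14:]
        if fraction and not (fraction[0] == "." and fraction[1:].isdigit()):
            raise ValueError(f"malformed fractional seconds in {value!r}")
    else:
        raise ValueError(f"unrecognised ASN.1 time {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    # datetime() rejects impossible dates (month 13, 31 Feb) for us
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def asn1_time_diff_seconds(from_time: str, to_time: str) -> int:
    """Signed number of seconds from from_time to to_time."""
    delta = parse_asn1_time(to_time) - parse_asn1_time(from_time)
    return int(delta.total_seconds())


def crl_max_age(next_update: str, now: Optional[datetime] = None) -> int:
    """Cache-Control max-age for a CRL: seconds left until nextUpdate, floored
    at zero so a CRL that is already past nextUpdate is not cached at all."""
    if now is None:
        now = datetime.now(timezone.utc)
    remaining = int((parse_asn1_time(next_update) - now).total_seconds())
    return max(remaining, 0)


if __name__ == "__main__":
    # constructed thisUpdate/nextUpdate values, not taken from a real CRL
    this_update, next_update = "121107120000Z", "121108120000Z"
    print(asn1_time_diff_seconds(this_update, next_update))               # 86400
    print(crl_max_age(next_update, now=parse_asn1_time("121107180000Z")))  # 64800
```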





MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
Hi all,

I understand as per RFC2585 that the MIME type for a CRL is 
application/pkix-crl, but I am struggling to figure out whether there is a way 
to specify using MIME types and/or content negotiation whether the CRL is PEM 
encoded or DER encoded.

Is there a Content-Encoding for PEM specified somewhere?

Would Content-Encoding: base64 be good enough, or should this be 
Content-Encoding: x-base64? (Or perhaps pem or x-pem).

Regards,
Graham
--





Re: MIME types for PEM encoded CRLs

2012-10-27 Thread Graham Leggett
On 27 Oct 2012, at 2:18 PM, Stefan H. Holek ste...@epy.co.at wrote:

 I understand as per RFC2585 that the MIME type for a CRL is 
 application/pkix-crl, but I am struggling to figure out whether there is a 
 way to specify using MIME types and/or content negotiation whether the CRL 
 is PEM encoded or DER encoded.
 
 Is there a Content-Encoding for PEM specified somewhere?
 
 Would Content-Encoding: base64 be good enough, or should this be 
 Content-Encoding: x-base64? (Or perhaps pem or x-pem).
 
 The same RFC also says that CRLs must be DER encoded:
 http://tools.ietf.org/html/rfc2585.html#section-3

The section you quote refers to the content of files with the extensions .cer 
and .crl, it doesn't refer to HTTP:

   For convenience, the names of files that contain certificates should
   have a suffix of .cer.  Each .cer file contains exactly one
   certificate, encoded in DER format.  Likewise, the names of files
   that contain CRLs should have a suffix of .crl.  Each .crl file
   contains exactly one CRL, encoded in DER format.

Section 4.1 says:

   Encoding considerations: will be none for 8-bit transports and most
   likely Base64 for SMTP or other 7-bit transports

What I'm after is how to interpret section 4.1 in the context of HTTP content 
negotiation.

Regards,
Graham
--





Re: Mac OS X and SSL Client Certitficates

2012-10-12 Thread Graham Leggett
On 12 Oct 2012, at 3:59 PM, Tom Browder tom.brow...@gmail.com wrote:

 I have successfully generated SSL client certs (generated with openssl
 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
 IE 9 on Windows, but I cannot get successful access with either Safari
 or Firefox on Mac OS X.
 
 When I try on Mac/Safari I get the error:
 
  The server did not accept the certificate. (NSURLErrorDomain:-1205)
 
 When I try on Mac/Firefox I get the error:
 
  SSL peer has rejected your certificate as expired.
 
  (Error code: ssl_error_expired_cert_alert)
 
 When I view the cert on the Mac it clearly shows an expiration date
 approximately one year from now.

Is both the clock and the timezone on this machine correct? You may find the 
certificate is not yet valid.

Regards,
Graham
--





Re: Firefox unhappy with my self signed Cert

2012-10-11 Thread Graham Leggett
On 12 Oct 2012, at 1:03 AM, Derek Cole derek.c...@gmail.com wrote:

 I installed my_server_cert.pem as a trusted authority in firefox, however, it 
 still prompts that it is an Untrusted Connection and has the button to add 
 security exception. When I click this button, I noticed that under 
 Certificate Status it says Wrong Site and This site attempts to identify 
 itself with invalid information

What DNS name did you insert into the certificate, and does this DNS name match 
the name of the site you're connecting to exactly?

One of the key purposes of an SSL cert in an https connection is to verify that 
you are actually connecting to the site you think you're connecting to. If the 
DNS names don't match, the connection will fail, as it should.

Regards,
Graham
--





Re: Firefox unhappy with my self signed Cert

2012-10-11 Thread Graham Leggett
On 12 Oct 2012, at 1:40 AM, Charles Mills charl...@mcn.org wrote:

 How do you specify the name (URL) of the Web site in Firefox? Do you use 
 exactly the same name as you use with the test client (and the name in the 
 certificate)?
  
 Firefox is saying the certificate is for myserver but you are specifying a 
 different name when you open the site. The name has to be exactly the same as 
 one of the names (including alternates) in the certificate. (You can wildcard 
 the last node in the alternate names.) myserver is not the same asmyserver.com

If you see http://mysite.somewhere in your browser, then the name 
mysite.somewhere needs to be embedded in the certificate, and this needs to be 
precise. You can't arbitrarily leave parts of the names out, or insert some 
kind of approximation (with the exception of a wildcard entry in a cert, 
subject to specific rules).

What URL are you typing into Firefox? What DNS name have you embedded into the 
cert, and how have you done it?

Regards,
Graham
--





Safari and application/x-x509-user-cert

2012-01-31 Thread Graham Leggett
Hi all,

I have some openssl code that creates a certificate based on a SPKAC, and then 
attempts to send the certificate back to the browser. This works fine in 
Firefox, but doesn't work in Safari, or at least it does work, except that 
Safari doesn't recognise the MIME type of the certificate, and tries to 
download the certificate and save it to the downloads folder instead.

I am struggling with the lack of documentation on this stuff, what is the 
expected certificate format when delivering a certificate as 
application/x-x509-user-cert?

Most specifically, is this code correct:

BIO *b = BIO_new(BIO_s_mem());
char buf[LEN];
int len;

set_content_type(r, "application/x-x509-user-cert");
i2d_X509_bio(b, cert);

while ((len = BIO_gets(b, buf, sizeof(buf))) > 0) {
// write buf
}

BIO_free(b);

Or should I be using something other than i2d_X509_bio()?

Regards,
Graham
--





Re: Using OpenSSL with non-blocking I/O

2011-05-06 Thread Graham Leggett

On 06 May 2011, at 9:23 PM, derleader mail wrote:


 Can you show us the source code. Paste it into pastebin.org.


We do non blocking SSL by accepting the socket in the normal way  
(using accept, not SSL_accept), and then wrapping the socket in a BIO  
like this:


BIO *sbio = BIO_new_socket(c->socket, BIO_NOCLOSE);
SSL *ssl = SSL_new(ctx);
SSL_set_bio(ssl, sbio, sbio);
SSL_set_connect_state(ssl);

We then put the socket in the event loop, and on read and write events  
we called SSL_read and SSL_write as appropriate. The first time we  
call SSL_read, the proper handshake is completed.


One thing that you need to support for non blocking SSL to work  
properly is to take account the fact that during SSL_write, SSL may  
want to read from the socket, and during SSL_read, SSL may want to  
write. We keep track of whether a ready to read event should call  
SSL_read or SSL_write as appropriate, reacting to the  
SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE result codes.


Regards,
Graham
--



Re: callbacks: application context

2011-03-20 Thread Graham Leggett

On 20 Mar 2011, at 9:35 PM, Victor Duchovni wrote:


What's the obstacle to a global variable that is initialized once and
never changes? You also only need to call:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

once, ... so there needs to be some once-only code in your application,
and setting a write-once global there does not seem burdensome.


It is a showstopper for many asynchronous applications, where the same  
process attempts to keep track of multiple contexts in parallel. The  
lack of a callback makes this very difficult.


Regards,
Graham
--



Loading a CRL from RAM (and not from file or directory)

2011-01-21 Thread Graham Leggett

Hi all,

I am trying to load a CRL, and currently my options seem to be  
choosing one of the following:


X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir())
X509_STORE_add_lookup(certstore, X509_LOOKUP_file())

The dilemma I face is that I need to do this in a non blocking fashion  
in an event loop, so the functions above won't help me.


What I am looking for is a function that will add a certificate to the  
store from an area in memory, loaded earlier.


Having picked apart the lookup code, I can't find the point where the  
CRL is read into the certificate store.


Is there a recommended function to use for this?

I was also struggling to understand the exact semantics of reading  
certificates from a directory, and what exactly is meant by the "hash"  
in the directory. I have a set of CRLs in a directory, and I find  
files with the extensions .pem, .r0 and r0.p7, and files with the  
extension .old. Is there a special way each of these files is handled?


Regards,
Graham
--



Re: Loading a CRL from RAM (and not from file or directory)

2011-01-21 Thread Graham Leggett

On 21 Jan 2011, at 7:20 PM, Dr. Stephen Henson wrote:

> You can read the CRL into an X509_CRL structure using d2i_X509_CRL() or the
> PEM functions using a memory BIO.
>
> Once you have the X509_CRL structure you can add the CRL with
> X509_STORE_add_crl().


When reading a CRL in a directory, is it enough to simply do the above  
once for every file you find in that directory?


Regards,
Graham
--



Re: Apache client certificate authentication

2010-03-20 Thread Graham Leggett

On 2010/03/20 6:55 PM, Nuno Gonçalves wrote:


> Questions:
> Is it normal that firefox hangs when it doesn't have a valid certificate
> to provide?
> Openssl output looks OK? (or the error in the end is an exception?)


I am not 100% sure of the details, but I do recall a hang being a 
symptom of using a client or a server that did not have the TLS 
renegotiation bug fixed along with a server or client that did.


First, check you are using the latest version of openssl, the latest 
version of the webserver, and the latest version of Firefox.


Regards,
Graham
--


Coaxing an error message out of PKCS7_verify()

2010-03-06 Thread Graham Leggett

Hi all,

I am currently struggling to get to the bottom of a problem verifying  
a PKCS7 message, and before I can make any headway, I need access to  
the error message.


The error message I am getting is this:

error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error

which, given it is being thrown inside PKCS7_verify(), is the  
equivalent of "an error has occurred", without revealing what the  
error is. An error exists underneath this error, but I am unable to  
retrieve it.


I am fetching this error using the following piece of code:

#include <openssl/err.h>
#include <apr_strings.h>

/* Drain the OpenSSL error queue, appending each entry to the error string. */
while ((e = ERR_get_error())) {
    flag->error = apr_pstrcat(flag->pool, flag->error, ": ",
                              ERR_error_string(e, NULL), NULL);
}

The above loop only executes once, meaning that only one single error  
is on the error stack (as I read it).


Digging into the openssl code, I find the error is thrown in  
pk7_smime.c:


i = X509_verify_cert(cert_ctx);
if (i <= 0) j = X509_STORE_CTX_get_error(cert_ctx);
X509_STORE_CTX_cleanup(cert_ctx);
if (i <= 0) {
    PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CERTIFICATE_VERIFY_ERROR);
    ERR_add_error_data(2, "Verify error:",
                       X509_verify_cert_error_string(j));
    sk_X509_free(signers);
    return 0;
}

From my understanding of the code above, X509_verify_cert is failing,  
and the error I am seeing is created in this code:  
PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CERTIFICATE_VERIFY_ERROR)


What follows directly afterwards is a call to ERR_add_error_data(),  
where the underlying error from X509_verify_cert() is placed,  and is  
the error message I am interested in.


I cannot see how to retrieve this error.

I can find nothing in the man page for ERR_add_error_data() that  
explains what the corresponding function is to retrieve this data  
afterwards, and I am stuck.


Can anyone tell me what function I should be using to retrieve the  
error saved by ERR_add_error_data()?


Regards,
Graham
--



Re: Coaxing an error message out of PKCS7_verify()

2010-03-06 Thread Graham Leggett

On 07 Mar 2010, at 12:13 AM, Graham Leggett wrote:

> Can anyone tell me what function I should be using to retrieve the
> error saved by ERR_add_error_data()?


After some reverse engineering, it turns out ERR_get_error_line_data()  
does the trick. It was the file and line parameters that threw me off;  
if you don't need them, ignore them.


This code works for me:

#include <openssl/err.h>
#include <apr_strings.h>

unsigned long e;
const char *file = NULL, *data = NULL;
int line, flags;

cfg->error = apr_psprintf(cfg->perror, "can't load CA file %s",
                          nscfg->CAfile);
/* Walk the error queue; `data` is only a string when ERR_TXT_STRING is set. */
while ((e = ERR_get_error_line_data(&file, &line, &data, &flags))) {
    cfg->error = apr_pstrcat(cfg->perror, cfg->error, ": ",
                             ERR_error_string(e, NULL), NULL);
    if (data && (flags & ERR_TXT_STRING)) {
        cfg->error = apr_pstrcat(cfg->perror, cfg->error, ": ", data, NULL);
    }
}
ERR_clear_error();

Regards,
Graham
--



PKCS7_verify() and being valid on a certain date

2010-03-06 Thread Graham Leggett

Hi all,

Now that I have my full error message, the problem I have is that the  
verification is failing because the certificate has expired:


error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:  
Verify error:certificate has expired


The error message is correct - the certificate has expired - but - the  
certificate was valid when the message was originally signed.


Is there a specific way I should format the effective date of the  
PKCS7 smime message, so that PKCS7_verify() will say "on the date this  
message was signed, the attached certs were valid" (and if so, how),  
or must I parse the date of the message manually, and then feed it  
into X509_VERIFY_PARAM_set_time() on the certificate store parameters?


I just need to check I am doing the right thing.

Regards,
Graham
--



Re: SHA-1() question

2009-12-02 Thread Graham Leggett
Sebastián Treu wrote:

 are thes equivalent to each others? or should I use the openssl
 toolkit? I ask this cause sha1sum results are 41 bytes long. the
 SHA-1() doc says 20bytes for output.

Check whether the binary sha1 hashes are being encoded along the way. A
common way to encode sha1 hashes is as hex, turning 20 bytes
into 40. The 41st byte could be a newline.

Regards,
Graham
--


Re: General question about documentation

2009-12-01 Thread Graham Leggett
Kenneth Goldman wrote:

 1 - Reading the source is only as reliable as the skill of the reader and
 the comments in the code.  I'd rather have the answers than a research
 project.

So would I. But far too often, in code of all kinds, this documentation
doesn't exist. As an investor I would far rather have my coders reverse
engineer the code and make it work, than be faced with no information,
and have code doomed to be thrown away.

 2 - If I read the source, I can't determine which functions are stable
 and intended to be used by applications and which are internal and
 subject to change or deletion with every release.

This is only a problem if the developers of the library haven't packaged
their library properly, something that one doesn't expect to still see
in 2009.

Regards,
Graham
--



Re: General question about documentation

2009-12-01 Thread Graham Leggett
Randy Turner wrote:

 As an investor, I would rather have my coders use a product with 
 documentation to make progress
 on the actual goals of the product, rather than reverse-engineer the 
 information they're trying to look for.

Obviously, as I already stated below:

 So would I.

Regards,
Graham
--


Re: General question about documentation

2009-11-24 Thread Graham Leggett
Tim Ward wrote:

 Yes indeed. This is why I often go for commercial software in preference
 to free - it took me a day and a half to get a working Visual Studio
 2005 debug DLL built, at a cost to my client of ... er ... well ... none
 of anyone else's business really, but lots more than any software
 package I remember buying. If instead of the free OpenSSL there'd been
 available a non-free product that cost £500 with normal commercial
 standards of installation and documentation and support we'd be laughing
 all the way to the bank.

I go the opposite way - the risk of encountering an un-solveable problem
due to lack of access to source code means the potential to be forced to
throw away and reimplement code is always present. This factor increases
with time, as with age it becomes more and more certain that the code
will either be updated outside of your control or no longer supported. A
greater cost with a lower risk is always preferable to me in the long run.

In the really big corporates I have been involved with, they have all
demanded either source code with the product or the source in escrow
before they will consider using it. Some of the in house systems I
encountered started out life as commercial software whose vendors had
ceased supporting the software.

 One thing I still haven't found anywhere, it's not even in the O'Reilly
 book, is a description of the object system - I've sort-of picked up
 that if you XXX_new() something you maybe ought to XXX_free() it
 sometime later, and there's some sort of use counting going on, but I've
 not found any documentation for any of this yet.

Use the source: while not the easiest to read it is the most accurate
documentation available at any given time. (No, this is not a
justification for a lack of or bad documentation).

Regards,
Graham
--


Re: Encrypting 32/64 bit integers

2009-09-21 Thread Graham Leggett
Peter Wilkes wrote:

 so we ran this with a 64 bit int and noticed that 128 bits comes out.
 can we safely ignore the other 64 bits? why are we getting 128 bits out?

Ciphers generally encrypt data in fixed-width blocks, which means you'll
end up with a final encrypted ciphertext of a multiple of a given
blocksize. In the case of the cipher you've chosen, the blocksize seems
to be 128 bits (16 bytes).

Obviously your message won't necessarily be a multiple of 16 bytes wide,
so depending on what you've chosen, you might get extra bits on the end
to round it up to the 16 byte boundary. You might choose to just ignore
these extra bits when you encrypt/decrypt, or you can use optional
padding to ensure that you preserve the length through an encrypt/decrypt.

Because you have a fixed length message, you might choose to ignore the
padding, as you know how wide your message is coming out the other side.

Keep in mind if you're sending this data over a network or storing it
somewhere you might find the wasted 64 bits become a problem; how you
solve it will depend on the problem you're trying to solve.

Regards,
Graham
--


smime.p7s
Description: S/MIME Cryptographic Signature


Re: self-signed cert without private key file

2009-03-20 Thread Graham Leggett

carock wrote:


> Can the same process be duplicated without going commercial? I need a
> certificate that doesn't use a FQDN for the common name and I haven't found
> a commercial one that allows that.


Set up your own CA, and issue your own certificates to your own 
requirements. The problem then boils down to making sure your CA cert is 
installed where needed, which is usually not too much of a problem.


A deeper question though is why you would want to give a server a name 
that isn't a FQDN, even a private one such as serverfoo.local.



> That is my other alternative. If there's a commercial one I can buy that can
> have a common name without a "." in it OR build a cert from a CSR without
> using the private key that generated the CSR I'll take it. I don't have
> access to the private key that goes with the CSR.


You cannot generate the CSR without the private key, the private key is 
an integral part of the CSR process.


Where are you getting the CSR from if you don't have a private key?

Regards,
Graham
--




Re: self-signed cert without private key file

2009-03-20 Thread Graham Leggett

carock wrote:


> Unfortunately, I'm dealing with an HP Proliant server. Specifically the iLO
> interface which is a backend management device embedded in the server.
>
> This device has its own SSL cert from the factory. With the latest rounds
> of updates from Firefox, that browser now complains my certificate contains
> the same serial number as issued by another authority and will not allow
> you to continue.
>
> The stupid HP iLO software will generate a CSR for you, but it only uses
> the server name and does not append the domain part of the iLO configuration
> settings. Also, the server name setting does not allow you to enter the "."
> character.
>
> The CSR generator stores the private key somewhere inside its storage, but
> there is no way to access it. Only the iLO software can see it. Since the
> commercial certs force you to use a FQDN, I had to try and generate my own
> cert, but without the private key.


That sounds terminally broken. If you have a support contract with HP, 
tell them to fix it. If not...


> I think I understand now. I make my own CA setup and issue my own certs.
>
> Correct?


...this should work.

Regards,
Graham
--




Re: how to trace aes quickly?

2009-02-19 Thread Graham Leggett

loody wrote:


> Is there sample code or document I can realize how to use EVP?


On MacOSX, the normal man pages document the API for EVP*; I assume it 
is the same on the other unix environments.


apropos EVP should get you started.

Regards,
Graham
--




Re: how to trace aes quickly?

2009-02-17 Thread Graham Leggett

Victor Duchovni wrote:


> Because in almost all cases that's exactly the right advice.
>
> The cryptography learning that is sufficient and desirable is from books
> such as "Applied Cryptography" which cover protocols and algorithms
> at a high level. Studying the implementation or creating one's own
> implementation is for experts who don't need to ask questions, or ask
> sufficiently interesting questions that it is clear they are experts.


As soon as someone tells me that I shouldn't learn about something and 
that it is my best interests to remain ignorant, I no longer trust that 
thing, or the people giving the advice. This is especially true of crypto.


Regards,
Graham
--




Re: why build shared openssl

2008-10-23 Thread Graham Leggett

Julian wrote:

> Never ship a Shared OpenSSL library. Anyone can rebuild it to output the
> socket buffer to disk prior to encryption and replace yours.


If someone can do that, you've been owned already, compiling it static 
won't make any practical difference.


Regards,
Graham
--




Re: why build shared openssl

2008-10-23 Thread Graham Leggett

csross wrote:


> I don't know what is the purpose of building openssl shared.  I am building
> apache with ssl statically built in.  What does building a shared openssl
> give me?


The ability to upgrade openssl without having to recompile anything else.

Regards,
Graham
--




EVP_aes_256_ecb and EVP_CIPHER_iv_length()

2008-09-07 Thread Graham Leggett

Hi all,

I have found an anomaly in the EVP code with an ECB cipher which is 
claiming to have an IV length greater than zero.


I am under the understanding that all ECB algorithms should have an IV 
size of zero - is that correct?


The gdb trace is shown below - is this a potential bug or am I doing 
something stupid?


297 key->cipher = EVP_aes_256_ecb();
(gdb)
309 key->keyLen = EVP_CIPHER_key_length(key->cipher);
(gdb)
312 key->key = apr_pcalloc(p, key->keyLen);
(gdb)
313 if (!key->key) {
(gdb)
318 if (PKCS5_PBKDF2_HMAC_SHA1(pass, passLen,
(gdb)
324 key->doPad = doPad;
(gdb)
325 key->ivSize = EVP_CIPHER_iv_length(key->cipher);
(gdb) next
326 if (ivSize) {
(gdb) print key->ivSize
$7 = 16
     ^^  should be 0
(gdb) print key->keyLen
$8 = 32
(gdb)

Regards,
Graham
--




Re: OpenSSL support for RFC2898 / PBKDF2

2008-09-04 Thread Graham Leggett

[EMAIL PROTECTED] wrote:

>> Does openssl support RFC2898, and if so, what function should I be
>> looking at?
>
> PKCS5_PBKDF2_HMAC_SHA1()


This function seems to be undocumented:

int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
                           unsigned char *salt, int saltlen, int iter,
                           int keylen, unsigned char *out);

Am I correct in understanding that the key generated by this function 
will be written to the buffer specified in out, and will have the length 
specified by keylen?


What is the meaning of the int that this function returns?

Regards,
Graham
--




OpenSSL support for RFC2898 / PBKDF2

2008-09-03 Thread Graham Leggett

Hi all,

According to the man page for EVP_BytesToKey, "Newer applications should 
use more standard algorithms such as PKCS#5 v2.0 for key derivation."


Unfortunately the man page stops there, and doesn't give a clue as to 
which openssl function should be used to derive a key in a compliant way.


Does openssl support RFC2898, and if so, what function should I be 
looking at?


Regards,
Graham
--




List of ciphers: EVP_get_cipher_byname()

2007-11-23 Thread Graham Leggett
Hi all,

Is there a function in OpenSSL that is capable of listing the possible
ciphers that are supported by EVP_get_cipher_byname()?

Regards,
Graham
--




Re: What Padding does OpenSSL use??

2007-11-21 Thread Graham Leggett
On Wed, November 21, 2007 2:39 pm, Lidia Fernández wrote:

 I have to encrypt a file in c with openssl and then i have to decrypt in
 Java.

 In Java i use to decrypt the algorithm

   Cipher cipher = Cipher.getInstance(DES/ECB/PKCS5Padding);

 With OpenSSL i use

   openssl enc -a -des-ecb -in file -out file.enc -pass pass:abcdefgh

 but i have an error message in Java that say

   javax.crypto.BadPaddingException: Given final block not properly padded


 What padding does OpenSSL use??? How can i specify the padding??

Having just recently been grappling with this, you need to make sure, in
your OpenSSL code, that the EVP_EncryptFinal_ex() function is being
executed correctly on the last block of data.

Left to the defaults, EVP_EncryptFinal_ex worries about the padding; you
do not need to do anything.

One problem that I did encounter was issues with the length of the
encrypted block. In my code, I was encrypting the block, and then base64
encoding the result. I then un-base64-encoded the result, and then applied
the decryption to reverse the process. The problem was in my case that the
length I was using to decrypt the code was the length returned by the
base64 decoder, which was adding 1 to the real length for a terminating
0 character.

OpenSSL then complained that it could not decrypt the final block.

In other words, double check your lengths and make sure they are correct
all the way through.

Regards,
Graham
--



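The two padding threads above (the 2009 reply on encrypting a 64-bit integer, where 128 bits come out, and the 2007 reply on OpenSSL versus Java padding and wrong lengths) come down to the same scheme. The following is an added example in plain C, not code from either post or from OpenSSL: it reproduces the PKCS#5/PKCS#7 padding that EVP_EncryptFinal_ex() applies by default and that Java's "PKCS5Padding" checks, without the cipher itself, so it runs without libcrypto. The 64-bit sample value, the tampered byte and the off-by-one length are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16   /* AES block size in bytes; DES/ECB would use 8 */

/* Pad `in` (len bytes) into `out` (capacity cap) with PKCS#5/#7 padding:
 * append k bytes each of value k, where k = BLOCK_SIZE - (len % BLOCK_SIZE).
 * k is always 1..BLOCK_SIZE, so a block-aligned message gains a whole extra
 * block; that is what makes the original length recoverable afterwards.
 * Returns the padded length, or 0 if `out` is too small. */
size_t pkcs7_pad(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t k = BLOCK_SIZE - (len % BLOCK_SIZE);
    if (cap < len + k)
        return 0;
    memcpy(out, in, len);
    memset(out + len, (int)k, k);
    return len + k;
}

/* Validate and strip padding. Returns the unpadded length, or -1 when the
 * padding is malformed, the condition behind errors like Java's "Given
 * final block not properly padded". Every byte of the last block is
 * examined whatever the pad length, so the time taken does not depend on
 * where a mismatch sits. */
long pkcs7_unpad(const uint8_t *buf, size_t len)
{
    if (len == 0 || len % BLOCK_SIZE != 0)
        return -1;                       /* e.g. 17 bytes: not block aligned */
    uint8_t k = buf[len - 1];
    if (k == 0 || k > BLOCK_SIZE)
        return -1;
    uint8_t bad = 0;
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        /* mask is 0xff for the last k bytes of the block, 0x00 otherwise */
        uint8_t mask = (uint8_t)(0 - (uint8_t)(i >= BLOCK_SIZE - k));
        bad |= mask & (buf[len - BLOCK_SIZE + i] ^ k);
    }
    return bad ? -1 : (long)(len - k);
}

/* Constructed 64-bit sample value used by the demonstrations below. */
static const uint64_t SAMPLE_U64 = 0x0123456789abcdefULL;

/* An 8-byte (64-bit) integer under a 128-bit block cipher pads to a full
 * 16-byte block: 8 bytes of data followed by 8 bytes of 0x08. */
size_t padded_len_of_u64(void)
{
    uint8_t out[2 * BLOCK_SIZE];
    return pkcs7_pad((const uint8_t *)&SAMPLE_U64, sizeof SAMPLE_U64,
                     out, sizeof out);
}

/* Pad the sample, then unpad claiming `extra` more bytes than were really
 * produced. extra = 1 models a base64 decoder whose length counts the
 * terminating NUL it appended. Returns 8 on success, -1 on failure. */
long unpad_after_roundtrip(size_t extra)
{
    uint8_t buf[2 * BLOCK_SIZE] = {0};
    size_t n = pkcs7_pad((const uint8_t *)&SAMPLE_U64, sizeof SAMPLE_U64,
                         buf, sizeof buf);
    return pkcs7_unpad(buf, n + extra);
}

/* Corrupt one padding byte (not the last one) before stripping: rejected. */
long unpad_tampered(void)
{
    uint8_t buf[BLOCK_SIZE];
    size_t n = pkcs7_pad((const uint8_t *)&SAMPLE_U64, sizeof SAMPLE_U64,
                         buf, sizeof buf);
    buf[n - 3] ^= 0x01;
    return pkcs7_unpad(buf, n);
}

/* A message that already fills a block still gets a block of padding:
 * 16 bytes of 'A' become 32 bytes, and stripping returns 16. */
long unpad_aligned_message(void)
{
    uint8_t msg[BLOCK_SIZE], buf[2 * BLOCK_SIZE];
    memset(msg, 'A', sizeof msg);
    size_t n = pkcs7_pad(msg, sizeof msg, buf, sizeof buf);
    return n == 2 * BLOCK_SIZE ? pkcs7_unpad(buf, n) : -1;
}

int main(void)
{
    printf("8-byte value pads to %zu bytes\n", padded_len_of_u64());
    printf("round trip: %ld, length off by one: %ld, tampered pad: %ld\n",
           unpad_after_roundtrip(0), unpad_after_roundtrip(1),
           unpad_tampered());
    return 0;
}
```

The off-by-one case fails the alignment check before any byte is inspected, while a corrupted pad byte fails the value check; in real code the two should not be reported differently to a remote party, since a padding-oracle attack is built on exactly that distinction. Letting EVP_DecryptFinal_ex() do the stripping and, where possible, using an authenticated mode avoids having to make that distinction at all.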

Getting a certificate and private key from SSL_CTX

2007-11-17 Thread Graham Leggett

Hi all,

The SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_file() 
allow you to assign a key and cert respectively to an SSL_CTX.


I have been hunting for a while, and I have as yet not found the 
opposite functions, to extract the cert and key from an SSL_CTX.


Am I missing something, or is it just not possible?

Regards,
Graham
--




Using a EVP_PKEY as input to EVP_EncryptInit

2007-11-16 Thread Graham Leggett
Hi all,

I have a need to encrypt a block of text (a cookie) in such a way that the
contents of the cookie can be protected[1] if and when the cookie is
stolen in transit.

I would like to use EVP_EncryptInit and friends to do this, and this
function requires that I provide a key and iv to be used as the key for
encryption.

As it turns out, I have a certificate private key handy in the form of a
EVP_PKEY that (in theory) I could potentially use as a key for
EVP_EncryptInit.

I have two questions:

- Does the use of an existing private key bring risk to that key if the
private key is used to encrypt a block of text using EVP_EncryptInit and
friends? This private key is already there in my application, and using it
would eliminate the need to generate a second key.

- If this is sane, is there a way, given a EVP_PKEY, to extract the key
block itself out of the EVP_PKEY? Everything I have found so far allows me
to pass EVP_PKEY around, but not peek inside it.

[1] It is assumed the cookie could get stolen using any one of the various
XSS risks currently out there and it is understood that the encryption
will not prevent this in any way. The purpose of the encryption is to help
protect the contents of the cookie in the event it is stolen.

Regards,
Graham
--




Re: OpenSSL: What code to add for proxy use?

2005-01-05 Thread Graham Leggett
Clemens Chiba said:

 I use Winsocks and OpenSSL in a client application which simulates
 HTTPS request, and it works fine as long as I don't use a proxy
 (proxy name/port same as host name/port).

 But if I set a proxy it does not work anymore. This is clear
 because the proxy does not know where to connect to (it cannot
 take the name from the toSend string in the example below
 because this is crypted to the proxy).

 So what code do I have to add so that the code works with
 a proxy?

An SSL client that is capable of being proxied via an SSL HTTP proxy
implements the CONNECT http method, which is an extension to HTTP. The
CONNECT method allows you to specify the host and port to connect to
outside of the SSL negotiation.

Regards,
Graham
--


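The CONNECT exchange described in the reply above, as an added example in plain C that is not code from the post or from OpenSSL: it builds the request, parses the proxy's status line, and decides whether the TLS handshake may start. The host www.example.com and the three proxy replies are constructed for the demonstration; a real client sends the request on the socket, reads until the blank line, and only then hands the descriptor to SSL_set_fd() and SSL_connect().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build the request the client sends to the proxy before any TLS bytes.
 * The origin host and port travel in the request line in the clear; that
 * is how the proxy learns where to open the tunnel. Returns the request
 * length, or -1 if `buf` is too small. */
int build_connect_request(char *buf, size_t cap, const char *host,
                          unsigned port)
{
    int n = snprintf(buf, cap,
                     "CONNECT %s:%u HTTP/1.1\r\n"
                     "Host: %s:%u\r\n"
                     "\r\n", host, port, host, port);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Parse the proxy's reply. Returns the HTTP status code once a complete
 * header block (ending in CRLFCRLF) is present, or -1 if the reply is
 * still incomplete or is not an HTTP status line. When hdr_end is given
 * it receives the offset just past the headers: bytes already read past
 * that point belong to the TLS stream and must be handed to the SSL
 * layer rather than dropped. */
int parse_connect_response(const char *buf, size_t len, size_t *hdr_end)
{
    size_t end = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) {
            end = i + 4;
            break;
        }
    }
    if (end == 0)
        return -1;                           /* headers not complete yet */
    if (len < 13 || memcmp(buf, "HTTP/1.", 7) != 0 || buf[8] != ' ')
        return -1;                           /* not an HTTP status line */
    if (!isdigit((unsigned char)buf[9]) || !isdigit((unsigned char)buf[10]) ||
        !isdigit((unsigned char)buf[11]) ||
        (buf[12] != ' ' && buf[12] != '\r'))
        return -1;
    if (hdr_end)
        *hdr_end = end;
    return (buf[9] - '0') * 100 + (buf[10] - '0') * 10 + (buf[11] - '0');
}

/* The decision the client has to make: only a 2xx reply means the proxy
 * opened the tunnel and the socket now reaches the origin server. 407
 * asks for proxy credentials; 403/502 and friends are refusals, and what
 * follows them is the proxy's own plaintext error page, never TLS. */
int tunnel_established(int status)
{
    return status >= 200 && status <= 299;
}

/* Constructed sample replies, as a proxy would send them. REPLY_OK carries
 * the first three bytes of a TLS record (0x16 0x03 0x01) after the blank
 * line to show data that must be passed on to the SSL layer. */
const char REPLY_OK[] =
    "HTTP/1.1 200 Connection established\r\n\r\n\x16\x03\x01";
const char REPLY_AUTH[] =
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";
const char REPLY_PARTIAL[] = "HTTP/1.1 200 Connection est";

/* Offset where the TLS stream begins in REPLY_OK (39 bytes of headers),
 * or 0 if the tunnel was not established. */
size_t tls_offset_in_ok_reply(void)
{
    size_t off = 0;
    int status = parse_connect_response(REPLY_OK, sizeof REPLY_OK - 1, &off);
    return tunnel_established(status) ? off : 0;
}

/* Request length for the constructed example host, with a buffer of `cap`
 * bytes (at most 256): 67 bytes for www.example.com:443. */
int sample_request_len(size_t cap)
{
    char req[256];
    if (cap > sizeof req)
        cap = sizeof req;
    return build_connect_request(req, cap, "www.example.com", 443);
}

int main(void)
{
    char req[256];
    size_t off = 0;
    int n = build_connect_request(req, sizeof req, "www.example.com", 443);
    int status = parse_connect_response(REPLY_OK, sizeof REPLY_OK - 1, &off);
    printf("request (%d bytes):\n%s", n, req);
    printf("proxy replied %d; TLS starts at offset %zu\n", status, off);
    return 0;
}
```

The hdr_end offset matters in practice: if the read that completed the headers also pulled in the start of the server's first TLS record, those bytes have to be fed to the SSL object (for instance through a BIO) rather than discarded, or the handshake stalls waiting for data that already arrived.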

make install failure / Solaris v2.8

2005-01-04 Thread Graham Leggett
Hi all,

While trying to install v0.9.7e of openssl on a Solaris v2.8 machine, the
build completes fine, but it bombs out during make install as below.
Google has found two other questions on mailing lists about this problem
(one on NetBSD, one on Irix) but these questions were never answered. One
person said that explicitly setting the SHELL environment variable to
bash works around this problem, but in this case the setting of SHELL
makes no difference.

The breakage is in fips, which seems to be new since v0.9.7d. Is there
any way to turn off or remove fips until this code works?

Any ideas?

making install in crypto/krb5...
installing fips...
making install in fips/sha1...
sh: syntax error at line 2: `;' unexpected
*** Error code 2
make: Fatal error: Command failed for target `install'
Current working directory
/udd001/app/spread/src/openssl/openssl-0.9.7e/fips/sha1
*** Error code 1
make: Fatal error: Command failed for target `install'
Current working directory /udd001/app/spread/src/openssl/openssl-0.9.7e/fips
*** Error code 1
make: Fatal error: Command failed for target `install_sw'

bash-2.03$ uname -a
SunOS fodev01 5.8 Generic_117350-10 sun4u sparc SUNW,Sun-Fire-480R

The compiler is the Sun Workshop compiler and make as installed in
/usr/ccs/bin/make.

Regards,
Graham
--



Compiling OpenSSL as a shared library

2000-09-15 Thread Graham Leggett

Hi all,

Is it possible to compile openssl v0.9.5a as a shared library under
Solaris v2.6?

The default compilation builds static libs only. There does not seem to
be any mention of shared library support anywhere in any of the build
docs, and the standard --enable-shared doesn't work.

Any ideas?

Please reply personally, as I'm not on this list.

Regards,
Graham
--



make install problem with v0.9.6 beta 1

2000-09-15 Thread Graham Leggett

Hi all,

After the make install step after compiling v0.9.6 beta 1 of OpenSSL, my
/usr/local/ssl/lib directory looked like this:

[3:22pm] root@dsnstar:/opt/local/ssl/lib# ls -al
total 15364
drwxr-xr-x   2 root other512 Sep 15 15:21 ./
drwxr-xr-x   9 root other512 Sep 15 15:21 ../
-rw-r--r--   1 root other1717228 Sep 15 15:21 libcrypto.so
-rw-r--r--   1 root other1717228 Sep 15 15:21 libcrypto.so.0
-rw-r--r--   1 root other1717228 Sep 15 15:21 libcrypto.so.0.9.6
-rw-r--r--   1 root other 882860 Sep 15 15:21 libssl.so
-rw-r--r--   1 root other 882860 Sep 15 15:21 libssl.so.0
-rw-r--r--   1 root other 882860 Sep 15 15:21 libssl.so.0.9.6

These files in theory should be either hardlinked or symlinked to each
other, no?

Regards,
Graham
--