[openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?

2016-11-23 Thread Gupta, Saurabh 
Can you please suggest any technical name for changing sources from 
openssl-1.0.2 to openssl-1.1.0 because we are supporting both openssl versions 
and To maintain these sources we are using #ifdef and #else preprocessor 
statement.


We are looking some technical  to make the difference between these 
sources.

#ifdef 

// openssl 1.1.0 sources

#else

// openssl 1.0.2 sources

#endif
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Facing issue while using -engine flag for rsa/dsa speed test in openssl-1.1.0b

2016-11-18 Thread Gupta, Saurabh 
Facing issue while using -engine flag for rsa/dsa speed test in openssl-1.1.0b 
but It's working for digest or symmetric apis.


Commands Used: Not Working

./openssl speed rsa -engine ../engines/dasync.so
Error:
speed: Unknown algorithm -engine

Commands Used: Working
./openssl speed -evp md5 -engine ../engines/dasync.so
engine "dasync" set.
Doing md5 for 3s on 16 size blocks: 9467552 md5's in 3.00s
Doing md5 for 3s on 64 size blocks: 7379943 md5's in 3.00s
Doing md5 for 3s on 256 size blocks: 4213375 md5's in 3.00s
Doing md5 for 3s on 1024 size blocks: 1597182 md5's in 3.00s

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Facing issues with dynamic loading engine RSA methods using e_capi.so library in openssl-1.1.0b.

2016-11-11 Thread Gupta, Saurabh 

I tried to dynamically load e_capi.so engine example on openssl version 1.1.0b 
present in the openssl engine directory but not able to offload RSA methods.


Commands Used:
(i)
./openssl speed rsa -engine ../engines/capi.so
Error:
speed: Unknown algorithm -engine

(ii)
./openssl s_server -engine ../engines/capi.so
Error:
invalid engine "../engines/capi.so"
139890999146240:error:25066067:DSO support routines:dlfcn_load:could not load 
the shared 
library:crypto/dso/dso_dlfcn.c:113:filename(/usr/local/lib64/engines-1.1/../engines/capi.so):
 /usr/local/lib64/engines-1.1/../engines/capi.so: cannot open shared object 
file: No such file or directory
139890999146240:error:25070067:DSO support routines:DSO_load:could not load the 
shared library:crypto/dso/dso_lib.c:161:
139890999146240:error:260B6084:engine routines:dynamic_load:dso not 
found:crypto/engine/eng_dyn.c:414:
139890999146240:error:2606A074:engine routines:ENGINE_by_id:no such 
engine:crypto/engine/eng_list.c:339:id=../engines/capi.so
139890999146240:error:260B606D:engine routines:dynamic_load:init 
failed:crypto/engine/eng_dyn.c:485:
Using default temp DH parameters
ACCEPT

We are facing similar issue with RSA while implementing our custom engine, 
please let me know if any one have a solution for this. We were able to use the 
RSA implementation upto 1.02h version, the problem is seen 1.1.0 series.

Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Failed to load libssl.so.1.1 while execuitng openssl comand

2016-11-11 Thread Gupta, Saurabh 
I tried to execute ./openssl s_server command in the latest Openssl Version 
1.1.0c after doing Openssl compilation steps:
./config
make
make test
make install
and It's throwing this error below:
./openssl: error while loading shared libraries: libssl.so.1.1: cannot open 
shared object file: No such file or directory

after debugging this issue I found this error is coming because libssl.so.1.1 
is not present in /usr/lib64 directory.
but by default it should search these library in /usr/local/lib64/ directory.



Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] how to generate test8192 input data for d2i_RSAPrivateKey(....) ?

2016-09-28 Thread Gupta, Saurabh 
How to generate **inp for d2i_RSAPrivateKey?

RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len)


We are having test512 to test4096 modulus data. How can I generate for test8192 
modulus data?



Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Openssl-1.0.1e RSA 8k is getting fail for client authentication while doing Normal Handshake

2016-09-15 Thread Gupta, Saurabh 
Commands Used:
x86_server:
openssl s_server -cert sercert8192.pem -key serverkey8192 -Verify CAcert.pem

x86_client:
openssl s_client -cert clientcert8192.pem -key clientkey8192 -connect 
: -cipher AES128-SHA -

Error log:
x86( Server):
verify error:unable to verify the first certificate

x86 (Client):
 140631662409384:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert 
illegal parameter:s3_pkt.c:1256:SSL alert number 47
140631662409384:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake 
failure:s3_pkt.c:596:


Do we need to enable any flag to access 8k support?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Gupta, Saurabh 
> The DoS issue is still there.  How can you prevent the "other side" from 
> consuming all your CPU with a large key?

> Who needs 16K RSA keys, such that openssl by default should support that for 
> everyone?


We have cryptographic accelerators on cavium platforms which minimize CPU 
usage. So our customers are looking for 16K support.


Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-22 Thread Gupta, Saurabh 
1: I didn't get it, Why this behaviour is not coming for other ciphers while 
doing the server/client handshake?

It should fail for other ciphers also.


Ciphers:  working

DHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
.. etc

Ciphers: Not working
AES128-SHA
AES256-SHA
.. etc


Protocols:

tls1/tls1_1/tls1_2


2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue 
so that it won't harm to other application or create any new attack?

3: ECC cipher is not my main concerned.

4: I didn't face any issue like memory utilisation or CPU utilisation is more 
if I'm running more than one client in the case of 16k modulus.

Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Gupta, Saurabh 
> By raising the limit, you don't suddenly put every application at risk of a 
> DoS,
> because these applications won't suddenly use a 16k RSA key.


Instead of raising the limit of client key exchange message length more than 
2048, why can't we add the

"ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that will 
"permit appropriate message length".


I came across this functionality when I compared the code of openssl-1.0.1p and 
openssl-1.0.2e.


Regards,
Saurabh



From: openssl-users  on behalf of 
openssl-users-requ...@openssl.org 
Sent: Thursday, July 21, 2016 6:38 PM
To: openssl-users@openssl.org
Subject: openssl-users Digest, Vol 20, Issue 18

Send openssl-users mailing list submissions to
openssl-users@openssl.org

To subscribe or unsubscribe via the World Wide Web, visit
https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
openssl-users-requ...@openssl.org

You can reach the person managing the list at
openssl-users-ow...@openssl.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."


Today's Topics:

   1. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)
   2. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)
   3. Re: Help  finding replacement for ASN1_seq_unpack_X509
  (Jim Carroll)
   4. Re: [openssl-users]   Helpfinding replacement for
  ASN1_seq_unpack_X509 (Salz, Rich)
   5. Re: Openssl software failure for RSA 16K modulus (Erwann Abalea)
   6. Re: Openssl software failure for RSA 16K modulus (Salz, Rich)


--

Message: 1
Date: Thu, 21 Jul 2016 12:15:15 +
From: "Salz, Rich" 
To: "openssl-users@openssl.org" 
Subject: Re: [openssl-users] Openssl software failure for RSA 16K
modulus
Message-ID:

Content-Type: text/plain; charset="Windows-1252"


> Largest accepted client key exchange message length seems to be set to 2048 
> bytes.
> Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes 
> of pure crypto payload, plus a few bytes of overhead).

> OpenSSL is too conservative here.

Why not use an ECC key?

We have to make trade-offs.  Who uses a 16K RSA key?


--

Message: 2
Date: Thu, 21 Jul 2016 12:17:44 +
From: "Salz, Rich" 
To: "openssl-users@openssl.org" 
Subject: Re: [openssl-users] Openssl software failure for RSA 16K
modulus
Message-ID:

Content-Type: text/plain; charset="Windows-1252"

> We have to make trade-offs.  Who uses a 16K RSA key?

Let me add some  clarification.  Is it worth putting every application that 
uses OpenSSL at risk for a DoS attack with a 16K RSA key?

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz




--

Message: 3
Date: Thu, 21 Jul 2016 08:52:24 -0400
From: "Jim Carroll" 
To: 
Subject: Re: [openssl-users] Help   finding replacement for
ASN1_seq_unpack_X509
Message-ID: <00e201d1e34e$ba83f760$2f8be620$@carroll.com>

 We are porting M2Crypto which is a python swig wrapper around OpenSSL. It
currently supports OpenSSL 0.9.8 and we are porting it to 1.1.0.  The 1.1.0
branch is really cool (clean, elegant code), but there were a few
refactoring's that affected M2Crypto.  Most were trivial getter/setter type
changes, but a few were in the are of getting rid of some ASN1 processing
(which happens to be our weakest point of understanding).

We're left with porting the final bit -- which is related to X509 cert
handling.  Here's a sample use. The caller builds up the call with a the
following 'psuedo-sequence'. get_der() is the function we are working on
finishing.

X508* load_cert_bio(char* filename) {
BIO* bio = BIO_new_file(filename, "r");
return PEM_read_bio_X509(bio, NULL, NULL, NULL);
}

unsigned char* get_der(int* len_out) {
X509* cert = load_cert_bio("x509.pem");
X509* ca = load_cert_bio("ca.pem");

STACK_OF(X509)* stack = sk_x509_new_null();
sk_x509_push(stack, cert);
sk_x509_push(stack, ca);

return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out);
}

The ASN1_seq_pack_X509 was a macro -- and has been removed.


> -Original Message-
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Salz, Rich
> Sent: Thursday, July 21, 2016 4:35 AM
> To:

[openssl-users] Openssl software failure for RSA 16K modulus

2016-07-21 Thread Gupta, Saurabh 
This issue, I'm facing for openssl-1.0.2e/g/h version.

Run openssl server: Used 16K Certificate and Key
./openssl s_server -cert sercert16384.pem -key server16384

Run openssl client:
./openssl s_client -connect :port_number -cipher AES128-SHA -tls1

ERROR

139812135450280:error:1408E098:SSL routines:ssl3_get_message:excessive message 
size:s3_both.c:417:


This error is coming while using AES128-SHA as a cipher and tls1/1_1/1_2 
protocols. It's working fine with ssl3 protocol.

Note:
1. This issue, I didn't face for the openssl-1.0.1p/e version.

Can you please confirm. is this known issue?
if it is the known issue. Can you please share that fix?


Regards,
Saurabh
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users