[openssl-users] Can you suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0?
Can you please suggest any technical name for changing sources from openssl-1.0.2 to openssl-1.1.0 because we are supporting both openssl versions and To maintain these sources we are using #ifdef and #else preprocessor statement. We are looking some technical to make the difference between these sources. #ifdef // openssl 1.1.0 sources #else // openssl 1.0.2 sources #endif -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Facing issue while using -engine flag for rsa/dsa speed test in openssl-1.1.0b
Facing issue while using -engine flag for rsa/dsa speed test in openssl-1.1.0b but It's working for digest or symmetric apis. Commands Used: Not Working ./openssl speed rsa -engine ../engines/dasync.so Error: speed: Unknown algorithm -engine Commands Used: Working ./openssl speed -evp md5 -engine ../engines/dasync.so engine "dasync" set. Doing md5 for 3s on 16 size blocks: 9467552 md5's in 3.00s Doing md5 for 3s on 64 size blocks: 7379943 md5's in 3.00s Doing md5 for 3s on 256 size blocks: 4213375 md5's in 3.00s Doing md5 for 3s on 1024 size blocks: 1597182 md5's in 3.00s -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Facing issues with dynamic loading engine RSA methods using e_capi.so library in openssl-1.1.0b.
I tried to dynamically load e_capi.so engine example on openssl version 1.1.0b present in the openssl engine directory but not able to offload RSA methods. Commands Used: (i) ./openssl speed rsa -engine ../engines/capi.so Error: speed: Unknown algorithm -engine (ii) ./openssl s_server -engine ../engines/capi.so Error: invalid engine "../engines/capi.so" 139890999146240:error:25066067:DSO support routines:dlfcn_load:could not load the shared library:crypto/dso/dso_dlfcn.c:113:filename(/usr/local/lib64/engines-1.1/../engines/capi.so): /usr/local/lib64/engines-1.1/../engines/capi.so: cannot open shared object file: No such file or directory 139890999146240:error:25070067:DSO support routines:DSO_load:could not load the shared library:crypto/dso/dso_lib.c:161: 139890999146240:error:260B6084:engine routines:dynamic_load:dso not found:crypto/engine/eng_dyn.c:414: 139890999146240:error:2606A074:engine routines:ENGINE_by_id:no such engine:crypto/engine/eng_list.c:339:id=../engines/capi.so 139890999146240:error:260B606D:engine routines:dynamic_load:init failed:crypto/engine/eng_dyn.c:485: Using default temp DH parameters ACCEPT We are facing similar issue with RSA while implementing our custom engine, please let me know if any one have a solution for this. We were able to use the RSA implementation upto 1.02h version, the problem is seen 1.1.0 series. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Failed to load libssl.so.1.1 while execuitng openssl comand
I tried to execute ./openssl s_server command in the latest Openssl Version 1.1.0c after doing Openssl compilation steps: ./config make make test make install and It's throwing this error below: ./openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory after debugging this issue I found this error is coming because libssl.so.1.1 is not present in /usr/lib64 directory. but by default it should search these library in /usr/local/lib64/ directory. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] how to generate test8192 input data for d2i_RSAPrivateKey(....) ?
How to generate **inp for d2i_RSAPrivateKey? RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) We are having test512 to test4096 modulus data. How can I generate for test8192 modulus data? Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Openssl-1.0.1e RSA 8k is getting fail for client authentication while doing Normal Handshake
Commands Used: x86_server: openssl s_server -cert sercert8192.pem -key serverkey8192 -Verify CAcert.pem x86_client: openssl s_client -cert clientcert8192.pem -key clientkey8192 -connect : -cipher AES128-SHA - Error log: x86( Server): verify error:unable to verify the first certificate x86 (Client): 140631662409384:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter:s3_pkt.c:1256:SSL alert number 47 140631662409384:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596: Do we need to enable any flag to access 8k support? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> The DoS issue is still there. How can you prevent the "other side" from > consuming all your CPU with a large key? > Who needs 16K RSA keys, such that openssl by default should support that for > everyone? We have cryptographic accelerators on cavium platforms which minimize CPU usage. So our customers are looking for 16K support. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
1: I didn't get it, Why this behaviour is not coming for other ciphers while doing the server/client handshake? It should fail for other ciphers also. Ciphers: working DHE-RSA-AES128-SHA ECDHE-RSA-AES256-GCM-SHA384 .. etc Ciphers: Not working AES128-SHA AES256-SHA .. etc Protocols: tls1/tls1_1/tls1_2 2: if anyway I want to use 16k modulus, Do we have solution to avoid this issue so that it won't harm to other application or create any new attack? 3: ECC cipher is not my main concerned. 4: I didn't face any issue like memory utilisation or CPU utilisation is more if I'm running more than one client in the case of 16k modulus. Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Openssl software failure for RSA 16K modulus
> By raising the limit, you don't suddenly put every application at risk of a > DoS, > because these applications won't suddenly use a 16k RSA key. Instead of raising the limit of client key exchange message length more than 2048, why can't we add the "ssl3_check_client_hello" functionality in the ssl/s3_srvr.c because that will "permit appropriate message length". I came across this functionality when I compared the code of openssl-1.0.1p and openssl-1.0.2e. Regards, Saurabh From: openssl-userson behalf of openssl-users-requ...@openssl.org Sent: Thursday, July 21, 2016 6:38 PM To: openssl-users@openssl.org Subject: openssl-users Digest, Vol 20, Issue 18 Send openssl-users mailing list submissions to openssl-users@openssl.org To subscribe or unsubscribe via the World Wide Web, visit https://mta.openssl.org/mailman/listinfo/openssl-users or, via email, send a message with subject or body 'help' to openssl-users-requ...@openssl.org You can reach the person managing the list at openssl-users-ow...@openssl.org When replying, please edit your Subject line so it is more specific than "Re: Contents of openssl-users digest..." Today's Topics: 1. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) 2. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) 3. Re: Help finding replacement for ASN1_seq_unpack_X509 (Jim Carroll) 4. Re: [openssl-users] Helpfinding replacement for ASN1_seq_unpack_X509 (Salz, Rich) 5. Re: Openssl software failure for RSA 16K modulus (Erwann Abalea) 6. Re: Openssl software failure for RSA 16K modulus (Salz, Rich) -- Message: 1 Date: Thu, 21 Jul 2016 12:15:15 + From: "Salz, Rich" To: "openssl-users@openssl.org" Subject: Re: [openssl-users] Openssl software failure for RSA 16K modulus Message-ID: Content-Type: text/plain; charset="Windows-1252" > Largest accepted client key exchange message length seems to be set to 2048 > bytes. > Key exchange for an RSA16k is slightly larger than that (exactly 2048 bytes > of pure crypto payload, plus a few bytes of overhead). > OpenSSL is too conservative here. Why not use an ECC key? We have to make trade-offs. Who uses a 16K RSA key? -- Message: 2 Date: Thu, 21 Jul 2016 12:17:44 + From: "Salz, Rich" To: "openssl-users@openssl.org" Subject: Re: [openssl-users] Openssl software failure for RSA 16K modulus Message-ID: Content-Type: text/plain; charset="Windows-1252" > We have to make trade-offs. Who uses a 16K RSA key? Let me add some clarification. Is it worth putting every application that uses OpenSSL at risk for a DoS attack with a 16K RSA key? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- Message: 3 Date: Thu, 21 Jul 2016 08:52:24 -0400 From: "Jim Carroll" To: Subject: Re: [openssl-users] Help finding replacement for ASN1_seq_unpack_X509 Message-ID: <00e201d1e34e$ba83f760$2f8be620$@carroll.com> We are porting M2Crypto which is a python swig wrapper around OpenSSL. It currently supports OpenSSL 0.9.8 and we are porting it to 1.1.0. The 1.1.0 branch is really cool (clean, elegant code), but there were a few refactoring's that affected M2Crypto. Most were trivial getter/setter type changes, but a few were in the are of getting rid of some ASN1 processing (which happens to be our weakest point of understanding). We're left with porting the final bit -- which is related to X509 cert handling. Here's a sample use. The caller builds up the call with a the following 'psuedo-sequence'. get_der() is the function we are working on finishing. X508* load_cert_bio(char* filename) { BIO* bio = BIO_new_file(filename, "r"); return PEM_read_bio_X509(bio, NULL, NULL, NULL); } unsigned char* get_der(int* len_out) { X509* cert = load_cert_bio("x509.pem"); X509* ca = load_cert_bio("ca.pem"); STACK_OF(X509)* stack = sk_x509_new_null(); sk_x509_push(stack, cert); sk_x509_push(stack, ca); return ASN1_seq_pack_X509(stack, i2d_X509, NULL, len_out); } The ASN1_seq_pack_X509 was a macro -- and has been removed. > -Original Message- > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf Of Salz, Rich > Sent: Thursday, July 21, 2016 4:35 AM > To:
[openssl-users] Openssl software failure for RSA 16K modulus
This issue, I'm facing for openssl-1.0.2e/g/h version. Run openssl server: Used 16K Certificate and Key ./openssl s_server -cert sercert16384.pem -key server16384 Run openssl client: ./openssl s_client -connect :port_number -cipher AES128-SHA -tls1 ERROR 139812135450280:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417: This error is coming while using AES128-SHA as a cipher and tls1/1_1/1_2 protocols. It's working fine with ssl3 protocol. Note: 1. This issue, I didn't face for the openssl-1.0.1p/e version. Can you please confirm. is this known issue? if it is the known issue. Can you please share that fix? Regards, Saurabh -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users