RE: What version(s) of SSL/TLS are supported in openssl 1.0.1g

2014-11-21 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Thank You for the prompt and insightful response Jeffrey  :-)

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of ext Jeffrey Walton
Sent: Thursday, November 20, 2014 1:09 PM
To: OpenSSL Users List
Subject: Re: What version(s) of SSL/TLS are supported in openssl 1.0.1g

> Would anyone be able to let me know what versions of SSL (if applicable)
> and TLS are supported in openssl 1.0.1g?
>
All of them. It's up to you to trim what you don't want.

You can remove protocols (and other features) at compile time with, for example:

./config no-ssl2 no-ssl3 no-comp

Or, you can remove them at runtime with, for example:

   /* SSLv23_method() is the version-flexible method: it negotiates the
      highest protocol both peers support, so the protocol set is trimmed
      with options rather than by picking a fixed-version method. */
   const SSL_METHOD* method = SSLv23_method();
   SSL_CTX* context = SSL_CTX_new(method);

   /* Runtime equivalent of the no-ssl2 no-ssl3 no-comp build flags above. */
   long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
   SSL_CTX_set_options(context, flags);
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


What version(s) of SSL/TLS are supported in openssl 1.0.1g

2014-11-20 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello,

Would anyone be able to let me know what versions of SSL (if applicable) and
TLS are supported in openssl 1.0.1g?

Thank you in advance.



Openssl 0.9.8r <-> openssl 1.0.1e

2014-01-08 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

If I have a Linux CLIENT machine running openssl 0.9.8r establishing HTTPS
sessions with a Linux SERVER running openssl 1.0.1e:

Are there any problems I should anticipate? In other words, should those two
versions of openssl be able to play nicely with each other without causing any
undesired behavior? Are there any limitations that I need to be aware of?

Thanks in Advance.


Unexpected message during renegotiate attempt

2013-03-19 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

I am using openssl 0.9.8r on one Linux box (BoxA) communicating with another
Linux box running openssl 1.0.0e (BoxB).

There are certain curl uploads that need to occur from BoxA --> BoxB.

Usually we don't have any problems. But in a simulated environment, where there 
could be significant delay/latency (~2 to 3 seconds) in traffic between  BoxA  
and  BoxB, we are seeing that the curl operations are not completing as 
expected.

Curl is sending the HTTP-100 message, in the middle of TLS Re-Negotiation, and 
causing BoxB to send a Fatal Alert and closing the connection.  According to 
the TLS spec, apparently, the TLS implementation should simply ignore those 
unexpected messages and continue with re-negotiation??

Upon digging through some openssl bug reports, we came across these two Bug
Tickets. And it looks like they were never addressed?

http://rt.openssl.org/Ticket/Display.html?id=2146&user=guest&pass=guest
http://rt.openssl.org/Ticket/Display.html?id=2481&user=guest&pass=guest

I was just trying to find out if the openssl community ever addressed this
"bug"? If so, what openssl version(s) have a fix for this?

Any additional information related to the bug mentioned above would be greatly 
appreciated.

Thanks,

-Rezaul.




RE: Is openssl 0.9.8r and openssl1.0.0 compatible ?

2012-09-06 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

Any insight on this would be greatly appreciated... :-)

From: Hasan, Rezaul (NSN - US/Arlington Heights)
Sent: Wednesday, August 29, 2012 11:04 AM
To: 'openssl-users@openssl.org'
Subject: Is openssl 0.9.8r and openssl1.0.0 compatible ?

Hi All,

We have a Linux box1 (Client) that has openssl 0.9.8r. That box
communicates with a different kind of Linux box2 (Server) that has
openssl 1.0.0e.

openssl 0.9.8r and openssl 1.0.0e seem fairly happy together.

In the near future our 2nd Linux box is migrating to a new Platform; as
a result, it will have openssl 1.0.0.

My question is: Should I anticipate any incompatibilities between those
two versions of openssl (0.9.8r and 1.0.0)?

Out of curiosity, what version(s) of openssl 1.0.X.Y are most
compatible (functionality-wise) with the openssl 0.9.8r version?

Thanks a bunch.



Is openssl 0.9.8r and openssl1.0.0 compatible ?

2012-08-29 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hi All,

We have a Linux box1 (Client) that has openssl 0.9.8r. That box
communicates with a different kind of Linux box2 (Server) that has
openssl 1.0.0e.

openssl 0.9.8r and openssl 1.0.0e seem fairly happy together.

In the near future our 2nd Linux box is migrating to a new Platform; as
a result, it will have openssl 1.0.0.

My question is: Should I anticipate any incompatibilities between those
two versions of openssl (0.9.8r and 1.0.0)?

Out of curiosity, what version(s) of openssl 1.0.X.Y are most
compatible (functionality-wise) with the openssl 0.9.8r version?

Thanks a bunch.



RE: Using Self-Signed Certificates to create SSL connection.

2012-07-27 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Great. Thank You  :-)


-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Dave Thompson
Sent: Thursday, July 26, 2012 5:49 PM
To: openssl-users@openssl.org
Subject: RE: Using Self-Signed Certificates to create SSL connection.

>From: owner-openssl-us...@openssl.org On Behalf Of Hasan, Rezaul (NSN -
>US/Arlington Heights)
>Sent: Thursday, 26 July, 2012 12:02

>I have created a self-signed CA certificate, a Client certificate and a
>Server certificate. I signed the Client and Server certificates with
>the self-signed CA certificate and placed all certs in the appropriate
>locations. Then attempted to create an SSL connection with
>'openssl s_client ..', and get this
>Verify return code: 19 (self signed certificate in certificate chain)

>Is this an error indicating that the SSL connection failed, or is it
>simply a "warning"? I am guessing it's just a warning, but wanted to confirm.

For s_client, it's a warning. s_client overrides verify errors and 
allows you to continue. Most real apps don't do this and shouldn't, 
so for real apps this will probably be fatal.

>... -cert client.crt -key client.key -CApath /root/CERT

Did you put your CA cert in /root/CERT with a symlink from
$subjecthash.$seq, or if you prefer directly under that name


Using Self-Signed Certificates to create SSL connection.

2012-07-26 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hi All,

I have created a self-signed CA certificate, a Client certificate and a
Server certificate. I signed the Client and Server certificates with the
self-signed CA certificate and placed all certs in the appropriate
locations. Then attempted to create an SSL connection with 'openssl
s_client', and get this

Verify return code: 19 (self signed certificate in certificate chain)

Is this an error indicating that the SSL connection failed, or is it
simply a "warning"? I am guessing it's just a warning, but wanted to
confirm...

[root@eLite1 CERT]# openssl s_client -connect 80.1.0.1:443 -ssl3 -cert
client.crt -key client.key -CApath /root/CERT
CONNECTED(0003)
depth=1 /C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
 1 s:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFBjCCAu4CAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxCzAJBgNV
...
PZ6ww2xA989bF2G1zvHwJZsdSJOCuz/ueZ760XTdhPy8PCPbU+W9JNpv
-----END CERTIFICATE-----
subject=/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
issuer=/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
No client certificate CA names sent
---
SSL handshake has read 2998 bytes and written 709 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: E09D355918C3C05C10A4B7E41BA223EA5F43A725457FB14470F727F1FE447ECD
    Session-ID-ctx: 
    Master-Key: CCB3A02A4D9F090F140EFF30D18E5E82F653C77C8A66A439F4AA3E1F485713043F4AE0BEFFEB97F98D470DFD10554A20
    Key-Arg   : None
    Krb5 Principal: None
    Compression: 1 (zlib compression)
    Start Time: 1343273949
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed



How to use "openssl verify -crl_check ..." command

2012-06-19 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

I have a Linux system running openssl 0.9.8r.

I have scripts that automatically download the latest CRL (crl.pem)
every 24 hours.

I also have several certificates on the system that are actively being
used by various applications.

EXACTLY HOW can I use the "openssl verify -crl_check ..."
command to check if any of my certificates have been revoked, given that
I actually have the up-to-date crl.pem file?

Please help me by providing the correct syntax and input parameters that
I need to provide.

Thanks in advance for your help,

-Rezaul.
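Two questions in this archive come back to the same setup: the "Verify return code: 19 (self signed certificate in certificate chain)" seen from s_client with a private CA in -CApath, which Dave Thompson's reply traces to the $subjecthash.$seq file-name rule, and the "openssl verify -crl_check" syntax asked about here. The script below is an added example written for this page, not code from the thread or from the OpenSSL project. It builds a throwaway CA with the openssl CLI and then runs verify in both situations; every name in it (the "Demo CA" subject, the good/revoked leaf names, the ca.cnf contents, the verdict helper) is constructed for the demo, and it assumes only that an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA with the openssl
# CLI, then shows (1) the CApath hashed-name rule that turns verify error 19
# into OK and (2) "openssl verify -crl_check" with and without a loaded CRL.
# All subjects, file names and the config below are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config for "openssl req"/"openssl ca"; every path lives under $WORK.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF

build_demo_ca() (
    cd "$WORK"
    mkdir newcerts capath emptypath
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
    # Self-signed CA, then two leaves issued through "openssl ca".
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
    for name in good revoked; do
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
            -subj "/CN=$name.example" -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
        openssl ca -config ca.cnf -batch -notext \
            -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
    done
    # Revoke one leaf and publish the CRL.
    openssl ca -config ca.cnf -revoke revoked.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    # -CAfile reads a PEM bundle of certificates *and* CRLs, which is how a
    # CRL is handed to 0.9.8's verify (newer releases also accept -CRLfile).
    cat ca.crt crl.pem > ca_with_crl.pem
    # CApath lookup wants <subject_hash>.<n>; c_rehash does this, but the
    # naming rule is the whole point, so do it by hand.
    ln -s "$WORK/ca.crt" "capath/$(openssl x509 -noout -subject_hash -in ca.crt).0"
)

# Collapse "openssl verify" output into one word keyed on the X509 error code.
verdict() {
    out="$(openssl verify "$@" 2>&1 || true)"
    case "$out" in
        *"error 19 at"*) echo UNTRUSTED ;;   # self signed cert in chain
        *"error 23 at"*) echo REVOKED ;;     # certificate revoked
        *"error 3 at"*)  echo NO_CRL ;;      # unable to get certificate CRL
        *": OK"*)        echo OK ;;
        *)               echo "FAIL: $out" ;;
    esac
}

build_demo_ca
# Same chain s_client saw: leaf plus its self-signed issuer, issuer not trusted.
verdict -CApath "$WORK/emptypath" -untrusted "$WORK/ca.crt" "$WORK/good.crt"   # UNTRUSTED
verdict -CApath "$WORK/capath"    -untrusted "$WORK/ca.crt" "$WORK/good.crt"   # OK
# -crl_check needs the CRL loaded, or the check itself fails with error 3.
verdict -CAfile "$WORK/ca.crt"          -crl_check "$WORK/good.crt"     # NO_CRL
verdict -CAfile "$WORK/ca_with_crl.pem" -crl_check "$WORK/good.crt"     # OK
verdict -CAfile "$WORK/ca_with_crl.pem" -crl_check "$WORK/revoked.crt"  # REVOKED
```

The NO_CRL case is the one that bites a 24-hour download script: -crl_check does not "skip" when no CRL is present, it fails the verification outright, so the freshly downloaded crl.pem has to be appended to the CA file (or placed in the CApath directory under its own hashed name, <issuer_hash>.r<n>) before verify is run. One more point relevant to the 0.9.8r/1.0.x mixed setups asked about elsewhere in this archive: OpenSSL 1.0.0 changed the subject-hash algorithm, so a CApath directory populated by 0.9.8's c_rehash is not found by a 1.0.x build and vice versa; "openssl x509 -subject_hash_old" on 1.0.x prints the 0.9.8-style name.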




TLS/SSL Re-Negotiation Vulnerability [CVE-2011-1473]

2011-12-21 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

We have openssl 0.9.8r on our Linux Server. The application that's used is
httpd.

A Nessus security scan on our Linux server tells us that we may be
vulnerable to a potential DOS due to SSL/TLS Renegotiation Vulnerability
[CVE-2011-1473].

The suggestions of mitigating these (we believe) are:

1. Disable Re-Negotiation completely. {We CANNOT use this choice,
because our system does need to allow Re-Negotiation in some cases. So
NOT an option for us}

2. "Rate-Limit" Re-Negotiations.

Can someone please provide detailed information/guidance about exactly
how to go about "Rate-Limiting" Re-Negotiation requests on the Linux
Server? Pointing to a detailed article would also be helpful.

Thanks a bunch in advance.



SSL/TLS Renegotiation Vulnerability [CVE-2011-1473]

2011-12-20 Thread Hasan, Rezaul (NSN - US/Arlington Heights)
Hello All,

We have openssl 0.9.8r on our Linux Server. 

A Nessus security scan on our Linux server tells us that we may be
vulnerable to a potential DOS due to  SSL/TLS Renegotiation
Vulnerability [CVE-2011-1473].

The suggestions of mitigating these (we believe) are:

1. Disable Re-Negotiation completely.  {We CANNOT use this choice,
because our system does need to allow Re-Negotiation in some cases. So
NOT an option for us}

2. "Rate-Limit" Re-Negotiations.

Can someone please provide detailed information/guidance about exactly
how to go about  "Rate-Limiting" Re-Negotiation requests on the Linux
Server? Pointing to a detailed article would also be helpful.

Thanks a bunch in advance.