RE: What version(s) of SSL/TLS are supported in openssl 1.0.1g
Thank You for the prompt and insightful response Jeffrey :-)

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Jeffrey Walton
Sent: Thursday, November 20, 2014 1:09 PM
To: OpenSSL Users List
Subject: Re: What version(s) of SSL/TLS are supported in openssl 1.0.1g

> Would any one be able to let me know what versions of SSL (if applicable)
> and TLS is supported in openssl 1.0.1g

All of them. It's up to you to trim what you don't want.

You can remove protocols (and other features) at compile time with, for example:

    ./config no-ssl2 no-ssl3 no-comp

Or, you can remove them at runtime with, for example:

    /* SSLv23_method() negotiates the highest version both sides support;
       the SSL_OP_NO_* flags then exclude the versions (and compression)
       you do not want that context to ever use. */
    const SSL_METHOD* method = SSLv23_method();
    SSL_CTX* context = SSL_CTX_new(method);
    long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
    SSL_CTX_set_options(context, flags);

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
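The reply above says "all of them" and shows how to trim protocols at build time. The check a practitioner wants next is what a particular openssl binary actually has compiled in. The script below is an added example, not code from the thread or from the OpenSSL project: it probes the s_client option list, which is built under the same OPENSSL_NO_SSL2/OPENSSL_NO_SSL3 guards as the library, so a build configured with "no-ssl2 no-ssl3" does not advertise -ssl2/-ssl3 at all. It assumes an openssl binary on PATH (override with the OPENSSL variable, an assumption of this example).

```shell
#!/bin/sh
# Added example, not from the thread: report which protocol versions a given
# openssl binary was built with, by reading s_client's own option list.
# Assumes an openssl CLI on PATH; OPENSSL=/path/to/openssl overrides it.
set -eu
OPENSSL="${OPENSSL:-openssl}"

# Returns 0 when s_client advertises the -<proto> switch (ssl2, ssl3, tls1,
# tls1_1, tls1_2, tls1_3), 1 otherwise. 1.0.x does not know "-help" but still
# prints its usage list (to stderr) on an unknown option, so stderr is folded in.
openssl_has_proto() {
    "$OPENSSL" s_client -help 2>&1 | grep -qE "(^|[[:space:]])-$1([[:space:]]|$)"
}

# One line per protocol; "absent" means the build has no code for it, which
# is the compile-time trimming the reply describes (no-ssl2, no-ssl3, ...).
protocol_report() {
    for p in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        if openssl_has_proto "$p"; then
            echo "$p: compiled in"
        else
            echo "$p: absent"
        fi
    done
}

"$OPENSSL" version
protocol_report
```

A protocol that shows as "compiled in" here is still only disabled per context, with the SSL_OP_NO_* options from the reply or the matching -no_ssl3 style switches of s_server/s_client; a protocol that shows as "absent" cannot be enabled by any caller of that library.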
What version(s) of SSL/TLS are supported in openssl 1.0.1g
Hello,

Would anyone be able to let me know what versions of SSL (if applicable) and TLS are supported in openssl 1.0.1g?

Thank you in advance.
Openssl 0.9.8r <-> openssl 1.0.1e
Hello All,

If I have a Linux CLIENT machine running with openssl 0.9.8r establishing HTTPS sessions with a Linux SERVER running openssl 1.0.1e, are there any problems I should anticipate? In other words, should those two versions of openssl be able to play nicely with each other without causing any undesired behavior? Are there any limitations that I need to be aware of?

Thanks in Advance.
Unexpected message during renegotiate attempt
Hello All,

I am using openssl 0.9.8r on one Linux box (BoxA) communicating with another Linux box running openssl 1.0.0e (BoxB). There are certain curl uploads that need to occur from BoxA --> BoxB. Usually we don't have any problems. But in a simulated environment, where there could be significant delay/latency (~2 to 3 seconds) in traffic between BoxA and BoxB, we are seeing that the curl operations are not completing as expected. Curl is sending the HTTP-100 message in the middle of TLS Re-Negotiation, causing BoxB to send a Fatal Alert and close the connection. According to the TLS spec, apparently, the TLS implementation should simply ignore those unexpected messages and continue with re-negotiation??

Upon digging through some openssl bug reports, we came across these two Bug Tickets. It looks like they were never addressed?

http://rt.openssl.org/Ticket/Display.html?id=2146&user=guest&pass=guest
http://rt.openssl.org/Ticket/Display.html?id=2481&user=guest&pass=guest

I was just trying to find out if the openssl community ever addressed this "bug"? If so, what openssl version(s) have a fix for this? Any additional information related to the bug mentioned above would be greatly appreciated.

Thanks,
-Rezaul.
RE: Is openssl 0.9.8r and openssl1.0.0 compatible ?
Hello All,

Any insight on this would be greatly appreciated... :-)

From: Hasan, Rezaul (NSN - US/Arlington Heights)
Sent: Wednesday, August 29, 2012 11:04 AM
To: 'openssl-users@openssl.org'
Subject: Is openssl 0.9.8r and openssl1.0.0 compatible ?

Hi All,

We have a Linux box1 (Client) that has openssl 0.9.8r. That box communicates with a different kind of Linux box2 (Server) that has openssl 1.0.0e. openssl 0.9.8r and openssl 1.0.0e seem fairly happy together. In the near future our 2nd Linux box is migrating to a new Platform; as a result, it will have openssl 1.0.0.

My question is: Should I anticipate any incompatibilities between those two versions of openssl (0.9.8r and 1.0.0)?

Out of curiosity, what version(s) of openssl 1.0.X.Y are most compatible (functionality-wise) with the openssl 0.9.8r version?

Thanks a bunch.
Is openssl 0.9.8r and openssl1.0.0 compatible ?
Hi All,

We have a Linux box1 (Client) that has openssl 0.9.8r. That box communicates with a different kind of Linux box2 (Server) that has openssl 1.0.0e. openssl 0.9.8r and openssl 1.0.0e seem fairly happy together. In the near future our 2nd Linux box is migrating to a new Platform; as a result, it will have openssl 1.0.0.

My question is: Should I anticipate any incompatibilities between those two versions of openssl (0.9.8r and 1.0.0)?

Out of curiosity, what version(s) of openssl 1.0.X.Y are most compatible (functionality-wise) with the openssl 0.9.8r version?

Thanks a bunch.
RE: Using Self-Signed Certificates to create SSL connection.
Great. Thank You :-)

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of ext Dave Thompson
Sent: Thursday, July 26, 2012 5:49 PM
To: openssl-users@openssl.org
Subject: RE: Using Self-Signed Certificates to create SSL connection.

> From: owner-openssl-us...@openssl.org On Behalf Of Hasan, Rezaul (NSN - US/Arlington Heights)
> Sent: Thursday, 26 July, 2012 12:02

> I have created a self-signed CA certificate, a Client certificate and a
> Server certificate. I signed the Client and Server certificates with
> the self-signed CA certificate and placed all certs in the appropriate
> locations. Then attempted to create an SSL connection with
> 'openssl s_client ..' , and get this
> Verify return code: 19 (self signed certificate in certificate chain)
> Is this an error indicating that the SSL connection failed, or is it simply
> a "warning" ? I am guessing it's just a warning, but wanted to confirm.

For s_client, it's a warning. s_client overrides verify errors and allows you to continue. Most real apps don't do this and shouldn't, so for real apps this will probably be fatal.

> ... -cert client.crt -key client.key -CApath /root/CERT

Did you put your CA cert in /root/CERT with a symlink from $subjecthash.$seq, or if you prefer directly under that name?
Using Self-Signed Certificates to create SSL connection.
Hi All,

I have created a self-signed CA certificate, a Client certificate and a Server certificate. I signed the Client and Server certificates with the self-signed CA certificate and placed all certs in the appropriate locations. Then I attempted to create an SSL connection with 'openssl s_client ...' and get this:

Verify return code: 19 (self signed certificate in certificate chain)

Is this an error indicating that the SSL connection failed, or is it simply a "warning"? I am guessing it's just a warning, but wanted to confirm...

[root@eLite1 CERT]# openssl s_client -connect 80.1.0.1:443 -ssl3 -cert client.crt -key client.key -CApath /root/CERT
CONNECTED(0003)
depth=1 /C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
 1 s:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFBjCCAu4CAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxCzAJBgNV
...
PZ6ww2xA989bF2G1zvHwJZsdSJOCuz/ueZ760XTdhPy8PCPbU+W9JNpv
-----END CERTIFICATE-----
subject=/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
issuer=/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
No client certificate CA names sent
---
SSL handshake has read 2998 bytes and written 709 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: E09D355918C3C05C10A4B7E41BA223EA5F43A725457FB14470F727F1FE447ECD
    Session-ID-ctx:
    Master-Key: CCB3A02A4D9F090F140EFF30D18E5E82F653C77C8A66A439F4AA3E1F485713043F4AE0BEFFEB97F98D470DFD10554A20
    Key-Arg   : None
    Krb5 Principal: None
    Compression: 1 (zlib compression)
    Start Time: 1343273949
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
How to use "openssl verify -crl_check ..." command
Hello All,

I have a Linux system running openssl 0.9.8r. I have scripts that automatically download the latest CRL (crl.pem) every 24 hours. I also have several certificates on the system that are actively being used by various applications.

EXACTLY HOW can I use the "openssl verify -crl_check ..." command to check if any of my certificates have been revoked, given that I actually have the up-to-date crl.pem file? Please help me by providing the correct syntax and input parameters that I need to provide.

Thanks in advance for your help,
-Rezaul.
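The two questions above (the "Verify return code: 19" s_client run, and how to call "openssl verify -crl_check" against a downloaded crl.pem) are really the same exercise: give the verifier a trust store it can find, then ask it about one certificate. The script below is an added example, not code from either thread or from the OpenSSL project. It builds a throwaway CA, a -CApath directory laid out the way Dave Thompson describes (CA cert reachable as $subjecthash.$seq), and a CRL that revokes one of two leaf certs, then reproduces error 19 and runs the -crl_check form. All names in it (Demo Root CA, server.example, revoked.example, the WORK directory) are constructed for the demo; it assumes an openssl CLI on PATH. The -CAfile bundle form is used for the CRL because 0.9.8, the version in the question, has no -CRLfile switch.

```shell
#!/bin/sh
# Added example, not code from either thread: throwaway CA, hashed -CApath
# directory and a CRL, then verify error 19 and a -crl_check run.
# Assumes an openssl CLI on PATH and a writable temp dir; every name below
# (Demo Root CA, server.example, revoked.example) is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA and two leaf certs signed by it; "revoked" is revoked below.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/C=US/O=Demo/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    for name in server revoked; do
        openssl req -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=US/O=Demo/CN=$name.example" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 2 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.crt" >/dev/null 2>&1
    done
}

# -CApath only finds a CA stored as <subject-hash>.<n>. The hash algorithm
# changed in 1.0.0, so a directory shared between a 0.9.8 client and a 1.0.x
# tool needs both names; -subject_hash_old (1.0.0+) yields the 0.9.8 one.
make_capath() {
    mkdir -p "$WORK/capath" "$WORK/empty"
    ln -sf "$WORK/ca.crt" "$WORK/capath/$(openssl x509 -noout -hash -in "$WORK/ca.crt").0"
    if old=$(openssl x509 -noout -subject_hash_old -in "$WORK/ca.crt" 2>/dev/null); then
        ln -sf "$WORK/ca.crt" "$WORK/capath/$old.0"
    fi
}

# Minimal "openssl ca" database: just enough to revoke one cert and emit a CRL.
make_crl() {
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 2
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName       = supplied
EOF
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/revoked.crt" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
    # 0.9.8 has no -CRLfile: the portable form is one -CAfile bundle holding
    # the CA cert(s) followed by the CRL (replace crl.pem with the downloaded one).
    cat "$WORK/ca.crt" "$WORK/crl.pem" > "$WORK/ca_with_crl.pem"
}

# Runs "openssl verify" with the given arguments and prints the X509 verify
# error number (0 = chain good, 19 = self-signed cert in chain, 23 = revoked)
# instead of the tool's bare exit status.
verify_code() {
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

make_pki
make_capath
make_crl

# Same shape as the s_client run in the thread: the peer supplies its CA cert
# (chain depth 1) but the trust store does not contain it -> error 19.
echo "CA not in -CApath      : $(verify_code -CApath "$WORK/empty"  -untrusted "$WORK/ca.crt" "$WORK/server.crt")"
echo "CA hashed into -CApath : $(verify_code -CApath "$WORK/capath" -untrusted "$WORK/ca.crt" "$WORK/server.crt")"
# The -crl_check form from the second thread: 0 for a live cert, 23 once revoked.
echo "server.crt, -crl_check : $(verify_code -crl_check -CAfile "$WORK/ca_with_crl.pem" "$WORK/server.crt")"
echo "revoked.crt, -crl_check: $(verify_code -crl_check -CAfile "$WORK/ca_with_crl.pem" "$WORK/revoked.crt")"
```

For the 24-hour CRL job in the question, the loop is the last two lines with the downloaded crl.pem concatenated behind the issuing CA cert and each application certificate passed in turn; a non-zero exit from "openssl verify" with error 23 is the revoked case, and -crl_check only checks the leaf, with -crl_check_all checking every CA in the chain as well. Unrelated to verification but visible in the s_client transcript above: that session negotiated SSLv3 with zlib compression, exactly the two things the no-ssl3/no-comp advice in the first thread removes.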
TLS/SSL Re-Negotiation Vulnerability [CVE-2011-1473]
Hello All,

We have openssl 0.9.8r on our Linux Server. The application that's used is httpd. A Nessus security scan on our Linux server tells us that we may be vulnerable to a potential DoS due to the SSL/TLS Renegotiation Vulnerability [CVE-2011-1473].

The suggestions for mitigating this (we believe) are:

1. Disable Re-Negotiation completely. {We CANNOT use this choice, because our system does need to allow Re-Negotiation in some cases. So NOT an option for us.}
2. "Rate-Limit" Re-Negotiations.

Can someone please provide detailed information/guidance about exactly how to go about "Rate-Limiting" Re-Negotiation requests on the Linux Server? Pointing to a detailed article would also be helpful.

Thanks a bunch in advance.
SSL/TLS Renegotiation Vulnerability [CVE-2011-1473]
Hello All,

We have openssl 0.9.8r on our Linux Server. A Nessus security scan on our Linux server tells us that we may be vulnerable to a potential DoS due to the SSL/TLS Renegotiation Vulnerability [CVE-2011-1473].

The suggestions for mitigating this (we believe) are:

1. Disable Re-Negotiation completely. {We CANNOT use this choice, because our system does need to allow Re-Negotiation in some cases. So NOT an option for us.}
2. "Rate-Limit" Re-Negotiations.

Can someone please provide detailed information/guidance about exactly how to go about "Rate-Limiting" Re-Negotiation requests on the Linux Server? Pointing to a detailed article would also be helpful.

Thanks a bunch in advance.