Re: enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Jan Schaumann via openssl-users wrote:

> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Same for TLS 1.2, btw.  (I accidentally copied the
default output when writing the email.)

-Jan


enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Hello,

Based on https://alpaca-attack.com/, I was looking at
how a TLS connection with ALPN set to e.g., "banana"
by the client to a server that has ALPN set to "h2"
would behave.  For example:

$ openssl s_server -www -accept 443 -alpn h2 \
-key /tmp/key.pem -cert /tmp/cert.pem

and

$ openssl s_client -connect localhost:443 -alpn banana

It seems that OpenSSL will simply not negotiate ALPN,
but leave the connection open:

[...]
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
[...]
---
read R BLOCK

In Go, a recent commit changed their behavior to
enforce ALPN overlap:
https://github.com/golang/go/commit/90d6bbbe42c15d444c1da0a1c293192d6f735a8e


Is there any plan or consideration to follow that
approach?

-Jan
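
An added example, not part of the original message or of OpenSSL's code: the strict selection a server application could apply inside the callback it registers with SSL_CTX_set_alpn_select_cb, so that a client offering only "banana" to an "h2" server is refused instead of being left connected with no ALPN. The names alpn_select_strict and alpn_list_valid are hypothetical, and the enum stands in for SSL_TLSEXT_ERR_OK, SSL_TLSEXT_ERR_ALERT_FATAL and SSL_TLSEXT_ERR_NOACK so the block builds without the OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for OpenSSL's SSL_TLSEXT_ERR_OK, SSL_TLSEXT_ERR_ALERT_FATAL and
 * SSL_TLSEXT_ERR_NOACK (assumption: a real callback returns those instead). */
enum alpn_result { ALPN_OK, ALPN_FATAL, ALPN_NOACK };

/* An ALPN list on the wire is a run of <1-byte length><name> entries. */
static int alpn_list_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    if (buf == NULL || len == 0) return 0;
    while (i < len) {
        size_t n = buf[i];
        if (n == 0 || n > len - i - 1) return 0;  /* empty or truncated name */
        i += 1 + n;
    }
    return 1;
}

/* Choose the first server-preferred protocol that the client also offered.
 * When the lists do not overlap, fail the handshake instead of continuing. */
enum alpn_result alpn_select_strict(const unsigned char **out, unsigned char *outlen,
        const unsigned char *client, size_t clen, const unsigned char *server, size_t slen)
{
    if (!alpn_list_valid(server, slen)) return ALPN_NOACK;  /* ALPN not configured */
    if (!alpn_list_valid(client, clen)) return ALPN_FATAL;  /* malformed offer */
    for (size_t s = 0; s < slen; s += 1 + server[s])
        for (size_t c = 0; c < clen; c += 1 + client[c])
            if (server[s] == client[c] &&
                memcmp(server + s + 1, client + c + 1, server[s]) == 0) {
                *out = client + c + 1;   /* points into the client's list */
                *outlen = client[c];
                return ALPN_OK;
            }
    return ALPN_FATAL;  /* e.g. client "banana" against server "h2" */
}

/* Constructed sample lists, matching the s_server/s_client options above. */
static const unsigned char SERVER_H2[] = { 2, 'h', '2' };
static const unsigned char CLIENT_BANANA[] = { 6, 'b', 'a', 'n', 'a', 'n', 'a' };

int main(void)
{
    const unsigned char *p = NULL; unsigned char n = 0;
    int r = alpn_select_strict(&p, &n, CLIENT_BANANA, sizeof CLIENT_BANANA,
                               SERVER_H2, sizeof SERVER_H2);
    printf("banana vs h2 -> %s\n", r == ALPN_FATAL ? "fatal alert" : "continue");
    return 0;
}
```
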


typos in man pages

2003-01-08 Thread Jan Schaumann
Hello,

Some typos in the openssl man pages were discovered (see NetBSD's PR
misc/19627
http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=19627), attached
please find a patch to correct them.

Cheers,
-Jan

-- 
http://www.netbsd.org -
 Multiarchitecture OS, no hype required.

Index: src/lib/libcrypto/man/openssl_rand.1
diff -c src/lib/libcrypto/man/openssl_rand.1:1.8 
src/lib/libcrypto/man/openssl_rand.1:1.9
*** src/lib/libcrypto/man/openssl_rand.1:1.8Fri Aug  9 19:15:46 2002
--- src/lib/libcrypto/man/openssl_rand.1Wed Jan  1 23:43:13 2003
***
*** 156,162 
  .SH "DESCRIPTION"
  .IX Header "DESCRIPTION"
  The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding
! the random number generater once.  As in other \fBopenssl\fR command
  line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR
  in addition to the files given in the \fB\-rand\fR option.  A new
  \&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough
--- 156,162 
  .SH "DESCRIPTION"
  .IX Header "DESCRIPTION"
  The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding
! the random number generator once.  As in other \fBopenssl\fR command
  line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR
  in addition to the files given in the \fB\-rand\fR option.  A new
  \&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough
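Review bot: The ".IX Header" and "\s-1PRNG\s0" markup in the context lines of this openssl_rand.1 hunk looks like generated pod2man output, so the "generater" fix probably belongs in the POD source as well; otherwise the typo comes back the next time the page is regenerated. The same question applies to the other .1 files in this patch.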
Index: src/lib/libcrypto/man/openssl_req.1
diff -c src/lib/libcrypto/man/openssl_req.1:1.8 src/lib/libcrypto/man/openssl_req.1:1.9
*** src/lib/libcrypto/man/openssl_req.1:1.8 Fri Aug  9 19:15:46 2002
--- src/lib/libcrypto/man/openssl_req.1 Wed Jan  1 23:43:13 2003
***
*** 445,451 
  The actual permitted field names are any object identifier short or
  long names. These are compiled into OpenSSL and include the usual
  values such as commonName, countryName, localityName, organizationName,
! organizationUnitName, stateOrPrivinceName. Additionally emailAddress
  is include as well as name, surname, givenName initials and dnQualifier.
  .PP
  Additional object identifiers can be defined with the \fBoid_file\fR or
--- 445,451 
  The actual permitted field names are any object identifier short or
  long names. These are compiled into OpenSSL and include the usual
  values such as commonName, countryName, localityName, organizationName,
! organizationUnitName, stateOrProvinceName. Additionally emailAddress
  is include as well as name, surname, givenName initials and dnQualifier.
  .PP
  Additional object identifiers can be defined with the \fBoid_file\fR or
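Review bot: The changed line in the 445,451 hunk of openssl_req.1 still reads "organizationUnitName", while the sample configuration in the 508,520 hunk of the same file uses "organizationalUnitName", and the context line right after it still says "is include as well as". Suggest fixing both in this pass: "organizationalUnitName, stateOrProvinceName." and "is included as well as".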
***
*** 508,520 
  \& countryName_max= 2
  .Ve
  .Vb 1
! \& localityName   = Locality Name (eg, city)
  .Ve
  .Vb 1
! \& organizationalUnitName = Organizational Unit Name (eg, section)
  .Ve
  .Vb 2
! \& commonName = Common Name (eg, YOUR name)
  \& commonName_max = 64
  .Ve
  .Vb 2
--- 508,520 
  \& countryName_max= 2
  .Ve
  .Vb 1
! \& localityName   = Locality Name (e.g. city)
  .Ve
  .Vb 1
! \& organizationalUnitName = Organizational Unit Name (e.g. section)
  .Ve
  .Vb 2
! \& commonName = Common Name (e.g. YOUR name)
  \& commonName_max = 64
  .Ve
  .Vb 2
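Review bot: The three lines changed in the 508,520 hunk sit inside .Vb/.Ve verbatim blocks, so they are sample configuration text rather than man page prose. Changing "eg," to "e.g." there (which also drops the comma) makes sense only if the configuration being quoted is changed to match; otherwise these prompt strings are better left as they were.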
Index: src/lib/libcrypto/man/openssl_rsa.1
diff -c src/lib/libcrypto/man/openssl_rsa.1:1.8 src/lib/libcrypto/man/openssl_rsa.1:1.9
*** src/lib/libcrypto/man/openssl_rsa.1:1.8 Fri Aug  9 19:15:46 2002
--- src/lib/libcrypto/man/openssl_rsa.1 Wed Jan  1 23:43:13 2003
***
*** 259,265 
  It is not very secure and so should only be used when necessary.
  .PP
  Some newer version of \s-1IIS\s0 have additional data in the exported .key
! files. To use thse with the utility view the file with a binary editor
  and look for the string \*(L"private-key\*(R", then trace back to the byte
  sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
  from this point onwards to another file and use that as the input
--- 259,265 
  It is not very secure and so should only be used when necessary.
  .PP
  Some newer version of \s-1IIS\s0 have additional data in the exported .key
! files. To use these with the utility view the file with a binary editor
  and look for the string \*(L"private-key\*(R", then trace back to the byte
  sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data
  from this point onwards to another file and use that as the input
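Review bot: The context line just above the "thse" fix in openssl_rsa.1 still reads "Some newer version of IIS have", which should be "Some newer versions of IIS have", and the corrected sentence wants a comma after "utility" ("To use these with the utility, view the file ..."). Both could go in with this patch.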
Index: src/lib/libcrypto/man/openssl_s_client.1
diff -c src/lib/libcrypto/man/openssl_s_client.1:1.9 
src/lib/libcrypto/man/openssl_s_client.1:1.10
*** src/lib/libcrypto/man/openssl_s_client.1:1.9Fri Aug  9 19:15:46 2002
--- src/lib/libcrypto/man/openssl_s_client.1Wed Jan  1 23:43:13 2003
***
*** 1,4 
! .\"   $NetBSD: openssl_s_client.1,v 1.9