Re: [openssl-users] AES-GCM cipher in TLS
Thanks Matt. I did read those RFCs as well. And here is the confusion. RFC 5116 says this in section 2.1:

"There is a single output: A ciphertext C, which is at least as long as the plaintext, or an indication that the requested encryption operation could not be performed."

Note the emphasis on "single output". So, the encryption output is just a single output, ciphertext C. This C is the ciphertext + tag, from what I understand, in a single output. Similarly, section 2.2 does not mention anything about separating the tag from the ciphertext and just takes C as input.

Now, assuming that openssl follows this, shouldn't the example at https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption just give a single output per the RFC? Instead, the example requires the ciphertext and tag to be extracted separately. Conversely, decryption should just take the ciphertext C (which includes the tag) and output the plaintext. But again the example requires separating the tag for verification.

In summary, per my understanding of the RFC, the auth tag is seamless and the application should not have to deal with it separately. Yet the openssl example using EVP deals with the tag separately.

-- openssl-users mailing list. To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] AES-GCM cipher in TLS
I am trying to decrypt TLS 1.2 records that are using the TLS_AES_128_GCM_SHA256 cipher-suite using openssl's EVP API. Per RFC 5246, decryption needs 4 inputs:

"In order to decrypt and verify, the cipher takes as input the key, nonce, the "additional_data", and the AEADEncrypted value. The output is either the plaintext or an error indicating that the decryption failed. There is no separate integrity check. That is:

TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce, AEADEncrypted, additional_data)"

But the AES-GCM decryption example on the openssl wiki at https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption shows that the decryption also takes as input the tag to be verified. I know that the authentication tag is the last 16 bytes of the TLS 1.2 record payload. But my confusion is why the RFC has no mention of the authentication tag. And so, to decrypt the TLS record, should I follow the example on the openssl wiki?
EVP_DecryptUpdate
Hello, can I use the same input and output buffer in calls to EVP_DecryptUpdate and EVP_DecryptFinal_ex? Padding is on by default, and my application will always feed 8k chunks to the update and final calls. Is it safe to then do the decrypt in place?
vulnerability management
Hi all, I have run a vulnerability scan against some systems and some vulnerabilities have come up related to OpenSSL. However, some of them do not have port 443 open, or have nothing but a single file named openSSL inside some other application's folder. I asked about the operation of that application and whether it uses openSSL somehow. It does not. Not to mention that OpenSSL does not appear among the tasks or services running. Sometimes I find OpenSSH being used but not OpenSSL. Does that use any OpenSSL libraries? I am trying to understand how my vulnerability scanner detects OpenSSL in cases like the ones I described above... Is there any way to check whether OpenSSL is being used by a system (e.g. a Windows server)? I would appreciate anyone's help with this as I am not experienced with OpenSSL. Thank you.
SSL_get_peer_certificate
If a client-server session is reused from a past session, then the client will not get a server certificate during the handshake. In this case, if I do SSL_get_peer_certificate(), will it give me the server's certificate from the initial handshake from which this reuse happened?
Re: Public/Private Key Pair Unique?
Well, think of the device as a proxy which acts as the client to the server and as the server to the client. Hence, the proxy is configured with the same public key and private key as that of the server so that it can act as the server to the clients. But before it starts to do that, I want to make sure that the server is using the exact same pub/pvt key pair as the one configured on the proxy. Hence, the question.

So, given your response, I take it that if I compare the pub-key in C2 (which came on the wire) with the pub-key in C1, then I can indirectly infer that the private key corresponding to C1 and C2 is the same. In other words, if the pub-keys for 2 certs match, then they must have the same private key.

On Tue, Jul 20, 2010 at 10:41 PM, Kyle Hamilton aerow...@gmail.com wrote:

Your question makes no sense. If you know PK1 (contained in C1), and you know K1, then if you receive C2 that contained PK1, you know that someone's trying to make you think you're talking to yourself. (Nobody else can, by the rules of PKI, have K1 but you -- which is why the challenge/response protocol exists, to prove that you are who you say you are. If the asserter of the identity contained in C2 can also prove that it knows the private key K1 -- which it would have to if that other certificate contained PK1 -- then you know you *are* talking to either yourself or someone who somehow got your private key, which should be disturbing if you aren't expecting it.)

But, if you simply want to know if it's possible to prove that two public keys are identical by byte-comparison, you would either have to extract the public key from the subjectPublicKey portion of the certificate in the format that your own system would understand before you could do that kind of byte comparison, or byte-compare the DER-encoded keys from the certificates themselves.

-Kyle H

On Tue, Jul 20, 2010 at 11:40 AM, PS mytechl...@gmail.com wrote:

Let us say I have a certificate and a private key pair (C1, K1). Now, let's say I received a certificate, C2, on the wire. Now, I want to know whether the pvt-key K1 corresponds to the private key of C2. One method is to encrypt a known random number with the pub-key in C2 and decrypt with K1 and see if the number is the same. But this is expensive. I thought of another method and wanted to know if this is correct: do a byte-for-byte compare of the pub-key in C1 with that of C2. If they are the same, then we can assume that K1 must be the private key of C2. Am I correct?

__ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
Public/Private Key Pair Unique?
Let us say I have a certificate and a private key pair (C1, K1). Now, let's say I received a certificate, C2, on the wire. Now, I want to know whether the pvt-key K1 corresponds to the private key of C2. One method is to encrypt a known random number with the pub-key in C2 and decrypt with K1 and see if the number is the same. But this is expensive. I thought of another method and wanted to know if this is correct: do a byte-for-byte compare of the pub-key in C1 with that of C2. If they are the same, then we can assume that K1 must be the private key of C2. Am I correct?
Re: ignore the certificate chain self signed error
There are a couple of alternatives. You can set a callback function in the SSL_set_verify method. This callback function can then be used to mask the self-signed error. (See http://openssl.org/docs/ssl/SSL_CTX_set_verify.html ) Alternatively, on the client side, you can invoke the SSL_set_verify() method with the flag SSL_VERIFY_NONE.

BTW, it is a potentially insecure system that you have if you intend to do this, unless your only goal is to provide encryption and not authentication.

PS

On Thu, Feb 19, 2009 at 2:22 AM, Anri Lau anri...@gmail.com wrote:

All, I encountered a problem. There is no trusted cert list in my system, so I have to ignore the certificate chain self-signed error. Which API can I use? The two API invocations below do not work.

SSL_CTX_set_trust(ctx, X509_TRUST_SSL_CLIENT);
X509_STORE_set_trust(store, 1);

Thank you.

-- Best regards to you and your family
Multiple CRL with same issuer
Hi All,

I was under the impression that openssl allows loading multiple CRLs for the same issuer. But this does not seem to be the case, as is proved by using openssl verify.

$ ls -l ./ca/
total 24
lrwxrwxrwx 1 pshah users   10 Jan 28 21:56 ba4bb3b6.0 -> cacert.pem       (the CA cert)
lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r0 -> revoked_48.pem  (revokes only cert48.pem)
lrwxrwxrwx 1 pshah users   14 Jan 28 21:56 ba4bb3b6.r1 -> revoked_49.pem  (revokes only cert49.pem)
-rw-r--r-- 1 pshah users 1233 Jan 28 17:09 cacert.pem
-rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_48.pem
-rw-r--r-- 1 pshah users  560 Jan 28 17:10 revoked_49.pem

$ openssl verify -CApath ./ca/ -crl_check -verbose cert49.pem
cert49.pem: OK

$ openssl verify -CApath ./ca/ -crl_check -verbose cert48.pem
cert48.pem: /C=--/ST=California/L=San Francisco/O=Riverbed Technology, Inc./OU=Steelhead/CN=hw1-sh18/emailaddress=fakeem...@example.com
error 23 at 0 depth lookup:certificate revoked
29615:error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table:x509_lu.c:418:

So, as seen above, the second CRL is not loaded (and I have confirmed this with gdb).

A second, related question is that even if openssl allowed loading multiple CRLs for the same issuer, it looks as if openssl will only use the first unexpired CRL from the list. There might be cases where you would have a fresher unexpired CRL which might not get picked, resulting in a wrong verification result.

A third question is: what if I had two valid CRLs from the same issuer (CRL1 revokes cert 1 and CRL2 revokes cert 2)? Then when cert 2 is to be verified, it would wrongly be considered unrevoked.

Thanks,
Paras
revoking a self-signed certificate
Hi All, Is it possible to revoke a self-signed CA certificate? If yes, then I don't understand why it should be allowed. It does not make sense. The only reason a root CA would want to revoke its own certificate is if its private key might have been compromised. So, the CA would want to revoke its certificate and create a new CRL. But since the private key is compromised, the attacker can always use the private key (of the CA) and create yet another CRL and distribute it. This looks like a chicken-and-egg problem because you are trusting a CRL sent by a CA and the CRL says not to trust the very same CA since its certificate is revoked. What is the solution to this problem? Any insights?
Re: revoking a self-signed certificate
Can you please elaborate on how the higher-layer security infrastructure would go about this? To me, it just seems impossible to do this, and the issue might only be mitigated by spreading awareness by an out-of-band means, but not eliminated until, of course, the self-signed CA certificate expires.

On Mon, Jan 26, 2009 at 9:20 PM, Kyle Hamilton aerow...@gmail.com wrote:

A self-signed CA certificate (technically, a trust anchor) cannot be revoked via CRL. This is assumed to be a function of the higher-layer security infrastructure which led to the trust anchor being trusted in the first place, and is outside the scope of CRL.

-Kyle H

On Mon, Jan 26, 2009 at 9:17 PM, PS mytechl...@gmail.com wrote:

Hi All, Is it possible to revoke a self-signed CA certificate? If yes, then I don't understand why it should be allowed. It does not make sense. The only reason a root CA would want to revoke its own certificate is if its private key might have been compromised. So, the CA would want to revoke its certificate and create a new CRL. But since the private key is compromised, the attacker can always use the private key (of the CA) and create yet another CRL and distribute it. This looks like a chicken-and-egg problem because you are trusting a CRL sent by a CA and the CRL says not to trust the very same CA since its certificate is revoked. What is the solution to this problem? Any insights?
Re: revoking a self-signed certificate
Also, does openssl allow a CA to revoke its own self-signed certificate? What happens when, during openssl verify, it finds that the CRL given by the CA contains the CA certificate in the revoked list?

On Mon, Jan 26, 2009 at 9:28 PM, PS mytechl...@gmail.com wrote:

Can you please elaborate on how the higher-layer security infrastructure would go about this? To me, it just seems impossible to do this, and the issue might only be mitigated by spreading awareness by an out-of-band means, but not eliminated until, of course, the self-signed CA certificate expires.

On Mon, Jan 26, 2009 at 9:20 PM, Kyle Hamilton aerow...@gmail.com wrote:

A self-signed CA certificate (technically, a trust anchor) cannot be revoked via CRL. This is assumed to be a function of the higher-layer security infrastructure which led to the trust anchor being trusted in the first place, and is outside the scope of CRL.

-Kyle H

On Mon, Jan 26, 2009 at 9:17 PM, PS mytechl...@gmail.com wrote:

Hi All, Is it possible to revoke a self-signed CA certificate? If yes, then I don't understand why it should be allowed. It does not make sense. The only reason a root CA would want to revoke its own certificate is if its private key might have been compromised. So, the CA would want to revoke its certificate and create a new CRL. But since the private key is compromised, the attacker can always use the private key (of the CA) and create yet another CRL and distribute it. This looks like a chicken-and-egg problem because you are trusting a CRL sent by a CA and the CRL says not to trust the very same CA since its certificate is revoked. What is the solution to this problem? Any insights?
SSL_use_peer_certificate()
Hi, I have a quick question. If a client-server session is reused, in the re-used session's SSL* data structure, will SSL_use_peer_certificate() return the certificate that it got in the initial handshake? PS
Re: SSL_use_peer_certificate()
I meant SSL_get_peer_certificate.

On Mon, Apr 7, 2008 at 6:53 PM, PS [EMAIL PROTECTED] wrote:

Hi, I have a quick question. If a client-server session is reused, in the re-used session's SSL* data structure, will SSL_use_peer_certificate() return the certificate that it got in the initial handshake? PS
Re: Client Side certification process through OpenSSL
You need to do this:

On the client side:
    SSL_CTX_use_certificate()
    SSL_CTX_use_PrivateKey()

On the server side:
    SSL_CTX_load_verify_locations()
    SSL_CTX_set_verify()    // set the mode to (SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT)

Paras

On Thu, Mar 27, 2008 at 5:15 AM, vaibhav bindroo [EMAIL PROTECTED] wrote:

Hi all, I have got an SSL client and server running with one-way certificate authentication presently implemented. I want to enable client-side certificate authentication as well, but am stuck regarding the appropriate use of the client_cert_cb callback function and the related function void SSL_CTX_set_client_cert_cb(ctx, cb) for installing certificates on the client side. Can anyone guide me on this? This is a little urgent... Thanks -Vaibhav Bindroo
Queries on Cert Store and load verify locations
Hi, I had a set of related questions regarding the trusted CA store and certificate chaining:

1. Let's say we have a chain of the form RootCA -> SubCA -> Server-certificate. Now, will the openssl verify function be able to verify if I give only the SubCA as the trusted CA cert and the above chain as the certificate to verify?

2. Is it possible to load more than one CA directory by calling SSL_CTX_load_verify_locations repeatedly? If not, then what can be done if we want to load the CA certs in different directories into the SSL_CTX?

3. Is there a way to know, after the certificate verification on an SSL connection, which certificate in the chain was trusted? I mean, is there any API call which will give me the certificate that was trusted? I know about ssl_get_peer_cert_chain, but this gives the whole chain and I am interested only in the trusted CA certificate which satisfied the verification procedure.

Thanks.
Certificate Chain and Trusted Directory
Hi, I had a set of related questions regarding the trusted CA store and certificate chaining:

1. Let's say we have a chain of the form RootCA -> SubCA -> Server-certificate. Now, will the openssl verify function be able to verify if I give only the SubCA as the trusted CA cert and the above chain as the certificate to verify?

2. Is it possible to load more than one CA directory by calling SSL_CTX_load_verify_locations repeatedly? If not, then what can be done if we want to load the CA certs in different directories into the SSL_CTX?

3. Is there a way to know, after the certificate verification on an SSL connection, which certificate in the chain was trusted? I mean, is there any API call which will give me the certificate that was trusted? I know about ssl_get_peer_cert_chain, but this gives the whole chain and I am interested only in the trusted CA certificate which satisfied the verification procedure.
Openssl FIPS 1.1.2 - make test
Hi, One of the tests in openssl-fips-1.1.2 fails without any warning when I try running make test. Though the test fails, the command continues to completion. Specifically, this is the snippet of the output where the error occurs:

Testing cipher RC4(encrypt/decrypt)
Key        ef 01 23 45 ef 01 23 45 ef 01 23 45 ef 01 23 45
Plaintext  00 00 00 00 00 00 00 00 00 00
Ciphertext d6 a1 41 a7 ec 3c 38 df bd 61
test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
14357:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1321:
14357:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1321:
test ssl2 is forbidden in FIPS mode
*** IN FIPS MODE ***
14363:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1321:
14363:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1321:
test tls1
*** IN FIPS MODE ***
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
test tls1 with server authentication

I know that the error is bound to happen since we are in FIPS mode. But the test should have been modified accordingly so that no such errors are seen. Has this been seen by the openssl developers, or am I missing something here?
Openssl Command line in FIPS mode
Hi, The openssl User Guide only mentions how to create an application in FIPS mode (by calling FIPS_mode_set(1)). The question is: is it possible to have the openssl command-line tool (generated from openssl-fips-1.1.1) be in FIPS mode? If yes, can someone please shed some light on this? Thank you.
Re: FIPS request for future OpenSSL releases
You are contradicting yourself. If you link against the openssl-fips-1.1.1 library and are in FIPS_mode, then you have FIPS functionality. If you are not in FIPS mode, then the FIPS library trivially behaves as the traditional openssl (with all functionalities). The former is called a FIPS-validated app and the latter a FIPS-capable app.

On Nov 29, 2007 4:22 PM, Brendan Simon [EMAIL PROTECTED] wrote:

Hi, I require FIPS functionality in OpenSSL but I do NOT have a requirement to run in FIPS mode. What I would like is to build OpenSSL and have ALL functions available to me so I can choose which ones I want to use. At the moment there are some functions that are only available if the -fips configure switch is used in both the openssl-fips module and openssl itself. Unfortunately I can't get OpenSSL to build with shared libraries if -fips is specified.

My logic is that just because -fips is not specified should not mean that I can't have access to those functions. To me, -fips means to use the fips module which has been FIPS 140-2 certified. Should -fips enable FIPS-approved algorithms/methods, or should it disable use of non-FIPS-approved algorithms/methods???

Is there a way to build OpenSSL and have ALL functions available (fips or otherwise) so that my application can use any of the functions I require?

Cheers, Brendan.
Re: Key Rotation over a long-lived SSL connection
Renegotiation. That's what this is for.

On 11/2/07, Darryl Miles [EMAIL PROTECTED] wrote:

Maybe they can, but you won't get much response from me by being too lazy to start a new thread with your Compose New Mail function, as opposed to picking a historic message at random and using the Reply To Message function. Have a nice day! The Posting Police

Paul Simon wrote:

I have a long-lived SSL connection for which I'd like to create a new symmetric key every hour. Can someone share some examples or tips on how to do it?
Re: PEM_read_PrivateKey does not return private key
Hi, I have a private CA certificate created using the openssl command line. The issue is that the certificate expires on 19th Oct, 2007. The question is: is it possible to extend the expiry of this certificate without changing any other fields in the certificate? Basically, I want to continue using this CA cert to sign end-user certs for a longer time. Any help will be appreciated. Thanks.
Changing the expiry date of a cert
Hi, I have a private CA certificate created using the openssl command line. The issue is that the certificate expires on 19th Oct, 2007. The question is: is it possible to extend the expiry of this certificate without changing any other fields in the certificate? Basically, I want to continue using this CA cert to sign end-user certs for a longer time. Any help will be appreciated. Thanks.
Re: Changing the expiry date of a cert
Yes. That's what I was trying to ask. So, how can I change the expiry date of an existing certificate without changing any other field? Is there any openssl command that I may use?

On 10/17/07, G.W. Haywood [EMAIL PROTECTED] wrote:

Hi there,

On Wed, 17 Oct 2007, David Schwartz wrote:

The OP wrote: "I have a private CA certificate created using the openssl command line. The issue is that the certificate expires on 19th Oct, 2007. The question is: is it possible to extend the expiry of this certificate without changing any other fields in the certificate? Basically, I want to continue using this CA cert to sign end-user certs for a longer time. Any help will be appreciated. Thanks."

This question comes up a lot and I still have no idea what anyone is asking.

It seems fairly clear to me.

It seems like it's largely a philosophical question, like am I the same person I was ten years ago even though only 1% of the molecules are the same.

I don't think the OP asked anything like that.

Some might consider the resulting certificate to be the original certificate with a later expiry date. Some might consider it to be a brand new certificate that just happens to share some common values with the previous certificate.

I don't think the OP asked whether it would still be the old certificate or if it would be a new certificate. He just asked if he can change the date, and only the date, on his existing certificate.

What possible difference does it make whether you consider the resulting certificate a new certificate or the original certificate with a later expiration date?

I don't think, in this thread, that anyone else considered that difference.

Or are you asking something else entirely? And if so, what?

It seems to me that the OP is indeed asking something entirely different from the question which you yourself seem to have posed and then immediately failed to answer. He's asking "Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?", to which it seems that the answer is "Yes", although one might add that the resulting certificate could be viewed by some as a different certificate. In that case, the next question would be "Is it valid?", to which the answer would also presumably be "Yes". Have I understood?

-- 73, Ged.