[openssl-users] Considering C# OpenSSL openssl-net-master

2017-07-25 Thread Hegazi, Amr
Hello *,

I'm using the last version of C# OpenSSL from 
https://github.com/openssl-net/openssl-net (This wrapper is based on version 
1.0.2a of libeay32.dll and ssleay32.dll).

I'm using C# OpenSSL to test my Tls Client that supports TLS starting from 
version 1.2 and all the cipher suites. Moreover, I'm using Microsoft Windows 7. 
I have already installed Microsoft Visual C++ 2010 Express and Microsoft Visual 
Studio 2010.

I always face an error "TLSv1.2  81 - Alert (Level: Fatal, Description: 
Insufficient Security)"

I have debugged the issue. The issue comes from a function called SSL_CTX_new() 
which is connected to ssleay32.dll. The ClientHello is always sent correctly 
and then the OpenSSL server replies with Insufficient Security.

The console also shows this:
.NET   HSM Received: ClientHello (188 bytes)
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025) [not supported]
.NET   Offered suite by client: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) [not supported]
.NET   Offered suite by client: TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA256 (0x003b) [not supported]
.NET   Offered suite by client: TLS_RSA_WITH_NULL_SHA (0x0002) [not supported]
.NET   ALERT SENT: Fatal InsufficientSecurity
.NET   no shared cipher suites

And Wireshark shows this:

"3406.315537","fe80::ff:fe00:2","fe80::1:5","SSL","271","Client Hello"
"3419.805155","fe80::1:5","fe80::ff:fe00:2","TLSv1.2","81","Alert (Level: 
Fatal, Description: Insufficient Security)"

So, I think the error is in something related to configuration of ssleay32.dll

My code is simple and is as follows:

try
{
    TestCaseBegin();

    Output.WriteLine("TLS Server Certificate preparation");
    CertDir = Path.GetFullPath("..\\Appl\\Certificates\\Certificate");
    TlsServerCertificate = loadCertificateFromFile(Path.Combine(CertDir,
        @"Vector_ServerCertificate_RsaSha1_IA_pfx.pfx"), "123456");
    TlsServerCaCertificates = new X509Chain(OpenSSL.Core.BIO.File(Path.Combine(CertDir,
        @"Vector_ServerCertificate_RsaSha1_Root_cert.cer"), "r"));

    Output.WriteLine("Start connection");
    TS_RcTlsConnect(TlsConnectMode.Rsa);

    Output.WriteLine("Send Client Hello");
    TS_WaitForTcpConnection();

    Output.WriteLine("make sslStreamServer");
    SslStream sslStreamServer = new SslStream(tcpClient.GetStream(), true,
        MyRemoteCertificateValidationHandler, MyLocalCertificateSelectionHandler);

    Output.WriteLine("Start AuthenticateAsServer");
    sslStreamServer.AuthenticateAsServer(TlsServerCertificate, false,
        TlsServerCaCertificates, SslProtocols.Tls, SslStrength.All, false);
}
catch (TestStepFailException e)
{
    HandleTestStepFailException(e);
    Output.WriteLine(e.ToString());
}
catch (Exception ex)
{
    PrintException(ex);
    Output.WriteLine(ex.ToString());
}
finally
{
    TestCaseEnd();
}

Has anyone an idea?

Best Regards,

Amr
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Considering C# OpenSSL openssl-net-master

2017-07-25 Thread Salz, Rich via openssl-users
If you want to use those ciphers, you need to set SECLEVEL=0 when you specify 
the ciphers.
I have no idea how to do that for the OpenSSL C# binding.  Maybe post an issue 
on openssl-net?


Re: [openssl-users] Considering C# OpenSSL openssl-net-master

2017-07-26 Thread Jakob Bohm

On 25/07/2017 19:00, Salz, Rich via openssl-users wrote:

> If you want to use those ciphers, you need to set SECLEVEL=0 when you 
> specify the ciphers.
>
> I have no idea how to do that for the OpenSSL C# binding.  Maybe post 
> an issue on openssl-net?

When did TLS_RSA_WITH_AES_128_CBC_SHA256 and higher become
"low security"?

It looks like the client is an older product (ECDH only offered
for ECDSA certs, classic DH not offered, no algorithms above
128 bits).

So I guess the OP just needs to check if he is using an empty
cipher string or something silly like that.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

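The check that Rich's and Jakob's replies amount to ("what does my cipher string actually enable, at which security level, and does it intersect with what the client offers?") can be done with the openssl command line before touching the C# binding. The script below is an added example, not code from this thread or from openssl-net: the suite ids are constructed from the ClientHello dump in the original post, the function names are mine, and it assumes an openssl binary from 1.1.1 or later. That last point is itself a caveat for the OP: the @SECLEVEL keyword and the -s option only exist from OpenSSL 1.1.0/1.1.1 onward, and the 1.0.2a libeay32/ssleay32 DLLs the wrapper ships have no security-level mechanism at all, so whatever is rejecting these suites there is the cipher list (or the certificate key type), not a security level.

```shell
#!/bin/sh
# Added example (not from the original thread or from openssl-net).
# Given the suites a client offered, list which ones a server configured
# with a given OpenSSL cipher string would actually accept for TLS 1.2.
# Requires openssl 1.1.1 or later (-s, -tls1_2 and @SECLEVEL).

# Suite ids constructed from the ClientHello dump in the original post.
OFFERED="c02b c023 c025 c009 c004 003c 002f c001 003b 0002"

# Print the 4-hex-digit id (lower case) of every suite the server side would
# accept.  "-s" filters by the security level carried in the cipher string
# and "-tls1_2" by protocol; a plain "openssl ciphers" listing does neither,
# which is why a string can "contain" a suite that is never negotiated.
server_suite_ids() {
    # Reject a malformed cipher string up front instead of silently
    # returning an empty list from the pipeline below.
    openssl ciphers "$1" >/dev/null 2>&1 || return 1
    openssl ciphers -s -tls1_2 -V "$1" |
        awk '{
            # first column looks like "0x00,0x2F"
            split($1, b, ",")
            sub(/^0x/, "", b[1]); sub(/^0x/, "", b[2])
            print tolower(b[1] b[2])
        }'
}

# Print the ids present in both lists.  Empty output is the condition the
# original post's log reports as "no shared cipher suites".
shared_suites() {
    accepted=$(server_suite_ids "$1") || return 1
    for id in $OFFERED; do
        printf '%s\n' "$accepted" | grep -qx "$id" && printf '%s\n' "$id"
    done
    return 0
}

# Stand-alone demonstration: the same client list against several server
# settings.  Run as:  sh check_suites.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for cs in 'ALL' 'ALL:@SECLEVEL=0' 'ALL:eNULL:@SECLEVEL=0' 'ALL:@SECLEVEL=3'; do
        printf '%-24s -> %s\n' "$cs" "$(shared_suites "$cs" | tr '\n' ' ')"
    done
fi
```

Two things the output makes visible that the cipher string alone does not. First, the NULL suites the client offers (0x0002, 0x003b, 0xc001) are never in ALL and need both eNULL in the string and a security level that tolerates 0-bit encryption, so a server built from DEFAULT or ALL will reject them regardless of SECLEVEL. Second, this is a necessary check, not a sufficient one: the ECDHE-ECDSA/ECDH-ECDSA suites (0xc02b, 0xc023, 0xc025, 0xc009, 0xc004) can only be selected if the server presents an ECDSA certificate, and the certificate file name in the original post indicates an RSA key, so with that certificate the only candidates are the two TLS_RSA_WITH_AES_128 suites; if the configured string drops those, the handshake fails even though the list is not empty.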


Re: [openssl-users] Considering C# OpenSSL openssl-net-master

2017-07-26 Thread J. J. Farrell

On 26/07/2017 20:58, Jakob Bohm wrote:

> On 25/07/2017 19:00, Salz, Rich via openssl-users wrote:
>
>> If you want to use those ciphers, you need to set SECLEVEL=0 when you 
>> specify the ciphers.
>
> When did TLS_RSA_WITH_AES_128_CBC_SHA256 and higher become
> "low security"?
>
> It looks like the client is an older product (ECDH only offered
> for ECDSA certs, classic DH not offered, no algorithms above
> 128 bits).
>
> So I guess the OP just needs to check if he is using an empty
> cipher string or something silly like that.

The OP said he was testing his "Tls Client that supports TLS starting 
from version 1.2 and all the cipher suites". Perhaps he's found his 
first bug, since the client isn't offering all the TLS 1.2 cipher suites ...


--
J. J. Farrell
Not speaking for Oracle
