bug report
Dear OpenSSL development team,
I think I have found two bugs in the openssl library. I'm using version 0.92b,
but I checked it with cvsweb and I have seen no fixes for them in version 0.93
1. In the file crypto/evp/e_cbc_r2.c the function rc2_meth_to_magic(e)
calls the EVP_CIPHER_key_length function, which returns the keylength in bytes,
but afterwards this size is compared to 40, 64 and 128 which are in bits.
Therefore the size should be multiplied by eight before the comparision:
static int rc2_meth_to_magic(e)
EVP_CIPHER *e;
{
int i;
i=EVP_CIPHER_key_length(e)*8;
if (i == 128) return(RC2_128_MAGIC);
else if (i == 64) return(RC2_64_MAGIC);
else if (i == 40) return(RC2_40_MAGIC);
else return(0);
}
2. The management of the compression methods are flawed. Consider the following:
- calling SSL_COMP_add_compression_method, it creates the
ssl_comp_methods
stack and adds the SSL_COMP structure
- calling SSL_CTX_new, the comp_methods member is assigned the value
of ssl_comp_methods:
ret->comp_methods=SSL_COMP_get_compression_methods();
- connecting, data transfer etc.
- when calling the SSL_CTX_free, the comp_methods member is freed,
but the ssl_comp_methods
remains non-zero:
if (a->comp_methods != NULL) sk_pop_free(a->comp_methods,FreeFunc);
- Now an another SSL_CTX_new will assign the invalid value
ssl_comp_methods to the comp_methods member
- SSL_COMP_add_compression_method will try to push a SSL_COMP into
the already freed ssl_comp_methods
3. I also have a question. What is supposed to be the first parameter of
SSL_COMP_add_compression_method?
Best wishes,
Daniel Marx
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
0.9.8h bug report
I complie 0.9.8h today and attempted to run onwin32 machine, but I have bug: openssl pkcs12 -export -in MyCert.pem -inkey MyKey.pem -out MyCert.p12 Loading 'screen' into random state - done Enter pass phrase for MyKey.pem: Enter Export Password: Verifying - Enter Export Password: OK openssl pkcs12 -export -in MyCert.pem -inkey MyKey.pem -out yCert.p12 -name "Digital IDs" Loading 'screen' into random state - done Enter pass phrase for MyKey.pem: Enter Export Password: Verifying - Enter Export Password: 1872:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc failure:.\crypto\asn1\asn1_lib.c:381: 1872:error:0B08A041:x509 certificate routines:X509_ATTRIBUTE_set1_data:malloc failure:.\crypto\x509 \x509_att.c:317: Thanks, Nha Doan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[FWD] Bug report
Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Swaraj G Tati <[EMAIL PROTECTED]> - To: [EMAIL PROTECTED] Cc: Sudarshan Yeddula <[EMAIL PROTECTED]>, Chalapathy Sarangapani <[EMAIL PROTECTED]> Subject: Bug report From: Swaraj G Tati <[EMAIL PROTECTED]> Date: Fri, 28 Nov 2008 04:27:31 +0530 Hi, I was trying to Install Openssl for 32-bit libraries on a HP-Ux 11.11 server,However when I run ./config I am getting the following error.. Is there any diffrence in the installation process of 64-bit libraries and 32-bit libraries,,? Please Assist me.. [EMAIL PROTECTED]:/openssl-0.9.8e: ./config Operating system: 9000/800-hp-hpux1x WARNING! If you wish to build 64-bit library then you have to invoke './Configure hpux64-parisc2-cc' *manually*. You have about 5 seconds to press Ctrl-C to abort. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. This system (hpux-parisc2-cc) is not supported. See file INSTALL for details. *** Reply to "[EMAIL PROTECTED]" *** Best Regards, Swaraj Swaraj G Tati, Operations Lead Specialist - ITD ??? Global Delivery , India + : DLF IT Park (DC1-1A-048, Extn: 20545), Chennai - 600032. India. ) (M) : 91- 93814 08670 , : : [EMAIL PROTECTED], P Save a tree. Please don???t print this email or Documents unless it is really necessary. - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 0.9.8h bug report
On Fri, May 30, 2008, Tuan Nha wrote: > I complie 0.9.8h today and attempted to run onwin32 machine, > but I have bug: > > openssl pkcs12 -export -in MyCert.pem -inkey MyKey.pem -out MyCert.p12 >Loading 'screen' into random state - done >Enter pass phrase for MyKey.pem: >Enter Export Password: >Verifying - Enter Export Password: >OK > > openssl pkcs12 -export -in MyCert.pem -inkey MyKey.pem -out yCert.p12 > -name "Digital IDs" >Loading 'screen' into random state - done >Enter pass phrase for MyKey.pem: >Enter Export Password: >Verifying - Enter Export Password: >1872:error:0D0BA041:asn1 encoding routines:ASN1_STRING_set:malloc > failure:.\crypto\asn1\asn1_lib.c:381: >1872:error:0B08A041:x509 certificate > routines:X509_ATTRIBUTE_set1_data:malloc failure:.\crypto\x509 > \x509_att.c:317: > > This patch should fix it: http://cvs.openssl.org/chngview?cn=17196 or try tomorrows snapshot. Thanks for the report. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[EMAIL PROTECTED]: BUG REPORT]
Forwarded to openssl-users Regards, Lutz - Forwarded message from [EMAIL PROTECTED] - X-Original-To: [EMAIL PROTECTED] X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Date: Mon, 10 Apr 2006 16:51:54 -0400 (EDT) Subject: BUG REPORT From: [EMAIL PROTECTED] To: openssl-bugs@openssl.org User-Agent: SquirrelMail/1.4.2 X-Priority: 3 Importance: Normal X-Virus-Scanned: by amavisd 0.1 X-Virus-Scanned: by amavisd 0.1 make making all in crypto... make[1]: Entering directory `/home/jesse/openssl-0.9.8a/openssl-0.9.8a/crypto' ( echo "#ifndef MK1MF_BUILD"; \ echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \ echo ' #define CFLAGS "gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM"'; \ echo ' #define PLATFORM "linux-elf"'; \ echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ echo '#endif' ) >buildinf.h gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o cryptlib.o cryptlib.c make[1]: gcc: Command not found make[1]: *** [cryptlib.o] Error 127 make[1]: Leaving directory `/home/jesse/openssl-0.9.8a/openssl-0.9.8a/crypto' make: *** [build_crypto] Error 1 - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
[EMAIL PROTECTED]: Bug report]
Forwarded to openssl-users for discussion. Having a glance on your report it seems that you have created a certificate request which is to be submitted to CA for signing. Only the certificate signed by the CA is a X.509 object that can be handled with the "openssl x509" application. To display the contents of the request you have to use the "openssl req" application itself. Best regards, Lutz - Forwarded message from Alex <[EMAIL PROTECTED]> - X-Original-To: [EMAIL PROTECTED] X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:to:subject:message-id:x-mailer:mime-version:content-type:content-transfer-encoding; b=Q+HL49EBRVDhCgCS+rHODm5tUo91b702ogfKywIBUayBbANF4H2QZVyAJOf+m+wufgwyCw6Mlc2OexvkG7uNbh6pJEQwoXnJmoDskMrGqimSeBzueH17dy3beOIxgrxRNA1fO9rWfAsBoetgCw5dny9IkS+P8ph8qt9046n+Rig= Date: Mon, 11 Dec 2006 18:37:19 -0500 From: Alex <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Bug report X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; i686-pc-linux-gnu) X-Virus-Scanned: by amavisd 0.1 X-Virus-Scanned: by amavisd 0.1 Hello, I am having trouble generating a certificate with OpenSSL. Here is what I am doing: [EMAIL PROTECTED] test]$ openssl req -new -out test Generating a 1024 bit RSA private key ..++ ..++ writing new private key to 'privkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. - Country Name (2 letter code) [AU]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [EMAIL PROTECTED] test]$ openssl x509 -in test -text -noout unable to load certificate 22193:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE I feel that this is a bug in OpenSSL. Version is below: OpenSSL 0.9.8a 11 Oct 2005 built on: Wed Oct 4 11:53:45 UTC 2006 platform: debian-i386-i686/cmov options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -march=i686 -mcpu=i686 -Wa,--noexecstack -g -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM Thank you for your assistance. -- Alex - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Bug report with patch
Hi all,
Problem:
If the negotiated cipher is ADH (ie, the SSL_aNULL flag is set) and if
the verify mode is SSL_VERIFY_PEER, the server will send a certificate
request to the client. The receipt of this request by the client is
considered a fatal protocol error in TLS. Therefore, the request
should not be sent.
Fix:
The following patch to s3_srvr.c prevents the sending of the
certificate request by the server when the cipher suite is anonymous.
*** backup\s3_srvr.c Tue Nov 16 19:00:34 1999
--- s3_srvr.c Sat Dec 18 14:55:40 1999
***
*** 287,293
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
! if (!(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode &
SSL_VERIFY_CLIENT_ONCE)))
{
--- 287,294
case SSL3_ST_SW_CERT_REQ_A:
case SSL3_ST_SW_CERT_REQ_B:
! if ((s->s3->tmp.new_cipher->algorithms & SSL_aNULL) ||
! !(s->verify_mode & SSL_VERIFY_PEER) ||
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)))
{
Cheers,
- Peter
Peter "Luna" Runestig (fd. Altberg), Sweden <[EMAIL PROTECTED]>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B 42EA CB99 A35C D07B BE13
Gubben Movitz ler och nickar, / men från Charons mörka sund
dödens blund / i dina blickar / bådar snart din sista stund.
Carl Michael Bellman, Fredmans epistel nr 34
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [FWD] Bug report
there are openssl depots for hpux system. 2008-12-01 opensslmaillist 发件人: Lutz Jaenicke 发送时间: 2008-11-28 22:40:32 收件人: openssl-users@openssl.org 抄送: Swaraj G Tati 主题: [FWD] Bug report Forwarded to openssl-users for public discussion. Best regards, Lutz - Forwarded message from Swaraj G Tati <[EMAIL PROTECTED] > - To: [EMAIL PROTECTED] Cc: Sudarshan Yeddula <[EMAIL PROTECTED] >, Chalapathy Sarangapani <[EMAIL PROTECTED] > Subject: Bug report From: Swaraj G Tati <[EMAIL PROTECTED] > Date: Fri, 28 Nov 2008 04:27:31 +0530 Hi, I was trying to Install Openssl for 32-bit libraries on a HP-Ux 11.11 server,However when I run ./config I am getting the following error.. Is there any diffrence in the installation process of 64-bit libraries and 32-bit libraries,,? Please Assist me.. [EMAIL PROTECTED]:/openssl-0.9.8e: ./config Operating system: 9000/800-hp-hpux1x WARNING! If you wish to build 64-bit library then you have to invoke './Configure hpux64-parisc2-cc' *manually*. You have about 5 seconds to press Ctrl-C to abort. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. Can't locate strict.pm in @INC (@INC contains: /opt/perl5/lib/5.00502/PA-RISC1.1 /opt/perl5/lib/5.00502 /opt/perl5/lib/site_perl/5.005/PA-RISC1.1 /opt/perl5/lib/site_perl/5.005 .) at ./Configure line 9. BEGIN failed--compilation aborted at ./Configure line 9. This system (hpux-parisc2-cc) is not supported. See file INSTALL for details. *** Reply to "[EMAIL PROTECTED]" *** Best Regards, Swaraj Swaraj G Tati, Operations Lead Specialist - ITD ??? Global Delivery , India + : DLF IT Park (DC1-1A-048, Extn: 20545), Chennai - 600032. India. ) (M) : 91- 93814 08670 , : : [EMAIL PROTECTED], P Save a tree. Please don???t print this email or Documents unless it is really necessary. - End forwarded message - -- Lutz Jaenicke [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~jaenicke/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
bug report: bn_rand function
hi, I am using bn_rand function which is taking more than 10 seconds to execute. OS: Windows XP SP3 OS Locale: Swidish I am not able to reproduce issue on other machine. Can you please guide me on what can reason behind BN_Rand taking so long? Any help is appreciated. Thank you Have a nice day! -- Regards, Dipti
Re: [EMAIL PROTECTED]: Bug report]
On Wed, Dec 13, 2006 at 08:07:16PM -0500, Alex wrote: > On Tue, 12 Dec 2006 09:23:48 +0100 > Lutz Jaenicke <[EMAIL PROTECTED]> wrote: > > > Forwarded to openssl-users for discussion. > > > > Having a glance on your report it seems that you have created a > > certificate request which is to be submitted to CA for signing. > > Only the certificate signed by the CA is a X.509 object that > > can be handled with the "openssl x509" application. To display the > > contents of the request you have to use the "openssl req" application > > itself. > > > > Best regards, > > Lutz > > This error also happens when I attempt to sign a CSR with the CA > command. I doubt that the CA command will complain about not finding a X509 object as it expects a CSR. You did take care of using PEM format (ASCII-armored with proper headers) instead of using DER (binary) format!? Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]: Bug report]
If you use 'openssl x509 -x509toreq' it will create a request from an X.509 object. If you use 'openssl req -x509' it will create an X.509 object instead of a request. However, the appropriate solution to this problem is to use 'openssl x509 -inform der -in test -text -noout'. It's expecting a trusted certificate in PEM (aka base-64 encoded or ascii-armored) format. '-inform der' tells it to expect a DER-encoded bytestream. Cheers, -Kyle H On 12/14/06, Lutz Jaenicke <[EMAIL PROTECTED]> wrote: On Wed, Dec 13, 2006 at 08:07:16PM -0500, Alex wrote: > On Tue, 12 Dec 2006 09:23:48 +0100 > Lutz Jaenicke <[EMAIL PROTECTED]> wrote: > > > Forwarded to openssl-users for discussion. > > > > Having a glance on your report it seems that you have created a > > certificate request which is to be submitted to CA for signing. > > Only the certificate signed by the CA is a X.509 object that > > can be handled with the "openssl x509" application. To display the > > contents of the request you have to use the "openssl req" application > > itself. > > > > Best regards, > > Lutz > > This error also happens when I attempt to sign a CSR with the CA > command. I doubt that the CA command will complain about not finding a X509 object as it expects a CSR. You did take care of using PEM format (ASCII-armored with proper headers) instead of using DER (binary) format!? Best regards, Lutz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]: Bug report]
It's best if you tag your in/out files with '.pem', '.csr', '.crt'. I realize that UNIX doesn't deal with file extensions, but it goes a LONG way to help with debugging. Do you have a file called ./private/ca-key.pem? It is looking for the CA's private key, which is located in the same file as the CA's certificate [used for getting the authority information]. It's supposed to be in a PEM (base-64, i.e. text)-encoded form, containing a TRUSTED CERTIFICATE and a PRIVATE KEY. If you don't have it set up properly, it will throw an error. Try going through the CA howto on the openssl website, creating a new CA, and looking at the format of the contents of the files associated with each step of the process. -Kyle H On 12/15/06, Alex <[EMAIL PROTECTED]> wrote: On Thu, 14 Dec 2006 12:03:28 -0700 "Kyle Hamilton" <[EMAIL PROTECTED]> wrote: > If you use 'openssl x509 -x509toreq' it will create a request from an > X.509 object. > If you use 'openssl req -x509' it will create an X.509 object instead > of a request. > > However, the appropriate solution to this problem is to use 'openssl > x509 -inform der -in test -text -noout'. It's expecting a trusted > certificate in PEM (aka base-64 encoded or ascii-armored) format. > '-inform der' tells it to expect a DER-encoded bytestream. > > Cheers, > > -Kyle H > The real issue here is that I can not sign anything. 'test' is indeed a valid certificate request: $ openssl req -in test -text -noout Certificate Request: Data: Version: 0 (0x0) Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd [etc] $ openssl ca -verbose -config openssl.cnf -in test -out test.crt Using configuration from openssl.cnf Enter pass phrase for ./private/ca-key.pem: unable to load certificate 2055:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE The ca command is expecting a trusted certificate? The manual says: -in filename an input filename containing a single certificate request to be signed by the CA. I don't get it. Why does the man page say that -in is supposed to be a certificate request when using -in results in an error saying it needs a certificate? -- Alex -- -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]: Bug report]
What are the contents of your openssl.cnf? Are you using precisely the same configuration you were using with earlier versions of openssl? If you have the ability to use an older version of openssl with the same configuration file, does it currently work? -Kyle H On 12/15/06, Alex <[EMAIL PROTECTED]> wrote: On Fri, 15 Dec 2006 18:20:45 -0700 "Kyle Hamilton" <[EMAIL PROTECTED]> wrote: > It's best if you tag your in/out files with '.pem', '.csr', '.crt'. I > realize that UNIX doesn't deal with file extensions, but it goes a > LONG way to help with debugging. > > Do you have a file called ./private/ca-key.pem? It is looking for the > CA's private key, which is located in the same file as the CA's > certificate [used for getting the authority information]. It's > supposed to be in a PEM (base-64, i.e. text)-encoded form, containing > a TRUSTED CERTIFICATE and a PRIVATE KEY. > > If you don't have it set up properly, it will throw an error. Try > going through the CA howto on the openssl website, creating a new CA, > and looking at the format of the contents of the files associated with > each step of the process. > > -Kyle H I do indeed have a file ./private/ca-key.pem. If it wasn't there, openssl wouldn't ask me for the password to the private key in the first place. :| The ca-key.pem file begins with: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,0CB5B11689207778 In the directory I am executing openssl from I have a file, ca-cert.pem. The reason I am sending this to the mailing list is because I _always_ used to sign certificates in this manner, and now it doesn't work. -- Alex -- -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]: Bug report]
I'm trying to retrace your steps to figure out where the bug could be (and honestly, the diagnostics are not that helpful). However, there is one more thing that I would like you to check: Is the file ./ca-cert.pem in place, and does it contain a certificate? If it does not have the text "TRUSTED CERTIFICATE" in it, but it does have "BEGIN CERTIFICATE", please do the following: cp ./ca-cert.pem ./ca-cert-orig.pem openssl x509 -addtrust serverAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem openssl x509 -addtrust clientAuthentication -in ./ca-cert2.pem -out ./ca-cert3.pem openssl x509 -addtrust emailProtection -in ./ca-cert3.pem -out ./ca-cert.pem rm ca-cert2.pem ca-cert3.pem This will generate a trusted certificate from the (untrusted) CA certificate. If ./ca-cert.pem does not exist, or does not have a "BEGIN CERTIFICATE" in it, then your CA's certificate as it believes itself to be is borked and needs to be re-copied. In this case, please re-copy it, then try it again; if it still doesn't work, then go through the script above. (Note: I view this as a bug, as well. On the TLS mailing list, there's been a bit of a row pointing out that the "trust anchor" is the CA's public key as it's distributed to the clients that trust it. An X.509 CA certificate is a convenient container, but the certificate itself is not the trust anchor.) -Kyle H On 12/15/06, Alex <[EMAIL PROTECTED]> wrote: On Fri, 15 Dec 2006 19:02:35 -0700 "Kyle Hamilton" <[EMAIL PROTECTED]> wrote: > What are the contents of your openssl.cnf? Are you using precisely > the same configuration you were using with earlier versions of > openssl? > > If you have the ability to use an older version of openssl with the > same configuration file, does it currently work? > > -Kyle H > # $Id: openssl.cnf,v 1.2 2004/01/22 19:27:32 jmates Exp $ # # OpenSSL configuration file for custom Certificate Authority. Use a # different openssl.cnf file to generate certificate signing requests; # this one is for use only in Certificate Authority operations (csr -> # cert, cert revocation, revocation list generation). # # Be sure to customize this file prior to use, e.g. the commonName and # other options under the root_ca_distinguished_name section. HOME= . RANDFILE= $ENV::HOME/.rnd [ ca ] default_ca = CA_default [ CA_default ] dir = . # unsed at present, and my limited certs can be kept in current dir #certs = $dir/certs new_certs_dir = $dir/newcerts crl_dir = $dir/crl database= $dir/index certificate = $dir/ca-cert.pem serial = $dir/serial crl = $dir/ca-crl.pem private_key = $dir/private/ca-key.pem RANDFILE= $dir/private/.rand x509_extensions = usr_cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt= ca_default cert_opt= ca_default default_crl_days= 30 default_days= 730 # if need to be compatible with older software, use weaker md5 default_md = sha1 # MSIE may need following set to yes? preserve= no # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy = policy_match # For the CA policy [ policy_match ] countryName = supplied stateOrProvinceName = optional organizationName= match organizationalUnitName = supplied commonName = supplied emailAddress= supplied # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName= optional organizationName= optional organizationalUnitName = optional commonName = supplied emailAddress= optional [ req ] default_bits= 4096 default_keyfile = ./private/ca-key.pem default_md = rmd160 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = v3_ca # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK: a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req [ root_ca_distinguished_name ] commonName = xxx countryName = US stateOrProvinceName = xxx localityName = xxx 0.organizationName = xxx emailAddress = xxx [ usr_cert ] # Thes
Re: [EMAIL PROTECTED]: Bug report]
On Fri, Dec 15, 2006, Kyle Hamilton wrote: > I'm trying to retrace your steps to figure out where the bug could be > (and honestly, the diagnostics are not that helpful). However, there > is one more thing that I would like you to check: Is the file > ./ca-cert.pem in place, and does it contain a certificate? > > If it does not have the text "TRUSTED CERTIFICATE" in it, but it does > have "BEGIN CERTIFICATE", please do the following: > Note that "TRUSTED CERTIFICATE" is handled differently. It will accept an ordinary certificate PEM file (with "BEGIN CERTIFICATE") as well as the trusted version. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]: Bug report]
If ca-cert.pem does not start with: -BEGIN CERTIFICATE or -BEGIN TRUSTED CERTIFICATE then it got corrupted. You need to recopy it from one of your end-entity systems that has it as a trust anchor. This is the issue, and is what's causing the problem. -Kyle H On 12/16/06, Alex <[EMAIL PROTECTED]> wrote: On Fri, 15 Dec 2006 23:26:19 -0700 "Kyle Hamilton" <[EMAIL PROTECTED]> wrote: > I'm trying to retrace your steps to figure out where the bug could be > (and honestly, the diagnostics are not that helpful). However, there > is one more thing that I would like you to check: Is the file > ./ca-cert.pem in place, and does it contain a certificate? > > If it does not have the text "TRUSTED CERTIFICATE" in it, but it does > have "BEGIN CERTIFICATE", please do the following: > > cp ./ca-cert.pem ./ca-cert-orig.pem > openssl x509 -addtrust serverAuthentication -in ./ca-cert.pem -out > ./ca-cert2.pem > openssl x509 -addtrust clientAuthentication -in ./ca-cert2.pem -out > ./ca-cert3.pem > openssl x509 -addtrust emailProtection -in ./ca-cert3.pem > -out ./ca-cert.pem rm ca-cert2.pem ca-cert3.pem > > This will generate a trusted certificate from the (untrusted) CA > certificate. > > If ./ca-cert.pem does not exist, or does not have a "BEGIN > CERTIFICATE" in it, then your CA's certificate as it believes itself > to be is borked and needs to be re-copied. In this case, please > re-copy it, then try it again; if it still doesn't work, then go > through the script above. > > (Note: I view this as a bug, as well. On the TLS mailing list, > there's been a bit of a row pointing out that the "trust anchor" is > the CA's public key as it's distributed to the clients that trust it. > An X.509 CA certificate is a convenient container, but the certificate > itself is not the trust anchor.) > > -Kyle H All of three commands failed. I modified command two and three because they depend on the first command which failed. $ openssl x509 -addtrust serverAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem Invalid trust object value serverAuthentication usage: x509 args $ openssl x509 -addtrust clientAuthentication -in ./ca-cert.pem -out ./ca-cert2.pem Invalid trust object value clientAuthentication usage: x509 args $ openssl x509 -addtrust emailProtection -in ./ca-cert.pem -out ./ca-cert2.pem unable to load certificate 4757:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE $ head ca-cert.pem BZh91AY&SY [...] (unprintable characters) $ openssl x509 -inform pem -in ca-cert.pem -noout -text unable to load certificate 8089:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE -- Alex -- -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Bug report: primality testing algorithm.
Greetings.
I'm implementing elliptic curve software on top of OpenSSL Bignum
library. When testing it on NIST's standard curves, I found a problem that
seems not to be in my code: Bignum reports that NIST's 384-bit prime is not
prime! I've checked the value with MIRACL and Java (which in turn uses
Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected.
If anyone would like to check it, here's a test program that reveals the error:
#include
#include
#include "bn.h"
void main(void) {
BN_CTX *ctx;
BIGNUM *q;
int isPrime;
if ((ctx = BN_CTX_new()) == NULL) {
exit(EXIT_FAILURE);
}
q = BN_new();
/* load NIST's 384-bit prime: */
BN_dec2bn(&q,
"394020061963944792122790401001436138050797392704654466679482934042457217714
96870329047266088258938001861606973112319");
/* BN_hex2bn(&q,
"fffe000
0"); */
isPrime = BN_is_prime(q, 50, NULL, ctx, NULL);
printf("Is P384 prime? %s.\n", isPrime ? "Yes" : "No");
BN_free(q);
BN_CTX_free(ctx);
}
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
openssl cert problem diagnosed, bug report
dear list, further to my question earlier today i've been able to figure out what's going on and i have an interim solution, though i think the situation warrants an openssl bug report. in my micro-app, i wasn't setting up any client or server verification requirements. these seem to default to "no verification", so the cert chain was being checked but the errors ignored. in the SOAP app, someone was requiring server verification, and openssl didn't like the self-signed cert in the chain, so the verification failed. for now, i've disabled server verification in my openssl setup, and that seems to make things work (duh). of course this isn't a good long-term solution but it will have to do for now. bug report: openssl rejects certificates which have self-signed elements in the chain, regardless of whether there are other trusted elements in the chain. my server certificates were generated using conventional procedures, and so it seems prudent to remark that openssl will probably barf on a good number of server certs out there. again - the certs on my servers work 100% fine with all the major browsers, the Windows version of my program, and all our Java SSL clients. wget doesn't work, because it uses openssl. thanks for the bandwidth. jason __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Bug report: primality testing algorithm.
Paulo S. L. M. Barreto wrote: > > Greetings. > > I'm implementing elliptic curve software on top of OpenSSL Bignum > library. Interesting. Will you be making the code public? > When testing it on NIST's standard curves, I found a problem that > seems not to be in my code: Bignum reports that NIST's 384-bit prime is not > prime! Do you have a URL referencing these NIST standard curves? > I've checked the value with MIRACL and Java (which in turn uses > Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected. > I'll have a look if I have time. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Bug report: primality testing algorithm.
Dr Stephen Henson wrote: > > > > When testing it on NIST's standard curves, I found a problem that > > seems not to be in my code: Bignum reports that NIST's 384-bit prime is not > > prime! > > Do you have a URL referencing these NIST standard curves? > Ignore that. I've found the URL. On NISTs site oddly enough :-) -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Bug report: primality testing algorithm.
"Paulo S. L. M. Barreto" wrote: > > Greetings. > > I'm implementing elliptic curve software on top of OpenSSL Bignum > library. When testing it on NIST's standard curves, I found a problem that > seems not to be in my code: Bignum reports that NIST's 384-bit prime is not > prime! I've checked the value with MIRACL and Java (which in turn uses > Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected. > > If anyone would like to check it, here's a test program that reveals the error: The short answer, amazingly, is that BN_div() is broken! A quick fix is to set the "#if 0" to "#if 1" at the top of crypto/bn/bn_div.c. In a way, I'm glad this bug was there, coz it made me (finally) figure out the prime testing. It uses Fermat's test, which seems a little strange to me, since it is known to fail to diagnose some composite numbers. It also uses a home-brewed mod_exp function (essentially, that's what witness() is) which is, presumably, slower than the "real" thing. Anyway, I'm too tired now to diagnose BN_div(), I'm going back to bed. I suspect we should switch to Miller-Rabin or some other popular prime tester, though. Not that that will fix this bug. Cheers, Ben. -- SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm http://www.apache-ssl.org/ben.html Y19100 no-prize winner! http://www.ntk.net/index.cgi?back=2000/now0121.txt __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Bug Report: make install problem with 0.9.7e on Solaris 8. P ath separator problem?
If Marvin Nipper is listening, I have a question about these fixes that you may have tried. Did you add the fixes provided to all the makefiles under check in #12630 or just the ones under /Fips/ “$EXHEADER”? I was getting the same errors, I’m about to try changing the makefiles under fips,but wanted to know if you had additional problems. Thanks in advance,
