Re: Use of TLS_FALLBACK_SCSV

2014-10-17 Thread no_spam_98
Thank you, Bodo. This is a crucial point that was not clear to me when I was investigating the use of TLS_FALLBACK_SCSV the first time. If my application uses SSLv23_method() when constructing the SSL context, and then explicitly disables SSLv2 and SSLv3 using SSL_CTX_set_options(), then OpenS

CVE-2010-5298 and 0.9.8

2014-04-15 Thread no_spam_98
It appears that the NIST NVD entry for CVE-2010-5298 may be incorrect.  This issue seems to affect 1.0.0+.  Nothing earlier - specifically 0.9.8, correct? Thanks for the sanity check.

Re: CVE-2013-6450 and 0.9.8-line

2014-01-20 Thread no_spam_98
Dr. Henson, Can you give me any information with regards to how the exploitation of CVE-2013-6450 against 0.9.8y may manifest itself?  If not a DoS, could it cause a process using libssl to core, cause libssl to return an "okay" when it should have returned an error status, leak sensitive informatio

Re: CVE-2013-6450 and 0.9.8-line

2014-01-16 Thread no_spam_98
Oh, okay.  Thank you for that tidbit. If not a DoS, how does the issue manifest itself in 0.9.8 if an adversary uses/attempts to use the flaw? Thanks.  - Original Message - > From: Dr. Stephen Henson > To: openssl-users@openssl.org > Cc: > Sent: Thursday, January 16, 2014 12:22 PM >

CVE-2013-6450 and 0.9.8-line

2014-01-16 Thread no_spam_98
It is my understanding that 0.9.8y contains the DTLS retransmission flaw described in CVE-2013-6450. I thought I read somewhere that OpenSSL.org is working on a 0.9.8za release to address this issue (and other bug fixes). Is that correct?  If so, what is the release schedule? Thanks.

RE: SSL/TLS protocol versions and their supported cipher suites

2013-06-21 Thread no_spam_98
I'm going to try this question again because it seems like there are some anomalies in the OpenSSL implementation:  which cipher suites are available in which versions of SSL/TLS? Using Appendix A.5 from the TLS 1.0, 1.1, and 1.2 RFCs, it looks to me as though there are some cipher suites in T

Re: openssl genrsa failure when OPENSSL_FIPS defined

2013-06-06 Thread no_spam_98
# openssl rand 16 -out ./junk.bin unable to write 'random state' I have made some changes to code in the openssl-fips-ecp-2.0.2 distribution (yes, I know I cannot use the OpenSSL FIPS 140-2, Level 1 accreditation).  It's likely that I have screwed something up, huh? >># echo $OPENSSL_FIPS >>

openssl genrsa failure when OPENSSL_FIPS defined

2013-06-05 Thread no_spam_98
> echo $OPENSSL_FIPS 1 > openssl genrsa -out /home/user/key -des3 2048 error:FIPS routines:FIPS_drbg_generate:not instantiated:openssl-fips-ecp-2.0/fips/rand/fips_drbg_lib.c:459 error:rsa routines:RSA_BUILTIN_KEYGEN:BN lib:openssl-fips-ecp-2.0/crypto/rsa/rsa_gen.c:338 What am I doing wrong? Tha

Re: SSL/TLS protocol versions and their supported cipher suites

2013-06-04 Thread no_spam_98
Ahhh, it looks like Appendix A.5 answers my questions more easily than Appendix C. I believe these are the answers: In fact, TLS 1.1 does prohibit the use of the export cipher suites in TLS 1.0.   So there are effectively a few (9 by my count) cipher suites that are supported in TLS 1.0 that are pr

SSL/TLS protocol versions and their supported cipher suites

2013-06-04 Thread no_spam_98
I'm a little confused about which cipher suites are supported by which SSL/TLS protocol versions. I'm using Appendix C of the TLS 1.0, 1.1, and 1.2 RFCs, respectively, as a starting point for which cipher suites are supported in which version of the protocol, but I'm not sure how to parse the f

Re: openssl 1.0.1e - bad sig size 32 32 for DSA 2048 keys

2013-06-03 Thread no_spam_98
My understanding is that 2048-bit DSA keys (with |q|=256) are currently supported - at least they seem to be in 1.0.1e and fips-2.0.2.  And "by supported" I mean that they can be 1) generated and 2) used with TLS provided the signature_algorithms extension is used so that SHA256 can be specified

Using HMAC through EVP interface?

2013-05-23 Thread no_spam_98
Can one use HMAC through EVP?  If so, can someone point me to an example? It seems that when the OpenSSL module is in FIPS mode, it doesn't like programs using HMAC_*() functions directly: "OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode!" Tha

openssl-fips-ecp-2.0.2 and DSA

2013-05-22 Thread no_spam_98
1) I'm wondering why the FIPS_selftest_dsa() function in fips_dsa_selftest.c uses EVP_sha384 with a 2048-bit DSA key during the fips_pkey_signature_test()? If I'm reading the NIST standards (FIPS 186-3 and SP 800-57 Part 1) correctly, it looks like it is more usual for 2048-bit DSA keys to be pa

FIPS 2.0.2 and DSA self test

2013-05-20 Thread no_spam_98
I'm wondering why the FIPS_selftest_dsa() function in fips_dsa_selftest.c uses EVP_sha384 with a 2048-bit DSA key during the fips_pkey_signature_test()? If I'm reading the NIST standards (FIPS 186-3 and SP 800-57 Part 1) correctly, it looks like it is more usual for 2048-bit DSA keys to be paire

Self-signed certificates and keyUsage extension

2013-05-10 Thread no_spam_98
Must non-CA, self-signed certificates have the "keyCertSign" bit set in the keyUsage extension to be "valid?" If I don't have the bit set and execute the following command: openssl verify -check_ss_sig -CAfile ./my-ss-cert.pem ./my-ss-cert.pem I get the following error: error 20 at 0 depth look

FIPS_rand_set_key and FIPS_rand_seed

2013-04-18 Thread no_spam_98
Second try... The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have been removed in newer OpenSSL FIPS Object Module v2.0. Are there replacements?  Or are they not needed anymore?  If an application is in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS mode), can

RAND functions, FIPS, and forking

2013-04-12 Thread no_spam_98
It seems that the 0.9.8-era FIPS_rand_set_key() and FIPS_rand_seed() APIs have been removed from the 1.0.1-era FIPS Object Module.  Are there replacements for these APIs?  If so, what are they? I used to use them after my FIPS-mode application forked to reset the entropy state in the child proc

OpenSSL and FIPS

2013-03-22 Thread no_spam_98
I want to build the OpenSSL 1.0.1e distribution with the FIPS code from OpenSSL FIPS 2.0.2 distribution WITHOUT using the FIPS canister method and in-core fingerprint method described in the User Guide for the OpenSSL FIPS Object Module v2.0 document. Maybe to say it another way, I would like t

EXP-RC2-CBC-MD5

2013-02-22 Thread no_spam_98
EXP-RC2-CBC-MD5 does not appear to work in 0.9.8y.  It does in 0.9.8x. system:user/openssl-0.9.8y/apps 27% ./openssl s_client -connect 10.1.1.1:443 -tls1 -cipher EXP-RC2-CBC-MD5 CONNECTED(0003) 95776:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:4

Head check on SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option

2012-12-05 Thread no_spam_98
The SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option only affects how the OUTBOUND (i.e. SSL_write) records are split (or not), correct?  It doesn't define any behavior for how the INBOUND records (i.e. SSL_read) should be split (or not), correct? So, it's possible that different sides of an SSL conne

Re: Size of ephemeral DH keys

2012-08-14 Thread no_spam_98
Thank you for the information and links. > [stuff deleted] > >> I'm probably missing something in the OpenSSL implementation.  The > documentation for SSL_CTX_set_tmp_dh_callback() says that the > "tmp_dh_callback is called with the keylength needed..."  But surely > this can't be only 512 o

Size of ephemeral DH keys

2012-08-14 Thread no_spam_98
Is there a correlation between the strength (size) of the asymmetric keys used to do the authentication and the strength (size) of the ephemeral DH keys generated/used to protect the session key (during the key exchange)? On first glance, in s3_srvr.c, it seems like the tmp_dh_callback() functio

intel-accel-1.4 on FreeBSD variant

2012-02-27 Thread no_spam_98
I built the intel-accel-1.4 engine under a FreeBSD variant.  However, when I specify its use on the command: env OPENSSL_ENGINES=`pwd` openssl speed -evp rc4 -engine intel-accel gdb shows me that the RC4 function from libcrypto.so is getting used - not the one from the libintel-accel.so.  If I

Re: OpenSSL 1.0.0 FIPS module

2010-07-29 Thread no_spam_98
I think, perhaps, two different things are being confused here: 1) RedHat's use of the term "OpenSSL Module v1.0" and 2) James' use of the term "OpenSSL 1.0.0." Looking through RedHat's Security Policy and Certificate posted on NIST's site, it certainly looks to me that their "OpenSSL Module v1

development branches, API changes, and long-term maintenance

2010-07-26 Thread no_spam_98
Hello. I've browsed through about a year's worth of the openssl-users and openssl-dev mail list archives in search of some information. I think I found most of what I'm looking for, but I want to summarize my questions and my understanding of the current situation for your review: 1) I've see