Nabble - OpenSSL - User

how to create a CertifiateVerify request

2009-11-30T02:28:41Z

Hi All,

I am writing a client program and my server is openssl. I am working on DTLS handshake implementation and I am stuck with Certificate Verify request. I dont know how to create this request. I could not find much info regarding this. I have all the necessary data with me but I dont know how to make the certificate verify request.

To the best of my knowledge, I have to add all the request incoming and outgoing till this point ( not adding certificateVerify) , take their MD5 digest and SHA1 digest and sign this and send this in the certificate verify request but I am always getting BAD REQUEST SIGNATURE at server.

I am adding the TLS header (e.g. handshake type, length, etc) and other content after that. below is the image. The data I keep on concatenating from all the messages is highlighted:

I dont know what I am doing and what part of all the messages I have to add to buffer which i use signing?

Regards
Krishn2

Re: error in SSLv3 read client hello

2009-11-28T05:37:24Z

Hi Rajan,

Thank you for the explanation, I have a better understanding now.

But why a client would need to renegotiate all the time ?
I don't know any setting on the client side to workaround.
Does this mean that most browsers need to be updated as well ?

Regards,
JC

Le samedi 28 novembre 2009 à 19:01 +0530, tensy joseph a écrit :

> Hi Jean,
>
> You are getting this error because either client or server is trying
> to renegotiate the session. The OpenSSL team has applied the patch
> which will disable all the renegotiation and hence will break all
> renegotiation attempt .This patch is released to take care of Security
> Vulnerabilty Issue CVE-2009-3555. If the client needs to do
> renegotiation then you will have to live with a vulnerable server for
> now.
>
> Thanks
> Rajan
>
> 2009/11/28 Jean-Christophe Baptiste <jc@...>
> Hi all,
>
> I can confirm the following issue :
> http://www.mail-archive.com/openssl-users@.../msg59562.html
>
> As an openSUSE user, I reported the bug there :
> https://bugzilla.novell.com/show_bug.cgi?id=558176
>
> They applied the same patch and I am having the same "Exit:
> error in
> SSLv3 read client hello A" error.
>
> How many people are aware of it ? Is there any patch yet ?
>
> Thank you for your help,
>
> JC
>
>

signature.asc (853 bytes) Download Attachment

Re: error in SSLv3 read client hello

2009-11-28T05:31:03Z

Hi Jean,

You are getting this error because either client or server is trying to renegotiate the session. The OpenSSL team has applied the patch which will disable all the renegotiation and hence will break all renegotiation attempt .This patch is released to take care of Security Vulnerabilty Issue CVE-2009-3555. If the client needs to do renegotiation then you will have to live with a vulnerable server for now.

Thanks
Rajan

2009/11/28 Jean-Christophe Baptiste <jc@...>

Hi all,

I can confirm the following issue :
http://www.mail-archive.com/openssl-users@.../msg59562.html

As an openSUSE user, I reported the bug there :
https://bugzilla.novell.com/show_bug.cgi?id=558176

They applied the same patch and I am having the same "Exit: error in
SSLv3 read client hello A" error.

How many people are aware of it ? Is there any patch yet ?

Thank you for your help,

JC

Re: Application crashes when trying to access X509 Certificate Extension returned by X509_get_ext method

2009-11-28T03:58:28Z

Sanjay,

Can you check if it still fails when you do a memcpy instead of direct assignment? Something like,

OrgPtr = (char *)malloc (Extension->value->length);

if (NULL == OrgPtr) assert("Malloc failure");

memcpy(OrgPtr, Extension->value->data, Extension->value->length);

-Sandeep

On Thu, Nov 26, 2009 at 8:44 AM, Sanjay Bhat <bsanjay@...> wrote:

Hi Kyle,

Thanks a ton for the quick reply buddy :)

When we debug our application in visual studio, we see that both "Extension" and "Extension->value" are not NULL. But "Extension->value->data" seems to be NULL or corrupted, causing our application to crash.

I am trying these options for debugging the problem :

> make sure the X509 certificate we are using is a valid one, containing the extension we are looking for, because "Certificate->valid" is set to 0 for our certificate.

> debug through the openssl function X509_get_ext( ) in visual studio by attaching the openssl source, to see why "Extension->value->data" is not being set correctly.

> also try using some older openssl version instead of the current 0.9.8 d we are currently using.

I will update again after trying these options.

I suspect something being wrong in this certificate itself, may be it does not comply to the X509 certificate format. Can you please confirm that the certificate we are using is a valid x509 certificate ?

This is the certificate we are using :

static unsigned char *LETestDefaultKey = {
  "-----BEGIN RSA PRIVATE KEY-----\r\n"
  "MIIBPAIBAAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp89YO/2rG0K8iAJW5AY399hh/s\r\n"
  "VjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEAAQJATBeXv0P1a77mXYAdM4LT\r\n"
  "SpNRrbfOKOi9GworyJEtts5Cn153ROK3750NHrOeaXbkFl89/UD0oMsO22TnF+Ol\r\n"
  "lQIhAO0gkTZggugyZ7HDQihy/7EVAgK9rg7SPc5JnyZITW5bAiEA3x+q4AZDXUHW\r\n"
  "26W7BlZoedPy6Mo5wWNb/gN9x/T987MCIQCt8TfUFZOxVFgwU7USCtl5QpnI/O7T\r\n"
  "PHHOAr9Vy6/RBQIhAJPO76y+mWuzDPmu/YmCPm3OWZGbPc1929gXSgDnrD//AiEA\r\n"
  "vwlwVtb26OSBJX47M+MZeWsiD3GVydtRdcL9+Xy0XEw=\r\n"
  "-----END RSA PRIVATE KEY-----\r\n"
};
static unsigned char *LETestDefaultCert = {
  "-----BEGIN CERTIFICATE-----\r\n"
  "MIIBojCCAUygAwIBAgIBMzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJVUzEb\r\n"
  "MBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTA1MTAxMTE3NDEyOFoXDTE1\r\n"
  "MTAwOTE3NDEyOFowJjELMAkGA1UEBhMCVVMxFzAVBgNVBAMTDlNlY3VyZUxvZ2lu\r\n"
  "U1NPMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp8\r\n"
  "9YO/2rG0K8iAJW5AY399hh/sVjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEA\r\n"
  "AaNhMF8wDgYDVR0PAQH/BAQDAgWgMBgGA1UdEQQRMA+BDWFyZ2xAYmxhaC5jb20w\r\n"
  "EQYJYIZIAYb4QgEBBAQDAgWgMCAGDGCGSAGG+DcBglsKAQQQFg5TZWN1cmVMb2dp\r\n"
  "blNTTzANBgkqhkiG9w0BAQQFAANBABaOsowc+4encEksW5w1v1dHg7DNdBbQJHct\r\n"
  "JSNfzPfE8igm617Ggsfrb0nkc50mdlyugkfZC/dX+sx4vtQk1Ok=\r\n"
  "-----END CERTIFICATE-----\r\n"
};

Looking forward for your reply... have a wonderful day ahead !!!

Regards,

Sanjay

>>> Kyle Hamilton <aerowolf@...> 11/24/2009 4:56 AM >>>

Are you checking to make sure that there *is* data in that extension?
Or that the extension value even exists?

if (NULL == Extension->value) assert("Extension->value NULL");
if (NULL == Extension->value->data) assert ("Extension->value->data NULL");
OrgPtr=Extension->value->data;

-Kyle H

On Fri, Nov 20, 2009 at 3:50 AM, Sanjay Bhat <bsanjay@...> wrote:
>
> Hi,
>
> Our application running in windows 2008 64-bit platform crashes when we try
> to access the data member of X509_EXTENSION returned by X509_get_ext().
>
> We are using 0.9.8d version of openssl compiled for windows 64 bit
> platform.
>
> We are clueless why this is happening and are badly stuck with this. Please
> help us.
>
> Here is the code snippet of our application with the point of crash in bold
> :
>
> BOOL GetX509ObjectString(X509 *Certificate, unsigned char *ASN1, unsigned
> char *Short, unsigned char *Description, unsigned char *Buffer, unsigned
> long BufSize)
> {
>     X509_EXTENSION      *Extension;
>     int                 nid;
>     int                 Position;
>     ASN1_STRING         *Value;
>     unsigned char       *OrgPtr;
>
>     if (!Buffer) {
>         return(FALSE);
>     }
>     Buffer[0]='\0';
>
>     nid = OBJ_create(ASN1, Short, Description);
>     Position=X509_get_ext_by_NID(Certificate, nid, -1);
>     if (Position==-1) {
>         return(FALSE);
>     }
>
> Extension=X509_get_ext(Certificate, Position);
>   if (!Extension) {
>         return(FALSE);
>     }
>
>     /* The M_d2i function alters the pointer, so keep a copy */
>     OrgPtr=Extension->value->data; //This is the point of crash. Referencing
> data member seems to be causing the crash
>     Value=M_d2i_ASN1_IA5STRING(NULL, &(Extension->value->data),
> Extension->value->length);
>     Extension->value->data=OrgPtr;
>     strncpy(Buffer, Value->data, min(Value->length+1, BufSize));
>     Buffer[min(Value->length+1, BufSize)-1]='\0';
>     ASN1_STRING_free(Value);
>     return(TRUE);
> }
>
> Appreciate any kind of help on this is greatly appreciated.
>
> Thanks & Regards,
> Sanjay.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

error in SSLv3 read client hello

2009-11-28T03:01:39Z

Hi all,

I can confirm the following issue :
http://www.mail-archive.com/openssl-users@.../msg59562.html

As an openSUSE user, I reported the bug there :
https://bugzilla.novell.com/show_bug.cgi?id=558176

They applied the same patch and I am having the same "Exit: error in
SSLv3 read client hello A" error.

How many people are aware of it ? Is there any patch yet ?

Thank you for your help,

JC

signature.asc (853 bytes) Download Attachment

Re: openssl and hardware tokens

2009-11-27T11:30:23Z

Nicolas Pelloux-Prayer wrote:

> I'm currently working on a similar task during the development of a
> TLS client (with client-side authentication), using a PKCS#11 hardware
> token.
>
> The main problem we encountered is that we cannot access the private
> key stored in the token; Therefore we made an engine which implements
> RSA signature methods, and used a fake private key file to make
> OpenSSL think the user cert & private key are present (state
> SSL3_ST_CW_CERT_B in d1_clnt.c) to be able to run to the
> CertificateVerify message signature state, which is performed by our
> engine using our user private key inside the token.

yes, you can't acccess the private key in a token, otherwise you could
copy it, which would invalidate the whole point of using a token in the
first place.

> Actually it works, but this approach doesn't feel right as we
> basically fool the api... I wondered if someone had a better idea of
> how to do this properly, like a way to make OpenSSL know the engine
> will handle the private key itself and will not extract it, it would
> be very helpfull.

see http://www.opensc-project.org/engine_pkcs11/

good luck figuring out how to use it though. I found this,
http://www.openssl.org/docs/crypto/engine.html and can't even find links
to the specific ENGINE_xxxx apis. in fact, coming in the front door at
http://www.openssl.org/docs/ I don't even see a link to that page?

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

RE: General question about documentation

2009-11-27T10:53:37Z

RE: General question about documentation

Yes, what ever attempts are made to improve the documentation, they should probably start with errors and omissions in this book, rather than from scratch.

Perhaps O'Rielly might want to publish a followup?

-----Original Message-----
From: owner-openssl-users@... on behalf of Mark
Sent: Fri 11/27/2009 2:46 AM
To: openssl-users@...
Subject: RE: General question about documentation

Hi All,

> Rene Hollan wrote:
> >
> > Oh, you need to dig deeper, to understand the semantics and
> not just
> > the syntax of those APIs.
> >
> > I didn't say using the source as documentation was
> convenient, but it
> > is possible, to any degree of detail you want.
> >
> > To wit: given the source code, it is possible to create
> documentation
> > to any degree of convenience. But, given some instance of external
> > documentation and no source, it is not possible to improve the
> > convenience factor of that documentation to an arbitrary degree.
> >
> > Suggesting what people who donate their time DO is rather
> like herding
> > cats. Some like coding and others like documenting and some
> like both.
> > Perhaps instead of an admonition that the project needs better
> > documentation, a question regarding who is willing to contribute to
> > said better documentation is more in order.
> >
>
> unluckily, those of us who most need the docs are least able to
> contribute, as I haven't the foggiest notion how to properly
> use any of
> the APIs at present.   I suppose I need to get the ORA book and start
> reading, as eventually I"m going to be helping another
> development team
> at work with getting an SSL connection going that needs to
> use a client
> certificate stored on a PKCS#11 PKI token, so I'll be sorting
> out how to
> use libssl w/ opensc's engine-pkcs11 module, who's
> documentation is just
> about as non-existant as that of openssl. this task was very easy in
> Java, as Java's SecureSocket hides all the complexity, up to and
> including full support for PKCS#11 plugins.

The O'Reilly book is essential reading IMHO but it is far from a
complete
guide to OpenSSL. There are many APIs that it does not mention at all.
It is also quite old now (2002).

I realize that in Open source projects it is hard to find the time to
document
the software but I believe that documentation is an essential part of
any
project, especially something as complex as OpenSSL.

Even if a wiki turnout out to be a better FAQ then it would still be
very useful IMHO.

Is it possible to gain sponsorship for this project or charge for the
documentation,
or make a commercial variant of OpenSSL which can support the open
source
version?

Mark.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData): success !

2009-11-27T06:18:25Z

On Thu, Nov 26, 2009 at 7:59 PM, Dr. Stephen Henson <steve@...> wrote:

> On Mon, Nov 23, 2009, Mathieu Malaterre wrote:
>
>> Steve,
>>
>> >> Do you have a sample PBE blob you want to decrypt?
>> >
>> > Here is one:
>> >
>> > $ wget http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2
>> > $ openssl asn1parse -in DICOMDIR -inform DER
>> >
>> > It was generated using Bouncy Castle
>>
>> I forgot to mention, if you need help from me, do not hesitate !
>>
>
> I've added experimental support to HEAD. This seems to decrypt the example OK
> and can decrypt its own output. It adds a new option -pwri_password to the
> cms utility (will need something better at some point).

EXCELLENT ! This works on my machine:

tar xvfz openssl-SNAP-20091127.tar.gz
cd openssl-SNAP-20091127/
./config --prefix=$HOME/local --openssldir=$HOME/local/openssl
make
make install
/home/mathieu/local/bin/openssl cms -decrypt -in DICOMDIR
-pwri_password password -inform DER > out.dcm

Thanks so much :)
--
Mathieu
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: Memory leak issue in openssl

2009-11-27T06:11:43Z

>>OpenSSL artifacts that are created by the application, then handed to
>>some other part of the API for use, so who is now responsible for the
>>destructions of them? That kind of misunderstanding.

>>Darryl

Hi Darryl,

To an extent you are correct. We have fixed the issue and it is due to our usage and clean up of openSSL BIOs. We have a BIO pair we got misled by the reference in following book that SSL_free will clean all the associated BIOs.

Book "Network Security with OpenSSL By Pravir Chandra, Matt Messier, John Viega", Page:137, following paragraph.

"The last point to make about this example is that we removed the call to BIO_free.
This is done because SSL_free automatically frees the SSL object's underlying BIOs for us."

But later while we were referring to the documentation on openssl website, we came to know that SSL_free cleans up only one haf of the BIO pair where as the other half need to be cleaned using BIO_free. After adding this piece of code, the memory leak has vanished.

Thanks for your guidance.

Regards
Vijay

RE: Adding a custom engine to OpenSSL

2009-11-27T06:05:54Z

Thanks, will try it out as soon as I can.

Regards,

Jun Han

> Date: Thu, 26 Nov 2009 13:24:29 +0100
> From: steve@...
> To: openssl-users@...
> Subject: Re: Adding a custom engine to OpenSSL
>
> On Thu, Nov 26, 2009, Loke Jun Han wrote:
>
> >
> > Hi,
> >
> > Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
> >
>
> Yes, you specify details in the configuration file openssl.cnf, for the syntax
> see:
>
> http://www.openssl.org/docs/apps/config.html
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http ://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...

New Windows 7: Find the right PC for you. Learn more.

RE: Adding a custom engine to OpenSSL

2009-11-27T06:02:10Z

Yup.

> From: openSSL@...
> To: openssl-users@...
> Subject: Re: Adding a custom engine to OpenSSL
> Date: Thu, 26 Nov 2009 05:21:35 -0600
>
> On Thu November 26 2009, Loke Jun Han wrote:
> >
> > Hi,
> >
> > Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
> >
>
> Like one of the engines in the list from:
> openssl engine
> ?
>
> Mike
> > Thanks,
> >
> > Jun Han
> >
> > _________________________________________________________________
> > Windows 7: Find the right PC for you. Learn more.
> > http://windows.microsoft.com/shop
>
>
> ______________________________________________________________________
> OpenSSL Project http://ww w.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...

Windows 7: Find the right PC for you. Learn more.

[FWD] Question on SSL_shutdown timeout

2009-11-27T06:01:26Z

Forwarded to openssl-users for public discussion.

Best regards,
Lutz
----- Forwarded message from Xavier De Kepper <xavier.dekepper@...> -----

From: Xavier De Kepper <xavier.dekepper@...>
To: "rt@..." <rt@...>
Date: Fri, 27 Nov 2009 02:15:17 -0800
Subject: Question on SSL_shutdown timeout
Thread-Topic: Question on SSL_shutdown timeout
Thread-Index: AcpvSoR93gXfC8xGT46vvjF0PlcdBQ==
Accept-Language: fr-FR, en-US
acceptlanguage: fr-FR, en-US

Hello,

I have a question concerning SSL_shutdown in case of SSLv3/TLSv1 connection.
In my usecase, I send a request to a HTTPS server but got no response, therefore my application timeouts.
Then the application is closing the connection with two calls to SSL_shutdown.
Unfortunately the server doesn't respond to the "close notify" therefore the SSL_shutdown call timeout.

My question is what is the value of this timeout and how can it be configured ?
I noticed that this timeout doesn't have always the same value.

I did a search on the web but didn't find anything on this topic.

Thank you very much,
Xavier

----- End forwarded message -----
--
Lutz Jaenicke jaenicke@...
OpenSSL Project http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

RE: General question about documentation

2009-11-27T02:46:37Z

Hi All,

> Rene Hollan wrote:
> >
> > Oh, you need to dig deeper, to understand the semantics and
> not just
> > the syntax of those APIs.
> >
> > I didn't say using the source as documentation was
> convenient, but it
> > is possible, to any degree of detail you want.
> >
> > To wit: given the source code, it is possible to create
> documentation
> > to any degree of convenience. But, given some instance of external
> > documentation and no source, it is not possible to improve the
> > convenience factor of that documentation to an arbitrary degree.
> >
> > Suggesting what people who donate their time DO is rather
> like herding
> > cats. Some like coding and others like documenting and some
> like both.
> > Perhaps instead of an admonition that the project needs better
> > documentation, a question regarding who is willing to contribute to
> > said better documentation is more in order.
> >
>
> unluckily, those of us who most need the docs are least able to
> contribute, as I haven't the foggiest notion how to properly
> use any of
> the APIs at present. I suppose I need to get the ORA book and start
> reading, as eventually I"m going to be helping another
> development team
> at work with getting an SSL connection going that needs to
> use a client
> certificate stored on a PKCS#11 PKI token, so I'll be sorting
> out how to
> use libssl w/ opensc's engine-pkcs11 module, who's
> documentation is just
> about as non-existant as that of openssl. this task was very easy in
> Java, as Java's SecureSocket hides all the complexity, up to and
> including full support for PKCS#11 plugins.

The O'Reilly book is essential reading IMHO but it is far from a
complete
guide to OpenSSL. There are many APIs that it does not mention at all.
It is also quite old now (2002).

I realize that in Open source projects it is hard to find the time to
document
the software but I believe that documentation is an essential part of
any
project, especially something as complex as OpenSSL.

Even if a wiki turnout out to be a better FAQ then it would still be
very useful IMHO.

Is it possible to gain sponsorship for this project or charge for the
documentation,
or make a commercial variant of OpenSSL which can support the open
source
version?

Mark.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: openssl and hardware tokens

2009-11-27T02:17:29Z

I'm currently working on a similar task during the development of a TLS client (with client-side authentication), using a PKCS#11 hardware token.

The main problem we encountered is that we cannot access the private key stored in the token; Therefore we made an engine which implements RSA signature methods, and used a fake private key file to make OpenSSL think the user cert & private key are present (state SSL3_ST_CW_CERT_B in d1_clnt.c) to be able to run to the CertificateVerify message signature state, which is performed by our engine using our user private key inside the token.

Actually it works, but this approach doesn't feel right as we basically fool the api... I wondered if someone had a better idea of how to do this properly, like a way to make OpenSSL know the engine will handle the private key itself and will not extract it, it would be very helpfull.

Best regards,
Nicolas

2009/11/16 Victor B. Wagner <vitus@...>

On 2009.11.13 at 04:44:02 -0800, Mansour Dagher wrote:

> Hi all,
>
>
> if certificates and associated keys are stored on HW (Sun crypto card for example), is there a way in openssl to specify the card as the location of these certificates/kets?
>
> It appears from the methods below, the openSSL only takes filesystem directory paths and file names as input for certificate/key locations:
>
> X509_STORE_load_locations()
> SSL_CTX_use_certificate_chain_file()
> SSL_CTX_use_PrivateKey_file()
>
> Any suggestions/thought?

There is SSL_CTX_use_PrivateKey which allows you to use private key
already loaded into memory as EVP_PKEY structure.

There is ENGINE_load_private_key function, which allows to create
EVP_PKEY structure engine-specific way. Engine is a module, which
handles interaction with some crypto hardware. Really this EVP_PKEY can
contain just reference for key stored in the hardware.

If engine-initialization code sets up an RSA/DSA/other PKEY method which
knows how to hand of crypto operation to the hardware, you can use
key stored on the token (and never actually leaves it) for all
operations - either PKCS7/CMS/SMIME or SSL/TLS.

If you store trusted CA certificates on the token as well, engine module
can also provide X509_STORE method, which can be used for certificate
verification. I don't remember in which version of OpenSSL support for
engine-provided X509_STORE method is appeared.

Things are somewhat worse for certificates for the your private key.

There was no ENGINE api to load certificates from token in the 0.9.8
version.

In the 1.0.0 function ENGINE_load_ssl_client_cert appeared, which allows
you to load certificate/private key pair given list of CA names
acceptable by server. This function seems to be designed for use from
SSL client certificate callback.

But there still no API for loading SSL server certificate/key pair and
for loading SMIME certificate/key pair, not to mention loading
certificate with arbitrary extendedKeyUsage.

But main problem is that when one want to use hardware token with
OpenSSL, it typically means tha one want to use token with existing
openssl applications, such as Apache, Lynx, OpenVPN etc.

OpenVPN has some support for PKCS#11 modules, but I've never tried it.

Other applications cannot make use of OpenSSL engine API without
modifications.

I'm not sure that they can work with X509_STORE method provided by
engine, even this method is set as default. Some client applications
such as lynx and wget are happy with X509_STORE_set_default_locations,
but most server applications want greater control on trusted CA store.

Few years ago I've submitted patch for PostgreSQL which allows to use
keys loaded via ENGINE_load_private_keys to connect to PostgreSQL
database and this patch got into PostgreSQL 8.3 version.
But that time there was no API to load certificates. Now, when we have
ENGINE_load_ssl_client_cert and PostgreSQL 8.4 have certificate
authentication support may be it is time for new patch.

> Thank you in advance.
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: Add new crypto algorithm into Openssl

2009-11-26T21:15:13Z

step 0

Well, first off a warning (and please read this despite the
admonishing tone it might have; crypto work is playing with live guns
and if a little up-front warning can prevent you from pointing it at
your foot witthout notiing while you ask "is this the trigger, sir?" I
opt for the sermon so survival rate will maybe be a bit higher this
year ;-) ): writing crypto code, especially implementing cryptographic
algorithms themselves, is not for the faint of heart and is definitely
/not/ a good exercise to get to learn a programming language or
development environment - it may sound wicked cool or whatever, but
know that the experience is tough and exacting at several levels and
only truly appealing to anal retentives, so trying this on for size
too early will only cause utter devastation and deception to you.
Crypto is 0% nice and 100% evil and 'Unforgiving' is it's middle name.

This warning has to be given, because experience shows that's what
happens from dabbling with these goods too early; though the
government reasons were/are different, it still should be treated as
live ammunitions (guns and stuff), locked and loaded to go and quite
like the antique ones: no safety switch /anywhere/.

So I'll assume you are fluent in 'C', don't mind a bit of perl on the
side, breathe Makefiles like they're oxygen and are familiar with the
UNIX development platform at console level - forget about the shiny
IDEs for now. That means you can juggle with 'grep', 'sed', 'awk',
'find' and other commandline friends and might be able to teach me a
lesson or two about those.
When you are working on a Windows platform (like I usually am), you
have several years experience of porting UNIX / Windows apps back and
forth and you know a linker from a librarian and don't break out a
sweat when the debugger acts hairy today. You also already have
acquired your own commandline awk/sed/perl/find/etc. equivalents or
are completely confident that you can do the same with the native
Windows commandline tools.

If you are not perfectly comfortable with that list, or have not used
some or all of the tools mentioned above yet, make yourself familiar
with those. (Knowing either sed or awk is fine; all the others are
each mandatory and non-interchangeable.) Take several months, because
you don't want to fight this battle at both a tool, a code and a
protocol level all at once.

Therefore, the next few steps are described in somewhat terse language
at times - they assume you know all this and are saying to me right
now "no worries! now please get on with it!"

step 1

You have a full source distribution of OpenSSL. You have compiled and
run the library itself and the test tools that come with it and you
have made bloody darn sure those tools are actually the ones compiled
by you yourself and are running the openssl library version you just
compiled. They should /not/ by any coincidence whatsoever happen to
work because you inadvertedly started their prebuilt and installed
copies that come with almost all Linux/BSD distros these days.

You know what to do when you are not sure whether you adhere to the
above and you already know several ways to indeed verify this.

step 2

[There's a discussion going on here about documentation and use cases
just appeared there, but we'll ignore that for now and use that corny
line of developers of all ages: "Use the Source, Luke!"]

You make sure you are familiar with the openssl, s_server and s_client
tools and anything else in the kit that is needed to set up a sample
environment where you can perform the cryptographic actions you wish
to perform with your new algorithm. Of course you ensure these
operations work as expected when you pick a few different options and
algorithms.

What I call checking out the neighbourhood.

Here I would go a bit further even; there's several tutorials on the
net how to generate a client and server certificate and how to apply
it to s_server and s_client so you can play with both for a while,
even when your final solution does not require certificates or SSL.
Getting to know these tools helps you in testing your own work later
on as you attained flexibility in testing approach; a good
implementation should be able to handle these operations you are now
playing with.

step 3

Time to dive into the code proper. First things first: the SSL
protocol is in the ssl/ directory[*]; no need to touch that, because
new crypto algorithms either go directly into libcrypto or are created
as a new 'engine' -- the latter is highly preferred, but both are
possible. The former is harder (= more costly) once your code enters
the maintenance cycle as you'll have to remerge and review every point
release to ensure you're up to par. Better take the road, which is a
bit harder for starters, but has a far better potential play at later
dev stages: a crypto engine plugin.
Yes, that's right, just like the GOST one.

Before you go there, realize this: all crypto actions, hashing,
ciphering, etc., should travel through the EVP calls/layer. Rule of
thumb.
Not always true everywhere, but stick to this as a rule of thumb for
99.99% of cases and you didn't ask the question you asked when you're
in that .01% zone anyway, trust me. ;-)

Try to see the flow for a basic 'enc'/'dec' encryption and decryption;
you need this, because your code will be part of this flow. Do
yourself a favour:

- prep out your favorite debugger
- test a commandline for 'enc' and 'dec' (which is 'enc -d') using
AES128, some content and a key you randomly picked, and make sure it
works.
- do the same, now for GOST.
- having those commandlines and testfiles at the ready, kickstart the
debugger and rerun the buggers again while you trace the callstack and
step through the functions.

What you should see happen is 'enc' digging up some info about the
AES128 cipher (EVP_get_cipherbyname()) -- which is lateron going to be
able to deliver info about your own cipher when you did get everything
right in the end! -- then travel further, into several EVP_xyz calls,
which you now know are the wrapping layer around /all/ crypto
activity, so we enter those, and for AES you'll end up at one in the
code that can be found in the directory
crypto/aes/*.[cs]
and don't worry about all the lines, the call stack is a /big/ hint
about what's going down, just by looking at the names, while you
familiarize yourself with the EVP structures.

Do this for AES first - notice that the whole engine party will be
skipped completely, because AES is a core library crypto cipher - to
see how it goes down 'old skool'. Know that 'engines' extend on this.

When you run into the surprise of landing in assembly language or
parts that are not accessible to sourceview in your debuger or some
such, reconfigure your OpenSSL copy with the 'no-asm' config flag and
rebuild the whole shebang. What this does is rip out all the highly
optimized assembly code (the *.s files) and build a C-only library.
It's slower but it's C, front to back all the way now. Try the
debugger again and see whether you can go everywhere. Watch the
callstack as it will tell you what is happening and after a while
you'll get a sense of when to skip or enter calls. This is mandatory,
because you will be debugging your own produce too -- I have yet to
meet someone who could write non-trivial code blocks and not have a
bug lurking in there at the end.

Now you have a feel for how core ciphers travel the code: DES, AES,
RC5, they're all the same that way. Different directories in ./crypto/
but look at those interfaces: they're all the same for all the secret
key ciphers.

[*]Footnote: when you wish to use your own cipher over communication
lines using SSL/TLS/DTLS, you will find that you'll need to edit a few
bits in some definition arrays in the ssl/ directory, but that's
specialist stuff for step6 or maybe it should be a step7. File this
bit away for later and retrieve when you need it.

step 4

Side note: if you wish to implement a new hash, the story is similar,
but hashes are different animals, so they travel a slightly different
path. You both mentioned 'cipher' so I'll leave it at that - once
you've looked at a few, the pattern will emerge, surely.

So this time we're going to see how GOST is employed through the
ENGINE interface -- which sits in both
./crypto/engine/*.[ch]
and
./engines/*
where the first constitutes the generic interface on the libcrypto
side, while the latter, ./engines/ , carries the different hard- and
software based engines. Several in there are smaller in implementation
that GOST, but when you have a look you'll find that critical parts
are 'missing': those are hardware-based crypto devices which expect
the presence of a hardware/device lib on the backend side of things,
so unless you have such 'dongles', they're useless. Hence we stick to
GOST, as that's a 100% software based engine.

You know what to do: enc/dec and maybe a few other things to wish to
try, now with GOST instead of AES128 as the selected cipher and each
of those commandlines executed in the debugger while having a look at
the callstack, etc.

By now you've a mental image of where OpenSSL will go when you execute
the cipher code, so you have a good initial idea where to poke when
you're going to test your own brand new engine.

step 5

there's several ways to create a new engine, starting from scratch or
borrowing, and though I personally prefer doing such things from
scratch, it is easier to borrow GOST for this, because we can do this
thing in smaller steps. The first is
faking it.

That is: we're going to act like our stuff is already done, tested and
all, and exactly the same quality of work as GOST. Which means we're
going to copy /all/ engines/ccgost files into a new directory, say
cp -R engines/ccgost/ engines/mycipher2009/
after we checked where GOST references might be hiding, which is
easily found by running
grep -i gost `find . -type f -print` -l
in the openSSL base directory. It should list a couple of
makefiles,everything in the engines/ccgost/ and a few other files as
well. Note those locations, because that's the places where we'll go
to do the 'fake'.

Having copied GOST, we now declare this cipher to be our own
magnificent work called 'mycipher2009' so I'll refer to the
requirements mentioned above and that should combine nicely with the
hint of a little
sed -e 's/GOST/MYCIPHER2009/g'
sed -e 's/gost/mycipher2009/g'
editing of everything in your new mycipher2009 directory.
Plus opening each other file mentioned by that
grep -i gost `find . -type f -print` -l
to see whether we need to vi yy,p the GOST lines in there and edit
gost into mycipher2009 in the copies.
Some files may not need to be changed as they are not relevant to the
build process, but you bet editing the Makefiles is mandatory: add you
new one to the ENGDIRS, for instance, and otherwise inspect each of
those files listed by grep to see and decide whether you should add
you mycipher2009 stuff there.

Now that you have made a mirror-copy of GOST under a new name, it's
time to recompile/rebuild and see where you forgot something; expect
the process to go belly up and dig around a bit to fix that. It isn't
hard, it's just work.
Once you have new builds of all the tools all that previous
seemingly-nonsense walking about I had you pays off, because the only
thing to worry about now is whether or not your mycipher2009 engine
gets integrated correctly or not: you know the tools, so you know how
to list the 'known ciphers' using the openssl tool, you know how to
use GOST, so you can now pick your mycipher2009 instead and try with
that and given the fact that you just ripped off a copy of GOST the
encrypted data should even match up with the GOST runs: both
mycipher2009 and GOST are identical twins now, after all.

Which has you set up for a fresh new engine of your own.

The hard part is 'step 6' which will depend on what you want to do:
here the work on your own cipher starts, as those debugger-assisted
walks have given you a clear idea where goes what inside the GOST
engine and with a bit of source-inspection you can start ripping out
parts and replace them by your own. Easy as pie. ;-) <yes, that was an
evil grin, right there>

Before you go, do yourself a favor and make a backup - so in case of
panic you don't have to return to step1 but can backpedal to
mycipher2009 and GOST being identical twins, which spares a bit of
work when the faeces hit the propellors.

So far the story of building engines. You've got a lot of ground to
cover getting to step6, so I'll assume for now that this is enough to
get you occupied for a while and that last bit of integrating your own
cipher, well, by hen you've seen enough code flows to have a pretty
good idea where you're going.

Take care,

Ger

PS: forgot to mention this: pick a OpenSSL tree distribution you feel
safe about; I myself like to ride bleeding edge from CVS HEAD, but
that may get you a few surprises at times where you don't want any, so
my advice would be to take the latest bundled tar.gz release and go
from there.

[When you go with latest as of the date of this writing, be aware
there's an issue lurking in the SSL renegotiation code that is under
scrutiny right now, so check up on that again once it becomes
important to you: you might need to download the next distrib package
then for this particular communication feature fix-of-a-fix, which is
a nice exercise in merging your code with an updated OpenSSL source
tree -- there's code merge tools for that; I use a semi-manual process
through a windows app called 'Beyond Compare' but that's because I'm
very comfortable with that one and I like to be in total control over
which lines enter my repositories where and when. Pick your own
favorite here. This little blurb is only important when you employ
OpenSSL for its secure /comminucation/ abilities, i.e. when you use it
to provide SSL/TLS/DTLS or anything that's riding on top of that.]

On Wed, Nov 25, 2009 at 12:05 PM, Mystic Boy <sbprabhakar@...> wrote:

>
>
>
> Gloria Lee wrote:
>>
>> Hi,
>> I wanna ask something...
>> Im trying to add crypto algorithm into Openssl,
>> I heard about the engine(ccgost), and read the README.txt file, but I
>> don't understand
>> how to do it..
>> I wonder If I add my own algorithm, Do I just copy ccgost pattern? or have
>> to change
>> entire openssl core source??..
>> Besides that, I want to know how to use ccgost engine, It's very hard for
>> me.
>> Thanks,... :)
>>
>
> Hi,
> I am also trying to add new crypto algo. to the crypto library. But didn't
> succeed. I explored OpenSSL/crypto library, it's different algo. has
> dependencies on different files.
> I am looking forward for help
>
> Thanks:
> --
> View this message in context: http://old.nabble.com/Add-new-crypto-algorithm-into-Openssl-tp26488823p26510888.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>

--
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web: http://www.hobbelt.com/
http://www.hebbut.net/
mail: ger@...
mobile: +31-6-11 120 978
--------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T16:42:56Z

This is an example of a relatively common use-case that I was alluding to in a previous email...it would be nice to not have to figure this out either by guessing, reverse-engineering something, or other sub-optimal form of development strategy....

Randy

On Nov 26, 2009, at 4:03 PM, John R Pierce wrote:

> Rene Hollan wrote:
>>
>> Oh, you need to dig deeper, to understand the semantics and not just the syntax of those APIs.
>>
>> I didn't say using the source as documentation was convenient, but it is possible, to any degree of detail you want.
>>
>> To wit: given the source code, it is possible to create documentation to any degree of convenience. But, given some instance of external documentation and no source, it is not possible to improve the convenience factor of that documentation to an arbitrary degree.
>>
>> Suggesting what people who donate their time DO is rather like herding cats. Some like coding and others like documenting and some like both. Perhaps instead of an admonition that the project needs better documentation, a question regarding who is willing to contribute to said better documentation is more in order.
>>
>
> unluckily, those of us who most need the docs are least able to contribute, as I haven't the foggiest notion how to properly use any of the APIs at present. I suppose I need to get the ORA book and start reading, as eventually I"m going to be helping another development team at work with getting an SSL connection going that needs to use a client certificate stored on a PKCS#11 PKI token, so I'll be sorting out how to use libssl w/ opensc's engine-pkcs11 module, who's documentation is just about as non-existant as that of openssl. this task was very easy in Java, as Java's SecureSocket hides all the complexity, up to and including full support for PKCS#11 plugins.
>
>
>
> .
>
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T16:40:41Z

Yes, I noted that usage of the APIs in combination with common use-cases is more appropriate, but this doesn't obviate the need for per-API documentation, as has occurred so far on the openssl website.

And I agree with the previous point that we should be trying to collectively figure out how to update the documentation in sync with the available features and functionality of the 1.0 release.

Randy

On Nov 26, 2009, at 3:35 PM, John R Pierce wrote:

>
>> Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.
>>
>
> the implementation details of the 250-odd API entry points in libssl.so would tell me very little about how to properly USE those APIs, and in fact, designing an application around my interpretation of the library developers intent would likely lead me down some rabbit holes I'd rather not explore.
>
> This is my idea of how open source documentation should be organized and written.
> http://www.postgresql.org/docs/current/static/index.html
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T16:16:33Z

From: "John R Pierce" <pierce@...>
>
> this task was very easy in Java, as Java's SecureSocket hides all the
> complexity, up to and including full support for PKCS#11 plugins.

Weren't you lucky.

I gave up trying to do that sort of thing in Java when I ran across its
habit of doing reverse DNS lookups on every IP address it came across, just
in case it needed the FQDN for anything (I think it was stuck in the mindset
of "people only use SSL to talk to web servers, don't they, and the only way
of validating a web server is a certificate containing an FDQN, isn't it, so
whenever I see an IP address I'd better get the FQDN, hadn't I, because I'm
bound to need it soon, aren't I").

Well, no, actually. Guess what: sometimes people use SSL for purposes other
than talking to web severs, and in the cases of embedded devices with no DNS
records talking to each other by explicitly configured IP address the DNS
lookup took minutes to time out before Java would deign to get on with doing
what it was told. With no way of switching this nonsense off. Hence I used a
C++ DLL to do the crypto stuff.

Tim Ward - Brett Ward Limited - 07801 703 600
www.brettward.co.uk

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Secure command line "enc -K"

2009-11-26T16:10:39Z

Is there a way to securely pass an exact key to "openssl enc"? The
"-pass" option is looking for a password that it will pass though a
key derivation function (IIUC), but I want to specify the exact binary
key to use without it being passed though a key derivation function.
The "-K" option would fit my needs, except that since it requires the
key to be put on the literal command line, it exposes the key to other
users on the same system (they can run "ps -f").

I'm looking for something like "-pass file:<keyfile>" (to keep the key
off the command line) except I want to bypass the key derivation
function. (If I were hashing instead of encoding I would just use
"openssl sha1 -sign hmac.pem".)

Michael D. Adams
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T16:03:03Z

Rene Hollan wrote:

>
> Oh, you need to dig deeper, to understand the semantics and not just
> the syntax of those APIs.
>
> I didn't say using the source as documentation was convenient, but it
> is possible, to any degree of detail you want.
>
> To wit: given the source code, it is possible to create documentation
> to any degree of convenience. But, given some instance of external
> documentation and no source, it is not possible to improve the
> convenience factor of that documentation to an arbitrary degree.
>
> Suggesting what people who donate their time DO is rather like herding
> cats. Some like coding and others like documenting and some like both.
> Perhaps instead of an admonition that the project needs better
> documentation, a question regarding who is willing to contribute to
> said better documentation is more in order.
>

unluckily, those of us who most need the docs are least able to
contribute, as I haven't the foggiest notion how to properly use any of
the APIs at present. I suppose I need to get the ORA book and start
reading, as eventually I"m going to be helping another development team
at work with getting an SSL connection going that needs to use a client
certificate stored on a PKCS#11 PKI token, so I'll be sorting out how to
use libssl w/ opensc's engine-pkcs11 module, who's documentation is just
about as non-existant as that of openssl. this task was very easy in
Java, as Java's SecureSocket hides all the complexity, up to and
including full support for PKCS#11 plugins.

.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

RE: General question about documentation

2009-11-26T15:40:14Z

RE: General question about documentation

Oh, you need to dig deeper, to understand the semantics and not just the syntax of those APIs.

I didn't say using the source as documentation was convenient, but it is possible, to any degree of detail you want.

To wit: given the source code, it is possible to create documentation to any degree of convenience. But, given some instance of external documentation and no source, it is not possible to improve the convenience factor of that documentation to an arbitrary degree.

Suggesting what people who donate their time DO is rather like herding cats. Some like coding and others like documenting and some like both. Perhaps instead of an admonition that the project needs better documentation, a question regarding who is willing to contribute to said better documentation is more in order.

-----Original Message-----
From: owner-openssl-users@... on behalf of John R Pierce
Sent: Thu 11/26/2009 3:35 PM
To: openssl-users@...
Subject: Re: General question about documentation

> Finally, the source code IS the only reliable source of documentation
> (assuming you can trust your compiler, OS, and hardware to do "the
> right thing"). It isn't the most CONVENIENT, which is why we desire
> other forms.
>

the implementation details of the 250-odd API entry points in libssl.so
would tell me very little about how to properly USE those APIs, and in
fact, designing an application around my interpretation of the library
developers intent would likely lead me down some rabbit holes I'd rather
not explore.

This is my idea of how open source documentation should be organized and
written.
http://www.postgresql.org/docs/current/static/index.html

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: General question about documentation

2009-11-26T15:35:42Z

> Finally, the source code IS the only reliable source of documentation
> (assuming you can trust your compiler, OS, and hardware to do "the
> right thing"). It isn't the most CONVENIENT, which is why we desire
> other forms.
>

the implementation details of the 250-odd API entry points in libssl.so
would tell me very little about how to properly USE those APIs, and in
fact, designing an application around my interpretation of the library
developers intent would likely lead me down some rabbit holes I'd rather
not explore.

This is my idea of how open source documentation should be organized and
written.
http://www.postgresql.org/docs/current/static/index.html

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T14:53:42Z

Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.

Just to clarify...

There isn't a debate about whether "source code" is documentation - documentation is something altogether different from source code, and it this altogether different form that is open to debate.

I think the layout, and organization of the existing OpenSSL website is evidence enough that the group intended to provide an organized documentation tree - that much is certain, so

we can defer the goals/desires semantic discussion. My only point is, I think documentation has taken a back seat "priority-wise" due to other apparently higher-priority development tasks (including possibly paid consulting time). My suggestion is, that we try to find some way to update the documentation on the website to reflect the features and functionality of the 1.0 release. The 1.0 release seems like a natural point at which to revisit how we (the community) or the core developers, or both, can re-sync the documentation sufficient to cover the common use-cases

envisioned for the feature-set. Including the basic API docs which make up the bulk of the existing documentation at the site today.

I wouldn't necessarily damn the wiki out of the gate, but I agree it will need some organization and possibly editorial support from the core development team, to be sufficiently usable to keep

users of the toolkit productive. And I reiterate, as a user of the toolkit, I would be happy to contribute to such a Wiki.

Randy

On Nov 26, 2009, at 1:15 PM, Rene Hollan wrote:

You are confusing goals and desires.

Someone who wants documentation beyond what they have can either (a) write it themselves, (b) wait, (c) offer a bounty. (c) is the only practical choice, if they have money but neither time, nor expertise.

Someone who wants to produce open source code to solve a problem and share the solution will do the least to get the job done. Someone who wants to produce open source software to INFLUENCE others to use it will try to produce the most usable software they can. I submit most open source projects fall somewhere in the middle.

Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.

Should the O'Reilly book be rewritten? Not unless it's truly awful. But, a wiki shouldn't start from scratch. It should draw upon existing documentation and fill in the gaps. Sucks if you don't have those docs (or can't afford the book), but it is the fastest way to "get there from here" because you don't have to start from nothing.

The problem with wikis is that they tend to be a large forest of information with little organization. Unless there is some editing effort, it will be little more useful than a FAQ and mailing list archive.

-----Original Message-----
From: owner-openssl-users@... on behalf of Randy Turner
Sent: Thu 11/26/2009 11:38 AM
To: openssl-users@...
Subject: Re: General question about documentation

That's a great idea Mark and Will,   I would be happy to contribute anything that I learn about the toolkit.

There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt
at a new version of the O'Reilly book.

I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.

And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.

Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers
are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.

That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.

Thanks!!
Randy

On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:

> IMO a wiki would be a great resource for both developers and users of
> OpenSSL.
>
> Something along the lines of the Subversion Book - an online reference
> "book" for OpenSSL.
>
> --Will
>
>> -----Original Message-----
>> From: owner-openssl-users@...
>> [owner-openssl-users@...] On Behalf Of Mark
>> Sent: Wednesday, November 25, 2009 3:27 AM
>> To: openssl-users@...
>> Subject: RE: General question about documentation
>>
>>> I would like to post a general observation regarding users of the
>>> OpenSSL toolkit.
>>
>> [snip stuff about documentation]]
>>
>> A long time ago it was suggested to use a wiki for this
>> purpose. Can this idea be resurrected?
>>
>> Mark.
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@...
>> Automated List Manager                           majordomo@...
>>
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@...
> Automated List Manager                           majordomo@...
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

RE: Help with error - hardware capability unsupported SSE2

2009-11-26T14:14:33Z

From: Jeremy Farrell

From: Chris Copeland

I am building and packaging the following on one machine (the "build"
machine) and attempting to install and use on other machines ("target"
machines) some of which have different processors.

* OpenSSL 0.9.8l
* Apache 2.2.14
* Tomcat Connectors 1.2.28

The problem, as far as I can tell, is that the build machine has more
CPU capabilities than the target machine resulting in binaries that
are not executable on the target machine. I have attempted to use
configure and compiler flags to disable use of the offending
instructions without luck.

Ultimately I get this error:

$ ./apachectl start httpd: Syntax error on line 58 of
/usr/local/apache-2.2.14/conf/httpd.conf: Cannot load
/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1: httpd:
fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware capability
unsupported: 0x1000 [ SSE2 ]

...

According to the message, your problem is that mod_ssl.so requires SSE2. You'd be best to ask the community responsible for that library how to build a version of it which doesn't require SSE2. I don't know for sure, but I think I recall mention that it's part of Apache.

On the surface your OpenSSL build looks fit for purpose.

Grrr ... Apologies, that's nonsense. It always pays to read all the message before commenting. I've no idea what's going on here; I'll leave it to someone who actually has a clue to say something useful.

RE: Help with error - hardware capability unsupported SSE2

2009-11-26T14:10:39Z

From: Chris Copeland

I am building and packaging the following on one machine (the "build"
machine) and attempting to install and use on other machines ("target"
machines) some of which have different processors.

* OpenSSL 0.9.8l
* Apache 2.2.14
* Tomcat Connectors 1.2.28

The problem, as far as I can tell, is that the build machine has more
CPU capabilities than the target machine resulting in binaries that
are not executable on the target machine. I have attempted to use
configure and compiler flags to disable use of the offending
instructions without luck.

Ultimately I get this error:

$ ./apachectl start httpd: Syntax error on line 58 of
/usr/local/apache-2.2.14/conf/httpd.conf: Cannot load
/usr/local/apache2/modules/mod_ssl.so into server: ld.so.1: httpd:
fatal: /usr/local/openssl/lib/libssl.so.0.9.8: hardware capability
unsupported: 0x1000 [ SSE2 ]

...

According to the message, your problem is that mod_ssl.so requires SSE2. You'd be best to ask the community responsible for that library how to build a version of it which doesn't require SSE2. I don't know for sure, but I think I recall mention that it's part of Apache.

On the surface your OpenSSL build looks fit for purpose.

RE: General question about documentation

2009-11-26T13:15:17Z

RE: General question about documentation

You are confusing goals and desires.

Someone who wants documentation beyond what they have can either (a) write it themselves, (b) wait, (c) offer a bounty. (c) is the only practical choice, if they have money but neither time, nor expertise.

Someone who wants to produce open source code to solve a problem and share the solution will do the least to get the job done. Someone who wants to produce open source software to INFLUENCE others to use it will try to produce the most usable software they can. I submit most open source projects fall somewhere in the middle.

Finally, the source code IS the only reliable source of documentation (assuming you can trust your compiler, OS, and hardware to do "the right thing"). It isn't the most CONVENIENT, which is why we desire other forms.

Should the O'Reilly book be rewritten? Not unless it's truly awful. But, a wiki shouldn't start from scratch. It should draw upon existing documentation and fill in the gaps. Sucks if you don't have those docs (or can't afford the book), but it is the fastest way to "get there from here" because you don't have to start from nothing.

The problem with wikis is that they tend to be a large forest of information with little organization. Unless there is some editing effort, it will be little more useful than a FAQ and mailing list archive.

-----Original Message-----
From: owner-openssl-users@... on behalf of Randy Turner
Sent: Thu 11/26/2009 11:38 AM
To: openssl-users@...
Subject: Re: General question about documentation

That's a great idea Mark and Will,   I would be happy to contribute anything that I learn about the toolkit.

There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt
at a new version of the O'Reilly book.

I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.

And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.

Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers
are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.

That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.

Thanks!!
Randy

On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:

> IMO a wiki would be a great resource for both developers and users of
> OpenSSL.
>
> Something along the lines of the Subversion Book - an online reference
> "book" for OpenSSL.
>
> --Will
>
>> -----Original Message-----
>> From: owner-openssl-users@...
>> [owner-openssl-users@...] On Behalf Of Mark
>> Sent: Wednesday, November 25, 2009 3:27 AM
>> To: openssl-users@...
>> Subject: RE: General question about documentation
>>
>>> I would like to post a general observation regarding users of the
>>> OpenSSL toolkit.
>>
>> [snip stuff about documentation]]
>>
>> A long time ago it was suggested to use a wiki for this
>> purpose. Can this idea be resurrected?
>>
>> Mark.
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@...
>> Automated List Manager                           majordomo@...
>>
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@...
> Automated List Manager                           majordomo@...
>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: DES3 Encryption & Decryption

2009-11-26T12:59:36Z

On Wed November 25 2009, Krishna, Bharath wrote:

Any particular operating system?
In linux, you can already choose to use DES3 for shadow passwords.

Nothing more required than a current passwd utility.

Mike

> Issue:
>
> I don't know, how to use the OPENSSL toolkit to achieve the above
> requirement.
>
>
> Can you please anybody help on this.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: DES3 Encryption & Decryption

2009-11-26T12:07:44Z

Hey there;

When asking for advice, please at least say whether you are trying to do
something programatically (i.e.: using the OpenSSL API), or just need to
do it from the command line.

If it is the command line, then please include what you have tried, and
the results that you got.

To this current issue, if you are trying to do it via the command line,
the man page ('man enc') has several really good examples of how to do
3DES encryption.

If you need to do it programatically, take a look at the WvStreams
'wvtripledes' class code at http://code.google.com/p/wvstreams/ .

Have fun.

Patrick.

Krishna, Bharath wrote:

> Hi All,
>
> I am new for Unix development work.
>
> Can you please enlighten me clearly about the OPENSSL tool kit and
> how we could achieve the below requirement.
>
> Requirement:
>
> As per customer requirements we should use DES3 algorithm to store
> password in a file. For this, we have installed OPENSSL toolkit in our
> server.
>
> Issue:
>
> I don't know, how to use the OPENSSL toolkit to achieve the above
> requirement.
>
>
> Can you please anybody help on this.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: New blackout

2009-11-26T11:39:25Z

Chris Wilson wrote:
> On Wed, 25 Nov 2009, The Doctor wrote:
>
>> I was able to see openssl.org last night MST but not at this current
>> time.
>
> Works fine for me.

We did have "filesystem full" problems in the last days which led to
system panics. These issues should be sorted out now (thanks to Ralf S.
Engelschall who is technically operating the server hardware).
Please excuse any inconvenience.

Best regards,
Lutz
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: General question about documentation

2009-11-26T11:38:28Z

That's a great idea Mark and Will, I would be happy to contribute anything that I learn about the toolkit.

There have been a wide range of comments from people saying "look at the code" all the way to basically suggesting an attempt
at a new version of the O'Reilly book.

I can't imagine anyone with any experience at all in software development suggesting that the only source of documentation be the source code.

And I don't think I was suggesting that the OpenSSL team necessarily write a new version of the O'Reilly book.

Someone also said that if we wanted documentation we should pay for it - which seems counter to the whole open source effort. I'm assuming that the OpenSSL developers
are not spending all this time working on the toolkit for the hell of it - I would think they would like as many people to use it as possible, and with that goal in mind, I think the 1.0 release (when it comes out of beta) would be a good stopping point to re-visit the documentation set and providing examples that reflect the most common use-cases. The mailing list is always here for unusual use-cases.

That being said, I think a Wiki is also a great idea, but would not obviate the need for the developers of the toolkit to complete the documentation set. I've spent a quite a bit of time with OpenSSL and would be happy to contribute to a Wiki.

Thanks!!
Randy

On Nov 25, 2009, at 3:13 PM, Will Bickford wrote:

> IMO a wiki would be a great resource for both developers and users of
> OpenSSL.
>
> Something along the lines of the Subversion Book - an online reference
> "book" for OpenSSL.
>
> --Will
>
>> -----Original Message-----
>> From: owner-openssl-users@...
>> [mailto:owner-openssl-users@...] On Behalf Of Mark
>> Sent: Wednesday, November 25, 2009 3:27 AM
>> To: openssl-users@...
>> Subject: RE: General question about documentation
>>
>>> I would like to post a general observation regarding users of the
>>> OpenSSL toolkit.
>>
>> [snip stuff about documentation]]
>>
>> A long time ago it was suggested to use a wiki for this
>> purpose. Can this idea be resurrected?
>>
>> Mark.
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@...
>> Automated List Manager majordomo@...
>>
>>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@...
> Automated List Manager majordomo@...
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: CMS with PBE (Was Re: Decrypting a password encrypted pkcs7-envelopedData)

2009-11-26T10:59:50Z

On Mon, Nov 23, 2009, Mathieu Malaterre wrote:

> Steve,
>
> >> Do you have a sample PBE blob you want to decrypt?
> >
> > Here is one:
> >
> > $ wget http://idisk.mac.com/dclunie-Public/securedicomfileset.tar.bz2
> > $ openssl asn1parse -in DICOMDIR -inform DER
> >
> > It was generated using Bouncy Castle
>
> I forgot to mention, if you need help from me, do not hesitate !
>

I've added experimental support to HEAD. This seems to decrypt the example OK
and can decrypt its own output. It adds a new option -pwri_password to the
cms utility (will need something better at some point).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: Adding a custom engine to OpenSSL

2009-11-26T04:24:29Z

On Thu, Nov 26, 2009, Loke Jun Han wrote:

>
> Hi,
>
> Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
>

Yes, you specify details in the configuration file openssl.cnf, for the syntax
see:

http://www.openssl.org/docs/apps/config.html

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Re: Adding a custom engine to OpenSSL

2009-11-26T03:21:35Z

On Thu November 26 2009, Loke Jun Han wrote:
>
> Hi,
>
> Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?
>

Like one of the engines in the list from:
openssl engine
?

Mike
> Thanks,
>
> Jun Han
>
> _________________________________________________________________
> Windows 7: Find the right PC for you. Learn more.
> http://windows.microsoft.com/shop

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@...
Automated List Manager majordomo@...

Adding a custom engine to OpenSSL

2009-11-26T00:52:09Z

Hi,

Is there anyway to for openSSL to automatically load a specific engine when the command line program is executed?

Thanks,

Jun Han

Windows 7: Find the right PC for you. Learn more.

Re: Application crashes when trying to access X509 Certificate Extension returned by X509_get_ext method

2009-11-25T19:14:00Z

Hi Kyle,

Thanks a ton for the quick reply buddy :)

When we debug our application in visual studio, we see that both "Extension" and "Extension->value" are not NULL. But "Extension->value->data" seems to be NULL or corrupted, causing our application to crash.

I am trying these options for debugging the problem :

> make sure the X509 certificate we are using is a valid one, containing the extension we are looking for, because "Certificate->valid" is set to 0 for our certificate.

> debug through the openssl function X509_get_ext( ) in visual studio by attaching the openssl source, to see why "Extension->value->data" is not being set correctly.

> also try using some older openssl version instead of the current 0.9.8 d we are currently using.

I will update again after trying these options.

I suspect something being wrong in this certificate itself, may be it does not comply to the X509 certificate format. Can you please confirm that the certificate we are using is a valid x509 certificate ?

This is the certificate we are using :

static unsigned char *LETestDefaultKey = {
  "-----BEGIN RSA PRIVATE KEY-----\r\n"
  "MIIBPAIBAAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp89YO/2rG0K8iAJW5AY399hh/s\r\n"
  "VjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEAAQJATBeXv0P1a77mXYAdM4LT\r\n"
  "SpNRrbfOKOi9GworyJEtts5Cn153ROK3750NHrOeaXbkFl89/UD0oMsO22TnF+Ol\r\n"
  "lQIhAO0gkTZggugyZ7HDQihy/7EVAgK9rg7SPc5JnyZITW5bAiEA3x+q4AZDXUHW\r\n"
  "26W7BlZoedPy6Mo5wWNb/gN9x/T987MCIQCt8TfUFZOxVFgwU7USCtl5QpnI/O7T\r\n"
  "PHHOAr9Vy6/RBQIhAJPO76y+mWuzDPmu/YmCPm3OWZGbPc1929gXSgDnrD//AiEA\r\n"
  "vwlwVtb26OSBJX47M+MZeWsiD3GVydtRdcL9+Xy0XEw=\r\n"
  "-----END RSA PRIVATE KEY-----\r\n"
};
static unsigned char *LETestDefaultCert = {
  "-----BEGIN CERTIFICATE-----\r\n"
  "MIIBojCCAUygAwIBAgIBMzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJVUzEb\r\n"
  "MBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTA1MTAxMTE3NDEyOFoXDTE1\r\n"
  "MTAwOTE3NDEyOFowJjELMAkGA1UEBhMCVVMxFzAVBgNVBAMTDlNlY3VyZUxvZ2lu\r\n"
  "U1NPMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM6ss7cWYg0Yf7Ot6PkdWBtQ0Pp8\r\n"
  "9YO/2rG0K8iAJW5AY399hh/sVjiIfPZpqCwqJka/2r23jzZJfW8X19nTiqECAwEA\r\n"
  "AaNhMF8wDgYDVR0PAQH/BAQDAgWgMBgGA1UdEQQRMA+BDWFyZ2xAYmxhaC5jb20w\r\n"
  "EQYJYIZIAYb4QgEBBAQDAgWgMCAGDGCGSAGG+DcBglsKAQQQFg5TZWN1cmVMb2dp\r\n"
  "blNTTzANBgkqhkiG9w0BAQQFAANBABaOsowc+4encEksW5w1v1dHg7DNdBbQJHct\r\n"
  "JSNfzPfE8igm617Ggsfrb0nkc50mdlyugkfZC/dX+sx4vtQk1Ok=\r\n"
  "-----END CERTIFICATE-----\r\n"
};

Looking forward for your reply... have a wonderful day ahead !!!

Regards,

Sanjay

>>> Kyle Hamilton <aerowolf@...> 11/24/2009 4:56 AM >>>
Are you checking to make sure that there *is* data in that extension?
Or that the extension value even exists?

if (NULL == Extension->value) assert("Extension->value NULL");
if (NULL == Extension->value->data) assert ("Extension->value->data NULL");
OrgPtr=Extension->value->data;

-Kyle H

On Fri, Nov 20, 2009 at 3:50 AM, Sanjay Bhat <bsanjay@...> wrote:

>
> Hi,
>
> Our application running in windows 2008 64-bit platform crashes when we try
> to access the data member of X509_EXTENSION returned by X509_get_ext().
>
> We are using 0.9.8d version of openssl compiled for windows 64 bit
> platform.
>
> We are clueless why this is happening and are badly stuck with this. Please
> help us.
>
> Here is the code snippet of our application with the point of crash in bold
> :
>
> BOOL GetX509ObjectString(X509 *Certificate, unsigned char *ASN1, unsigned
> char *Short, unsigned char *Description, unsigned char *Buffer, unsigned
> long BufSize)
> {
>     X509_EXTENSION      *Extension;
>     int                 nid;
>     int                 Position;
>     ASN1_STRING         *Value;
>     unsigned char       *OrgPtr;
>
>     if (!Buffer) {
>         return(FALSE);
>     }
>     Buffer[0]='\0';
>
>     nid = OBJ_create(ASN1, Short, Description);
>     Position=X509_get_ext_by_NID(Certificate, nid, -1);
>     if (Position==-1) {
>         return(FALSE);
>     }
>
> Extension=X509_get_ext(Certificate, Position);
>   if (!Extension) {
>         return(FALSE);
>     }
>
>     /* The M_d2i function alters the pointer, so keep a copy */
>     OrgPtr=Extension->value->data; //This is the point of crash. Referencing
> data member seems to be causing the crash
>     Value=M_d2i_ASN1_IA5STRING(NULL, &(Extension->value->data),
> Extension->value->length);
>     Extension->value->data=OrgPtr;
>     strncpy(Buffer, Value->data, min(Value->length+1, BufSize));
>     Buffer[min(Value->length+1, BufSize)-1]='\0';
>     ASN1_STRING_free(Value);
>     return(TRUE);
> }
>
> Appreciate any kind of help on this is greatly appreciated.
>
> Thanks & Regards,
> Sanjay.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...