Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

On Tue, Aug 12, 2014 at 11:24:40AM +0530, Thulasi Goriparthi wrote: > $ openssl genrsa 2048 > key.pem Don't forget "umask 077" before that. Otherwise, the key file is often world-readable. With AFS, "fs setacl . ..." to restrict access to the containing directory. -- Viktor. _

Re: Handshake finish msg

Assuming that "finish" you meant is Handshake Finished messages of SSL/TLS protocol, I assure you, you can see them with openssl too. Implementations can't (won't deliberately) change the protocol. Run s_server and s_client of openssl with -msg -debug -state options to see the handshake messages

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

$ openssl genrsa 2048 > key.pem $ openssl req -new -x509 -key key.pem -out cert.pem -sha256 On Tue, Aug 12, 2014 at 11:08 AM, Abdul Anshad wrote: > Could you please provide me the steps for creating a self signed > certificate meeting the current FIPS standard ? > > Thank you for the response.

Handshake finish msg

hi all, I did a little comparison between microsoft's handshake process to openssl one. At the end of Msft handshake process i can see a finish, which i dont see when using openssl . Can i have that finish msg using openssl too? Thanks Idan Idan Freiberg

RE: RST after close_notify

The IBM response is still significantly oversimplified, where it isn't simply wrong. I've made some comments in-line below, but to get the full picture you'd really need to study a text like Stevens' /TCP/IP Illustrated/, paying particular attention to the TCP state diagram and the empirical re

Re: empty certificate-messag

If you did not use, SSL_CTX_use_certificate(), SSL_use_certificate() and set the certificate SSL client responds with no_cert if cert request comes from the server. -Jayadev. On Mon, Aug 11, 2014 at 6:24 PM, Sanju Gurung wrote: > How to send empty certificate-message in response to certific

Configure Error with no-ec?

When trying to configure 1.0.1h with no-ec, I am getting an error out of Configure. When it's configuring the engines subdirectory: make[1]: Leaving directory `/users/scottn/testssl/openssl-1.0.1h/ssl' making links in engines... make[1]: Entering directory `/users/scottn/testssl/openssl-1.0.1h/e

Re: RST after close_notify

The server end appears to be GlobalScape EFT running on a windows server. I will summarize the IBM response: When SSL is not involved, TCP will normally go through a graceful connection teardown sequence where one side initiates the connection closure by sending out a FIN. The other si

Re: client side session cache with SNI, and tlsext_ticket_key_cb

On Mon, Aug 11, 2014 at 05:13:00PM +0200, DEXTER wrote: > > Sesssion tickets should NOT be stored on the server side, only the > > encryption keys are stored, these should be rotated from time to > > time. Postfix rotates the encryption keys once an hour, but stores > > two sets of keys, the prev

Re: client side session cache with SNI, and tlsext_ticket_key_cb

On Mon, Aug 11, 2014 at 4:09 PM, Viktor Dukhovni wrote: > Salt the session lookup key with all destination-specific and > security-relevant parameters. The Postfix SMTP client uses: > > ip, port, destination domain, mx hostname, server helo name, > protocol mask (SSL_OP_NO_SSLv2 | ...), c

[OpenSSL] [SSL_READ and SSL_WRITE] [Edge Trigged EPOLL]

I have a TLS Server and TLS Client which is running on the top of *Edge Triggered EPOLL* and *Non Blocking Sockets.* Client and server is doing following operations 1. Client -> Connect to TLS Server. (SSL_CTX_new -> SSL_new -> SSL_set_fd) 2. Client -> Set modes (SSL_MODE_ACCEPT_MOV

[OpenSSL] [SSL_READ and SSL_WRITE] [Edge Trigged EPOLL]

I have a TLS Server and TLS Client which is running on the top of *Edge Triggered EPOLL* and *Non Blocking Sockets.* Client and server is doing following operations 1. Client -> Connect to TLS Server. (SSL_CTX_new -> SSL_new -> SSL_set_fd) 2. Client -> Set modes (SSL_MODE_ACCEPT_MOV

empty certificate-messag

How to send empty certificate-message in response to certificate request from server ?

RE: Print SSL errors

Try printing "r2" in your original code. SSL_get_error isn't doing what you think it does; see the docs. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

Re: Print SSL errors

It is 1. -- Marco Bambini http://www.sqlabs.com http://twitter.com/sqlabs http://instagram.com/sqlabs On 11 Aug 2014, at 16:24, Salz, Rich wrote: > What’s the value of err (“%ul”)? > > -- > Principal Security Engineer > Akamai Technologies, Cambridge MA > IM: rs...@jabber.me Twitter: RichS

RE: Print SSL errors

What's the value of err ("%ul")? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz

Re: Print SSL errors

err = SSL_get_error(client->ssl, r2); if (err != 0) { char str[2048]; ERR_error_string_n(err, str, sizeof(str)); printf("%s", str); ERR_print_errors_fp (stdout); } The first function produces: error:0001:lib(0):func(0):reas

about EVP_DigestInit_ex

Hello, sorry for the first incomplete message :-/ I'm a bit confused about the behavior of EVP_DigestInit_ex when no md is given : int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { #ifndef OPENSSL_NO_ENGINE (...) if (type) {

Re: client side session cache with SNI, and tlsext_ticket_key_cb

On Mon, Aug 11, 2014 at 01:48:34PM +0200, DEXTER wrote: > 1. If I want session caching on the client side, I have to store the > session manually, to be able to retrieve it when the client connects > to a server and use SSL_set_session() with the stored session. Correct so far. > The question i

RE: Print SSL errors

> every time I have an SSL error I try to log useful data using > ERR_error_string_n. Can you post the code with the call? -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz _

about EVP_DigestInit_ex

Hello, I'm a bit confused about the behavior of EVP_DigestInit_ex : int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { if (type) { else if(!ctx->digest) { EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_NO_DIGES

client side session cache with SNI, and tlsext_ticket_key_cb

Hi, I have two questions about how openssl handles session caching. 1. If I want session caching on the client side, I have to store the session manually, to be able to retrieve it when the client connects to a server and use SSL_set_session() with the stored session. The question is, how should

PR#3400 and CVE-2014-0224

Hi All, We are using OpenSSL version 0.9.8h. We take the security vulnerability fixes from latest release of OpenSSL 0.9.8 series and patch our internally used 0.9.8h. >From the OpenSSL release 0.9.8za, we took CVE-2014-0224 and merged it our OpenSSL code. But in latest release 0.9.8za, I see tha

SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

Hello All, I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I try to start the http server with FIPS mode i get the following error. [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: suEXEC mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec) [M

Print SSL errors

Hello, at startup after SSL_library_init I correctly call SSL_load_error_strings and every time I have an SSL error I try to log useful data using ERR_error_string_n. The problem is that the output never contains error messages but only numeric code like: error:0001:lib(0):func(0):reason(1)