RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-29 Thread Ramaiah, Ravichandran Bagalur
From: Ramaiah, Ravichandran Bagalur Sent: Wednesday, June 29, 2022 12:55 PM To: Matt Caswell ; openssl-users@openssl.org Subject: RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3 Hi Matt, Below is the error I got

RE: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-29 Thread Ramaiah, Ravichandran Bagalur
; openssl-users@openssl.org Subject: [EXTERNAL] Re: SSL error (78c0100): malloc failure while implementing tls 1.3 On 16/06/2022 05:52, Ramaiah, Ravichandran Bagalur wrote: > > *SSL error (78c0100): malloc failure Do you get anything in the OpenSSL error stack for this (e.g. try "ERR_prin

Re: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-21 Thread Matt Caswell
On 16/06/2022 05:52, Ramaiah, Ravichandran Bagalur wrote: *SSL error (78c0100): malloc failure Do you get anything in the OpenSSL error stack for this (e.g. try "ERR_print_errors_fp(stdout);"). We need a bit more to go on to figure out where specifically the malloc failure is occurring.

RE: SSL error (78c0100): malloc failure while implementing tls 1.3

2022-06-21 Thread Ramaiah, Ravichandran Bagalur
Hi All, Could anyone tell me if this issue is caused due to application error or an openssl bug? This malloc failure is happening when I try to establish TLS connection between 2 SIP applications. Regards, Ravi From: Ramaiah, Ravichandran Bagalur Sent: Thursday, June 16, 2022 10:23 AM To: ope

Re: SSL operation failed with code 1: error:0A000126:SSL routines

2022-05-19 Thread Dmitry Belyavsky
Isn't it a fix for this issue? https://github.com/php/php-src/issues/8369 On Thu, 19 May 2022, 21:17 Frederic Leclercq, wrote: > Hi all, > > Apologies for just popping in here, but since I installed ubuntu 22.04 LTS > I often come across the error > "file_get_contents(): SSL operation failed wi

Re: SSL and "custom" EVP_KEY

2021-11-02 Thread Matt Caswell
On 02/11/2021 04:42, Alex Dankow wrote: Matt, Thank you very much for your response. I understand that the FIPS certified OpenSSL module is long awaited and the team was quite limited in time to complete all features. I tried Windows certificates +Openssl because it implements the most com

Re: SSL and "custom" EVP_KEY

2021-11-02 Thread Tomas Mraz
On Tue, 2021-11-02 at 11:42 +0700, Alex Dankow wrote: > Matt, > > Thank you very much for your response. I understand that the FIPS > certified OpenSSL module is long awaited and the team was quite > limited in time to complete all features. > I tried Windows certificates +Openssl because it impl

Re: SSL and "custom" EVP_KEY

2021-11-01 Thread Alex Dankow
Matt, Thank you very much for your response. I understand that the FIPS certified OpenSSL module is long awaited and the team was quite limited in time to complete all features. I tried Windows certificates +Openssl because it implements the most common scenario: you can get a certificate to Opens

Re: SSL and "custom" EVP_KEY

2021-10-29 Thread Matt Caswell
Hi Alex, On 29/10/2021 14:32, Alex Dankow wrote: Hi OpenSSL team! I wrote a provider for Windows certificates and implemented "openssl ca". Now, I think it would be fun to see a HTTPS server using certificates installed in Windows storage. Nice! Certificate is loaded using load_cert_pass (

Re: ssl client write / server accept seems broken

2021-03-24 Thread Embedded Devel
On 3/24/21 9:53 PM, Embedded Devel wrote: On 3/23/21 11:06 PM, Matt Caswell wrote: On 23/03/2021 15:47, Embedded Devel wrote: Do you know if your application is statically linked or dynamically linked to OpenSSL? I've attached the code in question if it helps and nope still have the err

Re: ssl client write / server accept seems broken

2021-03-24 Thread JONATHAN PELAEZ
On Wed, Mar 24, 2021, 10:54 PM Embedded Devel wrote: > > On 3/23/21 11:06 PM, Matt Caswell wrote: > > > > > > On 23/03/2021 15:47, Embedded Devel wrote: > >>> Do you know if your application is statically linked or dynamically > >>> linked to OpenSSL? > >> I've attached the code in question if it

Re: ssl client write / server accept seems broken

2021-03-24 Thread Embedded Devel
On 3/23/21 11:06 PM, Matt Caswell wrote: On 23/03/2021 15:47, Embedded Devel wrote: Do you know if your application is statically linked or dynamically linked to OpenSSL? I've attached the code in question if it helps original code was deprecated, and changed from /*  if ((ssl_con->ct

Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel
On 3/23/21 11:06 PM, Matt Caswell wrote: On 23/03/2021 15:47, Embedded Devel wrote: Do you know if your application is statically linked or dynamically linked to OpenSSL? I've attached the code in question if it helps Looks like the original developer already tried to print the contents

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 15:47, Embedded Devel wrote: Do you know if your application is statically linked or dynamically linked to OpenSSL? I've attached the code in question if it helps Looks like the original developer already tried to print the contents of the OpenSSL error stack:

Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel
I'm inclined to think the code for the certs is ok, but can really say, and I'm not an openssl programmer by any means... just need someone to put eyes on the code and fix it really. The cert looks ok - at least nothing obviously wrong. 2048 bit RSA key. yes freshly generated when I run the

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 15:02, Embedded Devel wrote: I'm inclined to think the code for the certs is ok, but can really say, and I'm not an openssl programmer by any means... just need someone to put eyes on the code and fix it really. The cert looks ok - at least nothing obviously wrong. 2048 bi

Re: ssl client write / server accept seems broken

2021-03-23 Thread Embedded Devel
On 3/23/21 9:31 PM, Matt Caswell wrote: On 23/03/2021 02:37, Embedded Devel wrote: I have an application previously written for us 10+ years ago that no longer seems to be happy Has something happened that might have caused this? Did you upgrade OpenSSL, or do some other kind of update to

Re: ssl client write / server accept seems broken

2021-03-23 Thread Matt Caswell
On 23/03/2021 02:37, Embedded Devel wrote: I have an application previously written for us 10+ years ago that no longer seems to be happy Has something happened that might have caused this? Did you upgrade OpenSSL, or do some other kind of update to your code? Which version of OpenSSL are

Re: SSL certificate verification

2019-12-18 Thread Viktor Dukhovni
> On Dec 18, 2019, at 11:10 AM, Jan Just Keijser wrote: > > the short answer is no, it does not; the openssl library will let you load > expired/invalid certificates if you do not do any explicit checks. Use a > verify_callback and call X509_verify_cert() to check the validity. The verify cal

Re: SSL certificate verification

2019-12-18 Thread Jan Just Keijser
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote: Hi We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates. My query is when we are loading the certificate in the Context does openssl verify the certificates for e.g. whether th

Re: SSL Server setup DH/ECDH

2019-08-07 Thread Matt Caswell
On 07/08/2019 12:19, Chitrang Srivastava wrote: > Hi Matt, > > I tried following code but it is crashing @ *SSL_CTX_set_ciphersuites* > s_ctx = SSL_CTX_new(TLS_method()); > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION | > SSL_OP_CIPHER_SERVER_PREFERENCE); > SSL_CTX_set_min_proto_version(

Re: SSL Server setup DH/ECDH

2019-08-07 Thread Chitrang Srivastava
Hi Matt, I tried following code but it is crashing @ *SSL_CTX_set_ciphersuites* s_ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION); SSL_CTX_set_ciphersuites(s_ctx, "TLS_AES_

Re: SSL Server setup DH/ECDH

2019-08-06 Thread Matt Caswell
On 06/08/2019 11:21, Chitrang Srivastava wrote: > Yes , since in my case mostly browser will be used to access webserver running > on embedded platform. > Another question, since my webserver is running on embedded platform and it > has > limited memory , I have disabled > ARIA/CAMELLIA  and fe

Re: SSL Server setup DH/ECDH

2019-08-06 Thread Chitrang Srivastava
Yes , since in my case mostly browser will be used to access webserver running on embedded platform. Another question, since my webserver is running on embedded platform and it has limited memory , I have disabled ARIA/CAMELLIA and few others, is that OK ? because I don't see any ciphers suites wh

Re: SSL Server setup DH/ECDH

2019-08-06 Thread Matt Caswell
On 06/08/2019 11:07, Chitrang Srivastava wrote: > Thanks Matt, > > So now I have, which i believe is enough ? > > SSL_CTX_set_options(s_ctx,  SSL_OP_NO_RENEGOTIATION | > SSL_OP_CIPHER_SERVER_PREFERENCE); > SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION); This is fine although it obviousl

Re: SSL Server setup DH/ECDH

2019-08-06 Thread Chitrang Srivastava
Thanks Matt, So now I have, which i believe is enough ? SSL_CTX_set_options(s_ctx, SSL_OP_NO_RENEGOTIATION | SSL_OP_CIPHER_SERVER_PREFERENCE); SSL_CTX_set_min_proto_version(s_ctx, TLS1_2_VERSION); On Tue, Aug 6, 2019 at 3:04 PM Matt Caswell wrote: > > > On 06/08/2019 09:42, Chitrang Srivastav

Re: SSL Server setup DH/ECDH

2019-08-06 Thread Matt Caswell
On 06/08/2019 09:42, Chitrang Srivastava wrote: > Hi, > > I am implementing HTTPs server using openssl 1.1.1b. > Is it mandatory to setup these API's while creating ssl context ? > > SSL_CTX_set_tmp_ecdh > > SSL_CTX_set_tmp_dh By default OpenSSL will automatically use ECDH if appropriate and

Re: SSL write/read performance

2019-04-10 Thread Matt Caswell
On 10/04/2019 11:03, valmiki wrote: > >>> Hi All, >>> >>> I'm trying to understand server and client code over tcp using openssl. >>> >>> How does the flow work when we do SSL_write or SSL_read. >>> >>> SSL_write -> send buffer to kernel crypto subsystem -> take encrypted >>> buffer and send i

Re: SSL write/read performance

2019-04-10 Thread valmiki
>> Hi All, >> >> I'm trying to understand server and client code over tcp using openssl. >> >> How does the flow work when we do SSL_write or SSL_read. >> >> SSL_write -> send buffer to kernel crypto subsystem -> take encrypted buffer >> and send it over network socket. >> >> Is the above unders

Re: SSL write/read performance

2019-04-10 Thread Matt Caswell
On 10/04/2019 10:32, valmiki wrote: > Hi All, > > I'm trying to understand server and client code over tcp using openssl. > > How does the flow work when we do SSL_write or SSL_read. > > SSL_write -> send buffer to kernel crypto subsystem -> take encrypted buffer > and send it over network s

RE: SSL alert number 51

2014-11-23 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills > Sent: Friday, November 21, 2014 12:30 > Thanks. I guess I may have to open a problem with IBM. The IBM > documentation > clearly lists a number of "cipher suites" (as they call them) that use SHA1 > (including the one we (IBM+Ope

RE: SSL alert number 51

2014-11-21 Thread Charles Mills
PM To: openssl-users@openssl.org Subject: RE: SSL alert number 51 Thanks guys for all of the clues! I got it working! Long story. Wow, FIPS is a moving target. I re-did my root CA with SHA 256, and my server certificate. I had to move my testing from z/OS V1R13 to z/OS V2R1 -- *apparently* V1R13

RE: SSL alert number 51

2014-11-21 Thread Charles Mills
Of Dr. Stephen Henson Sent: Friday, November 21, 2014 11:00 AM To: openssl-users@openssl.org Subject: Re: SSL alert number 51 On Fri, Nov 21, 2014, Charles Mills wrote: > Thanks. I guess I may have to open a problem with IBM. The IBM > documentation clearly lists a number of "cipher suite

Re: SSL alert number 51

2014-11-21 Thread Dr. Stephen Henson
On Fri, Nov 21, 2014, Charles Mills wrote: > Thanks. I guess I may have to open a problem with IBM. The IBM documentation > clearly lists a number of "cipher suites" (as they call them) that use SHA1 > (including the one we (IBM+OpenSSL) default to as being FIPS 140-2 > compliant. > > GSK appears

RE: SSL alert number 51

2014-11-21 Thread Charles Mills
mber 21, 2014 7:04 AM To: openssl-users@openssl.org Subject: Re: SSL alert number 51 On 21/11/14 14:43, Charles Mills wrote: > I posted the certificates. What's next? > > Charles The key sizes look ok to me. As I said I'm no FIPS expert, but this page http://wiki.openssl.org

Re: SSL alert number 51

2014-11-21 Thread Dr. Stephen Henson
On Fri, Nov 21, 2014, Matt Caswell wrote: > > > On 21/11/14 14:43, Charles Mills wrote: > > I posted the certificates. What's next? > > > > Charles > > The key sizes look ok to me. As I said I'm no FIPS expert, but this page > http://wiki.openssl.org/index.php/FIPS_mode_and_TLS > > says the f

Re: SSL alert number 51

2014-11-21 Thread Matt Caswell
On 21/11/14 14:43, Charles Mills wrote: > I posted the certificates. What's next? > > Charles The key sizes look ok to me. As I said I'm no FIPS expert, but this page http://wiki.openssl.org/index.php/FIPS_mode_and_TLS says the following: "The RSA key in the certificate has to be of suitable s

RE: SSL alert number 51

2014-11-21 Thread Charles Mills
I posted the certificates. What's next? Charles -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell Sent: Wednesday, November 19, 2014 3:35 PM To: openssl-users@openssl.org Subject: Re: SSL alert number 51

RE: SSL alert number 51

2014-11-19 Thread Charles Mills
: openssl-users@openssl.org Subject: RE: SSL alert number 51 - DHE is 1024 - RSA is 2048 Server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 13 (0xd) Signature Algorithm: sha1WithRSAEncryption Issuer: CN=Charles Mills Consulting, LLC, ST=California

RE: SSL alert number 51

2014-11-19 Thread Charles Mills
Henson Sent: Wednesday, November 19, 2014 4:35 PM To: openssl-users@openssl.org Subject: Re: SSL alert number 51 On Wed, Nov 19, 2014, Matt Caswell wrote: > > > On 19/11/14 22:57, Charles Mills wrote: > > > User response: If the error occurred while executing in FIPS mode, &

Re: SSL alert number 51

2014-11-19 Thread Dr. Stephen Henson
On Wed, Nov 19, 2014, Matt Caswell wrote: > > > On 19/11/14 22:57, Charles Mills wrote: > > > User response: If the error occurred while executing > > in FIPS mode, check that only FIPS key sizes are used. > > Collect a System SSL trace containing the error and > > then contact your service repr

Re: SSL alert number 51

2014-11-19 Thread Matt Caswell
On 19/11/14 22:57, Charles Mills wrote: > Dave - > > Thanks much. > >> Either there's a bug somewhere or you are being attacked (MitM'ed). > > Unlikely I am being MitM'ed -- the connection is over a VPN. (Why TLS when > there is already a VPN in place? I am testing TLS software and the VPN is

RE: SSL alert number 51

2014-11-19 Thread Charles Mills
Charles -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson Sent: Wednesday, November 19, 2014 2:20 PM To: openssl-users@openssl.org Subject: RE: SSL alert number 51 > From: owner-openssl-us...@openssl.org

RE: SSL alert number 51

2014-11-19 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills > Sent: Wednesday, November 19, 2014 14:08 > 10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:.\ssl\s3_pkt.c:1275:SSL alert number 51 http://tools.ietf.org/html/rfc5246.html#section-7.2 decrypt_error

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-18 Thread Viktor Dukhovni
On Thu, Sep 18, 2014 at 04:47:22PM -0400, John Lane Schultz wrote: > The documentation says that a client will use a TLS hello even > when SSLv3 is one of its supported protocols. The problem then > is, how can such a client communicate with an SSLv3 only server, > which probably won't understand

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-18 Thread John Lane Schultz
Actually, Abhijit, I think your question still has merit. The documentation says that a client will use a TLS hello even when SSLv3 is one of its supported protocols. The problem then is, how can such a client communicate with an SSLv3 only server, which probably won’t understand the TLS hello

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-18 Thread abhijit pai
Thanks John, After reading through http://tools.ietf.org/html/rfc2246#appendix-E I understood what you meant here, and could make sense about fallback to SSLv3. " TLS version 1.0 and SSL 3.0 are very similar; thus, supporting both is easy. TLS clients who wish to negotiate with SSL 3.0 serve

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-16 Thread Thulasi Goriparthi
On 16 September 2014 23:01, Viktor Dukhovni wrote: > On Mon, Sep 15, 2014 at 11:19:52AM +0530, Thulasi Goriparthi wrote: > > > I suggest you try disabling TLS 1.0 along with SSL2 if you want to force > > your client to use SSL3 without changing the context's method. > > SSL_CTX_set_options(ctx, S

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-16 Thread Viktor Dukhovni
On Mon, Sep 15, 2014 at 11:19:52AM +0530, Thulasi Goriparthi wrote: > I suggest you try disabling TLS 1.0 along with SSL2 if you want to force > your client to use SSL3 without changing the context's method. > SSL_CTX_set_options(ctx, SSL_OP_ALL| >

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-16 Thread John Lane Schultz
As Thulasi wrote, SSLv23_client_method supports *ALL* protocols that your library supports by default. The name of the function is just historical and should be ignored. From the documentation: "If the cipher list does not contain any SSLv2 ciphersuites (the default cipher list does not) or e

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-16 Thread abhijit pai
Hi Thulasi, Thanks for the response. But my point is little different here. I have a generic HTTP client, that talks to SSL 3.0 as well as TLS 1.x enabled server. And as mentioned earlier, I have disabled SSLv2. Now, when I talk to any server, shouldn't the client be sending SSLv3(SSL 3.0) in t

Re: SSL v3.0 is not set as default protocol upon disabling v2.

2014-09-14 Thread Thulasi Goriparthi
SSLv23_client_method supports all protocols by default and connects using the highest protocol that server supports (as received from server hello). I suggest you try disabling TLS 1.0 along with SSL2 if you want to force your client to use SSL3 without changing the context's method. SSL_CTX_set_opt

Re: ssl breaks roundcube ?

2014-08-22 Thread ml
Hi sorry nevermind, fixed. It was a lighttpd setting. Thanks and have a nice week-end, RuggedInbox team On 2014-08-23 00:32, m...@ruggedinbox.com wrote: Hi sorry for cross sending, we already sent this email to roundcube's mailing list but got no answer. We recently improved our https configu

RE: SSL APIs which does not need certificates/keys stored in filesystem

2014-08-21 Thread Salz, Rich
>Currently we are storing certificates/keys in filesystem and using the SSL >apis like SSL_CTX_use_certificate_chain_file and SSL_CTX_load_verify_locations >to load the certificate chain from file system for server and client purpose. > We want to avoid storing in filesystem, but read the certif

Re: SSL APIs which does not need certificates/keys stored in filesystem

2014-08-21 Thread zakkir hussain Kharim
Resending since the previous post attempt failed On Mon, Aug 18, 2014 at 12:52 PM, zakkir hussain Kharim < zakkir.kha...@gmail.com> wrote: > Currently we are storing certificates/keys in filesystem and using the SSL > apis like SSL_CTX_use_certificate_chain_file and > SSL_CTX_load_verify_locatio

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Abdul Anshad
The official version of OpenSSL works fine when compiled against the upstream FIPS module. Yes, It's distribution specific and reverting the file fixed the issue. Thanks for your time. Regards, Abdul On 13-Aug-14 7:02 PM, Dr. Stephen Henson wrote: On Wed, Aug 13, 2014, Abdul Anshad wrote:

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-13 Thread Dr. Stephen Henson
On Wed, Aug 13, 2014, Abdul Anshad wrote: > I use the src rpm downloaded from > http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 . > > Inquired about this issue with one of the package maintainers from > koji.fedoraproject.org and following was his comment. > > "Apparently the Known a

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad
I use the src rpm downloaded from http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 . Inquired about this issue with one of the package maintainers from koji.fedoraproject.org and following was his comment. "Apparently the Known answer test for RSA X9.31 signatures does not match an

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
On Mon, Aug 11, 2014, Abdul Anshad wrote: > Hello All, > > I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, > when I try to start the http server with FIPS mode i get the > following error. > > [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: > suEXEC mechani

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Dr. Stephen Henson
On Tue, Aug 12, 2014, Thulasi Goriparthi wrote: > $ openssl genrsa 2048 > key.pem > $ openssl req -new -x509 -key key.pem -out cert.pem -sha256 > You also need to set the environment variable OPENSSL_FIPS=1 so the operations are performed in FIPS mode. Steve. -- Dr Stephen N. Henson. OpenSSL pr

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Jayadev Kumar
check 'ldd mod_ssl.so' for proper linkage. -Jayadev. On Tue, Aug 12, 2014 at 7:01 PM, Abdul Anshad wrote: > Thank you for the response. > > I already have a SHA-256 self signed certificate with a bit size 2048 but > still ended up with the same error. > > I used the following command to create

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad
Thank you for the response. I already have a SHA-256 self signed certificate with a bit size 2048 but still ended up with the same error. I used the following command to create the self signed certificate. $ openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/lo

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-11 Thread Viktor Dukhovni
On Tue, Aug 12, 2014 at 11:24:40AM +0530, Thulasi Goriparthi wrote: > $ openssl genrsa 2048 > key.pem Don't forget "umask 077" before that. Otherwise, the key file is often world-readable. With AFS, "fs setacl . ..." to restrict access to the containing directory. -- Viktor.

Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-11 Thread Thulasi Goriparthi
$ openssl genrsa 2048 > key.pem $ openssl req -new -x509 -key key.pem -out cert.pem -sha256 On Tue, Aug 12, 2014 at 11:08 AM, Abdul Anshad wrote: > Could you please provide me the steps for creating a self signed > certificate meeting the current FIPS standard ? > > Thank you for the response.

RE: SSL connection broken after upgrading from 0.9.8a to 1.0.1e version of openssl

2014-08-01 Thread Dave Thompson
This almost certainly belongs in -users only, but if I restrict reply it looks unanswered. > From: owner-openssl-us...@openssl.org On Behalf Of Nayna Jain > Sent: Thursday, July 31, 2014 17:37 > We got one of our openssl version upgraded to openssl 1.0.1e version. > But after that I am facing

Re: SSL connection broken after upgrading from 0.9.8a to 1.0.1e version of openssl

2014-07-31 Thread Thulasi Goriparthi
On Fri, Aug 1, 2014 at 3:07 AM, Nayna Jain wrote: > > Hi all, > > We got one of our openssl version upgraded to openssl 1.0.1e version. > But after that I am facing this error at client side. > > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number > > But I am not sure why is it giv

Re: SSL session with cryptodev engine

2014-07-25 Thread aymen irt
Hi all, I have solved the problem by applying the patches provided in the following link: http://rt.openssl.org/Ticket/Display.html?id=2770&user=guest&pass=guest Best regards, Aymen 2014-07-23 16:43 GMT+02:00 aymen irt : > Hi all, > > I have followed chapter 5 of the book "Network security with

RE: SSL passphare expiration

2014-07-06 Thread Salz, Rich
> I am encrypting a file using open SSL, but the password which is created > should be expired after 1 year or 2 year whatever we configure. Is there > any password expiry concept in openssl? Ah, licensing? :) No, password expiration is not supported. You could sign the file with a certifi

Re: SSL Renogotation failure

2014-06-10 Thread Mithun Kumar
Thanks Raheeda, So you say this is a bug in PostgreSQL and from version 9.3 and above works fine? Do you have any links which speak on this? On Wed, Jun 4, 2014 at 3:34 PM, Rahila Syed wrote: > Hello, > > SSL renegotiation is error prone in PostgreSQL version 9.3 and below. > You can either upgra

RE: SSL Renogotation failure

2014-06-05 Thread Salz, Rich
It must therefore be that the *other side* is trying to do unsafe renegotiation. Someone posted a note about PostGres issues, IIRC. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz

Re: SSL Renogotation failure

2014-06-05 Thread Kyle Hamilton
You must ensure that the option is set, not cleared. -Kyle H On Wed, Jun 4, 2014 at 11:37 PM, Mithun Kumar wrote: > Thanks for the reply. > > I am currently resetting the below flag by resetting using > SSL_CTX_clear_options(). Still the handshake fails. > > SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTI

Re: SSL Renogotation failure

2014-06-04 Thread Mithun Kumar
Thanks for the reply. I am currently resetting the below flag by resetting using SSL_CTX_clear_options(). Still the handshake fails. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Any inputs? On Wed, Jun 4, 2014 at 6:57 PM, Salz, Rich wrote: > > Can you please elaborate? > > > > > > > > One si

Re: SSL Renogotation failure

2014-06-04 Thread Rahila Syed
Hello, SSL renegotiation is error prone in PostgreSQL version 9.3 and below. You can either upgrade your PostgreSQL server or, as a workaround, if network security is not your major concern, SSL renegotiation parameter can be switched off to avoid connection lost errors due to SSL renegotiation.

RE: SSL Renogotation failure

2014-06-04 Thread Salz, Rich
> Can you please elaborate? One side of your connection, and it could be either the client or the server, is doing the old-style (OpenSSL calls it LEGACY) renegotiation and the other side is rejecting it. One use for renegotiation is to get a client cert, for example. For information about

Re: SSL Renogotation failure

2014-06-03 Thread Mithun Kumar
Hi Rich, Can you please elaborate? -Thanks On Tue, Jun 3, 2014 at 6:47 PM, Salz, Rich wrote: > > 2014-06-03 07:12:05 EDT LOG: SSL error: unsafe legacy renegotiation > disabled > > > > Somebody has an outdated implementation that doesn’t do secure > renegotiation. Google search. > > > >

RE: SSL Renogotation failure

2014-06-03 Thread Salz, Rich
> 2014-06-03 07:12:05 EDT LOG: SSL error: unsafe legacy renegotiation disabled Somebody has an outdated implementation that doesn’t do secure renegotiation. Google search. /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me

Re: SSL Root CA and Intermediate CA Certs.

2014-04-25 Thread Bruce Stephens
"Edward Ned Harvey (openssl)" writes: >> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- >> us...@openssl.org] On Behalf Of Michael Wojcik >> >> For someone who does want more background in cryptography, I'd >> recommend Schneier's /Applied Cryptography/ over /Cryptography >> Engine

Re: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Mark H. Wood
On Thu, Apr 24, 2014 at 12:57:36PM +, Michael Wojcik wrote: [snip] > > How and why do you trust any root certs? Generally they're built-in to your > > OS or your browser, so you're just blindly trusting that those guys know > > what > > they're doing. > > And they don't, and they don't care

RE: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Edward Ned Harvey (openssl)
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Michael Wojcik > > For someone who does want more background in cryptography, I'd > recommend Schneier's /Applied Cryptography/ over /Cryptography > Engineering/. The latter is for people implementing

RE: SSL Root CA and Intermediate CA Certs.

2014-04-24 Thread Michael Wojcik
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Edward Ned Harvey (openssl) > Sent: Wednesday, 23 April, 2014 21:05 > Subject: RE: SSL Root CA and Intermediate CA Certs. > > I don't know how you learn about SSL/TLS, oth

RE: SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread Edward Ned Harvey (openssl)
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Kaushal Shriyan > > I am new to SSL/TLS Certificates. Please help me understand what is the > difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I > will appreciate if i can refer

Re: SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread A . L . M . Buxey
Hi, > > I am new to SSL/TLS Certificates. Please help me understand what is the > > difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I > > will appreciate if i can refer to some books or tutorials to know about > > SSL/TLS technology. > > The closest thing you'll probabl

Re: SSL Root CA and Intermediate CA Certs.

2014-04-23 Thread Graham Leggett
On 23 Apr 2014, at 2:23 PM, Kaushal Shriyan wrote: > I am new to SSL/TLS Certificates. Please help me understand what is the > difference between ROOT CA Certs and Intermediate Certs or Chain Certs. I > will appreciate if i can refer to some books or tutorials to know about > SSL/TLS technolog

Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-09 Thread Chris Hill
Thanks Wim. On Tue, Apr 8, 2014 at 10:36 PM, Wim Lewis wrote: > > On 8 Apr 2014, at 7:14 PM, Chris Hill wrote: > > Team, I am having a discussion with a few friends about why this > OpenSSL vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for > many of you (apologize in advance)

Re: SSL vs. SSH in the context of CVE 2014-0160

2014-04-08 Thread Wim Lewis
On 8 Apr 2014, at 7:14 PM, Chris Hill wrote: > Team, I am having a discussion with a few friends about why this OpenSSL > vuln (CVE 2014-0160) does not affect SSH. This may be TOO basic for many of > you (apologize in advance), but can't think of any other way to prove my > point other than sp

Re: SSL alert number 42 in logs

2014-01-30 Thread Viktor Dukhovni
On Thu, Jan 30, 2014 at 06:10:45PM +0100, Jaime Fuentes - Ditecal wrote: > I connect to the server using Mozilla Thunderbird. Then you need to configure Mozilla to accept your server certificate or get a new one that it does accept. > >They mean that the remote SMTP client was for some reason un

Re: SSL alert number 42 in logs

2014-01-30 Thread Jaime Fuentes - Ditecal
First, thanks for your quick answer. That's true, I took only these lines from my log file. I paste here the log from another connection attempt: Jan 30 18:04:31 correo1 dbmail/imap4d[14702]: Message:[serverchild] serverchild.c,PerformChildTask(+349): incoming connection from [10.0.0.1] b

Re: SSL alert number 42 in logs

2014-01-30 Thread Viktor Dukhovni
On Thu, Jan 30, 2014 at 12:23:28PM +0100, Jaime Fuentes - Ditecal wrote: > I am implementing a Mail Server using postfix + dbmail. I recently > configured STARTTLS and I found that lines on my */var/log/mail.log* > >Jan 29 19:59:56 correo2 postfix/smtpd[3384]: warning: TLS library >proble

RE: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-12 Thread Ben Arnold
> From: Dave Thompson > > > > Yes, the server has a custom root cert that isn't installed on this > machine. I am happy that the server cert is correct. > > > For testing that's okay, but I hope in real use you are verifying. > Otherwise an active attacker may be able to MITM your connections. Pr

RE: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-10 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Ben Arnold > Sent: Friday, November 08, 2013 10:45 > I have tried using s_client and it fails with the same handshake failure. Please > see below. > > > > Attaching a PCAP file of the traffic is much more useful than hex packet > > dumps. > > You're righ

RE: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-08 Thread Ben Arnold
> From: Viktor Dukhovni > > You can test with s_client(1) and compare results. Is your client > certificate an > RSA certificate? How many bits of public key? Is its signature SHA1 or > SHA256? It's a 2048 bit RSA SHA1 certificate, but I think Dave Thompson's right and it's not getting that f

RE: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-07 Thread Krzysztof Kwiatkowski
Do you still see an error if you specify one cipher? f.e. AES256-SHA? On 2013-11-07 22:26, Dave Thompson wrote: From: owner-openssl-users On Behalf Of Viktor Dukhovni Sent: Thursday, November 07, 2013 11:02 On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote: > I am using SSL_CTX_set_

RE: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-07 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Viktor Dukhovni > Sent: Thursday, November 07, 2013 11:02 > On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote: > > > I am using SSL_CTX_set_client_cert_cb to provide the client > > certificate when needed. I have a problem in that OpenSSL 1.0.1e

Re: ssl handshake failure in 1.0.1 but not 1.0.0

2013-11-07 Thread Viktor Dukhovni
On Thu, Nov 07, 2013 at 12:29:13PM +, Ben Arnold wrote: > I am using SSL_CTX_set_client_cert_cb to provide the client > certificate when needed. I have a problem in that OpenSSL 1.0.1e > does not trigger this callback for all websites that I expect it > to, only some. Instead on the failing

RE: SSL/TLS encryption algorithms

2013-11-04 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Viktor Dukhovni > Sent: Friday, November 01, 2013 18:12 > > > $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA > > > DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA > Enc=Camellia(256) Mac=SHA1 > > > > > > $ openssl ciphers -v AES128-SHA256 > > >

Re: SSL/TLS encryption algorithms

2013-11-03 Thread Walter H.
On 03.11.2013 18:27, Viktor Dukhovni wrote: On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote: how would I define forward-secrecy on Apache webserver? If the server negotiated both ciphers, it already supports forward-secrecy (aka PFS) if the client does too. What about a browser that

Re: SSL/TLS encryption algorithms

2013-11-03 Thread Viktor Dukhovni
On Sun, Nov 03, 2013 at 06:18:38PM +0100, Walter H. wrote: > > >how would I define forward-secrecy on Apache webserver? > > > > If the server negotiated both ciphers, it already supports > > forward-secrecy (aka PFS) if the client does too. > > What about a browser that shows this > > SSL_CIPHER

Re: SSL/TLS encryption algorithms

2013-11-03 Thread Walter H.
On 01.11.2013 23:12, Viktor Dukhovni wrote: $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 $ openssl ciphers -v AES128-SHA256 AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA

Re: SSL/TLS encryption algorithms

2013-11-01 Thread Viktor Dukhovni
> > $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA > > DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) > > Mac=SHA1 > > > > $ openssl ciphers -v AES128-SHA256 > > AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) > > Mac=SHA256 > > > >Does your ap

Re: SSL/TLS encryption algorithms

2013-11-01 Thread Walter H.
Hello, On 01.11.2013 22:34, Viktor Dukhovni wrote: On Fri, Nov 01, 2013 at 09:56:10PM +0100, Walter H. wrote: Which one of the following two is better (1) or (2)? (1) SSL_CIPHER=DHE-RSA-CAMELLIA256-SHA $ openssl ciphers -v DHE-RSA-CAMELLIA256-SHA DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=D
