Kiyoshi KANAZAWA via RT | 1 Nov 00:54 2014

Re: [openssl.org #3566] openssl-1.0.1j make depend fails

Hi,

About "make check".
It seems that "no-ssl3" disables ssl2 in the openssl library automatically, but does not in the tests.
If I specify not only "no-ssl3" but also "no-ssl2", "make check" passes.

Regards,

--- Kiyoshi <yoi_no_myoujou <at> yahoo.co.jp>

----- Original Message -----
>From: Kiyoshi KANAZAWA <yoi_no_myoujou <at> yahoo.co.jp>
>To: "rt <at> openssl.org" <rt <at> openssl.org>
>Cc: "openssl-dev <at> openssl.org" <openssl-dev <at> openssl.org>
>Date: 2014/10/17, Fri 00:32
>Subject: Re: [openssl.org #3566] openssl-1.0.1j make depend fails
>
>Hello,
>
>Yes, I can make without "make depend",
>but make check fails with "Failed AES256-GCM-SHA384", if I specify "no-ssl3".
>
>Without "no-ssl3", make check passes.
>
>I tried 4 patterns of Configure parameters, and got the same result.

pl via RT | 31 Oct 19:30 2014

[openssl.org #3588] obsolete comment for SSL_set_accept_state and SSL_set_connect_state

This post is really a minor detail, but - given the code is not largely
documented - I would expect comments, even minor ones, to be accurate.

In ssl_lib.c line 2829 I read:
/* For the next 2 functions, SSL_clear() sets shutdown and so
 * one of these calls will reset it */
The functions are:
void SSL_set_accept_state(SSL *s)
and
void SSL_set_connect_state(SSL *s)

I think the comment can be removed or should be reviewed, since looking in
the code s->shutdown is actually cleared correctly by SSL_clear(), so if it
should be reset to 0 it is not due to SSL_clear().
Nor does any of
void ssl2_clear(SSL *s)
void ssl3_clear(SSL *s)
void tls1_clear(SSL *s)
void dtls1_clear(SSL *s)
seem to modify the shutdown field either.

And looking in git, this is not new: commit 413c4f45, which resets it to 0
in SSL_clear(), is from 1999-02-16 10:22:21.
So this comment is really obsolete, outdated and misleading.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org


Kurt Roeckx via RT | 31 Oct 19:09 2014

Re: [openssl.org #3585] [PATCH] OPENSSL_NO_SSL3 doesn't remove all SSLv3 bits

On Thu, Oct 30, 2014 at 11:26:15PM +0100, Alin Nastac via RT wrote:
> Some SSLv3 parts (e.g. SSLv3 ciphers) are built in  even if ssl3
> support is disabled.

"SSLv3 ciphers" are not specific to SSLv3, they can also be used
in TLS.

no-ssl3 doesn't disable the SSL3 methods.  That is, you can still
call SSLv3_client_method() and set up an SSLv3 connection with
that.  It assumes that if you say that you want an SSLv3
connection, that is really what you want.  There is work being
done to have an option to also disable that, which looks very
similar to your patch but with a new configure option.

Kurt



Fwd: Query Regarding defining MTU for DTLS Packet


Hi All,

I am trying to limit the packet size of DTLS messages. By using ssl_set_mtu() I am able to define the max size for a particular record.

But in the above handshake OpenSSL combines multiple records and sends them out in a single UDP packet. Is there a way we can configure OpenSSL such that it splits each record into a separate UDP packet in case the combination of DTLS records exceeds a given MTU?

Sample DTLS Handshake:

Client                                      Server
ClientHello + use_srtp      -------->
                                            ServerHello + use_srtp
                                            Certificate*
                                            ServerKeyExchange*
                                            CertificateRequest*
                            <--------       ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished                    -------->
                                            [ChangeCipherSpec]
                            <--------       Finished
SRTP packets                <------->       SRTP packets

Example: Suppose my MTU is 1500 bytes

Current Behavior:
                                            ServerHello + use_srtp (100 bytes)
                                            Certificate* (1400 bytes)
                                            ServerKeyExchange* (50 bytes)
                                            CertificateRequest* (50 bytes)
                            <--------       ServerHelloDone (50 bytes)

Expected Behavior:
                                            ServerHello + use_srtp (100 bytes)
                                            Certificate* (1400 bytes)
                            <--------       (Since we reached the MTU, OpenSSL must split the records into 2 UDP packets)
                                            ServerKeyExchange* (50 bytes)
                                            CertificateRequest* (50 bytes)
                            <--------       ServerHelloDone (50 bytes)
 
Thanks
Satya
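The "expected behavior" above, worked through as an added example (not OpenSSL code and not the poster's): whole DTLS records are grouped into datagrams that never exceed the MTU, so the five-record server flight with a 1500-byte MTU becomes two datagrams. The record layout is the 13-byte DTLS 1.0 header from RFC 4347; the record sizes are the constructed ones from the post, header included.

```python
import struct

DTLS_RECORD_HEADER_LEN = 13   # type(1) version(2) epoch(2) seq(6) length(2)
DTLS1_0_VERSION = 0xFEFF      # wire value for DTLS 1.0
HANDSHAKE = 22                # ContentType handshake


def dtls_record(body, seq, content_type=HANDSHAKE, epoch=0):
    """Build one DTLS 1.0 record (RFC 4347 layout) around `body`."""
    hdr = struct.pack("!BHH", content_type, DTLS1_0_VERSION, epoch)
    hdr += seq.to_bytes(6, "big") + struct.pack("!H", len(body))
    return hdr + body


def pack_flight(records, mtu):
    """Greedily group whole records into datagrams of at most `mtu` bytes.

    UDP/IP overhead is ignored, as in the post. A single record larger than
    the MTU cannot be sent this way at all (it would need handshake-message
    fragmentation, which is a different mechanism), so that case raises.
    """
    datagrams, current = [], b""
    for rec in records:
        if len(rec) > mtu:
            raise ValueError("record of %d bytes exceeds MTU %d" % (len(rec), mtu))
        if len(current) + len(rec) > mtu:   # record would overflow: start a new datagram
            datagrams.append(current)
            current = b""
        current += rec
    if current:
        datagrams.append(current)
    return datagrams


def server_flight_example(mtu=1500):
    """Datagram sizes for the server flight from the post at the given MTU."""
    # Constructed sizes: ServerHello+use_srtp 100, Certificate 1400,
    # ServerKeyExchange 50, CertificateRequest 50, ServerHelloDone 50 bytes.
    sizes = [100, 1400, 50, 50, 50]
    records = [dtls_record(b"\x00" * (n - DTLS_RECORD_HEADER_LEN), seq=i)
               for i, n in enumerate(sizes)]
    return [len(d) for d in pack_flight(records, mtu)]


if __name__ == "__main__":
    print(server_flight_example())        # [1500, 150]
    print(server_flight_example(mtu=1400))  # [100, 1400, 150]
```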


Hubert Kario via RT | 31 Oct 11:45 2014

Re: [openssl.org #3585] [PATCH] OPENSSL_NO_SSL3 doesn't remove all SSLv3 bits

On Thursday 30 October 2014 23:26:15 Alin Năstac via RT wrote:
> Some SSLv3 parts (e.g. SSLv3 ciphers)

SSLv3 ciphers can be used with any version of TLS from TLSv1.0 to TLSv1.2.

If you remove ciphers that are marked as "SSLv3", you actually remove all 
ciphers that can be used with TLSv1.0 and TLSv1.1; as such, the only protocol 
version that will continue to work is TLSv1.2.

I'm quite sure that's not the expected behaviour of the no-ssl3 flag.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

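Kurt's and Hubert's replies above make the same point: a cipher that `openssl ciphers -v` labels "SSLv3" is the minimum protocol version for that suite, not an SSLv3-only suite. The added example below (not OpenSSL code) parses constructed lines in the `openssl ciphers -v` output format and contrasts the two remedies: dropping every "SSLv3"-marked suite leaves only TLSv1.2 usable, whereas disabling the SSLv3 protocol version keeps TLSv1.0 and TLSv1.1 working.

```python
# Constructed sample in the format printed by `openssl ciphers -v`
# (name, minimum protocol version, then Kx=/Au=/Enc=/Mac= fields).
CIPHERS_V_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Protocol versions a suite with the given minimum-version label can be
# negotiated with (the "SSLv3" label covers SSLv3 through TLSv1.2).
VERSIONS_FOR = {
    "SSLv3": ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"),
    "TLSv1.2": ("TLSv1.2",),
}


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` style lines into dicts."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        props = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({"name": fields[0], "min_version": fields[1], **props})
    return suites


def usable_versions(suites, drop_sslv3_marked=False, disable_sslv3=False):
    """Protocol versions that still have at least one usable suite.

    drop_sslv3_marked: remove every suite whose label is "SSLv3" (the patch
    under discussion).  disable_sslv3: keep the suites, refuse the SSLv3
    protocol version only (what no-ssl3 is meant to do).
    """
    versions = set()
    for s in suites:
        if drop_sslv3_marked and s["min_version"] == "SSLv3":
            continue
        versions.update(VERSIONS_FOR[s["min_version"]])
    if disable_sslv3:
        versions.discard("SSLv3")
    return versions
```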

Vaghasiya, Nimesh | 31 Oct 07:49 2014

Issue when OpenSSL 0.9.8zc built with -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3

Hi,

We are building OpenSSL 0.9.8zc with options -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 on a FreeBSD based OS.

This is one of the ways we are trying to mitigate the CVE-2014-3566 POODLE issue in our OS.

We are not able to use the following commands after building the library with the above mentioned flags.

 openssl s_client [argument list]
 openssl s_server [argument list]
 openssl ciphers [argument list]
 openssl s_time [argument list]

The issue is mostly because of the following condition in the header file openssl/apps/progs.h:

#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
  --Allow s_client, s_server ciphers, s_time

Is this the expected behavior?
If not, could you please suggest a fix for the issue.


Regards,
Nimesh

Kiyoshi KANAZAWA via RT | 30 Oct 23:26 2014

[openssl.org #3587] openssl-1.0.1j configuration for solaris-x86/x64 should be changed

Hello, again.

Configuration for solaris-x86/x64 is not good.

(1) solaris-x86-gcc
    "-march=pentium" should not be specified.
(2) solaris-x86-cc
    "-O" after "-fast" overrides optimizing level.
(3) solaris64-x86_64-cc
    "-xarch=amd64" is too old style.
    "-m64" should be used instead.

Sample patch is attached.

--- Kiyoshi <yoi_no_myoujou <at> yahoo.co.jp>
Attachment (Configure.patch): application/octet-stream, 4941 bytes

Kiyoshi KANAZAWA via RT | 30 Oct 23:26 2014

[openssl.org #3586] openssl-1.0.1j make fails if -j option is used

Hello,

"make" with -j option fails,
because dependency to libraries is not described in Makefile.

Sample fix is attached.

--- Kiyoshi <yoi_no_myoujou <at> yahoo.co.jp>

Attachment (Makefile.org.patch): application/octet-stream, 3502 bytes

Alin Năstac via RT | 30 Oct 23:26 2014

[openssl.org #3585] [PATCH] OPENSSL_NO_SSL3 doesn't remove all SSLv3 bits

Some SSLv3 parts (e.g. SSLv3 ciphers) are built in even if ssl3
support is disabled.
Attached patch fixes it:

pl | 30 Oct 21:00 2014

misleading outdated comment

Hi,

First of all, this is my first post here, so I expect some 
forgiveness from you.
I am a heavy user of the openssl library.
I try to add some information to http://wiki.opensslfoundation.com at 
my level, to add my little cents.

This post is really a minor detail, but - given the code is not largely 
documented - I would expect comments, even minor ones, to be accurate.

In ssl_lib.c line 2829 I read:
/* For the next 2 functions, SSL_clear() sets shutdown and so
 * one of these calls will reset it */
The functions are:
void SSL_set_accept_state(SSL *s)
and
void SSL_set_connect_state(SSL *s)

I think the comment can be removed or should be reviewed, since looking in 
the code s->shutdown is actually cleared correctly by SSL_clear(), so if it 
should be reset to 0 it is not due to SSL_clear().
Nor does any of
void ssl2_clear(SSL *s)
void ssl3_clear(SSL *s)
void tls1_clear(SSL *s)
void dtls1_clear(SSL *s)
seem to modify the shutdown field either.

And looking in git, this is not new: commit 413c4f45, which resets it to 
0 in SSL_clear(), is from 1999-02-16 10:22:21.
So this comment is really obsolete, outdated and misleading.

Regards,
Philippe Lhardy

PS: DISCLAIMER , this is on my spare time comment, NOT INVOLVING MY 
EMPLOYER ANYHOW.

Rich Salz via RT | 30 Oct 15:47 2014

[openssl.org #3583] Typos in OpenSSL license text

The license we have is the one we were given.
It is stupid that typos and inconsistencies cannot be fixed, but that's the
way of the world.
Sadly.
See: http://www.enotes.com/shakespeare-quotes/lets-kill-all-lawyers
--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org
