Short, Todd via RT | 6 Mar 16:02 2015
Picon

[openssl.org #3729] Patch to add support for iovec-based IO in OpenSSL

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add “struct iovec” variants to ssl IO (configurable, disabled by default)

This adds support of iovec-based IO into openSSL. iovec can be faster than normal IO mechanism as there are
fewer calls into the kernel.
Regular APIs are modified to use “ssl_bucket” (similar to iovec structures) at the lower level, so the
IO path is still the same regardless of whether iovec-based APIs are used or not.

Github link:
https://github.com/akamai/openssl/commit/91f65728bbd7d52ae6b75050d31e197591769d78

And attachment.

Thank you.
--
-Todd Short
// tshort <at> akamai.com
// “One if by land, two if by sea, three if by the Internet."

_______________________________________________
openssl-dev mailing list
(Continue reading)

Matt Caswell via RT | 6 Mar 16:21 2015
Picon

[openssl.org #3730] openssl 1.0.2 compile failure with OPENSSL_FIPS

On Fri Mar 06 16:02:37 2015, Duane.Bronson <at> riverbed.com wrote:
> Openssl guys,
>
> It looks like an accidental * slipped into *pcurveslen in
> ssl/t1_lib.c. This patch fixes it and also a warning, but I still get
> an installed but unpackaged error that could be my fault. Still
> investigating.

Hi Duane

This issue has been previously reported, and has been fixed in commit
6fa805f516f. This will be incorporated into the next 1.0.2 release.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Richard C Paterson via RT | 6 Mar 16:03 2015
Picon

[openssl.org #3732] Does OpenSSL construe expired certs as reason to downgrade?

Hi,

Our certificates expired recently, and our application log contained the following error:
“SSL3_GET_BYTES:sslv3 alert handshake failure”

From what I can see, this message is a valid error message indicating that SSLv3 is not supported by the server.
My question is, why are we seeing this message in this situation? Does OpenSSL construe certificate expiry
as a reason to downgrade to SSLv3?

Richard C Paterson
Development Testing Manager
SAS R&D Scotland
Tel: +44 141 223 9100 ■ Mobile: +447977 477296 ■ richard.c.paterson <at> sas.com<mailto:richard.c.paterson <at> sas.com>
www.sas.com<http://www.sas.com/>
SAS®...  THE POWER TO KNOW
P Please consider the environment before printing this e-mail

The information in this e-mail and any attached files is confidential. It is intended solely for the use of
the addressee. Any unauthorised disclosure or use is prohibited. If you are not the intended recipient of
the message, please notify the sender immediately and do not disclose the contents to any other person,
use it for any purpose, or store or copy the information in any medium. The views of the author may not
necessarily reflect those of the company.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Paul Nelson via RT | 6 Mar 16:02 2015
Picon

[openssl.org #3731] BUG darwin FIPS openssl-1.0.2 ssl/t1_lib.c line 472

OS is darwin
openssl version is 1.0.2

Bug only happens when building the FIPS version of SSL.  In t1_lib.c at line 472 the assignment to
*pcurveslen should be to pcurveslen instead.

Here is the diff for the fix:

diff -ur openssl-1.0.2/ssl/t1_lib.c openssl-1.0.2_patched/ssl/t1_lib.c
--- openssl-1.0.2/ssl/t1_lib.c  2015-01-22 08:58:32.000000000 -0600
+++ openssl-1.0.2_patched/ssl/t1_lib.c  2015-03-05 16:40:35.000000000 -0600
 <at>  <at>  -470,7 +470,7  <at>  <at> 
 # ifdef OPENSSL_FIPS
             if (FIPS_mode()) {
                 *pcurves = fips_curves_default;
-                *pcurveslen = sizeof(fips_curves_default);
+                pcurveslen = sizeof(fips_curves_default);
             } else
 # endif
             {

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Duane Bronson via RT | 6 Mar 16:02 2015
Picon

[openssl.org #3730] openssl 1.0.2 compile failure with OPENSSL_FIPS

Openssl guys,

It looks like an accidental * slipped into *pcurveslen in ssl/t1_lib.c.  This patch fixes it and also a
warning, but I still get an installed but unpackaged error that could be my fault.  Still investigating.

bash-4.1# cat openssl-1.0.2-pcurveslen.patch
diff -up openssl-1.0.2/ssl/t1_lib.c.fips openssl-1.0.2/ssl/t1_lib.c
--- openssl-1.0.2/ssl/t1_lib.c.fips 2015-03-05 16:26:48.786265443 -0500
+++ openssl-1.0.2/ssl/t1_lib.c 2015-03-05 16:29:35.419166733 -0500
 <at>  <at>  -119,6 +119,9  <at>  <at> 
 #include <openssl/ocsp.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#ifndef OPENSSL_NO_KRB5
+# include <ssl/kssl_lcl.h>
+#endif

 const char tls1_version_str[] = "TLSv1" OPENSSL_VERSION_PTEXT;

 <at>  <at>  -470,7 +473,7  <at>  <at>  static int tls1_get_curvelist(SSL *s, in
 # ifdef OPENSSL_FIPS
             if (FIPS_mode()) {
                 *pcurves = fips_curves_default;
-                *pcurveslen = sizeof(fips_curves_default);
+                pcurveslen = sizeof(fips_curves_default);
             } else
 # endif
             {

Duane
(Continue reading)

Steve Schefter | 6 Mar 14:35 2015

Intent of the private_ wrappers

Hi.

I am compiling OpenSSL with the FIPS options and seeing a build error. 
My question is more about the intent than the problem.

One example:  When apps/speed.c is compiled with FIPS enabled, 
OPENSSL_FIPS is defined and DES_set_key_unchecked gets defined to be 
private_DES_set_key_unchecked.

The use of the private_ function means that fips_cipher_abort is not called.

Am I correct that the intent is to allow the OpenSSl-provided apps to 
use the low level APIs (like DES) while user applications linking with 
libcrypto.so can not?

The problem is that the OpenSSL-provided apps also link with that 
library and the private_ functions are not global (they are not in 
openssl.ld).  So the OpenSSL-provided apps fail to link.  In the above 
example, apps/speed.c can't find private_DES_set_key_unchecked().

Or am I not understanding the intent?

Regards,
	Steve
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

dE | 6 Mar 07:25 2015
Picon

Set fragment size.

I'm trying to set the fragment size for the TLS connection under the 
hopes that it improves compression.

Is there anyway I can do so?
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Matt Caswell via RT | 5 Mar 17:58 2015
Picon

[openssl.org #3728] Question: does "sslv3" in log mean we're using SSLv3?

On Thu Mar 05 17:42:49 2015, richard.c.paterson <at> sas.com wrote:
> Apologies if this is the incorrect forum for this question.
>
> We’re
> seeing error messages like SSL3_READ_BYTES and
> SSL3_GET_SERVER_CERTIFICATE for some reason;
>
> -
> SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> -
> SSL£_GET_BYTES:sslv3 alert handshake failure
>
> However, we believe
> that we have disabled the use of SSLv3. Does the presence of
> “SSL3_” in the logs indicate that we are still using SSLv3 and not
> TLS like we think?

No. These are just the names of internal functions. Originally written when it
was just a choice of ssl2 or ssl3 they were subsequently reused for TLS - but
the names have remained the same.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Richard C Paterson via RT | 5 Mar 17:42 2015
Picon

[openssl.org #3728] Question: does "sslv3" in log mean we're using SSLv3?

Apologies if this is the incorrect forum for this question.

We’re seeing error messages like SSL3_READ_BYTES and SSL3_GET_SERVER_CERTIFICATE for some reason;

-          SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

-          SSL£_GET_BYTES:sslv3 alert handshake failure

However, we believe that we have disabled the use of SSLv3. Does the presence of “SSL3_” in the logs
indicate that we are still using SSLv3 and not TLS like we think?

Richard C Paterson
Development Testing Manager
SAS R&D Scotland
Tel: +44 141 223 9100 ■ Mobile: +447977 477296 ■ richard.c.paterson <at> sas.com<mailto:richard.c.paterson <at> sas.com>
www.sas.com<http://www.sas.com/>
SAS®...  THE POWER TO KNOW
P Please consider the environment before printing this e-mail

The information in this e-mail and any attached files is confidential. It is intended solely for the use of
the addressee. Any unauthorised disclosure or use is prohibited. If you are not the intended recipient of
the message, please notify the sender immediately and do not disclose the contents to any other person,
use it for any purpose, or store or copy the information in any medium. The views of the author may not
necessarily reflect those of the company.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Matt Caswell via RT | 5 Mar 10:34 2015
Picon

[openssl.org #3725] [PATCH] Use warning/fatal constants instead of numbers with comments

Patch applied. Many thanks.

Matt

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

dE | 5 Mar 07:48 2015
Picon

openssl (lib and application) localhost problems.

First I encountered problems here --

https://mta.openssl.org/pipermail/openssl-dev/2015-March/000806.html

Guessing if this's a openssl command related problem, but now I've 
problems in code.

     SSL_library_init();
     SSL_load_error_strings();
     const SSL_METHOD* meth;
     meth = TLSv1_2_method();
     SSL_CTX* ctx = SSL_CTX_new(meth);
     if ( ctx == NULL ) {
         printf ("ERROR: TLS internal error!\n");
     }
     SSL* sslconnection = SSL_new (ctx);
     BIO* bioconnection = BIO_new(BIO_s_socket());

     int hSocket = 0;
     struct sockaddr_in server;
     server.sin_family = AF_INET;
     server.sin_port = htons(80);
     server.sin_addr.s_addr = inet_addr ("104.68.173.123");
     hSocket = socket(AF_INET, SOCK_STREAM, 0);
     if (connect(hSocket, (struct sockaddr*) &server, sizeof(server)) < 0)
         printf ("connection failed\n");

     BIO_set_fd(bioconnection, hSocket, BIO_NOCLOSE);
     SSL_set_bio(sslconnection, bioconnection, bioconnection);

(Continue reading)


Gmane