Andy Polyakov | 1 May 2012 18:52

Re: [CVS] OpenSSL: openssl/crypto/aes/asm/ aes-586.pl aesni-x86.pl openssl...

Hi,

> this patch solve the problem of Program terminated with signal 4,
> Illegal instruction on cpu amd geode-lx and VIA Nehemiah?

Is it a question or a statement?

> root <at> gatto:/tmp# openssl version
> Illegal instruction (core dumped)

Is it a crash before or after?

> root <at> gatto:/tmp# gdb -c core /usr/bin/openssl
> GNU gdb (GDB) 7.4
> Program terminated with signal 4, Illegal instruction.
> #0  0xb76bc1f3 in _init () from /usr/lib/libcrypto.so.0
> (gdb) disassemble
> Dump of assembler code for function _init:
>    0xb76bc1d0 <+0>:     push   %ebx
>    0xb76bc1d1 <+1>:     sub    $0x8,%esp
>    0xb76bc1d4 <+4>:     call   0xb76bc840
>    0xb76bc1d9 <+9>:     add    $0x12c697,%ebx
>    0xb76bc1df <+15>:    mov    -0x220(%ebx),%eax
>    0xb76bc1e5 <+21>:    test   %eax,%eax
>    0xb76bc1e7 <+23>:    je     0xb76bc1ee <_init+30>
>    0xb76bc1e9 <+25>:    call   0xb76bc4d0 <__gmon_start__ <at> plt>
>    0xb76bc1ee <+30>:    call   0xb76bc970
> => 0xb76bc1f3 <+35>:    nopw   %cs:0x0(%eax,%eax,1)

Obviously CPUs in question can't handle this kind of nop. Formally it's
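The faulting instruction at +35 above is a multi-byte NOP (opcode 0F 1F /0, here carrying 66 and CS-override prefixes), which the i586-class parts named in the report do not decode. As an added example, not code from this thread or from OpenSSL, the decoder below recognises that encoding so a built library can be checked for such alignment padding before it is deployed on those CPUs; it assumes the standard ModRM/SIB/displacement rules, and any sample bytes fed to it are constructed.

```c
#include <stddef.h>

/* Length of a multi-byte NOP (opcode 0F 1F /0, e.g. nopw/nopl) starting at p,
 * or 0 if the bytes there are not one.  Handles the legacy prefixes GAS emits
 * (66 operand-size, segment overrides) plus ModRM, SIB and displacement. */
size_t long_nop_len(const unsigned char *p, size_t avail)
{
    size_t i = 0, disp = 0;
    while (i < avail && (p[i] == 0x66 || p[i] == 0x2E || p[i] == 0x3E ||
                         p[i] == 0x26 || p[i] == 0x36 || p[i] == 0x64 || p[i] == 0x65))
        i++;
    if (i + 3 > avail || p[i] != 0x0F || p[i + 1] != 0x1F)
        return 0;
    unsigned mod = p[i + 2] >> 6, reg = (p[i + 2] >> 3) & 7, rm = p[i + 2] & 7;
    if (reg != 0)                     /* only /0 is the documented NOP r/m */
        return 0;
    i += 3;
    if (mod != 3) {                   /* memory form: SIB and/or displacement */
        if (rm == 4) {                /* SIB byte present */
            if (i >= avail)
                return 0;
            if (mod == 0 && (p[i] & 7) == 5)
                disp = 4;             /* SIB with no base register: disp32 */
            i++;
        } else if (mod == 0 && rm == 5) {
            disp = 4;                 /* [disp32] with no base register */
        }
        if (mod == 1)
            disp = 1;
        else if (mod == 2)
            disp = 4;
    }
    return i + disp <= avail ? i + disp : 0;   /* 0 if the NOP is truncated */
}

/* Record the offsets of long NOPs in buf (up to max in offs) and return the
 * count.  A byte-pattern scan, not a disassembler: a 0F 1F inside an immediate
 * or displacement also matches, so confirm each hit with objdump. */
size_t scan_long_nops(const unsigned char *buf, size_t len, size_t *offs, size_t max)
{
    size_t n = 0, off = 0;
    while (off < len) {
        size_t l = long_nop_len(buf + off, len - off);
        if (l && n < max)
            offs[n] = off;
        n += l ? 1 : 0;
        off += l ? l : 1;
    }
    return n;
}
```

Feed it the bytes of a .text section (for example read from the shared object with the ELF section offsets) and compare the reported offsets against objdump output.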

Simon Convey | 1 May 2012 23:44

Which headers do we use ? openssl-fips or openssl-1.0.1b ?

Dear openssl developers,

        I suspect that this may have been asked before, but I have looked, and can't find an answer to this ......

We are downloading openssl-fips-2.0-test-201204XX and configuring ...

#./config  && make && make install

and then

# cd ../openssl-1.0.1b
#./config fips shared
#make && make install


My question is, which set of headers do I include in application development ?
/usr/local/ssl/fips-2.0/include/openssl, or /usr/include/ssl/include/openssl ?

Many thanks,
Simon Convey




Dr. Stephen Henson | 2 May 2012 00:56

Re: Which headers do we use ? openssl-fips or openssl-1.0.1b ?

On Tue, May 01, 2012, Simon Convey wrote:

> Dear openssl developers,
>         I suspect that this may have been asked before, but I have looked,
> and can't find an answer to this ......
> 
> We are downloading openssl-fips-2.0-test-201204XX and configuring ...
> 
> #./config  && make && make install
> 
> and then
> 
> # cd ../openssl-1.0.1b
> #./config fips shared
> #make && make install
> 
> 
> My question is, which set of headers do I include in application
> development ?
> /usr/local/ssl/fips-2.0/include/openssl, or
> /usr/include/ssl/include/openssl ?
> 

Those in /usr/include/ssl/include/openssl as they belong to OpenSSL 1.0.1.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Damian Kohlfeld | 2 May 2012 22:21

Minor Bug in 1.0.1b

New to the list, first post.  Found a minor bug in 1.0.1b after upgrading from 1.0.0d.

If you use BIO to load an X509 PEM-encoded certificate into an X509Certificate structure, call the Print() method into a BIO stream, and print that as text, the signature algorithm string:

Signature Algorithm: sha1WithRSAEncryption

is only indented by 4 characters instead of 8 in 1.0.1b; note that all other lines are indented exactly 8 characters except for that one.

If there is a bug-tracker for submissions on this project, please let me know, and I can submit code to reproduce, etc.  Thank you,

Damian Kohlfeld

Ranjith Kumar A. | 3 May 2012 08:24

RSA key size for FIPS 140-2

Hi All,


Can anyone tell me, does FIPS 140-2 support RSA key sizes of 1025, 1026, etc., or does it only support multiples of 512 bits?
Thanks in advance ...

Thanks,
Ranjith
Alexander Komyagin | 3 May 2012 09:23

OCSP question

Hi! In our project we want to perform a complete global switch to OCSP
certificate verification (for a number of reasons we don't want CRLs
anymore) to make openldap, openvpn and others use OCSP.

Unfortunately I didn't find any implemented way to perform such a switch
in OpenSSL. There is only one check_revocation() function, which checks
a chain against CRLs. I think that check_revocation() can be altered to
use OCSP instead just like ocsp-app does. Or shall I use any other place
to perform OCSP verification?

Thanks!
-- 
Best wishes,
Alexander Komyagin


Ziyu Liu | 3 May 2012 10:06

Re:OCSP question

You can use these functions to do the OCSP verification during the SSL handshake.

#define SSL_set_tlsext_status_ids(ssl, arg) \
SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg)

#define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \
SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0, (void *)arg)

#define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \
SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void *)arg)



At 2012-05-03 15:23:49,"Alexander Komyagin" <komyagin <at> altell.ru> wrote:
>Hi! In our project we want to perform a complete global switch to OCSP
>certificate verification (for a number of reasons we don't want CRLs
>anymore) to make openldap, openvpn and others use OCSP.
>
>Unfortunately I didn't find any implemented way to perform such a switch
>in OpenSSL. There is only one check_revocation() function, which checks
>a chain against CRLs. I think that check_revocation() can be altered to
>use OCSP instead just like ocsp-app does. Or shall I use any other place
>to perform OCSP verification?
>
>Thanks!
>-- 
>Best wishes,
>Alexander Komyagin
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>Development Mailing List                       openssl-dev <at> openssl.org
>Automated List Manager                           majordomo <at> openssl.org


Alexander Komyagin | 3 May 2012 11:04

Re: Re:OCSP question

Thank you, Ziyu! However, these three are of no use without actually
building the query and querying the OCSP responder.

On Thu, 2012-05-03 at 16:06 +0800, Ziyu Liu wrote:
> You can use these functions to do the OCSP verification during the ssl
> handshaking.
> 
> #define SSL_set_tlsext_status_ids(ssl, arg) \
> SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS,0, (void *)arg)
> 
> #define SSL_get_tlsext_status_ocsp_resp(ssl, arg) \
> SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP,0, (void *)arg)
> 
> #define SSL_set_tlsext_status_ocsp_resp(ssl, arg, arglen) \
> SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP,arglen, (void
> *)arg)
> 
> 
> 
> 
> 
> At 2012-05-03 15:23:49,"Alexander Komyagin" <komyagin <at> altell.ru> wrote:
> >Hi! In our project we want to perform a complete global switch to OCSP
> >certificate verification (for a number of reasons we don't want CRLs
> >anymore) to make openldap, openvpn and others use OCSP.
> >
> >Unfortunately I didn't find any implemented way to perform such a switch
> >in OpenSSL. There is only one check_revocation() function, which checks
> >a chain against CRL's. I think that check_revocation() can be altered to
> >use OCSP instead just like ocsp-app does. Or shall I use any other place
> >to perform OCSP verification?
> >
> >Thanks!
> >-- 
> >Best wishes,
> >Alexander Komyagin
> >
> >
> >______________________________________________________________________
> >OpenSSL Project                                 http://www.openssl.org
> >Development Mailing List                       openssl-dev <at> openssl.org
> >Automated List Manager                           majordomo <at> openssl.org
> 
> 

-- 
Best wishes,
Alexander Komyagin


Dr. Stephen Henson | 3 May 2012 13:11

Re: OCSP question

On Thu, May 03, 2012, Alexander Komyagin wrote:

> Hi! In our project we want to perform a complete global switch to OCSP
> certificate verification (for a number of reasons we don't want CRLs
> anymore) to make openldap, openvpn and others use OCSP.
> 

You should note there is a side effect of doing this: it can't work properly
with non-blocking I/O without application modification.

The reason is that non-blocking I/O checks a single socket associated with the
SSL/TLS connection while if you want to handle OCSP properly it would need to
check a second completely different socket used by the OCSP connection. No
existing application does that and no framework currently exists in OpenSSL to 
support this.

As a result an unmodified application would block waiting for the OCSP
response and would be unable to handle any other connections during this
time.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Alexander Komyagin | 3 May 2012 13:43

Re: OCSP question

Thanks for the note, Stephen! I'll certainly take this into account.
If I incorporate the OCSP check in the check_revoked() function, which is
called during SSL connect/handshake, it would just block during the connect
op for a while, and I believe that no single service shall expect connection
establishment to be fast. A good service will handle other connections in
a separate thread for the sake of availability, won't it?

On Thu, 2012-05-03 at 13:11 +0200, Dr. Stephen Henson wrote:
> On Thu, May 03, 2012, Alexander Komyagin wrote:
> 
> > Hi! In our project we want to perform a complete global switch to OCSP
> > certificate verification (for a number of reasons we don't want CRLs
> > anymore) to make openldap, openvpn and others use OCSP.
> > 
> 
> You should note there is a side effect of doing this: it can't work properly
> with non-blocking I/O without application modification.
> 
> The reason is that non-blocking I/O checks a single socket associated with the
> SSL/TLS connection while if you want to handle OCSP properly it would need to
> check a second completely different socket used by the OCSP connection. No
> existing application does that and no framework currently exists in OpenSSL to 
> support this.
> 
> As a result an unmodified application would block waiting for the OCSP
> response and would be unable to handle any other connections during this
> time.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev <at> openssl.org
> Automated List Manager                           majordomo <at> openssl.org

-- 
Best wishes,
Alexander Komyagin


