1.0.1i breaks SRP

Norm Green
I just upgraded our product to 1.0.1i and logins via SRP are now
broken.  Shown below are the SSL calls made from both the client and
server.  Everything worked perfectly under 1.0.1h.
Both sides set the cipher list to 'SRP' via calls to
SSL_CTX_set_cipher_list(), so the "no shared cipher" complaint after
line 31 on the server side is clearly bogus.

Any idea where to begin debugging this?  Any and all help is appreciated.

Norm Green





Server Side:

[   1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[   2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[   3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[   4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[   5] SSL call: SSL_library_init with args: NONE result=1
[   6] SSL call: RAND_status with args: NONE   result=1
[   7] SSL call: TLSv1_1_server_method with args: NONE result=0x7f1407999040
[   8] SSL call: SSL_CTX_new with args: 0x7f1407999040 result=0x1f8a8e0
[   9] SSL call: SSL_CTX_ctrl with args: 0x1f8a8e0 33 4 (NULL)   result=4
[  10] SSL call: SSL_CTX_set_verify with args: 0x1f8a8e0 0 (NULL)  
(nothing returned)
[  11] SSL call: SSL_CTX_set_cipher_list with args: 0x1f8a8e0 'SRP'  
result=1
[  12] SSL call: SSL_CTX_set_srp_strength with args: 0x1f8a8e0 1024  
result=1
[  13] SSL call: BN_init with args: 0x7f14197a3a88 (nothing returned)
[  14] SSL call: BN_init with args: 0x7f14197a3aa0 (nothing returned)
[  15] SSL call: BN_init with args: 0x7f14197a3ab8 (nothing returned)
[  16] SSL call: BN_init with args: 0x7f14197a3ad0 (nothing returned)
[  17] SSL call: SRP_get_default_gN with args: '1024' result=0x7f14079adb50
[  18] SSL call: BN_copy with args: 0x7f14197a3ab8 0x7f14079adaa0  
result=0x7f14197a3ab8
[  19] SSL call: BN_copy with args: 0x7f14197a3ad0 0x7f14079ad980  
result=0x7f14197a3ad0
[  20] SSL call: BN_bin2bn with args: 0x7fff686674c0 128
0x7f14197a3aa0   result=0x7f14197a3aa0
[  21] SSL call: BN_bin2bn with args: 0x7fff686674c0 20 0x7f14197a3a88  
result=0x7f14197a3a88
[  22] SSL call: SSL_CTX_set_verify with args: 0x1f8a8e0 0 (NULL)  
(nothing returned)
[  23] SSL call: SSL_CTX_set_cipher_list with args: 0x1f8a8e0 'SRP'  
result=1
[  24] SSL call: SSL_CTX_set_srp_cb_arg with args: 0x1f8a8e0
0x7f14197a3a80   result=1
[  25] SSL call: SSL_CTX_set_srp_username_callback with args: 0x1f8a8e0
0x7f1418ab6d26   result=1
[  26] SSL call: SSL_new with args: 0x1f8a8e0 result=0x1f8b680
[  27] SSL call: SSL_set_fd with args: 0x1f8b680 5 result=1
[  28] SSL call: SSL_get_fd with args: 0x1f8b680   result=5
[  29] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  30] SSL call: SSL_accept with args: 0x1f8b680 result=-1
[  31] SSL call: SSL_get_error with args: 0x1f8b680 -1 result=1
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1358:

[  32] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  33] SSL call: SSL_accept with args: 0x1f8b680 result=-1
[  34] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  35] SSL call: SSL_accept with args: 0x1f8b680 result=-1
[  36] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  37] SSL call: SSL_accept with args: 0x1f8b680 result=-1
SSL_accept() failed after 4 tries
[  38] SSL call: SSL_free with args: 0x1f8b680   (nothing returned)
[  39] SSL call: SSL_CTX_free with args: 0x1f8a8e0 (nothing returned)


Client Side:

[   1] SSL call: SSL_load_error_strings with args: NONE (nothing returned)
[   2] SSL call: ERR_load_crypto_strings with args: NONE (nothing returned)
[   3] SSL call: OpenSSL_add_all_ciphers with args: NONE (nothing returned)
[   4] SSL call: OpenSSL_add_all_digests with args: NONE (nothing returned)
[   5] SSL call: SSL_library_init with args: NONE result=1
[   6] SSL call: RAND_status with args: NONE   result=1
[   7] SSL call: TLSv1_1_client_method with args: NONE result=0x7ffff6460a40
[   8] SSL call: SSL_CTX_new with args: 0x7ffff6460a40 result=0x62f150
[   9] SSL call: SSL_CTX_ctrl with args: 0x62f150 33 4 (NULL)   result=4
[  10] SSL call: SSL_CTX_set_verify with args: 0x62f150 0 (NULL)  
(nothing returned)
[  11] SSL call: SSL_CTX_set_cipher_list with args: 0x62f150 'SRP'  
result=1
[  12] SSL call: SSL_CTX_set_srp_strength with args: 0x62f150 1024  
result=1
[  13] SSL call: SSL_CTX_set_srp_username with args: 0x62f150
'SystemUser'   result=1
[  14] SSL call: SSL_CTX_set_srp_password with args: 0x62f150
'swordfish'   result=1
[  15] SSL call: SSL_new with args: 0x62f150 result=0x62f990
[  16] SSL call: SSL_set_fd with args: 0x62f990 6 result=1
[  17] SSL call: SSL_get_fd with args: 0x62f990   result=6
[  18] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  19] SSL call: SSL_connect with args: 0x62f990   result=0
[  20] SSL call: SSL_get_error with args: 0x62f990 0 result=1
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1275:SSL alert number 40

[  21] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  22] SSL call: SSL_connect with args: 0x62f990   result=0
[  23] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  24] SSL call: SSL_connect with args: 0x62f990   result=0
[  25] SSL call: ERR_clear_error with args: NONE   (nothing returned)
[  26] SSL call: SSL_connect with args: 0x62f990   result=0
SSL_connect() failed after 4 tries
[  27] SSL call: SSL_free with args: 0x62f990   (nothing returned)
[  28] SSL call: SSL_CTX_free with args: 0x62f150 (nothing returned)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: 1.0.1i breaks SRP

Dr. Stephen Henson
On Thu, Aug 07, 2014, Norm Green wrote:

> I just upgraded our product to 1.0.1i and logins via SRP are now
> broken.  Shown below are the SSL calls made from both the client and
> server.  Everything worked perfectly under 1.0.1h.
> Both sides set the cipher list to 'SRP' via calls to
> SSL_CTX_set_cipher_list(), so the "no shared cipher" complaint after
> line 31 on the server side is clearly bogus.
>

Well maybe, maybe not. Just because a ciphersuite is included in the
cipherlist doesn't mean it is included or could be selected. For example if
you set a ciphersuite which uses ECDSA authentication it won't be selected if
the server doesn't include an ECDSA certificate.

That might be what is happening here: the ciphersuite is being (incorrectly)
excluded either client or server side.

> Any idea where to begin debugging this?  Any and all help is appreciated.
>

Can you reproduce this with s_client and s_server?

Can you try a 1.0.1i client versus a 1.0.1h server and vice-versa?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Dr. Stephen Henson
In reply to this post by Norm Green
On Thu, Aug 07, 2014, Norm Green wrote:

> I just upgraded our product to 1.0.1i and logins via SRP are now
> broken.  Shown below are the SSL calls made from both the client and
> server.  Everything worked perfectly under 1.0.1h.
> Both sides set the cipher list to 'SRP' via calls to
> SSL_CTX_set_cipher_list(), so the "no shared cipher" complaint after
> line 31 on the server side is clearly bogus.
>
> Any idea where to begin debugging this?  Any and all help is appreciated.
>

Hmm... think I can reproduce it now. There is a problem with some
ciphersuites. Looking into it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Dr. Stephen Henson
In reply to this post by Norm Green
On Thu, Aug 07, 2014, Norm Green wrote:

>
> Any idea where to begin debugging this?  Any and all help is appreciated.
>

The cause is incorrect handling of new SRP authentication type which was added
to correct a bug where SRP authentication was incorrectly classified as NULL
authentication.

A temporary workaround is to revert the addition of the SRP authentication
type in commit 18c7f2fce8a82b13506cac7ca69fc333baf76408:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=18c7f2fce8a82b13506cac7ca69fc333baf76408

I'm working on the proper fix.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Norm Green
Thanks for tracking it down so fast Steve.  I will revert the mods in that commit and try it again tomorrow.

Norm

On 8/7/2014 7:21 PM, Dr. Stephen Henson wrote:
> On Thu, Aug 07, 2014, Norm Green wrote:
>
>> Any idea where to begin debugging this?  Any and all help is appreciated.
>
> The cause is incorrect handling of new SRP authentication type which was added
> to correct a bug where SRP authentication was incorrectly classified as NULL
> authentication.
>
> A temporary workaround is to revert the addition of the SRP authentication
> type in commit 18c7f2fce8a82b13506cac7ca69fc333baf76408:
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=18c7f2fce8a82b13506cac7ca69fc333baf76408
>
> I'm working on the proper fix.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Norm Green
In reply to this post by Dr. Stephen Henson
Hello Steve,

Reverting the below commit is necessary but not sufficient.  There are
also references to aSRP in s3_clnt.c and ssl_lib.c that must be deleted
to get OpenSSL to build.  SRP functions correctly once that has been done.

Norm


On 8/7/14, 19:21, Dr. Stephen Henson wrote:

> On Thu, Aug 07, 2014, Norm Green wrote:
>
>> Any idea where to begin debugging this?  Any and all help is appreciated.
>>
> The cause is incorrect handling of new SRP authentication type which was added
> to correct a bug where SRP authentication was incorrectly classified as NULL
> authentication.
>
> A temporary workaround is to revert the addition of the SRP authentication
> type in commit 18c7f2fce8a82b13506cac7ca69fc333baf76408:
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=18c7f2fce8a82b13506cac7ca69fc333baf76408
>
> I'm working on the proper fix.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Matt Caswell-2


On 08/08/14 19:33, Norm Green wrote:
> Hello Steve,
>
> Reverting the below commit is necessary but not sufficient.  There are
> also references to aSRP in s3_clnt.c and ssl_lib.c that must be deleted
> to get OpenSSL to build.  SRP functions correctly once that has been done.

Those were introduced as part of the fix to CVE-2014-5139 (commit
83764a989)...deleting them may be unwise.

Matt


Re: 1.0.1i breaks SRP

Norm Green
Then what would you suggest?  SRP is completely broken for us with 1.0.1i

Norm

On 8/8/14, 11:51, Matt Caswell wrote:

>
> On 08/08/14 19:33, Norm Green wrote:
>> Hello Steve,
>>
>> Reverting the below commit is necessary but not sufficient.  There are
>> also references to aSRP in s3_clnt.c and ssl_lib.c that must be deleted
>> to get OpenSSL to build.  SRP functions correctly once that has been done.
> Those were introduced as part of the fix to CVE-2014-5139 (commit
> 83764a989)...deleting them may be unwise.
>
> Matt
>

Re: 1.0.1i breaks SRP

Dr. Stephen Henson
On Fri, Aug 08, 2014, Norm Green wrote:

> Then what would you suggest?  SRP is completely broken for us with 1.0.1i
>

Please try the attached patch against 1.0.1i.

[BTW removing the aSRP references is fine as long as you don't delete the kSRP
references too]

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: 1.0.1i breaks SRP

Norm Green
Hi Steve,

That patch works!  We will go with that one instead of rolling back the
commit mentioned in your previous message.

Thanks very much for your help!!!

Norm


On 8/8/14, 12:25, Dr. Stephen Henson wrote:

> On Fri, Aug 08, 2014, Norm Green wrote:
>
>> Then what would you suggest?  SRP is completely broken for us with 1.0.1i
>>
> Please try the attached patch against 1.0.1i.
>
> [BTW removing the aSRP references is fine as long as you don't delete the kSRP
> references too]
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


ECDSA Certificate

Walter H.
In reply to this post by Dr. Stephen Henson
On 08.08.2014 02:11, Dr. Stephen Henson wrote:

> Well maybe, maybe not. Just because a ciphersuite is included in the
> cipherlist doesn't mean it is included or could be selected. For example if
> you set a ciphersuite which uses ECDSA authentication it won't be selected if
> the server doesn't include an ECDSA certificate.

Can you please give an example of an ECDSA certificate? Thanks.

I'm asking this, because
one Web-Server connects with
SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384
and one with
SSL_CIPHER=DHE-RSA-AES256-GCM-SHA384
both with the same client;

and both Web-Server (Apache) have this
SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES

-- 
Greetings,
Walter



RE: ECDSA Certificate

Dave Thompson-5

Both of those are using an RSA certificate; DHE or ECDHE is key-exchange only
not authentication. However the servers must configure *parameters* for
“temp DH” and “temp ECDH” respectively; do they? For ECDHE the parameters
must use one of the (named) curves specified by the client; openssl client
supports all named curves, but other clients like browsers might not.

Is the second server on not-very-recent RedHat or CentOS?
Until late 2013, RedHat openssl packages disabled all elliptic curve crypto
due to what they called legal concerns. Everyone believes this meant
the Certicom patents, although I don’t think they ever confirmed it.


Re: ECDSA Certificate

Walter H.

and how do I generate an ECDSA certificate?

On 10.08.2014 14:12, Dave Thompson wrote:

> Both of those are using an RSA certificate; DHE or ECDHE is key-exchange only
> not authentication. However the servers must configure *parameters* for
> “temp DH” and “temp ECDH” respectively; do they?

I haven't configured any of those ...

> Is the second server on not-very-recent RedHat or CentOS?

Yes, it is a CentOS 6.5


-- 
Mit freundlichen Grüßen,
Best regards,
Mes salutations distinguées,

Ing. Walter Höhlhubmer       _/      _/  _/    _/
                            _/      _/  _/    _/
Lederergasse 47a/7         _/      _/  _/    _/
A-4020 Linz a. d. Donau   _/  _/  _/  _/_/_/_/
Austria / EUROPE         _/_/_/_/_/  _/    _/
                        _/_/  _/_/  _/    _/
[+43 664 951 83 72]    _/      _/  _/    _/


RE: [SPAM?] Re: ECDSA Certificate

Dave Thompson-5
> and how do I generate an ECDSA certificate?

To generate a selfsigned ECDSA cert the same ways you do RSA,
except use EC instead of RSA.

- use req -new with EC key or -newkey with EC parms and -x509
to generate selfsigned cert directly.

- use req -new with key or -newkey to generate CSR,
then x509 -req -signkey to create selfsigned cert

Set other attributes as appropriate. If you set KeyUsage,
it must include digSign to use this cert for ECDHE-ECDSA.
(KU for RSA should include digSign or encrypt depending
on the suites to be used, but sometimes isn't enforced.)

Use a curve supported by the peers you will communicate with.

To obtain a CA-signed ECDSA cert the same ways as RSA,
except EC instead of RSA, and harder.

- generate CSR for EC key as above, for suitable curve

- find a CA that issues EC certs, with usage allowing
at least digSign=ECDSA. I haven't found any yet.

- submit CSR to CA, prove your identity, pay fees.

- receive cert and any chain cert(s) from CA.

<snip>
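
The two self-signed routes listed above, as an added example that is not part of the original post: it writes one certificate directly with `req -new -x509` and a second via a CSR and `x509 -req -signkey`, both with KeyUsage limited to digSign (`digitalSignature` in OpenSSL config syntax). The curve prime256v1, the CN, the 30-day validity and all file names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: curve prime256v1,
# CN ecdsa.example.test, 30-day validity, and all file names below.

# make_ecdsa_certs DIR: create an EC key and two self-signed ECDSA certs in DIR.
make_ecdsa_certs() {
    dir=$1
    # Private config so the run does not depend on a system openssl.cnf.
    cat > "$dir/ec.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ecdsa

[ dn ]
CN = ecdsa.example.test

[ v3_ecdsa ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
EOF
    # EC private key on a named curve; pick one the peers support.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem" || return 1

    # Route 1: req -new -x509 writes the self-signed certificate directly.
    openssl req -new -x509 -config "$dir/ec.cnf" -key "$dir/key.pem" \
        -sha256 -days 30 -out "$dir/cert_direct.pem" || return 1

    # Route 2: CSR first, then x509 -req -signkey self-signs it. x509 does not
    # read the [ req ] section, so the extension section is named explicitly.
    openssl req -new -config "$dir/ec.cnf" -key "$dir/key.pem" \
        -sha256 -out "$dir/csr.pem" || return 1
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" \
        -sha256 -days 30 -extfile "$dir/ec.cnf" -extensions v3_ecdsa \
        -out "$dir/cert_csr.pem" || return 1
}

# cert_has FILE PATTERN: true if the certificate's text dump contains PATTERN.
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Demo run in a scratch directory.
workdir=$(mktemp -d)
if make_ecdsa_certs "$workdir"; then
    for cert in "$workdir/cert_direct.pem" "$workdir/cert_csr.pem"; do
        cert_has "$cert" 'id-ecPublicKey'    && echo "$cert: EC public key"
        cert_has "$cert" 'ecdsa-with-SHA256' && echo "$cert: ECDSA signature"
        cert_has "$cert" 'Digital Signature' && echo "$cert: KeyUsage digSign"
    done
fi
rm -rf "$workdir"
```

A server loaded with either certificate and `key.pem` can authenticate ECDHE-ECDSA suites; with only an RSA certificate those suites stay in the cipher list but are never selected.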
