Existing connections on certification expires

Existing connections on certification expires

mahesh gs
Hello All,

We are using OpenSSL to provide secure communication for our application. I have some basic queries about OpenSSL's behaviour.

1) What happens to the existing SSL connections on certificate expiry? Does OpenSSL disconnect the existing connection?

2) How can I get the list of ciphers supported by openssl 01.01.0f?

These questions look to be very basic, but I could not find any concrete information regarding them by googling.

Thanks,
Mahesh G S

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Existing connections on certification expires

Paul Yang

On 28 Aug 2017, at 13:09, mahesh gs <[hidden email]> wrote:

> Hello All,
>
> We are using OpenSSL to provide secure communication for our application. I have some basic queries about OpenSSL's behaviour.
>
> 1) What happens to the existing SSL connections on certificate expiry? Does OpenSSL disconnect the existing connection?

It depends on how you control OpenSSL to process the verification. Read the man page of the SSL_CTX_set_verify (and related) functions. It seems you can find the doc there: https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)

> 2) How can I get the list of ciphers supported by openssl 01.01.0f?

Either by using an API such as 'SSL_get_ciphers' or the command-line tool 'openssl ciphers some-options'; read the related documentation for details.

> These questions look to be very basic, but I could not find any concrete information regarding them by googling.
>
> Thanks,
> Mahesh G S

Re: Existing connections on certification expires

Robert Moskowitz
In reply to this post by mahesh gs


On 08/28/2017 01:09 AM, mahesh gs wrote:
> Hello All,
>
> We are using OpenSSL to provide secure communication for our application. I have some basic queries about OpenSSL's behaviour.
>
> 1) What happens to the existing SSL connections on certificate expiry? Does OpenSSL disconnect the existing connection?

Generally speaking:

openssl has nothing to do with an SSL/TLS connection.  It created the certificate; it is not the application using the certificate.

That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client (Web browser, Mail client, VPN client).  Most of these pay no attention to the expiry date.  Some, like IPsec, specify to check the expiry date and set the maximum connection lifetime to less than it.  Of course even there your mileage will vary by how each product author read the specs.

> 2) How can I get the list of ciphers supported by openssl 01.01.0f?
>
> These questions look to be very basic, but I could not find any concrete information regarding them by googling.
>
> Thanks,
> Mahesh G S

Re: Existing connections on certification expires

Robert Moskowitz


On 08/28/2017 06:13 AM, Robert Moskowitz wrote:

> On 08/28/2017 01:09 AM, mahesh gs wrote:
>> Hello All,
>>
>> We are using OpenSSL to provide secure communication for our application. I have some basic queries about OpenSSL's behaviour.
>>
>> 1) What happens to the existing SSL connections on certificate expiry? Does OpenSSL disconnect the existing connection?
>
> Generally speaking:
>
> openssl has nothing to do with an SSL/TLS connection.  It created the certificate; it is not the application using the certificate.
>
> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client (Web browser, Mail client, VPN client).  Most of these pay no attention to the expiry date.  Some, like IPsec, specify to check the expiry date and set the maximum connection lifetime to less than it.  Of course even there your mileage will vary by how each product author read the specs.

I recall now the IPsec debate on this.  The consensus was that at the time of connection setup, the certificate was valid.  Thus the parties could set whatever connection lifetime they have in their policy.  It was not considered MANDATORY to shorten the lifetime to the certificate expiry date.  This was important, as there are IPsec policies with month-long connection lifetimes.

>> 2) How can I get the list of ciphers supported by openssl 01.01.0f?
>>
>> These questions look to be very basic, but I could not find any concrete information regarding them by googling.
>>
>> Thanks,
>> Mahesh G S

Re: Existing connections on certification expires

Viktor Dukhovni
In reply to this post by Robert Moskowitz
On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:

> > 1) What happens to the existing SSL connections on certification expiry?
> > Does the openssl disconnects the existing connection?

No, once authenticated, TLS connections continue indefinitely,
until either party chooses to disconnect.  The expiration of the
certificate does not invalidate the integrity of the original key
exchange, and presents no obvious increased risk of active attack.

> Generally speaking:
>
> openssl has nothing to do with a SSL/TLS connection.  It created the
> certificate, it is not the application using the certificate.

This is wrong.  Many applications delegate certificate verification
to the OpenSSL library.  OpenSSL does not limit connection lifetime
based on certificate expiration.

> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
> (Web browser, Mail client, VPN client).  Most of these pay no attention to
> the expiry date.

This is wrong.

--
        Viktor.

Re: Existing connections on certification expires

Robert Moskowitz


On 08/28/2017 09:07 AM, Viktor Dukhovni wrote:

> On Mon, Aug 28, 2017 at 06:13:51AM -0400, Robert Moskowitz wrote:
>
>>> 1) What happens to the existing SSL connections on certification expiry?
>>> Does the openssl disconnects the existing connection?
> No, once authenticated, TLS connections continue indefinitely,
> until either party chooses to disconnect.  The expiration of the
> certificate does not invalidate the integrity of the original key
> exchange, and presents no obvious increased risk of active attack.
>
>> Generally speaking:
>>
>> openssl has nothing to do with a SSL/TLS connection.  It created the
>> certificate, it is not the application using the certificate.
> This is wrong.  Many applications delegate certificate verification
> to the OpenSSL library.  OpenSSL does not limit connection lifetime
> based on certificate expiration.

Argh, you are right.  The libraries are indeed used.  I was thinking the
whole program.  My error.  Thinking too narrowly.

>
>> That is commonly a server app (HTTPS, IMAPS, VPN server, etc.) and a client
>> (Web browser, Mail client, VPN client).  Most of these pay no attention to
>> the expiry date.
> This is wrong.

They pay no attention to the expiry date to force the session to end at
that time by adjusting the session lifetime to be no later than the
expiry date.  Though there are probably apps out there with this behavior.

They do indeed ensure that the certificate is within its dates.  A
nuance that I did not make clear.


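Viktor's and Bob's exchange above pins down where expiry is enforced: at verification time, against the certificate's own notBefore/notAfter dates, not against an open connection. The following is an added example, not code from the thread or from the OpenSSL project, that makes this concrete with the command-line tool. It creates a throwaway one-day certificate and checks it with `openssl x509 -checkend`, which compares notAfter with "now plus a lookahead in seconds", so a renewal job can alert before the next handshake would fail. The function names and the subject name are the example's own; it assumes the `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSL): certificate validity is a
# property of the certificate's dates, checked at verification time, so an
# operator needs a separate expiry watch rather than relying on connections
# being torn down. Function names and the CN below are the example's own.

# Create a self-signed certificate valid for N days (default 1) at the given
# paths. RSA-2048 keeps the example compatible with OpenSSL 1.1.0 defaults.
make_short_lived_cert() {
    cert=$1; key=$2; days=${3:-1}
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$cert" \
        -days "$days" -subj "/CN=expiry-example.test" >/dev/null 2>&1
}

# Succeed (exit 0) if the certificate will still be valid SECONDS from now,
# fail (exit 1) if it will have expired by then. `openssl x509 -checkend`
# compares notAfter with now+SECONDS; a lookahead of 0 asks "expired now?".
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the notAfter date so a monitoring job can log or alert on it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Demo: a one-day certificate passes the "valid right now" check but fails a
# two-day (172800 s) lookahead, which is the signal a renewal job acts on.
demo() {
    dir=$(mktemp -d) || return 1
    make_short_lived_cert "$dir/cert.pem" "$dir/key.pem" 1 || return 1
    echo "notAfter: $(cert_not_after "$dir/cert.pem")"
    if cert_valid_for "$dir/cert.pem" 0; then
        echo "valid now: an established session keeps running"
    fi
    if ! cert_valid_for "$dir/cert.pem" 172800; then
        echo "expires within 2 days: renew, reload, and plan the reconnect"
    fi
    rm -rf "$dir"
}

demo
```

Because an established session is not torn down when its certificate expires, renewal is only half the job: the application still has to reload the new certificate, and any policy that wants old sessions gone has to drop them itself. Running the lookahead check from a scheduled job is what gets a renewal in place before new handshakes start failing.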

Re: Existing connections on certification expires

Alan Buxey-2
In reply to this post by Robert Moskowitz
hi,


> 2) How can i get the list of ciphers supported by openssl 01.01.0f ?


openssl ciphers -v ???


> These question looks to be very basic but i could not find any concrete
> information regarding the same googling.

Google provides the answers if your question is well formed, or you could just read the openssl man pages?

alan
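Putting Alan's `openssl ciphers -v` and Paul's pointer to the `openssl ciphers` tool together, here is an added example, not code from the thread or from the OpenSSL project, of what a practitioner does with that list: enumerate the suites a build enables for a cipher string, then filter the output for suites that should not be offered. It parses the column layout that `openssl ciphers -v` prints (name, protocol, Kx, Au, Enc, Mac); the sample lines are constructed to match that layout, and the function and variable names are the example's own. Running it with `--live` queries the local `openssl` binary instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSL): enumerate the cipher suites
# an OpenSSL build offers and flag the ones a defender would normally exclude.
# `openssl ciphers -v` prints one suite per line in these columns:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
# Function and variable names are the example's own.

# List the suites OpenSSL enables for a cipher string (default: DEFAULT).
# Needs the openssl binary; fails loudly if it is missing.
list_ciphers() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    openssl ciphers -v "${1:-DEFAULT}"
}

# Read `openssl ciphers -v` output on stdin and print only suites that are
# weak by today's standards, with the first matching reason: no forward
# secrecy (Kx=RSA), anonymous key exchange (Au=None), RC4/3DES/DES bulk
# ciphers, or an MD5 MAC. TLS 1.3 suites (Kx=any, Au=any) are never flagged.
flag_weak() {
    awk '
        $3 == "Kx=RSA"             { print $1 " : no forward secrecy"; next }
        $4 == "Au=None"            { print $1 " : anonymous, no authentication"; next }
        $5 ~ /^Enc=(RC4|3DES|DES)/ { print $1 " : weak bulk cipher"; next }
        $6 == "Mac=MD5"            { print $1 " : MD5 MAC"; next }
    '
}

# Count the suites in `openssl ciphers -v` output on stdin.
count_ciphers() {
    grep -c '^[A-Z0-9-]' || true
}

# Constructed sample in the exact `openssl ciphers -v` layout (not real
# output from any particular build): one modern suite and three weak ones.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

# Run on the constructed sample by default; `--live [cipher-string]` asks the
# local openssl instead, e.g. `--live 'HIGH:!aNULL'`.
case "${1:-}" in
    --live) list_ciphers "${2:-DEFAULT}" | flag_weak ;;
    *)      printf '%s\n' "$SAMPLE_CIPHERS" | flag_weak ;;
esac
```

The filter is deliberately coarse: its job is to give a reviewer a short list to act on, and the fix is then a tighter cipher string (for example one that excludes `aNULL`, `RC4`, `3DES` and `MD5` and prefers ECDHE key exchange) rather than editing the output.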

Re: Existing connections on certification expires

Robert Moskowitz


On 08/28/2017 09:44 AM, Alan Buxey wrote:

> hi,
>
>
>> 2) How can i get the list of ciphers supported by openssl 01.01.0f ?
>
> openssl ciphers -v ???
>
>
>> These question looks to be very basic but i could not find any concrete
>> information regarding the same googling.
> Google provides the answers if your question is well formed. or you
> could just read the
> openssl man pages?

And I have found Professor Google to be very patient with me as I form
my questions to get answers I can work with.  But there HAVE been times
when my search foo has been weak, and the good Professor just can't
figure out what I want to learn....

Bob