SSL alert number 51


SSL alert number 51

Charles Mills

Good day –

Can anyone offer some clues on

10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:.\ssl\s3_pkt.c:1275:SSL alert number 51

OpenSSL 1.01h is the server, running on Windows 7 Pro 64 bit.

Thanks,

Charles

RE: SSL alert number 51

Dave Thompson-5
> From: [hidden email] On Behalf Of Charles Mills
> Sent: Wednesday, November 19, 2014 14:08

> 10280:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:.\ssl\s3_pkt.c:1275:SSL alert number 51

http://tools.ietf.org/html/rfc5246.html#section-7.2
   decrypt_error
      A handshake cryptographic operation failed, including being unable
      to correctly verify a signature or validate a Finished message.
      This message is always fatal.

Either there's a bug somewhere or you are being attacked (MitM'ed).

> OpenSSL 1.01h is the server, running on Windows 7 Pro 64 bit.

Do you mean the server, running 1.0.1h on Win7, produced this error message,
or some client talking *to* such a server produced the error?
In either case, what is in the error output or log of the opposite peer?

If you try to connect s_client to the server, or the client to s_server,
respectively,
does it work or what error info does it give you?



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: SSL alert number 51

Charles Mills
Dave -

Thanks much.

> Either there's a bug somewhere or you are being attacked (MitM'ed).

Unlikely I am being MitM'ed -- the connection is over a VPN. (Why TLS when
there is already a VPN in place? I am testing TLS software and the VPN is a
fact of life and my only client to server link.)

> Do you mean the server, running 1.0.1h on Win7, produced this error
> message, or some client talking *to* such a server produced the error?

Statement was kind of ambiguous, wasn't it? The server, which is OpenSSL
1.0.1h 5 Jun 2014, produced this message, when the client attempted to
connect.

The client is application software that uses the IBM GSK crypto library on
z/OS. The error message at the client end is Error code 9 returned from GSK
function gsk_secure_socket_init(): Cryptographic processing error. It is my
code that produces that exact message, but the 9 comes back from the
indicated method and the text comes from a system function, gsk_strerror(9).
The documentation says

9 Cryptographic processing error.
Explanation: An error is detected by a cryptographic
function. This error may also occur if key sizes that are
non-FIPS are used during an SSL handshake while
operating in FIPS mode.
User response: If the error occurred while executing
in FIPS mode, check that only FIPS key sizes are used.
Collect a System SSL trace containing the error and
then contact your service representative.

I can connect between the client and the server using the set of parameters
under test. They negotiate TLSV1.1 and what you call DHE-RSA-AES256-SHA and
GSK calls Cipher Suite 39 - SSL V3.0 AES SHA-1(ephemeral Diffie-Hellman)
RSA. It works provided I do not turn on FIPS 140-2 mode. If I turn on FIPS
140-2 mode with rc = gsk_fips_state_set(GSK_FIPS_STATE_ON); and use
otherwise identical parameters then this error occurs. (Cipher Suite 39 is a
valid FIPS 140-2 cipher suite, according to the IBM GSK documentation.)

I don't think that an s_client test would be terribly informative, seeing as
I can connect with the actual client software.

Back to you ...

Charles

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dave Thompson
Sent: Wednesday, November 19, 2014 2:20 PM
To: [hidden email]
Subject: RE: SSL alert number 51
Re: SSL alert number 51

Matt Caswell-2


On 19/11/14 22:57, Charles Mills wrote:

> Dave -
>
> Thanks much.
>
>> Either there's a bug somewhere or you are being attacked (MitM'ed).
>
> Unlikely I am being MitM'ed -- the connection is over a VPN. (Why TLS when
> there is already a VPN in place? I am testing TLS software and the VPN is a
> fact of life and my only client to server link.
>
>> Do you mean the server, running 1.0.1h on Win7, produced this error
> message, or some client talking *to* such a server produced the error?
>
> Statement was kind of ambiguous, wasn't it? The server, which is OpenSSL
> 1.0.1h 5 Jun 2014, produced this message, when the client attempted to
> connect.
>
> The client is application software that uses the IBM GSK crypto library on
> z/OS. The error message at the client end is Error code 9 returned from GSK
> function gsk_secure_socket_init(): Cryptographic processing error. It is my
> code that produces that exact message, but the 9 comes back from the
> indicated method and the text comes from a system function, gsk_strerror(9).
> The documentation says
>
> 9 Cryptographic processing error.
> Explanation: An error is detected by a cryptographic
> function. This error may also occur if key sizes that are
> non-FIPS are used during an SSL handshake while
> operating in FIPS mode.

My guess is that this last sentence is the cause of your problem.

> User response: If the error occurred while executing
> in FIPS mode, check that only FIPS key sizes are used.
> Collect a System SSL trace containing the error and
> then contact your service representative.
>
> I can connect between the client and the server using the set of parameters
> under test. They negotiate TLSV1.1 and what you call DHE-RSA-AES256-SHA and

FIPS 140-2 places restrictions on the size of the RSA key that you can
use. I'm not a FIPS 140-2 expert but I believe you have to be compliant
with the various other FIPS standards including FIPS 186-4(?):

"This Standard specifies three choices for the length of the modulus
(i.e.,nlen): 1024, 2048 and 3072 bits. Federal Government entities shall
generate digital signatures using one or more of these choices."

So how big is your RSA key on the server? Are you able to post the
certificate?

Matt

Re: SSL alert number 51

Dr. Stephen Henson
On Wed, Nov 19, 2014, Matt Caswell wrote:

>
>
> On 19/11/14 22:57, Charles Mills wrote:
>
> > User response: If the error occurred while executing
> > in FIPS mode, check that only FIPS key sizes are used.
> > Collect a System SSL trace containing the error and
> > then contact your service representative.
> >
> > I can connect between the client and the server using the set of parameters
> > under test. They negotiate TLSV1.1 and what you call DHE-RSA-AES256-SHA and
>
> FIPS 140-2 places restrictions on the size of the RSA key that you can
> use. I'm not a FIPS 140-2 expert but I believe you have to be compliant
> with the various other FIPS standards including FIPS 186-4(?):
>
> "This Standard specifies three choices for the length of the modulus
> (i.e.,nlen): 1024, 2048 and 3072 bits. Federal Government entities shall
> generate digital signatures using one or more of these choices."
>
> So how big is your RSA key on the server? Are you able to post the
> certificate?
>

Also the DH parameter size should be at least 1024 bits.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

RE: SSL alert number 51

Charles Mills
- DHE is 1024
- RSA is 2048

Server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charles [hidden email], O=Charles Mills Consulting, LLC
        Validity
            Not Before: Nov 19 17:06:26 2014 GMT
            Not After : Nov 19 17:06:26 2015 GMT
        Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charle [hidden email], O=X201NOTEBOOK_Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:31:37:47:60:74:b9:b7:f1:3e:31:40:d4:5b:
                    76:0b:a6:fb:d7:0d:75:87:3e:70:9b:1b:93:d2:a1:
                    0c:94:68:ba:ee:75:eb:28:28:de:16:25:32:d3:7a:
                    8c:4a:3f:39:1e:82:b6:5a:8a:89:75:cc:cc:77:87:
                    af:8f:9c:c6:dc:b2:40:5c:8a:0a:74:3e:f1:f5:9f:
                    da:23:b7:4d:a5:b7:48:7b:44:aa:58:8f:42:34:41:
                    a2:51:22:50:50:74:28:99:5f:56:b5:f8:77:26:8e:
                    a1:96:f3:28:10:7c:bf:75:37:a6:45:e7:3a:a2:63:
                    4f:ec:39:b0:12:51:90:18:7e:e2:a1:9e:76:c7:77:
                    bd:ab:cf:0c:d2:d0:e8:cb:a8:fc:c3:85:94:41:ed:
                    53:82:f5:0c:32:dc:0d:80:e5:2d:34:f1:9c:e4:98:
                    2d:93:20:6b:57:78:87:3e:5e:c5:50:45:5a:ac:af:
                    dc:bd:38:c1:3d:31:2c:18:bc:4f:f2:7e:cf:f0:ba:
                    94:57:54:3e:89:2a:af:37:73:08:4d:b7:e3:e1:bb:
                    9a:86:6d:f6:73:a3:22:d8:d9:c7:8d:2a:32:8a:be:
                    fa:36:66:54:c1:3a:7a:bd:e6:b8:2b:72:65:1f:c3:
                    5c:91:ca:bc:44:7b:0b:d2:8f:1c:73:75:ff:5d:ce:
                    cf:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:X201NOTEBOOK_Server, DNS:10.17.40.*, DNS:10.17.40.*
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:A3:68:D6:1D:26:59:91:5D:21:1B:45:99:C4:B2:92:BF:46:1D:29
    Signature Algorithm: sha1WithRSAEncryption
         61:2e:16:1c:b5:90:72:e8:b6:1c:00:82:5f:7f:70:69:14:e3:
         6b:fc:4c:3d:7f:24:f1:85:73:16:21:58:7e:46:4f:b5:97:d3:
         5e:92:f0:4e:70:be:28:41:12:65:1e:fd:12:f3:43:d5:96:44:
         60:96:3e:52:d8:1f:ae:8b:52:a1:bc:4f:1b:1a:59:2b:8f:5a:
         49:1e:21:4b:14:f1:d1:84:b3:fb:58:48:04:27:5f:ac:28:73:
         3b:81:c3:39:72:0a:6b:3e:c4:58:a9:a9:75:78:a1:f0:4e:6d:
         e7:4e:a2:71:22:9d:11:1a:a8:38:03:8c:ff:5c:9d:e0:a2:3a:
         39:39:0b:fb:c2:7a:ec:42:4e:fb:fe:53:c1:63:b1:c6:2d:59:
         14:82:4f:07:05:9d:91:96:e9:bd:15:c0:ba:f4:da:54:81:2e:
         11:f8:b9:86:00:a2:09:fc:7a:f5:c5:2d:44:06:c8:cc:2a:ad:
         b8:d7:12:90:43:7a:74:81:64:6b:19:db:00:d1:f6:cf:da:b9:
         c7:49:5e:4d:18:65:6d:ef:c0:0d:b9:9c:d1:27:27:b6:64:0c:
         11:5c:0d:a9:54:90:38:aa:61:63:f1:88:ae:d4:1b:40:98:96:
         3c:13:e9:97:8e:9f:a4:01:f5:a4:ff:4d:4a:c7:2e:a6:56:63:
         82:c0:57:7b
-----BEGIN CERTIFICATE-----
MIIETDCCAzSgAwIBAgIBDTANBgkqhkiG9w0BAQUFADCBkzEmMCQGA1UEAwwdQ2hh
cmxlcyBNaWxscyBDb25zdWx0aW5nLCBMTEMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
CzAJBgNVBAYTAlVTMR8wHQYJKoZIhvcNAQkBFhBjaGFybGVzbUBtY24ub3JnMSYw
JAYDVQQKDB1DaGFybGVzIE1pbGxzIENvbnN1bHRpbmcsIExMQzAeFw0xNDExMTkx
NzA2MjZaFw0xNTExMTkxNzA2MjZaMIGJMSYwJAYDVQQDDB1DaGFybGVzIE1pbGxz
IENvbnN1bHRpbmcsIExMQzETMBEGA1UECAwKQ2FsaWZvcm5pYTELMAkGA1UEBhMC
VVMxHzAdBgkqhkiG9w0BCQEWEGNoYXJsZXNtQG1jbi5vcmcxHDAaBgNVBAoME1gy
MDFOT1RFQk9PS19TZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDCMTdHYHS5t/E+MUDUW3YLpvvXDXWHPnCbG5PSoQyUaLrudesoKN4WJTLTeoxK
PzkegrZaiol1zMx3h6+PnMbcskBcigp0PvH1n9ojt02lt0h7RKpYj0I0QaJRIlBQ
dCiZX1a1+HcmjqGW8ygQfL91N6ZF5zqiY0/sObASUZAYfuKhnnbHd72rzwzS0OjL
qPzDhZRB7VOC9Qwy3A2A5S008ZzkmC2TIGtXeIc+XsVQRVqsr9y9OME9MSwYvE/y
fs/wupRXVD6JKq83cwhNt+Phu5qGbfZzoyLY2ceNKjKKvvo2ZlTBOnq95rgrcmUf
w1yRyrxEewvSjxxzdf9dzs8xAgMBAAGjgbIwga8wCQYDVR0TBAIwADA2BgNVHREE
LzAtghNYMjAxTk9URUJPT0tfU2VydmVyggoxMC4xNy40MC4qggoxMC4xNy40MC4q
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHujaNYdJlmR
XSEbRZnEspK/Rh0pMA0GCSqGSIb3DQEBBQUAA4IBAQBhLhYctZBy6LYcAIJff3Bp
FONr/Ew9fyTxhXMWIVh+Rk+1l9NekvBOcL4oQRJlHv0S80PVlkRglj5S2B+ui1Kh
vE8bGlkrj1pJHiFLFPHRhLP7WEgEJ1+sKHM7gcM5cgprPsRYqal1eKHwTm3nTqJx
Ip0RGqg4A4z/XJ3gojo5OQv7wnrsQk77/lPBY7HGLVkUgk8HBZ2Rlum9FcC69NpU
gS4R+LmGAKIJ/Hr1xS1EBsjMKq241xKQQ3p0gWRrGdsA0fbP2rnHSV5NGGVt78AN
uZzRJye2ZAwRXA2pVJA4qmFj8Yiu1BtAmJY8E+mXjp+kAfWk/01Kxy6mVmOCwFd7
-----END CERTIFICATE-----

Underlying root:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:60:c0:40:d6:22:00:f2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charles [hidden email], O=Charles Mills Consulting, LLC
        Validity
            Not Before: Nov 19 16:55:15 2014 GMT
            Not After : Nov 16 16:55:15 2024 GMT
        Subject: CN=Charles Mills Consulting, LLC, ST=California, C=US/emailAddress=charle [hidden email], O=Charles Mills Consulting, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bf:d0:88:2c:50:a1:99:68:01:09:1c:90:9b:0e:
                    59:4b:52:3d:97:78:f2:1f:cc:f8:b9:63:39:54:ee:
                    3c:5b:3a:65:cb:da:e1:a5:3a:29:3f:61:b6:1d:84:
                    17:be:cb:00:90:f9:b9:84:5a:02:f4:7d:25:3a:c4:
                    85:97:14:0b:a8:f4:94:29:20:09:d2:be:d2:7c:49:
                    ec:95:ba:1e:8f:20:a9:f8:6a:cf:08:57:52:2e:4b:
                    d4:19:ab:3d:95:68:0b:96:eb:7a:06:b9:0b:de:bd:
                    a0:3b:e0:49:d8:b9:dd:fd:80:32:a4:29:f0:31:9c:
                    28:0f:59:b8:10:ab:84:f7:b5:01:41:33:cf:57:ea:
                    4d:be:56:fc:8d:64:04:43:f4:9c:97:51:e3:14:4b:
                    6a:75:c4:be:e1:66:e3:e8:b9:45:65:11:e0:8b:5a:
                    ae:7a:2f:d6:05:1d:70:32:45:ee:d6:b9:bd:fe:c7:
                    f2:c9:7a:a4:7d:de:63:4d:88:cb:87:d7:31:0e:a9:
                    f7:9e:aa:e4:a6:96:78:f7:3e:e7:16:7a:09:fa:f1:
                    0e:7a:97:ae:4d:06:fe:97:25:73:c1:fd:09:e9:09:
                    b2:a3:11:6d:76:5d:4d:d7:da:69:21:14:a3:e4:4a:
                    c8:e9:b4:90:b5:de:c0:6e:81:3f:63:98:a8:93:b0:
                    18:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         a1:0c:7e:5f:bf:f1:90:19:4d:f6:95:24:33:94:d3:ee:cb:a2:
         2f:b3:6f:65:70:90:a2:2e:2d:69:16:2c:ef:85:00:41:47:ee:
         1a:0d:d6:89:09:41:0b:7e:de:b5:5d:33:53:f6:98:dd:3b:f4:
         c9:a3:9e:d1:f6:e6:72:47:16:ed:1a:b9:90:5a:eb:9b:3d:64:
         a8:66:2d:15:34:99:af:c1:fb:f5:32:9d:6c:00:ee:3b:d9:3c:
         dc:1b:e0:a4:b1:99:26:ef:be:76:69:71:90:34:b6:8b:25:08:
         44:3d:4c:42:8f:2c:5e:ad:c1:28:b5:0d:49:65:72:1b:63:10:
         a4:8e:31:15:ab:2f:2f:89:79:df:58:60:c9:3c:62:cd:f0:e3:
         75:62:85:4e:90:9a:ae:47:48:0d:d8:d6:ef:bd:3b:84:4b:b0:
         ba:fe:ff:b9:30:33:24:32:a8:91:7a:9a:f5:8a:7f:81:84:c1:
         55:76:af:ca:7a:aa:9f:14:03:16:62:b6:e2:17:1a:a4:24:a7:
         8d:6f:ea:6a:7c:d5:97:1b:c3:f1:25:f7:34:df:77:64:fe:7b:
         a1:9f:a0:a4:e5:c0:44:d8:83:dd:4e:b9:78:0d:14:42:9e:96:
         c3:cd:2b:f1:d6:f4:2d:49:51:68:11:75:32:e5:7a:0f:45:52:
         bd:8e:b2:89
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

DH:

   PKCS#3 DH Parameters: (1024 bit)
        prime:
            00:98:61:e7:82:f2:0a:00:cd:9a:26:7d:e3:e1:f2:
            fa:64:53:00:f4:ea:ce:eb:fe:a8:59:7c:47:f8:44:
            e2:93:26:69:33:4f:4a:fb:01:f4:67:90:f5:1c:d0:
            4f:ce:d7:1f:33:8b:60:35:49:fa:94:dd:3e:1a:58:
            6e:ef:4c:88:d4:93:c7:af:a1:7a:f3:d7:9c:f0:4a:
            2a:0b:cc:04:bd:a0:61:08:37:ac:8c:c7:67:dc:82:
            a2:b5:be:97:b9:0d:c3:bf:15:fd:c6:c0:21:0b:e4:
            e9:e9:ff:c2:5c:8a:49:15:8d:af:99:f9:4d:17:2e:
            3f:63:1f:34:bc:1b:08:49:07
        generator: 5 (0x5)
-----BEGIN DH PARAMETERS-----
MIGHAoGBAJhh54LyCgDNmiZ94+Hy+mRTAPTqzuv+qFl8R/hE4pMmaTNPSvsB9GeQ
9RzQT87XHzOLYDVJ+pTdPhpYbu9MiNSTx6+hevPXnPBKKgvMBL2gYQg3rIzHZ9yC
orW+l7kNw78V/cbAIQvk6en/wlyKSRWNr5n5TRcuP2MfNLwbCEkHAgEF
-----END DH PARAMETERS-----

Charles

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, November 19, 2014 4:35 PM
To: [hidden email]
Subject: Re: SSL alert number 51
RE: SSL alert number 51

Charles Mills
To be perfectly clear, the server is not OpenSSL itself but application code
that calls OpenSSL. The code is stable and in production and, as I said,
works if I do *not* turn on FIPS on the client. I could trace through the
calls if necessary.

Also, I will be out of the office all day Thursday so this is probably my
last reply for ~36 hours.

Thanks for your help. I really appreciate what you folks do.

Charles

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Charles Mills
Sent: Wednesday, November 19, 2014 4:53 PM
To: [hidden email]
Subject: RE: SSL alert number 51
RE: SSL alert number 51

Charles Mills
In reply to this post by Matt Caswell-2
I posted the certificates. What's next?

Charles

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Matt Caswell
Sent: Wednesday, November 19, 2014 3:35 PM
To: [hidden email]
Subject: Re: SSL alert number 51



On 19/11/14 22:57, Charles Mills wrote:

> Dave -
>
> Thanks much.
>
>> Either there's a bug somewhere or you are being attacked (MitM'ed).
>
> Unlikely I am being MitM'ed -- the connection is over a VPN. (Why TLS
> when there is already a VPN in place? I am testing TLS software and
> the VPN is a fact of life and my only client to server link.
>
>> Do you mean the server, running 1.0.1h on Win7, produced this error
> message, or some client talking *to* such a server produced the error?
>
> Statement was kind of ambiguous, wasn't it? The server, which is
> OpenSSL 1.0.1h 5 Jun 2014, produced this message, when the client
> attempted to connect.
>
> The client is application software that uses the IBM GSK crypto
> library on z/OS. The error message at the client end is Error code 9
> returned from GSK function gsk_secure_socket_init(): Cryptographic
> processing error. It is my code that produces that exact message, but
> the 9 comes back from the indicated method and the text comes from a
system function, gsk_strerror(9).
> The documentation says
>
> 9 Cryptographic processing error.
> Explanation: An error is detected by a cryptographic function. This
> error may also occur if key sizes that are non-FIPS are used during an
> SSL handshake while operating in FIPS mode.

My guess is that this last sentence is the cause of your problem.

> User response: If the error occurred while executing in FIPS mode,
> check that only FIPS key sizes are used.
> Collect a System SSL trace containing the error and then contact your
> service representative.
>
> I can connect between the client and the server using the set of
> parameters under test. They negotiate TLSV1.1 and what you call
> DHE-RSA-AES256-SHA and

FIPS 140-2 places restrictions on the size of the RSA key that you can use.
I'm not a FIPS 140-2 expert but I believe you have to be compliant with the
various other FIPS standards including FIPS 186-4(?):

"This Standard specifies three choices for the length of the modulus
(i.e., nlen): 1024, 2048 and 3072 bits. Federal Government entities shall
generate digital signatures using one or more of these choices."

So how big is your RSA key on the server? Are you able to post the
certificate?

Matt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]


Re: SSL alert number 51

Matt Caswell-2


On 21/11/14 14:43, Charles Mills wrote:
> I posted the certificates. What's next?
>
> Charles

The key sizes look ok to me. As I said I'm no FIPS expert, but this page
http://wiki.openssl.org/index.php/FIPS_mode_and_TLS

says the following:
"The RSA key in the certificate has to be of suitable size (2048 bits
minimum) as do all other keys in the chain and none of the CAs can sign
using SHA1."

But your certificates say:
Signature Algorithm: sha1WithRSAEncryption

So I'm wondering if that is the problem? Failing that you may need to
approach IBM since the alert is being generated from their code.

Matt

Re: SSL alert number 51

Dr. Stephen Henson
On Fri, Nov 21, 2014, Matt Caswell wrote:

>
>
> On 21/11/14 14:43, Charles Mills wrote:
> > I posted the certificates. What's next?
> >
> > Charles
>
> The key sizes look ok to me. As I said I'm no FIPS expert, but this page
> http://wiki.openssl.org/index.php/FIPS_mode_and_TLS
>
> says the following:
> "The RSA key in the certificate has to be of suitable size (2048 bits
> minimum) as do all other keys in the chain and none of the CAs can sign
> using SHA1."
>
> But your certificates say:
> Signature Algorithm: sha1WithRSAEncryption
>
> So I'm wondering if that is the problem? Failing that you may need to
> approach IBM since the alert is being generated from their code.
>

The rules changed some time after the release of the current OpenSSL FIPS
module.

In the original version SHA1 was allowed and keysizes for RSA, DH had to be
1024 bits minimum.

The new version disallows SHA1 for digital signatures and has the 2048 bit
limit. Depending on the interpretation it might effectively ban anything
other than TLS 1.2 (previous versions of TLS use MD5+SHA1 for RSA signatures).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
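The two certificate checks Matt and Steve describe above (an RSA modulus of at least 2048 bits, and no sha1WithRSAEncryption signature) as an added, stdlib-only example that is not code from this thread or from OpenSSL. The DER walker is minimal but handles real certificates; the certificate it audits is a constructed, unsigned skeleton built by `sample_cert`, and the OID constants are the standard PKCS#1 values.

```python
OID_RSA_ENCRYPTION = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption, raw DER (tag+len)
OID_SHA1_RSA = bytes.fromhex("06092a864886f70d010105")         # sha1WithRSAEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")       # sha256WithRSAEncryption

def der_read(buf, off=0):
    """Decode one TLV at buf[off:]; return (tag, content, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                 # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(content):            # split SEQUENCE content into its element TLVs
    out, off = [], 0
    while off < len(content):
        end = der_read(content, off)[2]
        out.append(content[off:end])
        off = end
    return out

def audit_cert(cert_der, min_bits=2048):
    """Return (signature OID bytes, RSA modulus bits or None, list of problems)."""
    tbs, sig_alg = der_children(der_read(cert_der)[1])[:2]
    sig_oid = der_children(der_read(sig_alg)[1])[0]
    rsa_bits = None
    for field in der_children(der_read(tbs)[1]):     # find subjectPublicKeyInfo
        tag, content, _ = der_read(field)
        parts = der_children(content) if tag == 0x30 else []
        if len(parts) == 2 and parts[0][0] == 0x30 and \
                der_children(der_read(parts[0])[1])[0] == OID_RSA_ENCRYPTION:
            # BIT STRING payload (after the unused-bits byte) -> RSAPublicKey -> modulus
            modulus = der_children(der_read(der_read(parts[1])[1][1:])[1])[0]
            rsa_bits = int.from_bytes(der_read(modulus)[1], "big").bit_length()
    problems = ["certificate signed with SHA1"] if sig_oid == OID_SHA1_RSA else []
    if rsa_bits is None or rsa_bits < min_bits:
        problems.append("RSA key smaller than %d bits" % min_bits)
    return sig_oid, rsa_bits, problems

def der(tag, content):                # encode one TLV; only used to build the sample below
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def sample_cert(bits, sig_oid):
    """Constructed, unsigned certificate skeleton carrying an RSA key of `bits` bits."""
    der_int = lambda v: der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    modulus = (1 << (bits - 1)) | 1                   # odd value of exactly `bits` bits
    spki = der(0x30, der(0x30, OID_RSA_ENCRYPTION + b"\x05\x00") +
               der(0x03, b"\x00" + der(0x30, der_int(modulus) + der_int(65537))))
    tbs = der(0x30, der_int(1) + der(0x30, sig_oid) + der(0x30, b"") * 3 + spki)
    return der(0x30, tbs + der(0x30, sig_oid) + der(0x03, b"\x00" * 33))
```

Feed `audit_cert` the DER bytes of a real certificate (for example after `openssl x509 -outform DER`) and it reports the same two problems for the server cert and for every CA in the chain.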

RE: SSL alert number 51

Charles Mills
In reply to this post by Matt Caswell-2
Thanks. I guess I may have to open a problem with IBM. The IBM documentation
clearly lists a number of "cipher suites" (as they call them) that use SHA1
(including the one we (IBM+OpenSSL) default to as being FIPS 140-2
compliant).

GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly not FIPS
140-2 compliant.

Hmm. I had this note partly composed when Dr. Henson's reply came in. I am
thoroughly mystified.

Charles


Re: SSL alert number 51

Dr. Stephen Henson
On Fri, Nov 21, 2014, Charles Mills wrote:

> Thanks. I guess I may have to open a problem with IBM. The IBM documentation
> clearly lists a number of "cipher suites" (as they call them) that use SHA1
> (including the one we (IBM+OpenSSL) default to as being FIPS 140-2
> compliant).
>
> GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly not FIPS
> 140-2 compliant.
>
> Hmm. I had this note partly composed when Dr. Henson's reply came in. I am
> thoroughly mystified.
>

Could try to connect your client to OpenSSL's s_server utility with the -state
(or for 1.0.2 -trace)? If we can find out what message is triggering that
error it might give some hints.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
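An added example, not from this thread or from OpenSSL, of reading the `-state` output Steve suggests: it reports the first fatal alert together with the handshake state it arrived in and the last message written, which is what tells you which message the peer objected to. The line shapes and state names are assumed from OpenSSL 1.0.1's `s_server -state` output and the sample trace is constructed, not captured.

```python
import re

# Line shapes printed by the -state callback of s_server/s_client (assumed from
# OpenSSL 1.0.1's apps/s_cb.c; exact state names vary between releases):
#   "SSL_accept:SSLv3 write server done A"   handshake state transition
#   "SSL3 alert read:fatal:decrypt error"    alert received ("write" = alert sent)
STATE_RE = re.compile(r"^(SSL_accept|SSL_connect):(.+)$")
ALERT_RE = re.compile(r"^SSL3 alert (read|write):(warning|fatal):(.+)$")

def locate_fatal_alert(trace_lines):
    """Return (direction, description, state at the alert, last message written)
    for the first fatal alert in a -state trace, or None if there is none.
    A *read* alert while waiting for the peer's reply means the peer rejected
    something in the flight we just wrote (here: certificate / key exchange)."""
    last_state = last_sent = None
    for line in trace_lines:
        line = line.strip()
        m = STATE_RE.match(line)
        if m and not m.group(2).startswith(("failed in", "error in")):
            last_state = m.group(2)
            if " write " in last_state:
                last_sent = last_state
        m = ALERT_RE.match(line)
        if m and m.group(2) == "fatal":
            return m.group(1), m.group(3), last_state, last_sent
    return None

# Constructed sample of what 'openssl s_server -state' might log for a DHE-RSA
# handshake in which the client rejects the server's certificate/key exchange.
SAMPLE_TRACE = """\
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client certificate A
SSL3 alert read:fatal:decrypt error
SSL_accept:failed in SSLv3 read client certificate A
""".splitlines()

if __name__ == "__main__":
    print(locate_fatal_alert(SAMPLE_TRACE))
```

In the sample the alert is read right after the server's hello flight, so the client failed on the certificate or the signed ServerKeyExchange, which is consistent with the SHA1-signed certificate found later in the thread.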

RE: SSL alert number 51

Charles Mills
Thanks guys for all of the clues! I got it working! Long story. Wow, FIPS is
a moving target. I re-did my root CA with SHA 256, and my server
certificate. I had to move my testing from z/OS V1R13 to z/OS V2R1 --
*apparently* V1R13 does not support TLS V1.2 which as you intimated at some
point may be required for things that FIPS requires. (A corollary would seem
to be that z/OS V1R13 does not support current FIPS requirements but don't
quote me on that.)

Charles


RE: SSL alert number 51

Charles Mills
To set the record straight, I am told that a PTF (IBMese for patch) is
required for z/OS V1R13 to support TLS v1.2.

Charles


RE: SSL alert number 51

Dave Thompson-5
In reply to this post by Charles Mills
> From: [hidden email] On Behalf Of Charles Mills
> Sent: Friday, November 21, 2014 12:30

> Thanks. I guess I may have to open a problem with IBM. The IBM
> documentation
> clearly lists a number of "cipher suites" (as they call them) that use SHA1
> (including the one we (IBM+OpenSSL) default to as being FIPS 140-2
> compliant).
>
"cipher suite(s)" is the official term in the TLS standards,
mostly two words but sometimes hyphenated or run together,
so not surprisingly most implementations use it or a variant.
The "SHA" at the end of a suite name defined before TLS1.2
is actually SHA1 used within HMAC for integrity check.
(HMAC is a generic MAC-from-hash construction.)
The new suites defined in or after TLS1.2 use SHA256 or SHA384
for HMAC, or are authenticated-encryption with *no* HMAC,
although they still vary the hash used in the PRF for key derivation.

> GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly not
> FIPS 140-2 compliant.
>
(That's a typo. SSL/TLS never used MD4, or MD2. It did use RC4 and RC2.)

Not quite, the picture is more nuanced. Although if you *can*
go to TLS1.2 and a SHA256 or SHA384 suite that is Best Practice.

800-131A (Jan 2011) "codified" in 800-57 part1 rev3 (July 2013)
prohibits SHA1 *for signature and hash-only* (which are assumed
subject to collision attack) after 2013. It is still allowed for HMAC
and some other uses that protect against collision. (Even after 2030
when 3TDEA, SHA-224, IFC&FFC 2048, and ECC 224 are scheduled
to go away, although they may well re-think before then.)

In particular, draft 800-52 rev1 (Jan 2013) allows the TLS1.0&1.1
PRF (key derivation) with SHA1-xor-MD5; MD5 is not Approved
at all but this construction doesn't rely on it and SHA1 *for KDF*
is okay. However TLS1.0 is disallowed for another reason.

Similarly in non-FIPS situations the two (HMAC-)MD5 suites
that are not SSLv2-only and not export-weakened are still  
mostly considered acceptable, though at the same time
certs *signed* with MD5 are not, and certs signed with SHA1
won't be within a year or two. Not that this really matters,
since you practically always have a better option.



