Hi there,
this is a little bit off-topic, because I am sure this is more of a Linux/OpenSSL question than Smalltalk related. We develop on Windows and use idea_ecb for encrypting some data. On Windows, all is fine with this call and subsequent operations:

    cipher := OSSslCipher idea_ecb.

On our Linux (Ubuntu 14.04) machines, the result of the call is this:

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_idea_ecb'
    AuxiliaryData: nil

So I guess I need to add some ciphers to OpenSSL on the Linux box, but all I find on the covers C code and include files and such. And to be honest, I am not even sure whether this is more a problem of using calls like add_all_algorithms or if I am missing any Ubuntu/OpenSSL packages on the target machine.

Do people here have any hints for me? I've tried googling for a while and had no success so far.

Joachim

You received this message because you are subscribed to the Google Groups "VA Smalltalk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email]. Visit this group at https://groups.google.com/group/va-smalltalk. For more options, visit https://groups.google.com/d/optout.
I don't know much, but I suspect it's important to know whether you are on VA 8.6.3 with your own (which?) version of OpenSSL, versus older VA with its own OpenSSL 0.9.8.
Hello Joachim,
Please report to me the following info from the Ubuntu machine in a development image with the openssl libraries that you are using.

    | libVersion |
    libVersion := OSSslVersion getLibraryVersion.
    libVersion version. "What's this report?"
    libVersion compilerFlags "What's this report?"

--Seth

On Saturday, July 29, 2017 at 7:44:56 AM UTC-4, Wayne Johnston wrote:
My suspicion is that IDEA cipher is disabled in Ubuntu's build of OpenSSL.
What does 'openssl list -disabled' report?
In reply to this post by Seth Berman
Hi Seth,
the Linux box is headless. But I begin to realize that XD packaging and only testing on a production-like headless Linux is not a concept that gets us far enough...

I will add this to one of our "debug screens" and see what the headless machine tells us...

Joachim

On Saturday, 29 July 2017 15:40:31 UTC+2, Seth Berman wrote:
In reply to this post by Seth Berman
Seth
Again, thanks for answering. I guess you are right. There is no list -disabled command, but openssl ciphers doesn't show any IDEA algos, not even on 16.04.

Since we can choose the algorithm, we'll switch to another one that's available on Ubuntu. We won't go through the recompilation game for openssl if it's not absolutely necessary...

Joachim

On Saturday, 29 July 2017 19:15:12 UTC+2, Seth Berman wrote:

> My suspicion is that IDEA cipher is disabled in Ubuntu's build of OpenSSL.
So things seem to be not so easy.
I tried switching to

    OSSslCipher aes_256_gcm

And the result is the very same:

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_gcm'
    AuxiliaryData: nil

Now I wonder: what does the cipher have to look like in the command 'openssl ciphers'? Doing 'openssl ciphers | grep EVP' yields no results.

Here is what 'openssl ciphers' displays on our target machine:

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA

I am simply looking for a way to encrypt and decrypt a String... Seems this is not so easy on Ubuntu 14.04...

Joachim

On Sunday, 30 July 2017 10:57:43 UTC+2, Joachim Tuchel wrote:
It would be good to know what version of the library you are using. GCM mode was not available in all versions of openssl.
Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old
Seth,
On Sunday, 30 July 2017 15:58:12 UTC+2, Seth Berman wrote:

> It would be good to know what version of the library you are using. GCM mode was not available in all versions of openssl.

openssl version -a says:

    OpenSSL 1.0.1f 6 Jan 2014
    built on: Mon Jan 30 20:38:38 UTC 2017
    platform: debian-amd64
    options: bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
    OPENSSLDIR: "/usr/lib/ssl"

Even though this sounds extremely old, apt-get upgrade and apt-get dist-upgrade don't find anything newer.

> Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_cbc'
    AuxiliaryData: nil

I am a bit lost here...

Joachim
Hi Joachim,
Ok...so now the question is....is this the version of openssl that your runtime image is actually binding to. For that, I would need to see the output of what I previously suggested.

    | libVersion |
    libVersion := OSSslVersion getLibraryVersion.
    libVersion version. "What's this report?"
    libVersion compilerFlags "What's this report?"

-- Seth

On Monday, July 31, 2017 at 11:51:35 AM UTC-4, Joachim Tuchel wrote:
Hi Joachim,
Something else to try is to adjust your ini file to point to the absolute path of CRYPTO_LIB and SSL_LIB so we can remove shared library resolution out of the equation. For example, mine would read

    CRYPTO_LIB=/lib/i386-linux-gnu/libcrypto.so
    SSL_LIB=/lib/i386-linux-gnu/libssl.so

On Monday, July 31, 2017 at 11:54:25 AM UTC-4, Seth Berman wrote:
In reply to this post by jtuchel
From OpenSSL's pages:

    02-Jan-2017: The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2.

On Monday, July 31, 2017 at 8:51:35 AM UTC-7, Joachim Tuchel wrote:
Richard,
Canonical decided to backport the Heartbleed and other fixes to the 1.0.1 series. 1.01f still is the supported version on Ubuntu 14.04. As I said, apt-get upgrade doesn't install anything newer, and 14.0.4 is still supported. We get security updates several times a week.

Joachim

On Monday, 31 July 2017 19:12:24 UTC+2, Richard Sargent wrote:
In reply to this post by Seth Berman
Seth,
thank you very much, you asked the perfect questions and helped me find the solution. As I guessed, it was not a VAST problem at all. Our Ubuntu box was missing a few important parts ;-)

If anybody here is interested in the way I found the solution with Seth's help, here is what I did.

I tried these:

    find / -name libssl.so
    /usr/local/vast860/bin/libssl.so

    find / -name libcrypto.so
    /usr/local/vast860/bin/libcrypto.so

But I am not using the binaries in vast860 any more. So I seem to neither have libssl nor libcrypto. Which is hard to believe since Apache serves pages using SSL on the very same machine...

So I found out I need to install libssl-dev in order to get libcrypto (not sure I understand, but...). Then I installed it (apt-get install libssl-dev) and now I see this:

    root@dbsrv:/usr/bin# find / -name libssl.so
    /usr/lib/x86_64-linux-gnu/libssl.so
    /usr/local/vast860/bin/libssl.so
    root@dbsrv:/usr/bin# find / -name libcrypto.so
    /usr/lib/x86_64-linux-gnu/libcrypto.so
    /usr/local/vast860/bin/libcrypto.so

The smalltalk image cannot find libcrypto:

    (ExError) An error has occurred.: Primitive failed calling 'CRYPTO_LIB':SSLeay_version from PlatformFunction>>#primitiveAsyncCallSetUp:asyncBlock:inFuture: due to OS error1

.. which sounds reasonable, since I still only have the 64-bit variants of the libs installed. So I did:

    apt-get install libssl-dev:i386

and voila: The libs are there

    root@dbsrv:/usr/bin# find / -name libssl.so
    /usr/lib/i386-linux-gnu/libssl.so
    /usr/lib/x86_64-linux-gnu/libssl.so
    /usr/local/vast860/bin/libssl.so
    root@dbsrv:/usr/bin# find / -name libcrypto.so
    /usr/lib/i386-linux-gnu/libcrypto.so
    /usr/lib/x86_64-linux-gnu/libcrypto.so
    /usr/local/vast860/bin/libcrypto.so

So now I get an output for the libversion from within the Smalltalk image:

.... and now I can get the ciphers I need.

Finally. The issue is solved, it was, of course, an Ubuntu installation problem and not a VAST problem. Thanks to all who answered and helped. You helped me look at the right things!

Joachim

On Monday, 31 July 2017 17:54:25 UTC+2, Seth Berman wrote:
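The three explanations raised in this thread (no libcrypto.so on disk, a library built for a different word size than the calling process, and a cipher function the build does not export) can be told apart outside the Smalltalk image. The Python sketch below is an added example, not part of any post and not VA Smalltalk code; the function names are made up here, and the paths in the demo loop are the ones quoted in the thread.

```python
import ctypes
import struct

PROCESS_BITS = struct.calcsize("P") * 8   # 32 or 64 for the running interpreter
ELF_BITS = {1: 32, 2: 64}                 # e_ident[EI_CLASS] -> word size

def elf_bits(header: bytes):
    """Word size of an ELF file from its first 5 bytes, or None if not ELF."""
    if len(header) < 5 or header[:4] != b"\x7fELF":
        return None
    return ELF_BITS.get(header[4])

def exported(lib, names):
    """Map each symbol name to whether the loaded library exports it (dlsym)."""
    return {name: hasattr(lib, name) for name in names}

def probe(path, names, process_bits=PROCESS_BITS):
    """Classify why a cipher lookup against the library at `path` would fail."""
    try:
        with open(path, "rb") as fh:
            bits = elf_bits(fh.read(5))
    except OSError:
        return "library file missing"
    if bits is None:
        return "not an ELF shared object"
    if bits != process_bits:
        # Same situation as a 32-bit image with only 64-bit libs installed.
        return f"architecture mismatch: {bits}-bit library, {process_bits}-bit process"
    try:
        lib = ctypes.CDLL(path)           # dlopen, as the image's CRYPTO_LIB binding does
    except OSError as exc:
        return f"load failed: {exc}"
    missing = [n for n, ok in exported(lib, names).items() if not ok]
    return "symbols not exported: " + ", ".join(missing) if missing else "ok"

if __name__ == "__main__":
    # Paths quoted in the thread; adjust for the machine under test.
    for path in ("/usr/lib/x86_64-linux-gnu/libcrypto.so",
                 "/usr/lib/i386-linux-gnu/libcrypto.so"):
        print(path, "->", probe(path, ["EVP_idea_ecb", "EVP_aes_256_cbc"]))
```

Pass `process_bits=32` when checking libraries on behalf of a 32-bit image from a 64-bit Python.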
Hi Joachim,
Great news...glad to help.

-- Seth

On Tuesday, August 1, 2017 at 1:06:28 AM UTC-4, Joachim Tuchel wrote: