OpenSSL: Enabling ciphers / algorithms


OpenSSL: Enabling ciphers / algorithms

jtuchel
Hi there,

this is a little bit off-topic, because I am sure this is more of a Linux/OpenSSL question than Smalltalk related.

We develop on Windows and use idea_ecb for encrypting some data. On Windows, all is fine with this call and subsequent operations:

 
    cipher := OSSslCipher idea_ecb.


On our Linux (Ubuntu 14.04) machines, the result of the call is this:

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_idea_ecb'
    AuxiliaryData: nil


So I guess I need to add some ciphers to OpenSSL on the Linux box, but all I find on the covers C code and include files and such. And to be honest, I am not even sure whether this is more a problem of using calls like add_all_algorithms or if I am missing any Ubuntu/OpenSSL packages on the target machine.

Do people here have any hints for me? I've tried googling for a while and had no success so far.

Joachim

--
You received this message because you are subscribed to the Google Groups "VA Smalltalk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/va-smalltalk.
For more options, visit https://groups.google.com/d/optout.

Re: OpenSSL: Enabling ciphers / algorithms

Wayne Johnston
I don't know much, but I suspect it's important to know whether you are on VA 8.6.3 with your own (which?) version of OpenSSL, versus older VA with its own OpenSSL 0.9.8.


Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
Hello Joachim,

Please report to me the following info from the Ubuntu machine in a development image with the openssl libraries that you are using.

    | libVersion |

    libVersion := OSSslVersion getLibraryVersion.
    libVersion version.               "What's this report?"
    libVersion compilerFlags     "What's this report?"

--Seth


Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
My suspicion is that IDEA cipher is disabled in Ubuntu's build of OpenSSL.
What does 'openssl list -disabled' report?


Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
In reply to this post by Seth Berman
Hi Seth,

the Linux box is headless. But I begin to realize that XD packaging and only testing on a production-like headless Linux is not a concept that gets us far enough...

I will add this to one of our "debug screens" and see what the headless machine tells us...

Joachim




Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
In reply to this post by Seth Berman
Seth

Again, thanks for answering.

I guess you are right. There is no list -disabled command, but openssl ciphers doesn't show any IDEA algos, not even on 16.04.

Since we can choose the algorithm, we'll switch to another one that's available on Ubuntu. We won't go through the recompilation game for openssl if it's not absolutely necessary...

Joachim






Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
So things seem to be not so easy.

I tried switching to

OSSslCipher aes_256_gcm

And the result is the very same:

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_gcm'
    AuxiliaryData: nil

Now I wonder: what does the cipher have to look like in the command 'openssl ciphers'?
Doing 'openssl ciphers | grep EVP' yields no results.


Here is what 'openssl ciphers' displays on our target machine:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA


I am simply looking for a way to encrypt and decrypt a String... Seems this is not so easy on Ubuntu 14.04...

Joachim












Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
It would be good to know what version of the library you are using.  GCM mode was not available in all versions of openssl.
Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old


Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
Seth,


On Sunday, July 30, 2017 at 15:58:12 UTC+2, Seth Berman wrote:
It would be good to know what version of the library you are using.  GCM mode was not available in all versions of openssl.


openssl version -a says:
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan 30 20:38:38 UTC 2017
platform: debian-amd64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


Even though this sounds extremely old, apt-get upgrade and apt-get dist-upgrade don't find anything newer.

 
Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old


    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_cbc'
    AuxiliaryData: nil


I am a bit lost here...


Joachim




Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
Hi Joachim,

Ok...so now the question is....is this the version of openssl that your runtime image is actually binding to.
For that, I would need to see the output of what I previously suggested.


    | libVersion |

    libVersion := OSSslVersion getLibraryVersion.
    libVersion version.               "What's this report?"
    libVersion compilerFlags     "What's this report?"

-- Seth


Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
Hi Joachim,

Something else to try is to adjust your ini file to point to the absolute path of CRYPTO_LIB and SSL_LIB
so we can remove shared library resolution out of the equation.

For example, mine would read
CRYPTO_LIB=/lib/i386-linux-gnu/libcrypto.so
SSL_LIB=/lib/i386-linux-gnu/libssl.so



Re: OpenSSL: Enabling ciphers / algorithms

Richard Sargent
Administrator
In reply to this post by jtuchel
From OpenSSL's pages:
02-Jan-2017: The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2.


Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
Richard,

Canonical decided to backport the Heartbleed and other fixes to the 1.0.1 series. 1.01f still is the supported version on Ubuntu 14.04.
As I said, apt-get upgrade doesn't install anything newer, and 14.0.4 is still supported. We get security updates several times a week.

Joachim



Re: OpenSSL: Enabling ciphers / algorithms

jtuchel
In reply to this post by Seth Berman
Seth,

thank you very much, you asked the perfect questions and helped me find the solution. As I guessed, it was not a VAST problem at all. Our Ubuntu box was missing a few important parts ;-)

If anybody here is interested in the way I found the solution with Seth's help, here is what I did.

I tried these:

find / -name libssl.so
/usr/local/vast860/bin/libssl.so

find / -name libcrypto.so
/usr/local/vast860/bin/libcrypto.so


But I am not using the binaries in vast860 any more. So I seem to neither have libssl nor libcrypto. Which is hard to believe since Apache serves pages using SSL on the very same machine...


So I found out I need to install libssl-dev in order to get libcrypto (not sure I understand, but...). Then I installed it (apt-get install libssl-dev) and now I see this:
root@dbsrv:/usr/bin# find / -name libssl.so
/usr/lib/x86_64-linux-gnu/libssl.so
/usr/local/vast860/bin/libssl.so


root@dbsrv:/usr/bin# find / -name libcrypto.so
/usr/lib/x86_64-linux-gnu/libcrypto.so
/usr/local/vast860/bin/libcrypto.so


The Smalltalk image cannot find libcrypto: (ExError) An error has occurred.: Primitive failed calling 'CRYPTO_LIB':SSLeay_version from PlatformFunction>>#primitiveAsyncCallSetUp:asyncBlock:inFuture: due to OS error1

.. which sounds reasonable, since I still only have the 64-bit variants of the libs installed.

So I did:

apt-get install libssl-dev:i386

and voila: The libs are there

root@dbsrv:/usr/bin# find / -name libssl.so
/usr/lib/i386-linux-gnu/libssl.so
/usr/lib/x86_64-linux-gnu/libssl.so
/usr/local/vast860/bin/libssl.so

root@dbsrv:/usr/bin# find / -name libcrypto.so
/usr/lib/i386-linux-gnu/libcrypto.so
/usr/lib/x86_64-linux-gnu/libcrypto.so
/usr/local/vast860/bin/libcrypto.so



So now I get an output for the libversion from within the Smalltalk image:

OpenSSL 1.0.1f 6 Jan 2014
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


.... and now I can get the ciphers I need. Finally, the issue is solved. It was, of course, an Ubuntu installation problem and not a VAST problem.


Thanks to all who answered and helped. You helped me look at the right things!


Joachim
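The thread raised two possible causes for "Function not in library: EVP_...": a libcrypto built without the cipher, and a libcrypto the 32-bit image cannot load at all. The following is an added example, not part of the original posts and not VA Smalltalk code, that tells them apart by reading the library's ELF header and then looking up the EVP functions named in the error hints (`openssl ciphers` lists TLS cipher suites, so it cannot answer this). The helper names and the constructed sample headers are assumptions made for the example.

```python
"""Separate 'library has the wrong architecture' from 'cipher not compiled in'."""
import ctypes
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: 32, 2: 64}               # e_ident[EI_CLASS]
ELF_MACHINE = {3: "i386", 62: "x86_64"}  # e_machine: EM_386, EM_X86_64

# Constructed 20-byte ELF header prefixes for testing (not real libraries).
SAMPLE_ELF32_I386 = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9) + struct.pack("<HH", 3, 3)
SAMPLE_ELF64_X86_64 = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9) + struct.pack("<HH", 3, 62)

# Function names taken from the "Function not in library" hints in the thread.
WANTED = ("EVP_idea_ecb", "EVP_aes_256_cbc", "EVP_aes_256_gcm")


def elf_info(header):
    """Return (bits, machine) from the first 20 bytes of an ELF file, or None."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    bits = ELF_CLASS.get(header[4])
    endian = "<" if header[5] == 1 else ">"   # e_ident[EI_DATA]
    (machine,) = struct.unpack_from(endian + "H", header, 18)
    return bits, ELF_MACHINE.get(machine, "machine#%d" % machine)


def process_bits():
    """Word size of the running Python process (32 or 64)."""
    return struct.calcsize("P") * 8


def diagnose(header, caller_bits, has_symbol, wanted=WANTED):
    """Classify a binding failure; has_symbol(name) is only called if the arch fits."""
    info = elf_info(header)
    if info is None:
        return {"status": "not-elf", "missing": list(wanted)}
    bits, machine = info
    if bits != caller_bits:
        # A 32-bit caller cannot map a 64-bit library, so every lookup fails.
        return {"status": "wrong-arch", "library": machine, "missing": list(wanted)}
    missing = [name for name in wanted if not has_symbol(name)]
    status = "symbols-missing" if missing else "ok"
    return {"status": status, "library": machine, "missing": missing}


def probe(path, caller_bits=None, wanted=WANTED):
    """Check a real library file, e.g. the path configured as CRYPTO_LIB."""
    with open(path, "rb") as fh:
        header = fh.read(20)
    loaded = []

    def has_symbol(name):
        if not loaded:                      # dlopen() lazily, only when needed
            loaded.append(ctypes.CDLL(path))
        return hasattr(loaded[0], name)     # dlsym() lookup via ctypes

    return diagnose(header, caller_bits or process_bits(), has_symbol, wanted)


if __name__ == "__main__":
    for lib_path in sys.argv[1:]:
        try:
            print(lib_path, probe(lib_path))
        except OSError as exc:              # missing file, or dlopen() refused it
            print(lib_path, "cannot be loaded:", exc)
```

For a 32-bit application on a 64-bit host, pass `caller_bits=32`; the symbol lookup itself only works from a Python interpreter of the same word size as the library.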










Re: OpenSSL: Enabling ciphers / algorithms

Seth Berman
Hi Joachim,

Great news...glad to help.

-- Seth
