[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674

--- Comment #3 from Martin Kaiser <eximBugzilla@kaiser.cx> 2008-02-22 12:04:09 ---
(In reply to comment #1)

I saw your follow-up; anyway, I'll add some info for completeness.

> Which version of OpenSSL is this? ("openssl version" command)
>
> I'm running OpenSSL 0.9.8g and the man-page for SSL_library_init() states:

I'm also running 0.9.8g.
SSL_library_init() is the same in the current 0.9.9 snapshot.

It only initializes MD5, SHA-1 and DSA with SHA1.

Thinking about this, I get the impression that SHA256 should be added there.

Martin


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
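The check an operator wants at this point is which signature algorithm a certificate actually carries and whether the installed OpenSSL verifies it. The script below is an added example, not code from the bug thread, from Exim or from OpenSSL: it builds a throwaway CA and two leaf certificates (constructed names, temporary files), one signed with sha256WithRSAEncryption and one with sha1WithRSAEncryption, reports the algorithm of each and verifies the SHA-256 chain. One caveat: the openssl command-line tool registers every algorithm at startup, so a chain that verifies here can still fail inside a program that called only SSL_library_init(); and OpenSSL_add_all_digests() registers every digest compiled into libcrypto, MD5 included, not only SHA-256.

```shell
#!/bin/sh
# Added example; not code from the bug thread, from Exim or from OpenSSL.
# Builds a throwaway CA plus two leaf certificates (one signed with
# sha256WithRSAEncryption, one with sha1WithRSAEncryption), reports the
# signature algorithm of each, and checks that the installed OpenSSL can
# verify the SHA-256 chain. All names and files are constructed for the demo.
set -eu

# Write ca.pem, leaf-sha256.pem and leaf-sha1.pem under directory $1.
make_sha256_chain() {
  dir=$1
  # Self-signed CA with a SHA-256 signature.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj '/CN=demo-ca' -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  # One key and CSR for the leaf; it is signed twice with different digests.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf-sha256.pem" >/dev/null 2>&1
  openssl x509 -req -sha1 -days 2 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf-sha1.pem" >/dev/null 2>&1
}

# Print the signature algorithm OpenSSL reports for certificate $1,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption. The name appears
# twice in -text output (in the TBS part and at the end); the first is enough.
sig_alg() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
    | head -n 1
}

# Exit 0 if certificate $2 verifies against CA bundle $1, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build the chain in a temporary directory and report.
work=$(mktemp -d)
make_sha256_chain "$work"
for f in ca.pem leaf-sha256.pem leaf-sha1.pem; do
  printf '%-16s %s\n' "$f" "$(sig_alg "$work/$f")"
done
if verify_leaf "$work/ca.pem" "$work/leaf-sha256.pem"; then
  echo 'SHA-256 chain: verify OK'
else
  echo 'SHA-256 chain: verify FAILED (this OpenSSL cannot verify a SHA-256 signed chain)'
fi
if verify_leaf "$work/ca.pem" "$work/leaf-sha1.pem"; then
  echo 'SHA-1 leaf: verify OK (this OpenSSL still accepts SHA-1 signatures)'
else
  echo 'SHA-1 leaf: verify FAILED (SHA-1 signatures rejected by local policy)'
fi
rm -rf "$work"
```

Run it against a real deployment by replacing the generated files with the server certificate and the CA bundle Exim is configured with; the SHA-1 result is printed but deliberately not treated as an error, because whether SHA-1 signatures are still accepted depends on the local OpenSSL version and security level.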
[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

Phil Pennock <exim-dev@spodhuis.org> changed:

What          |Removed |Added
--------------+--------+---------------------------
CC            |        |exim-dev@spodhuis.org

--- Comment #1 from Phil Pennock <exim-dev@spodhuis.org> 2008-02-22 10:00:36 ---
Which version of OpenSSL is this? ("openssl version" command)

I'm running OpenSSL 0.9.8g and the man-page for SSL_library_init() states:

    SSL_library_init() registers the available ciphers and digests.

    OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are
    synonyms for SSL_library_init().
    ...
    EXAMPLES
    A typical TLS/SSL application will start with the library
    initialization, will provide readable error messages and will seed the
    PRNG.

        SSL_load_error_strings(); /* readable error messages */
        SSL_library_init();       /* initialize library */
        actions_to_seed_PRNG();

So whilst I'm not disputing that in your version it's needed, in my version
that would appear to result in a double initialisation (perhaps harmless?) and
it would be good to track down what version dependencies there are.

Looking for the first TLS instance in today's mainlog, I see:
X=TLSv1:DHE-RSA-AES256-SHA:256
so Exim 4.69 with OpenSSL 0.9.8g is getting the SHA256 digest function.
(FreeBSD 6.2, FWIW).

Thanks


[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

--- Comment #2 from Phil Pennock <exim-dev@spodhuis.org> 2008-02-22 10:18:36 ---
No, I take back the part about it being present for me. I misread the cipher
string. The :256 is from Exim and is the 256 returned by SSL_CIPHER_get_bits()
and so is just repeating the 256 in AES256.

So I don't have contrary evidence, merely contrary documentation, which is a
whole different animal. Alas.


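The misreading corrected in the comment above is easy to repeat, because Exim's X= log field puts a number after the cipher name. The script below is an added example, not code from the bug thread or from Exim: it pulls the X= field out of a constructed mainlog line in the format quoted in comment #1 (protocol:cipher:bits), and looks the cipher up with "openssl ciphers -v" so the Enc= and Mac= columns show where the 256 really comes from (the AES key size that SSL_CIPHER_get_bits() returns) and that the MAC digest of that suite is SHA-1. The log line and its timestamp are made up for the demo.

```shell
#!/bin/sh
# Added example; not code from the bug thread or from Exim. Decodes the X=
# field Exim writes for a TLS connection, e.g. X=TLSv1:DHE-RSA-AES256-SHA:256,
# and shows via "openssl ciphers -v" what each part of it means.
set -eu

# A constructed Exim mainlog line in the shape of the one quoted in comment #1.
SAMPLE_LOG='2008-02-22 09:58:11 1JSVqz-0003jB-Kc <= sender@example.test H=mx.example.test [192.0.2.10] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 S=1234'

# Print the value of the X= field from one log line, without the "X=".
x_field() {
  printf '%s\n' "$1" | sed -n 's/.*[[:space:]]X=\([^[:space:]]*\).*/\1/p'
}

# Print "protocol cipher bits" from an X= value such as TLSv1:DHE-RSA-AES256-SHA:256.
split_x_field() {
  printf '%s\n' "${1#X=}" | awk -F: '{ print $1, $2, $3 }'
}

# Print the Kx=, Au=, Enc= and Mac= columns for one cipher name as
# "openssl ciphers -v" reports them. Only the line whose first column is that
# cipher is kept: OpenSSL 1.1.1 and later also list the TLS 1.3 suites when
# given a cipher string.
cipher_columns() {
  openssl ciphers -v "$1" | awk -v c="$1" '$1 == c {
    out = ""
    for (i = 2; i <= NF; i++)
      if ($i ~ /^(Kx|Au|Enc|Mac)=/) out = out (out == "" ? "" : " ") $i
    print out
  }'
}

# Summarise an X= value: cipher, its openssl columns, and the bits Exim logged.
# The bits value comes from SSL_CIPHER_get_bits(), i.e. the cipher key size,
# and matches the Enc= column rather than naming a digest.
describe_x_field() {
  set -- $(split_x_field "$1")
  printf '%s %s bits=%s\n' "$2" "$(cipher_columns "$2")" "$3"
}

# Stand-alone run over the constructed log line.
describe_x_field "$(x_field "$SAMPLE_LOG")"
```

For the sample line this prints the cipher name followed by Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 bits=256: the 256 repeats the AES key size, and nothing in the field says anything about which certificate signature digests the library can verify.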
[Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL

--- Comment #4 from Tony Finch <dot@dotat.at> 2008-02-25 12:28:43 ---
On Thu, 21 Feb 2008, Martin Kaiser wrote:
>
> +OpenSSL_add_all_digests();
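Review bot: OpenSSL_add_all_digests() registers every digest compiled into libcrypto (in 0.9.8 that is MD2, MD4, MD5, MDC2, RIPEMD-160 and the whole SHA family, as far as each is built in), not only SHA-256, so this one-line hunk widens what the EVP lookup behind X509_verify will find; if the aim is just sha256WithRSAEncryption, EVP_add_digest(EVP_sha256()) (plus EVP_sha224/384/512 as wanted) after SSL_library_init() is the narrower change. The hunk also shows no context, so a reviewer cannot tell that the call sits once in the TLS initialisation path rather than being repeated per connection; please quote the surrounding lines.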

Does this add less secure digests as well as SHA256?
Why isn't this a bug in OpenSSL?

Tony.

