OpenSSL: Enabling ciphers / algorithms


Joachim Tuchel

Jul 29, 2017, 2:49:14 AM7/29/17
to VA Smalltalk
Hi there,

this is a little bit off-topic, because I am sure this is more of a Linux/OpenSSL question than Smalltalk related.

We develop on Windows and use idea_ecb for encrypting some data. On Windows, all is fine with this call and subsequent operations:

    cipher := OSSslCipher idea_ecb.


On our Linux (Ubuntu 14.04) machines, the result of the call is this:

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_idea_ecb'
    AuxiliaryData: nil


So I guess I need to add some ciphers to OpenSSL on the Linux box, but everything I find covers C code and include files and such. And to be honest, I am not even sure whether this is more a problem of using calls like add_all_algorithms or if I am missing any Ubuntu/OpenSSL packages on the target machine.

Do people here have any hints for me? I've tried googling for a while and had no success so far.

Joachim

Seth Berman

Jul 29, 2017, 9:40:31 AM7/29/17
to VA Smalltalk
Hello Joachim,

Please report to me the following info from the Ubuntu machine in a development image with the openssl libraries that you are using.

| libVersion |

libVersion := OSSslVersion getLibraryVersion.
libVersion version.               "What's this report?"
libVersion compilerFlags     "What's this report?"

--Seth

On Saturday, July 29, 2017 at 7:44:56 AM UTC-4, Wayne Johnston wrote:
I don't know much, but I suspect it's important to know whether you are on VA 8.6.3 with your own (which?) version of OpenSSL, versus older VA with its own OpenSSL 0.9.8.

Seth Berman

Jul 29, 2017, 1:15:12 PM7/29/17
to VA Smalltalk
My suspicion is that IDEA cipher is disabled in Ubuntu's build of OpenSSL.
What does 'openssl list -disabled' report?

Joachim Tuchel

Jul 30, 2017, 3:56:11 AM7/30/17
to VA Smalltalk
Hi Seth,

the Linux box is headless. But I begin to realize that XD packaging and only testing on a production-like headless Linux is not a concept that gets us far enough...

I will add this to one of our "debug screens" and see what the headless machine tells us...

Joachim

Joachim Tuchel

Jul 30, 2017, 4:57:43 AM7/30/17
to VA Smalltalk
Seth

Again, thanks for answering.

I guess you are right. There is no list -disabled command, but openssl ciphers doesn't show any IDEA algos, not even on 16.04.

Since we can choose the algorithm, we'll switch to another one that's available on Ubuntu. We won't go through the recompilation game for openssl if it's not absolutely necessary...

Joachim

Joachim Tuchel

Jul 30, 2017, 9:30:21 AM7/30/17
to VA Smalltalk
So things seem to be not so easy.

I tried switching to

    OSSslCipher aes_256_gcm

And the result is the very same:


    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_gcm'
    AuxiliaryData: nil

Now I wonder: what does the cipher have to look like in the command 'openssl ciphers'?
Doing 'openssl ciphers | grep EVP' yields no results.


Here is what 'openssl ciphers' displays on our target machine:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA


I am simply looking for a way to encrypt and decrypt a String... Seems this is not so easy on Ubuntu 14.04...

Joachim

Seth Berman

Jul 30, 2017, 9:58:12 AM7/30/17
to VA Smalltalk
It would be good to know what version of the library you are using. GCM mode was not available in all versions of openssl.
Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old

Joachim Tuchel

Jul 31, 2017, 11:51:35 AM7/31/17
to VA Smalltalk
Seth,



On Sunday, July 30, 2017 at 15:58:12 UTC+2, Seth Berman wrote:
It would be good to know what version of the library you are using.  GCM mode was not available in all versions of openssl.


openssl version -a says:
OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan 30 20:38:38 UTC 2017
platform: debian-amd64
options:  bn(64,64) rc4(8x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


Even though this sounds extremely old, apt-get upgrade and apt-get dist-upgrade don't find anything newer.

 
Try OSSslCipher aes_256_cbc...if you don't have that then it must be really old

    Error Code: nil
    Error Object: (Signal on Exception: (ExError) An error has occurred.)
    Error String: nil
    Error Hint: 'Function not in library: EVP_aes_256_cbc'
    AuxiliaryData: nil


I am a bit lost here...


Joachim



Seth Berman

Jul 31, 2017, 11:54:25 AM7/31/17
to VA Smalltalk
Hi Joachim,

Ok...so now the question is....is this the version of openssl that your runtime image is actually binding to.
For that, I would need to see the output of what I previously suggested.


| libVersion |

libVersion := OSSslVersion getLibraryVersion.
libVersion version.               "What's this report?"
libVersion compilerFlags     "What's this report?"

-- Seth

Seth Berman

Jul 31, 2017, 12:22:46 PM7/31/17
to VA Smalltalk
Hi Joachim,

Something else to try is to adjust your ini file to point to the absolute path of CRYPTO_LIB and SSL_LIB
so we can remove shared library resolution out of the equation.

For example, mine would read
CRYPTO_LIB=/lib/i386-linux-gnu/libcrypto.so
SSL_LIB=/lib/i386-linux-gnu/libssl.so

Richard Sargent

Jul 31, 2017, 1:12:24 PM7/31/17
to VA Smalltalk
From OpenSSL's pages:
02-Jan-2017: The OpenSSL 1.0.1 series of releases are now out of support. Please upgrade to 1.1.0 or 1.0.2.

Joachim Tuchel

Aug 1, 2017, 12:05:12 AM8/1/17
to VA Smalltalk
Richard,

Canonical decided to backport the Heartbleed and other fixes to the 1.0.1 series. 1.0.1f still is the supported version on Ubuntu 14.04.
As I said, apt-get upgrade doesn't install anything newer, and 14.04 is still supported. We get security updates several times a week.

Joachim

Joachim Tuchel

Aug 1, 2017, 1:06:28 AM8/1/17
to VA Smalltalk
Seth,

thank you very much, you asked the perfect questions and helped me find the solution. As I guessed, it was not a VAST problem at all. Our Ubuntu box was missing a few important parts ;-)

If anybody here is interested in the way I found the solution with Seth's help, here is what I did.

I tried these:

find / -name libssl.so
/usr/local/vast860/bin/libssl.so

find / -name libcrypto.so
/usr/local/vast860/bin/libcrypto.so


But I am not using the binaries in vast860 any more. So I seem to neither have libssl nor libcrypto. Which is hard to believe since Apache serves pages using SSL on the very same machine...


So I found out I need to install libssl-dev in order to get libcrypto (not sure I understand, but...). Then I installed it (apt-get install libssl-dev) and now I see this:
root@dbsrv:/usr/bin# find / -name libssl.so
/usr/lib/x86_64-linux-gnu/libssl.so
/usr/local/vast860/bin/libssl.so


root@dbsrv:/usr/bin# find / -name libcrypto.so
/usr/lib/x86_64-linux-gnu/libcrypto.so
/usr/local/vast860/bin/libcrypto.so


The smalltalk image cannot find libcrypto: (ExError) An error has occurred.: Primitive failed calling 'CRYPTO_LIB':SSLeay_version from PlatformFunction>>#primitiveAsyncCallSetUp:asyncBlock:inFuture: due to OS error1

... which sounds reasonable, since I still only have the 64-bit variants of the libs installed.

So I did:

apt-get install libssl-dev:i386

and voila: The libs are there

root@dbsrv:/usr/bin# find / -name libssl.so
/usr/lib/i386-linux-gnu/libssl.so
/usr/lib/x86_64-linux-gnu/libssl.so
/usr/local/vast860/bin/libssl.so

root@dbsrv:/usr/bin# find / -name libcrypto.so
/usr/lib/i386-linux-gnu/libcrypto.so
/usr/lib/x86_64-linux-gnu/libcrypto.so
/usr/local/vast860/bin/libcrypto.so



So now I get an output for the libVersion from within the Smalltalk image:

OpenSSL 1.0.1f 6 Jan 2014
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"


... and now I can get the ciphers I need. Finally, the issue is solved. It was, of course, an Ubuntu installation problem and not a VAST problem.


Thanks to all who answered and helped. You helped me look at the right things!


Joachim
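As an added diagnostic (my own code, not from the thread or from VA Smalltalk), this Python script automates the two checks Joachim ended up doing by hand: whether the libcrypto a runtime is pointed at matches that runtime's word size (the 32-bit VAST image versus the 64-bit libraries) and whether the EVP symbols behind the cipher selectors are actually exported, which is what a 'Function not in library' hint boils down to. The library path and symbol names come from the thread; the helper names and the report layout are assumptions of mine.

```python
import ctypes

# Symbols the thread's cipher selectors resolve to inside libcrypto; the VAST
# error hint names exactly the symbol that dlsym() could not find.
EVP_SYMBOLS = ["EVP_idea_ecb", "EVP_aes_256_gcm", "EVP_aes_256_cbc"]

def elf_class(e_ident: bytes) -> str:
    """'32-bit' or '64-bit' from the first 16 bytes (e_ident) of an ELF file."""
    if len(e_ident) < 5 or e_ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class = e_ident[4]  # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    if ei_class in (1, 2):
        return "32-bit" if ei_class == 1 else "64-bit"
    raise ValueError(f"unknown ELF class {ei_class}")

def missing_symbols(lib, names):
    """Names that dlsym() cannot resolve in an already-loaded ctypes library."""
    missing = []
    for name in names:
        try:
            getattr(lib, name)  # ctypes calls dlsym(); AttributeError means not exported
        except AttributeError:
            missing.append(name)
    return missing

def symbols_missing_in_process(names):
    """Same check against the running process's own symbols (libc etc.)."""
    return missing_symbols(ctypes.CDLL(None), names)

def check_crypto_lib(path: str, vm_bits: int, names=EVP_SYMBOLS) -> dict:
    """Explain a 'Function not in library' hint for the libcrypto at `path`;
    vm_bits is the word size of the runtime that will dlopen it (32 for VAST here)."""
    with open(path, "rb") as f:
        lib_class = elf_class(f.read(16))
    report = {"path": path, "class": lib_class, "loaded": False, "missing": list(names)}
    if lib_class != f"{vm_bits}-bit":
        report["reason"] = f"{vm_bits}-bit runtime cannot dlopen a {lib_class} library"
        return report
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:
        report["reason"] = f"dlopen failed: {exc}"
        return report
    report["loaded"] = True
    report["missing"] = missing_symbols(lib, names)
    report["reason"] = "symbol(s) not exported by this build" if report["missing"] else "ok"
    return report
```

Run it as `check_crypto_lib("/usr/lib/i386-linux-gnu/libcrypto.so", 32)` on the box; pointing it at the x86_64 library instead reproduces the architecture mismatch before any symbol lookup happens.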

Seth Berman

Aug 1, 2017, 8:55:28 AM8/1/17
to VA Smalltalk
Hi Joachim,

Great news...glad to help.

-- Seth