This week I needed to install OpenSSL 0.9.8g on one of my servers. When I went to configure and build the libraries with the Sun C compiler, I noticed that 64-bit libraries were produced by default. It turns out that this is the default behavior if you try to build OpenSSL on a 64-bit platform. To build 32-bit shared libraries, I ran Configure with the “shared” and “solaris-x86-cc” options:

$ cd openssl-0.9.8g

$ ./Configure shared --prefix=/usr/local solaris-x86-cc

$ make

$ make install

There may be other ways to do this, but this method appears to work ok.

Posted by matty, filed under OpenSSL. Date: December 30, 2007, 3:53 pm | No Comments »

While checking my e-mail recently, I noticed that my inbox contained several new messages that were roughly 3MB in size. The quantity of messages was choking my poor text-based e-mail client, so I needed to figure out what was happening. After spending a few minutes reviewing my maillog, I noticed that my mail retrieval program was erroring out while popping the 3MB message (it transferred the message, but wasn’t issuing a dele when it finished). Since my mail retrieval program was having issues retrieving the 3MB file, I decided to fire up openssl and delete the message myself:

$ openssl s_client -quiet -connect mail.prefetch.net:995

depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=mail.prefetch.net/OU=https://services.choicepoint.net/get.jsp?1605445126/OU=See www.rapidssl.com/cps (c)04/OU=Domain Control Validated - StarterSSL(TM)/CN=mail.prefetch.net
verify error:num=21:unable to verify the first certificate
verify return:1

+OK mail.prefetch.net Cyrus POP3 v2.2.12 server ready <1499164100.1140385444@mail.prefetch.net>

user myaccount
+OK Name is a valid mailbox

pass MYSPECIALPASSWORD
+OK Mailbox locked and ready

list
+OK scan listing follows
1 1893014
2 599397
3 4219
.

dele 1
+OK message deleted

quit
+OK
read:errno=0

I really dig openssl, and find myself using it daily. Giddie up!

Posted by matty, filed under OpenSSL. Date: February 27, 2006, 8:34 pm | 1 Comment »

I use a variety of hardware in my day-to-day activities, and was curious to see how they compared to each other. While I could run a micro benchmarking tool to get detailed information on memory, cpu, network and disk throughput, I thought it would be easier to use openssl’s ‘speed’ option to get a rough approximation of each machine’s capabilities. The results are listed below:

Ultra 10 with (1) 440 MHZ UltraSPARC IIi CPU:

$ openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 3028371 blowfish cbc's in 2.98s
Doing blowfish cbc for 3s on 64 size blocks: 835818 blowfish cbc's in 2.98s
Doing blowfish cbc for 3s on 256 size blocks: 214738 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 1024 size blocks: 54125 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 8192 size blocks: 6279 blowfish cbc's in 2.98s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,risc1,16,long) aes(partial) blowfish(ptr)
compiler: information not available
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     16259.71k    17950.45k    18385.59k    18536.45k    17260.93k

Fujitsu 250 with (1) 900 MHZ UltraSPARC64V CPU:

$ openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 4086473 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 64 size blocks: 1095008 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 256 size blocks: 278583 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 1024 size blocks: 69931 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 8754 blowfish cbc's in 2.99s
OpenSSL 0.9.7d 17 Mar 2004
built on: Wed Mar 17 14:57:19 EST 2004
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     21794.52k    23360.17k    23772.42k    23869.78k    23984.20k

Powerbook G4 with (1) 1.5 GHZ G4:

$ openssl speed blowfish

To get the most accurate results, try to run this
program when this computer is idle.
Doing blowfish cbc for 3s on 16 size blocks: 6564697 blowfish cbc's in 2.28s
Doing blowfish cbc for 3s on 64 size blocks: 1781080 blowfish cbc's in 2.23s
Doing blowfish cbc for 3s on 256 size blocks: 482751 blowfish cbc's in 2.35s
Doing blowfish cbc for 3s on 1024 size blocks: 118350 blowfish cbc's in 2.29s
Doing blowfish cbc for 3s on 8192 size blocks: 15444 blowfish cbc's in 2.38s
OpenSSL 0.9.7g 11 Apr 2005
built on: Mon Aug 22 04:38:18 PDT 2005
options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) aes(partial) blowfish(ptr)
compiler: cc -arch i386 -arch ppc -g -Os -pipe -arch i386 -arch ppc -pipe -DOPENSSL_NO_IDEA -DFAR=
available timing options: TIMEB USE_TOD HZ=100 [sysconf value]
timing function used: getrusage
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     45997.30k    51100.78k    52532.67k    52895.72k    53053.47k

IBM HS20 Blade with (1) 3.0 GHZ Intel Xeon CPU w/ Hyperthreading:

$ /usr/sfw/bin/openssl speed blowfish

Doing blowfish cbc for 3s on 16 size blocks: 14394701 blowfish cbc's in 2.99s
Doing blowfish cbc for 3s on 64 size blocks: 3827438 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 256 size blocks: 979301 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 1024 size blocks: 250691 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 31586 blowfish cbc's in 3.00s
OpenSSL 0.9.7d 17 Mar 2004
built on: date not available
options:bn(64,32) md2(int) rc4(ptr,char) des(ptr,cisc,16,long) aes(partial) blowfish(ptr)
compiler: information not available
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     77028.50k    81652.01k    83567.02k    85569.19k    86250.84k

Posted by matty, filed under OpenSSL. Date: November 23, 2005, 12:09 pm | 2 Comments »

While perusing Netcraft’s website tonight, I came across the Netcraft SSL survey. It is exciting to see an upward trend in signatures by Certificate Authorities other than the big market players (e.g., Verisign, Thawte, etc.)! Giddie up!

Posted by matty, filed under OpenSSL. Date: October 16, 2005, 8:37 pm | No Comments »

Randomness is a key element in cryptography (seeds and shared secrets), TCP (ISNs), and can be useful when simulating client access patterns in test scripts. If an OS supports the /dev/random pseudo-device, the dd, od, and awk utilities can be used to generate random values:

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2}'
007

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2$3}'
035170

$ dd if=/dev/random count=1 2>/dev/null | od -t u1 | awk 'NR==1 {print $2$3$4}'
018183199

This pipes a block of random data to od, whose type option (-t u1) prints each byte as an unsigned decimal integer; the output is then piped into awk, which prints the second field of the first line (the first field is od's offset column). You can also use openssl to generate entropy on a system:

$ openssl rand -base64 1 | od -t u1 | awk 'NR==1 {print $2}'
51

$ openssl rand -base64 1 | od -t u1 | awk 'NR==1 {print $2}'
120

I am sure there are more efficient ways to do this, and would love to get feedback. :)
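
One way to turn raw random bytes into an integer in a chosen range, as an added example (not code from the original post): it reads exactly two bytes with dd and uses rejection sampling so the modulo does not skew the result. The helper names rand16 and rand_below and the use of /dev/urandom are assumptions of this example; note that with -base64 the od step prints the ASCII code of a base64 character rather than a raw byte value.

```shell
#!/bin/sh
# Added example: uniform random integer in [0, N) from the kernel RNG.
# Assumptions: /dev/urandom exists; rand16 and rand_below are hypothetical names.

# rand16: print one unsigned 16-bit value built from two raw random bytes.
rand16() {
  # bs=2 count=1 reads exactly two bytes instead of a whole 512-byte block.
  # awk does the arithmetic so zero-padded od output (e.g. 007) stays decimal.
  dd if=/dev/urandom bs=2 count=1 2>/dev/null |
    od -An -tu1 |
    awk 'NF >= 2 { print $1 * 256 + $2; exit }'
}

# rand_below N: print a uniform integer r with 0 <= r < N, for 1 <= N <= 65536.
rand_below() {
  n=$1
  case $n in ''|*[!0-9]*) return 2 ;; esac
  [ "$n" -ge 1 ] && [ "$n" -le 65536 ] || return 2
  # Largest multiple of n that fits in 16 bits; values at or above it are
  # discarded, otherwise "r % n" would favour the small remainders.
  limit=$(( 65536 - 65536 % n ))
  while :; do
    r=$(rand16)
    [ -n "$r" ] || return 1          # random source unavailable
    if [ "$r" -lt "$limit" ]; then
      echo $(( r % n ))
      return 0
    fi
  done
}

# Demo: a die roll (1..6) and a percentage (0..99).
echo "die: $(( $(rand_below 6) + 1 ))  percent: $(rand_below 100)"
```
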

Posted by matty, filed under OpenSSL. Date: May 7, 2005, 1:22 pm | No Comments »

I constantly find myself generating checksums, and for some reason each Operating System likes to implement their own message digest command (if they provide one at all). If your system is missing a digest command, you can use the openssl utility to generate one-time hashes. OpenSSL supports the SHA1, MD5 and RIPEMD160 algorithms, and accepts one or more files as arguments:

$ openssl md5 passwd
MD5(passwd)= eb1e5c787c3d85b9cf214c70c1095934

$ openssl sha1 passwd
SHA1(passwd)= 1163c343091756010a77f95068aca4c4e360b932

$ openssl rmd160 passwd
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ openssl rmd160 passwd passwd /etc/services
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(/etc/services)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ cat passwd | openssl md5
eb1e5c787c3d85b9cf214c70c1095934

The OpenSSL source code can be downloaded from the main OpenSSL website:

http://www.openssl.org/source/

Posted by matty, filed under OpenSSL. Date: January 28, 2005, 12:13 am | No Comments »

I have an article titled debugging SSL in the December issue of SysAdmin magazine. The article covers techniques to debug SSL communications, and includes several useful examples. One of the examples shows how openssl can be used to check the operational status of a POP3s server. This is accomplished by feeding POP3 commands to openssl (or telnet if you want eavesdroppers to learn your username and password):

$ openssl s_client -connect prefetch.net:995
CONNECTED(00000003)

[ … ]

user ME@my.domain < ---- This is the username you login as ---->
+OK Name is a valid mailbox

pass SOMETHING_OR_ANOTHER < ---- This is your POP3 password ---->
+OK Mailbox locked and ready

list
+OK scan listing follows
1 1518

retr 1
+OK Message follows

dele 1
+OK message deleted

quit
+OK

This allows you to open an SSL connection to your mail server, “list” the messages in your inbox, “retr” message number 1, and “dele” it after you are done reviewing its contents. This also has the awesome feature of dumping the complete headers from the message (most email clients provide this capability as well). The headers can help you get an idea of which path a message took to get to you (when the headers have not been modified).

Posted by matty, filed under OpenSSL. Date: January 14, 2005, 12:01 am | No Comments »

I often find myself needing to protect sensitive data, and usually turn to OpenSSL for help. OpenSSL supports a plethora of symmetric key encryption algorithms (AES, DES3, Blowfish, RC4), and comes with a variety of Operating Systems. To encrypt a file named private, we can pass one of the available symmetric key algorithms to OpenSSL:

$ openssl aes-256-ecb -in private -out private.aes256
enter aes-256-ecb encryption password:
Verifying - enter aes-256-ecb encryption password:

$ ls private*
private private.aes256

To decrypt the file private.aes256, the symmetric key algorithm and decryption option can be passed to OpenSSL:

$ openssl aes-256-ecb -d -in private.aes256 | tail -5
enter aes-256-ecb decryption password:
pop 109/tcp
pop3 110/tcp
imap 143/tcp
imaps 993/tcp
pop3s 995/tcp

As you can see, private wasn’t so private after all :) You can get a full list of available symmetric key ciphers by appending the help flag to openssl.
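
The commands above use aes-256-ecb; in ECB mode equal plaintext blocks encrypt to equal ciphertext blocks, so the structure of a file shows through. This added example (not from the original post) makes that visible by counting distinct ciphertext blocks under ECB and under CBC; the key, IV and the helper name distinct_blocks are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: identical plaintext blocks under ECB versus CBC.
# KEY and IV are constructed demo values, fixed only to make the run repeatable.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=00000000000000000000000000000000

# distinct_blocks CIPHER [extra openssl enc args]
# Encrypts 1024 zero bytes (64 identical 16-byte blocks) and prints how many
# different 16-byte ciphertext blocks come out.
# -K supplies the raw key (no password prompt); -nopad keeps exactly 64 blocks.
# od -v prints every 16-byte line instead of folding repeats into "*".
distinct_blocks() {
  cipher=$1; shift
  dd if=/dev/zero bs=1024 count=1 2>/dev/null |
    openssl enc "-$cipher" -K "$KEY" "$@" -nopad 2>/dev/null |
    od -An -v -tx1 |
    sort -u | wc -l | tr -d ' '
}

ecb=$(distinct_blocks aes-256-ecb)
cbc=$(distinct_blocks aes-256-cbc -iv "$IV")
echo "aes-256-ecb: $ecb distinct ciphertext blocks out of 64"
echo "aes-256-cbc: $cbc distinct ciphertext blocks out of 64"
```

Neither mode detects tampering with the ciphertext; the comparison only shows the pattern leak.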

Posted by matty, filed under OpenSSL. Date: January 8, 2005, 11:54 pm | No Comments »