
Re: [openssl-gost] Re: Bug#898823: does not work for cryptopro test servers



On Tue, 22 May 2018 13:01:46 +0300
Wartan Hachaturow <wartan.hachaturow@gmail.com> wrote:

> 
> On 2018-05-16T12:29:34+0300, Dmitry Eremin-Solenikov wrote:
> 
>  > Package: libengine-gost-openssl1.1
>  > Version: 1.1.0.1-1
>  > Severity: normal
> 
>  > Connecting to CryptoPro test servers does not seem to work. No
>  > additional configuration was done to openssl.cnf.
> 
>  > $ openssl s_client -engine gost -connect tlsgost-2001.cryptopro.ru:443
>  > engine "gost" set.
>  > CONNECTED(00000003)
>  > 140418489987264:error:141710F8:SSL routines:tls_process_server_hello:unknown cipher

Strange. It should be:


engine "gost" set.
CONNECTED(00000003)
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
   i:/emailAddress=support@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
Server certificate
subject=/CN=id-GostR3410-2001-CryptoPro-XchA-ParamSet_2001noauth
issuer=/emailAddress=support@cryptopro.ru/C=RU/L=Moscow/O=CRYPTO-PRO LLC/CN=CRYPTO-PRO Test Center 2
---
No client certificate CA names sent
---
SSL handshake has read 1040 bytes and written 396 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : GOST2012-GOST8912-GOST8912
    Session-ID: BA10F4E127B7C5F5B50BF35B8ABD10A003A3EB5A4908FF8F7767ECF3D1DD67A9
    Session-ID-ctx: 
    Master-Key: 4DEF74E5BA30D4198019DA8B767FAA00A0ABDA098C852B641AFC9D9201A4FDF957D561144C4A98BB22C4DDB46C647252
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1526985064
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

This is on stable here,

openssl version -a
OpenSSL 1.1.0f  25 May 2017
built on: reproducible build, date unspecified
platform: debian-amd64
compiler: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/lib/ssl\"" -DENGINESDIR="\"/usr/lib/x86_64-linux-gnu/engines-1.1\"" 
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
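An added triage check, not from this thread, that classifies `openssl s_client` output like the two transcripts above (the reporter's "unknown cipher" failure and the expected GOST handshake) by whether the gost engine loaded and which suite was negotiated. The two sample outputs are constructed from the lines quoted above; the live `probe_gost_server` wrapper is only defined, not run here.

```shell
#!/bin/sh
# Constructed sample: the failing output from the bug report (engine loaded, ServerHello rejected).
FAIL_OUTPUT='engine "gost" set.
CONNECTED(00000003)
140418489987264:error:141710F8:SSL routines:tls_process_server_hello:unknown cipher'

# Constructed sample: an abbreviated version of the expected (working) output from the reply.
OK_OUTPUT='engine "gost" set.
CONNECTED(00000003)
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
    Protocol  : TLSv1.2
    Cipher    : GOST2012-GOST8912-GOST8912
    Verify return code: 21 (unable to verify the first certificate)'

# Classify s_client output read from stdin. Prints one line and returns 0 only on a GOST handshake:
#   ok <cipher> <verify-code>   a GOST suite was negotiated (verify code shown separately)
#   engine-missing              the "engine "gost" set." banner is absent, so the engine did not load
#   unknown-cipher              the 141710F8 symptom from the report: server suite not mapped by the client
#   no-gost-cipher <cipher>     handshake completed, but with a non-GOST suite
#   handshake-failed            anything else (no Cipher line at all)
classify_s_client_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^engine "gost" set\.'; then
        echo engine-missing; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'error:141710F8:.*unknown cipher'; then
        echo unknown-cipher; return 1
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$cipher" ]; then
        echo handshake-failed; return 1
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        GOST*) echo "ok $cipher ${code:-?}"; return 0 ;;
        *)     echo "no-gost-cipher $cipher"; return 1 ;;
    esac
}

# Live probe (not executed in this script): pipes a real s_client transcript through the classifier.
# Usage: probe_gost_server tlsgost-2001.cryptopro.ru:443
probe_gost_server() {
    openssl s_client -engine gost -connect "$1" </dev/null 2>&1 | classify_s_client_output
}
```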