[openssl-dev] (no subject)

2016-02-01 Thread kong don

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #1534] [Bug report] Verification fails caused by too many CA certs

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1584] INSTALL.W32 Configure prefix must be unix format directory delimeters

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2500] [bug-report] Configure with shared option on BSD systems

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Rich Salz via RT
there does not seem to be anything for openssl to do here. also the
verify_chain code is changing a lot in 1.1
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #4211] Document Perl requirements for OpenSSL 1.1.0

2016-02-01 Thread Rich Salz via RT
Fixed, please see README.PERL now.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2108] [PATCH] Message digest functions

2016-02-01 Thread Rich Salz via RT
The conditional compilation is correct. The manpages are now "generic"
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2316] Build issue on Tru64 (Dl_info must specify a type)

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1729] Bug in add_cert_dir - crypto/x905/by_dir.c

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Rich Salz via RT
Andy, I assume you're not going to fix this or it's no longer a problem.

This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1852] [BUG] Invalid Proxy Certificates Pass Validation

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Nich Ramsey
Haha yeah I AM getting messages, a whole fuckton of them.

I'll try to ignore the flurry, I know you guys just had a new release.

Outside of this small annoyance, keep up the awesome work, I love what you
soon are doing!!
On Feb 1, 2016 11:15 AM, "Salz, Rich"  wrote:

> But you ARE getting messages.  You quoted it below. ☺
>
>
>
> Sorry for the flurry of bug activity.  We’re cleaning up ticket list.
>
>
>
> --
>
> Senior Architect, Akamai Technologies
>
> IM: richs...@jabber.at Twitter: RichSalz
>
>
>
> *From:* Nich Ramsey [mailto:onicr...@gmail.com]
> *Sent:* Monday, February 01, 2016 2:13 PM
> *To:* r...@openssl.org; openssl-dev@openssl.org
> *Subject:* Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT
> work properly on HPUX 11.23 IA for 32bits mode
>
>
>
> I'm continually getting repeat messages and messages with no text body. So
> annoying, please make it stop!!
>
> On Feb 1, 2016 11:10 AM, "Rich Salz via RT"  wrote:
>
> Andy, I assume you're not going to fix this or it's no longer a problem.
>
> This is reported against 0.9.8; please open a new ticket if still a problem
> with current releases.
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
>


[openssl-dev] [openssl.org #1848] Bug found in BN_is_prime_fasttest_ex( )

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2437] [PATCH] config on aix assumes cc is not gcc, can cause build to fail

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2824] Bug ? - Not Thread-safety for SSL Key usage im requests ?

2016-02-01 Thread Rich Salz via RT
The objects are not MT-safe.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] Fwd: latest OpenSSL causes OpenSMTPD to segv

2016-02-01 Thread Loganaden Velvindron
Hi guys,

Any place where this API change is documented ?

It would be nice if each release came with a list of API changes.


-- Forwarded message --
From: Gilles Chehade 
Date: Mon, Feb 1, 2016 at 8:10 PM
Subject: latest OpenSSL causes OpenSMTPD to segv
To: m...@opensmtpd.org


Hi,

It seems that the OpenSSL guys have managed to slip an API change inside
their latest "patchlevel" release and this unsurprisingly breaks our RSA
engine...

This impacts all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
to crash as soon as the RSA engine is used (ie: whenever there's crypto)

A quick workaround is to not upgrade to 1.0.2f yet and maybe ask OpenSSL
why a "patchlevel" release contains more than patches.

Meanwhile, we're investigating how we're going to unfuck this.

--
Gilles Chehade

https://www.poolp.org  @poolpOrg

--
You received this mail because you are subscribed to m...@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org


[openssl-dev] [openssl.org #1327] Bug in openssl/util/mkdef.pl (HEAD)

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
Also we're changing the build process for the next release as well.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1482] [PATCH] add "ciphertext stealing" support to the EVP library

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
It's been eight years, unlikely to happen with a new patch.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1802] Bug report: Persistent memory leak that cannot be freed

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2018] BUG: rsautl reports "RSA operation error" when decryption output is empty

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2361] win32: non-blocking BIO_do_connect() returns wrong value

2016-02-01 Thread Rich Salz via RT
as andy said, the work-around is really the right thing to do.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2362] Bug report

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2610] Bug(?): both the "!SSLv3" and the "!TLSv1" cipher strings seem to mutually delete the ciphersuites from the other set as well

2016-02-01 Thread Rich Salz via RT
Not a bug. It's when the ciphers were first defined, not the name of them.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2631] Incompatibility with iOS 5 ?

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3663] [PATCH] clarify 'verify' command operation

2016-02-01 Thread Rich Salz via RT
fixed in master by viktor
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Richard Levitte
Could it be the empty message from kong don ?  I'm
seeing them too, that subscription is going.  3...  2...  1...  gone

In message 
<771c166256b14b789991b53780291...@usma1ex-dag1mb1.msg.corp.akamai.com> on Mon, 
1 Feb 2016 19:14:56 +, "Salz, Rich"  said:

rsalz> But you ARE getting messages. You quoted it below. ☺
rsalz> 
rsalz> Sorry for the flurry of bug activity. We’re cleaning up ticket list.
rsalz> 
rsalz> --
rsalz> 
rsalz> Senior Architect, Akamai Technologies
rsalz> 
rsalz> IM: richs...@jabber.at Twitter: RichSalz
rsalz> 
rsalz> From: Nich Ramsey [mailto:onicr...@gmail.com]
rsalz> Sent: Monday, February 01, 2016 2:13 PM
rsalz> To: r...@openssl.org; openssl-dev@openssl.org
rsalz> Subject: Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT
rsalz> work properly on HPUX 11.23 IA for 32bits mode
rsalz> 
rsalz> I'm continually getting repeat messages and messages with no text
rsalz> body. So annoying, please make it stop!!
rsalz> 
rsalz> On Feb 1, 2016 11:10 AM, "Rich Salz via RT"  wrote:
rsalz> 
rsalz> Andy, I assume you're not going to fix this or it's no longer a
rsalz> problem.
rsalz> 
rsalz> This is reported against 0.9.8; please open a new ticket if still a
rsalz> problem
rsalz> with current releases.
rsalz> --
rsalz> Rich Salz, OpenSSL dev team; rs...@openssl.org
rsalz> 


[openssl-dev] [openssl.org #2348] OpenSSL doesn't work with Linksys WRT54G

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2349] build problems with 1.0.0a windows 64 bit AMD

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 08:34:44PM +, Alex Rousskov via RT wrote:

> On 02/01/2016 12:40 PM, Rich Salz via RT wrote:
> > there does not seem to be anything for openssl to do here. 
> 
> OpenSSL can do one of these two things (at least):
> 
> * Start reporting post-X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE errors
> to callbacks [instead of hiding them].

This error is only reported when the chain contains exactly one
certificate that is not self-issued.  It is hard to see what other
errors you might hope to see reported, since there's nothing else
in the chain.

The error is reported late in chain construction, when all other
errors have been reported, so it is naturally the last one reported.

> * Adjust SSL_CTX_set_verify documentation to indicate that no errors are
> reported to callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
> [instead of saying that all errors are reported].

All errors were reported.

> > also the verify_chain code is changing a lot in 1.1
> 
> I hope this problem will be taken into consideration during the rewrite.

Please be more explicit about what errors you feel were not reported.

-- 
Viktor.


[openssl-dev] [openssl.org #2357] openssl-1.0.0a -- PATCH for 'make -n install'

2016-02-01 Thread Rich Salz via RT
If still an issue with the current release please open a new ticket.
We are rewriting the make system for 1.1.



[openssl-dev] [openssl.org #1292] SSL_add_dir_cert_subjects_to_stack does not check for read access of file, breaking TLS enabled LDAP clients

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1378] Contribution: twopipe patch for speed test

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.

Also, spawning way more processes than your system can handle isn't really
openssl's fault :)

--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1444] Insufficient error reporting in openssl ca

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
also not enough information to reproduce the condition.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1816] bug in DES_xcbc_encrypt() for decrypting 8 bytes of input (?)

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2392] Haiku patch for openssl-1.0.0c

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2615] BIO_flush segmentation fault with SSL BIO

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3028] PEM_X509_INFO_read_bio() fails to process RSA private key if in initial position (regression in OpenSSL 1.0.0 and later)

2016-02-01 Thread Rich Salz via RT
comments in the ticket indicate this has been fixed.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3072] Strange behaviour when talking to microsoft exchange

2016-02-01 Thread Rich Salz via RT
protocol limit in MSFT TLS implementation, not an openssl bug.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] Fwd: latest OpenSSL causes OpenSMTPD to segv

2016-02-01 Thread Salz, Rich
> This impacts all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
> to crash as soon as the RSA engine is used (ie: whenever there's crypto)

It would be interesting to see what they think was wrong.

Our intent is to NOT change API's across letter releases.


[openssl-dev] [openssl.org #4285] SSL_CTX_load_verify_locations() fails without error with invalid files

2016-02-01 Thread Timo Sirainen via RT
If loaded file isn't valid, SSL_CTX_load_verify_locations() returns 0,
but ERR_get_error() reports 0.

Debian unstable
Version: 1.0.2f-2

Example:

// create "empty-file" by e.g. touching it (or containing whatever garbage)
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int main(void)
{
    SSL_CTX *ssl_ctx;

    SSL_library_init();
    SSL_load_error_strings();

    ssl_ctx = SSL_CTX_new(SSLv23_server_method());
    /* the call returns 0 for the invalid file, yet the error queue is empty */
    if (!SSL_CTX_load_verify_locations(ssl_ctx, "empty-file", NULL)) {
        printf("error = %lu\n", ERR_get_error());
    }
    return 0;
}




[openssl-dev] [openssl.org #1365] PATCH: Adding IPv6 support to s_client and s_server

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1328] FW: (Repost) SSL_shutdown and SSL_free issues

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1400] spurious CRs in S/MIME clearsigned mails

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
also not clear it was really an interop problem at all.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1470] [PATCH] fix some memory leaks in asn1 crypto

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Salz, Rich
But you ARE getting messages.  You quoted it below. ☺

Sorry for the flurry of bug activity.  We’re cleaning up ticket list.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Nich Ramsey [mailto:onicr...@gmail.com]
Sent: Monday, February 01, 2016 2:13 PM
To: r...@openssl.org; openssl-dev@openssl.org
Subject: Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work 
properly on HPUX 11.23 IA for 32bits mode


I'm continually getting repeat messages and messages with no text body. So 
annoying, please make it stop!!
On Feb 1, 2016 11:10 AM, "Rich Salz via RT"  wrote:
Andy, I assume you're not going to fix this or it's no longer a problem.

This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] (no subject)

2016-02-01 Thread kong don



[openssl-dev] [openssl.org #2417] [Enhancement] X509 verification with OCSP support

2016-02-01 Thread Rich Salz via RT
Thanks for the patch. Sorry it took so long to reply, but it's been five years
and having the openssl runtime connect out to servers (ocsp even) is not
supported.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3915] BUG/PATCH: ssl_sess.c no longer compiles when no-tlsext is specified

2016-02-01 Thread Rich Salz via RT
old unsupported release, and unsupported build option.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3420] Magic constants in SSL_CTX_set_tlsext_ticket_key_cb() and .pod

2016-02-01 Thread Rich Salz via RT
16 is the defined size (RFC 5077) so closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1497] Issue: PKCS#12 export with empty password produces incorrect encoding of MacData in PFX object

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1491] [BUG][PATCH] malloc and friends returns not checked

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1642] patch purify errors

2016-02-01 Thread Rich Salz via RT
Dear Mr Hudson,

This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.

On the other hand, since you're a member of the dev team... fix it yourself :)
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1808] enc(1) Salt option: -S

2016-02-01 Thread Rich Salz via RT
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2185] security vulnerability fixed

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2201] 1.0 beta5, Solaris cc compile options

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2298] Build failure on WinCE platform openssl-1.0.0 & 1.0.0a

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2597] bug report (pkcs12.c)

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1424] Re: CRL update revision for X509_add_crl

2016-02-01 Thread Rich Salz via RT
It's been nearly 10 years, this isn't going to happen.
If still desired please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1670] SSL_CTX_load_verify_locations() fails without error with invalid files

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] (no subject)

2016-02-01 Thread kong don



[openssl-dev] [openssl.org #1656] Clients compiled with tls extention can't talk to some servers.

2016-02-01 Thread Rich Salz via RT
Kurt,

I assume this isn't an issue or you would have fixed it :)

This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Nich Ramsey
I'm continually getting repeat messages and messages with no text body. So
annoying, please make it stop!!
On Feb 1, 2016 11:10 AM, "Rich Salz via RT"  wrote:

> Andy, I assume you're not going to fix this or it's no longer a problem.
>
> This is reported against 0.9.8; please open a new ticket if still a problem
> with current releases.
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
>


Re: [openssl-dev] [openssl.org #1682] BIO_snprintf can NOT work properly on HPUX 11.23 IA for 32bits mode

2016-02-01 Thread Nich Ramsey via RT
I'm continually getting repeat messages and messages with no text body. So
annoying, please make it stop!!
On Feb 1, 2016 11:10 AM, "Rich Salz via RT"  wrote:

> Andy, I assume you're not going to fix this or it's no longer a problem.
>
> This is reported against 0.9.8; please open a new ticket if still a problem
> with current releases.
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
>


[openssl-dev] [openssl.org #2692] [OpenSSL 1.0.1 beta 2] SHLIB_VERSION_NUMBER

2016-02-01 Thread Rich Salz via RT
the version number is not being changed. in 1.1 things "get better"
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2960] protocol bug in s2_pkt.c

2016-02-01 Thread Rich Salz via RT
SSLv2 is no longer supported.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Alex Rousskov via RT
On 02/01/2016 12:40 PM, Rich Salz via RT wrote:
> there does not seem to be anything for openssl to do here. 

OpenSSL can do one of these two things (at least):

* Start reporting post-X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE errors
to callbacks [instead of hiding them].

* Adjust SSL_CTX_set_verify documentation to indicate that no errors are
reported to callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
[instead of saying that all errors are reported].


> also the verify_chain code is changing a lot in 1.1

I hope this problem will be taken into consideration during the rewrite.


Thank you,

Alex.




[openssl-dev] [openssl.org #1449] [PATCH] Suspend and reinstate certificates in CA application

2016-02-01 Thread Rich Salz via RT
It's been almost ten years, this is unlikely to happen.
Please open a new ticket if still desired.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1608] [BUG] SSL_get_error returns SSL_ERROR_SSL if read() returns -1 / EINTR

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.8; please open a new ticket if still a problem
with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #1832] PATCH: force IPv4/IPv6 for s_client

2016-02-01 Thread Rich Salz via RT
openssl 1.1 will have full ipv6 support.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2512] [PATCH] Fix for BIO_new_accept()

2016-02-01 Thread Rich Salz via RT
ipv6 support will be in openssl 1.1
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2699] openssl dgst -sha1 -verify ... sais verification failure whet it is ok in a concrete set of data

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2718] openssl-fips-1.2.3: testsuite failures (SIGILL / Illegal instruction)

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2944] PVS-Studio and OpenSSL

2016-02-01 Thread Rich Salz via RT
This is reported against 0.9.x and/or 1.0.0; please open a new ticket if still
a problem with current releases.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] openssl-1.1.0-pre2 make failure with perl-5.8.8 on Linux

2016-02-01 Thread Richard Levitte
In message on Tue, 2 Feb 2016 00:04:57 +0530, J Mohan Rao Arisankala said:

mohan> I have a development environment, which uses a very old perl version
mohan> (5.8.8).

That is a very old perl indeed.

That particular issue has been fixed.  However, with such an old perl
version, you might end up in more trouble when testing...  nothing
that can't be fixed with a CPAN install, but...

Is that something that we need to talk about?

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


[openssl-dev] [openssl.org #2232] OpenSSL 1.0.0 - Mac OS X Univesal Binary Build Link errors

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2494] [SEC FIX]: Add premaster cleaning for GOST ciphersuites: All platforms, 1.0.0d

2016-02-01 Thread Rich Salz via RT
GOST is now a separately maintained engine.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2479] Fix for runtime exception when linking against win64a static libraries

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2643] Possible bug in 1.0.0e - make fails when using "no-ecdh" config option

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2916] EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #4286] Debug in OpenSSL

2016-02-01 Thread Kurt Roeckx via RT
On Mon, Feb 01, 2016 at 10:21:30PM +, Tiantian Liu via RT wrote:
> Hi, ALL,
> 
> I am a software developer who is struggling with encryption and decryption
> issues in my application.
> 
> Our customer complained our application crashed at the point where the OpenSSL
> method, PEM_read_RSAPrivateKey, is being called.
> 
> However, I can't duplicate the crash on my machine, so I want to enable debug in
> OpenSSL and core dumping on their machine, then I can get the core dump file
> upon the crash on customer's side. And I can use GDB to debug the core dump
> to see what happened inside the so-called PEM_read_RSAPrivateKey.
> 
> Today, I re-compiled my OpenSSL (version openssl-1.0.1p). However, when I set 
> the breakpoint at PEM_read_RSAPrivateKey, my GDB can't step into that 
> function, just bypassed directly.
> My machine is 32-bit RedHat Enterprise 5. What I did in configure and 
> installation:
> 
> #./Configure -g debug-linux-elf -prefix=/usr shared
> # make
> # make install

Are you sure it doesn't get stripped at some point?  Can you check
that the files actually contain debug info?  Try:

    readelf -S /usr/lib/libcrypto.so.1.0.0


Kurt





Re: [openssl-dev] Fwd: latest OpenSSL causes OpenSMTPD to segv

2016-02-01 Thread Richard Levitte
In message <20160201231650.gf4...@mournblade.imrryr.org> on Mon, 1 Feb 2016 23:16:50 +, Viktor Dukhovni said:

openssl-users> On Mon, Feb 01, 2016 at 10:52:56PM +, Viktor Dukhovni wrote:
openssl-users> 
openssl-users> > The only thing I see that's plausibly pertinent is:
openssl-users> > 
openssl-users> > commit 6656ba7152dfe4bba865e327dd362ea08544aa80
openssl-users> > Author: Dr. Stephen Henson 
openssl-users> > Date:   Sun Dec 20 18:18:43 2015 +
openssl-users> > 
openssl-users> > Don't check RSA_FLAG_SIGN_VER.
openssl-users> > 
openssl-users> > Reviewed-by: Richard Levitte 
openssl-users> > 
openssl-users> 
openssl-users> This is related to:
openssl-users> 
openssl-users> commit 1c80019a2c8f59410552197723829fd72ab45a5e
openssl-users> Author: Dr. Stephen Henson 
openssl-users> Date:   Sat Sep 18 22:37:44 1999 +
openssl-users> 
openssl-users>  Add new sign and verify members to RSA_METHOD and change SSL
openssl-users>  code to use sign and verify rather than direct encrypt/decrypt.
openssl-users> 
openssl-users> Which was already present in 0.9.7.  Thus, presumably engines have
openssl-users> been expected to implement the "new" methods, if they were ported
openssl-users> to OpenSSL 0.9.7 or later.
openssl-users> 
openssl-users> It seems that perhaps the need to implement sign/verify and not just
openssl-users> encrypt/decrypt has not been communicated to the engine maintainers.
openssl-users> 
openssl-users> The master branch has:
openssl-users> 
openssl-users> commit 19c6d3ea2d3b4e0ad3e978e42cc7cbdf0c09891f
openssl-users> Author: Dr. Stephen Henson 
openssl-users> Date:   Wed Dec 2 14:30:39 2015 +
openssl-users> 
openssl-users>  Remove RSA_FLAG_SIGN_VER flag.
openssl-users> 
openssl-users>  Remove RSA_FLAG_SIGN_VER: this was originally used to retain binary
openssl-users>  compatibility after RSA_METHOD was extended to include rsa_sign and
openssl-users>  rsa_verify fields. It is no longer needed.
openssl-users> 
openssl-users>  Reviewed-by: Richard Levitte 
openssl-users> 
openssl-users> And while indeed the structure has been stable with sign/verify
openssl-users> methods for ages, engines that don't implement sign/verify may well
openssl-users> exist, so dropping the flag check can break some engines.

Hold on a minute...  there is a test that the function pointer is
assigned:

    if (rsa->meth->rsa_sign) {
        return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
    }

So what I can conclude without looking is that one of two things has
happened:

1. the RSA_METHOD hasn't been fully initialised, so the rsa_sign
   pointer is garbage.

2. the function that rsa_sign points at is faulty in some way, but has
   never been called before now because there was no RSA_FLAG_SIGN_VER
   bit present.

I just downloaded the latest portable OpenSMTPD and am noticing that
rsa_sign, rsa_verify and rsa_keygen are filled in (with rsae_sign,
rsae_verify and rsae_keygen), but that there are no bits at all
assigned to the flags field.  As far as I can see, this means that
these functions have never been called...  before now.

Ref: opensmtpd-5.7.3p1.tar.gz, smtpd/ca.c

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
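
The dispatch change discussed in this message, modelled as an added example (not OpenSSL or OpenSMTPD code): a method table that fills in rsa_sign but sets no flag bit never has its hook called under the flag-gated test, and always has it called under the pointer-only test. All model_* and hook_* names are hypothetical, and the structures keep only the fields the thread mentions.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model: only the fields discussed in the thread are kept.
 * MODEL_FLAG_SIGN_VER stands in for RSA_FLAG_SIGN_VER; its value is arbitrary. */
#define MODEL_FLAG_SIGN_VER 0x1

struct model_rsa;
typedef int (*model_sign_fn)(const unsigned char *m, unsigned int m_len,
                             const struct model_rsa *rsa);
struct model_method { model_sign_fn rsa_sign; };
struct model_rsa    { int flags; const struct model_method *meth; };

static int hook_calls;  /* times the method's rsa_sign hook actually ran */

/* Hypothetical engine hook, filled into the method table like rsae_sign. */
static int hook_sign(const unsigned char *m, unsigned int m_len,
                     const struct model_rsa *rsa)
{
    (void)m; (void)m_len; (void)rsa;
    hook_calls++;
    return 1;
}

/* Placeholder for the library's built-in signing path. */
static int builtin_sign(const unsigned char *m, unsigned int m_len)
{
    (void)m; (void)m_len;
    return 1;
}

/* Dispatch as in the removed line: flag AND pointer are both required. */
static int sign_flag_gated(const struct model_rsa *rsa,
                           const unsigned char *m, unsigned int m_len)
{
    if ((rsa->flags & MODEL_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
        return rsa->meth->rsa_sign(m, m_len, rsa);
    return builtin_sign(m, m_len);
}

/* Dispatch as in the added line: a non-NULL pointer is enough. */
static int sign_pointer_only(const struct model_rsa *rsa,
                             const unsigned char *m, unsigned int m_len)
{
    if (rsa->meth->rsa_sign)
        return rsa->meth->rsa_sign(m, m_len, rsa);
    return builtin_sign(m, m_len);
}

/* Audit predicate: hook was unreachable before the change and runs after it. */
int hook_newly_reachable(const struct model_rsa *rsa)
{
    return rsa->meth->rsa_sign != NULL && !(rsa->flags & MODEL_FLAG_SIGN_VER);
}

/* Sign once with the chosen dispatch and report how often the hook ran. */
int hook_calls_for(int flags, int has_hook, int pointer_only)
{
    struct model_method meth = { has_hook ? hook_sign : NULL };
    struct model_rsa rsa = { flags, &meth };
    const unsigned char msg[] = "constructed digest";

    hook_calls = 0;
    if (pointer_only)
        sign_pointer_only(&rsa, msg, sizeof(msg));
    else
        sign_flag_gated(&rsa, msg, sizeof(msg));
    return hook_calls;
}

int main(void)
{
    printf("flags=0, hook set: gated=%d pointer-only=%d\n",
           hook_calls_for(0, 1, 0), hook_calls_for(0, 1, 1));
    return 0;
}
```

hook_newly_reachable() is the check an integrator would run over their own method tables before picking up the change: any table for which it returns 1 has a signing hook that has never executed in production.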


Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 11:38:49PM +, Alex Rousskov via RT wrote:

> On 02/01/2016 02:32 PM, openssl-dev@openssl.org via RT wrote:
> 
> > Please be more explicit about what errors you feel were not reported.
> 
> One specific error mentioned during the previous discussion was "expired
> certificate". This was ~four years ago, so my recollection may be
> faulty, but I believe that was _not_ the only hidden error.

Expiration makes no sense for a certificate at the top of the chain,
it has no issuer, so the date is unsigned and meaningless.

> Back then, Stephen Henson semi-confirmed that some errors were hidden
> [because they were considered meaningless], so I hope we did not
> misdiagnose the issue. I do not know whether the code has changed since
> then.

I agree that the date is meaningless.  I do not agree that not
reporting "expiration" of such certificates is "hiding" an error.

IMHO, the code is correct as it stands.

-- 
Viktor.


[openssl-dev] [openssl.org #2317] Whitespace bug in ./config for Openssl 1.0.0a (OS X 10.6.4)

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2498] [PATCH] iOS Support

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2581] bug: Why do these 12 lines of Win32 code work on XP but hang forever in Vista and Windows 7?

2016-02-01 Thread Rich Salz via RT
Old release, but also points to a possible firewall in the way.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2583] confusing output on windows build in openssl1.0.0d

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2674] [PATCH] Fix compilation on GNU/Hurd and GNU/kFreeBSD

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #4285] SSL_CTX_load_verify_locations() fails without error with invalid files

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 08:56:28PM +, Timo Sirainen via RT wrote:

> If loaded file isn't valid, SSL_CTX_load_verify_locations() returns 0,
> but ERR_get_error() reports 0.

Actually, the processing of invalid files (that contain malformed
data) will push errors onto the error stack, but the processing of
*empty* files does not.

When a file is valid, but contains no objects the return value of
X509_load_cert_crl_file(), which is the number of objects loaded,
will be 0, this ultimately becomes the return value of
X509_LOOKUP_load_file(), and SSL_CTX_load_verify_locations() returns
early.

So indeed we should either decide that empty CAfiles or CRLfiles
are OK, or push a suitable error onto the stack if we found nothing
in the file at all.

I think that an empty CAfile is still a CAfile, that happens to
trust an empty set of CAs (mathematically sound degenerate case),
but that may not be the most useful behaviour in real life.

I'll leave it to others to decide what to do.

-- 
Viktor.
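
A caller-side pre-flight check for the empty-file case described above, as an added example that is not OpenSSL code or part of the original message: it classifies a CAfile's contents as empty, malformed or populated before they are handed to SSL_CTX_load_verify_locations(), so an empty file gets an explicit diagnostic. The function names, the label list and the sample inputs are assumptions of the example, and it checks only BEGIN/END framing, not the base64 or DER inside.

```c
#include <stdio.h>
#include <string.h>

/* Result of the pre-flight check; names are hypothetical, not OpenSSL's. */
enum ca_status { CA_HAS_OBJECTS, CA_EMPTY, CA_MALFORMED };

/* PEM labels counted as trust-store objects (an assumption of this example). */
static const char *const store_labels[] = {
    "CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CRL"
};

/* Count complete BEGIN/END blocks carrying one of store_labels.
 * Returns -1 when a BEGIN line is never closed by the matching END line. */
int count_store_objects(const char *pem)
{
    static const char begin[] = "-----BEGIN ";
    const char *p = pem;
    int count = 0;

    while ((p = strstr(p, begin)) != NULL) {
        const char *label = p + sizeof(begin) - 1;
        const char *dashes = strstr(label, "-----");
        char end_line[96];
        size_t len, i;

        if (dashes == NULL || dashes == label || dashes - label > 64)
            return -1;
        len = (size_t)(dashes - label);
        snprintf(end_line, sizeof(end_line), "-----END %.*s-----",
                 (int)len, label);
        p = strstr(dashes, end_line);
        if (p == NULL)
            return -1;
        p += strlen(end_line);
        for (i = 0; i < sizeof(store_labels) / sizeof(store_labels[0]); i++) {
            if (strlen(store_labels[i]) == len &&
                memcmp(store_labels[i], label, len) == 0) {
                count++;
                break;
            }
        }
    }
    return count;
}

/* Separate "nothing to load" from "damaged" so the caller can log each case. */
enum ca_status classify_ca_file(const char *contents)
{
    int n = count_store_objects(contents);

    if (n < 0)
        return CA_MALFORMED;
    return n == 0 ? CA_EMPTY : CA_HAS_OBJECTS;
}

/* Constructed samples: the base64 bodies are placeholders, not real DER. */
static const char sample_empty[] = "# trust store intentionally left blank\n";
static const char sample_one[] =
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";
static const char sample_cut[] =
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n";

int main(void)
{
    printf("empty=%d one=%d cut=%d\n", classify_ca_file(sample_empty),
           classify_ca_file(sample_one), classify_ca_file(sample_cut));
    return 0;
}
```

A file holding only other PEM objects, such as a private key, is also reported as CA_EMPTY, since it contributes nothing to the trust store.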


[openssl-dev] RT purge done

2016-02-01 Thread Salz, Rich
Thanks for your patience, and your mailbox's understanding.


--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz



Re: [openssl-dev] Fwd: latest OpenSSL causes OpenSMTPD to segv

2016-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2016 at 08:56:16PM +, Salz, Rich wrote:
> > This impacts all users who upgrade to OpenSSL 1.0.2f and will cause smtpd
> > to crash as soon as the RSA engine is used (ie: whenever there's crypto)
> 
> It would be interesting to see what they think was wrong.
> 
> Our intent is to NOT change APIs across letter releases.

The only thing I see that's plausibly pertinent is:

commit 6656ba7152dfe4bba865e327dd362ea08544aa80
Author: Dr. Stephen Henson 
Date:   Sun Dec 20 18:18:43 2015 +

Don't check RSA_FLAG_SIGN_VER.

Reviewed-by: Richard Levitte 

diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 82ca832..ed63a1d 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int 
m_len,
 return 0;
 }
 #endif
-if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
+if (rsa->meth->rsa_sign) {
 return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
 }
 /* Special case: SSL signature, just check the length */
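Review bot: In RSA_sign, the new test `if (rsa->meth->rsa_sign)` makes a non-NULL method pointer sufficient on its own, so an RSA_METHOD that fills in rsa_sign but never set RSA_FLAG_SIGN_VER on its keys moves from the code below this branch to its own hook without opting in. Please document that contract where RSA_METHOD implementers will see it (the description of the rsa_sign field and the release notes), stating that an implementation which does not want to handle signing must leave rsa_sign NULL.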
@@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned 
int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
 {

-if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
+if (rsa->meth->rsa_verify) {
 return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
 }
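Review bot: RSA_verify now hands the accept/reject decision to rsa->meth->rsa_verify whenever that pointer is non-NULL, and the patch, which touches only crypto/rsa/rsa_sign.c, adds no test for a method that sets rsa_verify while leaving RSA_FLAG_SIGN_VER clear. That is the one configuration whose behaviour changes here, so a regression test with such a method (flags == 0, rsa_verify set) should accompany the change, covering both a good and a bad signature.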


-- 
Viktor.


[openssl-dev] [openssl.org #2414] [critical bug]openssl1.0.0c coredump, if compile option "shared" is enabled

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2653] [BUG] OpenSSL 1.0.1 OpenVMS issues on VAX

2016-02-01 Thread Rich Salz via RT
master is building on vms and passing tests. so closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2889] safestack macros fail for C++ compilers that care about extern "C" function types

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2904] genpkey ignores "-outform DER"

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2445] openssl-1.0.0c loses base64 data if newline missing

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #2669] make test failure

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3186] Problem in configuring SSL in OPENLDAP

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3167] openssl pkcs8 does not convert from PKCS8 to "traditional format private key"

2016-02-01 Thread Rich Salz via RT
This is an issue reported against 0.9.x/1.0.0. If still an issue with current
release, please open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #4286] AutoReply: Debug in OpenSSL

2016-02-01 Thread Tiantian Liu via RT
Thanks for opening the ticket [openssl.org #4286] for me.
Thanks,
Tyler 

-Original Message-
From: The default queue via RT [mailto:r...@openssl.org] 
Sent: February-01-16 5:21 PM
To: Tiantian (Tyler) Liu
Subject: [openssl.org #4286] AutoReply: Debug in OpenSSL


Greetings,

This message has been automatically generated in response to the creation of a 
trouble ticket regarding:
"Debug in OpenSSL",
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been 
assigned an ID of [openssl.org #4286].

Please include the string:

 [openssl.org #4286]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

Thank you,
r...@openssl.org

-
Hi, ALL,

I am a software developer who is struggling with encryption and decryption issues
in my application.

Our customer complained our application crashed at the point where the OpenSSL
method, PEM_read_RSAPrivateKey, is being called.

However, I can't duplicate the crash on my machine, so I want to enable debug in
OpenSSL and core dumping on their machine, then I can get the core dump file
upon the crash on customer's side. And I can use GDB to debug the core dump to
see what happened inside the so-called PEM_read_RSAPrivateKey.

Today, I re-compiled my OpenSSL (version openssl-1.0.1p). However, when I set 
the breakpoint at PEM_read_RSAPrivateKey, my GDB can't step into that function, 
just bypassed directly.
My machine is 32-bit RedHat Enterprise 5. What I did in configure and 
installation:

#./Configure -g debug-linux-elf -prefix=/usr shared
# make
# make install

All the new generated libs were installed under /usr/lib

I use GDB command to check my setup. It looks like my GDB can recognize all the 
OpenSSL source code and loaded OpenSSL shared library symbols. I post the part 
of information from GDB:
(gdb) info sharedlibrary
From        To          Syms Read   Shared Object Library
0x00561a30  0x005c6364  Yes /usr/lib/libkrb5.so.3
0x0064f590  0x00666e94  Yes /usr/lib/libk5crypto.so.3
0x002407c0  0x004446c4  Yes /usr/lib/libptcoresdk.so.2
0x0070a7f0  0x0070af84  Yes /lib/libcom_err.so.2
0x008c55d0  0x00940594  Yes /usr/lib/libstdc++.so.6
0x005e86b0  0x00631eb4  Yes /usr/lib/libssl.so.1.0.0
0x00a73f00  0x00b81704  Yes /usr/lib/libcrypto.so.1.0.0
0x004f7a50  0x004f8a64  Yes /lib/libdl.so.2
0x004ff210  0x00509e34  Yes /lib/i686/nosegneg/libpthread.so.0
0x00722bd0  0x0081a7d0  Yes /lib/i686/nosegneg/libc.so.6
0x00513430  0x00517794  Yes /usr/lib/libkrb5support.so.0
0x0053f0d0  0x0054a064  Yes /lib/libresolv.so.2
0x0085a670  0x00861ea4  Yes /lib/libgcc_s.so.1
0x00675410  0x00690654  Yes /lib/i686/nosegneg/libm.so.6
0x00a1c7f0  0x00a3172f  Yes /lib/ld-linux.so.2

And I also ran command:
(gdb) info source
.
pem_pkey.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_pkey.c, pem_pk8.c, 
/home/tyler28/openssl-1.0.1p/crypto/pem/pem_pk8.c,
pem_oth.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_oth.c, pem_xaux.c, 
/home/tyler28/openssl-1.0.1p/crypto/pem/pem_xaux.c,
pem_x509.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_x509.c, pem_err.c, 
/home/tyler28/openssl-1.0.1p/crypto/pem/pem_err.c,
pem_all.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_all.c, pem_lib.c, 
/home/tyler28/openssl-1.0.1p/crypto/pem/pem_lib.c,
pem_info.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_info.c, pem_seal.c, 
/home/tyler28/openssl-1.0.1p/crypto/pem/pem_seal.c,
pem_sign.c, /home/tyler28/openssl-1.0.1p/crypto/pem/pem_sign.c, asn_moid.c, 
/home/tyler28/openssl-1.0.1p/crypto/asn1/asn_moid.c,
...

Then during debug, my GDB showed:
(gdb) break PEM_read_RSAPrivateKey
Breakpoint 2 at 0xb373fd: file pem_all.c, line 184.
(gdb) c
Continuing.
[Switching to Thread 14957456 (LWP 8796)]

Breakpoint 1, createRSAWithFilename (filename=0x82ef65a "out/private.pem", 
diag=0xe3ebdc "/MerchantConnectMulti/log/262.dg",
public=0) at ../multi_client/source_Host_C_Code/ssl_open.c:1385
1385    FILE * fp = fopen(filename,"rb");
(gdb) n
1387    if(fp == NULL)
(gdb) n
1393    RSA *rsa= RSA_new() ;
(gdb) n
1394    if(diag) SerialWriteTestLine_string_Time("FILE open on:", filename, diag);
(gdb) n
1395    if(diag) SerialWriteTestLine_Time("after RSA_new", diag);
(gdb) n
1398    if (rsa == NULL) {
(gdb) n
1408    if(public >0)
(gdb) n
1415    rsa = PEM_read_RSAPrivateKey(fp, ,NULL, NULL);
(gdb) s   -- GDB bypassed, I can't step into the function!
1419    if(diag) SerialWriteTestLine_Time("after PEM_read_RSAPrivateKey/PEM_read_RSA_PUBKEY", diag);

Beside that function, I found I can't step into any OpenSSL 

Re: [openssl-dev] [openssl.org #2768] Bug: internal_verify() hides errors from callbacks after X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

2016-02-01 Thread Alex Rousskov via RT
On 02/01/2016 02:32 PM, openssl-dev@openssl.org via RT wrote:

> Please be more explicit about what errors you feel were not reported.

One specific error mentioned during the previous discussion was "expired
certificate". This was ~four years ago, so my recollection may be
faulty, but I believe that was _not_ the only hidden error.

Back then, Stephen Henson semi-confirmed that some errors were hidden
[because they were considered meaningless], so I hope we did not
misdiagnose the issue. I do not know whether the code has changed since
then.


If you have not seen the previous discussion, you can see it at [1] but
there is probably a better/RT-specific place for that (which I do not
have access to).

[1]
http://openssl.6102.n7.nabble.com/openssl-org-2768-Bug-internal-verify-hides-errors-from-callbacks-after-X509-V-ERR-UNABLE-TO-VERIFY-LE-td34778.html


HTH,

Alex.



