Re: [openssl-users] How do I uninitialize OpenSSL properly?
According to the answer I received at http://stackoverflow.com/questions/29845527/how-to-properly-uninitialize-openssl there is apparently a ticket with my problem out there already, namely the one here: https://rt.openssl.org/Ticket/Display.html?id=2561

The newest answer even references my thread. I know some people don't like removing memory leaks of objects that get initialized only once and are being used until shutdown, but if the solution Mat proposed really does the trick, I would really appreciate it if someone(tm) could take the time to put this seemingly small fix in the code.

Cheers
Alex

Sent: Tuesday, 28 April 2015 at 20:06
From: Salz, Rich rs...@akamai.com
To: openssl-users@openssl.org openssl-users@openssl.org
Subject: Re: [openssl-users] How do I uninitialize OpenSSL properly?

> Unfortunately this didn't solve my problem, but at least I narrowed it down. The leaks are caused by my call to SSL_CTX_load_verify_locations, which is essentially X509_STORE_load_locations.

Doesn't freeing the SSL_CTX_free release that data? If not, please file an RT ticket.

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Implementing the rsa_sign callback
Hello all!

I'm implementing a custom engine providing its own RSA method. I need to provide the rsa_sign callback, which is required to call my own code in case when ex_data is set and call a default callback otherwise.

For other callbacks I use the appropriate callbacks from the rsa_pkcs1_eay_meth, as other engines do. But the rsa_pkcs1_eay_meth does not provide a rsa_sign callback.

What is the correct way to implement the rsa_sign callback?

Thank you!

--
SY, Dmitry Belyavsky
[openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question...

My webserver is getting flooded with queries like:

    ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3
    ocsp.omniroot.com 222.161.249.75 - - [30/Apr/2015:19:24:33 +0200] GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1 301 184 - Microsoft-CryptoAPI/6.1

If I understand it right, because the query was sent to my server (China's Great Firewall DNS poisoning at work), and not to original ocsp.omniroot.com, somebody's browser or device was not able to verify if the certificate is still valid or not - am I correct here?

Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Tomasz Chmielewski
Re: [openssl-users] Is it possible to add a Client Hostname to an SSL Client Certificate?
Alexandre Arantes wrote:
> one of them asked me why did I choose not to add the client hostname to the Client Certificate, thus making it usable only by that specific client.

There are no standardized naming rules for client certs like the TLS server hostname check implemented at the client side. You have to define and implement your own naming/mapping rules at the server side.

> And so I started searching online for ways to do it, but found nothing.

No wonder because there's no standard way.

Several possibilities for client cert names:
- subject DN
- issuer-DN + serial no.
- cert fingerprint
- Any naming convention stuffed into subjectAltName extension

Some inspiration in various server software:

FakeBasicAuth in Apache's mod_ssl: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#ssloptions

Certificate Mappers in OpenDJ: http://docs.forgerock.org/en/opendj/2.6.0/configref/certificate-mapper.html

Ciao, Michael.
Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
Hello,

On 30/04/2015 19:44, Tomasz Chmielewski wrote:
> This might not be very relevant to OpenSSL, but I'm not sure if there is any better list for this question...
>
> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3
> ocsp.omniroot.com 222.161.249.75 - - [30/Apr/2015:19:24:33 +0200] GET /baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D HTTP/1.1 301 184 - Microsoft-CryptoAPI/6.1
>
> If I understand it right, because the query was sent to my server (China's Great Firewall DNS poisoning at works), and not to original ocsp.omniroot.com, somebody's browser or device was not able to verify if the certificate is still valid or not - am I correct here?

I don't remember the exact behaviour of the first client (I guess it's an Apple machine) on receiving this answer. For the Microsoft one, the client will try to get the CRL, and should also try a POST request to the OCSP responder, but I don't remember which one is tried first.

> Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Not directly. The first request asks for the status of certificate whose serial number is 0x0727A46A, the second for the certificate with serial number 0x0727AA47, both certificates are issued under the same CA, this CA is the root C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root.

If you can crawl a certificates database (there are several out there), you can probably find the exact requested certificate (it should be a CA, too).
Re: [openssl-users] OCSP: ocsp.omniroot.com/baltimore/... - what is it exactly?
> My webserver is getting flooded with queries like:
>
> ocsp.omniroot.com 124.205.254.7 - - [30/Apr/2015:19:24:30 +0200] GET /baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D HTTP/1.1 301 184 - ocspd/1.0.3

Well, that stinks. url-decoding (%2b is + and %3d is =), and then base64 decoding it can give you the OCSP request:

    ; ./openssl ocsp -text -reqin x.der
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: C12F4576ED1559ECB05DBA89BF9D8078E523D413
              Issuer Key Hash: E59D5930824758CCACFA085436867B3AB5044DF0
              Serial Number: 0727A46A

> Is it possible to say what Common name / fqdn / certificate is queried in such requests?

Not really. The protocol assumes that the requestor has the cert, and the server has the serial#, so the protocol sends the minimal information. Sorry.
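Added example, not part of the original thread: the decoding described in the two replies above (url-decode, base64-decode, then read the CertID fields) done directly on the request paths from the quoted access-log lines. The function names and the small DER walker are this example's own, not OpenSSL code; it assumes the client percent-encodes any `/` in the base64, as both logged requests do.

```python
import base64
from urllib.parse import unquote

# Request paths copied from the two access-log lines quoted in the thread.
SAMPLE_PATHS = [
    "/baltimoreroot/MEowSKADAgEAMEEwPzA9MAkGBSsOAwIaBQAEFMEvRXbtFVnssF26ib"
    "%2BdgHjlI9QTBBTlnVkwgkdYzKz6CFQ2hns6tQRN8AIEByekag%3D%3D",
    "/baltimoreroot/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom"
    "%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACBAcnqkc%3D",
]

HASH_OIDS = {"2b0e03021a": "sha1", "608648016503040201": "sha256"}
SEQUENCE, OCTET_STRING, INTEGER = 0x30, 0x04, 0x02


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items


def parse_ocsp_get(path):
    """Return one dict per CertID carried in an OCSP GET request path."""
    # '/' inside the base64 arrives as %2F here, so split before decoding.
    encoded = path.rsplit("/", 1)[-1]
    der = base64.b64decode(unquote(encoded), validate=True)
    tag, ocsp_request, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not an OCSPRequest")
    tbs_request = children(ocsp_request)[0][1]
    # version [0] and requestorName [1] are optional and context-tagged;
    # requestList is the first universal SEQUENCE inside TBSRequest.
    request_list = next(
        (v for t, v in children(tbs_request) if t == SEQUENCE), None)
    if request_list is None:
        raise ValueError("no requestList found")
    found = []
    for _, request in children(request_list):
        cert_id = children(children(request)[0][1])
        if [t for t, _ in cert_id] != [SEQUENCE, OCTET_STRING,
                                       OCTET_STRING, INTEGER]:
            raise ValueError("unexpected CertID layout")
        oid = children(cert_id[0][1])[0][1].hex()
        found.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": cert_id[1][1].hex().upper(),
            "issuer_key_hash": cert_id[2][1].hex().upper(),
            "serial": cert_id[3][1].hex().upper(),
        })
    return found


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(parse_ocsp_get(p))
```

Grouping log entries by `issuer_key_hash` and `serial` shows how many distinct certificates the misdirected clients are asking about; the first sample encodes the default version field explicitly and the second omits it, which is why the parser looks for the request list by tag rather than by position.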
[openssl-users] Error signing document
Dear Openssl,

I have the following case: I am trying to sign a file with a private key from a CA. I converted the pfx file to a pem file using the following command

    openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes

After this I trying to sign a file using this key with the following command

    openssl cms -sign -in TestfileIN.txt -out TestfileSign.tmp -outform DER -binary -nodetach -md SHA1 –signer CustKeyIcBD001.pem

However I keep getting the message

    No signer certificate specified

I have put all files in the same directory and don't see why this is going wrong. Can anybody help me out on this?

Regards,
Mark
Re: [openssl-users] SHA256() to EVP_* ?
From: openssl-users On Behalf Of jonetsu
Sent: Wednesday, April 29, 2015 10:07

snip

> The man page (the one online from OpenSSL project - SHA256.html) gives a description using SHA1() which computes a message digest.

Note this is the same page for SHA{1,224,256,384,512}{,_Init,_Update,_Final}.html and is the same content that is provided as 'man' pages on a Unix install of OpenSSL. On Unix systems a man page for several related routines (or types/structures etc) can actually be one file with multiple links to it, but the website doesn't bother.

> Being generally new to OpenSSL at that level, what is then the difference between using, say, SHA1() vs. using SHA1_Init, SHA1_Update and SHA1_Final ? Is it only that the latter allows for continuously add data until _Final is called ?

Very nearly. The 'all-in-one' routine SHA1() consists of:
- declare (thus implicitly allocate) CTX
- provide a static buffer by default (for legacy but this is a bad idea, it is unsafe for threads or recursion, and should not be used today)
- do SHA1_Init and test for error (error won't actually occur but this preserves a consistent structure with other algorithms that might)
- do EXACTLY ONE SHA1_Update
- do SHA1_Final
- cleanse the CTX to prevent leakage of data that might be sensitive (whether it actually is sensitive depends on what the data is, but to be on safe side always cleanse) and implicitly deallocate

and similarly for the other algorithms.

So the difference using separate calls is: you can do multiple _Update steps/buffers, and you must handle the CTX and output buffer. And you can do more flexible things like compute both SHA1 and MD5 for the same data concurrently, without needing to buffer all the data (which in some applications might exceed your memory) or reread it (which may be impossible in some applications like streaming video).

You may be thinking: this is just a small convenience, it's not hard to do the separate routines. You're right, it's not. But if it happens 10 or 20 or 50 places in your code, saving 10 lines 50 times is 500 lines you don't have to write, read, keep in source control, compile every build, cover in your test strategy and coverage reports, etc. Even a small convenience is still a convenience.
Re: [openssl-users] Error signing document
From: openssl-users On Behalf Of m.de.groot
Sent: Thursday, April 30, 2015 14:46

> I converted the pfx file to a pem file using the following command
>
> openssl pkcs12 -in CustKeyIcBD001.pfx -out CustKeyIcBD001.pem -nodes
>
> After this I trying to sign a file using this key with the following command
>
> openssl cms -sign -in TestfileIN.txt -out TestfileSign.tmp -outform DER -binary -nodetach -md SHA1 -signer CustKeyIcBD001.pem
>
> However I keep getting the message
>
> No signer certificate specified

If you have accurately copied your command to the email, you are using a Windows-cp1252 dash character (hex code 96) not a hyphen (2D) for the -signer option. Use the classic traditional ASCII hyphen.
Re: [openssl-users] CMS questions
On 4/30/15 6:32 PM, Richard Welty wrote:
> 1) the documentation on d2i_CMS_ContentInfo() is a bit light on details about the parameters. what should the first parameter be, a certificate as with d2i_X509?

ok, figured this one out for myself, should have read the d2i_X509 documentation more carefully.

richard
[openssl-users] Trying to understand DTLS (as it applies to webrtc)
Hi everyone,

This is my first time posting to this list - so if there's a better place for this question please let me know.

The problem I'm trying to fix applies to the Janus webrtc gateway ( https://github.com/meetecho/janus-gateway) and my application which is using native C++ webrtc.

What happens is that after hundreds of successful connections, sometimes the Janus server is unable to negotiate a DTLS handshake and after a key exchange the webrtc client replied with a DTLS Alert: Decrypt failed message. I'm attaching a wireshark trace of the issue happening and one for the correct negotiation. The problem refuses to fix itself till Janus is restarted.

Both installations are using Openssl. Janus is compiled with version 1.0.1f

If someone can help explain how DTLS key exchange works and what's going wrong in the above trace it would be great! I'm completely at a loss as far as this is concerned!

Thanks all!

Attachments: WebrtcDTLSNegotation.pcapng, janusbaddtlsnegotiation.pcapng
Re: [openssl-users] Performance problems with OpenSSL and threading
(plain text and removed most of the history)

John if you don’t mind reviewing my change to Apache Traffic Server. It seems to be working very well. Thank you again!

https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=blobdiff;f=iocore/net/SSLUtils.cc;h=0b732440636ab4e9eaedf237a5674bdc790c3e73;hp=2fae4820d7bab301340368e6be22445476d8d948;hb=d41e96f;hpb=ba1d6f7c9394c5efadb68cf9cf06f9b90f267b09

-Bryan

On Apr 30, 2015, at 3:52 PM, Bryan Call bc...@apache.org wrote:

This is for Apache Traffic Server and we have no knobs for turning on/off FIPS. I am thinking about always disabling FIPS right now and that would happen before we create the threads.

I was able to get rid of all the FIPS lock connection with the changes you recommend (Big Thanks!). The big one now is type 1. I am printing out the log every time the contention total is mod 1M. Are there any tricks I can do for type 1 locks?

    [Apr 30 22:46:49.549] Server {0x7f1e4531d700} ERROR: contention for lock - total contention: 400 waiting: 1 file: pmeth_lib.c line: 185 type: 10
    [Apr 30 22:46:49.688] Server {0x7f1e45822700} ERROR: contention for lock - total contention: 1100 waiting: 2 file: err.c line: 469 type: 1
    [Apr 30 22:46:50.406] Server {0x7f1e45c26700} ERROR: contention for lock - total contention: 400 waiting: 0 file: ex_data.c line: 304 type: 2
    [Apr 30 22:46:50.932] Server {0x7f1e45b25700} ERROR: contention for lock - total contention: 1200 waiting: 5 file: err.c line: 446 type: 1
    [Apr 30 22:46:52.001] Server {0x7f1e45721700} ERROR: contention for lock - total contention: 100 waiting: 0 file: rand_lib.c line: 212 type: 19

-Bryan
Re: [openssl-users] Performance problems with OpenSSL and threading
This is for Apache Traffic Server and we have no knobs for turning on/off FIPS. I am thinking about always disabling FIPS right now and that would happen before we create the threads.

I was able to get rid of all the FIPS lock connection with the changes you recommend (Big Thanks!). The big one now is type 1. I am printing out the log every time the contention total is mod 1M. Are there any tricks I can do for type 1 locks?

    [Apr 30 22:46:49.549] Server {0x7f1e4531d700} ERROR: contention for lock - total contention: 400 waiting: 1 file: pmeth_lib.c line: 185 type: 10
    [Apr 30 22:46:49.688] Server {0x7f1e45822700} ERROR: contention for lock - total contention: 1100 waiting: 2 file: err.c line: 469 type: 1
    [Apr 30 22:46:50.406] Server {0x7f1e45c26700} ERROR: contention for lock - total contention: 400 waiting: 0 file: ex_data.c line: 304 type: 2
    [Apr 30 22:46:50.932] Server {0x7f1e45b25700} ERROR: contention for lock - total contention: 1200 waiting: 5 file: err.c line: 446 type: 1
    [Apr 30 22:46:52.001] Server {0x7f1e45721700} ERROR: contention for lock - total contention: 100 waiting: 0 file: rand_lib.c line: 212 type: 19

-Bryan

On Apr 29, 2015, at 11:37 AM, John Foley fol...@cisco.com wrote:

Correct. Locks 39/40 are only useful while the POST is running. Once the POST completes, the POST status never changes again unless the POST runs again. The only way to run the POST is by invoking FIPS_mode_set(1). But there should be no reason to invoke FIPS_mode_set(1) more than once unless you want to provide some sort of run-time FIPS mode toggle capability.

You're asking in the context of Apache, right? Apache just has a global FIPS on/off knob in the config. If set, FIPS is enabled for the lifetime of the process and never disabled/re-enabled. You would invoke FIPS_mode_set(1) once prior to spinning up the worker threads. Therefore, the POST would be finished prior to any multi-threaded processing.

On 04/29/2015 01:53 PM, Bryan Call wrote:

Can I safely assume that if I call FIPS_mode_set(0) and get a successful return value then I don’t need to lock when there are callbacks for type 39 and 40 locks (for OpenSSL 1.0.1 and 1.0.2)?

-Bryan

On Apr 28, 2015, at 10:22 AM, John Foley fol...@cisco.com wrote:

In the context of OpenSSL 1.0.1 or 1.0.2, this means FIPS_mode_set(1) has returned with a successful return value.

In the future, this may change if/when OpenSSL does another FIPS validation. CMVP has changed the implementation guidance that requires the POST to run automatically without user intervention. Any future FIPS validations would be subject to the new rules. Hence, the behavior of FIPS_mode_set() may change in the future if OpenSSL decides to pursue another validation.

On 04/28/2015 12:43 PM, Bryan Call wrote:

What do you mean by “FIPS POST has completed”?

-Bryan

On Apr 24, 2015, at 4:17 PM, John Foley fol...@cisco.com wrote:

Some of the algorithms still invoke the FIPS flavor of the algorithm even when FIPS is disabled. For example, this code is from EVP_DigestUpdate().

    int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
    {
    #ifdef OPENSSL_FIPS
        return FIPS_digestupdate(ctx, data, count);
    #else
        return ctx->update(ctx, data, count);
    #endif
    }

In 1.0.1, locks 39 and 40 are:

    # define CRYPTO_LOCK_FIPS   39
    # define CRYPTO_LOCK_FIPS2  40

You should try adding some logic to skip the lock in your lock handler when the lock ID is 39 or 40. Again, it should be safe to not lock on these two as long as the FIPS POST has completed.

On 04/24/2015 05:56 PM, Bryan Call wrote:

In my last email I ran the benchmark on Fedora 21 (big mistake). Here are the results when running it back on the 28/56 core RHEL 6.5 server showing contention in a different place (fips). Is there a reason it would be calling into the FIPS code to get a lock if FIPS is not enabled?

Contention log:

    [Apr 24 21:35:09.731] Server {0x7f5529ccd700} ERROR: contention for lock - total contention: 70662 waiting: 16 file: fips.c line: 471 type: 40
    [Apr 24 21:35:09.732] Server {0x7f55299ca700} ERROR: contention for lock - total contention: 71605 waiting: 2 file: fips.c line: 107 type: 39

Line in fips that see the contention the most:

    [bcall@bm77 trafficserver]$ grep fips.c diags.log | cut -f 19 -d ' ' | sort | uniq -c | sort -rn
    875379 471
    288338 107
    275472 127

Different lock types and their contention frequency (multiple benchmarks):

    875379 40 - in fips.c
    563810 39 - also in fips.c
    440518 1
    44145 18
    17447 2
    11356 10
    1377 19
    687 12
    532 25
    302 33
    239 9
    58 16
    40 21
    32 11
    19 3
    1 14

Code to disable FIPS and log:

    #ifdef OPENSSL_FIPS
    int mode = FIPS_mode();
Re: [openssl-users] CMS questions
On 2/24/15 10:10 AM, Dr. Stephen Henson wrote:
> On Tue, Feb 24, 2015, Richard Welty wrote:
>> On 2/24/15 9:21 AM, Dr. Stephen Henson wrote:
>>> Typically you'd write the signed content to a memory BIO and then decrypt that. Precisely how you decrypt the enveloped data depends on the format. It might be in MIME format in which case you'd pass it through the MIME parser. Alternatively it could be enveloped data content type in which case you'd decode it as BER form. There are shortcuts you can make if, for example, you know the signed content is not detached and in BER form.
>>
>> it will not be detached, and will be in BER form. shortcuts (as long as they're in a documented API) are welcome as this is in a path that should be fast.
>
> So the embedded content type will be enveloped data? If so first you can check that type using CMS_get0_eContentType(). Then you can use CMS_get0_content() to retrieve the embedded content as a pointer to an OCTET STRING pointer. You should check that content is not NULL and then retrieve the encoding of the content using ASN1_STRING_data and ASN1_STRING_length. Once you have those you can decode using d2i_CMS_ContentInfo().
>
> A couple of those functions are currently undocumented (that will be fixed) but nothing in that involves using structure internals.

coming back to this after a bit of time; the project is finally getting fired up. there are two questions in front of me right now:

1) the documentation on d2i_CMS_ContentInfo() is a bit light on details about the parameters. what should the first parameter be, a certificate as with d2i_X509?

2) is there something roughly analogous for encryption? i need a fast-but-documented path for encrypting and signing data using BER on the server that will be decrypted client (and vice versa).

thanks, richard