Re: [openssl-users] Spam

2016-04-19 Thread Salz, Rich

> the wider problem case is how non-subscribers are given two-way access to the 
> list that exposes so much subscriber info (name, professional affiliation, 
> email addr, ...) to whomever. i cannot fathom why the list does not make use 
> of aliases so that each subscriber can control what they want to make public 
> via their alias profile.

List membership is not public.  Only members can post to the list.  Not sure 
what else you think we are doing wrong.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] THREAD CLOSED: (was: Spam)

2016-04-19 Thread Viktor Dukhovni
Folks, we're here to discuss using OpenSSL, not email list management.
Junk mail is a negligible issue for this list.  Discussion of junk
mail causes a lot more distraction than the junk mail itself.

Therefore, unless the list becomes substantially dominated by junk
mail, please keep your thoughts about junk email off this list.

Thanks.

-- 
Viktor.


[openssl-users] Spam

2016-04-19 Thread Scott Neugroschl
Can the spam filters on the listserv be updated?   Got two today in Spanish and 
Portuguese for monetary scams.  Anyone else getting these?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124





Cielo - Confirm your participation (Prize No. 00003881) (21989)

2016-04-19 Thread openssl-users
Title: Message

Cielo

Nothing beats this machine!

CIELO REWARDS PROGRAM

On your next purchase of R$ 25.00 or more with any credit or debit card
on a Cielo machine, you are entered into weekly prize draws.

R$ 50 thousand drawn over 1 year, plus 30 super prizes of R$ 25 thousand
every week

PARTICIPATE

The Cielo Prize Purchase does not add fees to the card bill.
Prizes are paid in cash directly to the winner. Amounts are net of income tax, as per current legislation,
backed by capitalization bonds from Brasilcap Capitalização S.A., CNPJ 15.138.043/0001-05, approved by SUSEP,
Processes No. 19501.002814/2013-61 (Cielo customer), No. 19501.002831/2013-92 (retailers) and No. 19501.002831/2013-25 (salespeople).
SUSEP's approval of these bonds does not imply, on the part of the Agency, any incentive or recommendation for their acquisition, and represents
solely their compliance with the rules in force. See the regulations on the website.


[openssl-users] Banco do Brasil - Ticket 332016501 (Notice) (62759)

2016-04-19 Thread openssl-users
Title: Untitled document

Banco do Brasil

Notice

Dear Customer,
Banco do Brasil has been changing to improve your life, and is making available one more solution for your achievements, offering you more comfort and convenience. Discover the New Banco do Brasil
Banco do Brasil is the segment for high-potential customers, with larger credit lines, exclusive service and branches, and your manager available 24 hours a day at the relationship center.

What is included in this new version?
		- Improvements to the security system;
		- Fixes for flaws in your security certificate;
		- Access to exclusive branches without queues;
		- Exemption from fees for credit card and checking account;
		- Credit cards (MasterCard® Black and Visa Infinite) with no sign-up fee or annual fee;
		- Increased overdraft limits with interest of 1.2% per month;
		- Mortgage credit with interest of 6% per year and a grace period of up to 12 months before you start paying;
		- Financing with interest of 6% per year and a grace period of up to 12 months before you start paying.

This new option is already available to you; you only need to confirm the request.

Confirm

More Information


[openssl-users] OpenSSL version 1.1.0 pre release 5 published

2016-04-19 Thread OpenSSL

   OpenSSL version 1.1.0 pre release 5 (beta)
   ==========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 5 has now
   been made available. For details of changes and known issues see the
   release notes at:

http://www.openssl.org/news/openssl-1.1.0-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0-pre5.tar.gz
  Size: 5289112
  SHA1 checksum: 1cbc066e471c831ae8c0661abb80361b4d211a70
  SHA256 checksum: 25acbdfa5e0259ed20159670e88ddb4257970f80ce923427bd201133e6e580db

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0-pre5.tar.gz
openssl sha256 openssl-1.1.0-pre5.tar.gz

   Please download and check this beta release as soon as possible.
   Bug reports should go to r...@openssl.org. Please check the release
   notes and mailing lists to avoid duplicate reports of known issues.

   Yours,

   The OpenSSL Project Team.

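As an added example (not part of the announcement and not OpenSSL project tooling), the shell script below checks a downloaded tarball against the size and SHA256 checksum published in the announcement before anything is unpacked. The function names `sha256_of` and `verify_release` are illustrative, and the `sha256sum` fallback assumes a host with coreutils.

```shell
#!/bin/sh
# Added example: verify a release tarball against the announced values.

# Published values, copied from the announcement above.
TARBALL="openssl-1.1.0-pre5.tar.gz"
EXPECTED_SIZE=5289112
EXPECTED_SHA256="25acbdfa5e0259ed20159670e88ddb4257970f80ce923427bd201133e6e580db"

# sha256_of FILE: print the hex SHA256 digest of FILE.
# Uses "openssl sha256" as the announcement does; falls back to
# sha256sum (an assumption about the host) when openssl is absent.
sha256_of() {
    if command -v openssl >/dev/null 2>&1; then
        # Output looks like "SHA256(file)= <hex>"; the digest is the last field.
        openssl sha256 "$1" | awk '{print $NF}'
    else
        sha256sum "$1" | awk '{print $1}'
    fi
}

# verify_release FILE SIZE SHA256
# Returns 0 when both size and digest match, 1 on a mismatch,
# 2 when FILE does not exist.
verify_release() {
    file=$1 want_size=$2 want_sha=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # Size first: cheap, and catches truncated downloads early.
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, want $want_size" >&2
        return 1
    fi

    # Normalise case so an upper-case published digest still compares equal.
    got_sha=$(sha256_of "$file" | tr 'A-F' 'a-f')
    want_sha=$(printf '%s' "$want_sha" | tr 'A-F' 'a-f')
    if [ "$got_sha" != "$want_sha" ]; then
        echo "SHA256 mismatch: got $got_sha" >&2
        return 1
    fi
    echo "OK: $file"
}

# Run the check only when the tarball is present in the current directory;
# stop before unpacking if it does not match the announcement.
if [ -f "$TARBALL" ]; then
    verify_release "$TARBALL" "$EXPECTED_SIZE" "$EXPECTED_SHA256" || exit 1
fi
```

The published values are only as trustworthy as the channel they arrived on, so take them from the signed announcement rather than from the download site that served the tarball.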


Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/19/2016 10:43 AM, Jakob Bohm wrote:
> On 19/04/2016 16:31, Steve Marquess wrote:
>> On 04/19/2016 09:16 AM, Jakob Bohm wrote:
>>> On 19/04/2016 13:44, Leaky wrote:
>>>> Thanks, but I am still scratching my head as to if that is even
>>>> possible on Windows, which would mean you can't actually compile the
>>>> FIPS canister on Windows and meet the security policy.
...
> 
>> As documented in Appendix A of the Security Policy, for Windows the
>> required canonical build commands are:
>>
>>    ms\do_fips no-asm
>>
>> or
>>
>>    ms\do_fips
>>
>> instead of the "./config ...; make" used for *nix style platforms. The
>>
>>    gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
>>    cd openssl-fips-2.0.N
>>
>> is still required, which as you noted can be done with a third party
>> "gunzip", e.g. from Cygwin.
>>
>> Note that from a software engineering viewpoint it doesn't make much
>> sense to require that a "gunzip" command be installed and used when
>> another equivalent method of expanding the tarball is available, but the
>> CMVP required the specification of fixed build commands from the very
>> first validation.
>>
>> No requirement that a specific version of "gunzip" be used, so the use
>> of a script would appear to be permitted.
> Note that the official GNU gunzip is (as mentioned) a shell script.

My point was that even more generally use of various command definitions
appears to be allowed. For example, we have sometimes used such scripts
and/or "CC=gcc" style aliases for formal platform testing. Cross
compilations in particular generally aren't possible without such
command redefinitions; for those you're usually replacing multiple
native (to the build system) commands with those in the cross-compile
toolkit.

Use of command redefinitions to affect the behavior of the compiler (as
by adding compiler options) is rather more of a dark gray area.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Jakob Bohm

On 19/04/2016 16:31, Steve Marquess wrote:
> On 04/19/2016 09:16 AM, Jakob Bohm wrote:
>> On 19/04/2016 13:44, Leaky wrote:
>>> Thanks, but I am still scratching my head as to if that is even
>>> possible on Windows, which would mean you can't actually compile the
>>> FIPS canister on Windows and meet the security policy.
>>
>> There are Windows ports of gzip, gunzip and tar.  For example in the CYGWIN
>> distribution (from https://cygwin.com) or MingW32 (those 2 are free), there
>> are also commercial versions such as MKS.
>>
>> If you use the CYGWIN variant, but run under the Windows CMD shell, you
>> will have to create a .CMD equivalent of the gunzip shell script. Instead
>> of the long winded code to output messages about what gunzip is, the
>> following one line file should do the trick (there is no lf or crlf at
>> the end of the line!), save this as gunzip.cmd somewhere on your PATH.
>>
>> @x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
>>
>> (x:\SOMEPATH\CYGWIN is obviously wherever you installed CYGWIN)
>>
>> Similarly create tar.cmd
>
> Good catch, Jakob. I missed the Windows part.

I missed it too, Leaky caught it

> As documented in Appendix A of the Security Policy, for Windows the
> required canonical build commands are:
>
>    ms\do_fips no-asm
>
> or
>
>    ms\do_fips
>
> instead of the "./config ...; make" used for *nix style platforms. The
>
>    gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
>    cd openssl-fips-2.0.N
>
> is still required, which as you noted can be done with a third party
> "gunzip", e.g. from Cygwin.
>
> Note that from a software engineering viewpoint it doesn't make much
> sense to require that a "gunzip" command be installed and used when
> another equivalent method of expanding the tarball is available, but the
> CMVP required the specification of fixed build commands from the very
> first validation.
>
> No requirement that a specific version of "gunzip" be used, so the use
> of a script would appear to be permitted.

Note that the official GNU gunzip is (as mentioned) a shell script.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/19/2016 09:16 AM, Jakob Bohm wrote:
> On 19/04/2016 13:44, Leaky wrote:
>>> The Security Policy is quite specific on the requirements, which make no
>>> allowance for the common sense (to a software engineer) fact that there
>>> are equivalent multiple ways to accomplish each step (such as unzipping
>>> the tarball). You are also specifically required to begin with the
>>> official tarball. Per the Security Policy, you *must* do:
>>>
>>> gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>>>
>>> and *not* any functionally equivalent alternative such as:
>>>
>>> tar -zxf openssl-fips-2.0.12.tar.gz
>>>
>> Thanks, but I am still scratching my head as to if that is even
>> possible on
>> Windows, which would mean you can't actually compile the FIPS canister on
>> Windows and meet the security policy.
>>
> There are Windows ports of gzip, gunzip and tar.  For example in the CYGWIN
> distribution (from https://cygwin.com) or MingW32 (those 2 are free), there
> are also commercial versions such as MKS.
> 
> If you use the CYGWIN variant, but run under the Windows CMD shell, you
> will have to create a .CMD equivalent of the gunzip shell script. Instead
> of the long winded code to output messages about what gunzip is, the
> following one line file should do the trick (there is no lf or crlf at
> the end of the line!), save this as gunzip.cmd somewhere on your PATH.
> 
> @x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*
> 
> (x:\SOMEPATH\CYGWIN is obviously wherever you installed CYGWIN)
> 
> Similarly create tar.cmd

Good catch, Jakob. I missed the Windows part.

As documented in Appendix A of the Security Policy, for Windows the
required canonical build commands are:

  ms\do_fips no-asm

or

  ms\do_fips

instead of the "./config ...; make" used for *nix style platforms. The

  gunzip -c openssl-fips-2.0.N.tar.gz | tar xf -
  cd openssl-fips-2.0.N

is still required, which as you noted can be done with a third party
"gunzip", e.g. from Cygwin.

Note that from a software engineering viewpoint it doesn't make much
sense to require that a "gunzip" command be installed and used when
another equivalent method of expanding the tarball is available, but the
CMVP required the specification of fixed build commands from the very
first validation.

No requirement that a specific version of "gunzip" be used, so the use
of a script would appear to be permitted.

Confusing, for sure...

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Jakob Bohm

On 19/04/2016 13:44, Leaky wrote:
>> The Security Policy is quite specific on the requirements, which make no
>> allowance for the common sense (to a software engineer) fact that there
>> are equivalent multiple ways to accomplish each step (such as unzipping
>> the tarball). You are also specifically required to begin with the
>> official tarball. Per the Security Policy, you *must* do:
>>
>>    gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>>
>> and *not* any functionally equivalent alternative such as:
>>
>>    tar -zxf openssl-fips-2.0.12.tar.gz
>
> Thanks, but I am still scratching my head as to if that is even possible on
> Windows, which would mean you can't actually compile the FIPS canister on
> Windows and meet the security policy.

There are Windows ports of gzip, gunzip and tar.  For example in the CYGWIN
distribution (from https://cygwin.com) or MingW32 (those 2 are free), there
are also commercial versions such as MKS.

If you use the CYGWIN variant, but run under the Windows CMD shell, you
will have to create a .CMD equivalent of the gunzip shell script. Instead of the
long winded code to output messages about what gunzip is, the following one
line file should do the trick (there is no lf or crlf at the end of the
line!), save this as gunzip.cmd somewhere on your PATH.

@x:\SOMEPATH\CYGWIN\bin\gzip.exe -d %*

(x:\SOMEPATH\CYGWIN is obviously wherever you installed CYGWIN)

Similarly create tar.cmd


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Leaky
> The Security Policy is quite specific on the requirements, which make no
> allowance for the common sense (to a software engineer) fact that there
> are equivalent multiple ways to accomplish each step (such as unzipping
> the tarball). You are also specifically required to begin with the
> official tarball. Per the Security Policy, you *must* do:
>
>    gunzip -c openssl-fips-2.0.12.tar.gz | tar xf -
>
> and *not* any functionally equivalent alternative such as:
>
>    tar -zxf openssl-fips-2.0.12.tar.gz
>

Thanks, but I am still scratching my head as to if that is even possible on
Windows, which would mean you can't actually compile the FIPS canister on
Windows and meet the security policy.





Re: [openssl-users] FIPS compile issue with Perl on Windows

2016-04-19 Thread Steve Marquess
On 04/18/2016 08:25 PM, Jakob Bohm wrote:
> On 19/04/2016 01:51, Steve Marquess wrote:
>> On 04/18/2016 04:05 PM, Leaky wrote:
> plus you're constrained by the
> requirements of the Security Policy to build the module with precisely
> the commands:
>
>   gunzip -c openssl-fips-2.0.12.tar.gz | tar xvf -
>   cd openssl-fips-2.0.12
>   ./config
>   make
>>> Silly question... I know that you should only run the above commands,
>>> but
>>> can you deviate from the unzip tool, i.e. use 7zip?
>>>
>>> ...
>>
>> There is no point in attempting to do the usual configuration management
>> and software version control on the contents of the
>> openssl-fips-2.0.12.tar.gz tarball. You CANNOT change the content; there
>> can be no changes to manage!!!
> Almost true.  If it wasn't banned by the FIPS security policy, checking in
> the uncompressed tarball could be used to efficiently manage and track new
> upstream releases of the tarball and to document which exact upstream FIPS
> canister source code (and hence corresponding validation date) was
> incorporated into which product version (an aspect of FIPS compliance which
> someone might want to audit

Well, the righteous way to track the "exact upstream FIPS canister
source code" is by the SHA1 digest of the tarball that is documented in
the Security Policy.

> 
> But alas, as you clarify below, this is not permitted by the OpenSSL FIPS
> security policy directly incorporated into the validation.
> 
> The slightly less efficient idea of putting the compressed tarball into
> the configuration control repository (which in this case *is* tracking the
> build configuration, not the code versions) is probably (I am not sure)
> against the policy that the tarball must be taken "securely" from the
> physical CD mailed out by the OpenSSL foundation.

Per the CMVP internal storage and transmission of the official tarball
within the end user organization is not subject to any special
requirements, once that organization has received the official
snail-mailed CD disk. So for instance the east coast office of vendor
XYZ could copy the openssl-fips-2.0.12.tar.gz tarball off of the
official CD onto the corporate internal network, where it could be
retrieved and used by the west coast office. So by that logic you could
stash the complete tarball in an internal repository.

That doesn't make a lot of sense, but hey it's FIPS 140-2. The CMVP was
most insistent on the snail-mailed CD requirement during the #1747
validation -- resolution of that "secure distribution" issue held up the
validation by a couple of months -- but I can't help but notice that
several "Alternative Scenario 1A/1B" validations granted since then
(which are supposedly carbon copy clones) have been allowed to omit the
snail-mail CD requirement. So even the CMVP itself is confused by this
requirement.

> So the thing that can probably be put into a repository is the binary
> FIPSCannister.o file along with copies of any documents certifying how,
> where, from what and by whom said FIPS canister was built.

Exactly, and this is my recommendation (per section 5.5 of the FIPS
module User Guide).

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc