openssl 3.0 beta versus actual

2021-06-25 Thread Sandeep Umesh
Hello
 
While the beta version has been released now, please let us know if there is any timeline to release the actual 3.0 version?
 
What changes are expected in the 3.0 version compared to its beta? Is it restricted to bug fixes only?
 
Thanks
 
Regards
Sandeep
 



[openssl-users] FIPS certification for openssl

2017-11-29 Thread Sandeep Umesh

Hello

As per this blog:
https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/

Steve, who is instrumental in handling FIPS certification for the openssl object
module, is no longer associated with OSF.
How can we proceed for future FIPS certification? Is there any other
contact person to perform FIPS certification for the openssl object module?
Thanks

Regards
Sandeep

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Using TLS1.3 with OpenSSL

2017-05-10 Thread Sandeep Umesh

Hello Matt

Are you planning to provide TLSv1.3 support for the openSSL 1.0.2 version?

Thanks
Sandeep




From: Matt Caswell
To: "openssl-users@openssl.org", "openssl-...@openssl.org"
Date: 05/04/2017 06:52 PM
Subject: [openssl-users] Using TLS1.3 with OpenSSL
Sent by: "openssl-users"



Hi all

OpenSSL 1.1.1, when it is released, will support TLSv1.3 and it will be
binary and source compatible with OpenSSL 1.1.0. If your application
already supports 1.1.0 then, in theory, all you need to do to support
TLSv1.3 is to drop in the new OpenSSL version. However there are various
issues that application developers and application deployers need to be
aware of. I have written a blog post to cover some of those things. You
can read it here:

https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

Matt


[openssl-users] Does CVE-2016-7055 only impact x86_64 platform ?

2017-01-30 Thread Sandeep Umesh

Hi

Can you please clarify if CVE-2016-7055 only impacts the x86_64 platform? What
about other platforms listed in the crypto/bn/asm/ folder which have a Montgomery
multiplication procedure, are they impacted?
Thanks


Regards
Sandeep


Re: [openssl-users] CVE-2016-2177

2016-08-16 Thread Sandeep Umesh

Hi

Has this been officially published in openSSL? Haven't seen a security
advisory for the same.

Regards
Sandeep




From: "Salz, Rich"
To: "openssl-users@openssl.org"
Date: 08/13/2016 12:51 AM
Subject: Re: [openssl-users] CVE-2016-2177
Sent by: "openssl-users"



Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Scott Neugroschl [mailto:scot...@xypro.com]
Sent: Friday, August 12, 2016 3:11 PM
To: openssl-users@openssl.org
Subject: [openssl-users] CVE-2016-2177

CVE 2016-2177 notes that it applies to all versions up to 1.0.2h.   Does
this mean that the fix is not applied to the 1.0.1 series (in particular
1.0.1t)?


---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805
583-2874|Fax 805 583-0124 |




Re: [openssl-users] Need more information on CVE-2016-2842

2016-04-11 Thread Sandeep Umesh
Thanks for the information Matt.

Regards
Sandeep




From: Matt Caswell <m...@openssl.org>
To: openssl-users@openssl.org
Date: 04/12/2016 12:44 AM
Subject: Re: [openssl-users] Need more information on CVE-2016-2842
Sent by: "openssl-users" <openssl-users-boun...@openssl.org>





On 11/04/16 19:12, Sandeep Umesh wrote:
> Hello
> 
> Can someone please provide more information on CVE-2016-2842? Is this
> different from CVE-2016-0799? Looks like this CVE information is not
> captured in the advisory -
> http://openssl.org/news/secadv/20160301.txt
> 
> Also, does the below patch fix both CVE-2016-2842 and CVE-2016-0799 -
> https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73


CVE-2016-2842 is an identifier that was not issued by the OpenSSL
Project and hence does not appear in the security advisory. The OpenSSL
Project assigned CVE-2016-0799 and gave it the description as it appears
in the advisory. Another organisation decided to split that into two
different CVEs and assigned CVE-2016-2842. Whether you think of it as
one CVE or two, the fix is the same, i.e. the commit that you identified
fixes both.

Matt


[openssl-users] Need more information on CVE-2016-2842

2016-04-11 Thread Sandeep Umesh
Hello

Can someone please provide more information on CVE-2016-2842? Is this
different from CVE-2016-0799? Looks like this CVE information is not
captured in the advisory -
http://openssl.org/news/secadv/20160301.txt

Also, does the below patch fix both CVE-2016-2842 and CVE-2016-0799 -
https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73
 


Thanks

Regards
Sandeep



[openssl-users] test for DROWN CVE

2016-03-03 Thread Sandeep Umesh
Hello

How can anyone test if the server is susceptible to DROWN CVE? 

Possibly one of the methods is to check at https://drownattack.com/#check

Apart from this, will the below command also be useful to verify the
impact? -
$ openssl s_client -connect : -ssl2 


Regards
Sandeep



[openssl-users] openSSL and SLOTH attack

2016-01-07 Thread Sandeep Umesh
Hello users,

Are there any fixes available from the openSSL community for the SLOTH attack -

http://www.mitls.org/pages/attacks/SLOTH

or what are the possible mitigation points?

Thanks
Sandeep




[openssl-users] Logjam impact on 0.9.8y version

2015-06-27 Thread Sandeep Umesh
Hello,

I see a fix for logjam has been provided from 1.0.1 and 1.0.2 versions of 
openssl.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

Does that imply 0.9.8 is not impacted by logjam? Also, is it not required
to disable export cipher suites in the 0.9.8 version? Thanks

Regards
Sandeep


[openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Sandeep Umesh

Hello Users,

Just want to understand the impact of openssl for RC4 Bar mitzvah attack.

Please correct me if my understanding is wrong, basically this attack is
triggered based on the design of RC4.
openssl is one of the implementers of RC4 algo.
I am not sure if there will be any design change or openssl will try to
disable RC4 support...
But is disabling RC4 algo usage in the applications which are using
openssl a better approach? Thanks

Regards
Sandeep


CVE-2014-5139 patch

2014-08-25 Thread sandeep umesh
Hello users,

NVD vulnerability database confirms the below link as the patch for
CVE-2014-5139 -

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0

This indicates CVE-2014-2970.

Whereas the commit for CVE-2014-5139 seems to be -
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e

Can someone please confirm the patch for this CVE? Thanks

Regards,
Sandeep