openssl 3.0 beta versus actual
Hello While the beta version has been released now, please let us know if there is any timeline to release the actual 3.0 version ? What changes are expected to be 3.0 version compared to its beta ? it is restricted to bug-fixes only ? Thanks Regards Sandeep
[openssl-users] FIPS certification for openssl
Hello As per this blog: https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Steve who is instrumental in handling FIPS certification for openssl object module is no more associated with OSF. How can we proceed for future FIPS certification ? Is there any other contact person to perform FIPS certification for openssl object module ? Thanks Regards Sandeep -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Using TLS1.3 with OpenSSL
Hello Matt Are you planning to provide TLSv1.3 support for openSSL 1.0.2 version ? Thanks Sandeep From: Matt CaswellTo: "openssl-users@openssl.org" , "openssl-...@openssl.org" Date: 05/04/2017 06:52 PM Subject:[openssl-users] Using TLS1.3 with OpenSSL Sent by:"openssl-users" Hi all OpenSSL 1.1.1, when it is released, will support TLSv1.3 and it will be binary and source compatible with OpenSSL 1.1.0. If your application already supports 1.1.0 then, in theory, all you need to do to support TLSv1.3 is to drop in the new OpenSSL version. However there are various issues that application developers and application deployers need to be aware of. I have written a blog post to cover some of those things. You can read it here: https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/ Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Does CVE-2016-7055 only impact x86_64 platform ?
Hi Can you please clarify if CVE-2016-7055 only impact x86_64 platform ? What about other platforms listed in crypto/bn/asm/ folder which has Montgomery multiplication procedure, is it impacted ? Thanks Regards Sandeep -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] CVE-2016-2177
Hi Has this been officially published in openSSL ? Haven't seen a security advisory for the same. Regards Sandeep From: "Salz, Rich"To: "openssl-users@openssl.org" Date: 08/13/2016 12:51 AM Subject:Re: [openssl-users] CVE-2016-2177 Sent by:"openssl-users" Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1 -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz From: Scott Neugroschl [mailto:scot...@xypro.com] Sent: Friday, August 12, 2016 3:11 PM To: openssl-users@openssl.org Subject: [openssl-users] CVE-2016-2177 CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does this mean that the fix is not applied to the 1.0.1 series (in particular 1.0.1t)? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 | -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Need more information on CVE-2016-2842
Thanks for the information Matt. Regards Sandeep From: Matt Caswell <m...@openssl.org> To: openssl-users@openssl.org Date: 04/12/2016 12:44 AM Subject:Re: [openssl-users] Need more information on CVE-2016-2842 Sent by:"openssl-users" <openssl-users-boun...@openssl.org> On 11/04/16 19:12, Sandeep Umesh wrote: > Hello > > Can someone please provide more information on CVE-2016-2842? Is this > different from CVE-2016-0799 ? Looks like this CVE information is not > captured in the advisory - > _http://openssl.org/news/secadv/20160301.txt_ > > Also, does this below patch fixes both CVE-2016-2842 and CVE-2016-0799 - > _https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73_ CVE-2016-2842 is an identifier that was not issued by the OpenSSL Project and hence does not appear in the security advisory. The OpenSSL Project assigned CVE-2016-0799 and gave it the description as it appears in the advisory. Another organisation decided to split that into two different CVEs and assigned CVE-2016-2842. Whether you think of it as one CVE or two, the fix is the same, i.e. the commit that you identified fixes both. Matt -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Need more information on CVE-2016-2842
Hello Can someone please provide more information on CVE-2016-2842? Is this different from CVE-2016-0799 ? Looks like this CVE information is not captured in the advisory - http://openssl.org/news/secadv/20160301.txt Also, does this below patch fixes both CVE-2016-2842 and CVE-2016-0799 - https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73 Thanks Regards Sandeep -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] test for DROWN CVE
Hello How can anyone test if the server is susceptible to DROWN CVE? Possibly one of the methods is to check at https://drownattack.com/#check Apart from this, will be below command also be useful to verify for the impact? - $ openssl s_client -connect : -ssl2 Regards Sandeep -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] openSSL and SLOTH attack
Hello users, Is there any fixes available from openSSL community for the SLOTH attack - http://www.mitls.org/pages/attacks/SLOTH or what are the possible mitigation points? Thanks Sandeep ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Logjam impact on 0.9.8y version
Hello, I see a fix for logjam has been provided from 1.0.1 and 1.0.2 versions of openssl. https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ Does that imply 0.9.8 is not impacted by logjam? Also, Is it not required to disable export cipher suites in 0.9.8 version? Thanks Regards Sandeep___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] openssl impact on CVE-2015-2808
Hello Users, Just want to understand the impact of openssl for RC4 Bar mitzvah attack. Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. I am not sure if there will be any design change or openssl will try to disable RC4 support... But, Is disabling RC4 algo usage in the applications which are using openssl a better approach? Thanks Regards Sandeep___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
CVE-2014-5139 patch
Hello users, NVD vulnerability database confirms the below link as the patch for CVE-2014-5139 - https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0 This is indicating to CVE-2014-2970. Where as, the commit for CVE-2014-5139 seems to be - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e Can someone please confirm the patch for this CVE? Thanks Regards, Sandeep