This idea comes via https://bugzilla.mozilla.org/show_bug.cgi?id=1083767
(which I realize isn't on openssl's rt, but given the enormity of the
security problem I hope you'll forgive me). The proposal at that bug is
to create an environment variable for NSS to enforce disablement of
particular
applicable in areas where there are no error returns.
(A lack of error returns is often cited as a security liability in any
case.)
-Kyle H
On 7/11/2014 6:22 AM, balaji marisetti wrote:
@Kyle Hamilton
So should all the new programs stick to the idiom or check for -1 return code?
On 11 July
EC_POINT_is_on_curve is documented to return -1 on error, 0 if it's not
on the curve, and 1 if it is on the curve.
However, this breaks the standard idiom if(!EC_POINT_is_on_curve()) {
return BAD_KEY; }, because it requires an additional test for an error
condition.
I don't know what the best
http://opensslrampage.org/post/88383880093
I don't know if this has in fact been given to the OpenSSL team yet. I
am not jsing, and I am not involved in the OpenBSD audit.
However, this is important. If MD5 passes, but SHA1 fails, then the MAC
verification will pass. This reduces the security
If you are using the same fipscanister (that was properly built), there is
no need to revalidate. Any other situation that has a validation doesn't
follow the supported validation, and the answer cannot be found here.
-Kyle H
On Jan 29, 2014 10:24 PM, sam1982 ajay_sonaw...@symantec.com wrote:
1.3.6.1.4.1.22232.15.0: Curve25519 (That's out of my arc)
X coordinate is an OCTET STRING.
Y coordinate is a 0-byte OCTET STRING (since it's not defined as optional
in ASN.1, it must be present -- but how can you compress what doesn't
exist?)
When does the Point Compression patent expire,
Curve25519 public keys are 32-byte strings of digits. Private keys are
32-byte strings of digits. The agreement algorithm doesn't use the Y
coordinate at all.
djb has a fixed-clock-cycle algorithm he wrote in GNU assembly for Athlon.
I am unhappy with his insistence that nobody should try to
Sure, but you probably also didn't have them in /usr/local/ssl/man, instead
of /usr/local/man or /usr/man.
They need to go somewhere that the default man configuration on most
Linuxes will get to them, if not the BSDs.
-Kyle H
On Sat, Feb 16, 2013 at 6:41 AM, Kurt Roeckx via RT
Suggestions from my experience:
-Failing to verify the certificate after calling SSL_accept()
-Failing to verify minimum cipher strength for the application
-Failing to understand that the NULL suites give nothing and only take
extra bytes
-Misunderstanding that DN=CN:CA1;DN=CN:you does NOT match
See also http://egd.sourceforge.net/ (Entropy Gathering Daemon, written in perl)
-Kyle H
On Thu, Aug 11, 2011 at 12:33 PM, Vegard Nossum vegard.nos...@gmail.com wrote:
Hi,
I've written a small program that gathers randomness from the
uncertainty of scheduling between threads/cores in a
The names of the CAs accepted are already supposed to be sent as part of the
negotiation. It wasn't until after TLSv1.0 that the spec permitted a wildcard
CA name list.
This kind of information-leakage being a vulnerability also depends on the
application being authentication-naive. A web
The Security Policy is the document you need. Please see Steve
Marquess's link to the official copy at NIST. The Security Policy
explains everything, including what file you need to obtain, its HMAC,
how to verify it, what you must do to retain validation of the
canister, how to build the
A Gmail account, which allows you to send file attachments through
Google's smtp server up to 10MB in size, is free.
-Kyle H
On Sat, Sep 18, 2010 at 6:11 PM, Harold S. Henry har...@talerian.com wrote:
No luck sending to r...@openssl.org; the mail server still said the .chm file
exceeded its
Please send this to r...@openssl.org so that it goes into the request
tracker, or else it will likely be lost in the shuffle.
-Kyle H
On 9/7/10 1:56 PM, Vincent Labie wrote:
Hi,
Please find attached a BN/AES/SHA1 asm implementation for SH4 and MIPS32 little
endian systems (common CPUs in
certificates).
Kyle Hamilton wrote:
I was asked this morning where to find the X.509 specification,
since http://itu.int/ is such a messy website.
It's sad the 2008 version is only available for a fee.
I always thought the free 2005 version (and corresponding X.5xx
standards covering other
I was asked this morning where to find the X.509 specification, since
http://itu.int/ is such a messy website.
I'll point you to the general location, because it's a better piece of information to
have than the exact location. (There are other recommendations that X.509 refers to, and
being
The OpenSSL development team typically don't comment on a request until
they've fixed it. (I believe this is poor customer service, but I
also believe that I'm not entitled to good customer service until I've
paid for it.)
What appears to happen is this:
1) bug submitter sends an email to
I don't particularly like advocating other products here, but NSS
(from Mozilla) has a (relatively) secure PKCS#11 softoken
implementation, and it can interface with other PKCS#11 middleware.
The softoken has been FIPS-validated, at certain versions.
-Kyle H
On Thu, Jun 3, 2010 at 3:15 AM,
Please send patches (as attachments) to r...@openssl.org, so they can be
tracked. (rt will automatically assign a request number, and echo the
main content of the mail to openssl-dev.)
(Please note that I'm not a core developer, have no direct contact
with any of the core developers, and am
I think that line should be ret->options |=
SSL_OP_LEGACY_SERVER_CONNECT;, not simply an =.
-Kyle H
On Wed, Feb 17, 2010 at 10:03 AM, Tomas Hoger via RT r...@openssl.org wrote:
Hi!
SSL_CTX_new currently contains:
/* Setup RFC4507 ticket keys */
if
If you're going to send a patch, please send it to r...@openssl.org.
That gets the patch into the request tracker, and gets it into the
(relatively) formal review process.
-Kyle H
On Thu, Jan 28, 2010 at 4:54 PM, NARUSE, Yui nar...@airemix.jp wrote:
How about my previous patch, which lookup
Really, what needs to happen is that, in the case of VMS with a
limited C compiler that doesn't handle long symbols, the long symbols
need to be truncated in the *.num files. (This shouldn't need to be
done for any other platform at this instant, but...)
There's currently no conflict, so there's
On Fri, Jan 22, 2010 at 2:54 PM, Steven M. Schweda s...@antinode.info wrote:
SSL_set_session_ticket_ext_cb 308 EXIST::FUNCTION:
SSL_set1_param 309 EXIST::FUNCTION:
SSL_CTX_set1_param 310 EXIST::FUNCTION:
My understanding is that OpenSSL doesn't really use the trusted
certificate system, which contains the information about what a
certificate is trusted for. Further, the bits available for the
Windows store don't have an isomorphic mapping within the trust
parameters that OpenSSL provides.
Is
Er, *why* are you dropping the connection when renegotiation is tried?
The appropriate response, per RFC, if you don't want to renegotiate
is to send a warning no_renegotiation alert.
-Kyle H
On Mon, Nov 16, 2009 at 10:40 PM, joshi chandra
joshichandran...@gmail.com wrote:
Hi ,
I have lot
How about something like '-certopt none,ext'? I'd like to see an
option where 'none' automatically says 'no_header, no_sigdump,
no_version, no_subject, no_issuer, no_validity, no_serial, no_pubkey,
no_signame, no_ext', and anything after it is used to add to the
set... rather like how ciphers are
You may use an SSL_CTX object to create multiple sessions under multiple
threads. Each session must have all of its I/O done in one thread (due to
some rather nasty locking issues), but the SSL_CTX, once created and
populated, is generally not updated -- which means that it's safe to perform
Because the 'fipsld' script isn't actually necessary to pass FIPS
validation. The steps that that script does are necessary to maintain
validation, but they can be done by anything (once the FIPS canister
is created, anyway). Try setting OPENSSL_FIPS=1 in your
environment, and make sure that the
It goes without saying that any changes you have to make to the FIPS
module would be quite welcome if you passed them along upstream, along
with any information about the Priesthood of the CMVP that you're
dealing with which required the change, and why.
Then again, I don't know if there's an NDA
You forgot:
./config fipscanisterbuild asm
Since you're on an x86_64 platform, you can benefit a lot from the asm speedups.
-Kyle H
On Fri, Aug 28, 2009 at 2:48 AM, Mark Phalan mark.pha...@sun.com wrote:
On Thu, 2009-08-27 at 10:23 -0400, Steve Marquess wrote:
Mark Phalan wrote:
I've been
Don't worry 'bout it too much.
Could you please create that as a .diff file and attach it to an email
to r...@openssl.org? The rt system creates a case that can be tracked.
-Kyle H
On Mon, Jul 27, 2009 at 3:26 PM, Ben Nason bna...@netflix.com wrote:
Hi,
I am new to the list, so apologies if
Please mail these each as attachments to r...@openssl.org. This will
ensure that each gets entered into a trackable state, and also ensures
that the formatting for the patch files stays consistent.
-Kyle H
On Mon, Jun 29, 2009 at 7:54 PM, David
McCullough david_mccullo...@securecomputing.com
OpenSSL is distributed under a clause in US law which allows
openly-available cryptographic software to be exempt from ECCN filing,
under exemption TSU (EAR, section 740.13(e)).
It is very possible that what you are doing with it falls under ECCN
5D002 or another in the 5Dnnn series.
I am not a
To get zlib, use MacPorts. Then, './config --with-zlib=/opt/local/lib/'.
MacOS already has a supplicant, though, yes?
-Kyle H
On Tue, Jun 23, 2009 at 7:28 PM, loubot loubot.l...@quantatw.com wrote:
I have ported the supplicant with openssl.0.9.8k on Linux platform, and it's
working ok.
I test
The PrivateKey structure includes both the private and the public
parts. Once you read the private key, you don't need to separately
load the public.
-Kyle H
On Thu, Jun 18, 2009 at 3:36 AM, Vadim Lebedev va...@mbdsys.com wrote:
Hello,
I wonder if somebody can enlighten me:
At Page 283 of
openssl-1.0.0-beta2 has the following output:
==
=== SANITY TESTING!
=== No configuration will be done, all other arguments will be ignored!
==
SANITY ERROR:
These scripts pull the latest version of the Mozilla-approved CAs.
OpenSSL is not in the business of making CA certificates available,
but having the ability to do this in the stock package might be very
good for the users. (Make sure that such a tool warns the user that
the CA certificates are
Please, read INSTALL.W32. Also, please read
http://openssl.org/support/faq.html#PROG2 for more information. (This
is one of the most frequently asked questions.)
If you can, build OpenSSL yourself. This may not necessarily be
practical for you, but if you can it should help a lot.
-Kyle H
On
The pre-built OpenSSL library is provided by someone else. If you
want to get debug libraries for OpenSSL, you can compile them
yourself. Please see the FAQ, however; there are a couple of gotchas
on Windows systems which need to be addressed within your environment
during the compilation and
Hey all,
I'm trying to figure out (for my own reference) what functions I need
to provide for:
1) Implementing a new stream cipher
2) Implementing a new block cipher
3) Implementing a new asymmetric cipher
4) Implementing a new hash
5) Implementing a new mode (ECB, CFB, etc)
6) Implementing a
This is actually an openssl-users question, but don't worry too much
about it. :)
genrsa generates both the public and the private keys in the same
structure (PKCS#1). The command 'openssl rsa -in domainname.key
-pubout -out domainname.pub' will take the portion that has been
designated as the
Most of the OpenSSL functions and structures are generated by macros.
(OpenSSL is the most lispish C I've ever seen.) Look at apps/cms.c
for information on how to use them; in its basic configuration, it has
no dependencies on anything external. (It can be built to have
dependencies on external
http://www.ietf.org/internet-drafts/draft-ietf-tls-extractor-05.txt is
the current draft, and its name has now been changed to tls
exporter.
-Kyle H
On Thu, Jan 29, 2009 at 4:30 AM, Robin Seggelmann via RT r...@openssl.org
wrote:
This patch adds the TLS key material extractor described in
I'd prefer that IBM release whatever library they're using to identify
and handle Julian days. ;)
-Kyle H
On Thu, Apr 2, 2009 at 12:17 PM, Michael Tüxen
michael.tue...@lurchi.franken.de wrote:
Hi Steve,
Robin will port all the patches from
http://sctp.fh-muenster.de/dtls-patches.html
to the
If SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE are returned, the
arguments *must* be *exactly* the same. This includes the data
pointed to by the buffer. There is a way to set a mode on the SSL
connection to allow a moving buffer, but that's it. SSL will not
buffer the data passed to it.
If
Submit your patch to r...@openssl.org, and it'll go into the request
tracking system. I would also recommend that you wait for a bit more
than a single day before getting irritated with people who work on
this in their spare time, and have day jobs.
-Kyle H
On Wed, Apr 1, 2009 at 1:48 AM, Marc
that is used by the core
developers.
-Kyle H
On Wed, Apr 1, 2009 at 1:59 AM, Marc Haisenko haise...@comdasys.com wrote:
On Wednesday 01. April 2009 10:54:39 Kyle Hamilton wrote:
Submit your patch to r...@openssl.org, and it'll go into the request
tracking system. I would also recommend that you
On Wed, Apr 1, 2009 at 2:12 AM, Marc Haisenko haise...@comdasys.com wrote:
On Wednesday 01. April 2009 11:03:55 Kyle Hamilton wrote:
I was referring to the two threads cited in my patch e-mail:
[1] - http://marc.info/?l=openssl-dev&m=123754568501758&w=2
[2] - http://marc.info/?l=openssl-users&m
I hope the test reports I sent to -bugs are useful. I'm on a Mac OSX
10.5.6 machine, Intel-based, and I ran tests in both 32 and 64 bit
modes, both without and with the optional features. I do not have gmp
installed, nor zlib, so I cannot vouch for their usability; I did not
test krb5, and I
On Wed, Apr 1, 2009 at 4:55 AM, Lutz Jaenicke l...@lutz-jaenicke.de wrote:
Hi Kyle,
thank you very much for reports, they are currently sitting in the
moderation queue. I would kindly ask you and other testers to either
* send success messages to the list with just the platform mentioned
*
This list is *not* supposed to be a platform for trying to sell
product. Or even advocating for product.
You come in here, complaining about how a particular feature used in
one of the libraries breaks one of your instrumentation programs.
Okay, fine. We'll try to work with you on that.
But
OCSP is not part of the SSL handshake (except, as you mention, for
OCSP stapling).
You can look at apps/ocsp.c for information on how to use the OCSP
API. The best place to use it would be in the callback called by
SSL[_CTX]_set_verify().
-Kyle H
On Sun, Mar 29, 2009 at 11:02 PM, Yaweh
The best way to submit patches is to email them as attachments to
r...@openssl.org. That is the Request Tracker, and it makes things a
lot easier for the developers to keep track of.
-Kyle H
On Thu, Mar 26, 2009 at 2:59 AM, Ilya O. vrgh...@gmail.com wrote:
On Wed, Mar 25, 2009 at 5:37 PM,
This is a -users question, not a -dev question.
If openssl was installed from a package provided by or in the format
of your OS vendor, uninstall it using the vendor's packaging tools.
I've attached a list of files that are installed on my MacOSX machine
by 'make install'. (the './' at the
There is no such message in OpenSSL. That looks like it's a
diagnostic message from libcurl (or whatever component it uses to
perform its FTP functionality.)
-Kyle H
2009/3/18 曹婷 bupt_caot...@hotmail.com:
Hi developer,
OPENSSL_0.9.8A_AIX5.3_64BIT is the version installed on my working
You need to get off your high-horse.
-Kyle H
On Mon, Mar 16, 2009 at 2:23 PM, Kenneth Robinette
supp...@securenetterm.com wrote:
You need to take this discussion offline.
Ken
--- On Mon, 3/16/09, Allan K Pratt apr...@us.ibm.com wrote:
From: Allan K Pratt apr...@us.ibm.com
Subject: Re:
-create_serial does not exist in CA.sh, either.
-Kyle H
On Tue, Feb 24, 2009 at 1:46 PM, Nguyen, Kim via RT r...@openssl.org wrote:
The CA.sh script in 0.9.8j is missing the -extensions v3_ca flag. This
doesn't seem to be a problem in CA.pl
In comparison, CA.pl has:
print Making CA
-- automatically
sends a mail to openssl-dev when a new request is submitted -- which
allows for the discussion that you're looking for to take place.
-Kyle H
On Mon, Mar 9, 2009 at 4:52 PM, Allan K Pratt apr...@us.ibm.com wrote:
Kyle Hamilton aerow...@gmail.com wrote:
The best way is to send
The best way is to send a patch (unified diff) to r...@openssl.org.
This allows for ease of patching, and ensuring that the actual intent
of the patch is preserved at the source level.
The module owner will review the patch and apply it if appropriate,
and your name (and the fact that IBM
Please send this patch as an attachment to r...@openssl.org. This will
track it as a ticket.
-Kyle H
On Tue, Mar 3, 2009 at 2:37 PM, Oliver Martin oli...@volatilevoid.net wrote:
Hello,
this patch adds support for GeneralizedTime for startdate/enddate in
openssl ca. I submitted an earlier
This is a question that should go on openssl-users, since it does not
relate to the development of the library itself. However, since it's
asked here, I'll answer.
apps/dgst.c has the appropriate code.
Most of the OpenSSL public API documentation is poorly-written and
out-of-date. I wish there
If you have an IANA Private Enterprise Number, you can invent your
own OID (since you own an OID tree).
For example, mine is 1.3.6.1.4.1.22232. (To be explicit: you are NOT
authorized to invent any OID under this tree, as it belongs to me, not
you.)
http://pen.iana.org/pen/PenApplication.page
*** virgin/crypto/objects/obj_xref.h2009-02-10 05:01:06.0 -0800
--- openssl-SNAP-20090207/crypto/objects/obj_xref.h 2009-02-10
05:02:43.0 -0800
***
*** 1,4
! /* AUTOGENERATED BY objxref.pl, DO NOT EDIT */
typedef struct
{
--- 1,4
! /*
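Review bot: the changed line at the top of this hunk is the "AUTOGENERATED BY objxref.pl, DO NOT EDIT" banner of obj_xref.h, so a difference here should come from objxref.pl (or from regenerating the header) rather than from a hand edit, which the next regeneration would overwrite. The replacement line is cut off after "/*", so the message should state what the new banner reads and whether objxref.pl was changed to match.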
. Stephen Henson st...@openssl.org wrote:
On Sat, Feb 07, 2009, The Doctor wrote:
On Sat, Feb 07, 2009 at 12:46:52PM -0800, Kyle Hamilton wrote:
The bug does appear on OSX 10.5.6 (openssl-SNAP-20090207) with the
following command line: ./config threads shared no-sse2
enable-whrlpool enable-montasm
, 2009 at 2:30 AM
Subject: Re: Openssl-SNAP still erroring out
To: openssl-dev@openssl.org
On Fri, Feb 06, 2009, Kyle Hamilton wrote:
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206).
./config threads shared no-sse2 enable-whrlpool enable-montasm
enable-capieng enable
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206).
./config threads shared no-sse2 enable-whrlpool enable-montasm
enable-capieng enable-cms enable-seed enable-tlsext enable-camellia
enable-rfc3779 enable-mdc2 enable-rc5 zlib-dynamic
--prefix=/usr/contrib
Does the release of 0.9.8j also include the FIPS module support?
(i.e., is this a bug-fix only release, or does this include what you
have been working on for the past few months as well?)
-Kyle H
On Wed, Jan 7, 2009 at 4:10 AM, Dr. Stephen Henson st...@openssl.org wrote:
-BEGIN PGP SIGNED
SSL_get_peer_certificate(3ssl), SSL_get_peer_cert_chain(3ssl) will get
the certificate and certificate chain, respectively.
To control the verification process, you can use SSL_set_verify(3ssl)
and/or SSL_CTX_set_verify(3ssl). Note that the server must present a
certificate if it wants to ask
Not at all, sorry. OpenSSL is entirely C, and has no relation at all with C#.
-Kyle H
On Mon, Dec 22, 2008 at 12:33 PM, Steven MacLeod
steven.macl...@syfir.com wrote:
Hello, I have a quick question regarding open ssl, which so far I haven't
been able to make head or tail of. I have a .net win
You are cross-compiling, which means that the platform that you're on
cannot actually run the binaries that it builds.
If you do not have any .so files, it may not be able to create shared
libraries in that environment. The .a files, in that case, are static
libraries.
-Kyle H
On Sun, Dec 21,
Can the source be made available? I would like to use it on MacOSX.
-Kyle H
On Fri, Dec 19, 2008 at 11:43 PM, Shahin Khorasani
khoras...@amnafzar.com wrote:
Hi,
You can download simple utility to transform PKCS#1 RSA public key to
openssh public key format from here:
forwarding from -users for a query.
This is the second time that I've heard of bad end line or could
not decode base64 today. Did a change go into 0.9.8i that changed
base64 handling?
-Kyle H
On Thu, Dec 11, 2008 at 11:31 PM, Lutz Jaenicke jaeni...@openssl.org wrote:
Forwarded to
On Mon, Dec 1, 2008 at 8:53 PM, David Schwartz [EMAIL PROTECTED] wrote:
Problem Description:
When a digest has been signed and a response is produced,
the current version of openssl will not verify the contents
correctly if the certificate used to sign the digest has expired.
Solution:
When
On Mon, Dec 1, 2008 at 9:13 PM, Brad Mitchell [EMAIL PROTECTED] wrote:
I don't think there is anything in the openssl (ts) functions to accept
revocation to make this decision anyway.
External daemons do exist, such as (e.g.)
http://www.carillon.ca/tools/pathfinder.php
At the end of the day,
I'm not sure that CC is the appropriate place for fipsld. Maybe LD,
but CC has other uses.
-Kyle H
On Sat, Nov 29, 2008 at 5:41 PM, Brad House
[EMAIL PROTECTED] wrote:
Well, it's still not as finished as I'd like but since I'll be out of town
and offline until next week I'm releasing the
I dunno who I'm supposed to give feedback to, but this format of FIPS
announcement needs some work.
First, the subject line doesn't say anything about the version of the
FIPS module that has been validated. (In this case, it should be
something like OpenSSL FIPS 140-2 validation for module
Please submit your patch to [EMAIL PROTECTED] so it can be tracked in the
issue tracker?
-Kyle H
On Sun, Nov 9, 2008 at 2:37 PM, Philip Prindeville
[EMAIL PROTECTED] wrote:
This fixes the lack of tracing in Makefiles...
Replacing @ with $(Q) in all places except before '@echo' rule commands.
The algorithm for checking of the digital signature of the peer
certificate is covered in PKIX (RFC 3280, obsoleted by RFC 5280) and
the ITU standard X.509.
The library-client code for verifying a certificate can be found in
the apps/verify.c .
You might want to look at the man pages for
The GPL is explicitly not compatible with OpenSSL's license. This
makes it rather difficult to use GPL code in the project.
-Kyle H
On Mon, Oct 20, 2008 at 5:55 AM, George Romaniuk via RT [EMAIL PROTECTED]
wrote:
Do you have plans to support security engine in AMCC PPC440EPx
processor? AMCC
Fips folk: Should the 'fipsdso' target complain if it gets any other
command line arguments in ./Configure? Since specifying it means that
you're trying to build the shared object...
-Kyle H
On Sat, Sep 20, 2008 at 8:56 AM, The Doctor [EMAIL PROTECTED] wrote:
Need to split the FIPS and
ETA is Estimated Time of Arrival. Basically, he's asking when
OpenSSL 0.9.8i is going to be released.
-Kyle H
On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT
[EMAIL PROTECTED] wrote:
Hi,
On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote
Hi,
I have
On Mon, Sep 8, 2008 at 1:39 PM, Rafael Jorge Csura Szendrodi via RT
[EMAIL PROTECTED] wrote:
Hi,
On Mon, 8 Sep 2008 16:44:43 +0200 (CEST), Steve Pincaud via RT wrote
Hi,
I have seen the issue will be fixed in the next release, do you have an ETA
? (0.9.8i or 0.9.9 ?) , I would then ask
bn_mul_add_words is very CPU intensive, simply because the operation
it performs is very CPU-intensive. Public-key cryptography should not
be done lightly -- it should be done primarily to verify the security
of a per-session key (stream or block ciphering).
What exactly are you trying to do?
OpenSSL itself contains all sorts of apps that do it. openssl (or
openssl.exe) implements all the programs in the apps/ directory.
Also, 'make test' runs all the internal self-tests.
If you need to verify interoperability with something, figure out what
protocol it's using -- pkcs8, pkcs12, and
Option 2 works iff pthreads exists.
-Kyle H
On Thu, Aug 28, 2008 at 11:45 PM, Sander Temme via RT [EMAIL PROTECTED] wrote:
This affects OpenSSL 0.9.8 and trunk.
In engines/e_chil.c around line 594, the engine checks if it has mutex
callbacks to work with and, if not, errors out with the
On Tue, Aug 19, 2008 at 5:10 PM, Steve Marquess
[EMAIL PROTECTED] wrote:
Note YOU MUST FOLLOW THE SECURITY POLICIES EXACTLY OR ELSE THE
RESULTING LIBRARY WILL NOT BE COMPLIANT. This includes shutting your
UNIX machine down to single-user mode during the build process. It
probably would not
It's FIPS validation, not certification. (Not that I'm entirely sure
what the difference is, because when a validation is completed a
certificate is issued, but I've been corrected enough times by the
reps from the Open Source Software Institute that I don't dare call it
anything else. :))
to use for cryptographic purposes.
It isn't, and I didn't then and don't now advise its use. I said it never
blocks. It doesn't. So what was incorrect?
Kyle Hamilton wrote:
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon
On Thu, Aug 7, 2008 at 6:59 AM, David Schwartz [EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon (from a cryptographic
theory perspective).
You are at least somewhat incorrect
IBM limited the C compiler on AIX to only allow a certain number of
simultaneous invocations systemwide, based on the number of licenses
that have been purchased and installed on the system. If you have 1
simultaneous-invocation license, then anyone else who invokes the
compiler will block you
David S: to my knowledge you're at least somewhat incorrect, and part
of your advice is rather dangerous to rely upon (from a cryptographic
theory perspective).
/dev/urandom will never, under normal circumstances, block -- its
output is generated algorithmically by the random/urandom device
()) to an SSL
connection. The housekeeping work is up to you as the client of the
library, though, not something that can be left to the library.
-Kyle H
On Tue, Aug 5, 2008 at 6:53 AM, Darryl Miles
[EMAIL PROTECTED] wrote:
Kyle Hamilton wrote:
I cannot find any reference to AF_INET6
If the firewall blocks FTP, and there is no proxy that responds to
requests for FTP URLs, the browser will not be able to follow the
link. Do you have a webserver (http or https) upon which you can
place the file?
-Kyle H
On Wed, Jul 30, 2008 at 2:11 AM, petekolle123 [EMAIL PROTECTED] wrote:
I cannot find any reference to AF_INET6 in the sources, though I can
find AF_INET. This means that IPv6 is not supported.
Michael: software does need to support IPv6 in order to use it without
going through a gateway of some kind. The reason is that nobody's
figured out how to fit 128 bits of
Also: My web browser does support IPv6. (kame.net shows the moving
image.) My monitor and keyboard do not create socket connections, so
they have no need to.
-Kyle H
On Wed, Jul 30, 2008 at 8:02 AM, Michael Sierchio [EMAIL PROTECTED] wrote:
Ravindra wrote:
I'm looking for information
Debian c suffered from simply removing all calls to seed the random
number generator with enough entropy to make it secure.
When it comes to entropy, every little bit helps. The calls to add
uninitialized static variable locations are never relied upon to seed
the PRNG with enough entropy, but
fips-1.1.2 does not have validation for Diffie-Hellman.
Which version are you looking at?
-Kyle H
On Tue, Jul 8, 2008 at 2:57 AM, Nilay Tripathi [EMAIL PROTECTED] wrote:
Hi All,
I have a query regarding FIPS compliance for Diffie-Hellman api's in the
openssl stack.
FIPS uses the
deterministic to me, what is the approach which can be taken to tackle this
compliance issue.
Appreciate your help!!
Nilay
On Tue, Jul 8, 2008 at 3:48 PM, Kyle Hamilton [EMAIL PROTECTED] wrote:
fips-1.1.2 does not have validation for Diffie-Hellman.
Which version are you looking at?
-Kyle H
With the caveat that any changes you make will not have validation,
http://www.cryptopp.com/ has a C++ library which has certain binary
versions FIPS-validated. It may be helpful as reference material.
-Kyle H
On Tue, Jul 8, 2008 at 4:06 AM, Nilay Tripathi [EMAIL PROTECTED] wrote:
Hi,
I am
It's extremely unfortunate that anyone would want to remove tracking
information about queries. I don't think it's worth fully deleting
the request -- it's important to track information about the confusion
that the current advisory wording leaves in its readers, so that
perhaps feedback can be