Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

On Mon, May 30, 2016 at 5:58 PM, Viktor Dukhovni wrote: > Name constraints in the X.509v3 PKI have not worked well, and are > rarely used. The attack requires a issuing CA to be willing to > issue certificates beyond its constraints, that would be quite > noticeable

[openssl-dev] [openssl.org #4480] Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi"

I am confused; what is left to be done here? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4457] apps/apps.c and apps/ocsp.c needs for fd_set

Since it 'just works' for now, maybe remove the 1.1 milestone? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4457 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4502] CT todos

Viktor did the work. Whether or not I'm stupid is a separate ticket :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4502 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4364] [PATCH] ASN1_get_object should not accept large universal tags.

Fixed slightly differently by Steve. Closing. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4364 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi"

So what is left to do here, or should this ticket be closed? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4457] apps/apps.c and apps/ocsp.c needs for fd_set

On Tue May 31 18:04:39 2016, rsalz wrote: > Is this *literally* a Fedora 1 machine? If so, then I'm inclined to > close this > as it went end-of-life more than 12 years ago. On the other hand, according to The Open Group, sys/select.h should be included to get select() and all things belonging

[openssl-dev] [openssl.org #4457] apps/apps.c and apps/ocsp.c needs for fd_set

On Tue May 31 18:26:56 2016, rs...@akamai.com wrote: > Since it 'just works' for now, maybe remove the 1.1 milestone? > I agree. Making it post-1.1.0 -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4457 Please log in as guest with password

[openssl-dev] [openssl.org #4457] apps/apps.c and apps/ocsp.c needs for fd_set

Is this *literally* a Fedora 1 machine? If so, then I'm inclined to close this as it went end-of-life more than 12 years ago. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4457 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #4539] Documentation - Cipher names changed between 1.0.2 & 1.1.0-pre

Added a sub-section to ciphers.pod in commit 6d1e770. Thanks. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4539 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4164] bctest and pod2mantest missing in openssl-1.0.2e

I see both test/bctest and util/pod2mantest. Not sure why you didn't ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4164 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4502] CT todos

> On May 31, 2016, at 1:15 PM, Rich Salz via RT wrote: > > I do not understand what should be done for this ticket. Call me stupid :) I took care of the requisite changes already. Feel free to close the ticket. -- Viktor. -- Ticket here:

Re: [openssl-dev] Does OpenSSL support ECC-based S/MIME as defined in RFC 5753?

On Tue, May 31, 2016, Blumenthal, Uri - 0553 - MITLL wrote: > Does OpenSSL support ECC-based S/MIME as defined in RFC 5753? > > I was trying to create an encrypted S/MIME message using OpenSSL-1.0.2h, > and got the following: > > $ openssl smime -encrypt -aes128 -inform SMIME -in

[openssl-dev] [openssl.org #4487] Dirty compile under Windows 7 and MSVC 2012 (four to six non-trivial)

We fixed the naming issue for unlink et al. Can this ticket be closed? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4487 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler

We have rejected it a number of times. Doing so again. Please do not respond to this ticket again. On Tue May 31 17:00:39 2016, rsalz wrote: > So this got tagged with the 1.1 milestone. What exactly is there for > us to do > here? > The header files without 'extern "C"' are all okay, they just

[openssl-dev] [openssl.org #4487] Dirty compile under Windows 7 and MSVC 2012 (four to six non-trivial)

On Tue May 31 17:14:12 2016, rsalz wrote: > We fixed the naming issue for unlink et al. Can this ticket be closed? I'll do another check, just to make sure. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4487 Please log in as guest with

[openssl-dev] [openssl.org #4550] hppa assembler problem

Per Kurt, closing this as asm isn't supported on that platform variant. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4550 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler

So this got tagged with the 1.1 milestone. What exactly is there for us to do here? The header files without 'extern "C"' are all okay, they just have pre-processor directives in them. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if

[openssl-dev] [openssl.org #4502] CT todos

I do not understand what should be done for this ticket. Call me stupid :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4502 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2378] Bug report: interoperability problem

No, PRINTABLESTRING and UTF8STRING are not the same. This old mail thread might be useful: http://openssl.6102.n7.nabble.com/utf8string-vs-printablestring-mismatch-in-certificate-checking-td25810.html -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2378 Please log in as guest with

[openssl-dev] openssl.cnf causes Segmentation fault

Hi everyone. My intention is to modify the openssl.cnf file in order to add a new RSA ENGINE, dynamicaly. I have found the /etc/ssl/openssl.cnf file and after my modifications it looks like this: #openssl.cnf ### # # OpenSSL example

Re: [openssl-dev] [openssl.org #4551] TCP re-transmissions are seen for every transfer with the Openssl version OpenSSL 1.0.2g

On Tue, May 31, 2016 at 04:21:13PM +, ajai.mat...@wipro.com via RT wrote: > Hi, > We are facing an issue from the OpenSSL 1.0.2g ,after upgraded from OpenSSL > 1.0.0s . [Linux version 2.6.24] > When a https file transfer started with a Windows 7 application, we notice > many TCP

[openssl-dev] [openssl.org #4552] Bug report: hex string is too long, problem in set_hex()?

Classification: Public OS: SUSE Linux Enterprise Server 11 SP2 (x86_64) OpenSSL: versions 1.0.1m, 1.1.0-pre5 Using this command sequence: echo WuNhPwuWAOiG86RfO4A5jITR9WZ+kF1L+iBgGPQJ4dEJk8Sxiqb014bJsEGDbCfk | $ssl/bin/openssl enc -aes128 -d -a -iv 57fd56a7e47b9482096ab4707ca9d383 -K

Re: [openssl-dev] [openssl.org #4552] Bug report: hex string is too long, problem in set_hex()?

> If the size multiplier is changed to, say, 4, then the problem goes away with > no apparent ill effects. Reading the code for set_hex() and its caller, it > does > not appear that the size multiplier is related to a buffer size or some other > limitation. Yes it is, it's the size of the buffer

Re: [openssl-dev] [openssl.org #4552] Bug report: hex string is too long, problem in set_hex()?

Classification: Public Hello. Thanks for responding so quickly. Could you perhaps then tell us why the difference in behavior between version 1.0.1m and later versions, and why we would get "hex string is too long"? Kind Regards, David -Original Message- From: Salz, Rich via RT

[openssl-dev] [openssl.org #4552] Bug report: hex string is too long, problem in set_hex()?

As I said, I think there was a bug in previous versions that got the 'too long' check wrong. The command line that you posted is in error. There are two extra characters. As the message says :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4552 Please log in as guest with password

[openssl-dev] [openssl.org #4552] Bug report: hex string is too long, problem in set_hex()?

That hex key string looks off. It seems to include an ending \n (0a), which I suspect is because at an earlier time, someone forgot to peal off the ending linefeed. Take away the endine 0a and I'm sure things will be fine. The 'set_hex' check is exactly the same in the 1.0.1, 1.0.2 and upcoming

[openssl-dev] [OpenSSL][1.0.2h] Memory leaks

Ciao. Just built OpenSSL 1.0.2h from source and when running the tests I can see some memory leaks. The same did not happen when building previous versions on the same environment and same command line options. Thanks in advance. Find below the last bit of a long long long test output: ...

[openssl-dev] Null Ciphers in FIPS mode

Hi, Does Openssl allows NULL ciphers when we put openssl in FIPS mode? Thanks Darshan -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4456] Fedora 1, i386: error: field `next_timeout` has incomplete type

Re-Ping Jeff to take a look and see if things are fixed now. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4456 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

On Tue, May 31, 2016 at 02:49:05PM +, Blumenthal, Uri - 0553 - MITLL wrote: > >Could you explain your point in more detail than putting "wrong" > >in bold text? Though ad-hoc, it seems about the best one can do, > >absent additional information. > > IMHO allowing CN to be interpreted as a

Re: [openssl-dev] [openssl.org #4149] Resolved: [PATCH] ssl_set_pkey() unnecessarily updates certificates

I also closed out GH478 (which was a fix for RT4149). -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On May 31, 2016, at 9:29 AM, Matt Caswell via RT > wrote: According to our

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

>> What other implementations, and what did they do? Always treating a CN as a >> DNS name? We can't. > > As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iif there > is no subjectAltName extension and iif the CN is a valid dNSNa/iPAddress > syntactically. That approach seems

[openssl-dev] [openssl.org #4149] [PATCH] ssl_set_pkey() unnecessarily updates certificates

Steve fixed this via commit f72f00d495. Closing. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4149 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

> On May 31, 2016, at 9:54 AM, Blumenthal, Uri - 0553 - MITLL > wrote: > >> As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iif there >> is no subjectAltName extension and iif the CN is a valid dNSNa/iPAddress >> syntactically. > > That approach seems

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

I completely agree that nameconstraints are going to become a bigger deal, likely in the next 12-24 months, and certainly during the peak usage time of OpenSSL 1.1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3502 Please log in as guest with password guest if prompted --

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

> On May 31, 2016, at 2:43 AM, Brian Smith wrote: > > Not too long ago, there were changes to the CABForum rules about certificates > to make it easier for any website to get a CA certificates constrained to its > domain name. There were some problems with the loosening

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

>> What other implementations, and what did they do? Always treating a CN as a >> DNS name? We can't. > > As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iif there > is no subjectAltName extension and iif the CN is a valid dNSNa/iPAddress > syntactically. That approach seems

[openssl-dev] Does OpenSSL support ECC-based S/MIME as defined in RFC 5753?

Does OpenSSL support ECC-based S/MIME as defined in RFC 5753? I was trying to create an encrypted S/MIME message using OpenSSL-1.0.2h, and got the following: $ openssl smime -encrypt -aes128 -inform SMIME -in Cyph_Bot_test.eml -outform SMIME -out Cyph_Bot_test.smime.eml -subject SMIME_ECC

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

Here's a set of obvious questions: -- What is the current design? Is there a concise-and-complete statement somewhere? -- What are the design constraints? What is it that openssl MUST do? What is it that openssl MUST NOT do? -- What information is available? -- What

Re: [openssl-dev] [openssl.org #3502] nameConstraints bypass bug

>>On May 31, 2016, at 9:54 AM, Blumenthal, Uri - 0553 - MITLL >> wrote: >> >>> As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iif >>>there is no subjectAltName extension and iif the CN is a valid >>>dNSNa/iPAddress syntactically. >> >> That approach seems

[openssl-dev] [openssl.org #4551] TCP re-transmissions are seen for every transfer with the Openssl version OpenSSL 1.0.2g

Hi, We are facing an issue from the OpenSSL 1.0.2g ,after upgraded from OpenSSL 1.0.0s . [Linux version 2.6.24] When a https file transfer started with a Windows 7 application, we notice many TCP re-transmission request from Linux and finally the file transfer getting failed. we are yet to get

[openssl-dev] [openssl.org #4551] TCP re-transmissions are seen for every transfer with the Openssl version OpenSSL 1.0.2g

Asking general support issues != a bug :) Closing this. Please discuss on the mailing lists. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4551 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #3738] [PATCH] tell make running subcommands are make based

In 1.1 this is fixed by a rewrite of the build system. In 1.0.2, we don't mandate/require Posix and I have portability concerns about this so we won't do it, sorry. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3738 Please log in as guest with password guest if prompted --