Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread William M Edmonds via RT
Why do you have to trust root CAs? Why can't you trust at a lower level, e.g. an intermediate CA or even a leaf certificate that is not a CA at all? Allowing this should inject no security issue and in fact enhance security by allowing you to be more restrictive in what you are willing to trust.

[openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg

2016-08-09 Thread Brian Smith
I was curious about the function ecp_nistz256_neg. This function seems to work exactly how I expect for reduced inputs; i.e. inputs in the range [0, P). And, it also seems to work how I expect for P: ecp_nistz256_neg(P) == ecp_nistz256_neg(0) == 0. So, everything seems fine for inputs in the range

Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread David Woodhouse
On Tue, 2016-08-09 at 02:08 +, Viktor Dukhovni wrote:
> On Tue, Aug 09, 2016 at 01:45:24AM +, William M Edmonds via RT wrote:
> >
> > If I specify a CAfile that includes the leaf certificate and/or
> > intermediate CA certificates, but not the root certificate, then
> > verification

Re: [openssl-dev] OPENSSL provided by Cavium

2016-08-09 Thread balaji marisetti
I think this question is better directed at Cavium support centre.
>I wanted to ask whether we can install Cavium OPENSSL Toolkit on
>Linux OS (on Cavium hardware), just as we install a standard OPENSSL?
Yes. You can install it as normal OpenSSL on Linux OS and all your applications should work

Re: [openssl-dev] [openssl.org #4643] [patch] pass EVP_MD to engines verifyctx_init and signctx_init

2016-08-09 Thread Schüller Felix via RT
On Mon Aug 08 13:52:12 2016, Stephen Henson wrote:
>> for some engine-implementations one needs the possibility to change
>> the EVP_MD used in signctx_init and verifyctx_init.
>> (because different EVP_MD are needed for standalone calculating of the
>> digest and calculating the digest during

[openssl-dev] [openssl.org #4643] [patch] pass EVP_MD to engines verifyctx_init and signctx_init

2016-08-09 Thread Rich Salz via RT
Closing per original poster.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4643
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Viktor Dukhovni
On Tue, Aug 09, 2016 at 10:53:59AM +0100, David Woodhouse wrote:
> > As expected, unless you use the "-partial" flag in the command-line
> > utilities, or use the X509_VERIFY_PARAM_set_flags() to set the
> > X509_V_FLAG_PARTIAL_CHAIN flag when using the API.
>
> Is there an equivalent for 1.0.1?

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

2016-08-09 Thread Michel via RT
Hi, As I obviously needed to improve my test program, I am now encrypting and decrypting files trying all ciphers in all their available modes. ( ChaCha20, AES-128, AES-192, AES-256, Blowfish, Cast5, Camellia-128, Camellia-192, Camellia-256, IDEA, Seed, 3 Keys Triple-DES, 2 Keys Triple-DES ) (

Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Viktor Dukhovni
> On Aug 9, 2016, at 2:52 PM, Salz, Rich via RT wrote:
>
> As Viktor pointed out, this doesn't work in 1.0.1
The story is a bit more complicated. What's really going on is that root (self-signed) CAs in the trust store are backwards-compatible implicit trust-anchors for all

Re: [openssl-dev] [openssl.org #4644] bug: cert verification always examining entire chain

2016-08-09 Thread Salz, Rich via RT
> Why do you have to trust root CAs? Why can't you trust at a lower level, e.g.
> an intermediate CA or even a leaf certificate that is not a CA at all?
I said CA's, not root CA's. As Viktor pointed out, this doesn't work in 1.0.1