Re: Question in regards to early warning about new openssl versions

2014-08-13 Thread Kurt Roeckx
On Wed, Aug 13, 2014 at 01:12:12PM -0400, Henning Horst wrote: Dear OpenSSL-Team, First of all, thank you for your great work! I hope openssl-dev is the right list for the following request: Many projects rely on OpenSSL of course and whenever a new version is published fixing security

Re: [openssl.org #3507] [PATCH] Fix memory leaks.

2014-08-28 Thread Kurt Roeckx
On Thu, Aug 28, 2014 at 03:11:14PM +0200, Kurt Cancemi via RT wrote: The attached updated patch fixes a style error. I still have a bunch of other patches like this to go thru, but did a quick look at this, and at least this looks weird: --- a/crypto/objects/obj_xref.h +++

Re: Still one outstanding issue sine 20140909 releases

2014-09-11 Thread Kurt Roeckx
On Thu, Sep 11, 2014 at 12:20:47PM -0600, The Doctor wrote: ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem ls: error initializing month strings ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit) error

Re: Openssl IPv6 Support

2014-11-05 Thread Kurt Roeckx
On Wed, Nov 05, 2014 at 02:07:16PM -0500, Salz, Rich wrote: It boggles the mind that to this day that patch has not been integrated in the 5 years since the bug was opened. So many things about openssl can boggle the mind :) In this particular case, I think the issue is that adding

TLS/SSL methods and protocol version selection

2014-11-10 Thread Kurt Roeckx
There seems to be great confusion on which method to use to set up a TLS/SSL connection and I guess most of that has to do with history. I would like to simplify things. We currently seem to have methods for SSLv2, SSLv3, TLSv1 documented, and TLSv1_1 and TLSv1_2 undocumented, and then a SSLv23

Re: TLS/SSL methods and protocol version selection

2014-11-10 Thread Kurt Roeckx
On Mon, Nov 10, 2014 at 02:02:35PM +0100, Tomas Mraz wrote: I'd recommend doing all this but with such correction that the new result will not break API/ABI backwards compatibility to OpenSSL 1.0.x so it can be applied in some future 1.0.x branch. Basically things should not be removed but

Re: Query regarding SSLv23 methods

2014-11-14 Thread Kurt Roeckx
On Fri, Nov 14, 2014 at 06:35:51AM +, Viktor Dukhovni wrote: On Fri, Nov 14, 2014 at 06:26:24AM +, Vaghasiya, Nimesh wrote: [ It is rude to ask user questions on the dev list (moved to Bcc). ] We are in process of disabling SSLv3 and SSLv2 protocols from all of our FreeBSD based

Re: [openssl.org #3602] [PATCH]

2014-11-16 Thread Kurt Roeckx
On Sun, Nov 16, 2014 at 09:11:42PM +0100, Matt Caswell via RT wrote: Unfortunately I don't think it is as simple as that. If I understand the previous change correctly, Emilia has deliberately removed the error message as part of work to protect against timing attacks. The very act of adding

Re: Memory Leak when Using Openssl

2014-12-03 Thread Kurt Roeckx
On Wed, Dec 03, 2014 at 04:04:16PM +0530, T@Run..! Polisetty wrote: Hai All, We are using Openssl for DTLS Negotiations. When we run the Valgrind with this setup. We are finding some major loss of memory at one place. Can you check with a current git version? There have been

[PATCH] Add API to set minimum and maximum protocol version.

2014-12-03 Thread Kurt Roeckx
This is an initial patch to support being able to set the minimum and maximum protocol version. The patch is currently untested, that will happen as I rewrite other things. But I'm looking for feedback. Kurt diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index ab8730c..6a016f0 100644 ---

Re: [PATCH] Add API to set minimum and maximum protocol version.

2014-12-04 Thread Kurt Roeckx
On Thu, Dec 04, 2014 at 10:16:47AM +0100, Tomas Hoger wrote: On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote: This is an initial patch to support being able to set the minimum and maximum protocol version. The patch is currently untested, that will happen as I rewrite other things

Re: link for binaries.html not working

2014-12-04 Thread Kurt Roeckx
On Thu, Dec 04, 2014 at 08:16:14AM +, Sunil Kerur wrote: Dear Sir, I wanted to download a binary from the following link. https://www.openssl.org/related/binaries.html Where did you find a link to that page? It has moved to: https://www.openssl.org/about/binaries.html Kurt

Re: [PATCH] Add API to set minimum and maximum protocol version.

2014-12-05 Thread Kurt Roeckx
On Fri, Dec 05, 2014 at 02:14:54PM +0100, Tomas Hoger wrote: On Thu, 4 Dec 2014 10:57:11 +0100 Kurt Roeckx wrote: It seems *TLS*_VERSION constants are meant to be used to set minimum / maximum. A drawback of such approach is that applications need to be recompiled and/or modified when

Re: [openssl-dev] Under-utilization of const in prototyping?

2014-12-05 Thread Kurt Roeckx
On Fri, Dec 05, 2014 at 05:15:24PM +, Viktor Dukhovni wrote: On Fri, Dec 05, 2014 at 05:07:04PM +0100, Kurt Roeckx wrote: On Fri, Dec 05, 2014 at 10:40:07AM -0500, Daniel Kahn Gillmor wrote: (of course it would probably end up modifying some public interfaces, so it would need

Re: [openssl-dev] More POODLE issues

2014-12-10 Thread Kurt Roeckx
On Wed, Dec 10, 2014 at 09:51:15AM -0700, The Doctor wrote: Now POODLE is hitting TLS http://www.computerworld.com/article/2857274/security0/poodle-flaw-tls-itbwcw.html Any fixes in the works? As already said previously, openssl is not affected by this. kurt

Re: [openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

2014-12-16 Thread Kurt Roeckx
On Tue, Dec 16, 2014 at 06:56:14PM +, Viktor Dukhovni wrote: And the browsers should implement SHA-384, and why the hell are we using SHA-384 with AES256-GCM instead of SHA-256 anyway? Surely the SHA256 HMAC construction has adequate strength in this context? With GCM the collision

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-17 Thread Kurt Roeckx
On Wed, Dec 17, 2014 at 02:37:08AM -0800, Sean Leonard wrote: Hi OpenSSL devs: I am putting the finishing touches on an Internet-Draft for textual encodings of security structures http://tools.ietf.org/html/draft-josefsson-pkix-textual-09, which OpenSSL refers to as the PEM format. While

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-18 Thread Kurt Roeckx
On Wed, Dec 17, 2014 at 08:34:52PM +0100, Erwann Abalea wrote: Le 17/12/2014 20:17, Viktor Dukhovni a écrit : On Wed, Dec 17, 2014 at 10:56:34AM -0800, Sean Leonard wrote: For reference for the group (in case you didn't take a look at the draft), the draft documents the following labels:

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Kurt Roeckx
On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: Does OpenSSL have documented someplace exactly what it means to have a TRUSTED CERTIFICATE? It is a certificate + auxiliary data which specifies a

Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-21 Thread Kurt Roeckx
On Sat, Dec 20, 2014 at 02:29:44PM +, Dr. Stephen Henson wrote: On Fri, Dec 19, 2014, Sean Leonard wrote: On Dec 19, 2014, at 11:35 AM, Kurt Roeckx k...@roeckx.be wrote: On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: On Fri, Dec 19, 2014 at 08:47:55AM -0500

Re: [openssl-dev] OpenSSL Release Strategy and Blog

2014-12-24 Thread Kurt Roeckx
On Wed, Dec 24, 2014 at 12:38:16AM +, Dominyk Tiller wrote: Hey Matt, For some reason, this email is getting flagged as a bad signature by Enigmail. All of your previous emails checked out fine, but this one checked in with a big purple banner on it. It verified without problems here

Re: [openssl-dev] Constness in SSL_CTX_set_srp_username and SSL_CTX_set_srp_password functions

2015-02-16 Thread Kurt Roeckx
On Mon, Feb 16, 2015 at 04:29:36PM +0100, Krzysztof Kwiatkowski wrote: Hi, Currently SSL_CTX_set_srp_username/password functions take char* argument for username/password value. In an application level code those values are very often const (user provided data). In such cases, when passing

Re: [openssl-dev] OpenSSL patches and enhancements from Akamai

2015-02-14 Thread Kurt Roeckx
On Fri, Feb 13, 2015 at 09:05:53AM -0600, Short, Todd wrote: Hello openssl-dev: We at Akamai have a number of enhancements and fixes for OpenSSL that we would like to contribute. Before I inundate r...@openssl.org and openssl-dev mailing lists, I am asking if

Re: [openssl-dev] Poodle Vulnerable

2015-01-29 Thread Kurt Roeckx
On Thu, Jan 29, 2015 at 07:28:45PM +, Salz, Rich wrote: You are misunderstanding him. The version you have is patched. The poodle detection script you are using is buggy. Just to clarify, poodle is something that can not be fixed in SSLv3. If you allow SSLv3 you are affected by

Re: [openssl-dev] Cannot find the function int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)

2015-03-14 Thread Kurt Roeckx
On Sat, Mar 14, 2015 at 02:46:52PM -0700, ??? wrote: Hello, can anyone help me to find where the function get_issuer (...) is defined? Sorry for the naïve question. The function is referred in crypto/x509/x509_vfy.c 290 /* If we are self signed, we break */ 291 if

Re: [openssl-dev] [openssl.org #3717] Patch for IPv6 support in s_client/s_server

2015-03-24 Thread Kurt Roeckx
On Tue, Mar 24, 2015 at 10:09:18PM +0100, Salz, Rich via RT wrote: The short answer is that nobody has come up with comprehensive cross-platform IPv6 support. Fixing the apps isn't enough; how does a server listen on IPv4, v6, both -- and make it work on our supported platforms? What should

[openssl-dev] Fwd: [Ach] Twitter Cloudflare TLS config + patches

2015-03-28 Thread Kurt Roeckx
---BeginMessage--- Hi, Twitter released their TLS server config as well as some patches to OpenSSL. One of them does Key Rotation for Session Tickets, quite nice. https://github.com/twitter/sslconfig A similar repository is maintained by Cloudflare (with patches for optimized ChaCha20):

Re: [openssl-dev] Suspicious crash in 1.0.2

2015-02-28 Thread Kurt Roeckx
On Fri, Feb 27, 2015 at 10:53:05PM -0800, Erik Forsberg wrote: Hi. I seem to have run into a really hard to pin down issue in OpenSSL 1.0.2. Normally, it simply causes an EFAULT during a write syscall, which makes me close the connection, but to investigate, I added a core dump at that time.

Re: [openssl-dev] s_server does not work over localhost.

2015-03-01 Thread Kurt Roeckx
On Sun, Mar 01, 2015 at 05:41:03PM +0530, dE wrote: Hi! gethostbyname failure This probably means that you don't have localhost in /etc/hosts Kurt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] s_server does not work over localhost.

2015-03-01 Thread Kurt Roeckx
On Sun, Mar 01, 2015 at 08:12:25PM +0530, dE wrote: On 03/01/15 20:07, Kurt Roeckx wrote: On Sun, Mar 01, 2015 at 05:41:03PM +0530, dE wrote: Hi! gethostbyname failure This probably means that you don't have localhost in /etc/hosts 127.0.0.1 DESKTOP_MINER localhost.localdomain

Re: [openssl-dev] openssl-1.0.2-stable-SNAP-20150504 error

2015-05-04 Thread Kurt Roeckx
On Mon, May 04, 2015 at 07:21:11AM -0600, The Doctor wrote: This also occurred in openssl-1.0.2-stable-SNAP-20150503 This will most likely be fixed in the next snapshot. Kurt

Re: [openssl-dev] removing compression?

2015-04-04 Thread Kurt Roeckx
On Fri, Apr 03, 2015 at 07:53:59PM +, Salz, Rich wrote: And the best practice these days is to do it at the application layer, and feed the compressed bytes down to TLS. The BREACH attack makes use of that. Kurt

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-19 Thread Kurt Roeckx
On Tue, May 19, 2015 at 05:03:12PM +0100, Matt Caswell wrote: No. The change is not a property of the version number. I have OpenSSL 0.9.7 (plus patches...) without SSLv{2,3}. Index: HTTP.c === RCS file:

Re: [openssl-dev] Weak DH and the Logjam

2015-05-20 Thread Kurt Roeckx
On Wed, May 20, 2015 at 07:11:42AM +, mancha wrote: Hello. Given Adrien et al. recent paper [1] together with their proof-of-concept attacks against 512-bit DH groups [2], it might be a good time to resurrect a discussion Daniel Kahn Gillmor has started here in the past. Please see

Re: [openssl-dev] Weak DH and the Logjam

2015-05-20 Thread Kurt Roeckx
On Wed, May 20, 2015 at 08:58:54PM +, mancha wrote: On Wed, May 20, 2015 at 07:17:43PM +0200, Kurt Roeckx wrote: On Wed, May 20, 2015 at 07:11:42AM +, mancha wrote: Hello. Given Adrien et al. recent paper [1] together with their proof-of-concept attacks against 512-bit DH

Re: [openssl-dev] ssl_sess.c : compilation error

2015-06-07 Thread Kurt Roeckx
On Sun, Jun 07, 2015 at 09:36:20PM +0300, Zvi Vered wrote: Hi Kurt, I think I have a C problem. I do not understand how the compiler enable to use the pointer ctx. ctx is not declared in the routine parameters nor in the routine body. As I already explained, ctx *is* the only parameter to

Re: [openssl-dev] [openssl.org #3897] request: add BLAKE2 hash function (let's kill md5sum!)

2015-06-08 Thread Kurt Roeckx
On Fri, Jun 05, 2015 at 04:39:36PM +, Zooko Wilcox-OHearn via RT wrote: One of the coreutils maintainers suggested that we should ask OpenSSL to add BLAKE2, because coreutils itself will probably just use a portable C implementation, but it would use an optimized implementation if

Re: [openssl-dev] [openssl.org #3894] AutoReply: PATCH: EVP_PKEY_get_type (new function)

2015-06-05 Thread Kurt Roeckx
On Thu, Jun 04, 2015 at 04:52:22PM -0400, Jeffrey Walton wrote: Thanks Kurt. I think I'll need to think about this some more because I don't recall EVP_PKEY_id. I think I never considered it because I could not find it when searching for something to return the inner type ('id' does not make

Re: [openssl-dev] ssl_sess.c : compilation error

2015-06-06 Thread Kurt Roeckx
On Sun, Jun 07, 2015 at 12:17:06AM +0300, Zvi Vered wrote: Dear Members, In the file openssl-1.0.1g\ssl\ssl_sess.c contains the following code: int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) { return ctx->new_session_cb; } The return value of this

Re: [openssl-dev] [openssl.org #3897] request: add BLAKE2 hash function (let's kill md5sum!)

2015-06-09 Thread Kurt Roeckx
On Tue, Jun 09, 2015 at 12:19:56AM +, Zooko Wilcox-OHearn wrote: I'd support adding 2b and 2s, in spite of the fact that the names are really really bad. I'm less interested in seeing the parallel variants added. FWIW. Well, the reason I'm here is that the GNU coreutils

Re: [openssl-dev] [openssl.org #3897] request: add BLAKE2 hash function (let's kill md5sum!)

2015-06-09 Thread Kurt Roeckx
On Fri, Jun 05, 2015 at 04:39:36PM +, Zooko Wilcox-OHearn via RT wrote: We, the BLAKE2 maintainers, offer both reference C code and optimized implementations: https://blake2.net/#dl . There are also other implementations with various virtues available: https://blake2.net/#sw So it's my

Re: [openssl-dev] [openssl.org #3894] AutoReply: PATCH: EVP_PKEY_get_type (new function)

2015-06-04 Thread Kurt Roeckx
On Wed, Jun 03, 2015 at 08:50:25PM +, noloa...@gmail.com via RT wrote: Here's an updated patch that includes the documentation changes. `git diff master` is needed after `git add` because adding doesn't seem to really add things for git :) riemann::openssl-git$ cat evp_pkey_get_type.diff

Re: [openssl-dev] A new openssl engine

2015-06-25 Thread Kurt Roeckx
On Thu, Jun 25, 2015 at 11:36:58PM +0300, Dmitry Belyavsky wrote: BTW, what does the OpenSSL Team plan regarding the GOST engine? I think some of us want to get rid of it, because it's rather crappy code. Kurt

Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

2015-06-11 Thread Kurt Roeckx
On Thu, Jun 11, 2015 at 09:43:24PM +, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote: Hi All, To resolve openSSL POODLE vulnerability we need to disable the SSLv3. In our application we are using openSSL through Apache. We have disabled using the below

Re: [openssl-dev] available tests drivers for OpenSSL

2015-06-15 Thread Kurt Roeckx
On Mon, Jun 15, 2015 at 12:14:47PM +, Pascal Cuoq wrote: Hello, I am working on a C interpreter that uses existing tests to find more issues than simple execution does. In that it is comparable to Valgrind or UBSan. It has different enough strengths and weaknesses compared to these

Re: [openssl-dev] [openssl.org #3879] [BUG] opennssl 1.0.1g cause the system crash (obj_xref.c)

2015-05-29 Thread Kurt Roeckx
On Fri, May 29, 2015 at 02:58:32PM +0200, Matt Caswell via RT wrote: On Fri May 29 07:06:02 2015, joy...@moxa.com wrote: Hi, I am porting openssl_1.0.1g to our private OS. But we meet some problem, could you please give me a favor. The issue is described below. Inside the file

Re: [openssl-dev] [openssl.org #3879] [BUG] opennssl 1.0.1g cause the system crash (obj_xref.c)

2015-05-30 Thread Kurt Roeckx
On Sat, May 30, 2015 at 01:49:30AM +, Joy Tu (???) wrote: So the solution is to initialize the variable by myself or update the compiler to conformant with the C90 spec or force those global variable in the bss segment to be all 0's on my private OS? Most likely your compiler will already

Re: [openssl-dev] Openssl Poodle Vulnerability Clarification

2015-07-05 Thread Kurt Roeckx
On Sat, Jul 04, 2015 at 07:02:50PM +, Kannan Narayanasamy -X (kannanar - HCL TECHNOLOGIES LIMITED at Cisco) wrote: Hi Joy, Thanks for the steps. I have tried with exclusion option(Command used: ./config no-idea no-ssl3 shared --prefix=/Openssl-1/) and getting the below error while

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-19 Thread Kurt Roeckx
On Tue, May 19, 2015 at 08:03:05PM +0200, Steffen Nurpmeso wrote: Steffen Nurpmeso sdao...@yandex.com wrote: |Kurt Roeckx k...@roeckx.be wrote: ||I think that we should just provide the SSLv23_client_method define ||without the need to enable something, and I guess I missed ||something

Re: [openssl-dev] common factors in (p-1) and (q-1)

2015-08-03 Thread Kurt Roeckx
On Fri, Jul 31, 2015 at 02:36:03AM +, p...@securecottage.com wrote: I have looked at your latest source to see if you have a possible common factor for (p-1) and (q-1) in your RSA key generation code. I've seen various proposals here to generate what might be stronger RSA keys. But 1

Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-18 Thread Kurt Roeckx
On Mon, Aug 17, 2015 at 10:55:53AM -0700, Quanah Gibson-Mount wrote: However, there are two solutions to that allow adding a footer when list subscribers may have DKIM signed email: a) As noted in the OpenDKIM README, in the Mailing Lists section, if the list traffic is itself has DKIM

Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Kurt Roeckx
On Wed, Aug 05, 2015 at 06:54:33AM -0700, Quanah Gibson-Mount wrote: Yesterday, I was alerted by a member of the list that my emails to openssl-dev are ending up in their SPAM folder. After examining my emails as sent out by OpenSSL's mailman, I saw that it is mucking with the headers,

Re: [openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

2015-08-05 Thread Kurt Roeckx
On Wed, Aug 05, 2015 at 04:54:57PM +, mancha wrote: I interpret the comment to mean that, because OpenSSL lists modify messages (see below), they should strip DKIM headers (see above) before distribution to prevent false negatives in recipient implementations. Won't that always give DKIM

Re: [openssl-dev] 1.0.2 long term support

2015-08-11 Thread Kurt Roeckx
On Tue, Aug 11, 2015 at 07:55:33PM +0200, stefan.n...@t-online.de wrote: Hi, Kurt Roeckx wrote: 1.0.2 long term support === The OpenSSL project team would like to announce that the 1.0.2 version will be supported until 2019-12-31. Looking

[openssl-dev] SHA-3 standard

2015-08-07 Thread Kurt Roeckx
The SHA-3 standard seems to be out: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf Kurt

[openssl-dev] 1.0.2 long term support

2015-08-10 Thread Kurt Roeckx
1.0.2 long term support === The OpenSSL project team would like to announce that the 1.0.2 version will be supported until 2019-12-31. Further details about the OpenSSL Release Strategy can be found here: https://www.openssl.org/about/releasestrat.html The OpenSSL Project

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

2015-07-22 Thread Kurt Roeckx
On Wed, Jul 22, 2015 at 04:36:27PM +0100, David Woodhouse wrote: On Wed, 2015-07-22 at 14:52 +, Tim Hollebeek wrote: The way this is supposed to work is by using a timestamp from a trusted timestamp server to show the certificate was valid at the time the code was signed. That

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

2015-07-22 Thread Kurt Roeckx
On Wed, Jul 22, 2015 at 03:36:40PM +, David Woodhouse via RT wrote: FWIW the Linux kernel also specifically avoids checking timestamps altogether when validating signed modules. What do you mean with timestamps? The trusted timestamp, or the validity period? Any idea why they don't check

Re: [openssl-dev] [openssl.org #3956] SSL_accept() crashed in SSLv3 processing

2015-07-24 Thread Kurt Roeckx
On Fri, Jul 24, 2015 at 10:25:04AM +, ice via RT wrote: What openssl version/platform are you using? $ openssl version OpenSSL 1.0.1j 15 Oct 2014 You seem to be affected by CVE-2014-3569 that only affects the 1.0.1j version. Kurt

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

2015-07-22 Thread Kurt Roeckx
On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote: The more I look at this 'signed timestamp' scheme, the more pointless it seems in this situation. We basically don't *care* about the wall -clock time, *and* we don't really know it. If we're going to trust anyone to say THIS

Re: [openssl-dev] [openssl.org #3951] [RFC][PATCH] Allow certificate time checks to be disabled

2015-07-22 Thread Kurt Roeckx
On Wed, Jul 22, 2015 at 10:34:53PM +0100, David Woodhouse wrote: On Wed, 2015-07-22 at 23:29 +0200, Kurt Roeckx wrote: On Wed, Jul 22, 2015 at 09:56:24PM +0100, David Woodhouse wrote: The whole point of this signed timestamp is that the signature doesn't expire and that you don't have

Re: [openssl-dev] Improving OpenSSL default RNG

2015-10-24 Thread Kurt Roeckx
On Sat, Oct 24, 2015 at 04:22:38PM +0200, Alessandro Ghedini wrote: > > So at some point I'd like to > try and make OPENSSL_malloc & co. aliases for malloc(), realloc() and free() > and remove (or deprecate) the custom memory functions... but that's probably a > whole different discussion.

Re: [openssl-dev] Improving OpenSSL default RNG

2015-10-23 Thread Kurt Roeckx
On Fri, Oct 23, 2015 at 03:22:39PM +0200, Alessandro Ghedini wrote: > Hello everyone, > > (sorry for the wall of text...) > > one of the things that both BoringSSL and LibreSSL have in common is the > replacement of OpenSSL's default RNG RAND_SSLeay() with a simpler and saner > alternative.

Re: [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-17 Thread Kurt Roeckx
On Tue, Nov 17, 2015 at 07:10:00PM +0100, Florian Weimer wrote: > * Viktor Dukhovni: > > > If I were to guess, it would be that the base crypto implementations > > of IDEA, SEED and binary elliptic curves need to stay. We could > > perhaps get away with removing CAST and RIPEMD. > > Just one

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kurt Roeckx
On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote: > In a well-behaved program there is no undefined behaviour. The "buf + > len < buf" check will always evaluate to false, so in that sense is > useless but it *is* well defined. The defined behaviour for the "buf + len" part is

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Kurt Roeckx
On Thu, Oct 08, 2015 at 05:19:06PM +, Alessandro Ghedini via RT wrote: > The problem most likely happens with SSLv2 backwards compatible ClientHello as > well, but that seems to be easier to fix... or maybe it's time to just drop > that compatibility code for v1.1? I would love to have

Re: [openssl-dev] interaction between --strict-warnings and disabled features

2015-09-11 Thread Kurt Roeckx
On Fri, Sep 11, 2015 at 05:46:13PM +, Salz, Rich wrote: > > When I configure with --strict-warnings and, say, no-seed, my build fails > > due > > to an empty compilation unit e_seed.c. > > Does just putting an extern declaration in the file work? Or do we need > something like "#if

Re: [openssl-dev] State machine rewrite

2015-09-12 Thread Kurt Roeckx
On Sat, Sep 12, 2015 at 12:20:52AM +0100, Matt Caswell wrote: > Dependant on the preceding messages we > might need to have a CertificateVerify next. So transitions are actually > "guarded" - there is logic which determines whether a particular event > is "allowed" in the current scenario or not.

Re: [openssl-dev] [openssl.org #4065] Re: Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Kurt Roeckx
On Fri, Sep 25, 2015 at 04:23:27PM +, Hubert Kario via RT wrote: > > Given that TLSv1.3 has a 1RTT mode planned (so Client Key Exchange ends > up as an extension, possibly multiple ones), and that quantum computing > resistant algorithms usually require fairly large key sizes (large >

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 09:57:32AM -0600, Benjamin Kaduk wrote: > On 12/15/2015 06:43 AM, Kurt Roeckx wrote: > > On Tue, Dec 15, 2015 at 01:24:12PM +0100, Florian Weimer wrote: > >> * Nico Williams: > >> Not on Windows. > >> > >>> What's the al

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

2015-12-15 Thread Kurt Roeckx
On Tue, Dec 15, 2015 at 01:24:12PM +0100, Florian Weimer wrote: > * Nico Williams: > > > On Tue, Dec 08, 2015 at 11:19:32AM +0100, Florian Weimer wrote: > >> > Maybe http://trac.mpich.org/projects/openpa/ would fit the bill? > >> > >> It seems to have trouble to keep up with new architectures. >

Re: [openssl-dev] [openssl.org #4172] SRP VBASE stuff still leaking memory

2015-12-10 Thread Kurt Roeckx
On Thu, Dec 10, 2015 at 12:17:04PM +, Kurt Roeckx via RT wrote: > On Mon, Dec 07, 2015 at 03:47:56PM +, Michel via RT wrote: > > Hi, > > > > Following my previous mail, here attached is an updated patch against 1.02e > > to fix the SRP VBASE memory

Re: [openssl-dev] [openssl-users] OPenssl and dependencies such as openssh

2016-01-05 Thread Kurt Roeckx
On Tue, Jan 05, 2016 at 03:40:03PM -0700, The Doctor wrote: > tls.o(.text+0xf32): undefined reference to `SSLv23_server_method' Are you sure it's finding the correct headers? Kurt

Re: [openssl-dev] [openssl-users] OPenssl and dependencies such as openssh

2016-01-06 Thread Kurt Roeckx
On Wed, Jan 06, 2016 at 01:17:27AM -0500, Viktor Dukhovni wrote: > > > On Jan 6, 2016, at 1:14 AM, Kurt Roeckx <k...@roeckx.be> wrote: > > > > On Tue, Jan 05, 2016 at 03:40:03PM -0700, The Doctor wrote: > >> tls.o(.text+0xf32): undefined reference to `SSLv23_

Re: [openssl-dev] about "Rename some BUF_xxx to OPENSSL_xxx"

2015-12-23 Thread Kurt Roeckx
On Tue, Dec 22, 2015 at 09:52:05AM +0200, Roumen Petrov wrote: > Hello, > > After modification OPENSSL_strlcpy is declared twice. Patch applied. Kurt

Re: [openssl-dev] __STDC_VERSION__ is not defined

2015-12-23 Thread Kurt Roeckx
On Tue, Dec 22, 2015 at 09:46:37AM +0200, Roumen Petrov wrote: > Hello, > > Compilation of an application with current master branch and c89 compiler > produce a lot of warnings. > Proposed patch > "0001-__STDC_VERSION__-is-not-defined-for-c89-compilers.patch" fix them. Patch applied. Kurt

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

2015-11-25 Thread Kurt Roeckx
On Wed, Nov 25, 2015 at 01:02:29PM +0100, Florian Weimer wrote: > On 11/23/2015 11:08 PM, Kurt Roeckx wrote: > > > I think that we currently don't do any compile / link test to > > detect features but that we instead explicitly say so for each > > platform.

Re: [openssl-dev] PBE_UNICODE

2015-11-20 Thread Kurt Roeckx
On Thu, Nov 19, 2015 at 11:16:23PM +0100, Andy Polyakov wrote: > > The way I read PKCS12 the string should be big-endian UTF-16 one. [...] > Correct procedure should be to convert it to wchar_t and > then ensure correct endianness. Please note that wchar_t itself might not have any relation with

Re: [openssl-dev] We're working on license changes

2015-11-21 Thread Kurt Roeckx
On Sat, Nov 21, 2015 at 11:07:36AM -0800, Quanah Gibson-Mount wrote: > --On Saturday, November 21, 2015 12:50 PM +0100 Kurt Roeckx <k...@roeckx.be> > wrote: > > > > >I would like to point out that GPLv2 also isn't compatible with > >GPLv3, and that that

Re: [openssl-dev] We're working on license changes

2015-11-21 Thread Kurt Roeckx
On Sat, Nov 21, 2015 at 10:09:51PM +, Ben Laurie wrote: > On Sat, 21 Nov 2015 at 21:14 Kurt Roeckx <k...@roeckx.be> wrote: > > > On Sat, Nov 21, 2015 at 12:02:22PM -0800, Quanah Gibson-Mount wrote: > > > --On Saturday, November 21, 2015 8:24 PM +0100 Kurt

Re: [openssl-dev] We're working on license changes

2015-11-21 Thread Kurt Roeckx
On Sat, Nov 21, 2015 at 12:02:22PM -0800, Quanah Gibson-Mount wrote: > --On Saturday, November 21, 2015 8:24 PM +0100 Kurt Roeckx <k...@roeckx.be> > wrote: > >>So the MPLv2 is compatible with the APLv2. The MPLv2 is compatible with > >>the GPLv2 and the APLv2 is cop

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

2015-11-23 Thread Kurt Roeckx
On Mon, Nov 23, 2015 at 02:48:25PM -0600, Nico Williams wrote: > > I use this in an autoconf project (I know, OpenSSL doesn't use autoconf): > > dnl Thread local storage > have___thread=no > AC_MSG_CHECKING(for thread-local storage) > AC_LINK_IFELSE([AC_LANG_SOURCE([ > static __thread

Re: [openssl-dev] We're working on license changes

2015-11-21 Thread Kurt Roeckx
On Fri, Nov 20, 2015 at 01:01:37PM -0800, Quanah Gibson-Mount wrote: > --On Friday, November 20, 2015 9:47 PM +0100 Richard Levitte > wrote: > > >I would like to point out that the GNU project talks about the Apache > >v2 license in positive terms: > > >

Re: [openssl-dev] [openssl.org #4227] openssl rand 10000000000 does not produce 10000000000 random bytes

2016-01-12 Thread Kurt Roeckx
On Wed, Jan 13, 2016 at 11:00:09AM +1000, Paul Dale wrote: > On Wed, 13 Jan 2016 12:32:39 AM Viktor Dukhovni wrote: > > In most cases, just overwriting a disk with zeros is as good as > > with any other pattern. > > Peter Gutmann published a paper showing that it is possible to read zeroed >

Re: [openssl-dev] [openssl.org #4551] TCP re-transmissions are seen for every transfer with the Openssl version OpenSSL 1.0.2g

2016-05-31 Thread Kurt Roeckx
On Tue, May 31, 2016 at 04:21:13PM +, ajai.mat...@wipro.com via RT wrote: > Hi, > We are facing an issue from the OpenSSL 1.0.2g ,after upgraded from OpenSSL > 1.0.0s . [Linux version 2.6.24] > When a https file transfer started with a Windows 7 application, we notice > many TCP

Re: [openssl-dev] [openssl.org #4550] hppa assembler problem

2016-05-30 Thread Kurt Roeckx
On Mon, May 30, 2016 at 08:37:56PM +, Andy Polyakov via RT wrote: > > I'm getting assembler errors on hppa that look like: > > crypto/aes/aes-parisc.s: Assembler messages: > > crypto/aes/aes-parisc.s:3: Error: unknown pseudo-op: `.subspa' > > crypto/aes/aes-parisc.s:7: Error: Unknown opcode:

Re: [openssl-dev] '-CIPHER_DEBUG' error on 'dh_dsa'

2016-01-16 Thread Kurt Roeckx
On Sat, Jan 16, 2016 at 03:03:41PM +, Alessandro Ghedini wrote: > On Sat, Jan 16, 2016 at 01:51:28pm +0100, Gisle Vanem wrote: > > Having '-DCIPHER_DEBUG' in the CFLAGS causes this error in > > MingW (gcc 5.1): > > ssl/ssl_lib.c:2499:58: error: 'dh_dsa' undeclared (first use in this > >

Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published

2016-01-16 Thread Kurt Roeckx
On Sat, Jan 16, 2016 at 07:42:50PM +0100, Corinna Vinschen wrote: > On Jan 16 19:37, Corinna Vinschen wrote: > > On Jan 14 15:44, Richard Levitte wrote: > > > -BEGIN PGP SIGNED MESSAGE- > > > Hash: SHA1 > > > > > > > > >OpenSSL version 1.1.0 pre release 2 (alpha) > > >

Re: [openssl-dev] version script

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 01:41:10PM +, Catalin Vasile wrote: > I'm trying to compile a custom OpenSSL library to work with nginx. > nginx requires that the SSL library have version data included in the .so > files, so I'm using this patch[1] for this. > The problem is that if I set the library

Re: [openssl-dev] Openssl SNAP 20160204 development

2016-02-04 Thread Kurt Roeckx
On Thu, Feb 04, 2016 at 06:39:19AM -0700, The Doctor wrote: > All right, I can compile, but > > test/recipes/70-test_sslcertstatus.t > > is hung in an infinite loop. > > Any explanation? That's an issue I'm not aware of yet, nor did I see it in any of our automated test runs. Can you give some

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2016-02-04 Thread Kurt Roeckx
On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote: > Really? > > That's all we get, a one-liner, no explanation, no rationale, response? > It's not even "brand new" functionality, Camellia as a raw cipher is already > in there, the only difference is wrapping it into GCM-based

Re: [openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format

2016-02-11 Thread Kurt Roeckx
On Thu, Feb 11, 2016 at 10:53:25PM +, Blumenthal, Uri - 0553 - MITLL wrote: > Might I suggest that the right thing in this case would be to keep generation > strict, but relax the rules on parsing? "Be conservative in what you send, > and liberal with what you receive"? This might be good

Re: [openssl-dev] MSVC 2015 internal compiler error

2016-01-27 Thread Kurt Roeckx
On Sat, Jan 16, 2016 at 11:42:52AM +0100, Gisle Vanem wrote: > While building OpenSSL from today's git-repo: > > ssl\d1_srtp.c : fatal error C1001: An internal error has occurred in the > compiler. > (compiler file 'f:\dd\vctools\compiler\utc\src\p2\main.c', line 246) > To work around this

Re: [openssl-dev] Fwd: latest OpenSSL causes OpenSMTPD to segv

2016-02-01 Thread Kurt Roeckx
On Mon, Feb 01, 2016 at 11:16:50PM +, Viktor Dukhovni wrote: > On Mon, Feb 01, 2016 at 10:52:56PM +, Viktor Dukhovni wrote: > > > The only thing I see that's plausibly pertinent is: > > > > commit 6656ba7152dfe4bba865e327dd362ea08544aa80 > > Author: Dr. Stephen Henson

Re: [openssl-dev] OpenSSL Security Advisory

2016-02-02 Thread Kurt Roeckx
On Tue, Feb 02, 2016 at 10:34:32PM +0100, Rainer Jung wrote: > Hi there, > > reading the last advisory again, I noticed that there's one logical > inconsistency. > > First: > > OpenSSL before 1.0.2f will reuse the key if: > ... > - Static DH ciphersuites are used. The key is part of the

Re: [openssl-dev] Fwd: CVE-2014-8730 TLS CBC Incorrect Padding Abuse Vulnerability

2016-02-03 Thread Kurt Roeckx
On Wed, Feb 03, 2016 at 05:11:34PM +0530, Shyamal Bhowmik wrote: > > /* enc_err is: > * 0: (in non-constant time) if the record is publically invalid. > * 1: if the padding is valid > * -1: if the padding is invalid */ > if (enc_err == 0) > { >

Re: [openssl-dev] OPenssl-SNAP-20160223 issue test/recipes/70-test_sslcertstatus.t

2016-02-23 Thread Kurt Roeckx
On Tue, Feb 23, 2016 at 10:00:44AM -0700, The Doctor wrote: > 136617832:error:20087002:BIO routines:BIO_lookup:system > lib:b_addr.c:711:Invali > d value for ai_flags Do you have any idea which flag it is that is causing problems? I find it rather strange that it knows about the flag, but then

Re: [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

2016-02-26 Thread Kurt Roeckx
I can only find 1 place in the server that generates an SSL_R_BAD_SIGNATURE and that's in ssl3_get_cert_verify, in the case where signature algorithms are used, which is new in TLS 1.2. I don't see anything obviously wrong, and as far as I know the test suite also tests client authentication. Kurt

Re: [openssl-dev] openssl-1.0.2-stable-SNAP-20160228

2016-02-28 Thread Kurt Roeckx
On Sun, Feb 28, 2016 at 06:20:42AM -0700, The Doctor wrote: > This cropped up this morning in That was fixed an hour ago. Kurt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
