Re: [openssl-dev] OpenSSL 1.1.0 Release Timetable

On 16/09/15 16:15, John Foley wrote: > Is the "Async support" you have listed the same code that Intel > developed for Cave Creek? Or is the Intel contribution planned for a > follow-on release? It is all new code. However I have been developing it in collaboration with Intel. Matt

Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method

On 17/09/15 19:34, Ian McFadries (imcfadri) wrote: > I see this fix will be in 1.0.1q. Do you know when 1.0.1q will be released? We don't have a fixed timetable for bug fix releases. It is normally driven by what ever security issues we have to respond to - so unfortunately I don't know when

Re: [openssl-dev] Some tests fail on the current/latest SNAP

Hmmm. I cannot reproduce this. Is anyone else seeing this? Matt On 17/09/15 20:15, Blumenthal, Uri - 0553 - MITLL wrote: > $ apps/openssl$ openssl version > OpenSSL 1.1.0-dev xx XXX > $ make test > testing... > make[1]: Entering directory `/media/uri/Src/openssl/test' > make[2]: Entering

[openssl-dev] State machine rewrite

I've just opened a github pull request to show recent work I have been doing on rewriting the OpenSSL state machine (for version 1.1.0). See: https://github.com/openssl/openssl/pull/394 My objectives for the rewrite were: - Remove duplication of state code between client and server - Remove

Re: [openssl-dev] State machine rewrite

On 12/09/15 11:22, Kurt Roeckx wrote: > On Sat, Sep 12, 2015 at 12:20:52AM +0100, Matt Caswell wrote: >> Dependant on the preceding messages we >> might need to have a CertificateVerify next. So transitions are actually >> "guarded" - there is logic which determ

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

On 30/09/15 10:22, Alessandro Ghedini via RT wrote: > On Wed, Sep 30, 2015 at 02:01:54am +, Rich Salz via RT wrote: >> We fixed this in a slightly different way. We made BIO_new_file and >> BIO_s_file >> return an alternate implementation that returns run-time failures. Almost all >> of the

Re: [openssl-dev] [openssl.org #4066] bug: openssl clean up crash

On 30/09/15 16:06, Haiyang Yin via RT wrote: > Hello, I am using memory-based bio to handle dtls sessions. Crash > happened after close notify received and SSL was cleaned up ? OpenSSL > version is 1.0.2d. If more detailed information required, pls. let me > known. Your gdb output is impossible

Re: [openssl-dev] Some tests fail on the current/latest SNAP

I've just pushed a partial fix for this issue. The TLS tests should now pass for you in the latest master version in git. The new TLS test proxy we are using does not support compression, but was failing to switch it off if OpenSSL is configured for it. However, this one is a different problem:

Re: [openssl-dev] Some tests fail on the current/latest SNAP

On 18/09/15 20:46, Richard Levitte wrote: > In message on Fri, 18 Sep 2015 19:23:09 > +, "Blumenthal, Uri - 0553 - MITLL" said: > > uri> On 9/18/15, 15:15 , "Richard Levitte" wrote: > uri> > uri> >Did you apply the

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

On 25/09/15 17:05, Alessandro Ghedini via RT wrote: > On Fri, Sep 25, 2015 at 03:02:27pm +, Hubert Kario via RT wrote: >> On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT wrote: >>> As a matter of test I changed the ssl_get_message() in >>> ssl3_get_client_hello() to use

Re: [openssl-dev] [openssl.org #4065] Re: Client Hello longer than 2^14 bytes are rejected

On 25/09/15 20:19, Kurt Roeckx wrote: > On Fri, Sep 25, 2015 at 04:23:27PM +, Hubert Kario via RT wrote: >> >> Given that TLSv1.3 has a 1RTT mode planned (so Client Key Exchange ends >> up as an extension, possibly multiple ones), and that quantum computing >> resistant algorithms usually

Re: [openssl-dev] Some tests fail on the current/latest SNAP

On 18/09/15 23:23, Blumenthal, Uri - 0553 - MITLL wrote: > I compiled with > > ./config threads shared zlib > > Should I drop zlib and try again...? Yes please. Thanks Matt ___ openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] Some tests fail on the current/latest SNAP

On 18/09/15 21:24, Blumenthal, Uri - 0553 - MITLL wrote: > On 9/18/15, 15:54 , "Matt Caswell" <m...@openssl.org> wrote: > Received server packet > Packet length = 1113 > Processing flight 1 > Record 1 (server -> client) > Content type: HANDSHAKE >

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

On 25/09/15 11:25, Hubert Kario via RT wrote: > > A Finished message is always sent immediately after a change > cipher spec message to verify that the key exchange and > authentication processes were successful. This is perhaps the key statement. It could do with being more

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

On 25/09/15 11:25, Hubert Kario via RT wrote: > On Friday 25 September 2015 10:47:42 Matt Caswell wrote: >> However, I have some concerns with the wording of the RFC. It seems to >> place no limits whatsoever on when it is valid to receive app data in >> the handshake. By t

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

ed is processed that we verify the handshake data MAC - and yet we could already have acted upon app data received. I assume the intent was to allow the interleaved app data only up until the point that the CCS is received. I have attached a patch for 1.0.2 that implements that logic. Matt From

Re: [openssl-dev] EAP-FAST and OpenSSL 1.1.x with new client TLS state machine

ou get on. Thanks Matt From 07315256ab0a97e1172304a098c262a845833206 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Fri, 4 Dec 2015 10:18:01 + Subject: [PATCH] Fix EAP FAST in the new state machine The new state machine code missed an allowed transition when resumi

Re: [openssl-dev] test_ordinals causes make update to fail after make clean

On 04/12/15 15:41, Adam Eijdenberg wrote: > On Thu, Dec 3, 2015 at 9:47 PM Viktor Dukhovni > > wrote: > > On Fri, Dec 04, 2015 at 03:05:28AM +, Adam Eijdenberg wrote: > > > When I'm preparing a patch I've gotten myself

Re: [openssl-dev] EAP-FAST and OpenSSL 1.1.x with new client TLS state machine

On 04/12/15 13:08, Jouni Malinen wrote: > On Fri, Dec 04, 2015 at 10:27:48AM +0000, Matt Caswell wrote: >> EAP-FAST is very strange. Normally you know whether you are resuming a >> session or not based on the session id returned from the server. However >> that's not the cas

Re: [openssl-dev] OpenSSL version 1.0.1q released (corrected download)

On 03/12/15 19:10, Quanah Gibson-Mount wrote: > make[5]: *** No rule to make target `../../include/openssl/idea.h', > needed by `e_idea.o'. Stop. Hmmm. I don't get that. Can you post your build steps? Matt ___ openssl-dev mailing list To

[openssl-dev] OpenSSL version 1.0.0t released (corrected download)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 1.0.0t released

[openssl-dev] OpenSSL version 1.0.1q released (corrected download)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 1.0.1q released

[openssl-dev] OpenSSL version 0.9.8zh released (corrected download)

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Due to an error in the release process the original distribution downloads were failing to build. New downloads have now been made available on the website. Corrected checksums are given below. OpenSSL version 0.9.8zh released

Re: [openssl-dev] OpenSSL version 1.0.1q released (corrected download)

On 03/12/15 19:28, Quanah Gibson-Mount wrote: > --On Thursday, December 03, 2015 7:18 PM +0000 Matt Caswell > <m...@openssl.org> wrote: > >> >> >> On 03/12/15 19:10, Quanah Gibson-Mount wrote: >>> make[5]: *** No rule to make target `../../includ

[openssl-dev] OSTIF

Hi all I've had some emails recently from Derek at OSTIF who has been talking to me about their plans to do an audit (separate to the current CII one) of OpenSSL next year. OSTIF is not associated or affiliated with OpenSSL, but if you're interested you can learn more here: https://ostif.org/

Re: [openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

On 06/01/16 06:14, Zi Lin wrote: > Hi Matt, > > thanks for your time. I am glad to see the big efforts done to make > OpenSSL code better in the master branch (and v1.1.0+). I will find a > way to start working on the master branch. A quick glance into the > master branch state machine: the

Re: [openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

On 05/01/16 22:44, Zi Lin wrote: > Hi OpenSSL devs, > > I want to propose a patch that makes OpenSSL compatible with > asynchronous session lookup during session resumption. Currently, the > session lookup expects the session callback to return immediately with > success or failure. Now consider

Re: [openssl-dev] [openssl.org #4198] BUG: READ_STATE_MACHINE:excessive message size during handshake

On 23/12/15 17:21, Viktor Dukhovni wrote: > On Wed, Dec 23, 2015 at 04:48:20PM +0000, Matt Caswell via RT wrote: > >> The problem is that the server has been configured to allow client auth. The >> CertificateRequest message coming from the server seems very lo

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

On 23/11/15 17:49, Nico Williams wrote: > [Resend, with slight edits.] > > [Viktor asked me for my advice on this issue and bounced me the post > that I'm following up to. -Nico] > > The summary of what I've to say is that making libcrypto and libssl need > -lpthread is something that does

[openssl-dev] Forthcoming OpenSSL releases

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Forthcoming OpenSSL releases The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2e, 1.0.1q, 1.0.0t and 0.9.8zh. These releases will be made available on 3rd December between

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

On 23/11/15 21:56, Paul Dale wrote: > Somewhat tangentially related to this is the how thread locking in > OpenSSL is slowing things up. Alessandro has submitted an interesting patch to provide a much better threading API. See: https://github.com/openssl/openssl/pull/451 I'm not sure what the

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

On 24/11/15 15:16, Jonathan Larmour wrote: > On 23/11/15 20:34, Matt Caswell wrote: >> On 23/11/15 17:49, Nico Williams wrote: >> >>> Still, if -lpthread avoidance were still desired, you'd have to find an >>> alternative to pthread_key_create(), pthread_getsp

Re: [openssl-dev] [openssl.org #4496] [PATCH] ssl_cert: use the recommended minimum hash from RFC 5480 for EC

On 08/06/16 11:25, Hubert Kario wrote: > On Tuesday 07 June 2016 19:22:00 Matt Caswell via RT wrote: >> On Sat Apr 02 14:05:50 2016, sebast...@breakpoint.cc wrote: >>> A TLS1.2 connetion with openssl server and gnutls-cli using a >>> SECP384R1 >>> key ends

Re: [openssl-dev] CNG support for OpenSSL CAPI Engine

On 10/06/16 10:00, Matt Hart wrote: > Hi, > > I took the CAPI engine and extended it to give preference to NCrypt, > otherwise to revert to Crypto API. Implemented for RSA so far (no DSA or ECC > support though BoringSSL have done some ECC work for Windows I could look > at). Tested with RSA,

Re: [openssl-dev] DTLS retransmission api

On 03/06/16 10:52, Alfred E. Heggestad wrote: > Hi Matt, > > thanks for the suggested API and code. Please find below a suggested > patch that implements this new callback. > > > the patch is based on 1.0.2-dev from GIT: > > url: git://git.openssl.org/openssl.git > branch:

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

On 15/06/16 13:09, Salz, Rich via RT wrote: > So are we still fixing SSLv2 bugs? Or are they too low on the priority list? They're certainly low priority, but we are still fixing them. Matt -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

On 15/06/16 16:31, Daniel Kahn Gillmor wrote: > On Wed 2016-06-15 09:51:37 -0400, Salz, Rich wrote: >> I think OpenSSL needs to decide if SSLv2 bugs will be getting fixed. >> Matt and I disagree :) > > Isn't the existence of SSLv2 a bug? ;) Fixed in OpenSSL 1.1.0 :-) Matt -- openssl-dev

Re: [openssl-dev] [openssl.org #4255] OpenSSL-1.1.0-pre2 failures using MinGW-W64

On 28/05/16 16:49, sav...@ukr.net wrote: > > > --- Исходное сообщение --- > От кого: "Matt Caswell" <m...@openssl.org> > Дата: 27 мая 2016, 18:03:50 > > > 2. Results for some tests using MSVC there are: > > > > skipped: TLSPro

Re: [openssl-dev] [openssl.org #4545] Crash in crypto/rand/md_rand.c

On 27/05/16 11:07, Mick Saxton via RT wrote: > Hi Matt > > The test program runs against our major new development so I cannot share it > as is. > > I will try to produce a skeleton version which I could let you have. > > - But that will be end if next week as I am away for a few

Re: [openssl-dev] [openssl.org #4255] OpenSSL-1.1.0-pre2 failures using MinGW-W64

On 27/05/16 15:58, sav...@ukr.net wrote: > > > --- Исходное сообщение --- > От кого: "Matt Caswell via RT" <r...@openssl.org> > Дата: 27 мая 2016, 17:45:28 > > The "make test" hang issue on mingw should now be resolved in the head of >

Re: [openssl-dev] DTLS retransmission api

On 02/06/16 14:33, Alfred E. Heggestad wrote: > > > On 01/06/16 13:58, Matt Caswell wrote: >> >> >> On 01/06/16 11:15, Alfred E. Heggestad wrote: >>> hi, >>> >>> we are using DTLS from OpenSSL to implement DTLS-SRTP in our >>> prod

Re: [openssl-dev] How to get SSL version from SSL_SESSION using OpenSSL-1.1.x?

On 26/05/16 22:48, TJ Saunders wrote: > > >>> I'm currently working on updating proftpd and its various modules to >>> work with the changed APIs in OpenSSL-1.1.x. My current obstacle(?) is >>> to determine the SSL protocol version, given an SSL_SESSION pointer. >>> >>> Using OpenSSL-1.0.x, I

Re: [openssl-dev] How to get SSL version from SSL_SESSION using OpenSSL-1.1.x?

On 26/05/16 22:27, TJ Saunders wrote: > > I'm currently working on updating proftpd and its various modules to > work with the changed APIs in OpenSSL-1.1.x. My current obstacle(?) is > to determine the SSL protocol version, given an SSL_SESSION pointer. > > Using OpenSSL-1.0.x, I currently

Re: [openssl-dev] DTLS retransmission api

On 01/06/16 11:15, Alfred E. Heggestad wrote: > hi, > > we are using DTLS from OpenSSL to implement DTLS-SRTP in our > product (Wire.com) .. The code and implementation works really well > and is very robust. We are using OpenSSL version 1.0.2g > > > since our product is deployed globally on

Re: [openssl-dev] Backporting opaque struct getter/setter functions

On 11/01/16 18:29, Viktor Dukhovni wrote: > >> On Jan 11, 2016, at 5:23 AM, Tomas Mraz wrote: >> >> On Po, 2016-01-11 at 01:09 +, Peter Waltenberg wrote: >>> The point of using accessor FUNCTIONS is that the code doesn't break >>> if the structure size or offsets of

Re: [openssl-dev] 1.1 release being delayed

On 24/06/16 22:28, Jouni Malinen wrote: > On Mon, May 23, 2016 at 01:15:45PM +, Salz, Rich wrote: >> ... in case you haven't noticed :) Our announced release date for 1.1 has >> come and gone. >> >> We want to close many more bugs before we release it. In the meantime, >> please test

Re: [openssl-dev] Feedback on BIO API changes in 1.1

On 27/06/16 21:56, Timothy B. Terriberry wrote: >> Did you see BIO_meth_set_write etc ? > > I did. I also saw that exactly no code in OpenSSL itself uses this API. Not strictly true. s_server uses it as does asynciotest. We also use the similar RSA_METHOD functions and DSA_METHOD functions in

Re: [openssl-dev] Feedback on BIO API changes in 1.1

On 27/06/16 21:56, Timothy B. Terriberry wrote: > Because I am writing a library, which I > intend to be re-entrant, but which does not have any explicit threading > support (or dependencies), I don't have any convenient global place to > cache it. I haven't needed one for anything else. You

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 15:46, Viktor Dukhovni wrote: > >> On Feb 8, 2016, at 9:49 AM, Matt Caswell <m...@openssl.org> wrote: >> >> Actually, yes that is a good point. There could be some subtle security >> issues there. You probably need to additionally check th

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 12:11, Rainer Jung wrote: > I'm adding support for OpenSSL 1.1.0 to the Apache web server. > > I struggle to migrate the renegotiation code in the case wehere we want > the client to send a client cert. The current code works like explained in > >

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 12:34, Matt Caswell wrote: > > > On 08/02/16 12:11, Rainer Jung wrote: >> I'm adding support for OpenSSL 1.1.0 to the Apache web server. >> >> I struggle to migrate the renegotiation code in the case wehere we want >> the client to send a client

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

On 06/02/16 04:24, Fedor Indutny via RT wrote: > On Fri, Feb 5, 2016 at 7:14 PM, Matt Caswell <m...@openssl.org> wrote: > >> >> >> On 05/02/16 22:42, Fedor Indutny wrote: >>> Matt, >>> >>> I have looked through the APIs. Will have t

Re: [openssl-dev] version script

On 08/02/16 13:41, Catalin Vasile wrote: > I'm trying to compile a custom OpenSSL library to work with nginx. > nginx requires that the SSL library have version data included in the .so > files, so I'm using this patch[1] for this. > The problem is that if I set the library versiont to 1.0.1

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 14:36, Viktor Dukhovni wrote: > >> On Feb 8, 2016, at 9:26 AM, Matt Caswell <m...@openssl.org> wrote: >> >> SSL_renegotiate(ssl); >> SSL_do_handshake(ssl); >> do { >>read_some_app_data(); >>if(no_client_cert_yet())

Re: [openssl-dev] How to do reneg with client certs in 1.1.0 API

On 08/02/16 13:45, Tomas Mraz wrote: > On Po, 2016-02-08 at 12:34 +0000, Matt Caswell wrote: >> >> On 08/02/16 12:11, Rainer Jung wrote: >>> >> Renegotiation isn't entirely within the control of the server. A >> server >> can request that a renegot

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

On 04/02/16 05:49, Rich Salz via RT wrote: > currently in master, planned for 1.1 scheculed for april 2017 That would be April 2016!! Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

On 04/02/16 06:34, Salz, Rich via RT wrote: > It’s late and my response was incomplete. > The other part has already landed in master, and that's the "async engine" > support. See: https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html

Re: [openssl-dev] openssl-SNAP-20160212 issue

On 12/02/16 14:31, The Doctor wrote: > Here is another fix needed: > > making all in ssl... > gcc -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_EXPERIMENTAL_JPAKE > -DOPENSSL_THREADS -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

; On Thu, Feb 4, 2016 at 4:56 AM, Fedor Indutny via RT <r...@openssl.org > <mailto:r...@openssl.org>> wrote: > > Thank you very much, Matt, Rich. > > I will read through these docs tomorrow. > > On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT <r.

Re: [openssl-dev] SSL_R_HTTP_REQUEST no longer supported in 1.1.0

On 08/02/16 20:49, Rainer Jung wrote: > The constant SSL_R_HTTP_REQUEST is still defined, but I can't find code > that sets it and practical experiments indicate it is no longer set. > > In Apache land we use it to detect "HTTP spoken on HTTPS port". OpenSSL > 1.0.2 has code in

Re: [openssl-dev] memory leaks detected using libSSL 1.1

well! Anyway, please try the attached patch to see if that helps. Let me know how you get on. Thanks Matt >From a47094a928f56cb62d57d4b53f2e4e20f9a0a031 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Sat, 13 Feb 2016 23:22:45 + Subject: [PATCH] Fix memory lea

Re: [openssl-dev] 1.0.1r release not committed to git repo

On 28/01/16 16:40, John Foley wrote: > I just cloned the OpenSSL git repo at > git://git.openssl.org/openssl.git. Looking at the OpenSSL_1_0_1-stable > branch, the fix for CVE-2015-3197 still isn't in the repo. The most > recent commit is: > > foleyj@hobknob:~/gitsync/ossl/openssl$ git log >

Re: [openssl-dev] OpenSSL Security Advisory

On 02/02/16 21:34, Rainer Jung wrote: > Hi there, > > reading the last advisory again, I noticed, that there's one logical > inconsistency. > > First: > > OpenSSL before 1.0.2f will reuse the key if: > ... > - Static DH ciphersuites are used. The key is part of the certificate > and so it

Re: [openssl-dev] [openssl.org #4289] OpenSSL 1.0.2f serious bug in Win32 makefiles, easy to fix, solution provided

On 03/02/16 19:43, Salz, Rich via RT wrote: >> The diff works perfectly on master, but exposed a new bug (bare snprintf). >> The following patch fixes it. I can make a PR (or add it to my existing PR >> #512) >> if you'd like. > > Please do as a separate PR. Thanks. I think Richard is

Re: [openssl-dev] MSVC 2015 internal compiler error

On 24/02/16 10:29, Gisle Vanem wrote: > Matt Caswell wrote: > >> The attached seems to avoid the problem - but then for reasons I cannot >> understand link errors result later on in the build. > > I too can confirm that your patch fixes MSVC-2105 compila

Re: [openssl-dev] SSL_library_init

On 24/02/16 15:50, The Doctor wrote: > As of 2106-20-24 SSL_librbary_init may not be avialable in the libssl.so . > > Is their a workaround for this? > SSL_library_init is still available in ssl.h as a compatibility macro: #if OPENSSL_API_COMPAT < 0x1010L # define SSL_library_init()

Re: [openssl-dev] MSVC 2015 internal compiler error

On 24/02/16 16:48, Gisle Vanem wrote: > Matt Caswell wrote: > >> The complete patch is attached. This is currently going through review, >> and solves the link issue. > > That brought MSVC-2015 back on track. Thanks! > This has now been committed, so hopefully

Re: [openssl-dev] Ubsec and Chil engines

On 23/02/16 16:38, Sander Temme wrote: > All, > > I toyed over the weekend with resurrecting CHIL: intermediate result > here https://github.com/sctemme/openssl/tree/rescue-chil and I AM NOT > PROUD OF THIS but have no cycles to clean it up for at least a couple > of days to come. It builds now

Re: [openssl-dev] MSVC 2015 internal compiler error

513236b6e0ffd5290d0f53b71f56c9 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Tue, 23 Feb 2016 15:27:05 + Subject: [PATCH] Workaround for VisualStudio 2015 bug VisualStudio 2015 has a bug where an internal compiler error was occurring. By reordering the DEFINE_STACK_

Re: [openssl-dev] MSVC 2015 internal compiler error

On 23/02/16 15:59, Matt Caswell wrote: > > > On 23/02/16 01:55, Bill Bierman wrote: >> The Microsoft compiler team has suggested removing the include of ssl.h >> from srtp.h as it creates a circular reference which is likely confusing >> the compiler. >> &

Re: [openssl-dev] version script patch from Debian

On 21/01/16 16:53, Tom Kacvinsky wrote: > I ran into this problem with the OpenSSL 1.0.1e I built from source on a > Debian based system (Ubuntu): > > libssl.so.1.0.0: no version information available (required by python) > > Found this page: > >

Re: [openssl-dev] OpenSSL 1.1 SSL_CTX issues

On 21/01/16 17:57, Viktor Dukhovni wrote: > On Thu, Jan 21, 2016 at 05:33:51PM +, Howard Chu wrote: > >> In OpenLDAP we've been using >> CRYPTO_add(>references, 1, CRYPTO_LOCK_SSL_CTX) >> to manage our own SSL_CTXs but this is not possible with current 1.1. Making >> the structures opaque

[openssl-dev] Pipelining

I have just pushed to github some code that I have been working on to implement a feature I have called "pipelining". This is still WIP, although is fairly well advanced. I am keen to hear any feedback. You can see the PR here: https://github.com/openssl/openssl/pull/682 The idea is that some

Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published

On 15/02/16 20:52, Jouni Malinen wrote: > On Mon, Feb 15, 2016 at 07:04:20PM +, OpenSSL wrote: >>OpenSSL version 1.1.0 pre release 3 (alpha) >> >>OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 3 has now >>been made available. For details of changes and known

Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published

On 15/02/16 21:25, Jouni Malinen wrote: > On Mon, Feb 15, 2016 at 10:52:27PM +0200, Jouni Malinen wrote: >> On Mon, Feb 15, 2016 at 07:04:20PM +, OpenSSL wrote: >>>OpenSSL version 1.1.0 pre release 3 (alpha) > >> It looks like something in pre release 3 has changed behavior in a way >>

Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published

On 15/02/16 21:50, Jouni Malinen wrote: > On Mon, Feb 15, 2016 at 09:34:33PM +0000, Matt Caswell wrote: >> On 15/02/16 21:25, Jouni Malinen wrote: >>> Is this change in OpenSSL behavior expected? Is it not allowed to call >>> EVP_cleanup() and then re

Re: [openssl-dev] memory leaks detected using libSSL 1.1

p:\mes programmes\shared\ocrypto-11\tls.cpp (1017): > TestsTLS-11.exe!OTLS::TLSSss::DoHandshake() + 0xC bytes > p:\mes programmes\tests\_testsshared\teststls-11-leak\clttasks.cpp (63): > TestsTLS-11.exe!CltThread::Main() + 0xB bytes > p:\mes programmes\shared\sthread.cpp (17): > Tests

Re: [openssl-dev] OpenSSL version 1.1.0 pre release 3 published

On 16/02/16 16:17, David Woodhouse wrote: > On Mon, 2016-02-15 at 22:17 +0000, Matt Caswell wrote: >> >> Maybe EVP_cleanup() and other similar explicit deinit functions should >> be deprecated, and do nothing in 1.1.0? The auto-deinit capability >> should handle it.

Re: [openssl-dev] memory leaks detected using libSSL 1.1

> f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): TestsTLS-11.exe!malloc() > + 0x15 bytes > e:\openssl-1.1.git\crypto\mem.c (138): TestsTLS-11.exe!CRYPTO_malloc() + > 0x9 bytes > e:\openssl-1.1.git\crypto\mem.c (158): TestsTLS-11.exe!CRYPTO_zalloc() + > 0x11 bytes >

Re: [openssl-dev] memory leaks detected using libSSL 1.1

hread. > Both of them have OPENSSL_thread_stop() in their [pre-]exit member function. > > Michel. > > -Message d'origine- > De : openssl-dev [mailto:openssl-dev-boun...@openssl.org] De la part de Matt > Caswell > Envoyé : mercredi 17 février 2016 17:23 > À :

Re: [openssl-dev] memory leaks detected using libSSL 1.1

err.c (598): > TestsTLS-11.exe!ERR_clear_error() + 0x5 bytes > e:\openssl-1.1.git\ssl\statem\statem.c (279): > TestsTLS-11.exe!state_machine() > e:\openssl-1.1.git\ssl\statem\statem.c (222): > TestsTLS-11.exe!ossl_statem_accept() + 0xB bytes > e:\openssl-1.1.git\ssl\ssl_

Re: [openssl-dev] memory leaks detected using libSSL 1.1

On 18/02/16 13:59, Michel wrote: > Yes ! > With your 2 patches applied, tls_decrypt_ticket.patch and > fix-win-thread-stop.patch, > (looks like I lost the first one yesterday), > none of my tests programs using libSSL v1.1 reports leaks. > > I feel better. :-) Great. I'll get those reviewed

[openssl-dev] Ubsec and Chil engines

Hi all The ubsec and chil engines are currently disabled in 1.1.0 and do not build. As far as ubsec is concerned I understand that this is an engine for broadcom cards. There has been very little activity with this engine since it was first introduced. Google brings up some very old historic

Re: [openssl-dev] Ubsec and Chil engines

On 19/02/16 13:11, Jaroslav Imrich wrote: > Hello Matt, > > If I don't hear from anyone I will remove these. > > > I can confirm that CHIL engine is actively used with OpenSSL 1.0.* by > the owners of nCipher/THALES nShield HSMs. > > I have notified vendor support about this thread. >

Re: [openssl-dev] [openssl.org #4437] invalid free() by ENGINE_cleanup()

On 17/03/16 10:49, Daniel Stenberg via RT wrote: > Hey, > > In curl we call ENGINE_cleanup() as part of our OpenSSL specific cleanup > function. When I do this with OpenSSL from git master as of right now > (OpenSSL_1_1_0-pre4-7-ga717738) valgrind catches an illegal free: Auto deinit

Re: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'"

On 14/03/16 14:57, Andy Polyakov via RT wrote: >> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >> 32-bit tests OK. >> >> The relevant snippets are: >> >> $ make test >> ... >> ../test/recipes/90-test_async.t ... 1/1 >> # Failed test 'running asynctest' >> #

Re: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'"

rk out we're >> on ppc64 then we default to ASYNC_NULL? > > #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) > > So something like the attached? Jeff, can you test this? Matt >From e30be0c1c51cc7da06f103a07d6b4b9757838867 Mon Sep 17 0

Re: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two

On 11/03/16 01:03, Jeffrey Walton wrote: > Hi Everyone, > > Testing master on real hardware is showing some minor issues on a few > platforms, including ARM32, ARM64, PowerPC and i686. In addition, > there seems to be one-off issues on other combinations, like VIA's C7 > processor on Linux. >

Re: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t

On 12/03/16 00:12, noloa...@gmail.com via RT wrote: >>> What is actually running? How can I get it under a debugger? >> >> >> $ ./config -d >> $ make >> $ make test/afalgtest >> $ cd test >> $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest >> > > Ooh, -d looks like a new option. Would that be

Re: [openssl-dev] OPENSSL_cleanup new issue

Hi Roumen On 10/03/16 22:21, Roumen Petrov wrote: > Hello, > > With new thread model in some configurations openssl hands on unload of > engine. I just pushed commit 773fd0bad4 to master which should hopefully resolve this issue. Matt -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t

On 11/03/16 19:38, noloa...@gmail.com via RT wrote: > On Thu, Mar 10, 2016 at 2:29 PM, noloa...@gmail.com via RT > wrote: >> Working from Master: >> > > It looks like the hang is still present as of 603358d. > > When the following runs: > >

Re: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng

On 18/03/16 12:52, noloa...@gmail.com via RT wrote: > I've configured with: > > ./config enable-afalgeng > > When I run the self tests, I see: > > ../test/recipes/30-test_afalg.t ... skipped: test_afalg not > supported for this build You should not need to use enable-afalgeng

Re: [openssl-dev] configure results in conflicting CRT switches for win DLL

894a00c3f76c47 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Thu, 17 Mar 2016 10:14:30 + Subject: [PATCH 1/3] Fix no-rc2 in the CMS test The CMS test uses some RC2 keys which should be skipped if the RC2 is disabled. --- test/recipes/80-test_cms.t | 14 +

Re: [openssl-dev] libcryto 1.1 leaks since old locks are removed

0xF bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2367): > TestsTLS-11.exe!SSL_CTX_new() + 0x5 bytes > > p:\mes programmes\shared\ocrypto-11\tls.cpp (95): > TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes > > p:\mes programmes\tests\_testsshared

Re: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng

On 18/03/16 22:59, Kurt Roeckx via RT wrote: > On Fri, Mar 18, 2016 at 01:18:04PM +0000, Matt Caswell wrote: >> >> >> On 18/03/16 12:52, noloa...@gmail.com via RT wrote: >>> I've configured with: >>> >>> ./config enable-afalgeng >>>

Re: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'"

On 14/03/16 15:21, Matt Caswell via RT wrote: > > > On 14/03/16 15:05, Andy Polyakov via RT wrote: >>>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>>> 32-bit tests OK. >>>>> >>>>> The relevant

Re: [openssl-dev] no-ui, warnings and errors

On 27/03/16 00:16, Jeffrey Walton wrote: > Is this a supported configuration (no-ui and apps)? Co-incidentally, Richard has a patch for no-ui that fixes these problems that is currently in review. Matt > > There's a fair number of warnings when configuring with no-ui: > >

Re: [openssl-dev] 1.0.1t ?

On 23/03/16 16:00, Suarez, Miguel wrote: > Hi > > > > Can you tell me when 1.0.1t release or later will be made available with > fixes for the following issues (see below). 1.0.1t does not currently have a planned release date. Releases are scheduled on an as-needed basis, typically

Re: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests

What happens if you run the afalgtest directly? $ cd test $ ./afalgtest Matt On 16/03/16 13:52, noloa...@gmail.com via RT wrote: > Working from Master on a Gentoo 13 machine, x86_64. The test was run > as root which explains one of the failures (I don't have users or SSH > set up yet). > >

Re: [openssl-dev] Running against BoringSSL's SSL test suite

On 07/03/16 21:49, David Benjamin wrote: > Hi folks, > > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I > was bored and ran it against OpenSSL master. It revealed a number of > bugs. One is https://github.com/openssl/openssl/pull/603. I'll be filing > tickets shortly

<    1   2   3   4   5   6   7   8   9   10   >