Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Bodo Moeller
On Mon, Jun 15, 2009 at 5:46 AM, Phil Pennock wrote: > When RFC 5246 came out, specifying TLS 1.2 and having all mandated > cipher suites use SHA-256, we assumed that to aid the transition OpenSSL > would add EVP_sha256() to the list of digests initialised in > SSL_library_init(), even before supp

SSL: problem with bio in 0.9.9?

2009-06-15 Thread Emanuele Cesena
Hi all, I was trying curl/libcurl compiled against OpenSSL 0.9.9. I noticed a very strange behaviour that I was able to workaround with a couple of sleep(). Curl fails to connect with: curl: (52) SSL read: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message, errno 11 The b

Re: SSL: problem with bio in 0.9.9?

2009-06-15 Thread Dr. Stephen Henson
On Mon, Jun 15, 2009, Emanuele Cesena wrote: > Hi all, > > I was trying curl/libcurl compiled against OpenSSL 0.9.9. > I noticed a very strange behaviour that I was able to workaround with a > couple of sleep(). > > Curl fails to connect with: > curl: (52) SSL read: error:140943F2:SSL routines:S

Re: SSL: problem with bio in 0.9.9?

2009-06-15 Thread Emanuele Cesena
On Mon, 2009-06-15 at 14:30 +0200, Dr. Stephen Henson wrote: > > I was trying curl/libcurl compiled against OpenSSL 0.9.9. > > I noticed a very strange behaviour that I was able to workaround with a > > couple of sleep(). > > > > Curl fails to connect with: > > curl: (52) SSL read: error:140943F2:

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Maarten Litmaath via RT
Hi Stephen, > I can't see how anything could cause an issue with 85 CAs. The attached > descriptions imply it might be a mod_ssl issue (not reproducible with > s_server). There is a bit more information now in our ticket: https://savannah.cern.ch/bugs/?48458 Romain Wartel wrote: > So 4 c

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Maarten Litmaath
Hi Stephen, I can't see how anything could cause an issue with 85 CAs. The attached descriptions imply it might be a mod_ssl issue (not reproducible with s_server). There is a bit more information now in our ticket: https://savannah.cern.ch/bugs/?48458 Romain Wartel wrote: > So 4 condit

Re: OpenSSL code on Windows crashes.

2009-06-15 Thread patfla
Hi Kyle, My OpenSSL installation has been on my machine a while and I'm not sure that it's my installation that's at fault. This, https://launchpad.net/pyopenssl , has already built and run successfully against my installation. Python interface for OpenSSL. I'm guessing that the test code I used

Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Phil Pennock
On 2009-06-15 at 11:02 +0200, Bodo Moeller wrote: > On Mon, Jun 15, 2009 at 5:46 AM, Phil Pennock wrote: > > > When RFC 5246 came out, specifying TLS 1.2 and having all mandated > > cipher suites use SHA-256, we assumed that to aid the transition OpenSSL > > would add EVP_sha256() to the list of d

RE: SSL_library_init() & EVP_sha256

2009-06-15 Thread David Schwartz
Phil Pennock wrote: > The approach of the Exim MTA to cryptography is simple -- don't > second-guess the SSL library developers when it comes to choosing which > algorithms/digests/etc to load, and provide a knob > ("tls_require_ciphers") for administrators to restrict what can be > loaded. The

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Roumen Petrov
Maarten Litmaath wrote: Hi Stephen, I can't see how anything could cause an issue with 85 CAs. The attached descriptions imply it might be a mod_ssl issue (not reproducible with s_server). There is a bit more information now in our ticket: https://savannah.cern.ch/bugs/?48458 Romain War

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Roumen Petrov via RT
Maarten Litmaath wrote: > Hi Stephen, > >> I can't see how anything could cause an issue with 85 CAs. The attached >> descriptions imply it might be a mod_ssl issue (not reproducible with >> s_server). > > There is a bit more information now in our ticket: > > https://savannah.cern.ch/bugs/?

Re: SSL_library_init() & EVP_sha256

2009-06-15 Thread Phil Pennock
On 2009-06-15 at 14:17 -0700, David Schwartz wrote: > Phil Pennock wrote: > > The approach of the Exim MTA to cryptography is simple -- don't > > second-guess the SSL library developers when it comes to choosing which > > algorithms/digests/etc to load, and provide a knob > > ("tls_require_ciphers"

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Maarten.Litmaath
Hi Roumen, > > > it hangs the same, remove a few CAs and it works. > > > > > > # rpm -q httpd mod_ssl openssl fedora-release > > > httpd-2.2.11-8.x86_64 > > > mod_ssl-2.2.11-8.x86_64 > > > openssl-0.9.8k-4.fc11.x86_64 > > > fedora-release-11-1.noarch > [...] > > Maybe problem is in 64-bi

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Maarten Litmaath via RT
Hi Roumen, > > > it hangs the same, remove a few CAs and it works. > > > > > > # rpm -q httpd mod_ssl openssl fedora-release > > > httpd-2.2.11-8.x86_64 > > > mod_ssl-2.2.11-8.x86_64 > > > openssl-0.9.8k-4.fc11.x86_64 > > > fedora-release-11-1.noarch > [...] > > Maybe problem is in 64-bi

RE: SSL_library_init() & EVP_sha256

2009-06-15 Thread David Schwartz
Phil Pennock wrote: > > That just won't work. Cryptography is not a "drop in a library > > and mark a > > checkbox on your product" thing. It has to be properly integrated in an > > application with decisions made as to what the application > > actually needs, > > what threat models it faces, an

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Guenter
Hi, Roumen Petrov wrote: > In the past we could download a file with CA certificates ( > ca-bundle.crt.tar.gz ) from the mod_ssl site. Now the file is removed but it > contained more than 90 certificates (PEM format concatenated together). many use the Perl script I've hacked for cURL to create a ca-bundle.c

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Kyle Hamilton
These scripts pull the latest version of the Mozilla-approved CAs. OpenSSL is not in the business of making CA certificates available, but having the ability to do this in the stock package might be very good for the users. (Make sure that such a tool warns the user that the CA certificates are th

Best version for submitting patches ?

2009-06-15 Thread David McCullough
Hi openssl-devs, Just wanted to query the best openssl version for basing patches on. I have a number of patches relating to the ocf-linux project and other embedded linux work that I'd like to post for review and/or inclusion. I am currently based on 0.9.8k, but 1.0.0 beta or a snapshot is no