Re: [openssl-users] openssl is flexible when verifying

2015-04-06 Thread Yuting Chen
Not sure about how to completely solve the problem. As the function X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) is called, crit is not actually used. (e.g., in v3_purp.c, line 462) x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); If the value

[openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Sandeep Umesh
Hello Users, Just want to understand the impact of openssl for RC4 Bar mitzvah attack. Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. I am not sure if there will be any design change

Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-06 Thread Viktor Dukhovni
On Mon, Apr 06, 2015 at 06:40:28PM +0200, Erwann Abalea wrote: What makes you think it is incorrect to check the Key Identifier (where present) before checking a signature against a key? Because the presented file4.pem is a valid issuer certificate for the one found in file3.pem? RFC5280

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
On 04/06/2015 10:59 AM, Nicolae Rosia wrote: I see. Still, the documentation sent to the lab would be helpful to the community to better understand/review the existing code. We don't send any documentation to the test labs unless they are performing validations actions for us, for which we must

Re: [openssl-users] updating list of server account password

2015-04-06 Thread MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
What does the ${ip} mean? //SIGNED// Andy Magaña UNIX Systems Administrator Diligent Contractor, 72nd Air Base Wing Tinker Air Force Base, Oklahoma Commercial: (405) 734-0341 -Original Message- From: mike nicholas [mailto:xmikenichol...@gmail.com] Sent: Monday, April 06, 2015 10:58

Re: [openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Michael Wojcik
Bar Mitzvah is an improvement on existing attacks against RC4. It's a credible exposure under some threat models. Primarily it's an issue for sites with a lot of RC4 conversations, since it depends on the use of weak keys, which are a large subset of all RC4 keys. When a conversation (randomly)

Re: [openssl-users] openssl is flexible when verifying

2015-04-06 Thread Yuting Chen
As Jeffrey Walton's comment, the standard is very malleable, making cert path validation a little unpredictable. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

2015-04-06 Thread Jeremy Farrell
There might be people on the OpenSSL list who can answer this, but your question is really about Apache configuration or installation. You'll probably get more knowledgeable answers on an Apache list. Regards, jjf On 06/04/2015 17:04, Cathy Fauntleroy wrote: A

Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

2015-04-06 Thread Cathy Fauntleroy
I've posed the same question on the Apache user forum but have not received any responses. Thanks. Cathy From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jeremy Farrell Sent: Monday, April 6, 2015 1:55 PM To: openssl-users@openssl.org Subject: Re:

Re: [openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

2015-04-06 Thread John Foley
Have you recompiled Apache? Or did you only recompile OpenSSL 1.0.2a? There is no binary compatibility between 0.9.8 and 1.0.2. You'll need to recompile Apache if you haven't done this. Or, possibly a newer Apache binary (2.4.12) would work with your OpenSSL 1.0.2a build. On 04/06/2015

Re: [openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Jeffrey Walton
Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. There are biases in the stream created by RC4. In theory, an adversary could use the biases as a launchpad to recover plain text

Re: [openssl-users] updating list of server account password

2015-04-06 Thread Salz, Rich
Perhaps you don't want to post this kind of thing to a global mailing list for all users of openssl? -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -Original Message- From: MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT

Re: [openssl-users] openssl is flexible when verifying

2015-04-06 Thread Jeffrey Walton
On Mon, Apr 6, 2015 at 2:42 PM, Yuting Chen che...@cs.sjtu.edu.cn wrote: As Jeffrey Walton's comment, the standard is very malleable, making cert path validation a little unpredictable. Generally speaking, RFC 6125 is used to validate a PKIX certificate. Unfortunately, the RFC does not mention

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread David Rueter
James, thanks for the reply. At this point I am using compiled Windows binaries, and am running a compiled Windows application that uses the SSL DLLs. The Windows application does let me specify a cipher list, but I do not have source to that application to re-build. I don’t think that

[openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread David Rueter
I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore, disabling SSL3 with -SSLv3 then adding in individual ciphers such as

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread James
Hi, Can you try this option SSL_CTX_set_options(m_SslCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); instead of disabling using the cipher list regards, James Arivazhagan On Tue, Apr 7, 2015 at 5:41 AM, David Rueter drue...@assyst.com wrote: I would like to disable SSL3 (to prevent POODLE

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread Viktor Dukhovni
On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote: I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable the

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread James
Hi, Some time back, to fix POODLE, I tried to fix with cipher suite, but still I can use the protocol SSLv3. The server responds with openssl s_client -connect ip:port -ssl3 So the fix should come using SSL_CTX_set_options. I understand since you are using the compiled binary, you may not be

Re: [openssl-users] ecc negotiation

2015-04-06 Thread David Rufino
Great, that works, thank you. Is this the default behavior when using the C API? Thanks, David On Sunday, April 5, 2015, Matt Caswell m...@openssl.org wrote: On 05/04/15 23:42, Matt Caswell wrote: On 05/04/15 22:04, David Rufino wrote: Hello, It's possible I'm doing something

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
On 04/05/2015 09:13 PM, Aaron wrote: Hello, We are porting our products to Linux-aarch64. Our products are using OpenSSL with FIPS. I know that OpenSSL 1.0.2 started to support Linux-aarch64, but our products need OpenSSL FIPS as well. My question is when OpenSSL FIPS will be supported

[openssl-users] FIPS wrapper to lock low level AES calls in FIPS mode

2015-04-06 Thread Philip Bellino
Hello, We are using Openssl-1.0.2a with FIPS 2.0.9 on Linux PPC environment. We have code that we assume needs updating, to avoid using low level routines in FIPS. For example, our snmp v3 implementation currently decrypts/encrypts using AES_set_encrypt_key() and AES_cfb128_encrypt(). The old

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Nicolae Rosia
Is the documentation for the current validation available? Maybe someone can pick it up and work from there. On Mon, Apr 6, 2015 at 4:54 PM, Steve Marquess marqu...@openssl.com wrote: On 04/05/2015 09:13 PM, Aaron wrote: Hello, We are porting our products to Linux-aarch64. Our products are

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Nicolae Rosia
I see. Still, the documentation sent to the lab would be helpful to the community to better understand/review the existing code. On Mon, Apr 6, 2015 at 5:44 PM, Steve Marquess marqu...@openssl.com wrote: On 04/06/2015 10:09 AM, Nicolae Rosia wrote: Is the documentation for the current

Re: [openssl-users] updating list of server account password

2015-04-06 Thread MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
//SIGNED// Andy Magaña UNIX Systems Administrator Diligent Contractor, 72nd Air Base Wing Tinker Air Force Base, Oklahoma Commercial: (405) 734-0341 -Original Message- From: mike nicholas [mailto:xmikenichol...@gmail.com] Sent: Monday, April 06, 2015 10:48 AM To: MAGANA, ANDREAS S I

Re: [openssl-users] FIPS wrapper to lock low level AES calls in FIPS mode

2015-04-06 Thread Philip Bellino
Hello, I would like to retract my previous email on this subject. I found the routine EVP_CIPHER_CTX_set_key_length(), and have successfully implemented. I apologize for wasting anyone's time who may have read the original email. Thanks, Phil From: openssl-users

Re: [openssl-users] Is there any plan for FIPS to be supported on Linux-aarch64?

2015-04-06 Thread Steve Marquess
On 04/06/2015 10:09 AM, Nicolae Rosia wrote: Is the documentation for the current validation available? Maybe someone can pick it up and work from there. It doesn't work that way. With FIPS 140-2 the software itself is never the problem, it's everything else. The OpenSSL FIPS Object Module is

[openssl-users] updating list of server account password

2015-04-06 Thread MAGANA, ANDREAS S I CTR USAF AFMC 72 ABW/SCOOT
Thank you Don and Matt and Mike, Your help got me here and I learned so much and there is much more to learn but I enjoy it. My script has a list of four Solaris 10 servers. Launching the perl expect.pm script from a Red Hat server it went to each box and changed my password with no

[openssl-users] Getting Apache to Recognize New OpenSSL Install

2015-04-06 Thread Cathy Fauntleroy
Hello Users, I am in need of some assistance/documentation. My current setup is: Windows 2008 R2, Apache 2.2.25 w/OpenSSL 0.9.8. I need to enable TLS1.1, 1.2 but understand that 0.9.8 does not support those protocols. So, I installed OpenSSL 1.0.2a and made system environment mappings to

[openssl-users] FW: Getting Apache to Recognize New OpenSSL Install

2015-04-06 Thread Cathy Fauntleroy
A follow-up question. Should I have installed Apache 2.2.25 with no OpenSSL (instead of the one I did install with OpenSSL 0.9.8)? I'm thinking that perhaps with the no ssl install, Apache would more easily recognize my OpenSSL 1.0.2 instance. I appreciate your thoughts and suggestions.

Re: [openssl-users] Fwd to openssl-users Re: [openssl-dev] Why the issuer cannot be found?

2015-04-06 Thread Erwann Abalea
Le 04/04/2015 05:31, Jakob Bohm a écrit : (top posting like the rest of the thread) (I don't like it either, but that's what Thunderbird proposes by default). What makes you think it is incorrect to check the Key Identifier (where present) before checking a signature against a key?