[openssl-users] stunnel 5.28 released

2015-12-11 Thread Michal Trojnara
Dear Users, I have released version 5.28 of stunnel. This is a bugfix release. I highly recommend upgrading your stunnel. The ChangeLog entry: Version 5.28, 2015.12.11, urgency: HIGH * New features - Build matrix (.travis.yml) extended with

Re: [openssl-users] OCSP service dependant on time valid CRLs

2015-12-11 Thread Erwann Abalea
Bonjour, The problem with signing with a default certificate is that the response certainly won’t be accepted by the client (see RFC6960 section 4.2.2.2, this responder certificate doesn’t follow criteria 1 and 2, and certainly not criteria 3), so you’re performing a signature knowing it will

Re: [openssl-users] sign sub CA issue

2015-12-11 Thread Ben Humpert
Tell the person who created the CSR that the value of the stateOrProvinceName field has to be HK. If that is not possible because the subCA is in a different country you can change your openssl.cnf to allow different values in that field so instead of stateOrProvinceName = match you have to use at

Re: [openssl-users] sign sub CA issue

2015-12-11 Thread Mohammad Jebran
Please can I have some advice on this query. Regards, Jebran. On Tue, Dec 8, 2015 at 11:18 AM, Mohammad Jebran wrote: > I have to sign a sub-CA through my current root CA using openSSL everything > I have configured as per instructions but still getting an error that >

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>>> static inline unsigned int constant_time_msb(unsigned int a) { >>> -*return 0 - (a >> (sizeof(a) * 8 - 1));* >>> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1; >>> } >> >> >> ... Both versions >> look reasonable to me (ignoring the hardcoded 8 - implying a char is 8 >> bits).
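Review bot: the added return line in constant_time_msb right-shifts a negative int, which C leaves implementation-defined, while the removed line "return 0 - (a >> (sizeof(a) * 8 - 1));" stays in unsigned arithmetic and is fully defined. If the change works around a specific compiler, name that compiler in a comment next to the cast, since a constant-time helper should not depend on how a given implementation shifts signed values. The added line also sizes the shift with sizeof(int) where the removed one used sizeof(a), and both hardcode 8 where CHAR_BIT would state the assumption.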

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>> static inline unsigned int constant_time_msb(unsigned int a) { >> -*return 0 - (a >> (sizeof(a) * 8 - 1));* >> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1; >> } > > > ... Both versions > look reasonable to me (ignoring the hardcoded 8 - implying a char is 8 > bits).

[openssl-users] OSTIF

2015-12-11 Thread Matt Caswell
Hi all I've had some emails recently from Derek at OSTIF who has been talking to me about their plans to do an audit (separate to the current CII one) of OpenSSL next year. OSTIF is not associated or affiliated with OpenSSL, but if you're interested you can learn more here: https://ostif.org/

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Andy Polyakov > Sent: Friday, December 11, 2015 10:07 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in > OpenSSL 1.0.2d > > >> static inline unsigned int

Re: [openssl-users] sign sub CA issue

2015-12-11 Thread Mohammad Jebran
Thanks guys, It's done. Regards, Jebran. On Fri, Dec 11, 2015 at 7:18 PM, Mohammad Jebran wrote: > Please can I have some advice on this query. > > Regards, > Jebran. > > On Tue, Dec 8, 2015 at 11:18 AM, Mohammad Jebran > wrote: > >> I have to sign a

Re: [openssl-users] sign sub CA issue

2015-12-11 Thread Jakob Bohm
1. Check if the certificate for your root CA specifies any "path restrictions" or similar that says that it cannot validly sign certificates outside some state or province. Having such restrictions in a root CA is GOOD whenever possible, because it limits the damage that can be done if

Re: [openssl-users] Build failure with OpenSSL version 1.0.2e in Win32 platform

2015-12-11 Thread Matt Caswell
On 11/12/15 15:46, Abdul Razik wrote: > Hello > > Can someone please help with this issue? I am trying to build version > 1.0.2e with VS 2015 and got the following build error with 32 bit, 64 > bit builds fine, > > searching online it seems to have been resolved, not sure how to get > the fix

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
>>> C does not make such a guarantee, though recent-ish POSIX does. (This >>> system is a windows one, though, right?) >> There are DSPs that only support 32 bit, they don't have a concept >> of 8 bit. But I think there is various code that assumes that >> char is 8 bit, and I doubt you can get

[openssl-users] Build failure with OpenSSL version 1.0.2e in Win32 platform

2015-12-11 Thread Abdul Razik
Hello Can someone please help with this issue? I am trying to build version 1.0.2e with VS 2015 and got the following build error with 32 bit, 64 bit builds fine, searching online it seems to have been resolved, not sure how to get the fix and which files are affected by the fix. Can someone

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Andy Polyakov
On 12/11/15 17:41, Michael Wojcik wrote: >> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf >> Of Andy Polyakov >> Sent: Friday, December 11, 2015 10:07 >> To: openssl-users@openssl.org >> Subject: Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in >>

Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

2015-12-11 Thread Jeffrey Walton
> 3. The compiler wasn't written by a fanatic who put > the "right shift of negative signed values is > undefined" rule above common sense. > > This is only implementation-defined behavior, not undefined behavior. It is > not permitted to crash the system or launch the missiles. (n1256.pdf