Re: [openssl-users] Openssl 1.1.0f support for building Openssh7.2p2 and above

I will check with OpenSSH team on this. Thanks for the info. Regards, Sravani On Mon, Jul 10, 2017 at 12:05 PM, Jeffrey Walton wrote: > On Mon, Jul 10, 2017 at 2:01 AM, Sravani Maddukuri via openssl-users > wrote: > > > > Is there any plans in

Re: [openssl-users] Rejecting SHA-1 certificates

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf > Of Viktor Dukhovni > Sent: Monday, July 10, 2017 13:24 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Rejecting SHA-1 certificates > > On Mon, Jul 10, 2017 at 08:19:11PM +0200, Niklas Keller wrote: > > >

Re: [openssl-users] OpenSSL 1.1.0 providing new OIDs to source code

Yes, MY_NID is really NID_whatever. I tried it with putting OPENSSL_init_crypto(0, NULL); at start of my main(). Did not make any difference… The Integer value of MY_NID will be printed out and is the correct integer value. And i tried another thing. I replaced the two dll-libraries with the

Re: [openssl-users] Rejecting SHA-1 certificates

On Mon, Jul 10, 2017 at 08:19:11PM +0200, Niklas Keller wrote: > > What's your threat model, and how does it justify this effort? > > The same as for browsers I guess. Could you explain why browsers and Java > disable SHA1, but it's not worth for me doing so? The browsers and Java do this

Re: [openssl-users] Rejecting SHA-1 certificates

On Mon, Jul 10, 2017 at 10:22 AM, Viktor Dukhovni < openssl-us...@dukhovni.org> wrote: > > > On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote: > > > > It's very well worth the effort, otherwise there's a security issue, > because certificates can be forged. > > Collision

Re: [openssl-users] Rejecting SHA-1 certificates

2017-07-10 19:30 GMT+02:00 Michael Wojcik : > > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On > Behalf Of Niklas Keller > > Sent: Monday, July 10, 2017 11:12 > > To: openssl-users@openssl.org > > Subject: Re: [openssl-users] Rejecting SHA-1

Re: [openssl-users] Rejecting SHA-1 certificates

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of > Niklas Keller > Sent: Monday, July 10, 2017 11:12 > To: openssl-users@openssl.org > Subject: Re: [openssl-users] Rejecting SHA-1 certificates > It's very well worth the effort, otherwise there's a security issue,

Re: [openssl-users] Rejecting SHA-1 certificates

> On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote: > > It's very well worth the effort, otherwise there's a security issue, because > certificates can be forged. Collision attacks don't directly lead to certificate forgery. There are no known 2nd-preimage attacks on SHA-1.

Re: [openssl-users] Rejecting SHA-1 certificates

> > > On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: > > > > > > What's the best way / a working way to reject weak signature schemes in > OpenSSL 1.0.{1,2}? > > Most CAs have stopped issuing SHA-1 certificates. Any old ones will > expire over the > next year or two. While

Re: [openssl-users] Rejecting SHA-1 certificates

> On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote: > > > What's the best way / a working way to reject weak signature schemes in > OpenSSL 1.0.{1,2}? Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire over the next year or two. While Google has

Re: [openssl-users] MSVC Compiling OpenSSL on Windows 64 issues with missing libs

Ok, found what happened. For a reason that remains gloomy to me (I think this is undocumented from POCO), POCO adds the following dependencies to the vcxproj file: ws2_32.lib;iphlpapi.lib;libeay32.lib;ssleay32.lib;%(AdditionalDependencies) I have removed those dependencies and it looks to be ok

Re: [openssl-users] Default Diffie Hellman Parameters

X25519 does not use DH parameters. If you don’t set the parameters with a callback, or generate them and tell openssl to use them, then EDH will not be used. Not that EDH is *not* the same as ECDHE. Don’t use DH, use X25519, for a number of reasons. Search “25519” to find more. --

[openssl-users] Default Diffie Hellman Parameters

Hi All, In case no dh params are set and ECDHE-ECDSA type cipher is used, what is the default size of DH params (what modulus) used on TLS handshake. I see that X25519 EC is getting used but I am not sure about DH parameters in that case Thanks Best Regards, Neetish -- openssl-users mailing list

[openssl-users] Rejecting SHA-1 certificates

Morning, I'm currently trying to reject certificate chains which rely on MD5 and SHA-1 for signatures. I found SSL_get0_verified_chain which could be used to walk the chain and reject if there's any MD5 / SHA-1 certificate in there, except for the last one, which is trusted because of the public

Re: [openssl-users] Openssl 1.1.0f support for building Openssh7.2p2 and above

On Mon, Jul 10, 2017 at 2:01 AM, Sravani Maddukuri via openssl-users wrote: > > Is there any plans in the future to get the support of OpenSSL 1.1.0 for > OpenSSH? You should ask the OpenSSH folks. Jeff -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Openssl 1.1.0f support for building Openssh7.2p2 and above

Thanks for the update Jeff. Is there any plans in the future to get the support of OpenSSL 1.1.0 for OpenSSH? Regards, Sravani On Mon, Jul 10, 2017 at 9:18 AM, Jeffrey Walton wrote: > On Sun, Jul 9, 2017 at 11:31 PM, Sravani Maddukuri via openssl-users >