Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 8:40 PM, Viktor Dukhovni wrote: > > > > On Dec 22, 2017, at 11:33 PM, J Decker wrote: > > > > Very similar to OpenSSL 1.0.2, plus its own extensions. That's not > exactly > > "same". > > > > The same in that I can

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread Viktor Dukhovni
> On Dec 22, 2017, at 11:33 PM, J Decker wrote: > > Very similar to OpenSSL 1.0.2, plus its own extensions. That's not exactly > "same". > > The same in that I can link/compile against either and not change any > application code... not speaking of internals, just the API.

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 7:23 PM, Viktor Dukhovni wrote: > > > > On Dec 22, 2017, at 10:21 PM, J Decker wrote: > > > > I would also suggest check out LibreSSL which uses the same API as > OpenSSL > > Very similar to OpenSSL 1.0.2, plus its own

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread Viktor Dukhovni
> On Dec 22, 2017, at 10:21 PM, J Decker wrote: > > I would also suggest check out LibreSSL which uses the same API as OpenSSL Very similar to OpenSSL 1.0.2, plus its own extensions. That's not exactly "same". -- Viktor. -- openssl-users mailing list To

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread J Decker
On Fri, Dec 22, 2017 at 4:44 AM, Jan Graczyk wrote: > Hello OpenSSL-Users, > > > > I am actually evaluating OpenSSL stack software to be possibly used in my > company next generation products. We would like to have a secure connection > between our device TCP/IP stack and web

[openssl-users] Sudden control data sent during large transfer.

2017-12-22 Thread J Decker
How can I know what/why openssl is sending control data? I have this Node addon that uses TLS 1.2 to communicate. I'm sending a large file transfer (100M), which is chunked into 8100 byte blocks and sent on websocket protocol. It's additionally chunked into 4327 byte blocks (which after encoding

[openssl-users] After calling SSL_Shutdown on client, server's SSL_get_shutdown still returns 0

2017-12-22 Thread Germain Le Chapelain
Hi! Is this supposed to happen? I have an SSL Server writing to a client. I was expecting that if, at a random time (user initiated) the client would call SSL_Shutdown, then the Server would `see' the shutdown by calling SSL_get_shutdown But that never happens. If I keep calling Shutdown on

Re: [openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread Michael Richardson
Jan Graczyk wrote: > I am actually evaluating OpenSSL stack software to be possibly used in > my company next generation products. We would like to have a secure > connection between our device TCP/IP stack and web server which already > has SSL server

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Sands, Daniel
On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote: > Unfortunately this didn't work either. The end result is the same; > OpenSSL still emits a "certificate signature failure" with an error > depth of 0. > In light of what Salz said about verification, could we assume that the openssl

Re: [openssl-users] [openssl-security] Openssl Vulnerability detected

2017-12-22 Thread Viktor Dukhovni
> On Dec 22, 2017, at 7:03 AM, Salz, Rich wrote: > > Having said that, the answer is upgrade to a supported version, ideally 1.1.0 A better answer is typically to deploy the latest patched version from the platform vendor. And to not enable SSLv2 or SSLv3. Most

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Salz, Rich via openssl-users
Yes, the certificate validation was fixed, and improved, in 1.1.0. You should not use 1.0.1 if you can at all avoid it. It has many bugs, probably security issues, and missing features. Like, for example, cert validation.

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Manuel Wagesreither
Dear all, I just found out that this problem only occurs when I'm linking the executable against libssl 1.0.1k. When linking against libssl 1.1.0f, the certificate does get validated fine. Does anyone know possible reasons? Do these libssl versions differ in regard to certificate validation?

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Jan Just Keijser
Hi, On 22/12/17 11:14, Manuel Wagesreither wrote: Unfortunately this didn't work either. The end result is the same; OpenSSL still emits a "certificate signature failure" with an error depth of 0. here's a stripped down version of my 'grid-proxy-verify.c' that verifies a certificate loaded

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Salz, Rich via openssl-users
➢So it's guaranteed for 1.1, mostly guaranteed for recent 1.0.2, but not guaranteed for older 1.0.2. yes. ➢ I also think it would be good to backport all to 1.0.2 Yes. I believe I did that, but I am not absolutely 100% positive.

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Salz, Rich via openssl-users
➢ I think we fixed all such cases in 1.1.0, all *_free() functions should handle NULL. I don't think we backported to changes to 1.0.2. Yes, and we fixed the documentation. I backported all/most of them to 1.0.2 to make cherry-picking easier. I don’t know if I changed the docs.

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Kurt Roeckx
On Fri, Dec 22, 2017 at 09:30:19AM -0500, Ken Goldman wrote: > On 12/22/2017 9:24 AM, Salz, Rich via openssl-users wrote: > > > if (ptr!= NULL) free(ptr); > > That shouldn’t be necessary for OpenSSL. If you find places where it is, > > please open an issue. > > OK. I'll mention a few, but

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Ken Goldman
On 12/22/2017 9:24 AM, Salz, Rich via openssl-users wrote: if (ptr!= NULL) free(ptr); That shouldn’t be necessary for OpenSSL. If you find places where it is, please open an issue. OK. I'll mention a few, but it's a global issue. The code may handle NULL. However,

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Kurt Roeckx
On Fri, Dec 22, 2017 at 01:06:20PM +, Salz, Rich via openssl-dev wrote: > Our intent is that all FREE functions can handle NULL. If you find things > missing or undocumented, please open an issue on GitHub. Thanks! I think we fixed all such cases in 1.1.0, all *_free() functions should

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Salz, Rich via openssl-users
> if (ptr!= NULL) free(ptr); That shouldn’t be necessary for OpenSSL. If you find places where it is, please open an issue. ➢ BTW, "can handle" should explicitly say what happens. Perhaps use the C library text, which says: If ptr is NULL, no operation is

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Ken Goldman
On 12/22/2017 8:06 AM, Salz, Rich via openssl-users wrote: Our intent is that all FREE functions can handle NULL. If you find things missing or undocumented, please open an issue on GitHub. Thanks! It would be great if that was documented for all _free() functions. I currently always code

Re: [openssl-users] [openssl-dev] Is X509_free(NULL) ok?

2017-12-22 Thread Salz, Rich via openssl-users
Our intent is that all FREE functions can handle NULL. If you find things missing or undocumented, please open an issue on GitHub. Thanks! -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Evaluation of OpenSSL stack software

2017-12-22 Thread Jan Graczyk
Hello OpenSSL-Users, I am actually evaluating OpenSSL stack software to be possibly used in my company next generation products. We would like to have a secure connection between our device TCP/IP stack and web server which already has SSL server running. I am looking for a benchmarks of

Re: [openssl-users] FW: Help to understand WPACKET API

2017-12-22 Thread Matt Caswell
On 19/12/17 13:43, Sai Teja Chowdary wrote: > After going through the code I understand the new tls1.3 implemented > OpenSSL code is using WPACKET API to frame the records. I need help in > understanding what the following functions do. I am new to the mailing > list, thanks in advance. > >   >

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Manuel Wagesreither
Unfortunately this didn't work either. The end result is the same; OpenSSL still emits a "certificate signature failure" with an error depth of 0. Regards, Manuel Am Do, 21. Dez 2017, um 19:27, schrieb Sands, Daniel: > I'm a fellow SSL-USER and not an expert, but my verification flow goes > as