Re: OpenSSL 1.1.1 Windows dependencies

2022-10-22 Thread David Harris
ntical between the systems/combinations of > > OpenSSL that work and those that don't. > > Do you know that for certain? There's no openssl.cnf from some other > source being picked up on the non-working system? I'm pretty certain, but I'll get the customer to double-check. Cheers! -- David --

Re: OpenSSL 1.1.1 Windows dependencies

2022-10-21 Thread David Harris
o look into this for me Richard. Cheers! -- David --

Re: OpenSSL 1.1.1 Windows dependencies

2022-10-21 Thread David Harris
ed digging much deeper; it's altogether possible that I might just have to write this one off to experience and tell the user to use a 1.1.1g build of OpenSSL (which I build exactly the same way, and which works correctly in the same setup). Thanks for the help - appreciated. Cheers! -- David --

OpenSSL 1.1.1 Windows dependencies

2022-10-19 Thread David Harris
in Google but couldn't find anything that seemed relevant. Thanks in advance for any advice. Cheers! -- David --

OpenSSL-3 ENGINESDIR development vs deployment

2022-10-07 Thread Wrestler, C David CTR (USA)
Background, earlier versions of my project were using OpenSSL 1.n.n, the output stayed within its checkout directory, and the .DLLs deployed to where-ever the project was deployed. Now trying to implement OpenSSL 3, after compiling it seems to keep referring to the directories it was

Re: [lamps] [TLS] Q: Creating CSR for encryption-only cert?

2022-10-06 Thread von Oheimb, David
//datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-algorithms Cheers, David

Re: creating CSR for encryption-only cert?

2022-10-03 Thread David von Oheimb
. David On Mon, 2022-10-03 at 19:48 +, Blumenthal, Uri - 0553 - MITLL wrote: David,   Thank you! That’s a great answer. It looks like OpenSSL does support CRMF? Would you or somebody else have an example of how to work with CRMF (to create it, and to process/sign it)?   Do you happen

Re: Q: creating CSR for encryption-only cert?

2022-10-03 Thread David von Oheimb
be returned by the CA in encrypted form (using the new public key) to the EE, and the EE will only be able to make use of the cert if it is able to decrypt it, which proves possession of the private key. David On Mon, 2022-10-03 at 15:11 +, Blumenthal, Uri - 0553 - MITLL wrote: > TLDR; >

Re: Re: openssl req not working, error is "req: Use -help for summary."

2022-09-20 Thread von Oheimb, David
xtra option: "subjectKeyIdentifier=hash" req: Use -help for summary. and this will be available with OpenSSL 3.1. BTW, if you want a validity period of exactly 100 years, you need to take into account 24 leap days/years, so better use "-days 36524" than "-days 36500".

Re: help //java.security.NoSuchAlgorithmException: 1.2.840.113549.1.5.13 SecretKeyFactory not available

2022-08-27 Thread David von Oheimb
Hi, I'm not an expert on this topic, but this looks like it is of interest here: https://stackoverflow.com/questions/58488774/configure-tomcat-hibernate-to-have-a-cryptographic-provider-supporting-1-2-840-1 23 Aug 2022 10:34:51 李周华 : > Hi , guys > > >    I have use the follow openssl commands to

Re: What is 'trusted certificate'

2022-07-16 Thread David von Oheimb
that represents the trust anchor for the chain. Some information on the OpenSSL view on trusted/untrusted certs can be found at  https://beta.openssl.org/docs/manmaster/man1/openssl-verification-options.html David On Fri, 2022-07-15 at 22:38 +0200, Kamil Jońca wrote: > > I have freeradius server conf

Re: error: wrong version number

2022-07-11 Thread David von Oheimb
Yes, the TLS diagnostics can be confusing: it reports "wrong version" also when there is no TLS (version) being used by the peer at all. David On Mon, 2022-07-11 at 00:16 -0400, Viktor Dukhovni wrote: > On Sun, Jul 10, 2022 at 02:41:23PM +, loic nicolas wrote: > > >

Re: OpenSSL 3 HTTP client C++ example?

2022-06-22 Thread David von Oheimb
Hi again Beni, On Wed, 2022-06-22 at 08:29 +0200, Benedikt Hallinger wrote: > Hi David and thank you for your advice and example. my pleasure. I was about to send a slightly improved version of my example code regarding the use of proxies and the expected content type - see attac

Re: How to convert .P12 Certificate (ECC crypted) to .PEMs

2022-05-27 Thread David von Oheimb
mmand does not have an - outform option. And for those having it such as openssl x509, it is not needed because PEM is the default. Regards, David >   > From: openssl-users On Behalf Of > Beilharz, Michael > Sent: Wednesday, May 25, 2022 3:10 AM > To: 'openssl-users@openssl.

Re: How to create a SAN certificate

2022-05-21 Thread David von Oheimb
ey -subj "/CN=test" -addext "subjectAltName = IP:1.2.3.4, DNS:test.com" -out ee.crt HTH, David On Sat, 2022-05-21 at 06:45 -0400, Michael Richardson wrote: > > Henning Svane wrote: >     > I am using OpenSSL 1.1.1f Is there a way to make a SAN > certificate >  

Re: Bad exit code with pkeyutl -verify in 1.0.2f

2022-05-15 Thread David von Oheimb
Hi Philip, I just had a look at the commit you referenced. Indeed this bug got fixed there, apparently without this fact being mentioned there. This commit was part of OpenSSL_1_1_0-pre1, so presumably it was released with 1.1.0. 15 May 2022

Fwd: Utility of self-signed certs - Re: Questions about legacy apps/req.c code

2021-12-22 Thread David von Oheimb
en one of their security(?) experts did not get my point and refused support.     David On 22.12.21 22:13, Jordan Brown wrote: On 12/22/2021 1:08 PM, Philip Prindeville wrote: I see there being limited application (utility) of self-signed certs, since they're pretty much useless from a security persp

PKCS#10 CSR generation and bulky crypto library - Re: Questions about legacy apps/req.c code

2021-12-22 Thread David von Oheimb
but so far the project members have not found time for this. Later I re-phrased the issue as a major FR: https://github.com/openssl/openssl/issues/13440 <https://github.com/openssl/openssl/issues/13440> Regards,     David On 22.12.21 19:58, Kyle Hamilton wrote: From a conceptual pe

Question About OpenSSL 3.0, FIPS and Solaris Support

2021-12-07 Thread David Dillard via openssl-users
ted on Solaris, but no releases after that are? Or something else? Thanks, David

Re: Creating a CSR using OpenSSL v1.1.1

2021-10-12 Thread David von Oheimb
options, which also holds for apps/req.c . You can follow there the code sections starting with the call to X509_REQ_new_ex(). Sometimes interesting code snippets may be found also in test/ , but not for CSR generation.     David

Re: Causes SSL_CTX_new to return NULL

2021-08-31 Thread David von Oheimb
-threading, but very likely not.     David On 31.08.21 03:19, 青木寛 / AOKI,HIROSHI wrote: > I would like some advice as to why I am getting NULLs returned as a result of > calling SSL_CTX_new. > > The library I'm using is OpenSSL 1.1.1k. > The argument to SSL_CTX_new is TLS_serve

Re: OpenSSL API CRL Revoke Check: Coverage

2021-08-30 Thread David von Oheimb
CRLs are not trusted by themselves. So the above sentence is in fact a bit misleading and should better be re-phrased to: "Untrusted certificates should not be added in this way." Regards,     David On 28.08.21 03:52, bl4ck ness wrote: > > Hello, > > I'm trying to u

problems with too many ssl_read and ssl_write errors

2021-08-18 Thread David Bowers via openssl-users
* We have a server that has around 2025 clients connected at any instant. * Our application creates a Server /Listener socket that then is converted into a Secure socket using OpenSSL library. This is compiled and built in a Windows x64 environment. We also built the OpenSSL for the

Re: Parsing subject/issuer strings in X.509

2021-07-23 Thread David von Oheimb
if canmulti  * and characters may be escaped by \  */ X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc) Would be good to have such a function as part of the X.509 API.     David On 23.07.21 07:49, Viktor Dukhovni wrote: >> On 22 Jul 2021, at 9:29 pm,

Re: [openssl CMP with pkcs11 engine]

2021-07-12 Thread David von Oheimb
org.openssl.engine:pkcs11: should work, rather than   -engine pkcs11 -keyform engine because the latter pertains to all key options used, including -key, which is not what you want. HTH,     David On 25.03.21 18:56, mbalembo wrote: > > Hello all, > > > I'm trying to do a CMP request using openssl

Re: CMP mock server OldCertID check behavior

2021-07-12 Thread David von Oheimb
. Kind regards,     David On 08.07.21 13:17, Petr Gotthard wrote: > > Hello, > >   > > I am trying to renew a certificate via CMP and authenticate the > request using the same cert. > >   > > I start the mock server: > > openssl cmp -port 8080 -srv_trusted test

Re: OpenSSL CNG engine on GitHub

2021-07-02 Thread David von Oheimb
ider interface will likely lift the limitation regarding RSA-PSS support, which lacks just due to the engine interface. Cheers,     David On 01.07.21 19:49, Reinier Torenbeek wrote: > Hi, > > For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1, > you may want to check out this

Re: [EXTERNAL] Re: GNU Make erroring on makefile

2021-07-01 Thread David von Oheimb
he-point hint if an unsuitable one is used. > I do not have access to nmake.exe. Everyone who uses a VC-* configuration should have access to cl.exe and nmake.exe.     David On 01.07.21 16:55, Joe Carroll wrote: > Thanks Matt. That clears it up. > > > > -Original Mes

Re: Compilation issues

2021-06-29 Thread david raingeard
is TLS_AES_256_GCM_SHA384 Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) - Le mar. 29 juin 2021 à 18:06, Jan Just Keijser a écrit : > On 29/06/21 11:58, david raingeard wrote: > > Hel

Compilation issues

2021-06-29 Thread david raingeard
Hello, Technically, what prevents openssl 1.1.1g from compiling correctly on some operating systems like Solaris 2.6, CentOS 7.8, ...? Thank you!

openssl 1.1.1 debugging

2021-06-24 Thread david raingeard
Hello, is it possible to have some kind of debug server which will always use the same data, so I can debug the code? I mean I have openssl working with TLS 1.3 and SSL3 on Ubuntu, which I could compare the logs with the ones on the sparc, so I can find out where it goes wrong? Thank you

openssl 1.1.1k on solaris 2.6 sparc

2021-06-24 Thread david raingeard
Hello, I compiled it using sun compiler, with some modifications to the source code. However :) openssl s_client -connect google.com:443 -tls1_2 works fine ! But openssl s_client -connect google.com:443 -tls1_3 fails on CRYPTO_memcmp. For easy debugging, I have made a copy of

Re: How to dump all certificates from a file?

2021-04-07 Thread David von Oheimb
print STDERR "## $ARGV ##\n"; > system "echo '$_' | openssl x509 -noout -text"; > } > } which unfortunately does not work with "TRUSTED CERTIFICATE". I think the x509 command should be extended to print all certs.

OpenSSL chain build error diagnostics - Re: Why does OpenSSL report google's certificate is "self-signed"?

2021-04-03 Thread David von Oheimb
des in the error queue not only the error code and string, but also the cert for which the error occurred as well as the set of untrusted certs and the set of trust anchor certs that were available for chain building in the current X509_STORE_CTX. Regards,    David On 31.03.21 07:49, Nan Xi

Version compatibility issues - Re: openssl development work / paid

2021-03-26 Thread David von Oheimb
tly discussing how to handle version compatibility issues with the upcoming version 3.0 at https://github.com/openssl/openssl/issues/14628. Can you give some concrete typical examples which exact issues you are facing?     David On 25.03.21 13:58, Floodeenjr, Thomas wrote: > If your p

Hoping to get a working example of SFTP in PHP

2021-01-24 Thread David Spector
This question may be considered off-topic, since is not directly about using the OpenSSL library. Let me know if you want me to delete this posting. I have a question about uploading a file (text.txt) securely in PHP using the SFTP protocol and a public/private key pair. I have posted this

Re: Parsing and generating CBOR certificates?

2021-01-21 Thread David von Oheimb
ASN.1 entangled libcrypto code) to build OpenSSL without any ASN.1 support, which should reduce code size drastically. I suggest opening a feature request at https://github.com/openssl/openssl/issues Regards,     David On 21.01.21 02:07, Blumenthal, Uri - 0553 - MITLL wrote: > On 1/20/21, 19

Re: Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2021-01-01 Thread David von Oheimb
On 01.01.21 08:07, 定平袁 wrote: > @David von Oheimb <mailto:d...@ddvo.net> > Thank you so much for your deep investigation! My pleasure! > With subjectKeyIdentifier and authorityKeyIdentifier extensions, it > works like a charm! Good to hear. I've meanwhile submitted a pull

Directly trusted self-issued end-entity certs - Re: How to rotate cert when only first matching cert been verified

2020-12-26 Thread David von Oheimb
On 25.12.20 00:35, 定平袁 wrote: > @David von Oheimb <mailto:d...@ddvo.net> I will update to a new version > and try again. Good. Ideally try also a current 3.0.0 alpha release because there have been some changes to cert chain building and verification recently. > To append cert

Re: How to rotate cert when only first matching cert been verified

2020-12-23 Thread David von Oheimb
ing it, or even better, remove the old (non-matching) certificate from that file. Hope this helps,     David P.S.: I will be unavailable for several days, too. On 23.12.20 04:15, 定平袁 wrote: > @David Thanks for your help! > This is my openssl version, and the self compiled curl backend > ```

Re: Cert hot-reloading

2020-08-31 Thread David Arnold
> On Mon, Aug 31, 2020 at 11:00:31PM -0500, David Arnold wrote: > > > 1. Construe symlinks to current certs in a folder (old or new / file by > file) > > 2. Symlink that folder > > 3. Rename the current symlink to that new symlink atomically. > > This is fine, but

Re: Cert hot-reloading

2020-08-31 Thread David Arnold
1. Construe symlinks to current certs in a folder (old or new / file by file) 2. Symlink that folder 3. Rename the current symlink to that new symlink atomically. On OpenSSL side statd would have to follow through on symlinks - if it shouldn't do so. This is +- how kubernetes atomically

Re: Cert hot-reloading

2020-08-30 Thread David Arnold
-Kyle H On Sun, Aug 30, 2020, 18:36 Viktor Dukhovni mailto:openssl-us...@dukhovni.org>> wrote: On Sun, Aug 30, 2020 at 05:45:41PM -0500, David Arnold wrote: > If you prefer this mailing list over github issues, I still want to ask > for comments on: > > Certificate h

Cert hot-reloading

2020-08-30 Thread David Arnold
mments! BR, David A

NASM virus issues.

2020-06-27 Thread David Harris
that it's not going to get more deprecated than it apparently is at present (based on the comments in INSTALL). If anyone on the list has a NASM account or knows any of the maintainers, could they pass this on? They really should be aware of it. Cheers! -- David --

Re: OpenSSL 1.1.1g test failures

2020-06-26 Thread David Harris
versions, the code is a little bigger, but there's no redistributable installation required and I never run into rights issues. Again, thank you for the assistance, Matt - I appreciate it. Cheers! -- David --

OpenSSL 1.1.1g test failures

2020-06-26 Thread David Harris
tream. Anyone have any insights into what I'm doing wrong, or what I can do about this? I'm very reluctant to use the software in production if it can't pass its own self-test regime, even if it appears to work normally otherwise. Comments most welcome. Cheers! -- David --

[openssl-users] Passing custom CFLAGS,LDFLAGS to configure ?

2017-10-27 Thread David Barishev
it directly from configure ? Thanks all ! -- *Have a nice day David Barishev.* -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread David H. Madden
On 15-Sep-2017 06:24, Richard Olsen wrote: > When i click on advanced i see > > "host.local.com uses an invalid security certificate. The certificate is > not trusted because the issuer certificate is unknown. The server might not > be sending the appropriate intermediate certificates. An

[openssl-users] Introduce a TLS application library - a proposal on the overall OpenSSL code structure

2017-09-05 Thread David von Oheimb
Back on 13 May 2016 I had proposed by email to a couple of people including Rich Salz a third library level (on top of crypto and ssl) with more high-level, application-oriented code. His response was: > That is a really interesting idea. Please bring this up on openssl-dev > mailing list. Then

Re: [openssl-users] [openssl-dev] How to use BIO_do_connect(), blocking and non-blocking with timeout, coping with errors

2017-09-05 Thread David von Oheimb
on developers? Maybe other OpenSSL users have specific experience on error and timeout handling for BIO_do_connect() etc. and can comment in more detail on the (approximate) solution, bio_connect(), that I gave below? On 28.08.2017 13:46, David von Oheimb wrote: > Hi all, > > I'

[openssl-users] Compiling OpenSSL 1.1.0e with AF_ALG engine

2017-02-22 Thread David Oberhollenzer
re options or is there some other problem? Thanks, David

Re: [openssl-users] Alert number 43

2016-11-02 Thread David Li
Hi Jeff, I am not sure I can post the entire cert here. Is there any part in particular that would be useful to debug the Alert Number 43 problem? David On Tue, Nov 1, 2016 at 8:07 PM, Jeffrey Walton <noloa...@gmail.com> wrote: >> When I tested a remote server using s_client,

[openssl-users] Alert number 43

2016-11-01 Thread David Li
failure:s3_pkt.c:598: I found the following URL about this: http://stackoverflow.com/questions/14435839/ssl-alert-43-when-doing-client-authentication-in-ssl?answertab=oldest#tab-top My question: Does this indicate something wrong with server side certificate like the URL said? Thanks. David

[openssl-users] Programmatically determine latest versions

2016-10-14 Thread David Turner
penssl.org/source/. Is there such a document? For instance, is the list of tags in Github appropriately reliable? If not, could such a document be created? Many thanks, -- David Turner Principal Developer Operations & Planning Systems Division Tracsis Tracsis Operations and Planning Sy

Re: [openssl-users] Openssl 1_1_0 compatibility question

2016-09-06 Thread david
At 09:25 AM 9/5/2016, you wrote: david wrote: > On the client: > openssl enc -salt -a -A -aes128 -pass pass:123 > > On the server: > openssl enc -d -salt -a -A -aes128 -pass pass:123 > > When the ENCRYPTING software is 1_0_2h and the > decrypting software is 1_0_1e on Li

[openssl-users] Openssl 1_1_0 compatibility question

2016-09-03 Thread david
_0, or both 1_0_2(e..h), the decryption succeeded. If the versions were different, it failed. Is this a feature or a bug? Is there some setting I should have different? Thanks in advance David

Re: [openssl-users] Obtaining PKCS7 data length

2016-09-02 Thread David
On 02/09/2016 16:39, Dr. Stephen Henson wrote: > On Tue, Aug 30, 2016, David wrote: >> How can I obtain the length of the overall sequence which contains PKCS7 >> signed data? This is important because the length I already have may be >> longer than the actual PKCS7 data. >

[openssl-users] Obtaining PKCS7 data length

2016-08-30 Thread David
7 signed data? This is important because the length I already have may be longer than the actual PKCS7 data. David

[openssl-users] Minimum openssl configuration for ssl/tls smtp email support?

2016-07-11 Thread David F.
Hi, What configuration parameters (NO-XXX) should be passed for the openssl library to be built to support standard TLS/SSL required for sending emails through the public smtp servers but at the least amount of code needed.I have it working (only calls a few BIO_ and/or SSL_ functions) but

Re: [openssl-users] Firefox problems with two way SSL auth

2016-02-23 Thread David Balažic
Apparently it is OpenSSL bug/ticket number 2288. Hopefully fixed sometime... Regards, David On 12 February 2016 at 18:09, David Balažic <xerces9+...@gmail.com> wrote: > Hi! > > Tomcat released version 8.0.32 which bundles OpenSSL 1.0.2e (see below) > The issue remains (with t

Re: [openssl-users] Firefox problems with two way SSL auth

2016-02-12 Thread David Balažic
): Loaded APR based Apache Tomcat Native library 1.2.4 using APR version 1.5.1. OpenSSL successfully initialized (OpenSSL 1.0.2e 3 Dec 2015) Regards, David On 8 January 2016 at 17:02, David Balažic <xerces9+...@gmail.com> wrote: > Hi! > > I encounter this issue when using Firefox t

[openssl-users] Firefox problems with two way SSL auth

2016-01-08 Thread David Balažic
est tested configuration: tomcat 8.0.30, using OpenSSL 1.0.1m 19 Mar 2015 Firefox 43.0.4 OS: Windows 7 Pro SP1 64bit The tomcat bug with much details: https://bz.apache.org/bugzilla/show_bug.cgi?id=58244 Firefox bug report (not much details): https://bugzilla.mozilla.org/show_bug.cgi?id=1231406 Rega

[openssl-users] v1.1.0-pre1 - Trouble compiling with (1) no-threads and (2) no-psk no-srp

2015-12-26 Thread David Boulding
v1.1.0-pre1 on linux (1) Compiling with "no-threads " gives error on lines 173 and 379 in async.c. possible cause: async_fibre_makecontext() function async_posix.h @ line 57: #if defined(OPENSSL_SYS_UNIX) && defined(OPENSSL_THREADS) seems threads is required? (2) Compiling with no-psk and

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
:00 Viktor Dukhovni <openssl-us...@dukhovni.org>: > On Wed, Nov 25, 2015 at 11:14:48AM +0100, David García wrote: > > > Viktor, you pointed me to the right way. I was missing the -nopad flag in > > the openssl command. > > Not using padding is fragile and can

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
:00 Viktor Dukhovni <openssl-us...@dukhovni.org>: > On Wed, Nov 25, 2015 at 09:18:15AM +0100, David García wrote: > > > H6cr2yN8oWV6AUY/JlknQw== > > Decrypting in ECB mode you get: > > $ echo H6cr2yN8oWV6AUY/JlknQw== | > openssl base64 -d | >

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-25 Thread David García
t as with the echo command would be expected. If > it is indeed the newline that is making the difference, you could try using > the echo command with the '-n' option to suppress it. > > Jay > > > On 11/24/2015 9:12 AM, David García wrote: > > Sorry, still not getting the same

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
You are right Viktor, that was my problem. Thank you very much for your help Viktor and Michael. 2015-11-24 18:00 GMT+01:00 Viktor Dukhovni <openssl-us...@dukhovni.org>: > On Tue, Nov 24, 2015 at 05:55:42PM +0100, David García wrote: > > > openssl enc -e -des-ede3-cbc

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
the same result if the text in the echo is between '' or is read from a text file. 2015-11-24 18:07 GMT+01:00 David García <garcia.narb...@gmail.com>: > You are right Viktor, that was my problem. > > Thank you very much for your help Viktor and Michael. > > 2015-11-24 1

Re: [openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
percase K, with an actual hexadecimal argument)? > > > -- > Michael Wojcik > Technology Specialist, Micro Focus >

[openssl-users] openssl des-ede3-cbc does not match with Java one

2015-11-24 Thread David García
8 byte[] ciphertext = desCipher.doFinal(cleartext); new String(Base64.encodeBase64(ciphertext), "UTF-8"); Could anyone point me to what I am doing wrong in this command line call? Thanks in advance. -- David

Re: [openssl-users] openssl-users Digest, Vol 11, Issue 5

2015-10-12 Thread David Lobron
decode RSA private key"]; NS_DURING { switch (n = RSA_check_key(r)) { case 1: // ok break; default: [NSException raise:X509CertificateExcInvalidPrivateKey format:@"RSA_check_key() returned %d", n]; } } NS_HANDLER

[openssl-users] d2i_RSAPrivateKey not working on a private key

2015-10-09 Thread David Lobron
is not readable by d2i_RSAPrivateKey? I'm running these tests on a Mac, but the same thing happens on Ubuntu Linux. Thank you, David Printout of the attached cert, which fails to parse with d2i_RSAPrivateKey: MacBook-Air:self_signed dlobron$ openssl x509 -in cert.1024.combined -text -noout

[openssl-users] Best way to combine ControlPersist and ProxyCommand?

2015-09-11 Thread David Coppit
ernal[1234] controlmaster connections seemed to keep working. Thanks, David

[openssl-users] Strange problem in using verify command

2015-09-10 Thread David Li
waited 10 min and reran the same cmd and got "OK". I am puzzled by this. Is this some timing issue? My openssl version is: OpenSSL 1.0.1e-fips 11 Feb 2013 David

Re: [openssl-users] Strange problem in using verify command

2015-09-10 Thread David Li
Hi Jakob, The computer has been up running for quite a while. I wonder if it really needs NTP to take that long to sync up. David On Thu, Sep 10, 2015 at 7:20 PM, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 11/09/2015 02:13, David Li wrote: >> >> Hi, >> >> I

Re: [openssl-users] OPENSSL_SYS_VOS meaning

2015-08-25 Thread David Luengo López
if you can put me on the way. Thank you, Best regards, On Mon, Aug 24, 2015 at 10:34 PM, Wim Lewis w...@omnigroup.com wrote: On Aug 24, 2015, at 11:33 AM, David Luengo López dlue...@rti.com wrote: 439 #define DUMMY_SEED /* at least MD_DIGEST_LENGTH */ 440

[openssl-users] OPENSSL_SYS_VOS meaning

2015-08-24 Thread David Luengo López
that RAND_poll for vxworks... I'll keep investigating in all this. Thank you in advance, Best regards, -- *David Luengo López*

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-06 Thread David Thompson
From: openssl-users On Behalf Of Dr. Roger Cuypers Sent: Monday, July 06, 2015 10:43 Follow up: For some reason, the X509_NAME_hash function calculates a very different hash for the server certificate: 5ad8a5d6 Renaming the certificate to 5ad8a5d6.0 causes it to be found, but I wonder

Re: [openssl-users] Certificate serialnumber?

2015-07-06 Thread David Thompson
From: openssl-users On Behalf Of Salz, Rich Sent: Sunday, July 05, 2015 11:56 [in response to message about 'ca'] the question: where does the serial number for this certificate come from? is it random by default when nothing is said about it? It will be random if (a) the serial file

Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

2015-07-05 Thread David Thompson
From: openssl-users On Behalf Of Dr. Roger Cuypers Sent: Friday, July 03, 2015 11:01 I'm trying to do peer client verification using the SSL_CTX_load_verify_locations function snip: CAfile works However, setting only CAPath will not: snip This will result in a

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread David Thompson
From: openssl-users On Behalf Of Walter H. Sent: Sunday, July 05, 2015 06:49 snip: CentOS default openssl req -new -newkey rsa:2048 -subj '/CN=Squid SSL-Bump CA/C=/O=/OU=/' -sha256 -days 365 -nodes -x509 -keyout ./squidCA.pem -out ./squidCA.pem the question: where does the serial number

Re: [openssl-users] Certificate serialnumber?

2015-07-05 Thread David Thompson
From: openssl-users On Behalf Of Ben Humpert Sent: Sunday, July 05, 2015 07:58 Take a look in your openssl.cnf and you should see the option serial with a path / file specified. The serial number is taken from that file. If the file doesn't exist or is empty when the very first certificate

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-30 Thread David Li
Ben, I think you are right. My verify test is okay now if I match the subjectAltName to the nameConstraints defined by the subCA. Thanks. David On Mon, Jun 29, 2015 at 6:23 PM, Ben Humpert b...@an3k.de wrote: Yes, because nameConstraints are inherited. I don't know exactly where the bug

Re: [openssl-users] How to verify a cert chain using Openssl command line?

2015-06-29 Thread David Li
, Ben Humpert b...@an3k.de wrote: Do you use nameConstraints or have specified IP in subjectAltName? Because OpenSSL can't handle that correctly. 2015-06-29 22:51 GMT+02:00 David Li dlipub...@gmail.com: Hi, As a test, I have created a rootCA, a subCA (signed by the rootCA) and a client cert

[openssl-users] FIPS mode and AES_set_encrypt_key/AES_set_decrypt_key

2015-05-12 Thread David Weidenkopf
Can anyone shed light on why these APIs are disabled in FIPS mode? They involve operations that must be implemented within the boundary of the FIPS crypto module? It seems like disabling them is intended to prevent mistakes from developers trying to write their own AES mode implementations?

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-07 Thread David Rueter
-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Monday, April 06, 2015 7:44 PM To: openssl-users@openssl.org Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote: I would like to disable SSL3

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-07 Thread David Rueter
Dukhovni Sent: Tuesday, April 07, 2015 8:32 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA On Tue, Apr 07, 2015 at 08:09:31AM -0700, David Rueter wrote: You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. Yes, I admit I

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-07 Thread David Rueter
these. From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Tuesday, April 07, 2015 9:57 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA On 07/04/2015 17:09, David Rueter wrote: You're

Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread David Rueter
that in this situation I am able to call SSL_CTX_set_options. I guess I might be stuck if I can’t use the cipher list to disable SSL3 while leaving TLS1 enabled. Not the end of the world, but not ideal. Sincerely, David Rueter From: openssl-users [mailto:openssl-users-boun

[openssl-users] Disable SSL3 and enable TLS1? / Ambiguous DES-CBC3-SHA

2015-04-06 Thread David Rueter
I would like to disable SSL3 (to prevent POODLE attacks), but I would like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and AES256-SHA). However disabling SSL3 with !SSLv3 disables TLSv1 also. Furthermore, disabling SSL3 with -SSLv3 then adding in individual ciphers such as

Re: [openssl-users] ecc negotiation

2015-04-06 Thread David Rufino
Great, that works, thank you. Is this the default behavior when using the C API? Thanks, David On Sunday, April 5, 2015, Matt Caswell m...@openssl.org wrote: On 05/04/15 23:42, Matt Caswell wrote: On 05/04/15 22:04, David Rufino wrote: Hello, It's possible I'm doing something

[openssl-users] ecc negotiation

2015-04-05 Thread David Rufino
? my understanding is that openssl supports all the nist curves. Regards, David

version question

2014-11-20 Thread David Flatley
I am trying to build Openssh 6.7p1 on a Red Hat 5.6 x86_64 system with Red Hat openssl-0.9.8e-31, which is the latest Red Hat openssl version. The Openssh build checks openssl versions and requires 0.9.8f. Is there a work around for this? Thanks. David Flatley

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would do. What if the server only supports SSLv3 + TLSv1 and client only connects with SSLv3? Without the patch, both would agree to SSLv3. So this is a problem. What happens with the patch only on the server? And what happens

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning richard.koenn...@ts.fujitsu.com wrote: At 24.10.2014 19:03, David Li wrote: I am still a little unclear by what exactly TLS_FALLBACK_SCSV option would do. What if the server only supports SSLv3 + TLSv1 and client only connects with SSLv3

Re: SSL_MODE_SEND_FALLBACK_SCSV option

2014-10-24 Thread David Li
On Fri, Oct 24, 2014 at 1:28 PM, Richard Könning richard.koenn...@ts.fujitsu.com wrote: Am 24.10.2014 20:47, schrieb David Li: On Fri, Oct 24, 2014 at 11:18 AM, Richard Könning richard.koenn...@ts.fujitsu.com mailto:richard.koenn...@ts.fujitsu.com wrote: At 24.10.2014 19:03, David
