> From: Matt Caswell
> Subject: Re: Using SSL_CTX_set_min_proto_version
> Date: April 6, 2021 at 2:13:02 PM EDT
> To: openssl-users@openssl.org
>
>
> On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote:
>> Hello,
>> In our client application we are try
Hello,
In our client application we are trying to set TLS 1.2 in ClientHello message.
The OpenSSL version is 1.1.1h
We use the function
SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION);
If I test the version right after setting it does return 1.2
SSL_CTX_get_proto_version(ssl-&
Dear Users,
I have released version 5.59 of stunnel.
### Version 5.59, 2021.04.05, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 1.1.1k.
* New features
- Client-side "protocol = ldap" support (thx to Bart
Dopheide and Seth Grover).
* Bugfixes
- The
it describes ALL required modification?
On Monday, April 5, 2021, 03:57:36 PM EDT, Viktor Dukhovni
wrote:
> On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users
> wrote:
>
> Are there minimal requirements for the Linux kernel for usage of the openssl library
> version 1.1
Hello,
Are there minimal requirements for the Linux kernel for usage of the openssl library
version 1.1.1?
I have an old application based on Linux kernel 3.0.8 which uses openssl version
1.0.2. My question is whether it is possible to port this application to use
openssl version 1.1.1 on Linux 3.0.8
...I do actually
have Australian Department of Defence, Defence Export Control, approval
for FooStegCypher.
FooCrypt.6.0.0.Core provides you with the total peace of mind over the
SECURITY & PRIVACY of YOUR DATA.
FooCrypt.6.0.0.OpenSSL utilises OpenSSL 1.1.1(a-k) & 3.0.0.Alpha
ail:crypto/provider_core.c:557:name=fips
00FFF2406000:error:076D:configuration file routines:(unknown
function):module initialization
error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect
retcode=-1
Version: OpenSSL 3.0.0-alpha13 11 Mar 2021
~ # ls -lrt providers/
-rwxrwxrwx
Hi All,
This is a basic question regarding FIPS algorithm code in OpenSSL 3.0, can you
kindly let me know:
1> Can you please help to understand the differences in the FIPS algorithm
implementation code vs default?
Are there additional validations performed in FIPS code?
Can
Hi All,
We build the "crypto" code in OpenSSL to generate "libcrypto.a" for the MIPS
platform.
Our application links statically with "libcrypto.a" and uses the OpenSSL crypto
APIs accordingly.
With this compilation model, will it be feasible to integrate with the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL Security Advisory [25 March 2021]
=
CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
Severity: High
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 1.1.1k released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1k of our open
Hi All,
In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation.
Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for
entropy and nonce generation.
How can this be achieved with EVP_RAND implementation i.e. does it allow
entropy to b
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 13 released
=
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 13 has now been made
VP_PKEY with
> > EC group parameters at
> > https://github.com/openssl/openssl/issues/14258#issuecomment-783351031
> > but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY
> > (and possibly OSSL_PKEY_PARAM_PUB_KEY; I forget if you need
> > to pass both) shoul
Hi Stephen :)
The API you'll want to use is EVP_PKEY_fromdata(); there's
a stubbed out example of using it to make an EVP_PKEY with
EC group parameters at
https://github.com/openssl/openssl/issues/14258#issuecomment-783351031
but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY
if (calist == NULL) {
/* log error loading client CA names */
}
SSL_CTX_set_client_CA_list(server_ctx, calist);
If yes, Is it expected to do the IP or hostname validation?
Neither, authorization of the client is up to you. OpenSSL will check
the dates, validity of the signatures
On Thu, Feb 25, 2021 at 03:30:43PM -0800, Frank Liu wrote:
> Looking at test cases
> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/test/recipes/04-test_pem.t
>
.
Thanks,
John
On Thu, 25 Feb 2021 at 17:29, Benjamin Kaduk wrote:
> That sounds like the certificate is encoded using ASN.1 BER rules, that
> openssl
> accepts, but the python library is insisting on DER encoding (per the
> spec).
>
> -Ben
>
> On Thu, Feb 25, 2021 at 05:19
That sounds like the certificate is encoded using ASN.1 BER rules, that openssl
accepts, but the python library is insisting on DER encoding (per the spec).
-Ben
On Thu, Feb 25, 2021 at 05:19:32PM +, John Robson via openssl-users wrote:
> Hi all,
>
> I'm encountering an error c
('asn1 encoding routines',
> 'asn1_template_noexp_d2i', 'nested asn1 error'), ('asn1 encoding routines',
> 'asn1_template_noexp_d2i', 'nested asn1 error'), ('SSL routines',
> 'tls_process_server_certificate', 'ASN1 lib')]
However if I run the following:
# openssl s_client -connect : /dev/null
(thx to Martin Stein).
- Fixed a double free with OpenSSL older than 1.1.0 (thx to
Petr Strukov).
- OpenSSL DLLs updated to version 1.1.1j.
* New features
- New 'protocolHeader' service-level option to insert custom
'connect' protocol negotiation headers. This feature can
be used
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 12 released
=
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 12 has now been made
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL Security Advisory [16 February 2021]
Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
Severity: Moderate
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 1.1.1j released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1j of our open
: *openssl-users-bounce on
behalf of openssl-users
*Organization: *WiseMo A/S
*Reply-To: *Jakob Bohm
*Date: *Thursday, January 28, 2021 at 21:10
*To: *openssl-users
*Subject: *Re: Encoding of AlgorithmIdentifier with NULL parameters
Also note that the official ASN.1 declaration
to provide a test certificate generated by
openssl-3.0.0-alpha10 to a third party certificate parser/manager.
This software expects AlgorithmIdentifier to either have parameters or
to have null encoded (05 00) parameters which seems to be missing in
the certificate.
Certificate generated
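The two threads above (a certificate encoded with BER rules that OpenSSL accepts but a strict DER parser rejects, and an AlgorithmIdentifier whose parameters are absent rather than the NULL (05 00) a third-party parser expects) both come down to how the DER is encoded. The checker below is an added example written for this page; it is not code from any poster or from OpenSSL. It reads TLVs while enforcing the DER length rules, then reports whether an AlgorithmIdentifier encodes its parameters as absent, as an explicit NULL, or as something else. The sample encodings and the small parameters policy table are constructed for the demo from the RFC rules (RFC 3279/4055: NULL for the RSA PKCS#1 v1.5 OIDs; RFC 5758: absent for ecdsa-with-SHA2).

```python
# Added example: minimal DER reader that rejects BER-only encodings and
# classifies AlgorithmIdentifier parameters. All inputs below are constructed.

class DERError(ValueError):
    """Raised for anything that is not valid, canonical DER."""


def read_tlv(data, pos=0):
    """Read one tag-length-value at data[pos:], enforcing DER length rules.
    Returns (tag, value, next_pos). Indefinite length (0x80) and non-minimal
    long-form lengths are legal BER but not DER, so they are rejected."""
    if pos + 2 > len(data):
        raise DERError("truncated TLV header")
    tag, first = data[pos], data[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags are not handled by this example")
    pos += 2
    if first == 0x80:
        raise DERError("indefinite length is BER, not DER")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise DERError("bad long-form length")
        length_bytes = data[pos:pos + n]
        if length_bytes[0] == 0:
            raise DERError("length has a leading zero byte (non-minimal, BER)")
        length = int.from_bytes(length_bytes, "big")
        if length < 0x80:
            raise DERError("long-form length used for a value < 128 (non-minimal, BER)")
        pos += n
    if pos + length > len(data):
        raise DERError("value runs past the end of the data")
    return tag, data[pos:pos + length], pos + length


def walk_der(data):
    """Parse data as a series of TLVs, descending into constructed types.
    Returns True or raises DERError at the first BER-only construct."""
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        if tag & 0x20:  # constructed (SEQUENCE, SET, ...): check the inside too
            walk_der(value)
    return True


def der_error(data):
    """None if data is canonical DER, otherwise the reason it is not."""
    try:
        walk_der(data)
        return None
    except DERError as exc:
        return str(exc)


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    if not value:
        raise DERError("empty OID")
    arcs, cur, at_start = [], 0, True
    for b in value:
        if at_start and b == 0x80:
            raise DERError("OID sub-identifier has a leading 0x80 byte (non-minimal)")
        cur = (cur << 7) | (b & 0x7F)
        at_start = not (b & 0x80)
        if at_start:
            arcs.append(cur)
            cur = 0
    if not at_start:
        raise DERError("truncated OID sub-identifier")
    first = arcs[0]  # the first sub-identifier packs the first two arcs
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


# Assumed policy table for the demo (RFC 3279/4055: NULL for RSA PKCS#1 v1.5
# signature OIDs; RFC 5758: parameters absent for ecdsa-with-SHA2).
PARAMS_POLICY = {
    "1.2.840.113549.1.1.1": "NULL",    # rsaEncryption
    "1.2.840.113549.1.1.11": "NULL",   # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "absent",   # ecdsa-with-SHA256
}


def check_algorithm_identifier(der):
    """Return (oid, params, verdict) for a DER AlgorithmIdentifier.
    params is "absent", "NULL" or "present(tag=0x..)"; verdict is "ok",
    "unknown-oid" or a description of the mismatch against PARAMS_POLICY."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise DERError("AlgorithmIdentifier must be exactly one SEQUENCE")
    otag, oval, pos = read_tlv(body)
    if otag != 0x06:
        raise DERError("first element must be an OBJECT IDENTIFIER")
    oid = decode_oid(oval)
    if pos == len(body):
        params = "absent"
    else:
        ptag, pval, pos = read_tlv(body, pos)
        if pos != len(body):
            raise DERError("more than one parameters element")
        if ptag == 0x05:
            if pval:
                raise DERError("NULL must have zero length")
            params = "NULL"
        else:
            params = "present(tag=0x%02x)" % ptag
    expected = PARAMS_POLICY.get(oid)
    verdict = ("unknown-oid" if expected is None else "ok" if expected == params
               else "expected %s parameters, got %s" % (expected, params))
    return oid, params, verdict


# Constructed sample encodings (not taken from any real certificate).
RSA_SHA256_NULL = bytes.fromhex("300d06092a864886f70d01010b0500")   # NULL present
RSA_SHA256_NOPARAMS = bytes.fromhex("300b06092a864886f70d01010b")   # the interop case
ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")           # absent, as required
BER_INDEFINITE = bytes.fromhex("308006082a8648ce3d0403020000")      # BER only
BER_LONG_LENGTH = bytes.fromhex("30810a06082a8648ce3d040302")        # BER only

if __name__ == "__main__":
    for name in ("RSA_SHA256_NULL", "RSA_SHA256_NOPARAMS", "ECDSA_SHA256",
                 "BER_INDEFINITE", "BER_LONG_LENGTH"):
        blob = globals()[name]
        err = der_error(blob)
        print(name, "->", err if err else check_algorithm_identifier(blob))
```

Run on a real certificate, `der_error()` over the whole DER blob tells you whether a strict decoder has grounds to refuse it before you start blaming the library, and `check_algorithm_identifier()` on the signatureAlgorithm field shows which parameters form was emitted.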
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
OpenSSL version 3.0 alpha 11 released
=
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 11 has now been made
If that is a hypothetical context, what context is the official design
goal of the OpenSSL Foundation for their validation effort?
On 2021-01-28 11:26, Tomas Mraz wrote:
This is a purely hypothetical context. Besides, as I said below - the
PKCS12KDF should not be used with modern PKCS12 files
If the context does not limit the use of higher level compositions, then
OpenSSL 3.0 provides no way to satisfy the usual requirement that a
product can be set into "FIPS mode" and not invoke the non-validated
lower level algorithms in the "default" provider.
The usual contex
S mode can
be easily achieved with OpenSSL 3.0 - either by loading just the fips
and base provider, or by loading both default and fips providers but
using the "fips=yes" default property (without the "?").
The PKCS12KDF does not work because it is not an FIPS approved KDF
algo
Does that mean that OpenSSL 3.0 will not have a true "FIPS mode" where
all the non-FIPS algorithms are disabled, but the FIPS-independent
schemes/protocols in the "default" provider remains available?
Remember that in other software systems, such as OpenSSL 1.0.x and MS
On 2021-01-25 17:53, Zeke Evans wrote:
Hi,
Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse,
PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips
provider. It looks like that is because they try to load PKCS12KDF
which is not implemented in the fips provider
t certificates).
>
> Thanks
>
> Regards,
> Uri
>
> > On Jan 20, 2021, at 19:26, Kaduk, Ben wrote:
> >
> > No. OpenSSL does not include any CBOR protocol support.
> > I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
> >
No. OpenSSL does not include any CBOR protocol support.
I'm also not sure what you mean by "CBOR-encoded certificate"; I don't
know of any such thing other than
https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/
which is very much still a work in progr
ck with the Finished-based channel bindings; the exporter
> > interface is a new protocol mechanism and the whole protocol/ecosystem has
> > to be expecting to use it.
>
> Right. So we have implementations out there using it; will the OpenSSL
> project consider promoting it to suppor
On Mon, Jan 11, 2021 at 09:26:30PM +, Jeremy Harris wrote:
> On 11/01/2021 08:20, Benjamin Kaduk wrote:
> > Current recommendations are not to use the finished message as the channel
> > binding but instead to define key exporter label for the given usage
> > (see
> >
On Sun, Jan 10, 2021 at 02:44:38PM +, Jeremy Harris wrote:
> Hi,
>
> What is the status of SSL_get_finished() / SSL_get_peer_finished() ?
>
> I do not find them documented at
>
>
On 2021-01-07 18:05, Ken Goldman wrote:
On 1/7/2021 10:11 AM, Michael Wojcik wrote:
$ cat /etc/redhat-release && openssl version
CentOS Linux release 7.9.2009 (Core)
OpenSSL 1.0.2k-fips 26 Jan 2017
Ugh. Well, OP should have made that clear in the original message.
And thi
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 10 released
=
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 10 has now been made
computer with OpenSSL 1.1.1i for root CA key
generation and intermediate CA signing, not WSL.
I'm trying to sign the intermediate certificate, but I get this error:
$ openssl ca -batch -in subca.req -extensions v3_subca -config ca.conf
Using configuration from ca.conf
Error Loading extension section
/private
keypair and then overrides it with the server public key, so the
generation was a waste anyway. Instead, it should create a
parameters-only EVP_PKEY.
(This is a consequence of OpenSSL using the same type for empty key,
empty key with key type, empty key with key type + parameters, public
key
Hi all,
I've been tasked with making some modifications to OpenSSL 1.1.1 in order
to bring it into compliance with FIPS 140-2. One of the items on the to-do
list was to implement the required key agreement scheme assurances
specified in NIST SP.800-56Ar3 Section 9. This involves performing some
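The assurances the poster above is asked to implement include validating a peer's FFC public key before it goes into a DH computation. The routine below is an added example written for this page, not OpenSSL code and not the poster's: it carries out the FFC full public-key validation from SP 800-56A Rev 3 (Section 5.6.2.3 of that document), the owner-side key-pair check, and a shared-secret derivation that refuses to run until the peer key has passed, on a constructed toy group (p = 23, q = 11, g = 2). The group, the private keys and the class and function names are assumptions for the demo; a real group is 2048 bits or more.

```python
# Added example: SP 800-56A style FFC public-key validation on a toy group.
# Not OpenSSL code. Group parameters and keys are constructed for the demo.
from dataclasses import dataclass


class KeyValidationError(ValueError):
    pass


@dataclass(frozen=True)
class FFCDomain:
    p: int  # prime modulus
    q: int  # prime order of the subgroup generated by g
    g: int  # generator of that order-q subgroup


_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases; adequate for the toy group here."""
    if n < 2:
        return False
    for sp in _MR_BASES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_domain(dom):
    """Arithmetic checks on (p, q, g): both prime, q | p-1, g of order q."""
    if not (is_probable_prime(dom.p) and is_probable_prime(dom.q)):
        raise KeyValidationError("p and q must be prime")
    if (dom.p - 1) % dom.q != 0:
        raise KeyValidationError("q must divide p-1")
    if not 1 < dom.g < dom.p - 1 or pow(dom.g, dom.q, dom.p) != 1:
        raise KeyValidationError("g must generate the order-q subgroup")
    return True


def validate_public_key(dom, y):
    """Full public-key validation: 2 <= y <= p-2 and y^q mod p == 1.
    The range check alone (partial validation) rejects 0, 1 and p-1 but not
    members of other small subgroups; the exponentiation catches those."""
    if not 2 <= y <= dom.p - 2:
        raise KeyValidationError("public key out of range [2, p-2]")
    if pow(y, dom.q, dom.p) != 1:
        raise KeyValidationError("public key is not in the order-q subgroup")
    return True


def public_key_is_valid(dom, y):
    try:
        return validate_public_key(dom, y)
    except KeyValidationError:
        return False


def validate_keypair(dom, x, y):
    """Owner-side assurance: x in [1, q-1] and y == g^x mod p."""
    if not 1 <= x <= dom.q - 1:
        raise KeyValidationError("private key out of range [1, q-1]")
    if pow(dom.g, x, dom.p) != y:
        raise KeyValidationError("public key does not match private key")
    return True


def derive_shared_secret(dom, x, peer_y):
    """Z = peer_y^x mod p, computed only after the peer key passed full
    validation. SP 800-56A's DH primitive also treats Z == 1 as an error."""
    validate_public_key(dom, peer_y)
    z = pow(peer_y, x, dom.p)
    if z == 1:
        raise KeyValidationError("degenerate shared secret")
    return z


def shared_secret_or_none(dom, x, peer_y):
    try:
        return derive_shared_secret(dom, x, peer_y)
    except KeyValidationError:
        return None


# Constructed toy group: p = 23, q = 11 = (p-1)/2, and g = 2 has order 11 mod 23.
TOY = FFCDomain(p=23, q=11, g=2)

if __name__ == "__main__":
    validate_domain(TOY)
    x_a, x_b = 3, 5
    y_a, y_b = pow(TOY.g, x_a, TOY.p), pow(TOY.g, x_b, TOY.p)  # 8 and 9
    validate_keypair(TOY, x_a, y_a)
    print("Z(a) =", derive_shared_secret(TOY, x_a, y_b))
    print("Z(b) =", derive_shared_secret(TOY, x_b, y_a))
    for bad in (0, 1, TOY.p - 1, 5):  # 5 is in Z_23* but not in the order-11 subgroup
        print("peer key", bad, "accepted" if public_key_is_valid(TOY, bad) else "rejected")
```

The point of the subgroup test is visible with peer key 5: it passes the range check but lands outside the order-q subgroup, which is exactly the kind of input a small-subgroup confinement attack feeds a non-validating peer.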
Hi all,
According to the manpage at
https://www.openssl.org/docs/man1.1.0/man3/BIO_s_file.html the macro BIO_tell()
casts to int:
/opt/local/include//openssl/bio.h:# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)
What happens if the file being parsed is larger than can fit
From: Narayana, Sunil Kumar
Sent: Thursday, December 17, 2020 8:17 AM
To: Sands, Daniel ; openssl-users@openssl.org
Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0
Hi,
For the equivalent replacement of DH_compute_key in 3.0, we
tried to perform the steps
version. Note that the inputs are same in both scenario.
The generated key should be random. So unless you seed your PRNG with a
constant value, you should always generate a different public/private keypair.
Between OpenSSL versions, the PRNG may have changed, so I would not depend on
them
Hello, everyone!
I'm creating a p12 bundled certificate (I used it for Android phone). Used both
easyrsa command and, alternatively, openssl command as shown in many manuals,
like this:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name
"name" -out client_a
We have generated the key using EVP_PKEY_gen as suggested in earlier emails,
but since this was non-ephemeral and we wanted to store the key in "raw"
octet bytes, we extracted the whole DH priv/pub key pair out from the
key generated via EVP_PKEY_gen ( using as suggested…
to exactly replace this we are generating “pubparam_key/priparam_key” using
bn_publicKey/dh->priv_key as below
OSSL_PARAM_BLD *pubparamsbld = NULL, *priparamsbld = NULL;
OSSL_PARAM *pubparams = NULL, *priparams = NULL;
EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL;
EVP_PKEY_CTX *pubctx =
rd party and same connection type
> but not reported this issue.
>
> Has anyone got any clue as to what might be causing this type of
> intermittent connection issue ?
As was already noted, this is not an error generated by OpenSSL.
More concretely, RFC 8152 is for CBOR Object Signing and E
Dear openssl team,
While migrating from 1.0.2 to 3.0, we found that
DH_generate_key() has been deprecated. And as per the man page, it is advised to
use
EVP_PKEY_derive_init (https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive_init.html)
&
EVP_PKEY_de
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL Security Advisory [08 December 2020]
EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
==
Severity: High
The X.509 GeneralName type
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 1.1.1i released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1i of our open
On 07/12/2020 12:39, Matt Caswell wrote:
On 04/12/2020 13:28, Narayana, Sunil Kumar wrote:
Hi,
We are trying to upgrade our application from openssl
usage of 1.0.2 to openssl 3.0, during which we observe following errors.
Looks like the below #def has been removed from 1.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 9 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 9 has now been made available
Hi,
I am trying to use openssl to implement a client-side TLS connection with
Client Authentication on Windows, using a non-exportable private key stored
in the Windows Certificate Store. Currently, our code can use a private
key stored in a local file, and if the key in the Windows store
. 2020 at 15:43, Michael Wojcik wrote:
> From: openssl-users On Behalf Of Brice André
> Sent: Friday, 13 November, 2020 05:06
> ... it seems that in some rare execution cases, the server
performs a
I'm using an OpenSSL engine that uses the RSA_FLAG_SIGN_VER flag and implements
RSA_METHOD.rsa_sign() instead of rsa_priv_enc(). This is mainly because of the
requirement that it work with Windows CryptoAPI which does not support
low-level RSA signing (see CAPI engine). Everything works
On 2020-11-09 09:58, Venkata Mallikarjunarao Kosuri via openssl-users wrote:
Hi
We are trying to work out a scenario where the openssl OCSP responder is busy, but we
are not sure how to make the OCSP responder busy. Could you please throw some
pointers to work on.
Ref https://www.openssl.org/docs/man1.0.2/man1
Hi
We are trying to work out a scenario where the openssl OCSP responder is busy, but we are not
sure how to make the OCSP responder busy. Could you please throw some pointers to work on.
Ref https://www.openssl.org/docs/man1.0.2/man1/ocsp.html
Thanks
Malli
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 8 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 8 has now been made available
Hello, how does OpenSSL determine the Record Layer Version used to initiate
a ClientHello message to the server? I believe the determination is made at
this level.
When testing using multiple implementations (Python Requests on a Debian
machine and `cURL --tlsv1.2 --tls-max 1.2` from macOS) I
warning, I checked what the OpenSSL code does, and it
seems
to be a bit more buggy:
x509_vfy.c seems to be a bit ambivalent if certificate validity should be
inclusive or exclusive of the time values in the certificate.
apps.c seems to convert the validity duration in days as if the notAfter
field is
handle only the
client authentication. As you understand it, would the problem breaking
server verification also preclude client authentication with the capi
engine?
From the content of your mails, I inferred that whatever you tried to
do caused OpenSSL to attempt to generate PSS signatures
s probably the following issue:
https://github.com/openssl/openssl/issues/8872
Matt
Looking at the brutal wontfixing of that bug, maybe reconsider if the
existing engine interface can do PSS by simply having the CAPI/CAPIng
engine export the generic PKEY type for PSS-capable RSA keys. Also,
maybe
Hi All,
As Apple is moving from Intel to ARM architecture, does OpenSSL support
cross-compiling (using Xcode 12.2) on MacOS Big Sur for Apple silicon (ARM
architecture)? If not, any expected date?
Thanks, Vinay
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 3.0 alpha 7 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 7 has now been made available
yChain = yes" (thx to Rob Hoes).
- OpenSSL DLLs updated to version 1.1.1h.
* New features
- New securityLevel configuration file option.
- FIPS support for RHEL-based distributions.
- Support for modern PostgreSQL clients (thx to Bram Geron).
- Windows tooltip texts updated to
tl;dr: Found an issue with update-ca-trust extract
OpenSSL doing what it should, but update-ca-trust is only pushing the cert
into some of the trust stores.
Thanks Tomas
On Tue, 29 Sep 2020 at 07:06, Tomas Mraz wrote:
>
> On Mon, 2020-09-28 at 22:35 +0100, John Robson via openssl-users
extract`).
After this curl no longer complains about the certificate from the web
server (expected).
However OpenSSL still does (unexpected), and I presume that for the same
reason(s) urllib in Python also doesn't accept the certificate.
If I manually feed `openssl verify` the certificates
Hi, I have just started using openssl for my project. I'm building a small server
application using the intel QAT engine.
1) I'm trying to find benchmark numbers for
pure hardware based comparison between with or without QAT engine. I mmap the
file which server will send (to eliminate disk performance
> No, but show us your ./Configure line.
> I regularly build into other directories.
>
> For instance:
> ./Configure --prefix=/sandel/3rd/openssl-dtls-api linux-x86_64
>
Thank you for the reply. I did go looking into the resultant Makefile
and there I did see that the
e for each function it appears in
make[1]: *** [Makefile:5104: crypto/threads_pthread.o] Error 1
make[1]: Leaving directory
'/opt/bw/build/openssl-1.1.1h_debian_sid_5.8.0-2-amd64.004'
make: *** [Makefile:174: all] Error 2
Command exited with non-zero status 2
Why should the include of pthread.h be absent he
I have been trying to build a debug version with no-asm into a /opt/foo
directory but I always see :
-DOPENSSLDIR="\"/usr/local/ssl\""
and
-DENGINESDIR="\"/usr/local/lib/engines-1.1\""
during the compile.
Are these hard coded in somewhere ?
--
Dennis Clarke
Thanks Michael,
I tried to invoke SM3 algorithm in command "openssl req -new -key eckey.pem
-x509 -sm3 -nodes -days 365 -out cert.csr", unfortunately got the following
error:
140320586413888:error:100C508A:elliptic curve
routines:pkey_ec_ctrl:invalid digest type:crypto/ec/
Hello everybody,
Is there a way to generate a ECDSA certificate with SM2 typed public key and
ecdsa-with-SM3 as the signature algorithm in openssl 1.1.1x version?
Thank you very much!
Bob
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
OpenSSL version 1.1.1h released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1h of our open
Hi,
We have been using a wrapper DLL on top of OpenSSL library in our product.
While migrating to 1.0.2t, we are facing the initialization problem in FIPS
mode. After analysis we found the following information in the openssl
guide. The standard OpenSSL build with the fips option
On 2020-09-10 09:03, Tomas Mraz wrote:
On Wed, 2020-09-09 at 22:26 +0200, Jakob Bohm via openssl-users wrote:
Wouldn't a more reasonable response for 1.0.2 users have been to
force on
SSL_OP_SINGLE_DH_USE rather than recklessly deprecating affected
cipher
suites
and telling affected people
On 2020-09-09 14:39, OpenSSL wrote:
OpenSSL Security Advisory [09 September 2020]
=
Raccoon Attack (CVE-2020-1968)
==
Severity: Low
The Raccoon attack exploits a flaw in the TLS specification which can lead to
an attacker
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
OpenSSL Security Advisory [09 September 2020]
=
Raccoon Attack (CVE-2020-1968)
==
Severity: Low
The Raccoon attack exploits a flaw in the TLS specification which can lead
Viktor,
Thank you.
Yury
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Tuesday, September 8, 2020 10:56 AM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL
option
On Tue, Sep 08, 2020
Hello,
I have a question based on the response provided to me:
My question is why following openssl commands (version 1.1.1f) return those
TLSv1.3 ciphers as offering no authentication and no encryption?
C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>open
Hello,
Is it possible to tunnel a connection by OpenSSL? For example, use
OpenSSL and a browser to encrypt browsing.
Thank you.
Viktor,
Thank you for clarifying it.
Yury
From: openssl-users on behalf of Viktor
Dukhovni
Sent: Friday, September 4, 2020 12:10 PM
To: openssl-users@openssl.org
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL
option
On Fri
Thank you Benjamin,
According to OpenSSL , aNULL stands for no-authentication.
NULL-ciphers that you mention would be part of eNULL group, that offer no
encryption.
Does it mean that all 3 default protocols of TLS 1.3 offer no authentication
(because they are listed under command
openssl
Hello,
I think the “localhost.crt” and “localhost.key” files are used by Apache and they are
mandatory to get an HTTPS certificate. Some tools like "Certbot" need them.
If these files are deleted, then how can I regenerate them? Is the below command OK?
# openssl req -x509 -nodes -days 365 -newke
On Thu, Sep 03, 2020 at 11:45:28PM +, Yury Mazin via openssl-users wrote:
> Hello,
>
> We have a server that was originally using OpenSSL 1.0.2h.
> The server is configured to use SSL ciphers as follows:
> ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
> When the openssl client tries to conn
Hello,
We have a server that was originally using OpenSSL 1.0.2h.
The server is configured to use SSL ciphers as follows:
ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
When the openssl client tries to connect to this server with the command
openssl s_client -connect localhost:8101 -cipher aNULL
it fails, because any aNULL
On 2020-09-03 12:25, Marc Roos wrote:
Why are you defending amazon? Everyone processing significant mail and
http traffic is complaining about them. They were even listed in
spamhaus's top 10 abuse networks (until they started contributing to
them?)
Because we are sending non-spam mail from
look like
ec2-184-72-79-140.compute-1.amazonaws.com .
I am unsure how Richard's example that obviously tricked a server to
send a HTTP request to the OpenSSL mail server got past the port 25
block (this appears to be a common form of server side request forgery).
-Original Message
OpenSSL
could have an interface for loading a key and certchain from two (or
perhaps even more for the cert chain) files relative to a given
directory. I know how to do this on modern Unix systems, no idea
whether something similar is possible on Windows.
On NT-based Windows, the undocumented Zw family
On 2020-09-01 04:26, Viktor Dukhovni wrote:
On Aug 31, 2020, at 10:57 PM, Jakob Bohm via openssl-users
wrote:
Given the practical impossibility of managing atomic changes to a single
POSIX file of variable-length data, it will often be more practical to
create a complete replacement file
with much
higher frequency. The automation needs to be robust!
Another synchronization method would be for the application to decree a
specific order of changing the two files, such that triggering reload on
the second file would correctly load the matching contents of the other.
If a future OpenS
proper PTR record, SPF, DKIM and DMARC checks should
all pass for such posts.
Thus rather than blindly blacklisting the Amazon hosting service, maybe
make the OpenSSL mail server check those things to catch erroneous
transmissions from web servers.
-Original Message-
To: openssl-users
On Fri, Aug 21, 2020 at 05:05:51PM +0200, Detlef Vollmann wrote:
> On 2020-08-20 21:44, Detlef Vollmann wrote:
> >
> > Is there any way to set the maximum fragment size for
> > DTLS handshake with a BIO pair?
> One solution is to set the MTU and the int_bio size to
> exactly the same value.
>
The key thing to do is to make those client applications not request the
ssl23-method from OpenSSL 0.9.x.
ssl23 explicitly requests this backward-compatibility feature while
OpenSSL 3.x.x apparently deleted the
ability to respond to this "historic" TLS hello format, which is also
se
On 06/08/2020 22:17, Quanah Gibson-Mount wrote:
--On Thursday, August 6, 2020 1:21 PM -0700 Dan Kegel
wrote:
lists 861 packages, belonging to something like 400 projects, that
depend
on openssl
Unfortunately, due to Debian's odd take on the OpenSSL license, many
projects that can
Hi Tomáš,
thank you very much for the clarification.
Best regards.
Andrea
On 14/08/2020 08:41, Tomas Mraz wrote:
> The server apparently doesn't support them which indicates that it is
> some older implementation but that doesn't necessarily mean it is
> non-compliant. It is just less
Hi all,
on Ubuntu 20.04 LTS 64 bit, with OpenSSL version 1.1.1f, it is not
possible to connect to a popular GIS OGC server at
gibs.earthdata.nasa.gov:443 using OpenSSL or cUrl or Wget default
parameters. The OpenSSL 1.1.1f package available for Ubuntu 20.04 is
build
On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote:
> Hello,
>
> with the following commands:
>
> openssl s_server -accept 18010 -cert srv.crt -key test.key \
> -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2
>
> openssl s_client -connect localh