, and the encoded public key), and finally the BIT STRING encapsulation.
The OCTET STRING is wrong here.
Cordialement,
Erwann Abalea
Le 08/08/2020 14:24, « openssl-users au nom de Dirk-Willem van Gulik »
a écrit :
The key is generated by a lovely HSM - which is by its nature a bit
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 alpha 6 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 6 has now been made available
pile error due to inconsistent input
to the preprocessor conditionals. Would linux-x86_64 be more appropriate
for your system?
-Ben
On Thu, Aug 06, 2020 at 02:23:40AM +0530, prudvi raj wrote:
> Another thing , 'make && make all ' is successful , but the same openssl
> files when comp
On Wed, Aug 05, 2020 at 10:28:26PM +0200, Patrick Mooc wrote:
> Thank you very much Kyle for your quick and clear answer.
>
> The reason why I want to upgrade OpenSSL version, is that I encounter a
> problem with 1 frame exchange between client and server.
>
> This frame is the
On Thu, Aug 06, 2020 at 01:51:35AM +0530, prudvi raj wrote:
> Hi there,
>
> I got this error during compilation , in file b_addr.c :
> In function 'BIO_lookup_ex':
> /b_addr.c:748:9: error: unknown type name 'in_addr_t'
>
> I see that "in_addr_t" is defined in "netinet/in.h" & "arpa/inet.h" in
>
On 2020-07-26 01:56, Jan Just Keijser wrote:
On 23/07/20 02:35, Jakob Bohm via openssl-users wrote:
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets
it (in assembler) seemto have no clear documentation.
Thanks, I somehow missed that document as I was grepping the code
The OPENSSL_ia32cap_P variable, its bitfields and the code that sets
it (in assembler) seemto have no clear documentation.
Looking at x86_64cpuid.pl, I see jumps to ".Lintel" etc. being conditional
on stuff other than the CPU being an Intel CPU, while the code in there is
generally unreadable
No memory leakage, if I comment out all SSL related constructs from my code.
Thus, the SSL related code parts seem to be the cause of this leak.
What is the issue here?
Makefile:
CC=clang
CFLAGS=-g -Wextra -Wall -Werror -pedantic -std=c89 -lssl -fsanitize=address
-fno-omit-frame-pointer
.PHONY:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 3.0 alpha 5 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 5 has now been made available
On Tue, Jul 14, 2020 at 09:08:10PM +0200, shivaramakrishna chakravarthula wrote:
> This is exactly similar to what I am looking for. I am using 1.0.2J version
> and there are some changes in the next version onwards that causes problems
> in SSL connections to older versions when DH key = 256
On Tue, Jul 14, 2020 at 04:58:38PM +0200, shivaramakrishna chakravarthula wrote:
> Hi,
>
> I have compatibility issues for my application with new versions of OpenSSL
> and I want to use the older version of OpenSSL with my application. So, I
> want to link my application with an
ent).
> With Java, we use the native SSLSocket implementation, in Windows we use
> Schannel and in Linux we use OpenSSL 1.1.1g. It seems to work and even
> interoperability
> did not show issues on some initial testing.
>
> I was curious about SSL_key_update. I read that o
On 08.07.20 17:57, Matt Caswell wrote:
>
>
> On 08/07/2020 17:48, Klaus Umbach via openssl-users wrote:
> > On 08.07.20 12:21, Viktor Dukhovni wrote:
> >> On Wed, Jul 08, 2020 at 04:36:55PM +0100, Matt Caswell wrote:
> >>
> >>> On 08/07/2020 16:28, V
; > >
> > > AFAIK, that's not presently possible. You can specify application
> > > profiles, for applications that specify an application name when
> > > initializing OpenSSL. Or use the OPENSSL_CONF environment variable to
> > > select an alternat
Hi,
when I set "MinProtocol" to "TLSv1.2" in openssl.cnf, DTLSv1.2 doesn't work for
the client (in my specific case openconnect).
According to https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html,
only one value is possible, so I can't set both. The usage of "Protocol",
where I could use
Thanks Murugesh. I just wanted to add that the FOM (OpenSSL FIPS object
module) is built using the instructions provided by the User Guide:
./config
make
make install
The built fipscanister.o is integrated into the OpenSSL distribution via
our own build infrastructure by mimicking the OpenSSL
Hi All,
We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
compliance. Post integration, we have been able to run in FIPS mode, with
all self-tests passing as well. However, we seem to be encountering issues
in creation and parsing of ECDSA keys.
A little background on how
/blog/blog/2019/05/23/f2f-committers-day/
[3] https://github.com/openssl/openssl/pull/12089
Running apps/openssl genrsa -provider fips results in the following error …
genrsa: unable to load provider fips
C0FDC40A0100:error::common libcrypto routines:provider_activate:init
fail:crypto/provider_core.c:503:
What am I missing?
Thanks,
Norman
perl configdata.pm --dump
Command line
ignature that
causes the certificates to do anything meaningful, so I would expect all
but the most crappy clients to check it and make a very serious error
message "SOMEONE IS HACKING YOUR CONNECTION, PULL THE PLUG NOW!" or
something equally serious.
On 2020-06-25 19:09, Bruce Cloutier wrote:
On 2020-06-25 13:25, Hubert Kario wrote:
On Thursday, 25 June 2020 12:15:00 CEST, Angus Robertson - Magenta
Systems Ltd wrote:
A client is having problems reading Polish Centum issued personal
certificates with OpenSSL 1.1.1, which read OK with 1.1.0 and earlier,
mostly.
Using PEM_read_bio_X509
The second certificate seems garbaged at the 4th RDN of the issuerName.
The Base64 edition might have added or deleted some characters.
Cordialement,
Erwann Abalea
Le 25/06/2020 16:00, « openssl-users au nom de Angus Robertson - Magenta
Systems Ltd »
a écrit :
More information
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 alpha 4 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 4 has now been made available
C mandates that any “missing” initializers are as if 0/null were present.
{NULL, -1, 'Q', "unused end of list"} this is the change I’d like to offer
Turn off the warning.
On 2020-06-18 18:13, Salz, Rich via openssl-users wrote:
BN_bin2bn assumes that the size of a BN_ULONG (the type of a bn->d) is
BN_BYTES. You have already told us that sizeof(*d) is 4. So BN_BYTES
should also be 4. If BN_BYTES is being incorrectly set to 8 on your
platf
NOT use parameter names in public headers in OpenSSL, but sadly was not
able to persuade a majority of the team.
If this is ever reconsidered, my views have not changed. OpenSSL SHOULD
NOT include parameter names in public headers.
No sane compiler should complain about name clashes between
>BN_bin2bn assumes that the size of a BN_ULONG (the type of a bn->d) is
BN_BYTES. You have already told us that sizeof(*d) is 4. So BN_BYTES
should also be 4. If BN_BYTES is being incorrectly set to 8 on your
platform then that would explain the discrepancy. Can you check?
This
I dlon't lnow about Python's freefunc, no idea what it is, but the OpenSSL line
is defining a function with a local parameter named freefunc. Those names
shouldn't clash; what compiler and flags?
It should be possible to rename the one in safestack.h to be "freefuncarg" or
something
On Mon, Jun 08, 2020 at 06:53:32PM +, Neil Proctor via openssl-users wrote:
> Hello,
>
> Specific to OpenSSL v1.0.2p and TLS1.2 are there any flags or options like,
> SSL_CERT_FLAG_TLS_STRICT, that set whether or not the client handshake
> finished hash is verifie
Hello,
Specific to OpenSSL v1.0.2p and TLS1.2 are there any flags or options like,
SSL_CERT_FLAG_TLS_STRICT, that set whether or not the client handshake finished
hash is verified by the server? Or is this always performed regardless of
configuration?
During some of our testing, it seems
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 alpha 3 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 3 has now been made available
On Wed, Jun 03, 2020 at 07:05:32PM +0200, Claus Assmann wrote:
> Just curious: Why is the output of
> openssl ciphers MEDIUM
> "empty" for 3.0.0.a2?
There are no ciphers available by default that are at the MEDIUM
level (which, to be honest, does not make a huge amount of
* >FIPS ciphers are a subset of the ciphers that OpenSSL supports.
* Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS
version. (I suppose yes). But still your confirmation will be helpful.
Yes it is true for both.
* Also, current version is considered outda
of 3.0
FIPS ciphers are a subset of the ciphers that OpenSSL supports.
the
data, looks like an RSA signature, then when enough have been done, combine
them and it matches the original pre-split public key. That, and the followon
patents, are cool. Don’t know if they’re expired or not.
To answer the main question: OpenSSL doesn’t do anything remotely in this area
* application/pkix-pkipath
* Defined in RFC4366 (section 8) and RFC6066 (section 10.1)
I doubt that it is worth doing this. First, because OpenSSL doesn’t support it
now, then CURL (what the original poster was talking about) can’t use it when
using OpenSSL. Instead, as others have
According to the documentation, cURL can use p12 files just fine.
curl --cert bob.p12:bobspassword --cert-type p12 https://some.secure.site
Or you can omit the password part and use -key mykey with your password in the
mykey file, in order to hide the password from PS queries.
From: openssl
>Speaking of which, I've recently discovered (a documented interface
landmine) that:
status = SSL_read(ssl, ...);
err = SSL_get_error(ssl, status);
>is an anti-pattern, because the "correct" usage is:
It's not unlike checking errno without knowing if the syscall
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 alpha 2 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 2 has now been made available
There is example code for doing RSA PSS with OpenSSL at
https://www.idrix.fr/Root/Samples/openssl_pss_signature.c
On Tue, May 12, 2020 at 11:59 AM John McCabe wrote:
> Hi,
> I've searched around, but found nothing that appears to help.
>
> I'm developing some software where I
On 12/05/2020 16:01, Matt Caswell wrote:
On 12/05/2020 14:50, Jakob Bohm via openssl-users wrote:
When running Configure in OpenSSL 1.1.1g with various options, it sometimes
silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" .
Looking at the code here:
https://
When running Configure in OpenSSL 1.1.1g with various options, it sometimes
silently sets OPENSSL_NO_TESTS as reported by "perl configdata.pm -d" .
This obviously causes "make test" to do nothing with the message "Tests are
not supported with your chosen Configure
es.
> Maybe it's on RHEL8 patch (system-cipherlist.patch).
https://src.fedoraproject.org/rpms/openssl/blob/master/f/openssl-1.1.1-system-cipherlist.patch
suggests (the ssl.h chunk) that this patch does force the use of the "system
profile" as the default cipher list.
-Ben
\n", SSL_CTX_get_security_level(ctx));
> // 0--5 any
>
> i = SSL_CTX_set_ssl_version(ctx, SSLv23_client_method());
> printf("SSL_CTX_set_ssl_version result: %d\n", i);
> // i ==1; success
>
> printf("seclevel: %d\n", SSL_CTX_get_security_leve
On Wed, May 06, 2020 at 05:22:17PM -0700, Norm Green wrote:
> All tests on AIX fail like this. Is this a known issue? What debugging
> information is needed? Should I open an issue on github?
>
> Also note I had to set LD_LIBRARY_PATH to the SSL build directory to get the
> tests to run at
You might find https://github.com/openssl/openssl/issues/10923 to have some
useful information.
OpenSSL is publically available.
Hm, so DSO support is a requirement for legacy crypto now? That probably needs
to be made explicit, and see if the project gets pushback.
* I have seen scripts that have the openssl smime option of -inform, or
-outform set to DEM.
That’s an error. PEM or DER. Interesting mixup. :)
It has been done. For example, we leverage the ASYNC interface to make the
private-key operations remote. There was also an RT ticket that had an
implementation for a version years ago. (I can't find the RT but I know it was
there.) The PKCS#11 stuff might also be appropriate.
tening to "This monkeys gone to heaven"
from The Pixies (from the 80s), it seemed due :-))
Henh. I can give a boatload of Boston bands. Sometimes while working on
OpenSSL I think of https://www.youtube.com/watch?v=F6z0Cv4PYvs (
>I do not understand one thing at the moment. If i use
no-deprecated then the stack handling is not available:
If you use no-deprecated you have to use DEFINE_STACK_OF in exactly one file.
And use DECLARE_STACK in your common header file.
Let me know if this works, or not, for you.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 3.0 alpha 1 released
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 3.0 is currently in alpha.
OpenSSL 3.0 alpha 1 has now been made available
On 2020-04-22 15:22, Hubert Kario wrote:
On Tuesday, 21 April 2020 21:29:58 CEST, Jakob Bohm via openssl-users
wrote:
That link shows whatever anyone's browser is configured to handle
when clicking
the link.
The important thing is which browsers you need to support, like the
ones on
https
A few corrections:
OpenSSL included CMS (RFC3369) support since 1.0.0 (see the CHANGES
file), though for a long time, there was an arbitrary disconnect between
functions named CMS and functions named PKCS#7 even though it should
have been a continuum.
The PKCS#7 and CMS standards equally
* Sorry for being unclear, the goal would be to just not send the SCSV
value in the ClientHello.
Why?
recall any recent
changes in this area. Were you successfully able to run the tests with
previous versions of OpenSSL?
Looks like the failing call is here:
if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY,
(const void *), sizeof(on)) != 0) {
Can you provide a pointer
On Tue, Apr 21, 2020 at 09:57:02PM +0200, Mark Windshield wrote:
> Hello,
>
> I was wondering what I'd have to change in the openssl code/config before
> compiling to have renegation disabled by default, so it won't send the
> Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0
Summary: The OpenSSL 1.1.1g test suite contains at least two bugs:
TestBug#1: Test suite fails if local network has no IPv6, error message
(non-
verbose) doesn't say that's the issue. [ Testing IPv6 makes sense,
rejecting
regression tests on inadequate machines is important to avoid
On Tue, Apr 21, 2020 at 12:46:43PM -0700, Sam Roberts wrote:
> The announcement claims that this affects SSL_check_chain().
>
> Is that an exhaustive list? If an application does NOT call that
> function, does this mean the vulnerability is not exploitable?
That is correct (speaking only in
SHA384:-CAMELLIA:-ARIA:-AESCCM8
>
> How did this particular contraption become a recommended cipherlist?
To explain - this is basically autogenerated value from the crypto
policy definiton of the LEGACY crypto policy with just added the
!RC4.
> What's wrong with "DE
On Tue, Apr 21, 2020 at 07:22:38PM +0200, Claus Assmann wrote:
> Note sure whether this is already known (a search didn't bring up
> anything meaningful):
>
> ../test/recipes/80-test_ssl_old.t ..
> Dubious, test returned 1 (wstat 256, 0x100)
> Failed 1/6 subtests
> Test Summary
On Tue, Apr 21, 2020 at 10:19:28AM -0700, Quanah Gibson-Mount wrote:
> --On Tuesday, April 21, 2020 11:16 AM -0700 Benjamin Kaduk
> wrote:
>
> > The 'krb5' entry in git is a submodule, used for the external tests.
> > It's removed while preparing release tarballs, but I'm not sure what
> > you
On Tue, Apr 21, 2020 at 10:08:39AM -0700, Quanah Gibson-Mount wrote:
> The OpenSSL release tags contain an empty directory "krb5" that does not
> exist in the release tarball. This is annoying because when I go to merge
> release tags, I constantly get the following:
>
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL Security Advisory [21 April 2020]
=
Segmentation fault in SSL_check_chain (CVE-2020-1967)
=
Severity: High
Server or client applications that call
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1g released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1g of our open
the client Hello with any certificates. So I see no reason for
handshake to complete without verification.
Thanks
Bran
‐‐‐ Original Message ‐‐‐
On Monday, April 20, 2020 5:35 PM, Matt Caswell wrote:
> On 20/04/2020 12:59, brandon.murphy1996 via openssl-users wrote:
>
> >
ched between psk_find_session_cb and use_session_cb, the
>handshake fails with the message:
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
OpenSSL: openssl_handshake - SSL_connect error:141F906E:SSL
routines:tls_parse_ctos_psk:bad extension
I am not sure what am I missing here
Thanks
Bran
On Thu, Apr 16, 2020 at 09:41:23PM +0200, Harald Koch wrote:
> Am 16.04.2020 um 17:54 schrieb Tomas Mraz :
> >
> > error queue of openSSL stays empty. The same code works with
> >> openSSL with gzip support („./config enable-zlib ...“, for support of
> >> c
Hi,
For my project, I need to perform a external PSK mode TLS 1.3 handshake. As per
the documentation, I am setting up a callback on client my SSL object using the
following:
SSL_set_psk_use_session_callback(ssl, psk_use_session_cb_func)
and the callback's formal arguments are:
typedef int
On 08/04/2020 18:06, Viktor Dukhovni wrote:
> On Wed, Apr 08, 2020 at 11:47:19AM +0100, Scott Morgan via openssl-users
> wrote:
>
>> Run into an odd issue.
>>
>> Consider the following program, based on the documentation[0], using
>> OpenSSL 1.1.1f
>&
Run into an odd issue.
Consider the following program, based on the documentation[0], using
OpenSSL 1.1.1f
==BEGIN==
#include
#include
#include
int main(int argc, char** argv)
{
BIO *abio;
int res;
abio = BIO_new_accept("");
res = BIO_do_a
IETF issues a
> new RFC that says "TLS 1.3 MUST NOT use" that cipher. Should the openssl
> alias change?
>
> It can be wordy, but explicitly listing ciphers and not using aliases (HIGH
> EXPORT etc) is really better.
>
> As for ease of use, just don't allow
>- Do you think any use for supporting some kind of alias for families of
> cipher in SSL_set_ciphersuites, like for example "TLSv1.3"
Suppose someone finds out that chacha/poly is insecure and the IETF issues a
new RFC that says "TLS 1.3 MUST NOT use" that cipher.
Hi,
We are using OpenSSL 1.1.1 for quite some time, and we have been able to
migrate over time to the different version of SSL/TLS, up to TLS 1.2 with
success.
Now we wish to prepare the migration to TLS 1.3. The people used to configure
our SSL connection tries to set the cipher list
Isn't this the SSL EOF thing?
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1f released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1f of our open
Just to close the loop: I decided better documentation is the only answer for
now: https://github.com/openssl/openssl/pull/11431
I'll copy the info below into a new issue.
On 3/21/20, 9:47 AM, "Salz, Rich via openssl-users"
wrote:
Argh. Thanks for the detailed e
packet.response.SetFileData(cmsBuf.data(), cmsBuf.size());
}
ca_catch
{
packet.response.errorCode = ex;
packet.response.errorMessage = GetErrorMessage(ex);
}
}
--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>It seems some browsers open three to five sockets at the same time and
then don't complete SSL negotiation on all of them, just closing them
in various states.
Yes, this is exactly what they do.
>> The second question is somewhat related. Has there been a decision yet
> whether the FOM 3.0 will go through a 140-2 or a 140-3 validation?
>We are going through 140-2.
Has the list of validated platforms been made public yet?
For people using a different platform, will
On Mon, Mar 23, 2020 at 11:46:43PM +, Jeremy Harris wrote:
> OpenSSL 1.1.1 on Centos 8
> Ticket-based resumption
>
>
> I'm getting a repeatable error from a client call to SSL_connect()
> of "14228044:SSL routines:construct_ca_names:internal error".
>
> P
Is it possible the browsers are trying to send early data?
orMessage(ex);
}
}
Data written in the file as a result:
<http://openssl.6102.n7.nabble.com/file/t11625/res.jpg>
Data as input for Signing:
<http://openssl.6102.n7.nabble.com/file/t11625/data.jpg>
Am I missing something? Is there another way I can achieve the same thing?
Thanks
is is an unfortunate
evolutionary artefact, and is governed by very different pieces of
code.
The config.pod example revolves around subject names and the config
for 'openssl req'. The code that uses this is the function
auto_info(), found in apps/req.c.
The x509v3_config.pod exa
The doc/man5/config.pod file says to use
1.OU = “My first OU”
2.OU = “My second OU”
But doc/man5/x509v3_config.pod says to append the numeric, as in
email.1 = steve@here
email.2 = steve@there
I believe the second form is correct.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
OpenSSL version 1.1.1e released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1e of our open
The TLS RFC describes the “bytes on the wire” – the syntax for how client and
server communicate, and the semantics of those exchanges.
Is it a specification or standard? Yup both.
Is OpenSSL implementation of the spec? Yup.
What language used in the spec? It’s described in the RFC; see
> Please suggest me books or tutorials to understand OpenSSL and TLS
> cryptographic protocol in detail. I look forward to hearing from you. Thanks
> in advance.
Start with the RFC’s, then look for crypto basics – there are free books online.
* I am reading this article
Perhaps someone should writeup and submit a "NOTES.zos" file to add?
On 2020-03-03 08:19, Viktor Dukhovni wrote:
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
1.1.1 there is slight change
On 2020-03-03 07:46, Phani 2004 wrote:
Hi Team,
I am trying to implement mac-then-encrypt for aes_cbc_hmac_sha1
combined cipher. From the code i could understand that the first 16
bytes were being used as explicit IV while decrypting and the hmac is
done for 13 bye AAD and 16 byte Fin record
On 2020-02-28 03:37, Salz, Rich via openssl-users wrote:
*>*Per section Supported Groups in RFC 8446 [1], FFDHE groups could be
supported.
I was wrong, sorry for the distraction.
As others have pointed out, it will be in the next (3.0) release.
Note that the group identifi
>Per section Supported Groups in RFC 8446 [1], FFDHE groups could be supported.
I was wrong, sorry for the distraction.
As others have pointed out, it will be in the next (3.0) release.
None of those choices address what happens in the 1.0.2 module goes to historic
on Sept 1. See
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
for details.
* That's fair. So the only option is to use another module? Extended 1.0.2
support does not resolve this either, correct?
I do not think that is the only option. For example, you might be able to use
3.0 and say it’s “in evaluation.” There might be other options, that was all I
could
* The OpenSSL FIPS Object Module will be moved to the CMVP historical list
as of 9/1/2020. Since there is no OpenSSL 3.0 until Q4 2020, and a FIPS Module
will be after that sometime, where does this leave 1.0.2 users who need a FIPS
validated object module past that date?
Without
>It would probably be a good idea for us to pull together a "Getting
Started" guide on the Wiki with some basic information on how to get
things going, with some links to the various man pages etc where more
detailed information is required.
This needs to be real user
* Run the command: openssl s_client -tls1_3 -groups ffdhe2048 host:port
TLS 1.3 doesn’t have those groups.
> That's 5 weeks from now, I'd thought the basic structure might be present
> now.
It is. You probably have to look at the tests to see how to use things.
401 - 500 of 1641 matches
Mail list logo