>: configure --host=x86_64-unknown-freebsd9 --cache=config.cache --disable-ntlm
>--disable-otp --disable-sample --enable-gssapi --with-des=no
>--with-gss-impl=mit
That’s not an OpenSSL configuration, and the error you got is not from OpenSSL.
It would be really good if code being merged to master had --strict-warnings
and the mdebug backtrace stuff turned on. In the past few days there have been
a flurry of checkins that these flags would have caught.
Well, flurry is admittedly too strong. …
Hi All,
The OpenSSL version 1.1.1b chooses wrong AS(assembler) on running through
Cygwin in Windows. It chooses 'ml' instead of 'nasm'(but uses the syntax of
nasm) which causes OpenSSL build failure on Windows. The same works fine with
OpenSSL 1.1.0i version.
Looks like a bug with 1.1.1b
clause 9, then moved to clause 6.1 in 2000, and clause 6.4 in 2012).
RFC5280 is far from being that clear.
OpenSSL added some checks on GeneralizedTime/UTCTime, by enforcing RFC5280
rules. I haven't followed the source code to see if these checks also apply to
data types other than RFC5280 certi
On 06/03/2019 18:38, Jordan Brown wrote:
On 3/5/2019 1:16 PM, Yann Ylavic wrote:
Furthermore, if that scenario were a real use case, it'd mean that
libldap could initialize openssl with no regard to httpd needs,
Everybody has to play nice, but ... yes. Random libraries might need
OpenSSL
On 06/03/2019 16:17, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Richard Levitte
Sent: Wednesday, March 06, 2019 03:07
On Wed, 06 Mar 2019 10:52:44 +0100,
Jan Just Keijser wrote:
as a follow-up: Richard's analysis/suspicion was spot
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [6 March 2019]
ChaCha20-Poly1305 with long nonces (CVE-2019-1543)
==
Severity: Low
ChaCha20-Poly1305 is an AEAD cipher
the default
mid-series is probably not a good idea.
Changing the default could be considered for 3.0.
Yes please, as it stands the 1.1 series is unloadable on the most
used
openssl libraries, distros'. I find this a bit unfortunate, and more
#ifdef-ery to come (though I'd like the OPENSSL_INIT_[NO_
Can we take OpenBSD code and put it under the Apache license?
On 01/03/2019 12:38, Chethan Kumar wrote:
Dear all,
In need of some assistance. I compiled openssl1.1.1b on Debian and
executed openssl commands on another Debian machine.
Its giving below error:
openssl: */lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not
found (required by /home
Hi,
Earlier our application used OpenSSL version 1.0.2n. Now we wanted to
upgrade to 1.1.1b.
After upgrade when i compile OpenSSL, i see the following errors:
Tried to generate the Makefile with both the ways mentioned below..
But getting compilation errors as attached mainly at places
where
at libcrypto could "magically" combine two
different FIPS providers, which would be none of the two options
mentioned above.
Yes. I believe this is okay, but also that OpenSSL is not going to support
this.
>Huh? From the design document, section "Example dynamic views of
algorithm selection", after the second diagram:
An EVP_DigestSign* operation is more complicated because it
involves two algorithms: a signing algorithm, and a digest
algorithm. In general those
>I always understood "FIPS-capable OpenSSL" to refer specifically to an
OpenSSL compiled with the options to incorporate the FIPS canister
module, not just any OpenSSL build that might be used in FIPS compliant
applications (as that would be any OpenSSL
On 27/02/2019 22:18, Richard Levitte wrote:
On Wed, 27 Feb 2019 21:55:29 +0100,
Jakob Bohm via openssl-users wrote:
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:
- OpenSSL FIPS
If you change a single line of code or do not build it EXACTLY as documented,
you cannot claim to use the OpenSSL validation.
PREFIX/bin/openssl{.exe,}) link to the
shared library in the build tree whenever the target allows
this.
Some examples:
- Windows(all versions): This is already the system default
if the shared libraries are copied into the test program
directory, even in Windows versions that don't search th
No.
The OpenSSL FIPS Module is not written that way. It should not be permitting
any non-FIPS implementations (see Rich's email regarding a bug).
You could write your own engine, get that FIPS certified, and run it with
plain, vanilla OpenSSL.
There's a design spec out for OpenSSL 3.0.0
On 2/26/2019 6:28 PM, Hong Cho wrote:
> I see no code change between 1.0.2q and 1.0.2r.
>
> --
> # diff -dup openssl-1.0.2q openssl-1.0.2r |& grep '^diff' | awk
> '{print $4}'
> openssl-1.0.2r/CHANGES
> openssl-1.0.2r/Makefile
> openssl-1.0.2r/Makefile.org
>
-validated code,
which means that you *have* to use the OpenSSL implementation.
If you do not use the OpenSSL implementation, then you cannot claim to be FIPS
validated, and you must get your validation for your implementation.
et."
On Feb 26, 2019, at 10:40 AM, Matt Caswell
mailto:m...@openssl.org>> wrote:
On 26/02/2019 15:03, Short, Todd via openssl-users wrote:
The latest security advisory:
https://www.openssl.org/news/secadv/20190226.txt
mentions stitched vs. non-stitched ciphersuites, but doesn’t really
The latest security advisory:
https://www.openssl.org/news/secadv/20190226.txt
mentions stitched vs. non-stitched ciphersuites, but doesn’t really elaborate
on which ciphersuites are stitched and non-stitched.
"In order for this to be exploitable "non-stitched" ciphersuites must be in
use.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [26 February 2019]
0-byte record padding oracle (CVE-2019-1559)
Severity: Moderate
If an application encounters a fatal protocol
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1b released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1b of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.0.2r released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.2r of our open
: login (584) PC=0xb6e6ab00 Instr=0xe5951000
Address=0xd27cdc63 FSR 0x001
Kernel panic - not syncing: Attempted to kill init! exitcode=0x000b
that doesn't look like openssl problem at all, openssl may trigger it, but
only because it's using the system to its fullest potential, not because
(Resend from correct account)
On 15/02/2019 18:35, Salz, Rich via openssl-users wrote:
(as for "possibly not the FIPS provider", that's exactly right. That
one *will* be a loadable module and nothing else, and will only be
validated as such... meaning that noone can stop you fr
On 17/02/2019 14:26, Matt Caswell wrote:
On 16/02/2019 05:04, Sam Roberts wrote:
On Fri, Feb 15, 2019 at 3:35 PM Matt Caswell wrote:
On 15/02/2019 20:32, Viktor Dukhovni wrote:
On Feb 15, 2019, at 12:11 PM, Sam Roberts wrote:
OpenSSL could delay the actual shutdown until we're about
On 16/02/2019 00:02, Richard Levitte wrote:
On Fri, 15 Feb 2019 18:33:30 +0100, Lewis Rosenthal wrote:
...
I strongly encourage you to re-think this. Everyone else on this list
whose server has been properly configured to not trash legitimate
messages must now be inconvenienced by the needs of
t
invalid re FIPS)
To be pedantic: this is true only *if you are using the OpenSSL validation.*
If you are getting your own validation (such as using OpenSSL in an HSM device
or whatnot), this is not true.
> - If permitted by the CMVP rules, allow an option for
> a
On 15/02/2019 12:23, Matt Caswell wrote:
On 15/02/2019 03:55, Jakob Bohm via openssl-users wrote:
These comments are on the version of the specification released on
Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html
General notes on this release:
- The release
extra decoration of the
messages, i.e. the list footer that's usually added and the subject
tag that indicates what list this is (I added the "openssl-users:"
that you see manually).
So IF you're filtering the messages to get list messages in a
different folder, based on the subject
These comments are on the version of the specification released on
Monday 2019-02-11 at https://www.openssl.org/docs/OpenSSL300Design.html
General notes on this release:
- The release was not announced on the openssl-users and
openssl-announce mailing lists. A related blog post was
announced
>Yes - I do expect you to be able to build just the validated source
independently of the rest of the tarball so that you could (for example)
run the
latest main OpenSSL version but with an older module.
Which means that this doesn't have to happen in the first release si
.0 code drop to start porting and a looming deadline for the
1.0.x API.
You get what you pay for. I can be harsh because I am not a member of the
OpenSSL project.
You can start by porting to 1.1.x now.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 13/02/2019 20:12, Matt Caswell wrote:
On 13/02/2019 17:32, Jakob Bohm via openssl-users wrote:
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement
On 13/02/2019 12:26, Matt Caswell wrote:
Please see my blog post for an OpenSSL 3.0 and FIPS Update:
https://www.openssl.org/blog/blog/2019/02/13/FIPS-update/
Matt
Given this announcement, a few questions arise:
- How will a FIPS provider in the main tarball ensure compliance
OpenSSL 1.1.1.
We really don't want to create a separate socket: we'd like to support
client requests on the same socket using either the old connection
method or TLS. We also want to support "pure" TLS, rather than some
kind of wrapped connection protocol. This means we need to
Hi all,
While trying to verify a client certificate using openssl verify with
-crl_check_all and –partial_chain options set , I get the following error:
error 8 at 1 depth lookup: CRL signature failure
error client1.pem: verification failed
Here is the command used:
openssl verify -crl_check
Hi all,
So, I found some hints on stack overflow
(https://stackoverflow.com/questions/6772465/is-there-any-c-api-in-openssl-to-derive-a-key-from-given-string)
and an implementation with pyCrypto
(https://gist.github.com/mimoo/11383475).
I still can't get the expected results but these raise some
i everyone,
I am looking for some documentation on how to pad and/or derive my
message and my key (from simple password), to mimic AES 128 ECB
en/decryption.
For a decorative purpose (no security consideration in mind), I used
openssl to encrypt a small message (less than 16 bytes) with a small
On 30/01/2019 00:11, Kurt Roeckx wrote:
On Tue, Jan 29, 2019 at 02:42:48PM -0500, Viktor Dukhovni wrote:
On Jan 29, 2019, at 2:23 PM, Rich Fought wrote:
The OpenSSL 1.1.1 ciphers manpage claims that some non-ephemeral DH ciphers are
supported:
TLS1.0:
DH-RSA-AES128-SHA
DH-RSA-AES256-SHA
Since this seems to be a certificate issue, would it be possible
to make the server log all the certificate checking steps and
errors with the failing certificates.
One obvious test would be to try connecting to the "openssl s_server"
utility with a similar configuration and lot
.
As explained above, most of that storage infrastructure is in
fact in place, but the major e-mail clients lack the code to use
it. For example the "openssl cms" command (used by some unix mail
clients, such as Mutt) doesn't have an option to specify the "as of"
date extracted from
> On Jan 7, 2019, at 11:52, Chris Fernando via openssl-users
> wrote:
>
>>
>> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
>> wrote:
>>
>> I perused the list archives for all of 2018 and did not see anything current
>> relat
Look at the tricks openssl has to do in order to properly zeroized memory and
avoid having the compiler optimize it away.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
eed and open an issue on github? Yes, this
would be a bug-fix because "going opaque" made some things not possible.
Thanks.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 10/01/2019 19:55, Corey Minyard wrote:
On 1/10/19 11:00 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
Behalf Of Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate
On 10/01/2019 18:00, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate and use client authentication
I would expect that smartphone clients might want to prioritize CHACHA over
AES, but I don't think Node cares about that environment.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 07/01/2019 22:26, Jordan Brown wrote:
[ Off topic for OpenSSL... ]
On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
A chroot with no other reason to open /dev/null should not contain that
file name, even on unix-like platforms (least privilege chroot design).
There's always
On 07/01/2019 22:31, Steffen Nurpmeso wrote:
> Good evening.
>
> Jakob Bohm via openssl-users wrote in <95bceb59-b299-015a-f9c2-e2487a699\
> 8...@wisemo.com>:
> |Small corrections below:
> | ...
Note that I do not represent the project at all, I am just another
Small corrections below:
On 07/01/2019 19:31, Steffen Nurpmeso wrote:
...
|> That is really bad. Of course you had to do it like this, and you
|> surely have looked around to see what servers and other software
|> which use OpenSSL do with
>
> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
> wrote:
>
> I perused the list archives for all of 2018 and did not see anything current
> relating to this problem, so if this is a question that has been asked &
> answered, please feel free to
On 04/01/2019 22:04, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Friday, January 04, 2019 13:16
If you want to, what you want is something like:
int fd;
do {
fd = open("/dev/null&quo
liar with Windows & compiling Open Source projects, but I am
having no trouble on Linux with OpenSSL + FIPS. On Windows, with Visual Studio
2017 (Community Edition), I am able to compile the FIPS 2.0.16 module and
OpenSSL 1.0.2q (NO FIPS) without issue.
When I try to compile OpenSSL with the FIPS canis
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Jakob - you’re a star! Thanks so much, your suggestion works. So I added
https://mta.openssl.org/mailman/listinfo/openssl-users
.
Cheers
Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org
On 03/01/2019, 11:02, "openssl-users on behalf of Matt Caswell"
wrote:
On 03/01/2019 10:31, Neil Craig wrote:
Hi all
Does anyon
Two of the more common causes of cron failure are
- Environment variable missing or has different value (PATH etc)
- File permissions are different if running under root vs normal
interactive user.
Hope that helps.
--
openssl-users mailing list
To unsubscribe: https
On 02/01/2019 11:18, Dennis Clarke wrote:
On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:
On 02/01/2019 10:41, Matt Caswell wrote:
On 27/12/2018 08:37, Dmitry Belyavsky wrote:
Hello,
Am I right supposing that local variables tmp1, tmp2, iv1, and iv2
are unused in
this function
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing
rts NUL bytes at the end of each array, changing
sizeof(array) as well as cache access patterns (and thus side
channel effects).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion
> I didn't bother looking up what freeing entails - it's obvious to
> anyone at this point that OpenSSL is a severe victim of feature creep,
> that its memory allocation scheme is a mess, and long story short: I
> will NOT free a perfectly fine object just because of
* But I only get early data for get method.
* When using post method, the server terminate connection. Is it related
with openssl? If so, how can I do to allow post method?
Early data can be replayed. It is only safe to use early data when the request
is idempotent, like GET. You
On 29/12/2018 14:19, C.Wehrmeyer wrote:
I don't have access to the actual testing environments until Wednesday
next year, so I've had to create a private account.
> Which version of OpenSSL is this? (I don't remember if you said this
> already).
I'm not entirely sure, but I *think* it's
tion now.
PKCS#7 also known as CMS or (in OpenSSL) SMIME, doesn't just pad. It
generates a random key and encrypts it with the recipients key (usually
a public key from a certificate, but there may be a symmetric variant).
Thus to do PKCS#7 with OpenSSL, you need to use the "
On 29/12/2018 07:42, carabiankyi wrote:
Thanks for your advice.
I get early data when I configure nginx ssl_early_data on.
But I only get early data for get method.
When using post method, the server terminate connection. Is it related
with openssl? If so, how can I do to allow post method
Great idea; https://github.com/openssl/web/issues/101
On 12/28/18, 12:39 AM, "Jakob Bohm via openssl-users"
wrote:
Consider at least including the one-line manpage summaries on the index
pages (the ones displayed by the apropos command on POSIX systems).
--
openssl-use
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
y on rails
[
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* Please let me know if we have any update on this.
This is a volunteer effort. :)
My *GUESS* is that the CRL data isn’t sorted, and it’s doing a linear search.
You should profile the code to find out where, exactly, all the time is being
spent.
--
openssl-users mailing list
* Please find the above previous mail.
I am not sure what this means. I guess you are referring to earlier email in
the thread. I gave you my suggestion, good luck.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ommand line makes no sense (no output file, wrong argument
count, auto with unrecognized file extension). Ideally this
would be in the common perl module(s), not in individual
assembler files.
Remember that keeping every patch easily audited by the wider
community is essential to the trustworthiness
s
> the same.
>
> Please let us know if this is an expected behavior or something should be
> done to improve the above observation.
>
> With Regards,
> Prateep
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
retend to be either side.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
If all you need is RSA then you will probably find it easier to write a
makefile of your own. You will have to do multiple builds to get all the
missing pieces, such as the BN facility, the memory allocation, the error
stack, etc.
--
openssl-users mailing list
To unsubscribe: https
| Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
From: Alibek Jorajev via openssl-users [mailto:openssl-users@openssl.org]
Sent: Tuesday, 18 December 2018 8:10 PM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS module v3
Hi everyone,
I have been following Ope
> >. New certificates should only use the subjectAltName extension.
>Are any CAs actually doing that? I thought they all still included
> subject.CN.
Yes, I think commercial CA's still do it. But that doesn't make my statement
wrong :)
--
openssl-users
Putting the DNS name in the CN part of the subjectDN has been deprecated for a
very long time (more than 10 years), although it is still supported by many
existing browsers. New certificates should only use the subjectAltName
extension.
--
openssl-users mailing list
To unsubscribe: https
Hi everyone,
I have been following OpenSSL blog and know that work on new OpenSSL FIPS
module has started. Current FIPS module (v.2) has end of life (December 2019)
and I assume that new FIPS module will be by that time. but can someone tell
me - is there are approximate dates
lly
the PKCS#7 formats) allow almost unlimited file size, and any 2GiB limit is
probably an artifact of either the openssl command line tool or some of the
underlying OpenSSL libraries.
It would be interesting to hear from someone familiar with that part of the
OpenSSL API which calls to use to actually
want
Cordialement,
Erwann Abalea
De : prithiraj das
Date : lundi 17 décembre 2018 à 08:23
À : Erwann Abalea , "openssl-users@openssl.org"
Objet : Re: [openssl-users] RSA Public Key error
Hi Erwann/All,
Thank you for your earlier response. I have done a couple of tests on the
, bmeeke...@buckeye-express.com
>>> <mailto:bmeeke...@buckeye-express.com> wrote:
>>>
>>> I simply wanted a clear statement so I can make an informed decision
>>> whether or not I should use OpenSSL in future projects. I now have my
>>> answer. Th
* [root@puoasvorsr07 ~]# openssl version
* OpenSSL 1.1.1 FIPS 11 Sep 2018
Is that a version you built yourself, or from RedHat? I believe it is RedHat’s
version, which did their own FIPS work.
The OpenSSL FIPS module is starting development.
--
openssl-users mailing list
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
sed using an
OpenSSL "engine" plugin, if instead you are inserting code in NGINX
to hand over the complete SSL/TLS record processing to the hardware,
then a different approach is needed.
OpenSSL Crypto Engines are not limited to SSL/TLS but can be used
for other tasks using the OpenSSL libcr
of unused bits) for a 2048bits RSA
key with 16 custom bytes.
That’s perfectly normal for OpenSSL to refuse to load that beast, and for
asn1parse to return errors (the first bytes do not represent a correct DER
encoding of anything).
Think of it as « I took a Jpeg file, replaced some bytes
On 10/12/2018 14:41, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Michael Ströder
Sent: Saturday, December 08, 2018 06:59
On 12/7/18 11:44 PM, Michael Wojcik wrote:
Homograph attacks combined with phishing would be much cheaper and
easier
On 10/12/2018 11:30, Hemant Ranvir wrote:
Dear all,
After extracting openssl-1.1.1.tar.gz, openssl can be configured
without asm by passing no-asm flag during config command.
The expanded key can be obtained like follows:
//Getting expanded key from inside openssl
//Copied from crypto
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security. So
On 05/12/2018 00:50, Viktor Dukhovni wrote:
On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
Care to create a PR against the "master" branch? Something
along the lines of:
"Provided chain ends with untrusted self-signed certificate&quo
experts.
[ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]
However Firefox code also contains lots of idiotic usability bugs,
even in the code that talks to the TLS stack. It is quite possible
that the "OCSP must be on" rule is another bad usability hangover
Hi Wim,Thank you for your quick response.1. Yes. I called EVP_PKEY_new()
before calling EVP_PKEY_assign_RSA(pEvpkey, rsa);
2. For your second quetion: no. I have not checked there is anything in the
openssl error stack.
I will check the openssl error stack.
3. (1). If it works
Hello,I am working on a small homework which requires convert pvk private key
to PKCS#8 format. The code is based on OpenSSL 1.0.2. I can get pvk private key
components (Public exponent, modulus, prime1, prime2, exponent1, exponent2,
coefficient, private exponent) properly, and convert
Thanks again Rich. If anyone else has any ideas please share.
From: "Salz, Rich"
Date: Tuesday, December 4, 2018 at 12:56 PM
To: "anipa...@cisco.com" , "openssl-users@openssl.org"
Subject: Re: [openssl-users] OCSP response signed by self-signed trusted
respond
Perhaps you can build a trust store to handle your needs. I am not sure.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
f time. Are you
saying option 2 from the RFC is not supported within OpenSSL and would require
changes? Or am I misinterpreting option 2 above.
Lastly, I assuming my understanding is correct, I was thinking
X509_check_trust() allows for communicating this ‘out of band’ trust to OpenSSL
for vali
701 - 800 of 1641 matches
Mail list logo