Re: [openssl-users] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

2015-11-15 Thread Hooman Fazaeli
On 11/13/2015 5:10 PM, Emilia Käsper wrote: Hi all, We are considering removing from OpenSSL 1.1 known broken or outdated cryptographic primitives. As you may know the forks have already done this but I'd like to seek careful feedback for OpenSSL first to ensure we won't be breaking any major

[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi All, In an earlier version of OpenSSL (i.e. OpenSSL 1.0.1c) X509_verify_cert had a check *if (params->trust >0)* before invoking the check_trust function. This has been removed in OpenSSL 1.0.2d. Does it mean applications are expected to set the X509_VERIFY_PARAM properly? Our application works

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
On Sun, Nov 15, 2015 at 07:00:06PM +0530, Jayalakshmi bhat wrote: > In earlier version of OpenSSL (i.e OpenSSL 1.0.1c) X509_verify_cert had a > check * if (params->trust >0)* before invoking check_trust function. The OpenSSL source code is available via git:

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Viktor, Thank you for the response. This is the code snippet from OpenSSL 1.0.2d. int X509_verify_cert(X509_STORE_CTX *ctx) { /* we now have our chain, lets check it... */ i =

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
> On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat > wrote: > > This is code snippet from OpenSSL 1.0.1c > > int X509_verify_cert(X509_STORE_CTX *ctx) { > > > > > /* The chain

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Victor, Thanks a lot for the detailed explanation. Our device acts as a TLS/SSL client. The device receives a chain of certificates as part of the SSL handshake when it is trying to connect to a TLS/SSL server like SharePoint 365. While validating the certificate chain from the server, "*check_trust"

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Viktor Dukhovni
On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote: > > You should probably explain what you're doing, and in what way OpenSSL 1.0.2 > > (all upstream versions) is not working the way you expect. On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote: > Our device acts as

Re: [openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

2015-11-15 Thread Jayalakshmi bhat
Hi Victor, First thing, kindly note that I am talking about *OpenSSL-1.0.1c*, not about OpenSSL 1.0.2c. So far we were using *OpenSSL-1.0.1c* and server validation was working fine. Recently we upgraded the OpenSSL library to *OpenSSL-1.0.2d*. Also we have not done any modification to the SSL