Re: openssl 1.0.2 with TLS 1.2

2019-10-22 Thread Salz, Rich via openssl-users
* I can’t find documentation on how to tell TLS where to look.

Not sure about 1.0.2, but “openssl version -a” should show you the CERT directory. BTW, that’s an old release, you should upgrade if possible.

openssl 1.0.2 with TLS 1.2

2019-10-22 Thread Anne M. Hammond
I built openssl 1.0.2 from the tar.gz file. I am trying to verify a connection, but TLS does not find the ca-bundle.crt unless it is on the command line:

/usr/local/openssl/bin/openssl s_client -showcerts -connect mta3.edu:25 -starttls smtp

New, TLSv1/SSLv3, Cipher is

Re: Should SSL_get_servername() depend on SNI callback (no-)ACK?

2019-10-22 Thread Stephen Farrell
Hiya,

On 22/10/2019 17:09, Yann Ylavic wrote:
> Sorry for the shortcut, by "tlsext_hostname" I meant the name of the
> field in SSL_SESSION_ASN1.
> My observation is that when browsers resume a session, s->hit is set
> but s->session->ext.hostname is NULL, which I interpret as no SNI
> found in

Re: Should SSL_get_servername() depend on SNI callback (no-)ACK?

2019-10-22 Thread Yann Ylavic
On Tue, Oct 22, 2019 at 5:09 PM Benjamin Kaduk wrote:
>
> There's some (additional?) discussion on this topic in
> https://github.com/openssl/openssl/pull/10018 . A couple comments inline,
> though...

Thanks, will look at it. More comment below too...

> On Tue, Oct 22, 2019 at 02:30:37PM

RE: openssl and external card reader support in TLS

2019-10-22 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> tobias.w...@t-systems.com
> Sent: Tuesday, October 22, 2019 07:03

> I need to implement support for the external authentication of a card reader
> within a
> TLS handshake. We did this already with PKCS11 using the

Re: Should SSL_get_servername() depend on SNI callback (no-)ACK?

2019-10-22 Thread Benjamin Kaduk via openssl-users
There's some (additional?) discussion on this topic in https://github.com/openssl/openssl/pull/10018 . A couple comments inline, though...

On Tue, Oct 22, 2019 at 02:30:37PM +0200, Yann Ylavic wrote:
> Hi,
>
> in master (and 1.1.1), SSL_get_servername() returns either
>

Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-22 Thread Dr Paul Dale
The FIPS module source code can’t be changed without losing validation.

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic Foundations
Phone +61 7 3031 7217
Oracle Australia

> On 22 Oct 2019, at 11:46 pm, Salman Baset wrote:
>
> Thank you very much. This is helpful. Will the

Re: OpenSSL 1.0.2 EOL and new FIPS-validated crypto module

2019-10-22 Thread Salman Baset
Thank you very much. This is helpful. Will the support also include any updates to the FIPS compatible part, or is that out of scope because any update essentially invalidates existing FIPS cert for potential use?

On Mon, Oct 21, 2019 at 11:56 AM Dr Paul Dale wrote:
> The EOL date for OpenSSL

openssl and external card reader support in TLS

2019-10-22 Thread Tobias.Wolf
I need to implement support for the external authentication of a card reader within a TLS handshake. We did this already with PKCS11 using the C_Sign function and it is working fine. Now I need to implement the same functionality in another use case with openssl for TLS handshake. My Question

Should SSL_get_servername() depend on SNI callback (no-)ACK?

2019-10-22 Thread Yann Ylavic
Hi,

in master (and 1.1.1), SSL_get_servername() returns either s->session->ext.hostname (when s->hit == 1), or s->ext.hostname (otherwise).

It seems, according to final_server_name(), that s->session->ext.hostname is set only:

if (sent && ret == SSL_TLSEXT_ERR_OK && (!s->hit ||

RE: OpenSSL compilation errors in Windows

2019-10-22 Thread Nagalakshmi V J
Hi Matt,

Could you please help to get any clue on the ACCESSOR APIs of the following. I tried searching APIs. Not getting exact matches. Referred the below links.

https://www.openssl.org/docs/man1.1.1/man3/SSL_set_info_callback.html
https://www.openssl.org/docs/man1.1.1/man3/EVP_md5.html

OpenSSL blog post by APNIC

2019-10-22 Thread Dr Paul Dale
An APNIC article loosely based on the OpenSSL presentation at AusCERT earlier this year:

https://blog.apnic.net/2019/10/21/openssl-3-0-accelerating-forwards/

Pauli
--
Dr Paul Dale | Distinguished Architect | Cryptographic