On 10/10/2018 13:55, RudyAC wrote:
Hello,
when verifying a signed email with CMS_verify() the verification failed.
That is not the main problem.
My problem is that the out data is empty. Using the library I got following
error:
OpenSSL Error code all:<772382878d>
OpenSSL Error co
As with essentially all open source software, there is no warranty with OpenSSL.
Having said that, people use the OpenSSL applications for all sorts of things,
including what you are doing.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
a client may resume with a different session, and therefore
prevent an observer from “linking” two different activities.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>The capi engine is still broken, however
That is windows-only, using the MSFT CryptoAPI.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>This begs the question: what does openssl_encrypt actually do with just a
> string
of random bytes passed as the "key". I can't find anything in the OpenSSL or
PHP/openssl source code that clearly identifies any particular action
There is no such name (git grep -I
* Gotcha. But why doesn't it work on Mac?
The CAPI engine uses Microsoft libraries that are part of windows.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>Gotcha. In that case why does it get built on Mac? I.e., why doesn’t the build
>process exclude it automatically?
Beats me. It ends up being a zero-length object file, more or less. Perhaps
Richard Levitte knows.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/m
)
Result: FAIL
make[1]: *** [_tests] Error 1
make: *** [tests] Error 2
I first ran:
./Configure --prefix=/usr/local shared darwin64-x86_64-cc
enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3
then
make depend
then: make test
macOS X 10.7.5
Any suggestions?
Thanks,
James.--
openssl-users mailing
t 1:04 PM, Viktor Dukhovni
mailto:openssl-us...@dukhovni.org>> wrote:
On Sep 16, 2018, at 11:44 AM, Murugaiyan Perumal via openssl-users
mailto:openssl-users@openssl.org>> wrote:
dso_dlfcn.c:84:12: fatal error: dlfcn.h: No such file or directory
# include
http://w
if by land, two if by sea, three if by the Internet."
On Sep 17, 2018, at 4:20 PM, Neil Craig
mailto:neil.cr...@bbc.co.uk>> wrote:
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don¹t see an error
when running
It's hard enough for the openssl team to document the basic config/build
things, let alone all the operating systems and vendor-supplied stuff.
Perhaps a wiki page, that the community could help maintain?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
>The users who delay or block automatic updates tend to greatly overlap
with the users who actively block remote telemetry of their update
habits, thus skewing such statistics of "get almost full coverage within
a month or two".
But not downloads. :)
Shrug.
--
On 29/12/2018 14:19, C.Wehrmeyer wrote:
I don't have access to the actual testing environments until Wednesday
next year, so I've had to create a private account.
> Which version of OpenSSL is this? (I don't remember if you said this
> already).
I'm not entirely sure, but I *think* it's
On 29/12/2018 07:42, carabiankyi wrote:
Thanks for your advice.
I get early data when I configure nginx ssl_early_data on.
But I only get early data for get method.
When using post method, the server terminate connection. Is it related
with openssl? If so, how can I do to allow post method
tion now.
PKCS#7 also known as CMS or (in OpenSSL) SMIME, doesn't just pad. It
generates a random key and encrypts it with the recipients key (usually
a public key from a certificate, but there may be a symmetric variant).
Thus to do PKCS#7 with OpenSSL, you need to use the "
y on rails
[
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> I didn't bother looking up what freeing entails - it's obvious to
> anyone at this point that OpenSSL is a severe victim of feature creep,
> that its memory allocation scheme is a mess, and long story short: I
> will NOT free a perfectly fine object just because of
* But I only get early data for get method.
* When using post method, the server terminate connection. Is it related
with openssl? If so, how can I do to allow post method?
Early data can be replayed. It is only safe to use early data when the request
is idempotent, like GET. You
rts NUL bytes at the end of each array, changing
sizeof(array) as well as cache access patterns (and thus side
channel effects).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion
Look at the tricks openssl has to do in order to properly zeroized memory and
avoid having the compiler optimize it away.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> On Jan 7, 2019, at 11:52, Chris Fernando via openssl-users
> wrote:
>
>>
>> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
>> wrote:
>>
>> I perused the list archives for all of 2018 and did not see anything current
>> relat
eed and open an issue on github? Yes, this
would be a bug-fix because "going opaque" made some things not possible.
Thanks.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
.
As explained above, most of that storage infrastructure is in
fact in place, but the major e-mail clients lack the code to use
it. For example the "openssl cms" command (used by some unix mail
clients, such as Mutt) doesn't have an option to specify the "as of"
date extracted from
sed using an
OpenSSL "engine" plugin, if instead you are inserting code in NGINX
to hand over the complete SSL/TLS record processing to the hardware,
then a different approach is needed.
OpenSSL Crypto Engines are not limited to SSL/TLS but can be used
for other tasks using the OpenSSL libcr
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* [root@puoasvorsr07 ~]# openssl version
* OpenSSL 1.1.1 FIPS 11 Sep 2018
Is that a version you built yourself, or from RedHat? I believe it is RedHat’s
version, which did their own FIPS work.
The OpenSSL FIPS module is starting development.
--
openssl-users mailing list
lly
the PKCS#7 formats) allow almost unlimited file size, and any 2GiB limit is
probably an artifact of either the openssl command line tool or some of the
underlying OpenSSL libraries.
It would be interesting to hear from someone familiar with that part of the
OpenSSL API which calls to use to actually
Hi everyone,
I have been following OpenSSL blog and know that work on new OpenSSL FIPS
module has started. Current FIPS module (v.2) has end of life (December 2019)
and I assume that new FIPS module will be by that time. but can someone tell
me - is there are approximate dates
s
> the same.
>
> Please let us know if this is an expected behavior or something should be
> done to improve the above observation.
>
> With Regards,
> Prateep
>
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ommand line makes no sense (no output file, wrong argument
count, auto with unrecognized file extension). Ideally this
would be in the common perl module(s), not in individual
assembler files.
Remember that keeping every patch easily audited by the wider
community is essential to the trustworthiness
* Please find the above previous mail.
I am not sure what this means. I guess you are referring to earlier email in
the thread. I gave you my suggestion, good luck.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* Please let me know if we have any update on this.
This is a volunteer effort. :)
My *GUESS* is that the CRL data isn’t sorted, and it’s doing a linear search.
You should profile the code to find out where, exactly, all the time is being
spent.
--
openssl-users mailing list
On 10/12/2018 11:30, Hemant Ranvir wrote:
Dear all,
After extracting openssl-1.1.1.tar.gz, openssl can be configured
without asm by passing no-asm flag during config command.
The expanded key can be obtained like follows:
//Getting expanded key from inside openssl
//Copied from crypto
On 10/12/2018 14:41, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Michael Ströder
Sent: Saturday, December 08, 2018 06:59
On 12/7/18 11:44 PM, Michael Wojcik wrote:
Homograph attacks combined with phishing would be much cheaper and
easier
of unused bits) for a 2048bits RSA
key with 16 custom bytes.
That’s perfectly normal for OpenSSL to refuse to load that beast, and for
asn1parse to return errors (the first bytes do not represent a correct DER
encoding of anything).
Think of it as « I took a Jpeg file, replaced some bytes
want
Cordialement,
Erwann Abalea
De : prithiraj das
Date : lundi 17 décembre 2018 à 08:23
À : Erwann Abalea , "openssl-users@openssl.org"
Objet : Re: [openssl-users] RSA Public Key error
Hi Erwann/All,
Thank you for your earlier response. I have done a couple of tests on the
| Network Security & Encryption
Phone +61 7 3031 7217
Oracle Australia
From: Alibek Jorajev via openssl-users [mailto:openssl-users@openssl.org]
Sent: Tuesday, 18 December 2018 8:10 PM
To: openssl-users@openssl.org
Subject: [openssl-users] FIPS module v3
Hi everyone,
I have been following Ope
If all you need is RSA then you will probably find it easier to write a
makefile of your own. You will have to do multiple builds to get all the
missing pieces, such as the BN facility, the memory allocation, the error
stack, etc.
--
openssl-users mailing list
To unsubscribe: https
retend to be either side.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Putting the DNS name in the CN part of the subjectDN has been deprecated for a
very long time (more than 10 years), although it is still supported by many
existing browsers. New certificates should only use the subjectAltName
extension.
--
openssl-users mailing list
To unsubscribe: https
> >. New certificates should only use the subjectAltName extension.
>Are any CAs actually doing that? I thought they all still included
> subject.CN.
Yes, I think commercial CA's still do it. But that doesn't make my statement
wrong :)
--
openssl-users
Hi All,
The 32bit OpenSSL 1.1.0i library 'libeay32.dll' fails for binscope GSCheck on
Windows.
E:\libeay32.dll: error BA2022: libeay32.dll was compiled with the following
modules for which a language could not be identified. Ensure these were
compiled with debug information and run BinScope
hat would suggest to the user that the problem might be an issue
> with the trust store.
>
My .02: The message "Self-signed certificate in certificate chain"
does make it sound like OpenSSL rejected the certificate precisely
because it's self signed, and not because it's an u
Perhaps you can build a trust store to handle your needs. I am not sure.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
the source to support it,
however.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
releases
if any to change the text, since the change may cause issues
for some users.
Sure, this is always a concern. Maybe the change could be considered for
OpenSSL 3.0, since that's a major release.
Care to create a PR against the "master" branch? Something
along the lines of:
> >
> > > I agree the text could be better, but not sure in what releases
> > > if any to change the text, since the change may cause issues
> > > for some users.
> >
> > Sure, this is always a concern. Maybe the change could be
> > considered f
On 05/12/2018 00:50, Viktor Dukhovni wrote:
On Tue, Dec 04, 2018 at 04:15:11PM +0100, Jakob Bohm via openssl-users wrote:
Care to create a PR against the "master" branch? Something
along the lines of:
"Provided chain ends with untrusted self-signed certificate&quo
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
experts.
[ Also, FWIW, Firefox uses the "nss" library, not OpenSSL. ]
However Firefox code also contains lots of idiotic usability bugs,
even in the code that talks to the TLS stack. It is quite possible
that the "OCSP must be on" rule is another bad usability hangover
On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security. So
:
...
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 28/11/2018 23:42, Jonathan Larmour wrote:
On 28/11/18 21:41, Daniel Kahn Gillmor wrote:
On Wed 2018-11-28 19:54:34 +, Jonathan Larmour wrote:
On 28/11/18 17:02, Matt Caswell wrote:
Please see the following blog post about OpenSSL Versioning and License:
https://www.openssl.org/blog
Hello,I am working on a small homework which requires convert pvk private key
to PKCS#8 format. The code is based on OpenSSL 1.0.2. I can get pvk private key
components (Public exponent, modulus, prime1, prime2, exponent1, exponent2,
coefficient, private exponent) properly, and convert
Hi Wim,Thank you for your quick response.1. Yes. I called EVP_PKEY_new()
before calling EVP_PKEY_assign_RSA(pEvpkey, rsa);
2. For your second quetion: no. I have not checked there is anything in the
openssl error stack.
I will check the openssl error stack.
3. (1). If it works
>For example, I want the string "SSL_R_TOO_MANY_WARN_ALERTS" for an
error with that value, not just the "too many alerts" description.
You're correct, it's not done.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* BIGNUM structure also has been made opaque. How to refer the members of
BIGNUM structure like bn->top ?
You cannot. That is the definition of “opaque structure.” :) Why do you need
to access “top” ?
* And I don't see this API implementation ""lh_OPENSSL_CSTRING_new
n CBC mode.
On 20/11/2018 10:54, ASHIQUE CK wrote:
Hi,
Any replys ?
On Mon, Nov 19, 2018 at 11:39 AM ASHIQUE CK <mailto:ckashique...@gmail.com>> wrote:
Also I use OpenSSL 1.1.0h.
On Mon, Nov 19, 2018 at 11:36 AM ASHIQUE CK
mailto:ckashique...@gmail.com>> wrote:
N
* I am unable to get the API to access bn->top value or any bn members in
openssl 1.1.1 .
Can you help me with the pointers to those APIs ?
They do not exist. This is the first time someone has asked for them. You
will need to open an issue on GitHub, and explain *why* you need acc
On 25/11/2018 22:30, Viktor Dukhovni wrote:
On Nov 25, 2018, at 4:23 PM, Jeremy Harris wrote:
That isn't the package name, it is text defined in openssl/opensslv.h
That happens when "OPENSSL_FIPS" is defined:
# define OPENSSL_VERSION_NUMBER 0x101000b0L
# ifdef OP
Hi,
The ability of a TLS client to optionally send a list of trusted
CAs to the TLS server is not new in TLS 1.3.
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
unique
numbers for fast lookup during application load.
There is a source file in OpenSSL giving the assigned numbers.
You will need to add numbers for you additional exports, and
deal with the risk that a future OpenSSL release uses that
number for something else.
Enjoy
Jakob
--
Jakob Bohm, CIO
If GSCheck is just a tool to check if you remembered to build
code with the buffer overflow checks that Microsoft C can
insert, then you should just treat this as a warning that the
tool doesn't know how to check code from other compilers (in
this case the manual work of the OpenSSL team).
On 28
On Wed, Nov 28, 2018 at 08:48:10PM +, Jeremy Harris wrote:
> OpenSSL 1.1.1 FIPS 11 Sep 2018
> RHEL 8.0 beta
>
> Using SSL_CTX_set_tlsext_servername_callback()
> when the called routine returns SSL_TLSEXT_ERR_NOACK
> I was expecting the handshake to fail. It carrie
This was discussed around when OpenSSL first talked about the project. You
might find it worth reading the various blog entries (and comment/responses)
https://www.openssl.org/blog/blog/categories/license/ One thing to note is that
cryptography can be a patent minefield, and the patent
>My question: How can I make LibOpenSSL-1.0.2g to send a ServerHello to the
>Client on demand? The socket should not close, nor perform a renegotiation.
You have to shutdown and restart the TLS layer. You cannot send arbitrary
ServerHello messages, it’s a protocol violation.
--
o
On 26/11/2018 20:04, Viktor Dukhovni wrote:
On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users
wrote:
In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.
So I would suggest that any OpenSSL API to control that feature in
TL
I would expect that smartphone clients might want to prioritize CHACHA over
AES, but I don't think Node cares about that environment.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 10/01/2019 18:00, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate and use client authentication
On 04/01/2019 22:04, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Jordan Brown
Sent: Friday, January 04, 2019 13:16
If you want to, what you want is something like:
int fd;
do {
fd = open("/dev/null&quo
liar with Windows & compiling Open Source projects, but I am
having no trouble on Linux with OpenSSL + FIPS. On Windows, with Visual Studio
2017 (Community Edition), I am able to compile the FIPS 2.0.16 module and
OpenSSL 1.0.2q (NO FIPS) without issue.
When I try to compile OpenSSL with the FIPS canis
Small corrections below:
On 07/01/2019 19:31, Steffen Nurpmeso wrote:
...
|> That is really bad. Of course you had to do it like this, and you
|> surely have looked around to see what servers and other software
|> which use OpenSSL do with
>
> On Jan 7, 2019, at 09:20, Chris Fernando via openssl-users
> wrote:
>
> I perused the list archives for all of 2018 and did not see anything current
> relating to this problem, so if this is a question that has been asked &
> answered, please feel free to
On 07/01/2019 22:26, Jordan Brown wrote:
[ Off topic for OpenSSL... ]
On 1/7/2019 8:06 AM, Jakob Bohm via openssl-users wrote:
A chroot with no other reason to open /dev/null should not contain that
file name, even on unix-like platforms (least privilege chroot design).
There's always
On 07/01/2019 22:31, Steffen Nurpmeso wrote:
> Good evening.
>
> Jakob Bohm via openssl-users wrote in <95bceb59-b299-015a-f9c2-e2487a699\
> 8...@wisemo.com>:
> |Small corrections below:
> | ...
Note that I do not represent the project at all, I am just another
.
Cheers
Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org
On 03/01/2019, 11:02, "openssl-users on behalf of Matt Caswell"
wrote:
On 03/01/2019 10:31, Neil Craig wrote:
Hi all
Does anyon
Two of the more common causes of cron failure are
- Environment variable missing or has different value (PATH etc)
- File permissions are different if running under root vs normal
interactive user.
Hope that helps.
--
openssl-users mailing list
To unsubscribe: https
On 02/01/2019 11:18, Dennis Clarke wrote:
On 1/2/19 5:14 AM, Jakob Bohm via openssl-users wrote:
On 02/01/2019 10:41, Matt Caswell wrote:
On 27/12/2018 08:37, Dmitry Belyavsky wrote:
Hello,
Am I right supposing that local variables tmp1, tmp2, iv1, and iv2
are unused in
this function
.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing
Jakob - you’re a star! Thanks so much, your suggestion works. So I added
https://mta.openssl.org/mailman/listinfo/openssl-users
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 10/01/2019 19:55, Corey Minyard wrote:
On 1/10/19 11:00 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
Behalf Of Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate
Great idea; https://github.com/openssl/web/issues/101
On 12/28/18, 12:39 AM, "Jakob Bohm via openssl-users"
wrote:
Consider at least including the one-line manpage summaries on the index
pages (the ones displayed by the apropos command on POSIX systems).
--
openssl-use
our goal, as stated.--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi,Am trying to build the openssl source for QNX 6.5/6.6 OS. I have tried to
build after the instructions given in internet.
1. QNX 6.6 build environment variable is set. 2. Executed below command.
sh-3.1$ ./Configure QNX6 shared --prefix=./qnx660/release
--openssldir=./qnx660/release
3. make
Much work for little gain and purpose.
You can mix drafts, but mixing the draft and the official version is hard,
there's too many semantic changes (e.g., around fallback vs
no-fallback-protection).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
This is factually incorrect; the TLS values are lower than the FIPS values, for
example. And also, what “everyone in the know” has always stated isn’t really
true any more.
It would be nice to keep politics out of this list.
--
openssl-users mailing list
To unsubscribe: https
two, for example. Edge hasn't shipped TLS 1.3
yet. Safari encourages auto-update. That's most of the browser market.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Wed, Sep 12, 2018 at 03:50:17PM +0200, Klaus Keppler wrote:
> Hi,
>
> when I create a TLS-1.3-only "web" server with s_server (from OpenSSL
> 1.1.1-release), Firefox/Chrome can't access it.
> According to all docs I've read so far, the TLS 1.3 implementations
; > Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server
> > -max_protocol TLSv1.3 -no_comp -rev -engine ossltest -ext_cache -accept
> > [::1]:0 -cert ../../apps/server.pem -cert2 ../../apps/server.pem -naccept 1
> > -cipher AES128-SHA -ciphersuites TLS_AES_128_GCM_
On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote:
> On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
> wrote:
> > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote:
> On 13/09/2018 09:57, Klaus Keppler wrote:
> >Hi,
> >
> >thank you for all your responses.
> >
> >I've just tested with Firefox Nightly 64.0a1, and both s_server and our
> >own app (using
Since this seems to be a certificate issue, would it be possible
to make the server log all the certificate checking steps and
errors with the failing certificates.
One obvious test would be to try connecting to the "openssl s_server"
utility with a similar configuration and lot
On 02/04/2019 10:44, Matt Caswell wrote:
On 01/04/2019 22:23, Steffen wrote:
Hello,
I believe that I have narrowed the problem down to one specific version of
OpenSSL. Version 1.1.0b works as expected while OpenSSL 1.1.0c does not.
Using the cert/data files you provided me off-list (thanks
On 25/03/2019 22:53, sebastien wrote:
hi
in a terminal I've got this error with
|openssl version openssl: /usr/lib/x86_64-linux-gnu/libssl.so.1.1:
version `OPENSSL_1_1_1' not found (required by openssl) openssl:
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1'
not found
>This software however is 7 years old, we’re not in a position to drop
> everything and rewrite it.
Then don't upgrade? If it's for a CA you don't need TLS 1.3 for example.
Or take the existing OpenSSL code that works and jam it into the current
release.
On 03/04/2019 22:16, Jeremy Harris wrote:
On 02/04/2019 17:03, Viktor Dukhovni wrote:
Does the server have a temporally stable ticket decryption key?
Is this Exim? Is the server's SSL_CTX persistent and shared
across multiple connections?
Ah, right. Unlike GnuTLS, the STEK is tied to the
Hello,
I want to use OpenSSL to create an X509 request where the signature has
been calculated by an external device (ATMEL ATECC508A). With OpenSSL
1.0 I used
X509_REQ *req;
req = X509_REQ_new();
algor = X509_ALGOR_new();
algor->algorithm = OBJ_nid2
expired, but nobody really
trusts private algorithms any more. There’s too much good stuff readily
available.
To answer your other question: OpenSSL is covered by the Apache license and any
contributions should also use the same license or they will not be accepted.
And cryptography
901 - 1000 of 1635 matches
Mail list logo