On Wed, 10 Apr 2019 at 17:25, Benjamin Kaduk via openssl-users <
openssl-users@openssl.org> wrote:
> On Wed, Apr 10, 2019 at 12:13:27PM -0400, Dennis Clarke wrote:
>
> > Very odd. I thought that there were more at one point.
>
> The ones with truncated (8-byte) authentication tag are not intended
Hi All,
I haven't found a way to list the supported openssl ciphers from the
command line (i.e. get the list of potential values for -ciphersuites). I
understand that currently there are only 5 options however this could
change over time, so I wanted to avoid hard coding the list in a script. Am
On Tue, 19 Mar 2019 at 07:56, Swamy J-S wrote:
> Right now my code uses curl library with libcurl4 and gnuTLS as SSL
> backend. Am using many curl options such as CURLOPT_SSL_VERIFYPEER ,
>
If you use gnuTLS as your SSL backend then this is nothing to do with
openssl at all.
Kind Regards
Rich
On 14 February 2018 at 16:34, Matt Caswell <m...@openssl.org> wrote:
>
>
> On 14/02/18 16:27, Richard Moore wrote:
> > If I run the following:
> >
> > openssl-1.1.1pre1 ciphers -tls1_3 -v
>
> The man page says this about the "-tls1_3" option
If I run the following:
openssl-1.1.1pre1 ciphers -tls1_3 -v
Then I get lots of ciphers, for example AES128-SHA however the latest draft
TLS 1.3 RFC states:
The list of supported symmetric algorithms has been pruned of all
algorithms that are considered legacy. Those that remain all use
On 26 September 2017 at 02:36, Kyle Hamilton <aerow...@gmail.com> wrote:
> On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore <richmoor...@gmail.com>
> wrote:
> >
> > It's also worth pointing out that CAs are banned from running OCSP
> servers over HTTPS anyway and it
On 22 September 2017 at 15:08, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:
> Openssl 0.9.8 is old and obsolete and has security issues; you should
> upgrade.
>
>
>
> But even if you upgrade, the ocsp command will not listen on HTTPS; that
> is not supported.
>
>
>
It's also
Depends what information you need - if you just need a binary valid/not
valid then prune it first then verify. If you want a more fine grained data
set then don't. Write some code - forking and running openssl verify each
time will be insanely slow - don't do that. I doubt you really have a
On 3 November 2016 at 11:59, Peissert, Roland (ext) <
roland.peissert@siemens.com> wrote:
> 3. Next I download OpenSSL openssl-1.1.0b.tar.gz from here:
> http://www.openssl.org/source
>
Hi Bero,
Just based on the questions it sounds like you might be trying to port Qt.
I've already done this, and the branch is here:
https://github.com/richmoore/qtbase/commits/openssl11
It'll be added as a new backend once the configure changes that are
underway are completed. See
On 16 March 2016 at 22:39, Viktor Dukhovni
wrote:
> On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote:
> OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable
> with OPENSSL_NO_SSL2. The "OPENSSL_NO_..." macros specify disabled
> features, not
On 16 March 2016 at 22:58, Viktor Dukhovni <openssl-us...@dukhovni.org>
wrote:
> On Wed, Mar 16, 2016 at 10:52:39PM +, Richard Moore wrote:
>
> > On 16 March 2016 at 22:39, Viktor Dukhovni <openssl-us...@dukhovni.org>
> > wrote:
> >
> > > On Wed, M
On 14 March 2016 at 21:19, Oliver Niebuhr <googleers...@oliverniebuhr.de>
wrote:
> Am 14.03.2016 um 21:43 schrieb Richard Moore:
> > On 10 March 2016 at 04:42, Oliver Niebuhr <googleers...@oliverniebuhr.de
> > <mailto:googleers...@oliverniebuhr.de>> wrote:
>
On 10 March 2016 at 04:42, Oliver Niebuhr
wrote:
> Hello.
>
> I am using OpenSSL from within the Qt Project / QtWebEngine.
>
> The Qt Wiki says, the following Parameters are minimum recommended:
> no-ssl2 no-ssl3 no-idea no-mdc2 no-rc5
>
Please could you provide
On 2 December 2015 at 17:53, Ron Croonenberg wrote:
> So the idea is to use an object store on an isolated network and push and
> get objects out of it using https.
>
>
If network is fully isolated you could use plain text. Using 'https' and
null encryption is basically just
On 18 November 2015 at 17:57, Hubert Kario wrote:
> On Wednesday 18 November 2015 11:12:59 Benjamin Kaduk wrote:
> > On 11/18/2015 07:05 AM, Hubert Kario wrote:
> > > So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to
> > > support both relatively modern TLS with
On 16 November 2015 at 19:05, Hubert Kario wrote:
> Example: CAdES V1.2.2 was published in late 2000, the first serious
> attacks on MD2 were not published until 2004. I think it is not
> unreasonable for CAdES-A documents to exist today which were originally
> signed with MD2
There have always been special commands making s_client unsuitable for this
usage - for example R followed by a newline will renegotiate, and Q will
quit. According to the docs these can be disabled by -quiet and -ign_eof
though I've never tested that myself.
Cheers
Rich.
On 2 November 2015 at
On 2 November 2015 at 15:36, Richard Moore <richmoor...@gmail.com> wrote:
>
>
> On 2 November 2015 at 15:33, Jakob Bohm <jb-open...@wisemo.com> wrote:
>
>> On 02/11/2015 16:13, Richard Moore wrote:
>>
>> There have always been special commands ma
On 2 November 2015 at 15:33, Jakob Bohm <jb-open...@wisemo.com> wrote:
> On 02/11/2015 16:13, Richard Moore wrote:
>
> There have always been special commands making s_client unsuitable for
> this usage - for example R followed by a newline will renegotiate, and Q
>
On 21 August 2015 at 03:36, Salz, Rich rs...@akamai.com wrote:
Many of the changelogs have disappeared - for example try finding the
changelog between 0.9.8n and 0.9.8o on
https://www.openssl.org/news/changelog.html. This applies to lots of
other releases too.
Thanks.
It seems that the
On 14 August 2015 at 21:20, Salz, Rich rs...@akamai.com wrote:
We’re bringing up a new website this weekend. Please be patient if you
have problems. If you notice any broken links, let us know.
Many of the changelogs have disappeared - for example try finding the
changelog between 0.9.8n
On 27 July 2015 at 17:30, Andrew Carpenter andrewc...@gmail.com wrote:
Thanks again Richard for your help. I found out that I was using
std::string::append in my code, and that append stopped reading when it
reached a NULL byte in the signature(which is a valid byte given the hash
function)
On 24 July 2015 at 13:32, Andrew Carpenter andrewc...@gmail.com wrote:
So my question is: What format should the signature file be in?
base64? DER? PKCS7? raw binary? Specifically I am talking about the
function EVP_DigestVerifyFinal(), What format should the *sig parameter be
in? The
On 24 July 2015 at 19:30, Andrew Carpenter andrewc...@gmail.com wrote:
Well That's interesting. when I download and use your .sig file, I get
the same errors. How do you go about picking up your signature form the
file system?
Nothing special:
On 12 July 2015 at 03:31, Salz, Rich rs...@akamai.com wrote:
I'd be concerned about doing that. While this one seemed pretty rare --
only folks running a release less than 30 days old in production -- as a
general rule, it's impossible to tell. For example, we THINK that PSK
isn't used
On 30 June 2015 at 14:55, W. Michael Petullo m...@flyn.org wrote:
and a research prototype at:
https://www.flyn.org/projects/libtlssep/
The libtlssep website.
We would love to hear any constructive comments you might have, and would
be interested in hearing about any possibility
On 7 April 2015 at 17:49, Jakob Bohm jb-open...@wisemo.com wrote:
It also appears the HTTP/2.0 draft aka SPDY requires
compression to be enabled, though I don't know if that
is at the TLS or HTTP level.
HTTP/2 does not require TLS compression. It does however use it's own
compression for
On 26 March 2015 at 14:53, Philip Bellino pbell...@mrv.com wrote:
I am using OpenSSL-1.0.2a EVP routines to encrypt and decrypt passwords
with cipher des_ede3_cbc as follows:
Your design is fundamentally flawed. You should be hashing passwords using
bcrypt, pbkdf or similar not encrypting
On 6 March 2015 at 14:05, Christian Georg
christian.ge...@cologne-intelligence.de wrote:
The tricky part are the supported cipher suites. When using the -www
option I can return a website to the client showing the cipher suites that
provide a match, which gets pretty close to what I want in
I wrote a test using tlslite - only a few lines of code, so it should be
pretty easy to reproduce.
Rich.
On 27 February 2015 at 18:31, Brian Reichert reich...@numachi.com wrote:
I've found one on-line tester for CVE-2014-8730 here:
https://www.ssllabs.com/ssltest/
But, I was looking for
On 3 February 2015 at 22:02, Rich Salz rs...@openssl.org wrote:
As we've already said, we are moving to making most OpenSSL data
structures opaque. We deliberately used a non-specific term. :)
As of Matt's commit of the other day, this is starting to happen
now. We know this will
On 7 February 2015 at 17:22, Dr. Stephen Henson st...@openssl.org wrote:
On Sat, Feb 07, 2015, Richard Moore wrote:
I've documented what got broken in Qt by the changes so far. I've listed
the functions I think we can use instead where they exist, and those
where
there does not appear
On 8 February 2015 at 00:19, Matt Caswell m...@openssl.org wrote:
On 07/02/15 14:41, Richard Moore wrote:
On 3 February 2015 at 22:02, Rich Salz rs...@openssl.org
mailto:rs...@openssl.org wrote:
As we've already said, we are moving to making most OpenSSL data
structures
On 23 January 2015 at 15:04, Michael Wojcik michael.woj...@microfocus.com
wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Koehne Kai
Sent: Friday, January 23, 2015 04:03
To: openssl-users@openssl.org
Subject: Re: [openssl-users] missing default
The ones I can find are:
http://rt.openssl.org/Ticket/Display.html?id=3263
http://rt.openssl.org/Ticket/Display.html?id=2644
http://rt.openssl.org/Ticket/Display.html?id=3488
Two which seem to be suggesting the same fix. I'm also aware of bugs in
the Qt bug tracker, my work's internal bug
On 23 January 2015 at 17:22, Salz, Rich rs...@akamai.com wrote:
Thanks for the links. I understand it's a real issue. The concern is
will windows return EACCESS for cases when there really is access denied?
No, if it's file permissions you get EPERM. EACCESS is weirder things like
opening
but there
doesn't seem to be another way (unless someone can enlighten me).
Cheers
Rich.
On 28 December 2014 at 16:42, Richard Moore richmoor...@gmail.com wrote:
Hi All,
I'm trying to get some code to verify the signature of an OCSP response to
work properly and I'm hitting quite a few road blocks. I've
On 3 January 2015 at 21:45, Walter H. walte...@mathemainzel.info wrote:
On 03.01.2015 18:16, Richard Moore wrote:
I've now got this working, though to do so I seem to have to take the
certificates supplied in the OCSP response directly out of the certs field
of the OCSP_BASICRESP and add
Hi All,
I'm trying to get some code to verify the signature of an OCSP response to
work properly and I'm hitting quite a few road blocks. I've also been
talking
to the curl developers who are having the same problems and I wondered if
anyone can help us.
I've tried 3 different ways of handling
What I'd find useful would be a branch for me to test with so that I can
let you know areas where we're having to get into the guts of an openssl
structure right now that will be opaque in future. IIRC last time I tried
using the define to minimise the exposed api (I forget what it was called)
On 18 December 2014 at 02:08, Jerry OELoo oylje...@gmail.com wrote:
Hi Rich:
But why browser Chrome can show all certificate path? How did it do?
Thanks!
Browsers fix up mistakes like this in various ways - Firefox caches
intermediates and attempts to fix things by using them if the chain is
On 17 December 2014 at 08:08, Jerry OELoo oylje...@gmail.com wrote:
Hi All:
I am using openssl api to get website's certificate chain. Now, For
normal website, it works fine.
Now I encounter a website which certificate is expire,
https://soknad.sparebank1.no
The server is misconfigured and
On 11 December 2014 at 10:20, Thirumal, Karthikeyan kthiru...@inautix.co.in
wrote:
Dear team,
Can someone tell me why the error is happening as SSPI failed ? Am seeing
this new today and when I searched the internet - it says whenever there is
a BAD formed request or when there is no
On 25 October 2014 00:57, Andy Schmidt andrewrobertschm...@gmail.com
wrote:
Finally, the link you supplied requires a login. Are logins available
to the general public? ... But anyway I was not able to read the
information in that link, so I apologize for any obvious RTFM user
errors.
On 24 October 2014 09:16, Matt Caswell m...@openssl.org wrote:
I agree. This topic came up briefly at our recent OpenSSL team meeting
in Dusseldorf. I think there was a strong consensus within the team to
create a new name (probably with SSLv23_method #defined to point to
the new name). The
No objection at all. Perhaps it might be worth checking that the other
defaults are sane too at the same time though. e.g. x509 versions etc.
Rich.
On 8 September 2014 22:59, Salz, Rich rs...@akamai.com wrote:
We are considering changing the default keysize (RSA, DSA, DH) from 1K to
2K, and
On 20 May 2014 20:13, David Li dlipub...@gmail.com wrote:
So obviously my SSL_CTX object wasn't created properly. Now I have to
figure out what it means by library has no ciphers.
You haven't called the functions to initialise openssl.
Rich.
48 matches
Mail list logo