Re: Listing TLS 1.3 Ciphers

On Wed, 10 Apr 2019 at 17:25, Benjamin Kaduk via openssl-users < openssl-users@openssl.org> wrote: > On Wed, Apr 10, 2019 at 12:13:27PM -0400, Dennis Clarke wrote: > > > Very odd. I thought that there were more at one point. > > The ones with truncated (8-byte) authentication tag are not intended

Listing TLS 1.3 Ciphers

Hi All, I haven't found a way to list the supported openssl ciphers from the command line (i.e. get the list of potential values for -ciphersuites). I understand that currently there are only 5 options however this could change over time, so I wanted to avoid hard coding the list in a script. Am

Re: cURL with openSSL 1.1.1 version

On Tue, 19 Mar 2019 at 07:56, Swamy J-S wrote: > Right now my code uses curl library with libcurl4 and gnuTLS as SSL > backend. Am using many curl options such as CURLOPT_SSL_VERIFYPEER , > If you use gnuTLS as your SSL backend then this is nothing to do with openssl at all. Kind Regards Rich

Re: [openssl-users] Openssl 1.1 / TLS 1.3

On 14 February 2018 at 16:34, Matt Caswell <m...@openssl.org> wrote: > > > On 14/02/18 16:27, Richard Moore wrote: > > If I run the following: > > > > openssl-1.1.1pre1 ciphers -tls1_3 -v > > The man page says this about the "-tls1_3" option

[openssl-users] Openssl 1.1 / TLS 1.3

If I run the following: openssl-1.1.1pre1 ciphers -tls1_3 -v Then I get lots of ciphers, for example AES128-SHA however the latest draft TLS 1.3 RFC states: The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

On 26 September 2017 at 02:36, Kyle Hamilton <aerow...@gmail.com> wrote: > On Fri, Sep 22, 2017 at 9:32 AM, Richard Moore <richmoor...@gmail.com> > wrote: > > > > It's also worth pointing out that CAs are banned from running OCSP > servers over HTTPS anyway and it

Re: [openssl-users] How can I sstart openssl ocsp in secure mode using TLS/SSL

On 22 September 2017 at 15:08, Salz, Rich via openssl-users < openssl-users@openssl.org> wrote: > Openssl 0.9.8 is old and obsolete and has security issues; you should > upgrade. > > > > But even if you upgrade, the ocsp command will not listen on HTTPS; that > is not supported. > > > ​It's also

Re: [openssl-users] openssl verify with 1B certificates

Depends what information you need - if you just need a binary valid/not valid then prune it first then verify. If you want a more fine grained data set then don't. Write some code - forking and running openssl verify each time will be insanely slow - don't do that. I doubt you really have a

Re: [openssl-users] OpenSSL with Qt5 on Win7

On 3 November 2016 at 11:59, Peissert, Roland (ext) < roland.peissert@siemens.com> wrote: > 3. Next I download OpenSSL openssl-1.1.0b.tar.gz from here: > http://www.openssl.org/source >

Re: [openssl-users] Porting to OpenSSL 1.1

Hi Bero, Just based on the questions it sounds like you might be trying to port Qt. I've already done this, and the branch is here: https://github.com/richmoore/qtbase/commits/openssl11 It'll be added as a new backend once the configure changes that are underway are completed. See

Re: [openssl-users] About no-ssl2

On 16 March 2016 at 22:39, Viktor Dukhovni wrote: > On Wed, Mar 16, 2016 at 11:32:28PM +0100, Michel wrote: > OpenSSL 1.1.0 has no vestigial SSLv2 code, and so nothing to disable > with OPENSSL_NO_SSL2. The "OPENSSL_NO_..." macros specify disabled > features, not

Re: [openssl-users] About no-ssl2

On 16 March 2016 at 22:58, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: > On Wed, Mar 16, 2016 at 10:52:39PM +, Richard Moore wrote: > > > On 16 March 2016 at 22:39, Viktor Dukhovni <openssl-us...@dukhovni.org> > > wrote: > > > > > On Wed, M

Re: [openssl-users] [Question] What are the current secure Configure Parameter?

On 14 March 2016 at 21:19, Oliver Niebuhr <googleers...@oliverniebuhr.de> wrote: > Am 14.03.2016 um 21:43 schrieb Richard Moore: > > On 10 March 2016 at 04:42, Oliver Niebuhr <googleers...@oliverniebuhr.de > > <mailto:googleers...@oliverniebuhr.de>> wrote: >

Re: [openssl-users] [Question] What are the current secure Configure Parameter?

On 10 March 2016 at 04:42, Oliver Niebuhr wrote: > Hello. > > I am using OpenSSL from within the Qt Project / QtWebEngine. > > The Qt Wiki says, the following Parameters are minimum recommended: > no-ssl2 no-ssl3 no-idea no-mdc2 no-rc5 > ​Please could you provide

Re: [openssl-users] explicitly including other ciphers.

On 2 December 2015 at 17:53, Ron Croonenberg wrote: > So the idea is to use an object store on an isolated network and push and > get objects out of it using https. > > ​If network is fully isolated you could use plain text. Using 'https' and null encryption is basically just

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On 18 November 2015 at 17:57, Hubert Kario wrote: > On Wednesday 18 November 2015 11:12:59 Benjamin Kaduk wrote: > > On 11/18/2015 07:05 AM, Hubert Kario wrote: > > > So, a full CAdES-A, XAdES-A or PAdES-A implementation _needs_ to > > > support both relatively modern TLS with

Re: [openssl-users] [openssl-dev] Removing obsolete crypto from OpenSSL 1.1 - seeking feedback

On 16 November 2015 at 19:05, Hubert Kario wrote: > Example: CAdES V1.2.2 was published in late 2000, the first serious > attacks on MD2 were not published until 2004. I think it is not > unreasonable for CAdES-A documents to exist today which were originally > signed with MD2

Re: [openssl-users] s_server (and maybe s_client) misbehaves with binary data

There have always been special commands making s_client unsuitable for this usage - for example R followed by a newline will renegotiate, and Q will quit. According to the docs these can be disabled by -quiet and -ign_eof though I've never tested that myself. Cheers Rich. On 2 November 2015 at

Re: [openssl-users] s_server (and maybe s_client) misbehaves with binary data

On 2 November 2015 at 15:36, Richard Moore <richmoor...@gmail.com> wrote: > > > On 2 November 2015 at 15:33, Jakob Bohm <jb-open...@wisemo.com> wrote: > >> On 02/11/2015 16:13, Richard Moore wrote: >> >> There have always been special commands ma

Re: [openssl-users] s_server (and maybe s_client) misbehaves with binary data

On 2 November 2015 at 15:33, Jakob Bohm <jb-open...@wisemo.com> wrote: > On 02/11/2015 16:13, Richard Moore wrote: > > There have always been special commands making s_client unsuitable for > this usage - for example R followed by a newline will renegotiate, and Q >

Re: [openssl-users] [openssl-announce] Website changing this weekend

On 21 August 2015 at 03:36, Salz, Rich rs...@akamai.com wrote: Many of the changelogs have disappeared - for example try finding the changelog between 0.9.8n and 0.9.8o on https://www.openssl.org/news/changelog.html. This applies to lots of other releases too. Thanks. It seems that the

Re: [openssl-users] [openssl-announce] Website changing this weekend

On 14 August 2015 at 21:20, Salz, Rich rs...@akamai.com wrote: We’re bringing up a new website this weekend. Please be patient if you have problems. If you notice any broken links, let us know. ​Many of the changelogs have disappeared - for example try finding the changelog between 0.9.8n

Re: [openssl-users] Verifying a signature - format problems

On 27 July 2015 at 17:30, Andrew Carpenter andrewc...@gmail.com wrote: Thanks again Richard for your help. I found out that I was using std::string::append in my code, and that append stopped reading when it reached a NULL byte in the signature(which is a valid byte given the hash function)

Re: [openssl-users] Verifying a signature - format problems

On 24 July 2015 at 13:32, Andrew Carpenter andrewc...@gmail.com wrote: So my question is: What format should the signature file be in? base64? DER? PKCS7? raw binary? Specifically I am talking about the function EVP_DigestVerifyFinal(), What format should the *sig parameter be in? The

Re: [openssl-users] Verifying a signature - format problems

On 24 July 2015 at 19:30, Andrew Carpenter andrewc...@gmail.com wrote: Well That's interesting. when I download and use your .sig file, I get the same errors. How do you go about picking up your signature form the file system? ​Nothing special:

Re: [openssl-users] Vulnerability Disclosures

On 12 July 2015 at 03:31, Salz, Rich rs...@akamai.com wrote: I'd be concerned about doing that. While this one seemed pretty rare -- only folks running a release less than 30 days old in production -- as a general rule, it's impossible to tell. For example, we THINK that PSK isn't used

Re: [openssl-users] libtlssep

On 30 June 2015 at 14:55, W. Michael Petullo m...@flyn.org wrote: and a research prototype at: https://www.flyn.org/projects/libtlssep/ The libtlssep website. We would love to hear any constructive comments you might have, and would be interested in hearing about any possibility

Re: [openssl-users] removing compression?

On 7 April 2015 at 17:49, Jakob Bohm jb-open...@wisemo.com wrote: It also appears the HTTP/2.0 draft aka SPDY requires compression to be enabled, though I don't know if that is at the TLS or HTTP level. HTTP/2 does not require TLS compression. It does however use it's own compression for

Re: [openssl-users] Encryption length, OpenSSL_add_all_algorithms, and OpenSSL_add_all_ciphers questions

On 26 March 2015 at 14:53, Philip Bellino pbell...@mrv.com wrote: I am using OpenSSL-1.0.2a EVP routines to encrypt and decrypt passwords with cipher des_ede3_cbc as follows: Your design is fundamentally flawed. You should be hashing passwords using bcrypt, pbkdf or similar not encrypting

Re: [openssl-users] Getting info on the ciphers supported by a client

On 6 March 2015 at 14:05, Christian Georg christian.ge...@cologne-intelligence.de wrote: The tricky part are the supported cipher suites. When using the -www option I can return a website to the client showing the cipher suites that provide a match, which gets pretty close to what I want in

Re: [openssl-users] has anyone developed a standalone test for CVE-2014-8730?

I wrote a test using tlslite - only a few lines of code, so it should be pretty easy to reproduce. Rich. On 27 February 2015 at 18:31, Brian Reichert reich...@numachi.com wrote: I've found one on-line tester for CVE-2014-8730 here: https://www.ssllabs.com/ssltest/ But, I was looking for

Re: [openssl-users] [openssl-dev] The evolution of the 'master' branch

On 3 February 2015 at 22:02, Rich Salz rs...@openssl.org wrote: As we've already said, we are moving to making most OpenSSL data structures opaque. We deliberately used a non-specific term. :) As of Matt's commit of the other day, this is starting to happen now. We know this will

Re: [openssl-users] [openssl-dev] The evolution of the 'master' branch

On 7 February 2015 at 17:22, Dr. Stephen Henson st...@openssl.org wrote: On Sat, Feb 07, 2015, Richard Moore wrote: I've documented what got broken in Qt by the changes so far. I've listed the functions I think we can use instead where they exist, and those where there does not appear

Re: [openssl-users] [openssl-dev] The evolution of the 'master' branch

On 8 February 2015 at 00:19, Matt Caswell m...@openssl.org wrote: On 07/02/15 14:41, Richard Moore wrote: On 3 February 2015 at 22:02, Rich Salz rs...@openssl.org mailto:rs...@openssl.org wrote: As we've already said, we are moving to making most OpenSSL data structures

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

On 23 January 2015 at 15:04, Michael Wojcik michael.woj...@microfocus.com wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Koehne Kai Sent: Friday, January 23, 2015 04:03 To: openssl-users@openssl.org Subject: Re: [openssl-users] missing default

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

The ones I can find are: http://rt.openssl.org/Ticket/Display.html?id=3263 http://rt.openssl.org/Ticket/Display.html?id=2644 http://rt.openssl.org/Ticket/Display.html?id=3488 Two which seem to be suggesting the same fix. I'm also aware of bugs in the Qt bug tracker, my work's internal bug

Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

On 23 January 2015 at 17:22, Salz, Rich rs...@akamai.com wrote: Thanks for the links. I understand it's a real issue. The concern is will windows return EACCESS for cases when there really is access denied? No, if it's file permissions you get EPERM. EACCESS is weirder things like opening

Re: [openssl-users] Problems verifying OCSP signatures

but there doesn't seem to be another way (unless someone can enlighten me). Cheers Rich. On 28 December 2014 at 16:42, Richard Moore richmoor...@gmail.com wrote: Hi All, I'm trying to get some code to verify the signature of an OCSP response to work properly and I'm hitting quite a few road blocks. I've

Re: [openssl-users] Problems verifying OCSP signatures

On 3 January 2015 at 21:45, Walter H. walte...@mathemainzel.info wrote: On 03.01.2015 18:16, Richard Moore wrote: I've now got this working, though to do so I seem to have to take the certificates supplied in the OCSP response directly out of the certs field of the OCSP_BASICRESP and add

[openssl-users] Problems verifying OCSP signatures

Hi All, I'm trying to get some code to verify the signature of an OCSP response to work properly and I'm hitting quite a few road blocks. I've also been talking to the curl developers who are having the same problems and I wondered if anyone can help us. I've tried 3 different ways of handling

Re: [openssl-users] OpenSSL Release Strategy and Blog

What I'd find useful would be a branch for me to test with so that I can let you know areas where we're having to get into the guts of an openssl structure right now that will be opaque in future. IIRC last time I tried using the define to minimise the exposed api (I forget what it was called)

Re: [openssl-users] Why can not get certificate chain if certificate expire

On 18 December 2014 at 02:08, Jerry OELoo oylje...@gmail.com wrote: Hi Rich: But why browser Chrome can show all certificate path? How did it do? Thanks! Browsers fix up mistakes like this in various ways - Firefox caches intermediates and attempts to fix things by using them if the chain is

Re: [openssl-users] Why can not get certificate chain if certificate expire

On 17 December 2014 at 08:08, Jerry OELoo oylje...@gmail.com wrote: Hi All: I am using openssl api to get website's certificate chain. Now, For normal website, it works fine. Now I encounter a website which certificate is expire, https://soknad.sparebank1.no The server is misconfigured and

Re: [openssl-users] Error: A call to SSPI failed ...

On 11 December 2014 at 10:20, Thirumal, Karthikeyan kthiru...@inautix.co.in wrote: Dear team, Can someone tell me why the error is happening as SSPI failed ? Am seeing this new today and when I searched the internet - it says whenever there is a BAD formed request or when there is no

Re: constant_time_test.c fails to compile on SuSE Enterprise Server 10 32-bit

On 25 October 2014 00:57, Andy Schmidt andrewrobertschm...@gmail.com wrote: Finally, the link you supplied requires a login. Are logins available to the general public? ... But anyway I was not able to read the information in that link, so I apologize for any obvious RTFM user errors.

Re: Can SSL_v23_method be renamed or have additional name assigned?

On 24 October 2014 09:16, Matt Caswell m...@openssl.org wrote: I agree. This topic came up briefly at our recent OpenSSL team meeting in Dusseldorf. I think there was a strong consensus within the team to create a new name (probably with SSLv23_method #defined to point to the new name). The

Re: On 2K keys and SHA-256

No objection at all. Perhaps it might be worth checking that the other defaults are sane too at the same time though. e.g. x509 versions etc. Rich. On 8 September 2014 22:59, Salz, Rich rs...@akamai.com wrote: We are considering changing the default keysize (RSA, DSA, DH) from 1K to 2K, and

Re: Openssl crashed when loading certificates

On 20 May 2014 20:13, David Li dlipub...@gmail.com wrote: So obviously my SSL_CTX object wasn't created properly. Now I have to figure out what it means by library has no ciphers. You haven't called the functions to initialise openssl. Rich.