Re: CPU Software Engine

2013-03-22 Thread Jan Just Keijser
Hi Costas, Costas Stasimos wrote: Hello! I'm currently using the cryptodev framework-engine with openssl-1.0.1e. By running the command # openssl engine -t (cryptodev) cryptodev engine [ available ] (dynamic) Dynamic engine loading support [ unavailable ] we can see that the cryptodev

Re: [openssl-users] Jks converted to Pem error in verifying

2016-01-11 Thread Jan Just Keijser
Hi, On 10/01/16 05:15, Anil Mathew wrote: I am a novice in terms of ssl and hence have limited knowledge in this. Please help. I have been given a jks file that has server certificate, client certificate and a key for the client certificate. I need to convert it to pem to use it in my

[openssl-users] pkcs12 oddity

2016-02-13 Thread Jan Just Keijser
what am I doing wrong here? (the command listed above is not the actual command we want to use, but it does bring out the problem very nicely) thanks for any help and pointers, JJK / Jan Just Keijser -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Certificate verification failure

2016-02-01 Thread Jan Just Keijser
Yan, Bob wrote: Dear Sir/Madam, I have an application which acts as an SSL server. When the application loads the root and intermediate CA files from a CA path, the handshake between my application and openssl client failed at the point when my application was authenticating the client’s

Re: [openssl-users] Certificate verification failure

2016-02-03 Thread Jan Just Keijser
fy -CApathclient.crt ? is that certificate correctly verified? HTH, JJK -Original Message- From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jan Just Keijser Sent: Monday, February 01, 2016 1:04 AM To: openssl-users@openssl.org Subject: Re: [ope

Re: [openssl-users] How to retrieve the revoked certificate list when X509_LOOKUP_hash_dir() method used

2016-02-26 Thread Jan Just Keijser
Hi Bob, Yan, Bob wrote: Hi All, I used the following methods to load CRL hashed-directory into a SSL_CTX object to verify the client certificate against the CRL. The code works fine and it's able to verify the client certificate against the loaded CRLs. X509_STORE *x509Store =

Re: [openssl-users] s_client/s_server trouble

2016-05-19 Thread Jan Just Keijser
Hi all, no one has seen this as well? I've seen other mails fly by on openssl-users after I posted this, yet no response to my query, nor to a previous mail I sent (about pkcs7). Should I file bug reports instead? thx, JJK / Jan Just Keijser Jan Just Keijser wrote: hi all, I've just run

Re: [openssl-users] s_client/s_server trouble

2016-05-21 Thread Jan Just Keijser
Hi all, thanks for all the pointers - it was indeed a problem with the certificates. cheers, JJK / Jan Just Keijser On 19/05/16 18:19, Viktor Dukhovni wrote: On Thu, May 19, 2016 at 05:58:11PM +0200, Jakob Bohm wrote: What kind (and size) of keys are in your certificates? That sounds like

[openssl-users] s_client/s_server trouble

2016-05-13 Thread Jan Just Keijser
s_server *or* s_client to use openssl 0.9.8 then the above commands work! What am I missing here? TIA, JJK / Jan Just Keijser

Re: [openssl-users] [openssl-dev] Are you using "TLS proxy certificates"?

2016-05-02 Thread Jan Just Keijser
. regards, JJK / Jan Just Keijser Nikhef Amsterdam

Re: [openssl-users] Checking for AES-NI acceleration

2016-08-10 Thread Jan Just Keijser
Hi, On 10/08/16 14:25, Nagesh shamnur wrote: Hi Group, I am running an application which transfers huge chunks of data every second (850Mbps) and the same is secured using openssl. However the CPU usage on windows is very high ( ~ 100%). So as a part of the analysis, I stumbled upon the

Re: [openssl-users] Access Mozilla NSS (shared) Database / PKCS#11 Modules via OpenSSL?

2016-11-09 Thread Jan Just Keijser
Hi, On 08/11/16 17:33, Matthias Ballreich wrote: Hi there, how can I access the Mozilla NSS (shared) Database (cert8 or cert9d.db) / PKCS#11-Modules via OpenSSL? I need read & write access to the NSS User Cert Database (softokn3) and to the Built-In Cert Database (nssckbi) under Windows.

Re: [openssl-users] smartcard/ pkcs11 - 'bad decrypt' error after upgrade from 0.9.8 to 1.0.1

2016-11-11 Thread Jan Just Keijser
Hi, On 10/11/16 10:49, Pawel Suwinski wrote: Hello After openssl upgrade (new OS version, new machine) I get error decrypting SMIME messages using Aladdin eToken SmartCard (pkcs11 engine). On old system (Debian 6.0 Squeeze-LTS)/ machine: #v+ [old]$ openssl version OpenSSL 0.9.8g

Re: [openssl-users] OpenSSL Engine for TPM

2017-07-07 Thread Jan Just Keijser
Hi, On 06/07/17 06:39, Christian Hohnstädt wrote: The trousers project has one. https://sourceforge.net/projects/trousers/files/OpenSSL%20TPM%20Engine/ agreed, but this engine does not really put the keys inside the TPM - instead it sets up a local repository that is encrypted using a key

Re: [openssl-users] ca md too weak

2017-10-06 Thread Jan Just Keijser
Hi, On 06/10/17 17:26, Fabrice Delente wrote: Hello, Until two days ago I used OpenVPN to connect to my workplace, on a non-security sensitive tunnel (just for convenience). However, OpenSSL updated on my machine (Fedora 26), and now the certificate is rejected: Fri Oct 6 17:25:06 2017

Re: [openssl-users] Storing private key on tokens

2017-10-04 Thread Jan Just Keijser
Hi, On 04/10/17 10:17, lists wrote: On 09/27/2017 11:13 PM, Ken Goldman wrote: On 9/27/2017 2:19 PM, Dirk-Willem van Gulik wrote: On 27 Sep 2017, at 20:02, Michael Wojcik The tokens / HSMs I've used don't let you generate a key somewhere else and install it on the token. They insist on

Re: [openssl-users] SSL alert number 48

2017-11-29 Thread Jan Just Keijser
Hi, On 28/11/17 11:03, wizard2...@gmail.com wrote: Hi there. I guess my problem is really related to verify callback on SSL_CTX_set_verify function. I just add to my code a dummy callback returning 1 and everything works properly. int verify_callback (int ok, X509_STORE_CTX *ctx);

Re: [openssl-users] SSL alert number 48

2017-11-28 Thread Jan Just Keijser
Hi, On 27/11/17 17:07, wizard2...@gmail.com wrote: Hi there. I'm getting this error on a TLS server that I'm implementing and I can't really understand what I'm doing wrong. 139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number

Re: [openssl-users] SSL alert number 48

2017-11-30 Thread Jan Just Keijser
the same test using your set of certificates. HTH, JJK On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, On 28/11/17 11:03, wizard2...@gmail.com wrote: Hi there.

Re: [openssl-users] SSL alert number 48

2017-12-19 Thread Jan Just Keijser
Hi, On 12/12/17 11:06, wizard2...@gmail.com wrote: Hi. Ok, I agree with you that the way I generate the certificates could not be the right one, but now I change the way and the problem remains. Please check the way I'm creating the certificates. I create a ROOT-CA entity and a

Re: [openssl-users] alert number 46:

2017-11-12 Thread Jan Just Keijser
Hi, On 12/11/17 05:39, Simon Matthews wrote: I have generated a new certificate for my CentOS 6/postfix server, and it seems to work with most clients, but when I try to send email using tls from my Android device, it always fails. In my postfix log, I see: warning: TLS library problem:

Re: [openssl-users] Building OpenSSL for Intel Xeon Phi

2017-11-14 Thread Jan Just Keijser
ment which only supports VC and an Intel/Xeon Phi environment which insists that you use ICC with the flag "-mmic" . The question asked by the original poster is better answered on the Intel MIC developer forum. cheers, JJK / Jan Just Keijser In message <1510585954413-0.p...@n7.nab

Re: [openssl-users] SSL alert number 48

2017-12-07 Thread Jan Just Keijser
[]: An optional company name []: Thanks. Kind regards. On Thu, Nov 30, 2017 at 2:45 PM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, On 29/11/17 14:37, wizard2...@gmail.com wrote: Hi JJK, I test you fun

Re: [openssl-users] 2 openssl installed?

2018-06-12 Thread Jan Just Keijser
Hi, On 07/06/18 06:14, Sampei wrote: t’s a server installed many many years ago and there are applications which are not used. Server is too late and I have new server (latest Centos 6) for migrating where I installed latest version. I’d like to take to new server all certificate database

Re: [openssl-users] database openssl

2018-05-29 Thread Jan Just Keijser
Hi, On 29/05/18 09:47, Sampei wrote: I'm using Linux server to create temporary CA and I know openssl maintains a text database of issued certificates and their status. Now I need to migrate this server to another one, so I ask myself how can I export this db. thanks the openssl CA

Re: [openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

2017-12-22 Thread Jan Just Keijser
Hi, On 22/12/17 11:14, Manuel Wagesreither wrote: Unfortunately this didn't work either. The end result is the same; OpenSSL still emits a "certificate signature failure" with an error depth of 0. here's a stripped down version of my 'grid-proxy-verify.c' that verifies a certificate loaded

Re: [openssl-users] Add OpenSSL-support to a project

2018-11-08 Thread Jan Just Keijser
On 05/11/18 23:58, Thomas Schmiedl wrote: Hello, I use xupnpd2-mediaserver (http://xupnpd.org/xupnpd2_en.html) on my router to display HLS-streams on my TV. Some HLS-streams require a https-connection. I contacted the xupnpd2-author several times but I didn't get a reply. Since some days, he

Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

2018-12-05 Thread Jan Just Keijser
currently have is in Firefox: if you turn off "Query OCSP responder servers" in Firefox then EV certificates will no longer show up with their owner/domain name. Now the question is: does Firefox get OCSP "right" ;) ? cheers, JJK / Jan Just Keijser

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser
Hi Richard, On 04/03/19 10:27, Richard Levitte wrote: On Mon, 04 Mar 2019 10:06:54 +0100, Jan Just Keijser wrote: ... Having said that, I just created a certificate set to expire on Mar 9 2037 and it passed the following command:   c:\program files\openvpn\bin\openssl x509 -dates -subject

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser
e same command on the failing certificate? HTH, JJK / Jan Just Keijser

Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser
Hi Matt, On 04/03/19 14:24, Matt Caswell wrote: On 04/03/2019 13:16, Jan Just Keijser wrote: On 04/03/19 10:21, Wolfgang Knauf wrote: Hi, the output is this: C:\Program Files\OpenVPN\bin>openssl.exe asn1parse -i -in ..\config\ssl_h...@l1139218.vt-security.de\l1139218

Re: AW: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-04 Thread Jan Just Keijser
e. Also, I've thrown my own verification code against the certificate and everything checks out OK. I'll see if I can reproduce the issue in my own OpenVPN setup. HTH, JJK / Jan Just Keijser

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-06 Thread Jan Just Keijser
  hl=2 l=  17 prim: UTCTIME   :370308132808+ OpenSSL 1.0.x groks this, 1.1+ does not. cheers, JJK / Jan Just Keijser

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-06 Thread Jan Just Keijser
Hi all, On 06/03/19 16:36, Jakob Bohm via openssl-users wrote: On 06/03/2019 16:17, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Richard Levitte Sent: Wednesday, March 06, 2019 03:07 On Wed, 06 Mar 2019 10:52:44 +0100, Jan Just Keijser

Re: OpenVPNGui 2.4.7 fails: format error in certificate's notAfter field

2019-03-08 Thread Jan Just Keijser
cate is invalid and was always invalid, but up till now OpenSSL grokked it.  OpenSSL (and therefore OpenVPN) no longer likes your cert, so get a new one" cheers, JJK / Jan Just Keijser

Re: Reg slowness seen in openssl 1.1.1

2019-05-10 Thread Jan Just Keijser
Hi, On 10/05/19 02:29, ramakrushna mishra wrote: Hi, Could anyone please help me with it. Following are sslc speed results for SHA1. [...] OpenSSL 1.1.0e  16 Feb 2017 type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes sha1             90515.06k   

Re: Reg slowness seen in openssl 1.1.1

2019-05-10 Thread Jan Just Keijser
On 10/05/19 03:16, ramakrushna mishra wrote: Hi , The results on an AIX machine look even worse, if I am interpreting them correctly. openssl 1.1.0e : The 'numbers' are in 1000s of bytes per second processed. type             16 bytes     64 bytes    256 bytes  1024 bytes   8192 bytes  16384

Re: OpenSSL 1.1.1 RPM for CentOS 7

2019-07-03 Thread Jan Just Keijser
On 02/07/19 23:52, Dennis Clarke wrote: On 7/2/19 12:12 PM, Karel de Henks wrote: Hi, I'm searching on the internet for an OpenSSL version 1.1.1. RPM package for CentOS 7. However, I cannot find this. Perhaps one of the users in the mailing list has this package already available. On

Re: Error building app on RHEL 7 with openssl 1.1.1

2019-07-23 Thread Jan Just Keijser
Hi Mark, On 20/07/19 00:13, Mark Richter wrote: I figured out the variant issue and built, but the tests are failing - see https://gist.github.com/sf-mrichter/2c5c653b3800708c1a67ba41e4992129. Still not sure how to link an app to the new ssl that uses libraries that were built with the

Re: Errors building 1.1.1 on RHEL 7

2019-07-17 Thread Jan Just Keijser
FWIW: I just downloaded openssl 1.1.1c, untarred it on my CentOS 7 box, then ran   ./config   make   make test The tests passed with the following output (the "ok" tests stripped out): ... ../test/recipes/05-test_md2.t .. skipped: md2 is not supported by this OpenSSL build

Re: AW: openssl and external card reader support in TLS

2019-10-25 Thread Jan Just Keijser
Hi Tobias, On 23/10/19 10:11, tobias.w...@t-systems.com wrote: Our PKCS11 module development will discontinue and therefore I can`t use it anymore, but the idea is great and very interesting. To give more details we need a callback or similar mechanism to replace the signature created in

Re: Retrieve CA for client cert from SSL*

2019-10-25 Thread Jan Just Keijser
On 24/10/19 19:55, Fen Fox wrote: Is there a way to figure out which CA the server used to validate the client certificate? on the server side?  you would have to write your own verify callback to intercept the certificate stack as it is processed. That way, you can monitor which CA

Re: SSL certificate verification

2019-12-18 Thread Jan Just Keijser
On 18/12/19 09:54, Mody, Darshan Arvindkumar (Darshan) wrote: Hi We are using SSL_CTX_use_certificate and SSL_CTX_use_certificate_chain_file APIs to load the certificates. My query is when we are loading the certificate in the Context does openssl verify the certificates for e.g. whether

Re: OpenSSL on embedded systems

2020-02-17 Thread Jan Just Keijser
On 17/02/20 11:51, Innocenti, Michele via openssl-users wrote: Hi, Which is the minimum footprint needed to use OpenSSL TLS 1.3 library in an embedded context? Which embedded OS are supported? i.e. FreeRTOS, VxWorks, Micrium uC-OS AFAICT, OpenSSL is supported on VxWorks, not on RTOS or

Re: Program works with older libssl, but not with newer

2020-04-01 Thread Jan Just Keijser
and where it is failing, but it seems the client is not sending its certificate chain to the server.  I am positive it is a programming error on my side but I will say that this problem is particularly hard to track down. JM2CW, JJK / Jan Just Keijser

Re: How to debug a TLSv1.3 protocol problem?

2020-05-19 Thread Jan Just Keijser
in my case, it does not bother to send any client-side certificate info to the server). Perhaps you are seeing something similar? If not, then sorry for the noise. HTH, JJK / Jan Just Keijser

Re: server key exchange signature behavior

2020-06-23 Thread Jan Just Keijser
Hi, see comments/questions inline On 23/06/20 14:03, Bruce Cloutier wrote: Hello, We administer a server (Windows) with a Bitnami stack for a Wordpress implementation and that uses Apache Httpd and OpenSSL. Separately I am developing the TLS ECC aspect of a controller device implementation

Re: server key exchange signature behavior

2020-06-26 Thread Jan Just Keijser
On 25/06/20 20:02, Bruce Cloutier wrote: I agree that I am not being explicit regarding my terminology. I don't mean to confuse. I just cannot get anywhere on this in a vacuum. So, I need to reach out. Specifically, the Signature covering the EC Diffie-Hellman Server Params in the

Re: Lack of documentation for OPENSSL_ia32cap_P

2020-07-25 Thread Jan Just Keijser
On 23/07/20 02:35, Jakob Bohm via openssl-users wrote: The OPENSSL_ia32cap_P variable, its bitfields and the code that sets it (in assembler) seem to have no clear documentation. Looking at x86_64cpuid.pl, I see jumps to ".Lintel" etc. being conditional on stuff other than the CPU being an

Re: private key not available for client_cert_cb

2021-01-11 Thread Jan Just Keijser
Hi, On 08/01/21 22:35, George wrote: Hi,    I have been trying to setup mutual authentication using a smart card but I can't seem to get the OpenSSL Engine to send a response back to the server containing client's certificate from the smart card. I'm using the following to configure the

Re: Random and rare Seg faults at openssl library level

2021-01-12 Thread Jan Just Keijser
Hi, On 07/01/21 23:53, Gimhani Uthpala wrote: On Thu, Jan 7, 2021 at 3:08 AM Ken Goldman wrote: On 1/6/2021 12:10 PM, Gimhani Uthpala wrote: > I am getting seg-faults at openssl level. This only occurred very randomly and the following are stacks

Re: Random and rare Seg faults at openssl library level

2021-01-07 Thread Jan Just Keijser
Hi, On 06/01/21 18:10, Gimhani Uthpala wrote: Dear team, I'm running an application which uses openssl for secure communication between processes. I am getting seg-faults at openssl level. This only occurred very randomly and the following are stacks that seg faults  at openssl level in the

Re: Random and rare Seg faults at openssl library level

2021-01-07 Thread Jan Just Keijser
On 06/01/21 21:57, Michael Wojcik wrote: The same way you'd track down an intermittent cause of Undefined Behavior in any other program: some combination of dynamic monitoring, symbolic execution, static code analysis, source code review, testing variants, tracing, fuzzing, post-mortem

Re: TLS with Client Authentication using private key from Windows store

2020-11-24 Thread Jan Just Keijser
Hi Ferenc, On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote: Hi, I am trying to use openssl to implement a client-side TLS connection with Client Authentication on Windows, using a non-exportable private key stored in the Windows Certificate Store.  Currently, our code can use a

Re: private key not available for client_cert_cb

2020-12-14 Thread Jan Just Keijser
Hi, On 14/12/20 08:08, George wrote: Hi,    I'm new to OpenSSL and am trying to set up mutual authentication in a client. The client is setup with OpenSSL 1.0.2u. and the client's certificate + private key is stored on a Smart Card.  When the client receives a certificate request from the

Re: private key not available for client_cert_cb

2020-12-17 Thread Jan Just Keijser
line first - much easier to test & debug. JJK On 2020-12-17 3:22 a.m., Jan Just Keijser wrote: Hi, On 16/12/20 20:26, George wrote: Hi,    I've been looking at the code in the pppd EAP-TLS patch, but I can't seem to load the engine with the pkcs11 DLL. It is failing with the error: e

Re: private key not available for client_cert_cb

2020-12-18 Thread Jan Just Keijser
.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll" and then try out certain operations, like encrypt/decrypt or simply use the command   speed and watch for any errors - that should giv

Re: private key not available for client_cert_cb

2020-12-23 Thread Jan Just Keijser
_info = pkey_identifier; HTH, JJK On 2020-12-19 8:05 p.m., Jan Just Keijser wrote: I'd say no engine/pkcs11 module should trigger exceptions - that's an error in the pkcs11 module. Something you can try is this: run the 'openssl.exe' command: openssl engine -t dynamic -pre "SO_PATH:C:\

Re: private key not available for client_cert_cb

2020-12-19 Thread Jan Just Keijser
*;type=private;pin-value=123456" -keyform engine -in req2.pem -out cert2.pem Thanks, George On 2020-12-18 3:40 a.m., Jan Just Keijser wrote: Hi, On 18/12/20 06:21, George wrote: Hi,    I'm able to setup the engine now, but as soon as I attempt to execute the command

Re: private key not available for client_cert_cb

2020-12-15 Thread Jan Just Keijser
Hi, On 14/12/20 21:01, George wrote: Ok, so I am not actually going to populate EVP_PKEY with a private key in the callback function: int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)? Instead, I will call EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,

Re: private key not available for client_cert_cb

2020-12-17 Thread Jan Just Keijser
0| and load that (see the EAP-TLS code for an example or read https://stackoverflow.com/questions/41119744/pkcs11-engine-for-openssl for a similar question). HTH, JJK On 2020-12-15 4:38 a.m., Jan Just Keijser wrote: Hi, On 14/12/20 21:01, George wrote: Ok, so I am not actually going to p

Re: private key not available for client_cert_cb

2021-01-05 Thread Jan Just Keijser
Hi, On 05/01/21 07:39, George wrote: Hi,     I was looking at the  code in https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c and realized I forgot to call ENGINE_ctrl_cmd(...) to setup "LOAD_CERT_CTRL". However, when I do this, the callback function is no longer being called

Re: UI_METHOD functions not being invoked for smart card

2021-01-26 Thread Jan Just Keijser
On 26/01/21 05:28, George wrote: Hi,     I'm trying to get OpenSSL 1.0.2u with the FIPS Object Module 2.0.16  in Windows 10 to prompt the user for a smart card's PIN number every time the application is launched. However, I cannot seem to get it to work. My UI_METHOD callback functions are

Re: OpenSSL 1.1.1g Windows build slow rsa tests

2021-01-22 Thread Jan Just Keijser
is/her code runs blazingly fast on his/her Core i7 bla bla but when deploying it on a cheaper runtime device performance is terrible. Note that no-asm + OPENSSL_ia32cap=0 should not have any effect compared to "no-asm". JM2CW, JJK / Jan Just Keijser

Re: Compile openssl-1.1.1k on CentOS8

2021-06-08 Thread Jan Just Keijser
Hi, On 07/06/21 20:26, Lothar Belle wrote: Hi, recently I compiled openssl-1.1.1k on CentOS-8 but when I am using libcrypto.so.1.1 I get errors like: libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b Obviously RedHat added additional features into their own libraries,

Re: OpenSSL version 3.0.0-beta1 published

2021-06-18 Thread Jan Just Keijser
?  is this on the TODO list for the OpenSC/pkcs11 team?  If I wanted to try to refactor the opensc-pkcs11 module, how would I start? thanks for all your hard work, JJK / Jan Just Keijser

Re: openssl verify question

2021-06-17 Thread Jan Just Keijser
Hi, On 12/06/21 22:20, Gaardiolor wrote: Hello, My openssl-1.0.2k-21.0.1.el7_9.x86_64 verify fails with HSM-signed certificates. The HSM is causing other issues and is likely misbehaving, I think this is a HSM bug. I'm sure I'm using the correct server.crt and rootca.crt. $ openssl verify

Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Jan Just Keijser
there that are vulnerable ;) I run several public Wordpress sites on CentOS 7 and have locked them down quite rigorously - I have not had any breakins for the past 7 years or so, whilst relying fully on the RH/CentOS-supplied openssl library. HTH, JJK From: Jan Just Keijser Sent: Monday, May

Re: How to set the different parameters of X509_STORE_CTX structure.

2021-05-27 Thread Jan Just Keijser
Hi, On 26/05/21 10:15, Kumar Mishra, Sanjeev wrote: Hi, I am upgrading the code of OpenSSL 1.0 to 3.0. I am not getting some API for setting some parameter of X509_STORE_CTX structure as it is opaque in 3.0. For example the code is like - X509_STORE_CTX  *ctx;

Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Jan Just Keijser
On 30/05/21 14:05, Michael McKenney wrote: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux? My biggest complaint with Linux is it is so difficult to get best practice installations for services like OpenSSL. Ubuntu is still on 1.1.1f.    I

Re: Compilation issues

2021-06-29 Thread Jan Just Keijser
On 29/06/21 11:58, david raingeard wrote: Hello, Technically, what prevents openssl 1.1.1g from compiling correctly on some operating systems like Solaris 2.6, CentOS 7.8,... ? you will have to provide more details - openssl 1.1.1g compiles just fine on CentOS 7 (7.9 in my case). Can't talk

Re: client certificate error

2021-07-01 Thread Jan Just Keijser
Hi, On 30/06/21 15:22, Paulo Wollny wrote: Hi, thank you for the answer. can you please point the right direction for solution, please? try  http://httpd.apache.org/userslist.html Regarding the "look suspicious - it means your client is connecting from 127.0.0.1 and your server is also

Re: client certificate error

2021-06-30 Thread Jan Just Keijser
Hi, On 30/06/21 00:23, Paulo Wollny wrote: Dear @ll My environment: OpenSSL 1.1.1f  31 Mar 2020 Ubuntu 20.04 Server version: Apache/2.4.41 (Ubuntu) Server built:   2021-06-17T18:27:53 My problem: connecting to a secure server requiring client certificate, i get the following error when

Re: Compilation issues

2021-06-30 Thread Jan Just Keijser
Hi, On 29/06/21 18:31, david raingeard wrote: Ok, here it is. It compiled mostly ok (some fixes for solaris 2.6, like inttypes.h instead of stdint). The test suite fails (dubious error). TLS 1.2 works just fine (openssl s_client -connect google.com:443 -tls1_2

Re: installing OpenSSL 1.1.1 on RedHat 6.x

2021-07-09 Thread Jan Just Keijser
On 08/07/21 18:55, Tim Culhane wrote: Hi, We have a customer who is running our product on a RedHat 6.x server. Our product uses OpenSSL 1.1.1 to handle secure connections. Initial testing by the customer is showing segmentation faults in OpenSSL during the handshake process. We have

Re: Version compatibility issues - Re: openssl development work / paid

2021-05-03 Thread Jan Just Keijser
Just for the record: On 26/03/21 09:51, Embedded Devel wrote: i now have a second developer looking at this, so hoping he can sort it all out. [...] I was that second developer and even though 'Embedded Devel' listed this as "paid" work and even though he made repeated promises about

Re: Linker failure after compilation with "enable-crypto-mdebug"

2021-04-28 Thread Jan Just Keijser
Hi, On 26/04/21 20:29, Robert Smith via openssl-users wrote: Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:  Creating library apps\openssl.lib and object

Re: Linker failure after compilation with "enable-crypto-mdebug"

2021-04-29 Thread Jan Just Keijser
8, 2021, 06:51:36 AM EDT, Jan Just Keijser wrote: Hi, On 26/04/21 20:29, Robert Smith via openssl-users wrote: Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:

Re: Version compatibility issues - Re: openssl development work / paid

2021-05-05 Thread Jan Just Keijser
have now received. I am also glad to report that - after more emails back and forth - he is now able to continue with the development of his application. JJK / Jan Just Keijser On 03/05/21 09:20, Jan Just Keijser wrote: Just for the record: On 26/03/21 09:51, Embedded Devel wrote: i now have

Re: Version compatibility issues - Re: openssl development work / paid

2021-05-04 Thread Jan Just Keijser
First of all, apologies to this mailing list for making you part of this. I will reply one more time , then take this discussion off-list. On 04/05/21 07:24, Embedded Devel wrote: On 5/3/21 2:20 PM, Jan Just Keijser wrote: Just for the record: On 26/03/21 09:51, Embedded Devel wrote: i now

Re: Version compatibility issues - Re: openssl development work / paid - SSL now FIXED

2021-03-29 Thread Jan Just Keijser
On 28/03/21 15:20, Yassine Chaouche wrote: On 3/26/21 at 12:35 PM, Embedded Devel wrote: This has now been fixed SSL is working In a few hours ? Yup, took me about 4 hours to understand the problem and get a working fix - there wasn't much wrong with the code itself, but I suspect a

Re: Compute HMAC using nCipher ENGINE and HSM-based symmetric key

2021-03-30 Thread Jan Just Keijser
Hi, On 30/03/21 20:58, Ron Kundla wrote: Hello! I have a requirement to generate a HMAC value using a secret/symmetric key inside the HSM. I have seen examples that use public/private keys to do such a thing, but nothing that would use an AES or a nCipher-specific HMAC key. Does OpenSSL

Re: Why does OpenSSL report google's certificate is "self-signed"?

2021-04-01 Thread Jan Just Keijser
t would be bad, but I normally remove the trust anchor from the webserver certificate chain nevertheless.  It could very well be that I'm not the only web admin that follows their advice in this respect. JM2CW, JJK / Jan Just Keijser

Re: Why does OpenSSL report google's certificate is "self-signed"?

2021-04-01 Thread Jan Just Keijser
, JJK / Jan Just Keijser On 1/4/21 5:43 pm, Jan Just Keijser wrote: On 31/03/21 19:43, Michael Wojcik wrote: From: openssl-users On Behalf Of Viktor Dukhovni Sent: Wednesday, 31 March, 2021 10:31 To:openssl-users@openssl.org Subject: Re: Why does OpenSSL report google's certificate is "

Re: Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-06 Thread Jan Just Keijser
On 05/04/21 17:16, Boris Shpoungin via openssl-users wrote: Hello, Is there minimal requirements for Linux kernel for usage of openssl library version 1.1.1? I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port

Re: Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-06 Thread Jan Just Keijser
On 05/04/21 22:07, Boris Shpoungin via openssl-users wrote: Thank you for response. Could you suggest best approach for porting application from 1.0.2 to 1.1.1? So far I've found good manual which describes required modifications:

Re: X509_sign_ctx and ENGINE

2021-04-13 Thread Jan Just Keijser
Hi, On 13/04/21 17:05, Ron Kundla wrote: Hello, I am trying to adapt a piece of software to use an nCipher HSM using OpenSSL 1.1.1j along with the nfkm.dll engine library from nCipher. One function uses X509_sign_ctx() to calculate a SHA256 digest and sign a X509 certificate using RSA-PSS. I

Re: Query reg. using certificates bigger than 4k for EAP-TLS

2021-10-20 Thread Jan Just Keijser
Hi Vishal, On 20/10/21 13:34, Vishal Sinha wrote: Hi Matt The certificate is not large as such. But since it's a chain, the overall size crosses 4k. We used BIO_set_write_buffer_size() API to increase the size from 4k to 8k of the BIO buffer in SSL context. just out of curiosity: does

Re: Doubt regarding ssl options

2022-01-31 Thread Jan Just Keijser
. Thus, this is not affected by any calls to SSL_CTX_set_min_proto_version or SSL_set_min_proto_version. However, the above is safe in terms of "it works with buggy servers" as well as safe in terms of "the connection *will* use tls 1.2+ if I call SSL_{ctx_}set_min_proto_version" so why change? Hope this clarifies things, JJK / Jan Just Keijser

Re: client/server communication with OpenSSL && with passwords or passphrase

2022-01-24 Thread Jan Just Keijser
s+certificates to the Java-based client and import it into the Java keystore. That can be done using the PKCS12 format, as I believe you can load a Java keystore in that format, e.g. KeyStore ks = KeyStore.getInstance("PKCS12"); see https://www.baeldung.com/java-keystore for an example.