Just to let you know, we found a tool to migrate RT to GitHub issues and will
be doing that shortly. This will just about double the number of open issues
we have and, unfortunately, push the existing (active ones) down a few pages.
--
openssl-users mailing list
To unsubscribe:
> My application links to OpenSSL 1.1.0 dynamically, and I would like to be able
> to determine if the CPU supports the AES-NI instruction set.
> Is there an OpenSSL API that can do this?
Look at man3/OPENSSL_ia32cap.pod ?
--
>Am trying to upgrade openssl 1.0.1p to 1.0.2k and the compilation breaks with
>the below error and am using Ubuntu 10.04.1
>In file included from req.c:84:
>comp.h:28: error: redefinition of typedef 'COMP_METHOD'
>../../Build/target/usr/include/openssl/ossl_typ.h:181: error: previous
The text says Broadwell-specific
So it only affects *some* x86_64 platforms.
--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richs...@jabber.at Twitter: RichSalz
From: Sandeep Umesh [mailto:sanum...@in.ibm.com]
Sent: Monday, January 30, 2017 2:14 AM
To:
> It's cargo-cult programming, most often by people who can't be bothered to
> learn the language they're using.
There are also sometimes portability issues, vendors get things wrong.
But at any rate, for this project, OpenSSL style says parens after sizeof and
says nothing at all about
> Have you considered using GMP as a big integer backed for openssl? It has
> support for several arm variants using handwritten assembly code and the
> developers go to great lengths to find optimize runtime on all supported
> platforms.
It might be interesting if we could figure out how to
Michael was kind to post some replies.
I think a better forum to discuss this is one of the following, which has more
focus on cryptographic science and less on “how do I use the CLI”
http://www.metzdowd.com/mailman/listinfo/cryptography
https://www.irtf.org/mailman/listinfo/cfrg
--
> Licensing issues are indeed thorny. Why can't openssl perform a dynamic link?
> The soversion should handle any ABI issues introduced in later versions of
> GMP.
Anything is possible; it is just code.
I don't think this is a priority for the team. A pull request ...
--
What version of openssl? I'm guessing 1.0.2.
Put this line in your code
ERR_load_ERR_strings();
And you'll get a more informative message.
My main guess is that your allocation for the PEM buffer is too small -- is
key/key_len pointing to a static buffer?
--
> After commented out the line "EVP_PKEY_CTX_set_rsa_padding(ctx,
> RSA_NO_PADDING)", it worked well.
You need to do some reading about basic RSA cryptography. Signatures are
padded out to the keysize.
--
Those are curl functions, not openssl
--
From: ghanashyam satpathy [mailto:ghanashyam.satpa...@gmail.com]
Sent: Saturday, March 25, 2017 10:05 AM
To: openssl-users@openssl.org
Subject:
> For encrypting user data such as user's password, could I use PKCS#1 or OAEP
> padding mode?
If you do not know what you are doing, use the defaults.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> Say someone would be able to gather several clear text AES keys and their
> respective asymmetrically encrypted RSA blocks. Would it weakens the security
> of the RSA key pair ? I mean could it be easier for someone using that
> information to brute force an RSA key pair ?
No
--
> However, is crypto library thread-safe?
Check out this blog entry:
https://www.openssl.org/blog/blog/2017/02/21/threads/
--
> It takes a long time. Is there some way to have it use all available cores
> instead of just the one?
You'll have to write the code to do that parallelism yourself.
--
> Are you suggesting that I should modify openssl myself to expose that
> functionality or are suggesting that there is a way to do that given the
> already
> exposed functionality? If it is the latter could you point me in the right
> direction?
OpenSSL code does not do what you want. You'll
No, the functions you want aren’t provided right now. What are you trying to
do? Why are you modifying the session, outside of the TLS protocol?
--
>> In my case, I need to initialize the SSL, and set parameters as same as
>> client and server (depending on direction) and call OpenSSL to decrypt the
>> data.
>> Before OpenSSL 1.1.0, as all member variables could be set, it was easy
>> task,
>> now I do face issues with ssl_session
> I thought about escaping regarding DN itself (LDAP DN).
Look up the -nameopt flag in, say, x509.pod. Then if you need C code, trace
through what apps/x509.c does.
--
You need to learn what CBC mode is. Block ‘n’ feeds into block ‘n+1’. The
behavior you describe is not wrong.
Blocks are padded, so only read outlen bytes.
--
No, you must have a chain up to a local trust anchor.
You can install the intermediate in your trust store.
--
From: Lei Kong [mailto:leik...@msn.com]
Sent: Thursday, April 20, 2017 9:38 PM
> The OpenSSL documentation makes it clear
> that you must keep calling the same asynchronous function with the same
> parameters until the async job has completed.
Is there a way we can (relatively cheaply) check for that type of programming
error and return an "in progress on another op"
>#define OTEXT_AES_KEY_INIT(ctx, buf) { \
> EVP_CIPHER_CTX_init(ctx); \
> EVP_EncryptInit_ex(ctx, EVP_aes_128_ecb(), NULL, buf, ZERO_IV); \
> }
Most of the datatypes are now opaque. This means you can't have an
EVP_CIPHER_CTX object, but instead a pointer to it. Don't call
We are still reviewing several PR's from the previous code health, which was
about converting tests to use the new test framework. With this extended time
period, we'll have ended up converting almost all the tests, which is great.
We'll announce the next project toward the end of the week.
Yes there are easier ways to do this. Set up a conf file and use it (via the
-conf flag). You can use env vars, set default values, and so on. Look at the
config manpages, https://www.openssl.org/docs/manmaster/man5/
For a fuller example, see https://www.openssl.org/~rsalz/pki.tgz
PS --
Already fixed.
--
No, it does not do this automatically.
If the nonce_explicit overflows or overlaps, then does openssl code
handle it (at least by initiating renegotiation)?
--
> If so, would it be possible in principle to decrypt an encrypted PKCS#7
> envelope only knowing which AES key was used ?
Yes. But maybe not with the openssl api's :)
--
> Is there a way in openssl we can extract the protocol(TLS/DTLS ) handshake
> information, like in clienthello, the protocol version, ciphersuites
> offered, Random, session id etc.
Look at the code in apps/s_client and apps/s_server and see what it prints in
various debug modes.
--
> > My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c
Gives a 403.
> > My main guess is that your allocation for the PEM buffer is too small
> > -- is key/key_len pointing to a static buffer?
>
> It points to a char string
Not sure what that means. Please post your code
After a short summer vacation, our biweekly code health Tuesday is back!
Our topic this time is ... documentation.
There have been many updates to the manpages in the past few weeks, typo fixes,
additional clarifications, and so on. We hope that folks will be emboldened to
help fill in the
> It would be nice if the OpenSSL devs ate their own dogfood and suffered
> that inefficient crap. I would wager that crap would change.
There is a price to be paid with opaque structures. In most cases the benefits
are worth it.
I'm curious why you want that. A small PR with doc and function
➢ So, in summary, do I need to ensure cert serial numbers are unique for my CA?
Why would you not? The specifications require it, but those specifications are
for interoperability. If nobody is ever going to see your certs, then who cares
what’s in them?
--
> DSA *pDSA = d2i_DSA_PUBKEY(NULL, (const unsigned char **) , dwKeySize);
Where and how is pKey set? Note that the manpage says it's incremented to point
*past* the object, so you need something like
unsigned char data = .whatever your data source is .
unsigned char *pKey
➢ Is there anyway to display the basic ASN.1 structure here so I can see
what was stored in the cert?
openssl asn1parse
--
What OpenSSL does is not necessarily obvious. The INSTALL document talks about
the no-asm configuration option. Details about what the assembler code does in
terms of optimization are only available by reading the source code comments in
the various Perl files that generate the assembler,
> May be my email subject is a little confusing. I'll put my question directly.
>
> If I configure my server with the string "HIGH+TLSv1.2:!MD5:!SHA1", will it
> support 3DES?
No, as I showed.
--
Please read what I wrote.
The d2i functions *modify the pointer they are given.* You have to give them a
temporary copy.
--
From: Jason Qian [mailto:jq...@tibco.com]
Sent: Friday, August
> Given these supported names, what goes into the config file to create a SAN
> without having to specify it on the command line?
In the certificate extensions section you do something like:
subjectAltName = DNS:www.example.com, IP:127.0.0.1
and so on. The "pki.tgz"
> And further it
> What is the procedure to get it added. RFC 4108 has been around for a while,
> as has 802.1AR-2009.
Simplest way is to (get someone to) write the code and make a github pull
request.
Next way is to post a patch.
Next way is to open an issue and hope someone gets around to it.
> Though I
> My challenge comes to subjectAltName and its subfield
> hardwareModuleName
> per RFC 4108. I guess I am not 'getting' the subjectAltName section of
> 'man x509v3_config'.
Not all forms of SAN names are supported. If you look in
include/openssl/x509v3.h you see the following:
# define
➢ I'd just like to quickly reach out to let you know that we released a new
(open source) network engine in which we also utilize the OpenSSL library and
want to thank you for the work you put into OpenSSL.
Congratulations. Please post a link, especially since it is open source!
--
X25519 does not use DH parameters.
If you don’t set the parameters with a callback, or generate them and tell
openssl to use them, then EDH will not be used. Note that EDH is *not* the same
as ECDHE.
Don’t use DH, use X25519, for a number of reasons. Search “25519” to find more.
--
In TLS 1.3 the “time” field went away.
--
If you want to use those ciphers, you need to set SECLEVEL=0 when you specify
the ciphers.
I have no idea how to do that for the OpenSSL C# binding. Maybe post an issue
on openssl-net?
--
For the elliptic curve choices, the curve picked (NIST256, NIST384, whatever)
determines the keysize.
--
You know you are going from something horribly out of date to something very
out of date, right?
Can’t you at least move to 1.0.2?
--
> It's very well worth the effort, otherwise there's a security issue, because
> certificates can be forged.
No they cannot.
What *has* been done is a document was created with "weak spots" and another
document was created that changed those weak spots, but the digest was the
same.
This is
> I am building a server and client program. I wanted to know if the client
> intends to use a particular cipher suite ECDHE256 ECDSA 256 types and
> presents it to the server as its only ciphersuite. Then who decides the
> Diffie-hellman and EC parameters. Should the parameters be decided on
> 1. Is there any built-in OpenSSL Engine to access the TPM ?
No.
> 2. Is there any other OpenSSL Engine to access the TPM ? If Yes, How can we
>configure in OpenSSL libraries to use that engine ?
If someone has written one, and can make it available, they should post here.
I don't know
> A naïve question. A certificate that contains SAN attribute(s) – is there a
> limit on how many, say, RFC822 SAN attributes can a valid certificate have?
No.
> It’s been my understanding that a cert can contain as many SAN attributes as
> needed, but it appears that Apple believes it has to
> For AES-256 encryption, should IV be random? I am already using a random
> salt, so I was wondering if IV should be random too.
It should be non-repeating. It can just be a counter.
(Yes, I know OP didn't ask about AESGCM. But if they're coming here for advice
... )
--
> Does openssl provide any way to set MSG_NOSIGNAL on sendmsg (Underlying
> TCP/IP socket layer) ?
No. You will have to modify the code yourself.
--
You are asking two different questions.
The certificates that the *client* sends are specified by the various “use
certificate” API’s. No chain is built. See
doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain
file” API.
As for what the *server* does, it tries to use
> https://username:passw...@server.com
> How do I specify this username and password when using SSL_connect()?
You don't. That stuff is at the protocol level about TLS/SSL.
--
> My client is a custom application and as such only needs to communicate with
> specific servers for specific purposes. I think it makes sense for my client
> to only support the specific protocol that my server will use,
> ECDHE-RSA-AES128-GCM-SHA256. Does this sound reasonable or should I
I unsubscribed Ryan; he’ll have to rejoin.
--
> I am looking for a CA makefile to use with a openvpn tutorial I am writing
> https://github.com/Oflameo/openvpn_ws. Is there one officially endorsed
> by the openssl project?
If there were, it would be in the source distribution.
--
> The __current__ code for this function returns values if the **BIGNUM is
> not NULL. Thus, it appears safe to pass in NULL for values not needed.
Yes. That's true for many "get" functions.
> However, the documentation is silent on this behavior.
>
> If this behavior is guaranteed, it would
> I thought RDRAND was disabled as the default random engine since
> 1.0.1f. Has that changed in OpenSSL 1.1.0?
No. Do "git grep ENGINE_set_default_RAND"
--
> From [this][1] link I can see that TLS1.2 does not have 3DES in their
> available
> cipher list. So I guess it does not support?
Right:
; ./apps/openssl ciphers -v HIGH+TLSv1.2:!MD5:!SHA1 | grep DES
; ./apps/openssl ciphers -v TLSv1.2:!MD5:!SHA1 | grep DES
; ./apps/openssl ciphers -v TLSv1.2
> > Generating a 2048 bit ED25519 private key
>
> Wait, 2048 bit ED25519 key?
Looks like a printf bug :)
--
We don't add features to released versions, just bug-fixes. Ladar has posted a
patch for 1.0.2 for those do-it-yourselfers who are so inclined.
The 'master' branch, which will become 1.1.1 at some point, can do it:
; sh /tmp/x
Generating a 2048 bit ED25519 private key
writing new private key to
https://www.openssl.org/~rsalz/pki.tgz but only a root and end-entity. Adding
an intermediate should not be incredibly difficult :)
--
A reminder: After a short summer vacation, our biweekly code health Tuesday is
back!
Our topic this time is … documentation.
There have been many updates to the manpages in the past few weeks, typo fixes,
additional clarifications, and so on. We hope that folks will be emboldened to
help
> Looking at the man page for dsa it doesn't seem that the order of arguments
> is critical as long, of course, as each arg that takes a value has an
> appropriate entry.
You mean flags and values, like "-foo" and "-bar asdf" ? Yes, the order of
flags does not matter, except in some special
> declare -x organizationalUnitName=""
> routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:151:minsize=1
You are setting an empty OU. You should not set it and see if that works
--
> There’s no such requirement. It MUST be at most 20 octets long.
>
>> - Serial numbers contain cryptographically strong random bits, currently at
>> least 64 random bits, though it is best if the entire serial number looks
>> random from the outside. This is not implemented by
>So we will have to wait for the next release or build our own...
Yes, as always. Features go into the next release; fixes into existing ones.
>Will there be some option to control the behavior?
Yes, like -rand_serial or some such in the ca and x509 commands.
--
> > SHA256 is not listed as a valid hash.
>Many more X.509 digest algorithms are supported in this context
>than (sadly) are listed in the manpage. Perhaps there should
> be a command that lists all supported x.509 hash algorithms,
>and the documentation for commands that
> And the manpages should say things like “any supported digest” and such.
The picture is a lot more complex I'm sorry to say...
You’re right. Thanks.
--
If you generate 19 bytes of RAND output, it will never exceed 20 bytes encoded.
OpenSSL will be generating 159 bits of RAND output, so that it will never
exceed 20 bytes encoded. The command-line RAND program is bytes, the C API is
bits.
--
/17, 10:45 AM, "Salz, Rich via openssl-users"
<openssl-users@openssl.org> wrote:
https://cabforum.org/2016/07/08/ballot-164/
--
--
https://cabforum.org/2016/07/08/ballot-164/
--
This has been a long email thread. Can you open a github issue and summarize
the improvements you think we should make?
Thanks.
And thanks for your patience!
--
> 2) Why isn't it listed in the manpages?
Many functions aren't documented. We're all working on it.
--
Doesn’t seem to be supported in openssl.
What's the equivalent of
That attribute is not currently supported.
Someone would have to write ASN1 parsing code. There are examples all over the
place within OpenSSL; see the various d2i_XXX and i2d_XXX functions. There are
macro/define’s available to make the job easier. But, it is not really
documented.
Maybe
> I am trying to compile / install a utility from Source on CentOS that
> utilizes OpenSSL 1.1.0 (latest version) . However, I get the following error:
> configure: WARNING: Cannot find SSL_CTX_get0_param in libssl library. TLS
> hostname verification will not be available.
Most likely, the
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
>
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?
No, it's a load and use the current
> The openssl program will use the wrong libssl.so and libcrypto.so.
Yes, got it.
But that's small potatoes compared to everyone else finding the wrong shared
library, and just saying "use rpath" doesn't help all those others.
--
> We still don't know what use case is being represented by omitting the
> RPATH in the OpenSSL build.
Because only one program, apps/openssl, presumably needs rpath. But that
doesn't solve the problem for *external applications* that need to find OpenSSL
in a different place, does it?
--
> The results are both functional, but the v102l build is missing
> sha{224|256|384|512} digests
Right; those digests are not in 1.0.2
--
> with a host device which will be ported with FIPS compliant OpenSSL library.
> Our embedded device will be using ECDSA (FIPS 186-3) and ECDH (FIPS
> SP800-56A) by calling APIs of ATECC508A SDK. Is there any compatibility
> issue?
There shouldn't be. But interop is a hard thing, and a
> Appending a note that, for a full change log, [DO THIS], would probably be
> well received.
https://github.com/openssl/openssl/pull/3606
--
Dennis,
Feel free to not read any documentation you find superfluous :)
Too much information is not something people often say about OpenSSL. We
believe many people find the current file useful. To wit, you are the first
person to raise this issue that I can recall in over 20 years.
--
By default, TLS only does server-side verification. If you are using client
certificates, you will have to write some code for your application.
--
> Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
> previous connection attempt failed for reasons other than TLS? If, say, the
> initial connection attempt failed at the TCP level? That sounds a little
> strange
> to me.
Yes they do.
There are many badly written clients
> What I find surprising is the rate of these errors. For every 100 legitimate
> HTTP requests that make it to Nginx, I get 2.5 “inappropriate fallback” SSL
> errors. That's a lot of noise.
>
> I guess I'll have to adjust my expectations.
That's not out of line with other measurements I've been
In 1.1.0 the default digest changed from MD5 to SHA256. So use the "-digest
md5" flag to read or write data from older releases.
--
> It is quite likely that your version of wireshark does not know how to
> properly decode the TLS 1.3 ServerHello.
Please see https://www.ietf.org/mail-archive/web/tls/current/msg22333.html for
information about downloading an early release of wireshark.
--
It’s disabled by default. Servers that want to use server-side session caching
have to call an API to turn it on
--
> I am quoting a line from Network Security with OpenSSL book (O'Reilly Media)
That book is 15 years old. Throw it out.
--
> Is there a recommendation for a newer book?
Many people like the Feisty Duck book(s). See if others on this list say
anything.
--
It's been awhile since we did a code health Tuesday and we're overdue for one
next week.
Our online FAQ is really old; it's outdated and incorrect. We haven't fully
figured out how much of the older versions and older platforms we should
document.
So, let's fix it. Move anything older than
> Make that N processes, and understand why this should be a FAQ.
Have no problem with adding to the FAQ.
It's likely to be our next code-health target :)
--
> While the process is still fresh in my head, I was wondering if the community
> would benefit in having some documentation on the process to follow and
> issues that may arise? Possibly add this into the OpenSSL wiki?
This would be a great idea.
--
I can point you to https://github.com/richsalz/pki-webpage But it is *not
official* and may not work for what you want.
--
> Please excuse what is a simple question: what is the proper way to clean up
> in the parent and child when writing a forking server using OpenSSL?
It's not simple.
Can you have the parent just do socket stuff, and then accept/fork and have the
child do all the OpenSSL calls?
Having two
> So the CHANGES file isn't really "changes".
The full list of everything that has changed can be found via git logs. As
Matt said, we only put particularly significant items in the CHANGES file.
--
1 - 100 of 453 matches