On Jul 12, 2011, at 11:20 PM, Yogesh Chopra wrote:

> Hi,
> There was recently a FIPS capable openssl-1.0.1-stable release
> (link below released).
>
> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-2011MMDD.tar.gz
>
> Can you advise if 1.0.1-stable would have the relevant patches or it's
> best to checkout 1.0.0-stable and apply #2550 and #2555?

The patches from #2550, #2555 and #2559 haven't been committed to the tree yet. So you need to patch the sources manually.
You can see what is applied at http://cvs.openssl.org/timeline

Best regards
Michael

>
> Thanks,
> -Yogi
>
> On Fri, Jul 8, 2011 at 12:05 AM, Robin Seggelmann
> <seggelm...@fh-muenster.de> wrote:
>> Hi Yogesh,
>>
>> The patch was created for the development version in the CVS, you can't use
>> this patch for 1.0.0d without at least patch #2506 previously applied. So
>> you either have to check out the 1.0.0-stable repository and apply the not
>> yet applied patches #2550 and #2555 or you can use the cumulative patch for
>> 1.0.0d from our website sctp.fh-muenster.de, which includes all patches
>> since the last release.
>>
>> I hope 1.0.0e will be released anytime soon, with the latest patches
>> included. Makes things a lot easier.
>>
>> Best regards
>> Robin
>>
>>
>> On Jul 6, 2011, at 11:29 PM, Yogesh Chopra wrote:
>>
>>> Hi,
>>> I am using openssl-1.0.0d and have been applying patches provided
>>> earlier and was able to apply this patch cleanly but it fails
>>> compilation. The "listen" comes up as an undeclared identifier. Can
>>> you recheck the patch?
>>>
>>> Thanks,
>>> -Yogi
>>>
>>> On Wed, Jul 6, 2011 at 11:41 AM, Robin Seggelmann via RT <r...@openssl.org>
>>> wrote:
>>>> This patch fixes that the server increases the expected handshake sequence
>>>> number while listening for new connections, although it's supposed to not
>>>> change its state. The server also reflects the record sequence numbers of
>>>> ClientHellos in its HelloVerifyRequest and ServerHello messages now to
>>>> remain stateless, as described in
>>>> http://tools.ietf.org/html/draft-ietf-tls-rfc4347-bis-06.
>>>>
>>>> Thanks to Yogesh Chopra for providing hints!
>>>>
>>>> Best regards
>>>> Robin
>>>>
>>>> --- ssl/d1_srvr.c 25 May 2011 14:29:55 -0000 1.20.2.18 >>>> +++ ssl/d1_srvr.c 6 Jul 2011 10:06:25 -0000 
>>>> @@ -167,6 +167,8 @@ >>>> s->in_handshake++; >>>> if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); >>>> >>>> + s->d1->listen = listen; >>>> + >>>> if (s->cert == NULL) >>>> { >>>> SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET); >>>> @@ -276,6 +278,12 @@ >>>> >>>> s->init_num=0; >>>> >>>> + /* Reflect ClientHello sequence to remain >>>> stateless while listening */ >>>> + if (listen) >>>> + { >>>> + memcpy(s->s3->write_sequence, >>>> s->s3->read_sequence, sizeof(s->s3->write_sequence)); >>>> + } >>>> + >>>> /* If we're just listening, stop here */ >>>> if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A) >>>> { >>>> >>>> >>>> >>>> >>>>
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> Development Mailing List openssl-dev@openssl.org
>>> Automated List Manager majord...@openssl.org
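
Review bot: In the first hunk (@@ -167,6 +167,8 @@), `s->d1->listen = listen;` relies on a local `listen` and on a `listen` member of `s->d1`, and neither is introduced by this patch, so it only compiles on a tree that already has both. The thread reports exactly that failure on 1.0.0d ("listen" undeclared) and names #2506 as the prerequisite. State the prerequisite in the patch description, or carry the declarations in this patch so it applies and builds on its own.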
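
Review bot: In the second hunk (@@ -276,6 +278,12 @@) the sequence reflection is gated on the local `listen`, while the first hunk stores the same value in `s->d1->listen`; use one of the two consistently in this function so they cannot diverge. The `memcpy` takes its length from `sizeof(s->s3->write_sequence)` alone, so it is worth confirming (or asserting at compile time) that `read_sequence` has the same size. The comment could also name the messages affected, HelloVerifyRequest and ServerHello per the description.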
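
As an added illustration of the behaviour the patch description refers to (not code from OpenSSL or from the thread): a listener that builds the record header of its reply by reflecting the ClientHello's record sequence number, leaving its own counter untouched. `struct listener`, `reflect_header` and the sample bytes are hypothetical names and constructed data, and the reply's record version is assumed to be DTLS 1.0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS_HDR_LEN 13  /* type(1) version(2) epoch(2) sequence(6) length(2) */
#define CT_HANDSHAKE 22

/* Hypothetical listener state; a real stack keeps far more than this. */
struct listener { uint8_t write_seq[6]; };

/* Build the record header for a stateless reply (HelloVerifyRequest) to the
 * ClientHello record in `in`. The listener is const: its own write counter is
 * neither used nor advanced. Returns 0 on success, -1 if the input is rejected. */
int reflect_header(const struct listener *l, const uint8_t *in, size_t in_len,
                   uint16_t body_len, uint8_t out[DTLS_HDR_LEN])
{
    (void)l;
    if (in_len < DTLS_HDR_LEN || in[0] != CT_HANDSHAKE)
        return -1;
    if (in[3] != 0 || in[4] != 0)      /* an initial ClientHello is in epoch 0 */
        return -1;
    out[0] = CT_HANDSHAKE;
    out[1] = 0xfe; out[2] = 0xff;      /* DTLS 1.0 on the wire (assumed here) */
    out[3] = 0; out[4] = 0;            /* reply stays in epoch 0 */
    memcpy(out + 5, in + 5, 6);        /* reflect the client's record sequence */
    out[11] = (uint8_t)(body_len >> 8);
    out[12] = (uint8_t)(body_len & 0xff);
    return 0;
}

/* Constructed sample: header of a retransmitted ClientHello, sequence 2. */
static const uint8_t sample_hello[DTLS_HDR_LEN] = {
    22, 0xfe, 0xff, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0x30
};

int main(void)
{
    struct listener l = {{0}};
    uint8_t out[DTLS_HDR_LEN];
    if (reflect_header(&l, sample_hello, sizeof(sample_hello), 0x23, out) != 0)
        return 1;
    printf("reply sequence: %u, listener counter: %u\n", out[10], l.write_seq[5]);
    return 0;
}
```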