Victor

I am still having issues with the default ECDH parameters in 1.0.0c.

The key generation with NIST Prime-Curve P-192 crashes.
/* Copies 'top' words from a into buf; buf must already be sized for 'top' words. */
static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
{
   int i;
   BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
   for (i = (top); i != 0; i--)
       *_tmp1++ = *_tmp2++;  //There is a problem here
}


Marcus
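The thread does not say why P-192 key generation dies inside this copy loop, and the loop itself carries no bounds information: it relies entirely on its caller having sized buf for top words. As an added example (not OpenSSL's code, and not whatever fix a later release contains), here is the same limb copy written so that the destination capacity is explicit and an oversized request is refused rather than turned into an out-of-bounds write. BN_ULONG is stood in for by a hypothetical 64-bit bn_word, the limb counts are assumptions for a 64-bit build, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for OpenSSL's BN_ULONG on a 64-bit build: one limb. */
typedef uint64_t bn_word;

/* Assumed limb counts: P-192 is three 64-bit limbs; a scratch buffer for
 * an unreduced product of two such values needs twice that. */
#define P192_WORDS     3
#define P192_BUF_WORDS (2 * P192_WORDS)

/* Same copy as the nist_cp_bn() loop quoted above, but the destination
 * capacity is a parameter and a caller asking for more words than fit is
 * rejected instead of writing past the end of buf.
 * Returns 1 on success, 0 on a NULL pointer or an oversized request. */
static int nist_cp_bn_checked(bn_word *buf, size_t buf_words,
                              const bn_word *a, size_t top)
{
    size_t i;

    if (buf == NULL || a == NULL || top > buf_words)
        return 0;
    for (i = 0; i < top; i++)
        buf[i] = a[i];
    /* Clear the unused limbs so buf is a well-formed fixed-width value. */
    for (; i < buf_words; i++)
        buf[i] = 0;
    return 1;
}

/* Copy a constructed 3-limb, P-192-sized value into a 6-limb buffer.
 * Returns 1 if the copy succeeded and the limbs landed where expected. */
int demo_copy_p192(void)
{
    const bn_word a[P192_WORDS] = {        /* constructed sample value */
        0x0123456789abcdefULL, 0xfedcba9876543210ULL, 0x00000000deadbeefULL
    };
    bn_word buf[P192_BUF_WORDS];

    if (!nist_cp_bn_checked(buf, P192_BUF_WORDS, a, P192_WORDS))
        return 0;
    return buf[0] == a[0] && buf[1] == a[1] && buf[2] == a[2]
        && buf[3] == 0 && buf[4] == 0 && buf[5] == 0;
}

/* The caller error the unchecked loop cannot notice: top exceeds the
 * destination. Returns 1 if the request was refused. */
int demo_reject_overrun(void)
{
    const bn_word src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed */
    bn_word buf[P192_BUF_WORDS];

    return nist_cp_bn_checked(buf, P192_BUF_WORDS, src, 8) == 0;
}

int main(void)
{
    printf("P-192 copy into 6-limb buffer: %s\n", demo_copy_p192() ? "ok" : "FAIL");
    printf("oversized copy refused:        %s\n", demo_reject_overrun() ? "ok" : "FAIL");
    return 0;
}
```

The point of the check is diagnostic as much as defensive: a refused copy fails loudly at the call site that got its sizes wrong, which is far easier to bisect than a crash somewhere downstream of a silent overrun.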


----- Original Message ----- From: "Victor Duchovni" <victor.ducho...@morganstanley.com>
To: <openssl-users@openssl.org>
Sent: Friday, December 03, 2010 8:06 AM
Subject: Re: OpenSSL 1.0.0c released


On Fri, Dec 03, 2010 at 09:50:49AM -0500, Erik Tkal wrote:

> That's a pretty bold statement and doesn't always apply in a product
> environment.

I have a production environment. The non-security issues in the unpatched
1.0.0b release create substantial interoperability issues with servers
and clients that support EECDH key agreement. These issues are more
severe than the CVEs fixed in either 1.0.0b or 1.0.0c. Therefore, if you
have deployed 1.0.0b, you really must IMHO upgrade to 1.0.0c.


> I have not deployed 1.0.0b (because of the pending issues); I'm still
> at 1.0.0a and have to decide whether to patch the vulnerabilities,
> or risk updating OpenSSL completely and retesting all of its consumers.

Starting with 1.0.0, the stable release gets no new features, just bug
fixes, so backporting just the CVE patches is not necessary, you can
just deploy 1.0.0c shared libraries (and include files) in the locations
where you previously had 1.0.0a libraries (and include files).

--
Viktor.
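Victor's point is that 1.0.0c can replace 1.0.0a in place; what a consumer then wants is a way to confirm which letter release it actually ended up with. As an added example (not OpenSSL's code), this parses the version string in the form that `openssl version` prints, for instance "OpenSSL 1.0.0c 2 Dec 2010", into comparable components, treating the patch letter as a fourth field (a=1, b=2, ..., none=0). The sample strings are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Parse "OpenSSL 1.0.0c 2 Dec 2010" or "1.0.0c" into major/minor/fix and a
 * patch-letter number (a=1, b=2, ..., 0 when absent). Returns 1 on success,
 * 0 if the string is not in that shape. */
int openssl_parse_version(const char *s, int *major, int *minor, int *fix,
                          int *letter)
{
    const char *prefix = "OpenSSL ";
    int n = 0;

    if (strncmp(s, prefix, strlen(prefix)) == 0)
        s += strlen(prefix);
    if (sscanf(s, "%d.%d.%d%n", major, minor, fix, &n) != 3)
        return 0;
    s += n;
    *letter = 0;
    if (*s >= 'a' && *s <= 'z') {
        *letter = *s - 'a' + 1;
        s++;
    }
    /* After the version only a build date (whitespace), a "-tag" suffix
     * or the end of the string is acceptable. */
    if (*s != '\0' && *s != '-' && !isspace((unsigned char)*s))
        return 0;
    return 1;
}

/* Returns 1 if 'have' is at least 'need', 0 if it is older,
 * -1 if either string cannot be parsed. */
int openssl_at_least(const char *have, const char *need)
{
    int h[4], w[4], i;

    if (!openssl_parse_version(have, &h[0], &h[1], &h[2], &h[3]) ||
        !openssl_parse_version(need, &w[0], &w[1], &w[2], &w[3]))
        return -1;
    for (i = 0; i < 4; i++) {
        if (h[i] != w[i])
            return h[i] > w[i];
    }
    return 1;
}

int main(void)
{
    /* Constructed sample strings in the shape 'openssl version' prints. */
    const char *installed[] = {
        "OpenSSL 1.0.0a 1 Jun 2010",
        "OpenSSL 1.0.0c 2 Dec 2010",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    const char *required = "1.0.0c";
    size_t i;

    for (i = 0; i < sizeof installed / sizeof installed[0]; i++) {
        int r = openssl_at_least(installed[i], required);
        printf("%-28s -> %s\n", installed[i],
               r == 1 ? "at least 1.0.0c" : r == 0 ? "needs upgrade" : "unparsable");
    }
    return 0;
}
```

Feeding it the output of `openssl version` on each host (or the string a linked consumer reports at startup) turns the "did every box really get 1.0.0c" question into a yes/no per host rather than a visual scan of letter suffixes.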
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org