I will check with OpenSSH team on this. Thanks for the info.
Regards,
Sravani
On Mon, Jul 10, 2017 at 12:05 PM, Jeffrey Walton wrote:
> On Mon, Jul 10, 2017 at 2:01 AM, Sravani Maddukuri via openssl-users
> wrote:
> >
> > Is there any plans in the future to get the support of OpenSSL 1.1.0 for
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Monday, July 10, 2017 13:24
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Rejecting SHA-1 certificates
>
> On Mon, Jul 10, 2017 at 08:19:11PM +0200, Niklas Keller wrote:
>
> >
Yes, MY_NID is really NID_whatever. I tried it with putting
OPENSSL_init_crypto(0, NULL); at start of my main().
Did not make any difference…
The Integer value of MY_NID will be printed out and is the correct integer
value.
And i tried another thing. I replaced the two dll-libraries with the ne
On Mon, Jul 10, 2017 at 08:19:11PM +0200, Niklas Keller wrote:
> > What's your threat model, and how does it justify this effort?
>
> The same as for browsers I guess. Could you explain why browsers and Java
> disable SHA1, but it's not worth for me doing so?
The browsers and Java do this becaus
On Mon, Jul 10, 2017 at 10:22 AM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:
>
> > On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote:
> >
> > It's very well worth the effort, otherwise there's a security issue,
> because certificates can be forged.
>
> Collision attacks don't directly le
2017-07-10 19:30 GMT+02:00 Michael Wojcik :
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On
> Behalf Of Niklas Keller
> > Sent: Monday, July 10, 2017 11:12
> > To: openssl-users@openssl.org
> > Subject: Re: [openssl-users] Rejecting SHA-1 certificates
>
>
> > It's very well w
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Niklas Keller
> Sent: Monday, July 10, 2017 11:12
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Rejecting SHA-1 certificates
> It's very well worth the effort, otherwise there's a security issue, bec
> On Jul 10, 2017, at 1:12 PM, Niklas Keller wrote:
>
> It's very well worth the effort, otherwise there's a security issue, because
> certificates can be forged.
Collision attacks don't directly lead to certificate forgery. There are
no known 2nd-preimage attacks on SHA-1.
The previous MD5
>
> > On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote:
> >
> >
> > What's the best way / a working way to reject weak signature schemes in
> OpenSSL 1.0.{1,2}?
>
> Most CAs have stopped issuing SHA-1 certificates. Any old ones will
> expire over the
> next year or two. While Google has demonstr
> On Jul 10, 2017, at 3:45 AM, Niklas Keller wrote:
>
>
> What's the best way / a working way to reject weak signature schemes in
> OpenSSL 1.0.{1,2}?
Most CAs have stopped issuing SHA-1 certificates. Any old ones will expire
over the
next year or two. While Google has demonstrated a SHA-1
Ok, found what happened.
For a reason that remains gloomy to me (I think this is undocumented from
POCO), POCO adds the following dependencies to the vcxproj file:
ws2_32.lib;iphlpapi.lib;libeay32.lib;ssleay32.lib;%(AdditionalDependencies)
I have removed those dependencies and it looks to be ok n
X25519 does not use DH parameters.
If you don’t set the parameters with a callback, or generate them and tell
openssl to use them, then EDH will not be used. Not that EDH is *not* the same
as ECDHE.
Don’t use DH, use X25519, for a number of reasons. Search “25519” to find more.
--
openssl-us
Hi All,
In case no dh params are set and ECDHE-ECDSA type cipher is used, what is
the default size of DH params (what modulus) used on TLS handshake. I see
that X25519 EC is getting used but I am not sure about DH parameters in
that case
Thanks
Best Regards,
Neetish
--
openssl-users mailing list
Morning,
I'm currently trying to reject certificate chains which rely on MD5 and
SHA-1 for signatures. I found SSL_get0_verified_chain which could be used
to walk the chain and reject if there's any MD5 / SHA-1 certificate in
there, except for the last one, which is trusted because of the public k
14 matches
Mail list logo