OpenSSL 3.0.0 beta1 link issues on Solaris 10

2021-07-25 Thread Dennis Clarke via openssl-users
and the library search path however that resulted in a pile of undefined symbols. So then I went and deleted my previous 1.1.1k libs and the openssl binary and tried the manual link once again with success. Not sure if anyone else runs into this but I would hope that the previous libs would not be

Dynamic CRL not working when signed by intermediate CA

2021-07-23 Thread Venkata Mallikarjunarao Kosuri via openssl-users
Hi, Dynamic CRL not working when signed by intermediate CA when ca-file (Trusted CA certs bundle) includes only the intermediate CA that signed the CRL. Because of this the handshake is failing, is there a way to avoid this in OpenSSL 1.0.2s-fips 28 May 2019? Br, Malli

Re: query on key usage OIDs

2021-07-16 Thread Jakob Bohm via openssl-users
Question was how to retrieve those lists for any given certificate, using currently supported OpenSSL APIs. The lists of usage bits and extusage OIDs in any given certificate are finite, even if the list of values that could be in other certificates is infinite. On 2021-07-16 06:44, Kyle

Time for OpenSSL 1.1.1l?

2021-07-07 Thread Short, Todd via openssl-users
The cadence of 1.1.1 release is supposed to be quarterly (I seem to recall reading that somewhere, but I can't find it)? It has been almost 4 months since 1.1.1k (25-March-2021) was released. Are there any plans for 1.1.1l (ell)? -- -Todd Short // tsh...@akamai.com // “One if by land, two if by

Re: email notice [was: Not getting some macros for FIPS]

2021-07-01 Thread Jakob Bohm via openssl-users
orporate filter that automagically adds those. And oh boy! openssl-users having almost 3000 subscribers, that's quite a lot of people to chase down and ensure they have destroyed all copies, I tell ya! "Good luck" is probably an appropriate response ;-) Which is why I have set

Re: openssl 1.1.1k: missing d2i_X509 function prototype

2021-06-30 Thread Konstantin Boyandin via openssl-users
On 01.07.2021 08:04, Viktor Dukhovni wrote: > On Thu, Jul 01, 2021 at 12:36:10AM +, Konstantin Boyandin via openssl-users wrote: > >> OpenSSL version: 1.1.1k. >> >> I noticed that >> >> X509 *d2i_X509(X509 **px, const unsigned char **in, long len);

openssl 1.1.1k: missing d2i_X509 function prototype

2021-06-30 Thread Konstantin Boyandin via openssl-users
Hello, OpenSSL version: 1.1.1k. I noticed that X509 *d2i_X509(X509 **px, const unsigned char **in, long len); function is no longer defined in openssl/x509.h available in 1.0.x versions, the only one available is now X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length); Do I

Hi

2021-06-29 Thread Jean Sweeny via openssl-users

Re: "Expecting: ANY PRIVATE KEY"

2021-06-28 Thread Mariano Gedisman-Córdoba via openssl-users
> On 28.06.2021, at 01:02, Michel wrote: > > Hi Mariano, > > My quick answer : your key file looks like an (old ?) custom *OpenSSH* format > that *OpenSSL* cannot read natively. > You should easily find an OpenSSH command or other free tools to converts > between for

"Expecting: ANY PRIVATE KEY"

2021-06-27 Thread Mariano Gedisman-Córdoba via openssl-users
log in to my Google cloud instance through browser console, and I get the following error: "Error: Failed to read key. The key file must be ECDSA or RSA in PEM format. " I googled how to achieve this, and tried the following on my local machine: $ openssl rsa -in id_rsa.txt -out

Re: Can OpenSSL handle multiple authentication mechanisms on the same SSL context?

2021-06-21 Thread Benjamin Kaduk via openssl-users
On Tue, Jun 22, 2021 at 04:18:25AM +, Revestual, Raffy [AUTOSOL/PSS/MNL] wrote: > Also asked this question in stackoverflow.com > > https://urldefense.com/v3/__https://stackoverflow.com/questions/68077419/can-openssl-handle-multiple-authentication-mechanisms-on-the-same-ssl-

Re: 3.0 beta1 feedback about (shared) library names

2021-06-21 Thread Benjamin Kaduk via openssl-users
dpkg -S /usr/lib/x86_64-linux-gnu/libssl3.so > libnss3:amd64: /usr/lib/x86_64-linux-gnu/libssl3.so > something up there that should be concerning, because maybe it will cause > confusion. NSS is the mozilla TLS stack, used by firefox/etc. > My newly installed openssl 3 has: > > %ls

Re: reg: question about SSL server cert verification

2021-06-19 Thread Jakob Bohm via openssl-users
On 2021-06-18 17:07, Viktor Dukhovni wrote: On Fri, Jun 18, 2021 at 03:09:47PM +0200, Jakob Bohm via openssl-users wrote: Now the client simply works backwards through that list, checking if each certificate signed the next one or claims to be signed by a certificate in /etc/certs.  This

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 16:23, Michael Wojcik wrote: From: openssl-users On Behalf Of Jakob Bohm via openssl-users Sent: Friday, 18 June, 2021 07:10 To: openssl-users@openssl.org Subject: Re: reg: question about SSL server cert verification On 2021-06-18 06:38, sami0l via openssl-users wrote: I

Re: reg: question about SSL server cert verification

2021-06-18 Thread Jakob Bohm via openssl-users
On 2021-06-18 06:38, sami0l via openssl-users wrote: I'm curious how exactly an SSL client verifies an SSL server's certificate which is signed by a CA. So, during the SSL handshake, when the server sends its certificate, will the SSL client first check the `Issuer`'s `CN` fiel

reg: question about SSL server cert verification

2021-06-17 Thread sami0l via openssl-users
I'm curious how exactly an SSL client verifies an SSL server's certificate which is signed by a CA. So, during the SSL handshake, when the server sends its certificate, will the SSL client first check the `Issuer`'s `CN` field from the x509 SSL certificate that it received for example, and comp

Re: openssl verify question

2021-06-17 Thread Jakob Bohm via openssl-users
On 2021-06-17 15:49, Viktor Dukhovni wrote: On Sat, Jun 12, 2021 at 10:20:22PM +0200, Gaardiolor wrote: When I compare those, they are exactly the same. But that's the thing, I think server.sig.decrypted should be prepended with a sha256 designator 30 31 30 0d 06 09 60 86 48 01 65 03 04 02 01 0

Re: using the DSA signature algorithm of OpenSSL

2021-06-14 Thread Elmar Stellnberger via openssl-users
Oops, forgot to sha1; now it works. Am 14.06.21 um 11:20 schrieb Elmar Stellnberger via openssl-users:   I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very short RFC).   As far as I could try it out

using the DSA signature algorithm of OpenSSL

2021-06-14 Thread Elmar Stellnberger via openssl-users
I wanna use the DSA signature algorithms of OpenSSL to verify RRSIG and DNSKEY DNSSEC resource records. This is described in RFC2536 (a very short RFC). As far as I could try it out (see my attachment) there are two ways to sign and verify with OpenSSL/DSA: via the EVP interface and via

Re: enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Jan Schaumann via openssl-users wrote: > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Same for TLS 1.2, btw. (I accidentally copied the default output when writing the email.) -Jan

enforce ALPN overlap?

2021-06-09 Thread Jan Schaumann via openssl-users
Hello, Based on https://alpaca-attack.com/, I was looking at how a TLS connection with ALPN set to e.g., "banana" by the client to a server that has ALPN set to "h2" would behave. For example: $ openssl s_server -www -accept 443 -alpn h2 \ -key /tmp/key.pem -cer

Best practice for distributions that freeze OpenSSL versions and backports

2021-06-08 Thread Jakob Bohm via openssl-users
Dear team, It would be nice if there was a user- and security-friendly best practice document for distributions (such as Linux distributions) that freeze on an OpenSSL release version (such as 1.1.1z) and then backport any important fixes. Perhaps something like the following: 1. The

Checking a single signature from several in S/MIME

2021-06-08 Thread Laurent Blume via openssl-users
er, not all of them? // Signing openssl smime -binary -sign -nodetach -in file -out file.signed -inkey key1.pem -signer cert1.pem -inkey key2.pem -signer cert2.pem // this command fails with "signer certificate not found" openssl smime -binary -verify -nointern -noverify -certfile cert

Re: FW: X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-06-01 Thread Jakob Bohm via openssl-users
h "default" X509_VERIFY_PARAM From: openssl-users On Behalf Of Graham Leggett via openssl-users Sent: Friday, 28 May, 2021 06:30 I am lost - I can fully understand what the code is doing, but I can’t see why openssl only trusts certs with “anyExtendedKeyUsage”. Interesting. I wondered if thi

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
I have never had a break in. The Fortinet 60E firewall does an amazing job. I will just leave it up to Ubuntu to provide the best OpenSSL solutions. Many people complain Ubuntu LTS is never on the latest kernel and lacks other things the 9 month distros like 21.04 and 21.10 give you. I

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
cryptology. The OpenSSL bugs state to upgrade beyond 1.1.1f. -Original Message- From: openssl-users On Behalf Of Mauricio Tavares Sent: Monday, May 31, 2021 7:45 AM To: openssl-users@openssl.org Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the l

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
Keijser ; openssl-users@openssl.org Subject: Re: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux? If you use a supported distro (i.e., one that is not out of life) then the distro is expected to supply CVE issue fixes in form of updates. They us

RE: Why can't we get a proper installation method to keep OpenSSL at the latest revision for Linux?

2021-05-31 Thread Michael McKenney via openssl-users
My wordpress servers are under constant attack. My Fortinet 60E firewall logs are filled. Openssl is constantly reported on The Hacker News and other sites. So I don't need to worry about upgrading OpenSSL in the future to 1.1.1k or above? I can just use what the distro has to off

X509_verify_cert() rejects all trusted certs with "default" X509_VERIFY_PARAM

2021-05-28 Thread Graham Leggett via openssl-users
b.com/openssl/openssl/blob/master/crypto/x509/x509_trs.c#L72 int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; int idx; /* We get this as a default value */ if (id == X509_TRUST_DEFAULT) return obj_trust(NID_anyExtendedKeyUsage, x,

Re: Support for ECDH One-pass in "openssl cms enc"

2021-05-24 Thread Henning Krause via openssl-users
Hi, after studying the different key generator functions more closely I came to the conclusion that, since the Prime256 curve has a cofactor of 1, both KDF should produce the same value and so everything has cleared up. Kind regards, Henning From: openssl-users

Support for ECDH One-pass in "openssl cms enc"

2021-05-23 Thread Henning Krause via openssl-users
Hi, I'm trying to encrypt an email using the ECDH One-Pass algorithm. I've first created an X509 certificate with an EDSA key based on the curve prime256v1. Then, I ran this command: openssl cms -encrypt -in Unencrypted.eml -binary -recip ecc.cer -aes256 -keyopt ecdh_kdf_md:sha2

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
of the following diagnostic commands (after Ubuntu apparently undid your upgrade). $ dpkg --status libssl1.1 $ dpkg --status libssl-dev $ dpkg --status openssl $ type openssl $ openssl version -a $ ls -alF /usr/lib/x86_64-linux-gnu/libssl* $ ls -alF /usr/locallib/libssl* Oops, my bad, should have

Secure Heap Usage for EC private key

2021-05-21 Thread Barry Fussell (bfussell) via openssl-users
Long shot if someone may know. Secure heap was added long ago for private keys for RSA, DSA and DH however EC key generation does not seem to be included. I see some other EC functions that use secure heap and I also noticed that the CHANGES file stated: "Add secure heap for storage of private k

Re: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f. Usually Ubuntu upgrades don’t break it.

2021-05-21 Thread Jakob Bohm via openssl-users
On 2021-05-19 19:56, Michael McKenney wrote: I installed Openssl 1.1.1k and Ubuntu 20.04 did an upgrade and reverted it back to 1.1.1f.   Usually Ubuntu upgrades don’t break it. OpenSSL 1.1.1f  31 Mar 2020 (Library: OpenSSL 1.1.1k  25 Mar 2021) built on: Thu Apr 29 14:11:04 2021 UTC

OpenSSL version 3.0.0-alpha17 published

2021-05-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 17 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 17 has now been made

SHA digest differences in version 1.0 and 1.1.1

2021-05-14 Thread openssl . org
Hi, I am working with some legacy code which was written to use openssl version 1.0. I am trying to make it work with openssl version 1.1.1 but the following line returns NULL.     const EVP_MD* messageDigest = EVP_get_digestbyname("sha"); I changed it to the following.     co

OpenSSL version 3.0.0-alpha16 published

2021-05-06 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 16 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 16 has now been made

Switch hangs for significant amount of time when using RAND_write_file API with openssl version 1.1.1h and above.

2021-05-06 Thread Sravani Maddukuri via openssl-users
Hi, I have updated the openssl version running on the switch from 1.1.1g to 1.1.1h and eventually to 1.1.1k. Starting 1.1.1h, I am observing that the switch hangs for a significant amount of time (> 3 minutes) when the call RAND_write_file is invoked from the switch software. The same c

Request Assistance::No X509TrustManager implementation available

2021-04-30 Thread K V Rao via openssl-users
Dear Sir/Madam, Greetings for the day! We have provided an application which invokes https URL. App server used is TOMCAT. The team who administers the application installed certificates under CACERTS. The certificate is available in a .JKS file. Now the application works well for some

Re: Linker failure after compilation with "enable-crypto-mdebug"

2021-04-28 Thread Robert Smith via openssl-users
M EDT, Jan Just Keijser wrote: Hi, On 26/04/21 20:29, Robert Smith via openssl-users wrote: Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:

Linker failure after compilation with "enable-crypto-mdebug"

2021-04-26 Thread Robert Smith via openssl-users
Hello everyone. I'm trying to recompile OpenSSL version 1.1.1k under Windows 10 with the following configuration flag enable-crypto-mdebug and getting the following linker error:    Creating library apps\openssl.lib and object apps\openssl.expopenssl.obj : error LNK2019: unresolved ext

OpenSSL version 3.0.0-alpha15 published

2021-04-22 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 15 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 15 has now been made

req command with -multivalue-rdn set

2021-04-19 Thread Alberto Martin via openssl-users
I'm trying to create a certificate request with a multivalue RDN which involves CN+UID. I achieved the encoded multi-value RDN, but I want the UID being encoded first and then the CN. I always get the CN first, no matter what I put in the -subj "/CN=value+UID=value" or "/UID=value+CN=value". Changi

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-16 Thread Bala Duvvuri via openssl-users
/implementations/rands/test_rng.c and the code to run NIST test. Still finding it a bit difficult to wrap around these new APIs In the old implementation using OpenSSL 1.1.1, to generate random numbers: a> we have set the callback for custom entropy (using RAND_DRBG_set_callbacks) for

Re: PKCS7_decrypt vs RSA OAEP padding

2021-04-15 Thread Jakob Bohm via openssl-users
On 2021-04-15 12:57, Michal Moravec wrote: Follow-up on my previous email: I modified my proof-of-problem program to load PKCS7 file into PKCS7 and convert it to CMS_ContentInfo using the BIO (See convert.c in the attachment). It is similar to this: handle_encrypted_content(SCEP *handle, SC

Re: OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-04-14 Thread Bala Duvvuri via openssl-users
s invoked for the entropy/nonce consumption (any specific callbacks set)? Can you please explain the steps or example of the usage? 2> Also, we need set DRBG for CAVS test (Input: EntropyInput, Nonce, PersonalizationString, AdditionalInput, EntropyInputPR, AdditionalInput, EntropyInputPR),

Strange warnings while linking to openssl version 1.1.1k

2021-04-12 Thread Robert Smith via openssl-users
Hi, I am getting the following warning while linking my app to openssl version 1.1.1k. Could you advise what can cause these warnings and how to resolve them? Thanks ../../../artifacts/openssl/arm3531/lib/libcrypto.a(async_posix.o): In function `ASYNC_is_capable': async_posix.c:(.text

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Robert Smith via openssl-users
te.cpp:202: undefined reference to `X509_set_notAfter' Any idea? On Friday, April 9, 2021, 04:13:32 PM EDT, Benjamin Kaduk wrote: They are macros now.  You should still be able to build code that uses them. -Ben On Fri, Apr 09, 2021 at 08:03:28PM +, Robert Smith via openssl-users wrot

Re: Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Benjamin Kaduk via openssl-users
They are macros now. You should still be able to build code that uses them. -Ben On Fri, Apr 09, 2021 at 08:03:28PM +, Robert Smith via openssl-users wrote: > Hello, > I am porting application from openSSL version 1.0.2u to 1.1.1k and linker > complains that symbols X509_set_not

Symbols X509_set_notAfter and X509_set_notBefore are missing

2021-04-09 Thread Robert Smith via openssl-users
Hello, I am porting application from openSSL version 1.0.2u to 1.1.1k and linker complains that symbols X509_set_notAfter and X509_set_notBefore are missing. I've checked both versions 1.0.2u and 1.1.1k and I see that these symbols really are not present in 1.1.1k.  user@ubuntu_dev_vm:~/

OpenSSL version 3.0.0-alpha14 published

2021-04-08 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 14 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 14 has now been made

Compilation issue with 1.1.1k version

2021-04-07 Thread Boris Shpoungin via openssl-users
Hello, I am using cross compiler toolchain (arm-hisiv200-linux-gnueabi) to compile openssl library for arm based custom board. I had no problems to compile version 1.1.1a, however I am having troubles to compile versions 1.1.1i and 1.1.1k: ${LDCMD:-arm-hisiv200-linux-gnueabi-gcc} -pthread -Wa

Re: Using SSL_CTX_set_min_proto_version

2021-04-07 Thread Tamara Kogan via openssl-users
> From: Matt Caswell > Subject: Re: Using SSL_CTX_set_min_proto_version > Date: April 6, 2021 at 2:13:02 PM EDT > To: openssl-users@openssl.org > > > On 06/04/2021 18:45, Tamara Kogan via openssl-users wrote: >> Hello, >> In our client application we are try

Using SSL_CTX_set_min_proto_version

2021-04-06 Thread Tamara Kogan via openssl-users
Hello, In our client application we are trying to set TLS 1.2 in ClientHello message. The OpenSSL version is 1.1.1h We use the function SSL_CTX_set_min_proto_version(ssl->ctx, TLS1_2_VERSION); If I test the version right after setting it does return 1.2 SSL_CTX_get_proto_version(ssl->

stunnel 5.59 released

2021-04-05 Thread Michał Trojnara via openssl-users
Dear Users, I have released version 5.59 of stunnel. ### Version 5.59, 2021.04.05, urgency: HIGH * Security bugfixes   - OpenSSL DLLs updated to version 1.1.1k. * New features   - Client-side "protocol = ldap" support (thx to Bart     Dopheide and Seth Grover). * Bugfixes   - The

Re: Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-05 Thread Boris Shpoungin via openssl-users
er it describes ALL required modification? On Monday, April 5, 2021, 03:57:36 PM EDT, Viktor Dukhovni wrote: > On Apr 5, 2021, at 11:16 AM, Boris Shpoungin via openssl-users > wrote: > > Is there minimal requirements for Linux kernel for usage of openssl library > versio

Porting to version 1.1.1 with old Linux kernel 3.0.8

2021-04-05 Thread Boris Shpoungin via openssl-users
Hello, Is there minimal requirements for Linux kernel for usage of openssl library version 1.1.1? I have old application based on Linux kernel 3.0.8 which uses openssl version 1.0.2. My question is whether it is possible to port this application to use openssl version 1.1.1 in Linux 3.0.8

Australia's DTCA/DSGL Criminalisation of Encryption based Technologies.

2021-03-30 Thread openssl
...I do actually have Australian Department of Defence, Defence Export Control, approval for FooStegCypher.   FooCrypt.6.0.0.Core provides you with the total peace of mind over the SECURITY & PRIVACY of YOUR DATA. FooCrypt.6.0.0.OpenSSL utilises OpenSSL 1.1.1(a-k) & 3.0.0.Alpha13

Unable to load the FIPs config file OpenSSL 3.0

2021-03-30 Thread Bala Duvvuri via openssl-users
ail:crypto/provider_core.c:557:name=fips 00FFF2406000:error:076D:configuration file routines:(unknown function):module initialization error:crypto/conf/conf_mod.c:242:module=providers, value=provider_sect retcode=-1 Version: OpenSSL 3.0.0-alpha13 11 Mar 2021 ~ # ls -lrt providers/ -rwxrwxrwx

FIPs algorithm code vs default implementation

2021-03-28 Thread Bala Duvvuri via openssl-users
Hi All, This is a basic question regarding FIPs algorithm code in OpenSSL 3.0, can you kindly let me know: 1> Can you please help to understand the differences in the FIPs algorithm implementation code vs default? Are there additional validations performed in FIPs code? Can

libcrypto.a and FIPs module in OpenSSL 3.0

2021-03-26 Thread Bala Duvvuri via openssl-users
Hi All, We build the "crypto" code in OpenSSL to generate "libcrypto.a" for MIPs platform. Our application links statically with "libcrypto.a" and uses the OpenSSL crypto API's accordingly. With this compilation model, will it be feasible to integrate with

OpenSSL Security Advisory

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [25 March 2021] = CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) Severity: High

OpenSSL version 1.1.1k published

2021-03-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1k released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1k of our open

OpenSSL 3.0 - providing entropy to EVP_RAND ?

2021-03-23 Thread Bala Duvvuri via openssl-users
Hi All, In OpenSSL 1.1.1 version, we were using RAND_DRBG for random number generation. Using "RAND_DRBG_set_callbacks", we were able to call into our custom API for entropy and nonce generation. How can this be achieved with EVP_RAND implementation i.e. does it allow entropy to b

OpenSSL version 3.0.0-alpha13 published

2021-03-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 13 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 13 has now been made

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-08 Thread Benjamin Kaduk via openssl-users
make an EVP_PKEY with > > EC group parameters at > > https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 > > but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY > > (and possibly OSSL_PKEY_PARAM_PUB_KEY; I forget if you need > > to pass bot

Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string

2021-03-07 Thread Benjamin Kaduk via openssl-users
Hi Stephen :) The API you'll want to use is EVP_PKEY_fromdata(); there's a stubbed out example of using it to make an EVP_PKEY with EC group parameters at https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 but the translation to also specify OSSL_PKEY_PARAM_PRI

Re: Query on SSL Mutual Authentication on Server

2021-03-02 Thread Jakob Bohm via openssl-users
if (calist == NULL) { /* log error loading client CA names */ } SSL_CTX_set_client_CA_list(server_ctx, calist); If yes, Is it expected to do the IP or hostname validation? Neither, authorization of the client is up to you. OpenSSL will check the dates, validity of the signa

Re: PEM file line size

2021-02-25 Thread Benjamin Kaduk via openssl-users
On Thu, Feb 25, 2021 at 03:30:43PM -0800, Frank Liu wrote: > Looking at test cases > https://urldefense.com/v3/__https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/test/recipes/04-test_pem.t__;!!GjvTz_vk!A42D2c2brOwptas6T1iBt9i7pMWhwehkKAmeCuILgR-6iv5n0TQPQ6tkkVgG9A$ >

Re: ASN.1 encoding error

2021-02-25 Thread John Robson via openssl-users
hat I am seeing. Thanks, John On Thu, 25 Feb 2021 at 17:29, Benjamin Kaduk wrote: > That sounds like the certificate is encoded using ASN.1 BER rules, that > openssl > accepts, but the python library is insisting on DER encoding (per the > spec). > > -Ben > > On Thu, Feb 25

Re: ASN.1 encoding error

2021-02-25 Thread Benjamin Kaduk via openssl-users
That sounds like the certificate is encoded using ASN.1 BER rules, that openssl accepts, but the python library is insisting on DER encoding (per the spec). -Ben On Thu, Feb 25, 2021 at 05:19:32PM +, John Robson via openssl-users wrote: > Hi all, > > I'm encountering an error

ASN.1 encoding error

2021-02-25 Thread John Robson via openssl-users
', 'illegal padding'), ('asn1 encoding routines', > 'asn1_template_noexp_d2i', 'nested asn1 error'), ('asn1 encoding routines', > 'asn1_template_noexp_d2i', 'nested asn1 error'), ('SSL routines', > 'tls_proce

stunnel 5.58 released

2021-02-20 Thread Michał Trojnara via openssl-users
(thx to Martin Stein).   - Fixed a double free with OpenSSL older than 1.1.0 (thx to     Petr Strukov).   - OpenSSL DLLs updated to version 1.1.1j. * New features   - New 'protocolHeader' service-level option to insert custom     'connect' protocol negotiation headers.  This feat

OpenSSL version 3.0.0-alpha12 published

2021-02-18 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 12 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 12 has now been made

OpenSSL Security Advisory

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL Security Advisory [16 February 2021] Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841) Severity: Moderate

OpenSSL version 1.1.1j published

2021-02-16 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 1.1.1j released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1j of our open

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
: *openssl-users-bounce on behalf of openssl-users *Organization: *WiseMo A/S *Reply-To: *Jakob Bohm *Date: *Thursday, January 28, 2021 at 21:10 *To: *openssl-users *Subject: *Re: Encoding of AlgorithmIdentifier with NULL parameters Also note that the official ASN.1 declaration for

Re: Encoding of AlgorithmIdentifier with NULL parameters

2021-01-28 Thread Jakob Bohm via openssl-users
wrote: I am trying to provide a test certificate generated by openssl-3.0.0-alpha10 to a third party certificate parser/manager. This software expects AlgorithmIdentifier to either have parameters or to have null encoded (05 00) parameters which seems to be missing in the certificate. Cer

OpenSSL version 3.0.0-alpha11 published

2021-01-28 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 3.0 alpha 11 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 11 has now been made

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If that is a hypothetical context, what context is the official design goal of the OpenSSL Foundation for their validation effort? On 2021-01-28 11:26, Tomas Mraz wrote: This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If the context does not limit the use of higher level compositions, then OpenSSL 3.0 provides no way to satisfy the usual requirement that a product can be set into "FIPS mode" and not invoke the non-validated lower level algorithms in the "default" provider. The usual contex

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
ode can be easily achieved with OpenSSL 3.0 - either by loading just the fips and base provider, or by loading both default and fips providers but using the "fips=yes" default property (without the "?"). The PKCS12KDF does not work because it is not an FIPS approved KDF algorithm s

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
Does that mean that OpenSSL 3.0 will not have a true "FIPS mode" where all the non-FIPS algorithms are disabled, but the FIPS-independent schemes/protocols in the "default" provider remains available? Remember that in other software systems, such as OpenSSL 1.0.x and MS

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These

Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Benjamin Kaduk via openssl-users
X.509-conformant certificates). > > Thanks > > Regards, > Uri > > > On Jan 20, 2021, at 19:26, Kaduk, Ben wrote: > > > > No. OpenSSL does not include any CBOR protocol support. > > I'm also not sure what you mean by "CBOR-encoded certificate"

Re: Parsing and generating CBOR certificates?

2021-01-20 Thread Kaduk, Ben via openssl-users
No. OpenSSL does not include any CBOR protocol support. I'm also not sure what you mean by "CBOR-encoded certificate"; I don't know of any such thing other than https://datatracker.ietf.org/doc/draft-mattsson-cose-cbor-cert-compress/ which is very much still a wor

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
ck with the Finished-based channel bindings; the exporter > > interface is a new protocol mechanism and the whole protocol/ecosystem has > > to be expecting to use it. > > Right. So we have implementations out there using it; will the OpenSSL > project consider promoting it to suppor

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
On Mon, Jan 11, 2021 at 09:26:30PM +, Jeremy Harris wrote: > On 11/01/2021 08:20, Benjamin Kaduk wrote: > > Current recommendations are not to use the finished message as the channel > > binding but instead to define key exporter label for the given usage > > (see > > https://urldefense.com/v3

Re: Fwd: channel binding

2021-01-11 Thread Benjamin Kaduk via openssl-users
On Sun, Jan 10, 2021 at 02:44:38PM +, Jeremy Harris wrote: > Hi, > > What is the status of SSL_get_finished() / SSL_get_peer_finished() ? > > I do not find them documented at > > https://urldefense.com/v3/__https://www.openssl.org/docs/manmaster/man3/__;!!GjvTz_vk!FUYwEktTkE4ZmFeJKSFeBQe32

Re: Random and rare Seg faults at openssl library level

2021-01-08 Thread Jakob Bohm via openssl-users
On 2021-01-07 18:05, Ken Goldman wrote: On 1/7/2021 10:11 AM, Michael Wojcik wrote: $ cat /etc/redhat-release && openssl version CentOS Linux release 7.9.2009 (Core) OpenSSL 1.0.2k-fips  26 Jan 2017 Ugh. Well, OP should have made that clear in the original message. And this is on

OpenSSL version 3.0.0-alpha10 published

2021-01-07 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 OpenSSL version 3.0 alpha 10 released = OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 3.0 is currently in alpha. OpenSSL 3.0 alpha 10 has now been made

URI with commas in crlDistributionPoints

2021-01-04 Thread Andrew via openssl-users
erent computer with OpenSSL 1.1.1i for root CA key generation and intermediate CA signing, not WSL. I'm trying to sign the intermediate certificate, but I get this error: $ openssl ca -batch -in subca.req -extensions v3_subca -config ca.conf Using configuration from ca.conf Error Loading extensi

Re: Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-31 Thread Patrick Jakubowski via openssl-users
KEY public/private keypair and then overrides it with the server public key, so the generation was a waste anyway. Instead, it should create a parameters-only EVP_PKEY. (This is a consequence of OpenSSL using the same type for empty key, empty key with key type, empty key with key type + parameters,

Failing unit tests after adding public key check to pkey_ec_derive()

2020-12-29 Thread Patrick Jakubowski via openssl-users
Hi all, I've been tasked with making some modifications to OpenSSL 1.1.1 in order to bring it into compliance with FIPS 140-2. One of the items on the to-do list was to implement the required key agreement scheme assurances specified in NIST SP.800-56Ar3 Section 9. This involves performing

BIO_s_file() and files that are larger than int - how is overflow handled?

2020-12-24 Thread Graham Leggett via openssl-users
Hi all, According to the manpage at https://www.openssl.org/docs/man1.1.0/man3/BIO_s_file.html the macro BIO_tell() casts to int: /opt/local/include//openssl/bio.h:# define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) What happens if the file being parsed is larger than can fit in

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-17 Thread Sands, Daniel via openssl-users
From: Narayana, Sunil Kumar Sent: Thursday, December 17, 2020 8:17 AM To: Sands, Daniel ; openssl-users@openssl.org Subject: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0 Hi, For the equivalent replacement of DH_compute_key in 3.0, we tried to perform the steps

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-16 Thread Sands, Daniel via openssl-users
version. Note that the inputs are the same in both scenarios. The generated key should be random. So unless you seed your PRNG with a constant value, you should always generate a different public/private keypair. Between OpenSSL versions, the PRNG may have changed, so I would not depend on them to

p12 bundle for Android (WiFi EAP-TLS)

2020-12-16 Thread Kostya Berger via openssl-users
Hello, everyone! I'm creating a p12 bundled certificate (I used it for Android phone). Used both easyrsa command and, alternatively, openssl command as shown in many manuals, like this: openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "name" -out cli

RE: [EXTERNAL] RE: DH_compute_key () - replacement in 3.0

2020-12-15 Thread Sands, Daniel via openssl-users
We have generated the key using EVP_PKEY_gen as suggested in earlier emails, but since this was non-ephemeral and we wanted to store the key in "raw" octet bytes, we extracted the whole DH priv/pub key pair from the key generated via EVP_PKEY_gen ( using as suggested… EVP_PKEY

RE: DH_compute_key () - replacement in 3.0

2020-12-14 Thread Sands, Daniel via openssl-users
to exactly replace this we are generating “pubparam_key/priparam_key” using bn_publicKey/dh->priv_key as below OSSL_PARAM_BLD *pubparamsbld = NULL, priparamsbld = NULL; OSSL_PARAM *pubparams = NULL, priparams = NULL; EVP_PKEY *pubparam_key = NULL, *priparam_key = NULL; EVP_PKEY_CTX *pubctx =
