Hello ,
I use openssl 1.1.1 and cannot find function :
lh_X509_NAME_free, lh_X509_NAME_insert, lh_X509_NAME_retrieve referenced in
function _SSL_load_client_CA_file in file ssl_cert.c
Please help me to solve this problem
Mark
--
openssl-users mailing list
To unsubscribe: https
On 16/10/2018 16:39, Dmitry wrote:
Hello!
I have a C++ programme, ECDSA key pair and some string to sign. The
programme generates signature and saves it into a file
(signature.bin). Then I check the validity of the signature via the
following command:
openssl dgst -verify ec_public.pem
ptoms with:
$ openssl s_client -requestCAfile bundle.pem -connect localhost:12345
Running this under a debugger the failure happens at certificate #143
because the client hello packet overflows its maximum allocation:
$6 = {
buf = 0x000100724200
staticbuf = 0x
curr =
* I want to use fips certify crypto libs. Is it possible to use crypto lib
from Openssl-fips 2.0.16 and ssl lib from Openssl1.1.1?
No, it is not possible. The current FIPS code only works with 1.0.2. The
project is working on a new FIPS module. You can find some details at the
blog
xtrabackup so the final size should be smaller for the current time.
The documentation on this by the backup software provider is very
simplistic and simply pipes the stream of data through openssl and
then gzip:
mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc
-aes-25
As with essentially all open source software, there is no warranty with OpenSSL.
Having said that, people use the OpenSSL applications for all sorts of things,
including what you are doing.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 10/10/2018 13:55, RudyAC wrote:
Hello,
when verifying a signed email with CMS_verify() the verification failed.
That is not the main problem.
My problem is that the out data is empty. Using the library I got following
error:
OpenSSL Error code all:<772382878d>
OpenSSL Error co
example.com
(b) CN=example.com
and subjectAltName = DNS:example.com, DNS:*.example.com
(c) CN=example.com
and subjectAltName = DNS:*.example.com, DNS:example.com
(d) CN=hello world
and subjectAltName = DNS:example.com, DNS:*.example.com
Thanks,
Walter
--
openssl-users mailing
hould be expected behaviour:
> * max_path_length=n (initialisation)
> * max_path_length=n-1 (first decrement)
> * max_path_length=0 (copied from root certificate constraint)
> * VERIFY(max_path_length>0) error upon preparing transition from i=1
> (Root) to i=2 (EvilCA).
>
> Open
Could that be LibreSSL? (Or some similar wrapper for OpenSSL?)
https://github.com/Ruzzz/LibreSSL
This above repo creates libraries in the named format below; to match how
Microsoft provides multiple versions of libraries.
Looks to be debug (d) and multi-thread (MT?) versions of the libraries
>This is not correct.
Thanks for the corrections, Matt.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic).
I'll leave on that weak pun.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On 04/10/2018 17:38, Salz, Rich wrote:
What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?
Poor locking; been known to crash.
Simple bug, not a reason to change the algorithm.
Does not reseed.
But can be reseeded if so de
>What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other
than not being an NSA/NIST design?
Poor locking; been known to crash.
Does not reseed.
Global across the process, rather than isolated for private-key generation or
per-connection.
Mixes in getpid and time to get
On 04/10/2018 17:14, Salz, Rich via openssl-users wrote:
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded. 1.1.1 has a good random number generator and auto-seeds.
What's supposedly bad about the 1.0.x/1.1.0 OpenSS
Which version of OpenSSL are you using?
1.0.2 and 1.1.0 have a bad random number generator and must be explicitly
seeded. 1.1.1 has a good random number generator and auto-seeds.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
ion file?
>
> On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users <
> openssl-users@openssl.org> wrote:
>
> >
> >- The debug logs display two "SSL-Session" blocks in a full handshake.
> >
> > Only one "SSL-Session" block is d
nt may resume with a different session, and therefore
prevent an observer from “linking” two different activities.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
To update this thread. Please follow the commentary on the
https://github.com/OpenSC/libp11/issues/249
From: "Blumenthal, Uri - 0553 - MITLL"
Date: Friday, September 21, 2018 at 5:07 AM
To: "Paras Shah (parashah)" , "openssl-users@openssl.org"
Cc: Nicola
Subjec
I opened the issue https://github.com/openssl/openssl/issues/7258
Also, opened issue https://github.com/OpenSC/libp11/issues/249
and https://github.com/opendnssec/SoftHSMv2/issues/417
Found the root cause to be the openssl version 1.1.1 that was used to compile
the engine_pkcs11 and SoftHSM
It's hard enough for the openssl team to document the basic config/build
things, let alone all the operating systems and vendor-supplied stuff.
Perhaps a wiki page, that the community could help maintain?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/lis
if by land, two if by sea, three if by the Internet."
On Sep 17, 2018, at 4:20 PM, Neil Craig
mailto:neil.cr...@bbc.co.uk>> wrote:
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don¹t see an error
when running
t 1:04 PM, Viktor Dukhovni
mailto:openssl-us...@dukhovni.org>> wrote:
On Sep 16, 2018, at 11:44 AM, Murugaiyan Perumal via openssl-users
mailto:openssl-users@openssl.org>> wrote:
dso_dlfcn.c:84:12: fatal error: dlfcn.h: No such file or directory
# include
http://w
>The users who delay or block automatic updates tend to greatly overlap
with the users who actively block remote telemetry of their update
habits, thus skewing such statistics of "get almost full coverage within
a month or two".
But not downloads. :)
Shrug.
--
two, for example. Edge hasn't shipped TLS 1.3
yet. Safari encourages auto-update. That's most of the browser market.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Sure. I will open the issue.
From: Nicola
Date: Monday, September 17, 2018 at 10:05 PM
To: "Paras Shah (parashah)" , "openssl-users@openssl.org"
Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys
fail.
Would it be possible for you to open this a
This is factually incorrect; the TLS values are lower than the FIPS values, for
example. And also, what “everyone in the know” has always stated isn’t really
true any more.
It would be nice to keep politics out of this list.
--
openssl-users mailing list
To unsubscribe: https
I had the same doubt. I have x-posed this question on the opensc mailing list
as well.
On 9/17/18, 3:37 PM, "openssl-users on behalf of Matt Caswell"
wrote:
Perhaps the pkcs11 engine does not support ed25519 keys?
Matt
On 17/09/18 22:05, Paras Shah (par
That is not it. It results in the same error for the EC key.
It is not the URL or the ID. Because for a RSA key in the softhsm with id =
, it works fine with url containing id=%33%33
$ openssl pkey -in
"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b75
I get the following error when I try to access the ed25519 key stored in
SoftHSM via the openssl engine interface using engine_pkcs11.
[]:~$ openssl pkey -in
"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%2
I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to
use these keys from openssl CLI using the pkcs11 engine, it fails.
1. SoftHSM version
[]:~$ softhsm2-util --version
2.5.0rc1
2. SoftHSM token init
[]:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.
Hi,Am trying to build the openssl source for QNX 6.5/6.6 OS. I have tried to
build after the instructions given in internet.
1. QNX 6.6 build environment variable is set. 2. Executed below command.
sh-3.1$ ./Configure QNX6 shared --prefix=./qnx660/release
--openssldir=./qnx660/release
3. make
Much work for little gain and purpose.
You can mix drafts, but mixing the draft and the official version is hard,
there's too many semantic changes (e.g., around fallback vs
no-fallback-protection).
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/lis
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote:
> On 13/09/2018 09:57, Klaus Keppler wrote:
> >Hi,
> >
> >thank you for all your responses.
> >
> >I've just tested with Firefox Nightly 64.0a1, and both s_server and our
> >own app (u
goal, as stated.--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
On Wed, Sep 12, 2018 at 03:50:17PM +0200, Klaus Keppler wrote:
> Hi,
>
> when I create a TLS-1.3-only "web" server with s_server (from OpenSSL
> 1.1.1-release), Firefox/Chrome can't access it.
> According to all docs I've read so far, the TLS 1.3 implementat
On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote:
> On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users
> wrote:
> > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote:
> > > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:
; > Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server
> > -max_protocol TLSv1.3 -no_comp -rev -engine ossltest -ext_cache -accept
> > [::1]:0 -cert ../../apps/server.pem -cert2 ../../apps/server.pem -naccept 1
> > -cipher AES128-SHA -ciphersuites TLS_AES_128_GCM_
>So Openssh, NTPd, MOd_pagespeed have to adopt OPEnssl 1.1X API
in order to use TLS 1.3 .
Yes.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.1 of our open
OpenSSL does not use *any* certificate store, on any platform, it is up to the
applications to do what they need.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS
mode (FIPS_mode_set(1)) if the FIPS registry entry
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled
is set to 1?
This is to emulate the Linux behavior - if I understand correctly, if
check something--I was wrong about something--&outlen
is not incremented inside of openssl--so you have to keep another
variable to which you add outlen and use that to set the read/write
pointer in outbuf.
--Sam
On Wed, Sep 5, 2018 at 10:04 AM Sam Habiel
mailto:sam.hab...@gmail.com>> wro
)
Result: FAIL
make[1]: *** [_tests] Error 1
make: *** [tests] Error 2
I first ran:
./Configure --prefix=/usr/local shared darwin64-x86_64-cc
enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3
then
make depend
then: make test
macOS X 10.7.5
Any suggestions?
Thanks,
James.--
openssl-users mailing
>Gotcha. In that case why does it get built on Mac? I.e., why doesn’t the build
>process exclude it automatically?
Beats me. It ends up being a zero-length object file, more or less. Perhaps
Richard Levitte knows.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/m
* Gotcha. But why doesn't it work on Mac?
The CAPI engine uses Microsoft libraries that are part of windows.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>This begs the question: what does openssl_encrypt actually do with just a
> string
of random bytes passed as the "key". I can't find anything in the OpenSSL or
PHP/openssl source code that clearly identifies any particular action
There is no such name (git gr
>The capi engine is still broken, however
That is windows-only, using the MSFT CryptoAPI.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
I am new to OpenSSL. Does anyone have any information on how to integrate
OpenSSL 1.1.x with DPDK? Intel has a video on OpenSSL 1.1.x integration using
QAT_engine for Intel QAT PCI-E card but nothing on OpenSSL using DPDK. Has
anyone done this or point me to something? What I am looking for
https://github.com/openssl/openssl/commit/327b2c01
--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."
On Aug 24, 2018, at 12:18 AM, Manish Patidar
mailto:mann.pati...@gmail.com>> wrote:
Hi,
I have
Agreed, Iooked at this when creating a failover service, and trying to
replicate all the TCP and TLS data ended up using significant CPU processing
and network bandwidth that it wasn’t worth it; in addition to intrusive OpenSSL
changes.
You should try to have a way to detect and re-establish a
ay as IDs. Much better
> source of why did the wg do? than plow through the old mailing list
> archives. The IESG is actually encouraging such a use of IDs.
Yup! Internet-Draft is a fine terminus for some types of document.
Many TLS registries now have a registration policy that explicitly ca
I find it interesting that openssl 1.1.1-pre7 can not connect to a
server which has openssl 1.1.1-pre9 in place. Nor can Firefox nightly.
This is to be expected. Pre-9 implements the official RFC version of TLS 1.3,
while the earlier beta releases implement drafts. One of the major
>I want to take backup of existing ssl connection. Use this backup connection
>in other slave board. This backup include keys and sequence no, ssl version
>etc.
>Is Openssl support any api to take backup of existing ssl connection?
No. This is not currently possible, and is unli
I'm trying to build OpenSSL with FIPS module in a centos docker container. The
FIPS module builds fine but the openssl build fails with:
_USE_NODELETE -MMD -MF crypto/err/err_all.d.tmp -MT crypto/err/err_all.o -c -o
crypto/err/err_all.o crypto/err/err_all.c
crypto/err/err_all.c: In fun
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 pre release 9 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 9 has now
pdk application is responding with the correct TLS alert and it actually
block the TLS session.I have seen the correct packet in wireshark as well.I am
also putting a picture with this mail in order to see the process.
The problem is that VM1 using openssl takes 2 to 3 seconds to end the TLS
session
When you create your pull request, use the pull-down to select the right
branch. By default it picks master, which is (as you’ve seen) not always
right. You can go to your PR, “re target it” and re-open it.
From: "kgold...@us.ibm.com"
Reply-To: openssl-users
Date: Wednesday, Augus
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.0i released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.1.0i of our open
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.0.2p released
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.2p of our open
arl
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
That site can’t be reached… (at least by me, unless it requires TLSv1.3…)
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."
From: Dennis Clarke
Reply-To: "openssl-users@openssl.org"
Date: Friday, August 10, 2018 at 11:40 P
and then the official release.
We have had no discussion of changing that plan.
Matt has already prepared a PR (the number escapes me), and there are a couple
of open issues we still have to resolve. If all goes well, however, the final
beta should begin very soon.
Thanks to everyone in the O
protocol is significantly different to TLSv1.2 and below. See:
>>>
>>> https://wiki.openssl.org/index.php/TLS1.3
>>>
>>> Matt
>>>
>>
>> Right when will TLSv1.3 be officially recognised?
>
> Like I said ab
> Do you see it being of enough value to consider bringing the feature
into your roadmap.
No. At least not in my opinion.
Migrating "live" TLS connections does not seem a common situation, and is bound
to be non-portable.
--
openssl-users mailing list
To unsub
to TLBleed?
Specifically? Not much. It goes more to the general principle that systems leak
information as they do work. Ultimately it comes down to thermodynamics, and
you never bet against thermodynamics.
--
Michael Wojcik
Distinguished Engineer, Micro Focus
--
openssl-users mailing list
* So why not just have a rule "don't litter"
Have you looked at, say, the memleak testing we do?
Thanks for the two cents.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> I never thought I'd see the day that someone would have to defend not leaking
> memory in pivotal security code like openssl however
To be accurate, it was a couple of people saying that memory leaks *on process
exit* aren’t be a big deal.
--
openssl-users mailing list
To
>What's the reason for using malloc(3) in the first place? Is this a
> limitation
of the library or just openssl cms ?
It is a limitation of the CMS command. You might look at the -stream option.
If you need more then that, well, a PR is also welcomed.
--
openssl-us
bject and load times, I am not sure, if this
Is recommended ?
I do not know if you can mix and match FIPS implementations. I know that you
cannot change anything in the OpenSSL code (for example, to call "out and over"
to someone else's implementation).
>Can your team r
>It would appear that both commands fail due to them being unable to
allocate more memory to slurp the rest of the input file's contents into.
Is this intentional behaviour?
It is a known issue.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org
On 07/27/2018 01:44 PM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Jakob Bohm
Sent: Friday, July 27, 2018 11:52
And once you have done all that work to protect the cryptographic
library, the CPU vulnerability still allows the attacker to
On 07/27/2018 09:12 AM, Michael Wojcik wrote:
We're trying to decide if we can avoid disabling hyperthreading, as our
measurements show that the performance losses (even with integer
workloads) are significant.
Might anyone be able to comment on this particular type of attack in
Op
be able to comment on this particular type of attack in
OpenSSL?
- Michael
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-preprint.pdf
Unfortunately, Intel has not provided much guidance in this area but has
indicated that software mitigation can and should be implemented by
libraries like OpenSSL. We're also not currently aware of any open CVEs
or embargos active for this particular side-channel attack.
Any he
No, you need a 1.1.1 tree.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
If RAND_MAX is a power of 2, then just ask RAND_bytes for the right number of
bytes (four for 32768) and use bit-shifting to pack the value.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* I take back my "Captain Kidd"-remark.
* No offense.
Aargh, matey. None taken.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
t been implemented. In recent releases, we added a check to
disallow AEAD ciphers, rather than failing (perhaps SILENTLY) later on.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
The ciphers are available, but the code to use things like AES-GCM never
actually worked. Or if it claimed to work, it was actually broken.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
is probably not a good place to find that info.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>where is file "libcrypto" ? In which directory of OpenSSL-1.1.1pre8 ?
It is not distributed. It is a library built as part of the compile process.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
* Up to recent time it was that Command passwd involved mcrypt. Right?
What is mcrypt? Do you mean MD5? (Probably not, but I wanted to ask.)
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
by sea, three if by the Internet."
On Jul 5, 2018, at 2:20 PM, Kaushal Shriyan
mailto:kaushalshri...@gmail.com>> wrote:
Hi,
Is there a way to capture SSL traffic using openssl and tcpdump or any other
utility on Linux? I look forward to hearing from you.
Best Regards,
Kaushal
--
o
As in sending a non-fatal alert? There's no API to do that. And it probably
wouldn't work anyway, as most runtimes treat any alert as fatal.
Your best bet is to implement the right callback (depends on which version of
openssl you are using) and return an error if the SNI isn
* Do you still plan to switch to Apache license for the final 1.1.1 release?
That is still our goal, as stated.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Hi,
I see that the latest pre release for 1.1.1 is still under the legacy
OpenSSL/SSLeay license.
Do you still plan to switch to Apache license for the final 1.1.1 release?
Thank you.--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>Thanks, it does not happen with mozzilla implementation
(tls13.crypto.mozilla.org), is this openssl specific or part of the
specification?
The specification allows a server to send one or more tickets, at its
discretion.
--
openssl-users mailing list
To unsubscribe: ht
>connecting s_client to s_server with TLS 1.3 seems to cause two
successive session tickets to be sent by the server (see below).
>Is this expected?
Yes.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL version 1.1.1 pre release 8 (beta)
===
OpenSSL - The Open Source toolkit for SSL/TLS
https://www.openssl.org/
OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 8 has now
I tried to modify " tls12_sigalgs" list under t1_lib.c in OpenSSL 1.0.2x
version to restrict a bunch of signature algorithms from being proposed during
Client hello message.
That did work.
Thanks.
Srivalli
On 6/19/18, 5:36 AM, "openssl-users on behalf of murugesh pitchaiah&quo
x27;t seem to be
> similar methods in 1.1.0.
I don't believe so, and it's unclear that this qualifies as a "missing
accessor" that would be eligible to get fixed in 1.1.0 as a bugfix. So
I think your main option is to move to 1.1.1, at this point.
-Ben
--
openssl-users mai
>Should I file an issue on GitHub about the missing setters?
That would be great, thanks. Glad you got something to work.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
functions available that return various function pointers from a
X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
are no corresponding counterparts to set the function pointers.
This
Hi OpenSSL team,
Our team has successfully built Window dlls for OpenSSL code version 1.0.2n.
The dll names where libeay32.dll & ssleay32.dll.
They worked on Windows 7 and Windows Server 2012 OS.
Our team has built Window dlls for the OpenSSL code using version 1.1.0h.
The dll names w
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
OpenSSL Security Advisory [12 June 2018]
Client DoS due to large DH parameter (CVE-2018-0732)
Severity: Low
During key agreement in a TLS handshake
Interesting. Yes, I did take a look at Cloudflare patch but wasn't sure if I
could use that.
Alright. This helps.
My only option is to upgrade to OpenSSL 1.1.0 in order to support
CHACHA+Poly1305 cipher support.
Thanks Rich.
-Srivalli
On 6/11/18, 1:40 PM, "Salz, Ri
On Jun 11, 2018, at 10:44 AM, Sandeep Deshpande
mailto:sandeep@gmail.com>> wrote:
Thanks for the reply. Our appliance is enabled in FIPS mode by default.
All these days, we were using openssh 6.2 with openssl 0.9.8.
Now we need to upgrade openssl to 1.0.2j.
But we would not like to upgrad
>Just curious, is there a possibility to patch CHACHA cipher specific
> changes to OpenSSL 1.0.2 version still and get SSL handshake succeed?
It can be done; CloudFlare posted some patches at
https://github.com/cloudflare/sslconfig/tree/master/patches but I think they
used the pr
Thanks Matt. Appreciate your answers.
Just curious, is there a possibility to patch CHACHA cipher specific changes to
OpenSSL 1.0.2 version still and get SSL handshake succeed?
I am not looking for an upgrade to OpenSSL 1.1.0 at this point. So, I am
interested to know if I can get CHACHA to
901 - 1000 of 1707 matches
Mail list logo