[openssl-users] openssl 1.1.1 Cannot find function

2018-10-17 Thread Mark Shnaider via openssl-users
Hello, I use openssl 1.1.1 and cannot find function: lh_X509_NAME_free, lh_X509_NAME_insert, lh_X509_NAME_retrieve referenced in function _SSL_load_client_CA_file in file ssl_cert.c. Please help me to solve this problem. Mark -- openssl-users mailing list To unsubscribe: https

Re: [openssl-users] OpenSSL occasionally generates wrong signature

2018-10-16 Thread Jakob Bohm via openssl-users
On 16/10/2018 16:39, Dmitry wrote: Hello! I have a C++ programme, ECDSA key pair and some string to sign. The programme generates signature and saves it into a file (signature.bin). Then I check the validity of the signature via the following command: openssl dgst -verify ec_public.pem

Re: [openssl-users] sendmail, openssl 1.1.1, tls1.3

2018-10-15 Thread Jakob Bohm via openssl-users
ptoms with: $ openssl s_client -requestCAfile bundle.pem -connect localhost:12345 Running this under a debugger the failure happens at certificate #143 because the client hello packet overflows its maximum allocation: $6 = { buf = 0x000100724200 staticbuf = 0x curr =

Re: [openssl-users] Fips lib usage in Openssl 1.1.1

2018-10-15 Thread Salz, Rich via openssl-users
* I want to use fips certify crypto libs. Is it possible to use crypto lib from Openssl-fips 2.0.16 and ssl lib from Openssl1.1.1? No, it is not possible. The current FIPS code only works with 1.0.2. The project is working on a new FIPS module. You can find some details at the blog

Re: [openssl-users] openssl commandline client use

2018-10-11 Thread Jakob Bohm via openssl-users
xtrabackup so the final size should be smaller for the current time. The documentation on this by the backup software provider is very simplistic and simply pipes the stream of data through openssl and then gzip: mariabackup --user=root --backup --stream=xbstream | gzip | openssl enc -aes-25

Re: [openssl-users] openssl commandline client use

2018-10-11 Thread Salz, Rich via openssl-users
As with essentially all open source software, there is no warranty with OpenSSL. Having said that, people use the OpenSSL applications for all sorts of things, including what you are doing. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] CMS_verify provides empty output

2018-10-10 Thread Jakob Bohm via openssl-users
On 10/10/2018 13:55, RudyAC wrote: Hello, when verifying a signed email with CMS_verify() the verification failed. That is not the main problem. My problem is that the out data is empty. Using the library I got following error: OpenSSL Error code all:<772382878d> OpenSSL Error co

Re: [openssl-users] Wildcard: how are they correct?

2018-10-10 Thread Jakob Bohm via openssl-users
example.com (b) CN=example.com and subjectAltName = DNS:example.com, DNS:*.example.com (c) CN=example.com and subjectAltName = DNS:*.example.com, DNS:example.com (d) CN=hello world and subjectAltName = DNS:example.com, DNS:*.example.com Thanks, Walter

Re: [openssl-users] Path Length Constraint ignored for Root and any self-issued certificate

2018-10-08 Thread Erwann Abalea via openssl-users
hould be expected behaviour: > * max_path_length=n (initialisation) > * max_path_length=n-1 (first decrement) > * max_path_length=0 (copied from root certificate constraint) > * VERIFY(max_path_length>0) error upon preparing transition from i=1 > (Root) to i=2 (EvilCA). > > Open

Re: [openssl-users] How to build libcrypto64*.lib and libssl64*.lib on Windows 64-bit?

2018-10-08 Thread Short, Todd via openssl-users
Could that be LibreSSL? (Or some similar wrapper for OpenSSL?) https://github.com/Ruzzz/LibreSSL This above repo creates libraries in the named format below; to match how Microsoft provides multiple versions of libraries. Looks to be debug (d) and multi-thread (MT?) versions of the libraries

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Salz, Rich via openssl-users
>This is not correct. Thanks for the corrections, Matt.

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Salz, Rich via openssl-users
We disagree, and as I wrote the latest RNG code and docs, I'm biased (sic). I'll leave on that weak pun.

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Jakob Bohm via openssl-users
On 04/10/2018 17:38, Salz, Rich wrote: What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other than not being an NSA/NIST design? Poor locking; been known to crash. Simple bug, not a reason to change the algorithm. Does not reseed. But can be reseeded if so de

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Salz, Rich via openssl-users
>What's supposedly bad about the 1.0.x/1.1.0 OpenSSL RNG other than not being an NSA/NIST design? Poor locking; been known to crash. Does not reseed. Global across the process, rather than isolated for private-key generation or per-connection. Mixes in getpid and time to get

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Jakob Bohm via openssl-users
On 04/10/2018 17:14, Salz, Rich via openssl-users wrote: Which version of OpenSSL are you using? 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. 1.1.1 has a good random number generator and auto-seeds. What's supposedly bad about the 1.0.x/1.1.0 OpenSS

Re: [openssl-users] Seeding before RSA key generation

2018-10-04 Thread Salz, Rich via openssl-users
Which version of OpenSSL are you using? 1.0.2 and 1.1.0 have a bad random number generator and must be explicitly seeded. 1.1.1 has a good random number generator and auto-seeds.

Re: [openssl-users] Two sessions in a single full handshake

2018-09-29 Thread Benjamin Kaduk via openssl-users
ion file? > > On Sun, Sep 30, 2018 at 3:19 AM Salz, Rich via openssl-users < > openssl-users@openssl.org> wrote: > > > > >- The debug logs display two "SSL-Session" blocks in a full handshake. > > > > Only one "SSL-Session" block is d

Re: [openssl-users] Two sessions in a single full handshake

2018-09-29 Thread Salz, Rich via openssl-users
nt may resume with a different session, and therefore prevent an observer from “linking” two different activities.

Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-22 Thread Paras Shah (parashah) via openssl-users
To update this thread. Please follow the commentary on the https://github.com/OpenSC/libp11/issues/249 From: "Blumenthal, Uri - 0553 - MITLL" Date: Friday, September 21, 2018 at 5:07 AM To: "Paras Shah (parashah)" , "openssl-users@openssl.org" Cc: Nicola Subjec

Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-20 Thread Paras Shah (parashah) via openssl-users
I opened the issue https://github.com/openssl/openssl/issues/7258 Also, opened issue https://github.com/OpenSC/libp11/issues/249 and https://github.com/opendnssec/SoftHSMv2/issues/417 Found the root cause to be the openssl version 1.1.1 that was used to compile the engine_pkcs11 and SoftHSM

Re: [openssl-users] updating openssl on MacOS

2018-09-20 Thread Salz, Rich via openssl-users
It's hard enough for the openssl team to document the basic config/build things, let alone all the operating systems and vendor-supplied stuff. Perhaps a wiki page, that the community could help maintain?

Re: [openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1

2018-09-19 Thread Short, Todd via openssl-users
if by land, two if by sea, three if by the Internet." On Sep 17, 2018, at 4:20 PM, Neil Craig mailto:neil.cr...@bbc.co.uk>> wrote: Thanks very much Matt. I have indeed built with NGINX configure opt --with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error when running

Re: [openssl-users] QNX 6.5 OpenSSL Build

2018-09-19 Thread Short, Todd via openssl-users
t 1:04 PM, Viktor Dukhovni mailto:openssl-us...@dukhovni.org>> wrote: On Sep 16, 2018, at 11:44 AM, Murugaiyan Perumal via openssl-users mailto:openssl-users@openssl.org>> wrote: dso_dlfcn.c:84:12: fatal error: dlfcn.h: No such file or directory # include http://w

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-19 Thread Salz, Rich via openssl-users
>The users who delay or block automatic updates tend to greatly overlap with the users who actively block remote telemetry of their update habits, thus skewing such statistics of "get almost full coverage within a month or two". But not downloads. :) Shrug. --

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-18 Thread Salz, Rich via openssl-users
two, for example. Edge hasn't shipped TLS 1.3 yet. Safari encourages auto-update. That's most of the browser market.

Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-18 Thread Paras Shah (parashah) via openssl-users
Sure. I will open the issue. From: Nicola Date: Monday, September 17, 2018 at 10:05 PM To: "Paras Shah (parashah)" , "openssl-users@openssl.org" Subject: Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail. Would it be possible for you to open this a

Re: [openssl-users] Limit the number of AES-GCM keys allowed in TLS

2018-09-18 Thread Salz, Rich via openssl-users
This is factually incorrect; the TLS values are lower than the FIPS values, for example. And also, what “everyone in the know” has always stated isn’t really true any more. It would be nice to keep politics out of this list.

Re: [openssl-users] ED25519 key with openssl engine

2018-09-17 Thread Paras Shah (parashah) via openssl-users
I had the same doubt. I have x-posed this question on the opensc mailing list as well. On 9/17/18, 3:37 PM, "openssl-users on behalf of Matt Caswell" wrote: Perhaps the pkcs11 engine does not support ed25519 keys? Matt On 17/09/18 22:05, Paras Shah (par

Re: [openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-17 Thread Paras Shah (parashah) via openssl-users
That is not it. It results in the same error for the EC key. It is not the URL or the ID. Because for a RSA key in the softhsm with id = , it works fine with url containing id=%33%33 $ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b75

[openssl-users] ED25519 key with openssl engine

2018-09-17 Thread Paras Shah (parashah) via openssl-users
I get the following error when I try to access the ed25519 key stored in SoftHSM via the openssl engine interface using engine_pkcs11. []:~$ openssl pkey -in "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=6a160d52b750862f;token=token%202.5.0-rc1;id=%22%22;object=ed25519%2

[openssl-users] Softhsm + engine_pkcs11 + openssl with EC keys fail.

2018-09-17 Thread Paras Shah (parashah) via openssl-users
I have softhsm-v2.5.0-rc1 which has ec keys imported in it. Now, when I try to use these keys from openssl CLI using the pkcs11 engine, it fails. 1. SoftHSM version []:~$ softhsm2-util --version 2.5.0rc1 2. SoftHSM token init []:~$ softhsm2-util --init-token --slot 0 --label "token 2.5.

[openssl-users] QNX 6.5 OpenSSL Build

2018-09-16 Thread Murugaiyan Perumal via openssl-users
Hi,Am trying to build the openssl source for QNX 6.5/6.6 OS. I have tried to build after the instructions given in internet.  1. QNX 6.6 build environment variable is set. 2. Executed below command.  sh-3.1$  ./Configure QNX6 shared --prefix=./qnx660/release --openssldir=./qnx660/release 3. make

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-13 Thread Salz, Rich via openssl-users
Much work for little gain and purpose. You can mix drafts, but mixing the draft and the official version is hard, there's too many semantic changes (e.g., around fallback vs no-fallback-protection).

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-13 Thread Benjamin Kaduk via openssl-users
On Thu, Sep 13, 2018 at 08:13:41PM +0200, Jakob Bohm wrote: > On 13/09/2018 09:57, Klaus Keppler wrote: > >Hi, > > > >thank you for all your responses. > > > >I've just tested with Firefox Nightly 64.0a1, and both s_server and our > >own app (u

Re: [openssl-users] License change still scheduled for 1.1.1 ?

2018-09-13 Thread Cyrus Naliaka via openssl-users
goal, as stated.

Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-12 Thread Benjamin Kaduk via openssl-users
On Wed, Sep 12, 2018 at 03:50:17PM +0200, Klaus Keppler wrote: > Hi, > > when I create a TLS-1.3-only "web" server with s_server (from OpenSSL > 1.1.1-release), Firefox/Chrome can't access it. > According to all docs I've read so far, the TLS 1.3 implementat

Re: [openssl-users] openssl 1.1.1 and FreeBSD 11.2

2018-09-11 Thread Benjamin Kaduk via openssl-users
On Tue, Sep 11, 2018 at 03:04:06PM -0600, The Doctor wrote: > On Tue, Sep 11, 2018 at 02:57:09PM -0500, Benjamin Kaduk via openssl-users > wrote: > > On Tue, Sep 11, 2018 at 10:48:40AM -0600, The Doctor wrote: > > > On Tue, Sep 11, 2018 at 09:33:36AM -0600, The Doctor wrote:

Re: [openssl-users] openssl 1.1.1 and FreeBSD 11.2

2018-09-11 Thread Benjamin Kaduk via openssl-users
; > Server command: ../../util/shlib_wrap.sh ../../apps/openssl s_server > > -max_protocol TLSv1.3 -no_comp -rev -engine ossltest -ext_cache -accept > > [::1]:0 -cert ../../apps/server.pem -cert2 ../../apps/server.pem -naccept 1 > > -cipher AES128-SHA -ciphersuites TLS_AES_128_GCM_

Re: [openssl-users] openssl 1.0.2 and TLS 1.3

2018-09-11 Thread Salz, Rich via openssl-users
>So Openssh, NTPd, MOd_pagespeed have to adopt OPEnssl 1.1X API in order to use TLS 1.3 . Yes.

[openssl-users] OpenSSL version 1.1.1 published

2018-09-11 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1 released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.1 of our open

Re: [openssl-users] Using Windows system certificate store for server authentication

2018-09-08 Thread Salz, Rich via openssl-users
OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.

[openssl-users] FIPS mode on Windows

2018-09-05 Thread Alessandro Gherardi via openssl-users
I have a question: On Windows, should OpenSSL FIPS automatically enable FIPS mode (FIPS_mode_set(1)) if the FIPS registry entry  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to 1? This is to emulate the Linux behavior - if I understand correctly, if

Re: [openssl-users] Problems with man page code example at EVP_EncryptInit

2018-09-05 Thread Short, Todd via openssl-users
check something--I was wrong about something--&outlen is not incremented inside of openssl--so you have to keep another variable to which you add outlen and use that to set the read/write pointer in outbuf. --Sam On Wed, Sep 5, 2018 at 10:04 AM Sam Habiel mailto:sam.hab...@gmail.com>> wro

[openssl-users] OpenSSL version 1.1.0i make test fails - 80-test_cms.t

2018-09-03 Thread James Brown via openssl-users
) Result: FAIL make[1]: *** [_tests] Error 1 make: *** [tests] Error 2 I first ran: ./Configure --prefix=/usr/local shared darwin64-x86_64-cc enable-ec_nistp_64_gcc_128 no-ssl2 no-ssl3 then make depend then: make test macOS X 10.7.5 Any suggestions? Thanks, James.

Re: [openssl-users] Engines on Mac OS X

2018-09-03 Thread Salz, Rich via openssl-users
>Gotcha. In that case why does it get built on Mac? I.e., why doesn’t the build >process exclude it automatically? Beats me. It ends up being a zero-length object file, more or less. Perhaps Richard Levitte knows.

Re: [openssl-users] Engines on Mac OS X

2018-09-02 Thread Salz, Rich via openssl-users
* Gotcha. But why doesn't it work on Mac? The CAPI engine uses Microsoft libraries that are part of windows.

Re: [openssl-users] Using random bytes only in openssl_encrypt versus real private key

2018-09-02 Thread Salz, Rich via openssl-users
>This begs the question: what does openssl_encrypt actually do with just a > string of random bytes passed as the "key". I can't find anything in the OpenSSL or PHP/openssl source code that clearly identifies any particular action There is no such name (git gr

Re: [openssl-users] Engines on Mac OS X

2018-09-02 Thread Salz, Rich via openssl-users
>The capi engine is still broken, however That is windows-only, using the MSFT CryptoAPI.

[openssl-users] OpenSSL Integration with DPDK

2018-08-29 Thread Waqar Chaudhry via openssl-users
I am new to OpenSSL. Does anyone have any information on how to integrate OpenSSL 1.1.x with DPDK?  Intel has a video on OpenSSL 1.1.x integration using QAT_engine for Intel QAT PCI-E card but nothing on OpenSSL using DPDK.  Has anyone done this or point me to something? What I am looking for

Re: [openssl-users] Regarding Openssl 1.0.2p bn changes

2018-08-28 Thread Short, Todd via openssl-users
https://github.com/openssl/openssl/commit/327b2c01 -- -Todd Short // tsh...@akamai.com<mailto:tsh...@akamai.com> // "One if by land, two if by sea, three if by the Internet." On Aug 24, 2018, at 12:18 AM, Manish Patidar mailto:mann.pati...@gmail.com>> wrote: Hi, I have

Re: [openssl-users] Backup of existing ssl connection

2018-08-28 Thread Short, Todd via openssl-users
Agreed, I looked at this when creating a failover service, and trying to replicate all the TCP and TLS data ended up using significant CPU processing and network bandwidth that it wasn’t worth it; in addition to intrusive OpenSSL changes. You should try to have a way to detect and re-establish a

Re: [openssl-users] OpenSSL version 1.1.1 pre release 9 published

2018-08-27 Thread Benjamin Kaduk via openssl-users
ay as IDs.  Much better > source of why did the wg do? than plow through the old mailing list > archives.  The IESG is actually encouraging such a use of IDs. Yup! Internet-Draft is a fine terminus for some types of document. Many TLS registries now have a registration policy that explicitly ca

Re: [openssl-users] OpenSSL 1.1.1 pre-7 or pre-8 connect to 1.1.1 pre-9 oddity?

2018-08-23 Thread Salz, Rich via openssl-users
I find it interesting that openssl 1.1.1-pre7 can not connect to a server which has openssl 1.1.1-pre9 in place. Nor can Firefox nightly. This is to be expected. Pre-9 implements the official RFC version of TLS 1.3, while the earlier beta releases implement drafts. One of the major

Re: [openssl-users] Backup of existing ssl connection

2018-08-23 Thread Salz, Rich via openssl-users
>I want to take backup of existing ssl connection. Use this backup connection >in other slave board. This backup include keys and sequence no, ssl version >etc. >Is Openssl support any api to take backup of existing ssl connection? No. This is not currently possible, and is unli

[openssl-users] error: void value not ignored as it to be crypto/err/err_all.c

2018-08-22 Thread Mark via openssl-users
I'm trying to build OpenSSL with FIPS module in a centos docker container. The FIPS module builds fine but the openssl build fails with: _USE_NODELETE -MMD -MF crypto/err/err_all.d.tmp -MT crypto/err/err_all.o -c -o crypto/err/err_all.o crypto/err/err_all.c crypto/err/err_all.c: In fun

[openssl-users] OpenSSL version 1.1.1 pre release 9 published

2018-08-21 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1 pre release 9 (beta) === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 9 has now

Re: [openssl-users] TLS-Session

2018-08-20 Thread Short, Todd via openssl-users
pdk application is responding with the correct TLS alert and it actually block the TLS session. I have seen the correct packet in wireshark as well. I am also putting a picture with this mail in order to see the process. The problem is that VM1 using openssl takes 2 to 3 seconds to end the TLS session

Re: [openssl-users] I failed to add a git pull request for openssl

2018-08-15 Thread Salz, Rich via openssl-users
When you create your pull request, use the pull-down to select the right branch. By default it picks master, which is (as you’ve seen) not always right. You can go to your PR, “re target it” and re-open it. From: "kgold...@us.ibm.com" Reply-To: openssl-users Date: Wednesday, Augus

[openssl-users] OpenSSL version 1.1.0i published

2018-08-14 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.0i released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.1.0i of our open

[openssl-users] OpenSSL version 1.0.2p published

2018-08-14 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.0.2p released === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2p of our open

[openssl-users] Possible bug in 1.1.1-pre8 with NSTs and PSK in initial ClientHello handshake

2018-08-13 Thread Henderson, Karl via openssl-users
arl

Re: [openssl-users] About 1.0.2p version release !!

2018-08-12 Thread Short, Todd via openssl-users
That site can’t be reached… (at least by me, unless it requires TLSv1.3…) -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." From: Dennis Clarke Reply-To: "openssl-users@openssl.org" Date: Friday, August 10, 2018 at 11:40 P

[openssl-users] TLS 1.3 and the release

2018-08-11 Thread Salz, Rich via openssl-users
and then the official release. We have had no discussion of changing that plan. Matt has already prepared a PR (the number escapes me), and there are a couple of open issues we still have to resolve. If all goes well, however, the final beta should begin very soon. Thanks to everyone in the O

Re: [openssl-users] About 1.0.2p version release !!

2018-08-10 Thread Short, Todd via openssl-users
protocol is significantly different to TLSv1.2 and below. See: >>> >>> https://wiki.openssl.org/index.php/TLS1.3 >>> >>> Matt >>> >> >> Right when will TLSv1.3 be officially recognised? > > Like I said ab

Re: [openssl-users] ssl save/restore/migrate functionality

2018-08-05 Thread Salz, Rich via openssl-users
> Do you see it being of enough value to consider bringing the feature into your roadmap. No. At least not in my opinion. Migrating "live" TLS connections does not seem a common situation, and is bound to be non-portable.

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-30 Thread Michael R. Hines via openssl-users
to TLBleed? Specifically? Not much. It goes more to the general principle that systems leak information as they do work. Ultimately it comes down to thermodynamics, and you never bet against thermodynamics. -- Michael Wojcik Distinguished Engineer, Micro Focus

Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-30 Thread Salz, Rich via openssl-users
* So why not just have a rule "don't litter" Have you looked at, say, the memleak testing we do? Thanks for the two cents.

Re: [openssl-users] Initialising OpenSSL more than once - how do we handle this?

2018-07-30 Thread Salz, Rich via openssl-users
> I never thought I'd see the day that someone would have to defend not leaking > memory in pivotal security code like openssl however To be accurate, it was a couple of people saying that memory leaks *on process exit* aren’t a big deal.

Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-07-30 Thread Salz, Rich via openssl-users
>What's the reason for using malloc(3) in the first place? Is this a > limitation of the library or just openssl cms ? It is a limitation of the CMS command. You might look at the -stream option. If you need more than that, well, a PR is also welcomed.

Re: [openssl-users] Question on RSA/FIPS186-4.

2018-07-29 Thread Salz, Rich via openssl-users
bject and load times, I am not sure, if this Is recommended ? I do not know if you can mix and match FIPS implementations. I know that you cannot change anything in the OpenSSL code (for example, to call "out and over" to someone else's implementation). >Can your team r

Re: [openssl-users] openssl cms -decrypt failing due to malloc(3) failure

2018-07-28 Thread Salz, Rich via openssl-users
>It would appear that both commands fail due to them being unable to allocate more memory to slurp the rest of the input file's contents into. Is this intentional behaviour? It is a known issue.

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
On 07/27/2018 01:44 PM, Michael Wojcik wrote: From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, July 27, 2018 11:52 And once you have done all that work to protect the cryptographic library, the CPU vulnerability still allows the attacker to

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
On 07/27/2018 09:12 AM, Michael Wojcik wrote: We're trying to decide if we can avoid disabling hyperthreading, as our measurements show that the performance losses (even with integer workloads) are significant. Might anyone be able to comment on this particular type of attack in Op

Re: [openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-27 Thread Michael R. Hines via openssl-users
be able to comment on this particular type of attack in OpenSSL? - Michael

[openssl-users] request for TLBleed information / non-constant-time vulnerabilities

2018-07-26 Thread Michael R. Hines via openssl-users
-preprint.pdf Unfortunately, Intel has not provided much guidance in this area but has indicated that software mitigation can and should be implemented by libraries like OpenSSL. We're also not currently aware of any open CVEs or embargos active for this particular side-channel attack. Any he

Re: [openssl-users] EDDSA support yet?

2018-07-26 Thread Salz, Rich via openssl-users
No, you need a 1.1.1 tree.

Re: [openssl-users] conversion of RAND_bytes to rand in fips apporved way

2018-07-25 Thread Salz, Rich via openssl-users
If RAND_MAX is a power of 2, then just ask RAND_bytes for the right number of bytes (four for 32768) and use bit-shifting to pack the value.

Re: [openssl-users] ...

2018-07-23 Thread Salz, Rich via openssl-users
* I take back my "Captain Kidd"-remark. * No offense. Aargh, matey. None taken.

Re: [openssl-users] Authenticated encryption in CMS with OpenSSL

2018-07-20 Thread Salz, Rich via openssl-users
t been implemented. In recent releases, we added a check to disallow AEAD ciphers, rather than failing (perhaps SILENTLY) later on.

Re: [openssl-users] Authenticated encryption in CMS with OpenSSL

2018-07-20 Thread Salz, Rich via openssl-users
The ciphers are available, but the code to use things like AES-GCM never actually worked. Or if it claimed to work, it was actually broken.

Re: [openssl-users] Fwd: Re: command passwd

2018-07-19 Thread Salz, Rich via openssl-users
is probably not a good place to find that info.

Re: [openssl-users] Fwd: Re: command passwd

2018-07-18 Thread Salz, Rich via openssl-users
>where is file "libcrypto" ? In which directory of OpenSSL-1.1.1pre8 ? It is not distributed. It is a library built as part of the compile process.

Re: [openssl-users] command passwd

2018-07-16 Thread Salz, Rich via openssl-users
* Up to recent time it was that Command passwd involved mcrypt. Right? What is mcrypt? Do you mean MD5? (Probably not, but I wanted to ask.)

Re: [openssl-users] Packet capture SSL traffic

2018-07-05 Thread Short, Todd via openssl-users
by sea, three if by the Internet." On Jul 5, 2018, at 2:20 PM, Kaushal Shriyan mailto:kaushalshri...@gmail.com>> wrote: Hi, Is there a way to capture SSL traffic using openssl and tcpdump or any other utility on Linux? I look forward to hearing from you. Best Regards, Kaushal -- o

Re: [openssl-users] How to send alert in handshake?

2018-06-27 Thread Salz, Rich via openssl-users
As in sending a non-fatal alert? There's no API to do that. And it probably wouldn't work anyway, as most runtimes treat any alert as fatal. Your best bet is to implement the right callback (depends on which version of openssl you are using) and return an error if the SNI isn

Re: [openssl-users] License change still scheduled for 1.1.1 ?

2018-06-25 Thread Salz, Rich via openssl-users
* Do you still plan to switch to Apache license for the final 1.1.1 release? That is still our goal, as stated.

[openssl-users] License change still scheduled for 1.1.1 ?

2018-06-25 Thread Cyrus Naliaka via openssl-users
Hi, I see that the latest pre release for 1.1.1 is still under the legacy OpenSSL/SSLeay license. Do you still plan to switch to Apache license for the final 1.1.1 release? Thank you.

Re: [openssl-users] Double TLS 1.3 session ticket?

2018-06-20 Thread Salz, Rich via openssl-users
>Thanks, it does not happen with mozzilla implementation (tls13.crypto.mozilla.org), is this openssl specific or part of the specification? The specification allows a server to send one or more tickets, at its discretion.

Re: [openssl-users] Double TLS 1.3 session ticket?

2018-06-20 Thread Salz, Rich via openssl-users
>connecting s_client to s_server with TLS 1.3 seems to cause two successive session tickets to be sent by the server (see below). >Is this expected? Yes.

[openssl-users] OpenSSL version 1.1.1 pre release 8 published

2018-06-20 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL version 1.1.1 pre release 8 (beta) === OpenSSL - The Open Source toolkit for SSL/TLS https://www.openssl.org/ OpenSSL 1.1.1 is currently in beta. OpenSSL 1.1.1 pre release 8 has now

Re: [openssl-users] Regarding to disable some signature algorithm in client hello message

2018-06-19 Thread Srivalli Kuppa (srikuppa) via openssl-users
I tried to modify "tls12_sigalgs" list under t1_lib.c in OpenSSL 1.0.2x version to restrict a bunch of signature algorithms from being proposed during Client hello message. That did work. Thanks. Srivalli On 6/19/18, 5:36 AM, "openssl-users on behalf of murugesh pitchaiah"

Re: [openssl-users] Access clienthello in openssl1.1.0

2018-06-15 Thread Benjamin Kaduk via openssl-users
't seem to be > similar methods in 1.1.0. I don't believe so, and it's unclear that this qualifies as a "missing accessor" that would be eligible to get fixed in 1.1.0 as a bugfix. So I think your main option is to move to 1.1.1, at this point. -Ben

Re: [openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

2018-06-15 Thread Salz, Rich via openssl-users
>Should I file an issue on GitHub about the missing setters? That would be great, thanks. Glad you got something to work.

Re: [openssl-users] OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

2018-06-15 Thread Salz, Rich via openssl-users
It looks like in OpenSSL 1.1.0 I can no longer do that. There are only functions available that return various function pointers from a X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there are no corresponding counterparts to set the function pointers. This

[openssl-users] Windows 7 cryptbase.dll failing to load

2018-06-14 Thread Vollaro, John via openssl-users
Hi OpenSSL team, Our team has successfully built Windows dlls for OpenSSL code version 1.0.2n. The dll names were libeay32.dll & ssleay32.dll. They worked on Windows 7 and Windows Server 2012 OS. Our team has built Windows dlls for the OpenSSL code using version 1.1.0h. The dll names w

[openssl-users] OpenSSL Security Advisory

2018-06-12 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 OpenSSL Security Advisory [12 June 2018] Client DoS due to large DH parameter (CVE-2018-0732) Severity: Low During key agreement in a TLS handshake

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Interesting. Yes, I did take a look at Cloudflare patch but wasn't sure if I could use that. Alright. This helps. My only option is to upgrade to OpenSSL 1.1.0 in order to support CHACHA+Poly1305 cipher support. Thanks Rich. -Srivalli On 6/11/18, 1:40 PM, "Salz, Ri

Re: [openssl-users] Error compiling openssh with openssl

2018-06-11 Thread Short, Todd via openssl-users
On Jun 11, 2018, at 10:44 AM, Sandeep Deshpande mailto:sandeep@gmail.com>> wrote: Thanks for the reply. Our appliance is enabled in FIPS mode by default. All these days, we were using openssh 6.2 with openssl 0.9.8. Now we need to upgrade openssl to 1.0.2j. But we would not like to upgrad

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Salz, Rich via openssl-users
>Just curious, is there a possibility to patch CHACHA cipher specific > changes to OpenSSL 1.0.2 version still and get SSL handshake succeed? It can be done; CloudFlare posted some patches at https://github.com/cloudflare/sslconfig/tree/master/patches but I think they used the pr

Re: [openssl-users] OpenSSL patch for CHACHA cipher support in OpenSSL 1.0.2

2018-06-11 Thread Srivalli Kuppa (srikuppa) via openssl-users
Thanks Matt. Appreciate your answers. Just curious, is there a possibility to patch CHACHA cipher specific changes to OpenSSL 1.0.2 version still and get SSL handshake succeed? I am not looking for an upgrade to OpenSSL 1.1.0 at this point. So, I am interested to know if I can get CHACHA to
