Re: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
On 12/14/2011 11:18 PM, Stephen Henson via RT wrote: [peter.sylves...@edelweb.fr - Sun Dec 11 17:51:10 2011]: Enclosed two patches for head and stable to remove unnecessary code for srp and to add some comments to s_client. Applied. Steve. Thanks for the feedback. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2639] When running pkits-test.pl on 1.0.0e or trunk, three tests fail
Stephen Henson via RT r...@openssl.org writes: [...] As I indicated there were problems with the PKITS data itself, not OpenSSL. The test data has now been updated (see message from David Cooper in PKITS mailing list). Try downloading it again from NIST site. OK, thanks. I thought that might be the case (and was just reading the emails). I guess I must have committed the updated PKITS before the changes were made. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
Hi, I wish to unsubscribe from this list, but whenever I send a message with "unsubscribe openssl-dev" in the body to majord...@openssl.org, I get the following error message. Can somebody please help me out ? -- html Command 'html' not recognized. head Command 'head' not recognized. meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" Command 'meta' not recognized. /head Command '/head' not recognized. body bgcolor="#FF" text="#00" Command 'body' not recognized. font face="Courier New"unsubscribe /fontfont face="Courier Command 'font' not recognized. New"openssl-dev/font Command 'new"openssl-dev/font' not recognized. /body Command '/body' not recognized. /html Command '/html' not recognized. No valid commands found. Commands must be in message BODY, not in HEADER. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9
- Mail original - De: Manish Jain bourne.ident...@hotmail.com À: openssl-dev@openssl.org Envoyé: Jeudi 15 Décembre 2011 13:53:59 Objet: Re: [openssl.org #1794] [PATCH] SRP in OpenSSL 0.9.9 Hi, I wish to unsubscribe from this list, but whenever I send a message with unsubscribe openssl-dev in the body to majord...@openssl.org , I get the following error message. Can somebody please help me out ? -- html Command 'html' not recognized. head Command 'head' not recognized. Send your message as plain text, not html. Gilles __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
openssl-1.0.1-stable-SNAP-20111215 Fails on Windows
The subject OpenSSL version fails with the following error: rc /fotmp32dll\ssleay32.res /d SSL ms\version32.rc link /nologo /subsystem:console /opt:ref /debug /dll /out:out32dll\sslea y32.dll /def:ms/SSLEAY32.def @C:\DOCUME~1\zkrr01\LOCALS~1\Temp\nmc03520. SSLEAY32.def : error LNK2001: unresolved external symbol SRP_have_to_put_srp_use rname SSLEAY32.def : error LNK2001: unresolved external symbol SSL_CTX_set_srp_missing _srp_username_callback out32dll\ssleay32.lib : fatal error LNK1120: 2 unresolved externals LINK : fatal error LNK1141: failure during build of exports file NMAKE : fatal error U1077: 'link' : return code '0x475' Stop. InterSoft International, Inc. Voice: 888-823-1541 Fax: 866-701-1260 http://www.netterm.com http://www.securenetterm.com
Re: Block MD5 certificates
Thanks Dave. It worked fine :) Did you know how I get the digest algorithm for X.509 certificates. I saw something about OID, but I didn't find the list of valid OID and the corresponding algorithms. Thanks in advance, Tatiana 2011/12/9 Dave Thompson dthomp...@prinpay.com From: owner-openssl-...@openssl.org On Behalf Of Tatiana Evers Sent: Wednesday, 07 December, 2011 08:17 Is there any function in OpenSSL (library) to get signature algorithm from a certificate? I need to block MD5 certificates. No; a good deal of the X509_ interface dates back to early days before there was an effort to hide data structures. Just use x509-sig_alg-algorithm and maybe OBJ_obj2nid . Or, you could use FIPS mode (of a FIPS build, but the last validation is a bit out of date now; a new one is in progress but they usually take several months, sometimes many months). FIPS mode restricts algorithms to those approved by NIST, and MD5 is not among them. :-) :-( :-? __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2658] [PATCH] Add TLS/DTLS Heartbeats
This patch adds TLS/DTLS Heartbeats, as described in tools.ietf.org/html/draft-ietf-tls-dtls-heartbeat Heartbeats can be sent any time when no handshake is in progress to check the availability of the peer. The retransmission feature of DTLS is used to repeat lost Heartbeats. If no response is received, the peer is considered unavailable and an SSL timeout error occurs. Heartbeats can be sent with SSL_heartbeat() and SSL_heartbeat_pending() can be used to check if one is still in flight. The option SSL_OP_NO_HB_REQUEST can be set to not allow the peer to send HeartbeatRequests, which is useful for devices powered with a battery. This is a preliminary version, because the IANA has not yet assigned the necessary numbers for the Heartbeat protocol and the Hello extensions. Best regards Robin This patch adds TLS/DTLS Heartbeats, as described intools.ietf.org/html/draft-ietf-tls-dtls-heartbeatHeartbeats can be sent any time when no handshake is in progress to check the availability of the peer. The retransmission feature of DTLS is used to repeat lost Heartbeats. If no response is received, the peer is considered unavailable and an SSL timeout error occurs. Heartbeats can be sent withSSL_heartbeat() andSSL_heartbeat_pending() can be used to check if one is still in flight. The optionSSL_OP_NO_HB_REQUEST can be set to not allow the peer to send HeartbeatRequests, which is useful for devices powered with a battery.This is a preliminary version, because the IANA has not yet assigned the necessary numbers for the Heartbeat protocol and the Hello extensions. Best regardsRobin dtls-tls-heartbeats-1.0.1.patch Description: Binary data
Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin
It does complain! :-) Attached patch fix the problem on cygwin. Does it mean that you can in fact confirm that modified speed.c runs without hanging? Yes, modified speed.c, being compiled in the same Cygwin environment as before, runs without hanging for all hashes. Verify http://cvs.openssl.org/chngview?cn=21853. Interesting, why we do not have such effect fo ciphers and for three selected hashes For reference, I can't reproduce the problem under older Cygwin. BTW, do you get same KBps values? Before patch: ... I.e. virtually same. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2657] Win32: fail to compile - 1.0.1 snapshot 20111211
Verify http://cvs.openssl.org/chngview?cn=21845. This patch helps! It breaks GNU assembler builds, so it's reverted. Alternative solution is http://cvs.openssl.org/chngview?cn=21851. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: Block MD5 certificates
From: owner-openssl-...@openssl.org On Behalf Of Tatiana Evers
Sent: Thursday, 15 December, 2011 14:55
Thanks Dave. It worked fine :)
Apparently not completely because:
Did you know how I get the digest algorithm for X.509 certificates.
I saw something about OID, but I didn't find the list of valid OID
and the corresponding algorithms.
That field is the OID for the *signature* algorithm,
which includes (implies) the digest algorithm (except for
raw signature, which in practice X.509 certs never use).
In particular, there have long been standard OIDs for
{MD2,MD4,MD5,SHA1}-RSA SHA1-DSA SHA1-ECDSA;
recently (variousSHA2)-{RSA,DSA,ECDSA} were added.
In practice I don't think anybody used {MD2,MD4}-RSA
for certs, but if your requirement is actually to exclude
insecure digests rather than excluding MD5 in particular
you probably want to exclude those also.
The OIDs known by OpenSSL, which I think includes all
relevant standards, are in crypto/objects/objects.txt and
obj_xref.txt, from which several files including objects.h
are autogenerated. obj_xref.txt in particular contains the
mapping of (named) signature OIDs to digest + rawsign parts,
and shows that there are two standard OIDs for MD5-RSA,
and none for MD5 with anything else.
You could just compare the cert sigalg to those OIDs,
but it's a bit inconvenient to manipulate OIDs directly.
OpenSSL mostly works by mapping known OIDs to an internal
integer called NID, hence as I suggested call OBJ_obj2nid
on the sigalg from the cert, and compare the returned NID
to the NIDs you don't want and to NID_undef = unknown.
If you need to deal with certs using nonstandard sigalgs,
it'll be a little harder. But since normally the purpose
of certs is to be interoperable, anyone using a nonstandard
sigalg in a cert may be suspect anyway.
2011/12/9 Dave Thompson dthomp...@prinpay.com
Just use x509-sig_alg-algorithm and maybe OBJ_obj2nid .
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl.org #2655] speed sha1 hang up - 1.0.1 snapshot 20111211 - Cygwin
On 16 December 2011 02:47, Andy Polyakov via RT r...@openssl.org wrote: Attached patch fix the problem on cygwin. Does it mean that you can in fact confirm that modified speed.c runs without hanging? Yes, modified speed.c, being compiled in the same Cygwin environment as before, runs without hanging for all hashes. Verify http://cvs.openssl.org/chngview?cn=21853. Works! __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
