RE: [LibReSSL] Allow key generation to use arbitrary public exponents

2014-08-12 Thread Dave Thompson
> From: owner-openssl-...@openssl.org On Behalf Of Benny Baumann
> Sent: Sunday, August 10, 2014 08:44

> On 09.08.2014 19:24, Annie Yousar wrote:
> > Hi Ben, you can generate keys with arbitrary exponents using the
> > genpkey command:
> >
> > openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:16384 \
> >   -pkeyopt rsa_keygen_pubexp:4711

> Thanks for this information. Now that you mention this: I read about
> it in the documentation. But unfortunately genpkey and genrsa produce
> slightly different output (plain RSA key vs. publicKeyInfo) - thus
> having such a -pkeyopt like interface available uniformly for genrsa,
> gendsa and ec might be useful.
> >
You can pipe genpkey alg=rsa through rsa to convert to the bare form.

gendsa or genpkey alg=dsa is only a random choice with no options.
Same for ecparam -genkey or genpkey alg=ec, and genpkey alg=dh.

*dsaparam* or genpkey-genparam alg=dsa could in principle allow selection 
of the subgroup size, but for 2 prime sizes the standard allows only one 
choice, and for the 3rd prime size the standard allows only two choices.
That hardly seems worth the bother.

genpkey-genparam alg=dh vs dhparam is the only other interesting case.
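As an added illustration of the two output formats this thread contrasts (example code, not from the thread or from OpenSSL): a small DER walker that tells genpkey's PKCS#8 PrivateKeyInfo wrapper from genrsa's bare PKCS#1 RSAPrivateKey, unwraps the former the way piping through `openssl rsa` does, and reads the public exponent from either. The key bytes are constructed from toy integers (p=61, q=53, e=4711) so it runs offline; nothing here is a usable key.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def der_len(n):
    # DER length: short form below 128, else 0x80|byte-count followed by the count bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # one byte of headroom keeps the sign bit clear (DER INTEGER is two's complement)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def rsa_private_key(n, e, d, p, q):
    """PKCS#1 RSAPrivateKey, the bare form written by genrsa and by `openssl rsa`."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(0x30, b"".join(der_int(x) for x in fields))

def private_key_info(pkcs1):
    """PKCS#8 PrivateKeyInfo, the wrapper written by genpkey (version, AlgorithmIdentifier, OCTET STRING)."""
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, der_int(0) + alg + tlv(0x04, pkcs1))

def read_tlv(buf, off):
    """Return (tag, value, offset_after) for the element starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        count = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + count], "big"), off + count
    return tag, buf[off:off + ln], off + ln

def children(seq_body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, off = [], 0
    while off < len(seq_body):
        tag, val, off = read_tlv(seq_body, off)
        out.append((tag, val))
    return out

def classify(der):
    """'pkcs1' for a bare RSAPrivateKey, 'pkcs8' for an RSA PrivateKeyInfo, else None."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        return None
    kids = children(body)
    if len(kids) == 9 and all(t == 0x02 for t, _ in kids):
        return "pkcs1"
    if [t for t, _ in kids] == [0x02, 0x30, 0x04]:
        alg = children(kids[1][1])
        if alg and alg[0] == (0x06, RSA_OID):
            return "pkcs8"
    return None

def to_bare(der):
    """What piping genpkey output through `openssl rsa` does: drop the PKCS#8 wrapper."""
    if classify(der) == "pkcs8":
        return children(read_tlv(der, 0)[1])[2][1]
    return der

def public_exponent(der):
    """Third field of RSAPrivateKey (after version and n) is e; works on either input form."""
    fields = children(read_tlv(to_bare(der), 0)[1])
    return int.from_bytes(fields[2][1], "big")

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed toy parameters (p=61, q=53, e=4711 as in the thread): far too small to be a real key.
P, Q, E = 61, 53, 4711
TOY_PKCS1 = rsa_private_key(P * Q, E, pow(E, -1, (P - 1) * (Q - 1)), P, Q)
TOY_PKCS8 = private_key_info(TOY_PKCS1)

if __name__ == "__main__":
    for label, key in (("RSA PRIVATE KEY", TOY_PKCS1), ("PRIVATE KEY", TOY_PKCS8)):
        print(pem(label, key), "form:", classify(key), " e =", public_exponent(key))
```

The PEM labels printed ("RSA PRIVATE KEY" versus "PRIVATE KEY") are how the two forms show up on disk.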


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #2684] [PATCH] pod2html build fix

2014-08-12 Thread Rich Salz via RT
Who is this frodo guy? :)

Fixed in post-1.0.2

commit 690a2b1fa2c8a7dba0be84dfc052d86b864bedc3
Author: Matt Caswell 
Date: Wed Aug 13 00:28:03 2014 -0400

RT1665: Fix podpath to get xref's right

In Makefile, when building manpages, put the current directory
at the start of the podpath so that cross-refs find the
local directory first.

Reviewed-by: Tim Hudson 


--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2861] [patch] Improve ability to specity req subjectAltName from the command-line

2014-08-12 Thread Rich Salz via RT
Thanks but we're not going to do this; the ENV:: construct is documented and
putting a bogus field by default doesn't seem like a good idea.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2876] SSL reports Too many open files

2014-08-12 Thread Rich Salz via RT
Old version, not enough information to reproduce.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2514] Patch to tsget command in openssl-1.0.0d

2014-08-12 Thread Rich Salz via RT
Someone updated tsget to use the perl curl library, and the content-type is
fetched via a curl method, so this is already done. thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: If you use kerberos/ssl

2014-08-12 Thread Viktor Dukhovni
On Tue, Aug 12, 2014 at 11:17:36PM -0400, Jeffrey Altman wrote:

> > The modern way to combine Kerberos with TLS is GSSAPI with channel
> > binding.  The old crufty Kerberos support should be deleted from
> > "master".  No new features should be added to this code.
> 
> RFC 2712 is a Proposed Standard.  I agree with you wholeheartedly that
> no one should ever use it again because of its dependence on DES and
> only DES.  An Internet Draft should be submitted to the IETF TLS Working
> Group to change the status to Historic and reference RFC 6649 "Deprecate
> DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos"
> as the justification.
> 
> I also agree that OpenSSL should consider removing the functionality.
> That being said I know that there are entities that did rely upon it.
> OpenSSL does not build with this support by default and it would be bad
> form to remove it from an existing release series.  Removal on the
> current master branch should not be an issue.

That's what I am proposing.  Leave it in place in 0.9.8 (almost
EOL) and 1.0.x (stable releases), but remove from "master" (1.1.0-dev).

As for writing drafts to deprecate these, I am to my ears in DANE
and Opportunistic Security, so someone else will have to take that
on.

-- 
Viktor.


Re: If you use kerberos/ssl

2014-08-12 Thread Jeffrey Altman
On 8/12/2014 6:06 PM, Viktor Dukhovni wrote:
> On Tue, Aug 12, 2014 at 04:22:21PM -0400, Salz, Rich wrote:
> 
>> Can you take a look at http://rt.openssl.org/Ticket/Display.html?id=549
>> And let us know what you think?
> 
> I contribute bits of code to MIT and Heimdal Kerberos and maintain
> a Kerberos infrastructure for a living.  I would like to see OpenSSL
> remove all support for the obsolete Kerberos-V5 cipher-suites.
> 
> The modern way to combine Kerberos with TLS is GSSAPI with channel
> binding.  The old crufty Kerberos support should be deleted from
> "master".  No new features should be added to this code.

Viktor,

RFC 2712 is a Proposed Standard.  I agree with you wholeheartedly that
no one should ever use it again because of its dependence on DES and
only DES.  An Internet Draft should be submitted to the IETF TLS Working
Group to change the status to Historic and reference RFC 6649 "Deprecate
DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos"
as the justification.

I also agree that OpenSSL should consider removing the functionality.
That being said I know that there are entities that did rely upon it.
OpenSSL does not build with this support by default and it would be bad
form to remove it from an existing release series.  Removal on the
current master branch should not be an issue.

Jeffrey Altman






[openssl.org #549] Enhancement Request

2014-08-12 Thread Rich Salz via RT
From Viktor:
> I contribute bits of code to MIT and Heimdal Kerberos and maintain a
> Kerberos infrastructure for a living. I would like to see OpenSSL
> remove all support for the obsolete Kerberos-V5 cipher-suites.
>
> The modern way to combine Kerberos with TLS is GSSAPI with channel
> binding. The old crufty Kerberos support should be deleted from "master".
> No new features should be added to this code.



Re: Forcing client to send Certificate record

2014-08-12 Thread Fedor Indutny
Viktor,

Despite being a protocol violation, it is accepted by OpenSSL's server
implementation.

But I do see now that this is indeed covered by RFC 5246. Sorry, I had
missed that line in the Client Certificate section.


On Wed, Aug 13, 2014 at 1:48 AM, Salz, Rich  wrote:

> > There is no need for an API for a non-interoperable feature that would
> > violate the TLS protocol:
> >
> > https://tools.ietf.org/html/rfc5246#section-7.4.6
>
> Perhaps more usefully, see
> http://datatracker.ietf.org/doc/draft-thomson-tls-care/
>
> This will almost definitely be part of TLS 1.3.  Note that it's
> version-neutral, so it will probably show up in other stacks as well.
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge MA
> IM: rs...@jabber.me Twitter: RichSalz
>


Re: If you use kerberos/ssl

2014-08-12 Thread Viktor Dukhovni
On Tue, Aug 12, 2014 at 04:22:21PM -0400, Salz, Rich wrote:

> Can you take a look at http://rt.openssl.org/Ticket/Display.html?id=549
> And let us know what you think?

I contribute bits of code to MIT and Heimdal Kerberos and maintain
a Kerberos infrastructure for a living.  I would like to see OpenSSL
remove all support for the obsolete Kerberos-V5 cipher-suites.

The modern way to combine Kerberos with TLS is GSSAPI with channel
binding.  The old crufty Kerberos support should be deleted from
"master".  No new features should be added to this code.

-- 
Viktor.


RE: Forcing client to send Certificate record

2014-08-12 Thread Salz, Rich
> There is no need for an API for a non-interoperable feature that would
> violate the TLS protocol:
> 
> https://tools.ietf.org/html/rfc5246#section-7.4.6

Perhaps more usefully, see 
http://datatracker.ietf.org/doc/draft-thomson-tls-care/

This will almost definitely be part of TLS 1.3.  Note that it's 
version-neutral, so it will probably show up in other stacks as well.
--  
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz



Re: Forcing client to send Certificate record

2014-08-12 Thread Viktor Dukhovni

[ Redirecting to openssl-users ]

On Wed, Aug 13, 2014 at 01:05:24AM +0400, Fedor Indutny wrote:

> I just discovered that there is no way to force OpenSSL SSL client to send
> Certificate record if server hasn't sent CertificateRequest.

That would be a TLS protocol violation.

> Would a patch that will this API hole be welcome? What API do you guys have
> in mind?

There is no need for an API for a non-interoperable feature that
would violate the TLS protocol:

https://tools.ietf.org/html/rfc5246#section-7.4.6

-- 
Viktor.


Forcing client to send Certificate record

2014-08-12 Thread Fedor Indutny
Heya!

I just discovered that there is no way to force OpenSSL SSL client to send
Certificate record if server hasn't sent CertificateRequest.

Would a patch that will this API hole be welcome? What API do you guys have
in mind?

Cheers,
Fedor.


[openssl.org #936] Bug in smime-command mime format

2014-08-12 Thread Rich Salz via RT
This seems to be working as desired; the content is in the first part.
If you want empty content, a detached signature, use the -content flag.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



If you use kerberos/ssl

2014-08-12 Thread Salz, Rich
Can you take a look at http://rt.openssl.org/Ticket/Display.html?id=549
And let us know what you think?

--
Principal Security Engineer
Akamai Technologies, Cambridge MA
IM: rs...@jabber.me Twitter: RichSalz



[openssl.org #3239] PATCH: formatting errors in NAME lines of two manual pages

2014-08-12 Thread Rich Salz via RT
Fixed as shown; to be released post-1.0.2
commit bebbb11d132cc149f7713d6693703f8bfae10072
Author: Ingo Schwarze 
Date: Tue Aug 12 15:47:06 2014 -0400

RT3239: Extra comma in NAME lines of two manpages

In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.

While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).

Reviewed by: Dr Stephen Henson 

--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #1063] [Fwd: Bug#150259: openssl: should return error on invalid command]

2014-08-12 Thread Rich Salz via RT
Fixed in the rsalz-monolith branch, to be released after the 1.0.2 release.
You can see it here: https://github.com/akamai/openssl/tree/rsalz-monolith/apps
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #3310] Can't execute make command

2014-08-12 Thread Rich Salz via RT
File corruption seems the cause. Can't reproduce the situation.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2472] req command silently ignores digest specifier when using EC signatures (0.9.8 only)

2014-08-12 Thread Rich Salz via RT
And, perhaps the least desirable fix: not going to fix 0.9.8
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2729] Openssl exe is taking the CR as part of input (password) when we run the exe from a java/C++/command line and press "enter" key from command line

2014-08-12 Thread Rich Salz via RT
Seems like a Java issue. As a work-around, try using a temp file for the
password.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2580] RE: Missing MD commands in app/openssl help

2014-08-12 Thread Rich Salz via RT
This will be in a release after 1.0.2

commit 9aaa7be8d4be38c0a13a64a0a8cf6c4774c45a0f
Author: Nick Lewis 
Date: Mon Aug 11 22:56:46 2014 -0400

PR 2580: dgst missing current SHA algorithms

Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.

Reviewed-by: Tim Hudson 

--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2106] s_client man page doesn't mention STARTTLS support for XMPP

2014-08-12 Thread Rich Salz via RT
Dunno who, dunno when, but someone did this fix already.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #706] PATCH support FreeBSD amd64

2014-08-12 Thread Rich Salz via RT
If still desired, please open a new ticket with an updated patch; the config
script is now very different.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #719] BUG: Incorrect child exit status handling in Configure 0.9.7c

2014-08-12 Thread Rich Salz via RT
Fix will be in post-1.0.2 release. Here's the commit; used die because that
also works for interrupt signals.

commit cde8ad1a28cec6a950eb61d2aca616795619c8e6
Author: nnpos...@users.sourceforge.net 
Date: Mon Aug 11 23:36:27 2014 -0400

PR 719: Configure not exiting with child status

If subcommand fails, just die.
Reviewed-by: Kurt Roeckx 

diff --git a/Configure b/Configure
index 3ea6ca3..b0a36a4 100755
--- a/Configure
+++ b/Configure
@@ -2038,7 +2038,7 @@ EOF
$make_targets .= " links" if $symlink;
$make_targets .= " depend" if $depflags ne $default_depflags && $make_depend;
$make_targets .= " gentests" if $symlink;
- (system $make_command.$make_targets) == 0 or exit $?
+ (system $make_command.$make_targets) == 0 or die "make $make_targets failed"
if $make_targets ne "";
if ( $fipscanisteronly )
{}
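Review bot: the replaced `exit $?` was the actual bug here: after `system`, `$?` holds the raw wait status (the child's exit code shifted left by 8), so `exit $?` handed e.g. 256 to exit(), which the OS truncates to 0, and a failed make was reported as success. `die` always terminates non-zero (it uses `$? >> 8` as its exit value when `$!` is zero), which is the right fix; consider carrying the status into the message, e.g. `die "make $make_targets failed: $?"`, so the child's exit code is not lost from the output.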

--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl.org #3490] bug report: SRP still broken in 1.0.1 snapshot

2014-08-12 Thread Kurt Roeckx
On Tue, Aug 12, 2014 at 08:22:38PM +0200, John Foley via RT wrote:
> The first chunk in the s3_lib.c patch doesn't apply.  But the second
> chunk does (shown below).  When applying this to 1.0.1 stable, it
> appears to resolve the problem.
> 
> @@ -4357,8 +4359,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s,
> STACK_OF(SSL_CIPHER) *clnt,
> emask_k = cert->export_mask_k;
> emask_a = cert->export_mask_a;
>  #ifndef OPENSSL_NO_SRP
> -   mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
> -   emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
> +   if (s->srp_ctx.srp_Mask & SSL_kSRP)
> +   {
> +   mask_k |= SSL_kSRP;
> +   emask_k |= SSL_kSRP;
> +   mask_a |= SSL_aSRP;
> +   emask_a |= SSL_aSRP;
> +   }
>  #endif
>
>  #ifdef KSSL_DEBUG

I assumed you were talking about the 1.0.1i release and not the
current git.   When the mentioned commit got merged into the 1.0.1
branch the above part was somehow lost.  It should get added to
the 1.0.1 branch soon.


Kurt



Re: [openssl.org #3490] bug report: SRP still broken in 1.0.1 snapshot

2014-08-12 Thread John Foley via RT
The first chunk in the s3_lib.c patch doesn't apply.  But the second
chunk does (shown below).  When applying this to 1.0.1 stable, it
appears to resolve the problem.

@@ -4357,8 +4359,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s,
STACK_OF(SSL_CIPHER) *clnt,
emask_k = cert->export_mask_k;
emask_a = cert->export_mask_a;
 #ifndef OPENSSL_NO_SRP
-   mask_k=cert->mask_k | s->srp_ctx.srp_Mask;
-   emask_k=cert->export_mask_k | s->srp_ctx.srp_Mask;
+   if (s->srp_ctx.srp_Mask & SSL_kSRP)
+   {
+   mask_k |= SSL_kSRP;
+   emask_k |= SSL_kSRP;
+   mask_a |= SSL_aSRP;
+   emask_a |= SSL_aSRP;
+   }
 #endif
   
 #ifdef KSSL_DEBUG
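Review bot: the two removed lines only folded srp_Mask into the key-exchange masks and never into mask_a/emask_a, so the three SRP suites authenticated by SRP itself (SSL_aSRP, no server certificate) could never satisfy the authentication mask; the new block sets both, which matches the reported symptom. One thing to confirm outside the hunk: the old code overwrote mask_k with cert->mask_k | srp_Mask, whereas the new code ORs SSL_kSRP into whatever mask_k already holds, so mask_k must be initialised from cert->mask_k before this point (only the emask_* initialisation is visible in the context lines).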

On 08/12/2014 01:43 PM, Kurt Roeckx via RT wrote:
> On Tue, Aug 12, 2014 at 01:26:30AM +0200, John Foley via RT wrote:
>> The commit into 1.0.1 didn't include the changes to s3_lib.c.  SRP is still 
>> broken on this branch.  Are there any plans to fix this?
> Can you confirm that that commit from master fixes things for you?
>
>>> On Aug 11, 2014, at 6:41 PM, "Kurt Roeckx via RT"  wrote:
>>>
>>>> On Mon, Aug 11, 2014 at 11:09:51PM +0200, John Foley via RT wrote:
>>>> The fix discussed in this thread appears to be incomplete:
>>>>
>>>> http://marc.info/?l=openssl-users&m=140752401023837&w=2
>>>>
>>>> This fix works for SRP cipher suites that uses RSA for DSA, which
>>>> includes 6 of the 9 supported SRP cipher suites.  But the three SRP
>>>> cipher suites that don't rely on a server-side certificate are still
>>>> broken.  This problem can be recreated using these commands:
>>> I believe this is already in master in commit
>>> 9e72d496d4f9880ec98f0ed9168246e35c1c3059
>>>
>>> Kurt




Re: [openssl.org #3490] bug report: SRP still broken in 1.0.1 snapshot

2014-08-12 Thread Kurt Roeckx via RT
On Tue, Aug 12, 2014 at 01:26:30AM +0200, John Foley via RT wrote:
> The commit into 1.0.1 didn't include the changes to s3_lib.c.  SRP is still 
> broken on this branch.  Are there any plans to fix this?

Can you confirm that that commit from master fixes things for you?

> 
> > On Aug 11, 2014, at 6:41 PM, "Kurt Roeckx via RT"  wrote:
> > 
> >> On Mon, Aug 11, 2014 at 11:09:51PM +0200, John Foley via RT wrote:
> >> The fix discussed in this thread appears to be incomplete:
> >> 
> >> http://marc.info/?l=openssl-users&m=140752401023837&w=2
> >> 
> >> This fix works for SRP cipher suites that uses RSA for DSA, which
> >> includes 6 of the 9 supported SRP cipher suites.  But the three SRP
> >> cipher suites that don't rely on a server-side certificate are still
> >> broken.  This problem can be recreated using these commands:
> > 
> > I believe this is already in master in commit
> > 9e72d496d4f9880ec98f0ed9168246e35c1c3059
> > 
> > 
> > Kurt
> > 
> > 
> 
> 




[openssl.org #3057] [PATCH] Fix POD errors with pod2man from Perl 5.18.

2014-08-12 Thread Rich Salz via RT
already been fixed by some masked podman :)
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2820] man pages case (in)sensitivity

2014-08-12 Thread Rich Salz via RT
Fixed on HEAD; will be part of post-1.0.2 release
commit 9aaa7be8d4be38c0a13a64a0a8cf6c4774c45a0f
Author: Nick Lewis 
Date: Mon Aug 11 22:56:46 2014 -0400

PR 2580: dgst missing current SHA algorithms

Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.

Reviewed-by: Tim Hudson 
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl.org #2609] Bug report: req man page example mistake

2014-08-12 Thread Rich Salz via RT
Fixed in trunk, will be in post-1.0.2 release

commit 42ce91cc35610b18ebd8121d2e2efc4bc3042331
Author: Nick Urbanik 
Date: Mon Aug 11 23:15:13 2014 -0400

RT2609: Typo in EXAMPLE section of req.pod

The x509_extensions should be req_extensions in the
config example in req.pod

--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[PATCH 2/2] fix resource leak

2014-08-12 Thread Ruoyu
Signed-off-by: Ruoyu 
---
 fips/aes/fips_aesavs.c  | 1 +
 fips/des/fips_desmovs.c | 1 +
 fips/sha/fips_standalone_sha1.c | 1 +
 3 files changed, 3 insertions(+)

diff --git a/fips/aes/fips_aesavs.c b/fips/aes/fips_aesavs.c
index fecaf99..d979548 100644
--- a/fips/aes/fips_aesavs.c
+++ b/fips/aes/fips_aesavs.c
@@ -918,6 +918,7 @@ int main(int argc, char **argv)
if (proc_file(rfn, rspfile))
{
printf(">>> Processing failed for: %s <<<\n", rfn);
+   fclose(fp);
return 1;
}
}
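Review bot: the added fclose(fp) on the early return is fine as far as it goes, but `fp` is not visible in this hunk; confirm it is the request-file handle opened in this function and that the normal loop exit also closes it, otherwise only the failure path is fixed and the leak named in the commit title survives on success. Since main() returns immediately afterwards and the OS reclaims the handle, this is a tidiness fix rather than a behaviour change.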
diff --git a/fips/des/fips_desmovs.c b/fips/des/fips_desmovs.c
index 2bbeb53..82a0f0f 100644
--- a/fips/des/fips_desmovs.c
+++ b/fips/des/fips_desmovs.c
@@ -690,6 +690,7 @@ int main(int argc, char **argv)
if (tproc_file(rfn, rspfile))
{
printf(">>> Processing failed for: %s <<<\n", rfn);
+   fclose(fp);
return -1;
}
}
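Review bot: same remark as for fips_aesavs.c: the fclose(fp) before `return -1` covers only the error path, so check that the success path through the loop closes `fp` too. Unrelated to this patch but visible in the two hunks, this file returns -1 on failure where fips_aesavs.c returns 1; worth harmonising while these lines are being touched.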
diff --git a/fips/sha/fips_standalone_sha1.c b/fips/sha/fips_standalone_sha1.c
index 80ccae4..d15dd6e 100644
--- a/fips/sha/fips_standalone_sha1.c
+++ b/fips/sha/fips_standalone_sha1.c
@@ -167,6 +167,7 @@ int main(int argc,char **argv)
for(i=0 ; i < 20 ; ++i)
printf("%02x",md[i]);
printf("\n");
+   fclose(f);
}
 #endif
 return 0;
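Review bot: the fclose(f) sits after the digest is printed, so it closes only the success path of the per-file loop; the read-error path above (not in the hunk) needs the same treatment. Also confirm that `f` can never be standard input at this point, since closing stdin would be wrong if the tool can also hash its input stream.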
-- 
1.8.3.2



[PATCH 1/2] fix variable not initialized

2014-08-12 Thread Ruoyu
Signed-off-by: Ruoyu 
---
 crypto/dso/dso_beos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/dso/dso_beos.c b/crypto/dso/dso_beos.c
index 553966e..b5e8084 100644
--- a/crypto/dso/dso_beos.c
+++ b/crypto/dso/dso_beos.c
@@ -112,7 +112,7 @@ DSO_METHOD *DSO_METHOD_beos(void)
 
 static int beos_load(DSO *dso)
{
-   image_id id;
+   image_id id = 0;
/* See applicable comments from dso_dl.c */
char *filename = DSO_convert_filename(dso, NULL);
 
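Review bot: initialising `id` to 0 silences the uninitialised-use warning but does not answer the question the warning raised: which path reads `id` before it is assigned? Only the declaration is in the hunk, so check the use site; if `id` is consumed on a failure branch (for example handed to an unload call), a sentinel that is obviously invalid for an image id would be safer than 0, which can look like a legitimate value.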
-- 
1.8.3.2



Re: [openssl.org #3490] bug report: SRP still broken in 1.0.1 snapshot

2014-08-12 Thread John Foley (foleyj)
The commit into 1.0.1 didn't include the changes to s3_lib.c.  SRP is still 
broken on this branch.  Are there any plans to fix this?

> On Aug 11, 2014, at 6:41 PM, "Kurt Roeckx via RT"  wrote:
> 
>> On Mon, Aug 11, 2014 at 11:09:51PM +0200, John Foley via RT wrote:
>> The fix discussed in this thread appears to be incomplete:
>> 
>> http://marc.info/?l=openssl-users&m=140752401023837&w=2
>> 
>> This fix works for SRP cipher suites that uses RSA for DSA, which
>> includes 6 of the 9 supported SRP cipher suites.  But the three SRP
>> cipher suites that don't rely on a server-side certificate are still
>> broken.  This problem can be recreated using these commands:
> 
> I believe this is already in master in commit
> 9e72d496d4f9880ec98f0ed9168246e35c1c3059
> 
> 
> Kurt
> 
> 


Re: SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)

2014-08-12 Thread Abdul Anshad

Thank you for the response.

I already have a SHA-256 self signed certificate with a bit size 2048 
but still ended up with the same error.


I used the following command to create the self signed certificate.

$ openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
    -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt


$ openssl x509 -noout -text -in /etc/pki/tls/certs/localhost.crt | \
    grep "Signature Algorithm"

Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

$ openssl version
OpenSSL 1.0.1i-fips 6 Aug 2014


Any suggestions ?

Regards,
Abdul

On 12-Aug-14 3:02 AM, Kurt Cancemi wrote:

> You're using a SHA-1 signed certificate, the current FIPS standard
> mandates a SHA-256 (SHA-2) signed certificate with a bit size >= 2048.
>
> ---
> Kurt Cancemi
> https://www.x64Architecture.com
>
>
> On Mon, Aug 11, 2014 at 5:24 AM, Abdul Anshad  wrote:
>
>> Hello All,
>>
>> I have a set up which runs Apache http-2.4.10 and Openssl-1.0.1i, when I try
>> to start the http server with FIPS mode I get the following error.
>>
>> [Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232: suEXEC
>> mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
>> [Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode
>> failed
>> [Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error:
>> error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA
>> SHA1 X931)
>> [Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal error
>> initialising mod_ssl, exiting.
>> AH00016: Configuration Failed
>>
>> Could somebody help me out with this issue ? Thanks in advance.
>>
>> --
>> Regards,
>> Abdul



