Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Moonchild via RT]

Really?

That's all we get, a one-liner, no explanation, no rationale, response?
It's not even "brand new" functionality, Camellia as a raw cipher is already
in there, the only difference is wrapping it into GCM-based suites. Patches
are available, too.

Sounds like OpenSSL isn't as open as one might think.

On 04/02/2016 05:38, Rich Salz via RT wrote:
> We're not taking on these new Camellia ciphers for now. -- Rich Salz,
> OpenSSL dev team; rs...@openssl.org
>
>
>



___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

[David Woodhouse]

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote:
> So guys, sorry for dropping the ball. Where are we on this now?

I see four patches still at the top of 
http://git.infradead.org/users/dwmw2/openssl.git but I've completely
forgotten.

I'll update and rebase my patches on both the OpenSSL and EDK2 side,
and take stock.

I think we also have our own implementation of TS support in EDK2, from
the 0.9.8 days when OpenSSL didn't. Qin, did you make any progress on
killing that off?

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Moonchild via RT]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Really?

That's all we get, a one-liner, no explanation, no rationale, response?
It's not even "brand new" functionality, Camellia as a raw cipher is already
in there, the only difference is wrapping it into GCM-based suites. Patches
are available, too.

Sounds like OpenSSL isn't as open as one might think.

On 04/02/2016 05:38, Rich Salz via RT wrote:
> We're not taking on these new Camellia ciphers for now. -- Rich Salz,
> OpenSSL dev team; rs...@openssl.org
> 
> 
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)

iF4EAREIAAYFAlazIiQACgkQEguw022l8qw2wQD8CuBYlCXVKk2VUvMSxYcqnKDg
LULZr0x5hCfalVbl/cIA/3Ro3hbllmrL6RqBy6ir/l6bUSmlWnB+nG++scYIkNem
=koMx
-END PGP SIGNATURE-


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Nich Ramsey]

Moonchild: what advantages does Camellia have over AES? Sincerely asking
since I'm not familiar.

OpenSSL team: I second Moonchild's curiosity, why is there no plan for
integration when the raw cipher is already present in the code base? If
it's a lack of resources you can dedicate, would you be open to someone
outside the dev team contributing the necessary code?

Thanks in advance for your consideration,
Nich
On Feb 4, 2016 2:10 AM, "Moonchild via RT"  wrote:

> Really?
>
> That's all we get, a one-liner, no explanation, no rationale, response?
> It's not even "brand new" functionality, Camellia as a raw cipher is
> already
> in there, the only difference is wrapping it into GCM-based suites. Patches
> are available, too.
>
> Sounds like OpenSSL isn't as open as one might think.
>
> On 04/02/2016 05:38, Rich Salz via RT wrote:
> > We're not taking on these new Camellia ciphers for now. -- Rich Salz,
> > OpenSSL dev team; rs...@openssl.org
> >
> >
> >
>
>
>
> ___
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Nich Ramsey via RT]

Moonchild: what advantages does Camellia have over AES? Sincerely asking
since I'm not familiar.

OpenSSL team: I second Moonchild's curiosity, why is there no plan for
integration when the raw cipher is already present in the code base? If
it's a lack of resources you can dedicate, would you be open to someone
outside the dev team contributing the necessary code?

Thanks in advance for your consideration,
Nich
On Feb 4, 2016 2:10 AM, "Moonchild via RT"  wrote:

> Really?
>
> That's all we get, a one-liner, no explanation, no rationale, response?
> It's not even "brand new" functionality, Camellia as a raw cipher is
> already
> in there, the only difference is wrapping it into GCM-based suites. Patches
> are available, too.
>
> Sounds like OpenSSL isn't as open as one might think.
>
> On 04/02/2016 05:38, Rich Salz via RT wrote:
> > We're not taking on these new Camellia ciphers for now. -- Rich Salz,
> > OpenSSL dev team; rs...@openssl.org
> >
> >
> >
>
>
>
> ___
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

[Fedor Indutny via RT]

Thank you very much, Matt, Rich.

I will read through these docs tomorrow.

On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT  wrote:

>
>
> On 04/02/16 06:34, Salz, Rich via RT wrote:
> > It’s late and my response was incomplete.
> > The other part has already landed in master, and that's the "async
> engine" support.
>
> See:
>
> https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
> the SSL_MODE_ASYNC bit)
> https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>
> I'm working on a patch that may make some tweaks to this API, but you
> should get the idea.
>
> Matt
>
>
>

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

[Fedor Indutny]

Thank you very much, Matt, Rich.

I will read through these docs tomorrow.

On Thu, Feb 4, 2016 at 4:29 AM, Matt Caswell via RT  wrote:

>
>
> On 04/02/16 06:34, Salz, Rich via RT wrote:
> > It’s late and my response was incomplete.
> > The other part has already landed in master, and that's the "async
> engine" support.
>
> See:
>
> https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
> the SSL_MODE_ASYNC bit)
> https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html
>
> I'm working on a patch that may make some tweaks to this API, but you
> should get the idea.
>
> Matt
>
>
>
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Moonchild via RT]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 04/02/2016 11:18, Nich Ramsey via RT wrote:
> Moonchild: what advantages does Camellia have over AES? Sincerely asking 
> since I'm not familiar.

It's comparable to AES in terms of how it can theoretically be broken with
algebra, as well as its processing capabilities, but as far as I know there
are no known successful attacks that weaken it, and the closest anyone has
come to attacking it has been against a reduced/non-full version of the
128-bit strength cipher that still required 2^116 encryptions and the same
amount of plaintexts. The full one has never budged. That alone would make
it a very desirable cipher.
Unless, of course, you have a personal grudge against ciphers not coming
from American soil (it's a Japanese-origin cipher).
See also my rationale in my original post on this topic about international
diversity with strong, modern encryption. Camellia is widely-adopted in a
whole range of security applications.

There are plenty of RFCs about Camellia, but in this context most notably
RFC6367 proposing exactly this for inclusion in TLS with GCM.

RFC5932 is a standards document describing Camellia in TLS as a whole.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)

iF4EAREIAAYFAlazMLsACgkQEguw022l8qy+KwD9H3Rm0qaXxcts49jvKuL54frb
rzpF/WlvtiMlYDNXgEUA/1k9HjoEbLp9THY3nrHZ4Rx0wXcgT0O4b/817Cr+3iJM
=JoAw
-END PGP SIGNATURE-


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3095] Incorrect result in HMAC functions when key is null

[Emilia Käsper via RT]

Fixed in master now, commit b1413d9bd9d823ca1ba2d6cdf4849e635231

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4290] HMAC_Init_ex() return bug

[Matt Caswell via RT]

On Wed Feb 03 18:32:20 2016, mikkrat...@gmail.com wrote:
> I built it using cocoapods, the OpenSSL headers show 1.0.2f.
> I’ll try to make some sample program tomorrow.
>
>
> > On 3 veebr 2016, at 18:27, Salz, Rich via RT  wrote:
> >
> >> I’m running OS X 10.11.3 and OpenSSL 1.0.206
> >
> > I cannot reproduce this. Did you build from source, or is that a
> > vendor-provided version? The ".206" isn't part of our release
> > naming. Did you mean 1.0.2f? Do you have a sample program to show
> > the error?
> >
> >

Please do as it looks like someone else has a similar problem. It's not quite
the same (different HMAC function) but still in HMAC and very similar symptoms:
https://github.com/openssl/openssl/issues/607

I can't reproduce it though, and the diagnosis in the above github issue
doesn't look right.

One other question: are you using FIPS mode, or standard OpenSSL?

Matt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3830] [PATCH] Fix test execution on Windows

[Richard Levitte via RT]

I just tried this and can't verify this, it works beautifully and as intended
when I try. The issue appears to be a non-issue, as the command should create
the serial file and therefore not require its presence beforehand. See
'-CAcreateserial'.

Cheers,
Richard

Vid Sat, 02 May 2015 kl. 06.05.21, skrev gunna...@exchange.microsoft.com:
> Hello,
>
> Summary: fix test case execution on Windows so that all the tests will
> be run.
>
> Additional data:
>
> 1) Operating systems affected: all versions of Windows.
>
> 2) OpenSSL versions affected: all versions running on Windows.
>
> Thank you,
> Gunnar Kudrjavets


--
Richard Levitte
levi...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

[Woodhouse, David via RT]

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote:
> So guys, sorry for dropping the ball. Where are we on this now?

I see four patches still at the top of 
http://git.infradead.org/users/dwmw2/openssl.git but I've completely
forgotten.

I'll update and rebase my patches on both the OpenSSL and EDK2 side,
and take stock.

I think we also have our own implementation of TS support in EDK2, from
the 0.9.8 days when OpenSSL didn't. Qin, did you make any progress on
killing that off?

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation




smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2664] config does not allow disabling npn

[Rich Salz via RT]

fixed in master:
; ./config no-npn
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring OpenSSL version 1.1.0-pre3-dev (0x0x1013L)
* Unsupported options: no-npn


--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2664

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2918] [PATCH] Testcase for GOST R 34.11-94 (openssl/engines/ccgost/gosthash.c)

[Rich Salz via RT]

GOST is now a separately-maintained engine.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2918

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2638] s_client -servername BLAH not honoured with -starttls xmpp

[Rich Salz via RT]

the -xmpphost flag does what you want. In next release.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2638

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3121] Request concerning revoke system for openSSL

[Rich Salz via RT]

There is no defect here.
Or at least not enough information.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=3121

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

[Richard Levitte via RT]

 Doesn't seem that way. Not present on VMS, and I can't find it on MDSN either.
Vid Thu, 04 Feb 2016 kl. 21.05.13, skrev rsalz:
> is strcasestr common?

--
Richard Levitte
levi...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2712

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

[Rich Salz via RT]

is strcasestr common?
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2712

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1596] wrong AKI in cert

[Viktor Dukhovni via RT]

When a certificate is re-signed via "x509 -signkey" while keeping the
existing extensions (i.e. without "-clrext"), the (unwritten) expectation
is that that all that's being changed is the validity dates, and the
previous certificate content remains unchanged.  Yes, the issuer is updated
to match the subject if they are not already the same, and the key is replaced
with the new key if different, but otherwise the certificate remains the same.

This is useful for extending the dates of existing self-signed certificates with
as little change as possible.

What this means in practice is that if something other than just the dates
is changing, one really should use "-clrext" and specify the new desired
extensions.

For example ("bash" inline file syntax):

  $ openssl x509 -clrext \
-in old-cert.pem -out new-cert.pem -signkey key.pem \
-extfile <(printf "%s\n%s\n" \
"subjectKeyIdentifier = hash" \
"authorityKeyIdentifier = keyid:always"
)

In such cases one of course also needs to specify any other
desired extensions.

Now it may be argued that a more complicated strategy is possible,
in which:

  * It is determined whether the original certificate is self-signed
  * If so whether the new key is the original signer

and if either condition fails then, while retaining all other extensions
the subject key identifier and authority key identifier extensions are
dropped and regenerated as specified in the extant configuration.

Logic of that complexity is not in place, and it is not entirely clear
that its absence is a bug in the code, rather than a matter of incomplete
documentation of the limitations of this feature.

My take is that this is best addressed at the documentation level, but if
someone is really keen to try to make the code automatically perform the
right extension surgery, a pull request on Github might be the way to go.

-- 
Viktor.


-
http://rt.openssl.org/Ticket/Display.html?id=1596

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1596] wrong AKI in cert

[Viktor Dukhovni]

When a certificate is re-signed via "x509 -signkey" while keeping the
existing extensions (i.e. without "-clrext"), the (unwritten) expectation
is that that all that's being changed is the validity dates, and the
previous certificate content remains unchanged.  Yes, the issuer is updated
to match the subject if they are not already the same, and the key is replaced
with the new key if different, but otherwise the certificate remains the same.

This is useful for extending the dates of existing self-signed certificates with
as little change as possible.

What this means in practice is that if something other than just the dates
is changing, one really should use "-clrext" and specify the new desired
extensions.

For example ("bash" inline file syntax):

  $ openssl x509 -clrext \
-in old-cert.pem -out new-cert.pem -signkey key.pem \
-extfile <(printf "%s\n%s\n" \
"subjectKeyIdentifier = hash" \
"authorityKeyIdentifier = keyid:always"
)

In such cases one of course also needs to specify any other
desired extensions.

Now it may be argued that a more complicated strategy is possible,
in which:

  * It is determined whether the original certificate is self-signed
  * If so whether the new key is the original signer

and if either condition fails then, while retaining all other extensions
the subject key identifier and authority key identifier extensions are
dropped and regenerated as specified in the extant configuration.

Logic of that complexity is not in place, and it is not entirely clear
that its absence is a bug in the code, rather than a matter of incomplete
documentation of the limitations of this feature.

My take is that this is best addressed at the documentation level, but if
someone is really keen to try to make the code automatically perform the
right extension surgery, a pull request on Github might be the way to go.

-- 
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2887] [PATCH] decode more message/content types in apps

[Rich Salz via RT]

fixed in master for next release with commit 7429b39. thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2887
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4288] [BUG] Xmm7 register is cobbered in aesni_gcm_decrypt on win64

[Kurt Roeckx via RT]

Fixed.


Kurt



-
http://rt.openssl.org/Ticket/Display.html?id=4288

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

[David Woodhouse via RT]

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote:
> I think that instead of the #ifdef being removed, the if() test
> should be removed.  
> This was my mistake.

What was the verdict here?

I'm trying to update my builds, as promised this morning. But EDK2 has
updated to 1.0.2e and in doing so, has grown a new patch for this
regression.

So when part of my patch series¹ replaces the existing patch against
1.0.2e with a cleaner patch including all the bug-fixes that have
already gone upstream into HEAD, this needs a "proper" fix...

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation


¹ http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/16d175c127ac1e


-
http://rt.openssl.org/Ticket/Display.html?id=4175

Please log in as guest with password guest if prompted



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Salz, Rich via RT]

I missed a link: https://github.com/openssl/openssl/issues/320

Nobody is pressuring us.  I am sure you mean that in a kind and concerned way, 
and are not trying to be insulting.

If you can find someone on the openssl-dev team who is willing to take on the 
work, then it could go into OpenSSL.  Otherwise, consider implementing it as an 
external engine (like GOST), or do your own downstream fork.



-
http://rt.openssl.org/Ticket/Display.html?id=4075

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

[David Woodhouse]

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote:
> I think that instead of the #ifdef being removed, the if() test
> should be removed.  
> This was my mistake.

What was the verdict here?

I'm trying to update my builds, as promised this morning. But EDK2 has
updated to 1.0.2e and in doing so, has grown a new patch for this
regression.

So when part of my patch series¹ replaces the existing patch against
1.0.2e with a cleaner patch including all the bug-fixes that have
already gone upstream into HEAD, this needs a "proper" fix...

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation


¹ http://git.infradead.org/users/dwmw2/edk2.git/commitdiff/16d175c127ac1e


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Openssl SNAP 20160204 development

[Kurt Roeckx]

On Thu, Feb 04, 2016 at 06:39:19AM -0700, The Doctor wrote:
> All right, I can compile,but
> 
> test/recipes/70-test_sslcertstatus.t
> 
> is hang in an infinite loop.
> 
> Any explanation?

That's an issue I'm not aware of yet, nor did I see it in any of
our automated test runs.  Can you give some more information about
it?


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

[Short, Todd via RT]

OpenSSL is generally able to compile with the musl C library (same idea as 
uClibc):

OpenSSL 1.0.2f:
./config
make depend
CC=/usr/local/bin/musl-gcc ./config
make

./config is run twice, because "make depend" fails since domd can’t find the 
makedepend command after CC is set to musl-gcc. However, after running ./config 
a second time (to update the CC), the make succeeds. openssl loads and run. If 
musl is configured with --disable-shared, then it does not require any dynamic 
executables.

master:
CC=/usr/local/bin/musl-gcc ./config
make depend
make
"make depend" succeeds in master, even after CC is set to musl-gcc. But linking 
fails due to setcontext, getcontext and makecontext being undefined. They 
appear to be used by the async code; there doesn’t seem to be a way to turn off 
async (or force NULL async). I looked in the musl library, and there are 
declarations of these functions()s, but no definitions.

A maintainer of the musl library has indicated that these are deprecated Posix 
APIs. Might there be a way to disable the use of these APIs, and permit only 
async_none so that these other libraries (uClibc and musl) could be used 
instead?

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Feb 3, 2016, at 9:00 PM, Salz, Rich via RT 
> wrote:

This might be interesting to support, but unfortunately nobody looked at the
bug in years and the build process has changed a great deal. If you could
re-integrate this against what's in master, we'd look at it. If that's too much
work, I understand. We don't have/use this particular run-time environment.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



-
http://rt.openssl.org/Ticket/Display.html?id=1979

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

[Salz, Rich via RT]

>  Doesn't seem that way. Not present on VMS, and I can't find it on MDSN
> either.

So what I'd have to do is downcase the string and do strstr on all lowercase.  
Might be reasonable




-
http://rt.openssl.org/Ticket/Display.html?id=2712

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2712] Be more liberal when trying to recognize the XMPP starttls headers

[Salz, Rich]

>  Doesn't seem that way. Not present on VMS, and I can't find it on MDSN
> either.

So what I'd have to do is downcase the string and do strstr on all lowercase.  
Might be reasonable


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

[Matt Caswell]

On 04/02/16 05:49, Rich Salz via RT wrote:
> currently in master, planned for 1.1 scheculed for april 2017

That would be April 2016!!

Matt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3003] Enhancement Request - RFC6698 (DANE) TLSA Support

[Matt Caswell via RT]

On 04/02/16 05:49, Rich Salz via RT wrote:
> currently in master, planned for 1.1 scheculed for april 2017

That would be April 2016!!

Matt


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

[Matt Caswell via RT]

On 04/02/16 06:34, Salz, Rich via RT wrote:
> It’s late and my response was incomplete.
> The other part has already landed in master, and that's the "async engine" 
> support.

See:

https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
the SSL_MODE_ASYNC bit)
https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html

I'm working on a patch that may make some tweaks to this API, but you
should get the idea.

Matt


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

[Matt Caswell]

On 04/02/16 06:34, Salz, Rich via RT wrote:
> It’s late and my response was incomplete.
> The other part has already landed in master, and that's the "async engine" 
> support.

See:

https://www.openssl.org/docs/manmaster/crypto/ASYNC_start_job.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_mode.html (i.e.
the SSL_MODE_ASYNC bit)
https://www.openssl.org/docs/manmaster/ssl/SSL_waiting_for_async.html

I'm working on a patch that may make some tweaks to this API, but you
should get the idea.

Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2212] Override DH bits restriction

[Rich Salz via RT]

Five years without commentary. Unlikely to happen, closing ticket. please
re-open if still an issue.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2212

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2195] [PATCH] Set default field separator in do_name_ex() ("nameopt" switch)

[Rich Salz via RT]

This was fixed. Doc not being fixed, please suggest changes.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2195

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2285] [patch] use winsock2.h

[Rich Salz via RT]

I forget which ticket had it, but we already had some of this discussion and
the code we have is correct.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2285

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

[Short, Todd via RT]

FYI: The rational for why these APIs are deprecated.
http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



-
http://rt.openssl.org/Ticket/Display.html?id=1979

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Salz, Rich]

> If you see ways in which the code in proposed pull requests is
> unmaintainable, share them.

Nobody on the team is able to take the time to do it.  
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Kurt Roeckx]

On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote:
> Really?
> 
> That's all we get, a one-liner, no explanation, no rationale, response?
> It's not even "brand new" functionality, Camellia as a raw cipher is already
> in there, the only difference is wrapping it into GCM-based suites. Patches
> are available, too.

I think the concerns are:
- Nobody else seems to be using Camellia
- We don't have a constant time implementation of it
- For processors that have AESNI, it's slower than AES
- Adding more ciphers to the default list will just increase the
  client hello and not change anything.

That being said, I don't think there should be a problem adding
the support.  I'm just not sure about enabling it by default.


Kurt

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Hubert Kario]

On Thursday 04 February 2016 13:08:15 Salz, Rich via RT wrote:
> > That's all we get, a one-liner, no explanation, no rationale,
> > response?
> Take a look at some of the discussion here:
>   https://github.com/openssl/openssl/pull/154
>   https://github.com/openssl/openssl/pull/148

You mean the "Many thanks for your patch. Applied"? :>

If you see ways in which the code in proposed pull requests is 
unmaintainable, share them.

Saying "we may not have resources later" is unconvincing. Especially 
given that we're talking just about a new mode created by combining 
already implemented cipher and integrity mechanism. Mode necessary to 
support an ENISA recommended cipher in TLSv1.3.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Kurt Roeckx via RT]

On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote:
> Really?
> 
> That's all we get, a one-liner, no explanation, no rationale, response?
> It's not even "brand new" functionality, Camellia as a raw cipher is already
> in there, the only difference is wrapping it into GCM-based suites. Patches
> are available, too.

I think the concerns are:
- Nobody else seems to be using Camellia
- We don't have a constant time implementation of it
- For processors that have AESNI, it's slower than AES
- Adding more ciphers to the default list will just increase the
  client hello and not change anything.

That being said, I don't think there should be a problem adding
the support.  I'm just not sure about enabling it by default.


Kurt



-
http://rt.openssl.org/Ticket/Display.html?id=4075

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] Openssl SNAP 20160204 development

[The Doctor]

All right, I can compile,but

test/recipes/70-test_sslcertstatus.t

is hang in an infinite loop.

Any explanation?
-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! 
http://www.fullyfollow.me/rootnl2k  Look at Psalms 14 and 53 on Atheism
Broadcasting the truth for 25 years
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Moonchild via RT]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 04/02/2016 14:08, Salz, Rich via RT wrote:
> 
>> That's all we get, a one-liner, no explanation, no rationale,
>> response?
> 
> Take a look at some of the discussion here: 
> https://github.com/openssl/openssl/pull/374 
> https://github.com/openssl/openssl/pull/154 
> https://github.com/openssl/openssl/pull/148

None of these have any discussion. 148 and 154 are dupes and got merged. 374
was closed because nobody bothered to give it any attention and the dev got
tired of rebasing when there was no indication that it would ever get
attention. What did you expect, that someone would just keep working on
something for naught?

So, basically, you ignored someone long enough that they dropped it.

Once again, no explanation is given, no rationale.
Are you being put under pressure by someone? Should someone make a sane fork
of OpenSSL instead? Or can we just actually work together to improve a lib
here? Seriously.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (MingW32)

iF4EAREIAAYFAlazVn8ACgkQEguw022l8qx3rgEAndOysatLhd3j5LxxIdhfMiAS
I3ZEyMQQxgewPU60CQ8A/2vkByqPlDCrHITP3+ZQTh/ffwOgMlNugvqGjDW0s2BE
=qACi
-END PGP SIGNATURE-



-
http://rt.openssl.org/Ticket/Display.html?id=4075

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Salz, Rich via RT]

> That's all we get, a one-liner, no explanation, no rationale, response?

Take a look at some of the discussion here:
https://github.com/openssl/openssl/pull/374
https://github.com/openssl/openssl/pull/154
https://github.com/openssl/openssl/pull/148

I would suggest that if you want to continue the discussion, do it on 
openssl-dev with a new subject line (so it doesn't get threaded into this RT 
ticket)


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2256] CVS HEAD: question: must this be hardcoded '8' or is it 'md_len' in disguise? :-S

[Matt Caswell via RT]

The length is specified by the standards and is less than the digest length.
Closing this ticket.

Matt


-
http://rt.openssl.org/Ticket/Display.html?id=2256

Please log in as guest with password guest if prompted
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

[Woodhouse, David via RT]

On Thu, 2016-02-04 at 03:04 +, Rich Salz via RT wrote:
> So guys, sorry for dropping the ball. Where are we on this now?

Going backwards. I don't seem to be able to configure with
'no-ui no-engines' any more. :)

-- 
David WoodhouseOpen Source Technology Centre
david.woodho...@intel.com  Intel Corporation



-
http://rt.openssl.org/Ticket/Display.html?id=3964

Please log in as guest with password guest if prompted



smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Blumenthal, Uri - 0553 - MITLL]

On 2/4/16, 12:10 , "openssl-dev on behalf of Kurt Roeckx via RT"
 wrote:

>On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote:
>> Really?
>> 
>> That's all we get, a one-liner, no explanation, no rationale, response?
>> It's not even "brand new" functionality, Camellia as a raw cipher is
>>already
>> in there, the only difference is wrapping it into GCM-based suites.
>>Patches
>> are available, too.
>
>I think the concerns are:
>- Nobody else seems to be using Camellia

I thought it’s used pretty widely in Asia.

>- We don't have a constant time implementation of it

Something to write in the documentation - not everybody needs to worry
about this (contrary to what some academia publications seemed to imply).

>- For processors that have AESNI, it's slower than AES

So…? 

People who want to use it, most likely do it for reasons other than speed.

>- Adding more ciphers to the default list will just increase the
>  client hello and not change anything.

???

>That being said, I don't think there should be a problem adding
>the support.  I'm just not sure about enabling it by default.

Enabling by default probably is unnecessary, IMHO.


smime.p7s
Description: S/MIME cryptographic signature
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Nich Ramsey via RT]

I'm new to implementing crypto, but this seems like a great learning
opportunity.

What's the best way for me to get ramped up through self-study? I'm
interested in the Camellia cipher, and contributing meaningful additions to
the OpenSSL library.

Moonchild: thank you for your detailed explanation of the Camellia cipher.
This seems like a worthwhile cause, since having many alternative, strong
cipher suites is of great benefit.

Kurt: I agree with you, until there are more people using Camellia it
shouldn't be on by default. It would be nice to have the option to manually
enable it though, especially for people like Moonchild that have a special
need/affinity for the cipher.

Thanks to everyone for continued discussion on this topic.

Nich
On Feb 4, 2016 9:11 AM, "Kurt Roeckx via RT"  wrote:

> On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote:
> > Really?
> >
> > That's all we get, a one-liner, no explanation, no rationale, response?
> > It's not even "brand new" functionality, Camellia as a raw cipher is
> already
> > in there, the only difference is wrapping it into GCM-based suites.
> Patches
> > are available, too.
>
> I think the concerns are:
> - Nobody else seems to be using Camellia
> - We don't have a constant time implementation of it
> - For processors that have AESNI, it's slower than AES
> - Adding more ciphers to the default list will just increase the
>   client hello and not change anything.
>
> That being said, I don't think there should be a problem adding
> the support.  I'm just not sure about enabling it by default.
>
>
> Kurt
>
>
>
> -
> http://rt.openssl.org/Ticket/Display.html?id=4075
>
> Please log in as guest with password guest if prompted
>
> ___
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>


-
http://rt.openssl.org/Ticket/Display.html?id=4075

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

[Nich Ramsey]

I'm new to implementing crypto, but this seems like a great learning
opportunity.

What's the best way for me to get ramped up through self-study? I'm
interested in the Camellia cipher, and contributing meaningful additions to
the OpenSSL library.

Moonchild: thank you for your detailed explanation of the Camellia cipher.
This seems like a worthwhile cause, since having many alternative, strong
cipher suites is of great benefit.

Kurt: I agree with you, until there are more people using Camellia it
shouldn't be on by default. It would be nice to have the option to manually
enable it though, especially for people like Moonchild that have a special
need/affinity for the cipher.

Thanks to everyone for continued discussion on this topic.

Nich
On Feb 4, 2016 9:11 AM, "Kurt Roeckx via RT"  wrote:

> On Thu, Feb 04, 2016 at 10:10:06AM +, Moonchild via RT wrote:
> > Really?
> >
> > That's all we get, a one-liner, no explanation, no rationale, response?
> > It's not even "brand new" functionality, Camellia as a raw cipher is
> already
> > in there, the only difference is wrapping it into GCM-based suites.
> Patches
> > are available, too.
>
> I think the concerns are:
> - Nobody else seems to be using Camellia
> - We don't have a constant time implementation of it
> - For processors that have AESNI, it's slower than AES
> - Adding more ciphers to the default list will just increase the
>   client hello and not change anything.
>
> That being said, I don't think there should be a problem adding
> the support.  I'm just not sure about enabling it by default.
>
>
> Kurt
>
>
>
> -
> http://rt.openssl.org/Ticket/Display.html?id=4075
>
> Please log in as guest with password guest if prompted
>
> ___
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] Evolution of build refactoring

[Richard Levitte]

Hi,

some time ago, I announced the refactor-build branch on github.  It
has gone through a bit of rearrangement, and the commits that lay out
the ground have made it into master by now.  The rest is still going
through internal review.

Meanwhile, I would very much  like to hear from Cygwin folks, Mwing
folks and VMS folks, the first two because I'm not sure I got the
quirks needed right, and regarding VMS, this is the only way there
will be a build of upcoming 1.1, so it's rather crucial to get things
right there.

That branch lives as a github pull request (mostly to get travis to
try building it), https://github.com/openssl/openssl/pull/623, the
branch itself is found here:
https://github.com/levitte/openssl/tree/refactor-build

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

[Jeremy Farrell via RT]

On 04/02/2016 16:45, Short, Todd via RT wrote:
> FYI: The rational for why these APIs are deprecated.
> http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08

That's the superseded POSIX.1-2001 standard, where these functions were 
made obsolescent. They're no longer part of POSIX at all, having been 
removed in POSIX.1-2008. See 
http://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xsh_chap01.html#tag_22_01_01_05

Regards,
  jjf

-- 
J. J. Farrell
w: +44 161 493 4838



-
http://rt.openssl.org/Ticket/Display.html?id=1979

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2281] Bug in 1.0.0: SSL_new() leaks s->param if s->method->ssl_new() fails

[Rich Salz via RT]

this is fixed in master.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2281

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2496] [PATCH] Fix compile problems when various ciphers are disabled

[Rich Salz via RT]

most of this is fixed in master, maybe all. if there are still issues, please
open a new ticket.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2496

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2460] OCSP server uses only IP6

[Rich Salz via RT]

i think --
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2460

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2287] A bug of PKCS8?

[Rich Salz via RT]

An old unsuppported release. Please open a new ticket if this is still an issue
with the current release(s).

thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2287

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2402] PATCH: config and Configure for Xcode Awareness

[Rich Salz via RT]

Please open a new ticket (and patch or GitHub PR) against master if this is
still an issue. I don't think it is.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2402

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2386] Bug Report and Patch: Incompatible types in SKM_ASN1_SET_OF_d2i

[Rich Salz via RT]

fixed some time ago. works in 1.0.2 and fixed even better in next release :)
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2386

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2449] [BUG] openssl 1.0.0d warnings during build and ACCVIO on OpenVMS

[Rich Salz via RT]

VMS support is back in master (openssl 1.1)
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2449

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2406] Argument type warning on i2d_ASN1_SET

[Rich Salz via RT]

fixed some time ago, works in current release(s).

--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2406

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2493] [PATCH] Engines: Eliminate the unneccesary null check

[Rich Salz via RT]

sureware engine is no longer supported.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2493

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2460] OCSP server uses only IP6

[Kurt Roeckx via RT]

On Thu, Feb 04, 2016 at 08:07:15PM +, Rich Salz via RT wrote:
> i think --

I'm not sure what you think.  But all the apps currently only
create 1 socket, which on some OSes could mean that it's IPv6 (or
IPv4) only.  It needs more work.


Kurt



-
http://rt.openssl.org/Ticket/Display.html?id=2460

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2460] OCSP server uses only IP6

[Salz, Rich via RT]

> I'm not sure what you think.  But all the apps currently only create 1 socket,
> which on some OSes could mean that it's IPv6 (or
> IPv4) only.  It needs more work.

Yes, I meant to close the window not the ticket :)  Re-opened.



-
http://rt.openssl.org/Ticket/Display.html?id=2460

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2521] Enhancement Request

[Rich Salz via RT]

you can build/install the docs locally ...

--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2521

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

[Rich Salz via RT]

This is interesting, although unfortunately it's been years since we looked at
it and it is out of date.

Rather than replacing all the getenv() calls, a simple wrapper like
OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. And
the config changes needed to be ported up to master.

If anyone does that and makes a PR on github, we'll review it. Closing this for
now.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2532

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2554] Patch: AF_ALG dynamic engine for linux >= 2.6.38

[Rich Salz via RT]

support for this is in-progress for 1.1
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2554

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2536] Memory leak in d2i_RSA_PUBKEY() (concise test code included)

[Rich Salz via RT]

The d2i routines move the pointer to the next thing. So you have do save key,
pass in a copy, and then delete the original key.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2536

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #2571] OCSP send request fails if OCSP server with vhost or reverse proxy

[Rich Salz via RT]

As listed in the ticket, the -host heade can be used to do what you need. Open
a new ticket if the docs need more explanation; thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org


-
http://rt.openssl.org/Ticket/Display.html?id=2571

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

[Viktor Dukhovni]

> On Feb 4, 2016, at 3:37 PM, Rich Salz via RT  wrote:
> 
> Rather than replacing all the getenv() calls, a simple wrapper like
> OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. 
> And
> the config changes needed to be ported up to master.

Where available, this should use the native safe getenv() interface, rather
than just do issetugid() directly:

   http://man7.org/linux/man-pages/man3/getenv.3.html

-- 
Viktor.
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2532] [PATCH] Fix insufficient privilege checking

[Viktor Dukhovni via RT]

> On Feb 4, 2016, at 3:37 PM, Rich Salz via RT  wrote:
> 
> Rather than replacing all the getenv() calls, a simple wrapper like
> OPENSSL_safe_getenv() that includes the issetguid test seems a lot cleaner. 
> And
> the config changes needed to be ported up to master.

Where available, this should use the native safe getenv() interface, rather
than just do issetugid() directly:

   http://man7.org/linux/man-pages/man3/getenv.3.html

-- 
Viktor.


-
http://rt.openssl.org/Ticket/Display.html?id=2532

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2752] objects.txt - update of extended key usage

[Annie Yousar via RT]

Am 04.02.2016 um 02:25 schrieb Rich Salz via RT:
> I'm going to add these:
> id-kp 21 : secureShellClient : SSH Client
> id-kp 22 : secureShellServer : SSH Server
> I also found 22-26 from RFC 6495. Any others?
>
> ___
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
What about the following OIDs?
Sorry for not using the syntax of objects.txt.
Regards
/Ann.

1 3 6 1 5 5 7 11 2 : id-qcs-pkixQCSyntax-v2 : QC Syntax version 2 (RFC 3739)
1 2 840 113549 1 9 16 2 47 : signingCertificateV2 : S/MIME Attribute
SigningCertificate V2 (RFC 5032)
2 23 140 1 2 2 : CABF-baseline_req : CAB Forum Baseline Requirements
(verified identity)
1 0 14888 3 0 5 : id-dswa-dl-EC-KCDSA : Korean EC-KDSA
1 0 14888 3 0 6 : id-dswa-dl-EC-GDSA : German EC-GDSA
1 0 14888 3 0 9 : id-dswa-dl-EC-RDSA : Russian EC-RDSA
1 0 14888 3 0 11 : id-dswa-dl-EC-SDSA : Schnorr EC-SDSA
1 0 14888 3 0 12 : id-dswa-dl-EC-FSDSA : Full Schnorr EC-FSDSA
2 16 840 1 101 3 4 2 4 5 : sha512-224
2 16 840 1 101 3 4 2 4 6 : sha512-256
2 16 840 1 101 3 4 2 4 7 : sha3-224
2 16 840 1 101 3 4 2 4 8 : sha3-256
2 16 840 1 101 3 4 2 4 9 : sha3-384
2 16 840 1 101 3 4 2 4 10 : sha3-512
2 16 840 1 101 3 4 2 4 11 : shake128
2 16 840 1 101 3 4 2 4 12 : shake256
1 2 250 1 223 101 256 1 : frp256v1 : ANSSI 256 bit elliptic curve
1 2 156 197 10045 3 1 1 : sm2GB192 : OSCCA elliptic prime curve with 192 bit
1 2 156 197 10045 3 1 7 : sm2GB256 : OSCCA elliptic prime curve with 256 bit





___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev