Re: [openssl-dev] How to get SSL version from SSL_SESSION using OpenSSL-1.1.x?
On Thu, May 26, 2016, at 14:52, Matt Caswell wrote: > > One of the modules maintains the server-side SSL session cache, > > comprised of SSL_SESSION objects. For debugging purposes, there's a > > tool to dump out the sessions in the cache. I had initially used > > SSL_SESSION_print() for this dump utility, but that prints out more of > > the session data (e.g. the master key) than I'd wanted. Thus I ended up > > writing my own code for printing out the fields of the SSL_SESSION which > > I thought would be of interest -- including the protocol version of the > > SSL_SESSION. > > That sounds fairly reasonable. I suggest raising a github pull request > to add the accessor (or just an issue if you prefer). Done; see: https://github.com/openssl/openssl/pull/1135 Thanks, TJ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] How to get SSL version from SSL_SESSION using OpenSSL-1.1.x?
> > I'm currently working on updating proftpd and its various modules to > > work with the changed APIs in OpenSSL-1.1.x. My current obstacle(?) is > > to determine the SSL protocol version, given an SSL_SESSION pointer. > > > > Using OpenSSL-1.0.x, I currently use: > > > > ssl_version = sess->ssl_version; > > > > However, I don't see an equivalent accessor in the 1.1.x APIs. Have I > > missed something, or does such a thing not exist yet? > > I don't think such a thing exists at the moment. Out of interest why do > you need it? One of the modules maintains the server-side SSL session cache, comprised of SSL_SESSION objects. For debugging purposes, there's a tool to dump out the sessions in the cache. I had initially used SSL_SESSION_print() for this dump utility, but that prints out more of the session data (e.g. the master key) than I'd wanted. Thus I ended up writing my own code for printing out the fields of the SSL_SESSION which I thought would be of interest -- including the protocol version of the SSL_SESSION. Cheers, TJ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] How to get SSL version from SSL_SESSION using OpenSSL-1.1.x?
I'm currently working on updating proftpd and its various modules to work with the changed APIs in OpenSSL-1.1.x. My current obstacle(?) is to determine the SSL protocol version, given an SSL_SESSION pointer. Using OpenSSL-1.0.x, I currently use: ssl_version = sess->ssl_version; However, I don't see an equivalent accessor in the 1.1.x APIs. Have I missed something, or does such a thing not exist yet? Cheers, TJ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4327] SSL_CTX_use_serverinfo_file() causes issues for SSL_CTX with multiple certs
When the SSL_CTX_use_serverinfo_file() function is used to configure custom TLS extension data (e.g. for SCT data), AND the SSL_CTX in question is configured for multiple server certificates, the SSL/TLS handshake can fail unexpectedly, and will not return the configured TLS extension data properly. See: https://github.com/openssl/openssl/issues/719 Cheers, TJ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4327 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4205] Improve the default TLS session ticket key
The default TLS session ticket key used by OpenSSL uses AES128-CBC-SHA256; considering the security offered by newer ciphersuites, the TLS session ticket key algorithm should be updated/improved, at least to AES256-CBC-SHA256. See: https://github.com/openssl/openssl/issues/514 Cheers, TJ ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: Session resumption
How long is SSL/TLS session information cached before it is invalidated (i.e. not acceptable for use in future resumption attempts)? Is this value configurable? It's configurable, yes. See the documentation for the SSL_CTX_set_timeout() function. Looks like the current timeout is 300 seconds. Cheers, TJ ~ Solitude vivifies; isolation kills. -Joseph Roux ~
PKCS#7 enveloped objects and ciphers
Hello, OpenSSL developers. I ran across an interesting thing while working with openssl-0.9.7beta2, and am wondering if it's a bug, or is intentional. I have signed some data, creating a PKCS7 signed object. I've then encrypted that signed object, creating an enveloped object. At each step in this process, I'm displaying the various attributes and structs members (in a way that unhealthily violates the opacity of objects, I admit). The interesting case is this: I write the enveloped object out via PEM_write_bio_PKCS7(), and then read it back in using PEM_read_bio_PKCS(). The enveloped object read back in seems to be same as that written out -- except that p7-d.enveloped-enc_data-cipher is NULL, where it was not NULL when being written out. I looked into the PKCS7_dataDecode() routine, to see how it decrypted an eveloped object's encrypted contents without using that cipher. It apparently does so by using p7-d.enveloped-enc_data-algorithm to get the matching(?) cipher by name. Is this use (and lack of) of that enc_data-cipher member intentional? Or perhaps this is a case specific to working with enveloped objects? Or, most likely, I am missing something. =) Cheers, TJ Absence is to love what wind is to fire: it extinguishes the small, it enkindles the great. -Comte de Bussy-Rabutin __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL and PKCS#9's signingDescription
Are there any plans to add PKCS#9's signingDescription attribute to OpenSSL's repertoire? Cheers, TJ This truth - to prove, and make thine own: Thou hast been, shalt be, art, alone. -Matthew Arnold __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #268] Very minor documentation patch
In the doc/openssl.txt document in openssl-0.9.7beta2, there is a very minor mistake in an example subjectAltName line in the config file: --- openssl.txt Tue Sep 19 17:50:25 2000 +++ /home/tj/openssl.txtSun Sep 1 22:08:10 2002 @@ -344,7 +344,7 @@ Examples: -subjectAltName=email:copy,email:[EMAIL PROTECTED],URL:http://my.url.here/ +subjectAltName=email:copy,email:[EMAIL PROTECTED],URI:http://my.url.here/ subjectAltName=email:[EMAIL PROTECTED],RID:1.2.3.4 Issuer Alternative Name. The comments above say URI, but the example shows URL. Cheers, TJ ~~~ Life shrinks or expands in proportion to one's courage. -Anais Nin ~~~ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Compression BIO
jaltmaWhat benefit is there to this over the ZLIB support already jaltmain the TLS transport? It was intended to be another tool in the BIO collection, for applications that would like to make use of OpenSSL, but not necessarily for TLS transport. TJ ~~~ Be glad of life for it gives you the chance to love, to work, to play, and to look at the stars. -Henry Van Dyke ~~~ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Compression BIO
Hello, all. I recently finished working on a zlib-based compression filter BIO for OpenSSL, and would like to contribute this to the project. The code can be found at: http://www.castaglia.org/openssl/ and includes a README, POD, and the files themselves. My next question is: what to do with this code from here? Cheers, TJ ~~~ The worst solitude is to be destitute of sincere friendship. -Francis Bacon ~~~ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]