Re: [openssl-dev] OpenSSL patches and enhancements from Akamai
Hi Brian:

Given that the subject certificate is self-signed, it means that the issuer and the subject are the same certificate. This change verifies that.

--
-Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet."

On Feb 13, 2015, at 12:54 PM, Brian Smith <br...@briansmith.org> wrote:

> Very cool.
>
> Short, Todd <tsh...@akamai.com> wrote:
>> * Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer
>
> Could you explain this one? It isn't necessarily the case that a self-signed subject has a self-signed issuer in PKIX, if I am understanding you correctly.
>
> Cheers,
> Brian

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL patches and enhancements from Akamai
>> * Add task for decryption of client key exchange response
>> * Add task for generating client certificate verify message
>> * Add task for signing of server key exchange message
>
> Can you explain this a little more?

I can. I mentioned this on the -team mailing list. The idea is that an application can register callbacks so that CPU-intensive instructions, RSA and ECC ops for now, can get spun off into a separate thread. The top-level SSL_accept/connect return a new error code "not ready yet" and then can poll or wait for the background processor to tell the main thread it's ready, etc.

Again referring to internal knowledge, this might be moot. But it might be a quick win for some downstream distros ...
Re: [openssl-dev] OpenSSL patches and enhancements from Akamai
On Fri, Feb 13, 2015 at 09:05:53AM -0600, Short, Todd wrote:
> Hello openssl-dev:
>
> We at Akamai have a number of enhancements and fixes for OpenSSL that we would like to contribute. Before I inundate r...@openssl.org and openssl-dev mailing lists, I am asking if there's a desire to provide the changes as one large patch file, or as separate patch files. These have yet to be merged into the latest branch and still have to be formatted to the new coding standards, so they aren't going to be posted immediately.

Do not send 1 large patch. I suggest an RT ticket per issue. But you might think about spreading that out over time.

> * IPv6 support in s_client/s_server

No need to submit this, there are already a few of those and I'm working on something more general for IPv6 support.

> * Add task for decryption of client key exchange response
> * Add task for generating client certificate verify message
> * Add task for signing of server key exchange message

Can you explain this a little more?

Kurt
[openssl-dev] OpenSSL patches and enhancements from Akamai
Hello openssl-dev:

We at Akamai have a number of enhancements and fixes for OpenSSL that we would like to contribute. Before I inundate r...@openssl.org and openssl-dev mailing lists, I am asking if there's a desire to provide the changes as one large patch file, or as separate patch files. These have yet to be merged into the latest branch and still have to be formatted to the new coding standards, so they aren't going to be posted immediately.

A brief description of some of the patches:

* More flexible configuration stanza handling
* Limit memory consumption of secure BNs
* Adding struct iovec variants to ssl IO (configurable, disabled by default)
* IPv6 support in s_client/s_server
* Increment ssl session miss counter properly
* Add convenience method to set preferred cipher list
* Add lookups of client sessions from a cache, if so configured
* Rebranding of SSL_ERROR_WANT_X509_LOOKUP as SSL_ERROR_WANT_EVENT, making event type to wait for visible in SSL-rwstate, letting TLS_SRP have its own event type instead of piggybacking on SSL_X509_LOOKUP.
* Add task for decryption of client key exchange response
* Add task for generating client certificate verify message
* Add task for signing of server key exchange message
* Async handling of tlsext servername callback
* Simplify (and improve) the X509 name parsing routine.
* Add short name Email to emailAddress object (crypto/object*)
* Check x509 store ref counter on free
* Add --preserve-dates option to x509 app
* Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer

Rich Salz (and other Akamai employees) had his hand in a number of these changes.

--
-Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet."
Re: [openssl-dev] OpenSSL patches and enhancements from Akamai
Very cool.

Short, Todd <tsh...@akamai.com> wrote:
> * Check that in matching issuer/subject certs, that a self-signed subject also has a self-signed issuer

Could you explain this one? It isn't necessarily the case that a self-signed subject has a self-signed issuer in PKIX, if I am understanding you correctly.

Cheers,
Brian