Re: openssl update 1.0.1f to 1.0.1g broke sendmail (SSL23_GET_SERVER_HELLO:tlsv1 alert decode error)
> It seems that there is another difference between the two openssl versions than only the heartbleed bugfix.

err, yes. The g release is a new minor release. I'd ALWAYS advise reading the changelog before deploying... You'd then have seen the new features (this is why vendors such as redhat are just backporting the fix rather than pushing 1.0.1g to RH6.5 users, for example).

alan
openssl-1.0.1g release for HP-UX 11.23
Gents,

is there a chance that for this release of openssl (http://hpux.connect.org.uk/hppd/hpux/Languages/openssl-1.0.1g/), version(s) for HP-UX 11.23 (HP-UX 11iv2 for Itanium and PA-RISC 2.0) is/are also going to be released? We are currently reviewing our server farm and very much need the 11.23 version as well, to prevent the exploit.

Though we did read the notification (http://hpux.connect.org.uk/hppd/whats-new.html), we urge you to provide us with the requested release(s) and/or the procedure to obtain the aforementioned release(s).

We believe we are not the only organisation that still has active 11.23 host systems running, and we will highly appreciate your help and assistance in this matter.

Awaiting your response,

With best regards,
Mr. Coos Klarenbeek
Systeembeheer UNIX / System Administration UNIX
Dienst ICT Uitvoering / Department ICT Management
Ministerie van Economische Zaken / Ministry of Economic Affairs
Den Haag, The Netherlands
Re: Help me for ECDHE algorithm
I tried your sample code, but the compiler is showing an error like "Undefined reference to EVP_PKEY_CTX_new" although I included the header file openssl/evp.h. Do you have any idea why this error is occurring? And by the way, thanks for the help, friend.
Re: Help me for ECDHE algorithm
On 11 April 2014 06:25, chetan chet...@neominds.in wrote:
> I tried your sample code but compiler showing error like Undefined reference to EVP_PKEY_CTX_new although i included header file openssl/evp.h. You have any idea why this errors occurring??? And by the way thanks for the help friend.

Please
1) Post the steps you are using to compile and link your application, along with the exact errors and output
2) Confirm the version of openssl and platform that you are using

Matt
Re: OpenSSL Security Advisory
On 10.04.2014 13:16, Rob Stradling wrote:
> On 09/04/14 20:43, Salz, Rich wrote:
>>> Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:
>> Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.
> Simpler still... https://gist.github.com/robstradling/10363389
> It's based on what Viktor posted, but it works without patching the OpenSSL library code.

Hello, I get a link error - the same as the 2nd comment mentions there; how can I fix this?

Thanks,
Walter

--
Best regards,
Ing. Walter Höhlhubmer
Re: OpenSSL Security Advisory
The same issue when I tried to port over to windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see.

Steve...

On Fri, Apr 11, 2014 at 7:40 AM, Walter H. walte...@mathemainzel.info wrote:
> On 10.04.2014 13:16, Rob Stradling wrote:
>> On 09/04/14 20:43, Salz, Rich wrote:
>>>> Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:
>>> Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.
>> Simpler still... https://gist.github.com/robstradling/10363389
>> It's based on what Viktor posted, but it works without patching the OpenSSL library code.
> Hello, I get a link error - the same as the 2nd comment mentions there; how can I fix this?
> Thanks, Walter

--
Steve Kneizys
Senior Business Process Engineer
Ferrilli Information Group
RE: OpenSSL Security Advisory
Also try your range here https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

Hth
jaa

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Friday, April 11, 2014 7:40 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL Security Advisory

On 10.04.2014 13:16, Rob Stradling wrote:
> On 09/04/14 20:43, Salz, Rich wrote:
>>> Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:
>> Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.
> Simpler still... https://gist.github.com/robstradling/10363389
> It's based on what Viktor posted, but it works without patching the OpenSSL library code.

Hello, I get a link error - the same as the 2nd comment mentions there; how can I fix this?

Thanks,
Walter
Re: OpenSSL Security Advisory
In Debian I solved it by linking the static library directly.

gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \
    /usr/lib/x86_64-linux-gnu/libssl.a

Regards

On Friday 11 April 2014 08:38:07, Steven Kneizys wrote:
> The same issue when I tried to port over to windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see.
> Steve...
>
> On Fri, Apr 11, 2014 at 7:40 AM, Walter H. walte...@mathemainzel.info wrote:
>> On 10.04.2014 13:16, Rob Stradling wrote:
>>> On 09/04/14 20:43, Salz, Rich wrote:
>>>>> Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:
>>>> Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.
>>> Simpler still... https://gist.github.com/robstradling/10363389
>>> It's based on what Viktor posted, but it works without patching the OpenSSL library code.
>> Hello, I get a link error - the same as the 2nd comment mentions there; how can I fix this?
>> Thanks, Walter

--
Leonardo Secci mailto:leonardo.se...@unirel.com
Re: Error for EVP_PKEY_CTX_new()
I'm using version 1.0.0e. Is my version of openssl suitable for EVP_PKEY_CTX_new()? And if not, how can I upgrade my version to the latest version? And by the way, thanks for giving some time for me. Thanks again.
EVP_ symbols all undefined
Hello,

I'm trying to install openssl 1.0.1g from source on my Linux slackware server. Said config shared, then make, then make install. Apache complains that EVP_idea_cbc is undefined. nm -g says U EVP_idea_cbc meaning it's undefined. I thought it was because of the IDEA patent thing. But then I said nm -g | grep EVP - and ALL those symbols are undefined. How do I get them defined? ( in openssl.so.1.0.0 )?

Thanks in advance,
- Jerry Kaidor ( je...@tr2.com )
comment on donations
In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.

For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise).

Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value. 100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710 USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
Re: comment on donations
Steve,

Does the Foundation have a Bitcoin address?

Ryan

On Fri, Apr 11, 2014 at 8:09 AM, Steve Marquess marqu...@opensslfoundation.com wrote:
> In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.
>
> For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise).
>
> Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value. 100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.
>
> -Steve M.
Re: comment on donations
Thanks, Steve, … for your hard work, and that of the other Team Members. This week's 'excitement' illustrates how important it is to all of us.

(would be great to find a way around those 'hefty PayPal fees'.)

Lou Picciano

----- Original Message -----
From: Steve Marquess marqu...@opensslfoundation.com
To: openssl-users@openssl.org
Sent: Friday, April 11, 2014 11:09:19 AM
Subject: comment on donations

In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.

For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise).

Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value. 100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.

-Steve M.
Re: Error for EVP_PKEY_CTX_new()
On 11 April 2014 08:18, chetan chet...@neominds.in wrote:
> I'm Using version 1.0.0e. Is my version of openssl is suitable for EVP_PKEY_CTX_new()?? and if not how can i upgrade my version to latest version?

That version should be fine. See my response to your other thread for next steps.

Matt
Secure storage of private (RSA) keys
Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a secure arena that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files. This patch is a variant of what we've been using to help protect customer keys for a decade. This should really be considered more of a proof of concept than something that you want to put directly into production. It slides into the ASN1 code rather than adding a new API (OPENSSL_secure_allocate et al), the overall code isn't portable, and so on. If there is community interest, we would be happy to help work on addressing those issues. Let me restate that: *do not just take this patch and put it into production without careful review.* OpenSSL is important to us, and this is the first of what we hope will be several significant contributions in the near future. Thanks. /r$ -- Principal Security Engineer Akamai Technology Cambridge, MA diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/Makefile openssl-1.0.1g/crypto/Makefile --- openssl-1.0.1g.orig/crypto/Makefile 2014-04-10 13:11:56.0 -0400 +++ openssl-1.0.1g/crypto/Makefile 2014-04-10 13:02:39.0 -0400 
@@ -35,14 +35,16 @@ LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) LIBSRC=cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c cpt_err.c \ - ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c + ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fips.c o_init.c fips_ers.c \ + secure_malloc.c buddy_allocator.c LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o cpt_err.o ebcdic.o \ - uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) + uid.o o_time.o o_str.o o_dir.o o_fips.o o_init.o fips_ers.o $(CPUID_OBJ) \ + secure_malloc.o buddy_allocator.o SRC= $(LIBSRC) EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ - ossl_typ.h + ossl_typ.h secure_malloc.h HEADER=cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) ALL=$(GENERAL) $(SRC) $(HEADER) diff -uNr -x'*.[oas]' openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c openssl-1.0.1g/crypto/asn1/tasn_dec.c --- openssl-1.0.1g.orig/crypto/asn1/tasn_dec.c 2014-03-17 12:14:20.0 -0400 +++ openssl-1.0.1g/crypto/asn1/tasn_dec.c 2014-04-10 16:32:23.0 -0400 @@ -169,6 +169,11 @@ int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + +int ak_is_rsa_key = 0; /* Are we parsing an RSA key? */ +int ak_is_secure_field = 0; /* should this field be allocated from the secure arena? */ +int ak_is_arena_active = 0; /* was the secure arena already activated? */ + if (!pval) return 0; if (aux aux-asn1_cb) @@ -407,6 +412,11 @@ if (asn1_cb !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; +/* Watch out for this when OpenSSL is upgraded! */ +/* We have to be sure that it-sname will still be RSA */ +if (it-sname[0] == 'R' it-sname[1] == 'S' it-sname[2] == 'A' it-sname[3] == 0) +ak_is_rsa_key = 1; + /* Get each field entry */ for (i = 0, tt = it-templates; i it-tcount; i++, tt++) { 
@@ -445,8 +455,30 @@ /* attempt to read in field, allowing each to be * OPTIONAL */ + +/* Watch out for this when OpenSSL is upgraded! */ +/* We have to be sure that seqtt-field_name will still be */ +/* d, p, and q */ +ak_is_secure_field = 0; +ak_is_arena_active = 0; +if (ak_is_rsa_key) +{ +/* ak_is_rsa_key is set for public keys too */ +/* however those don't have these variables */ +const char *f = seqtt-field_name; +if ((f[0] == 'd' || f[0] == 'p' || f[0] == 'q') f[1] == 0) +{ +ak_is_secure_field = 1; +ak_is_arena_active = start_secure_allocation(); +} +} + ret = asn1_template_ex_d2i(pseqval, p, len, seqtt, isopt, ctx); + +if (ak_is_secure_field !ak_is_arena_active) +stop_secure_allocation(); + if (!ret)
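Review bot: in the crypto/Makefile hunk, secure_malloc.h is added to EXHEADER, which makes it an installed public header, while the cover note says the patch deliberately does not add a new API. If start_secure_allocation() and stop_secure_allocation() are meant to stay internal for now, list the header under HEADER instead so applications cannot start depending on it.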
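Review bot: in the tasn_dec.c hunk at -407, the RSA check compares it->sname to "RSA" one character at a time, and the patch's own comment warns that it depends on the template name staying the same. If the name ever differs, ak_is_rsa_key stays 0 and the private fields are parsed into ordinary heap memory with no error or warning, so the protection disappears silently. Use strcmp(it->sname, "RSA") == 0 for readability, and add a regression test that fails when an RSA private key is decoded without the secure arena being used.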
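Review bot: in the tasn_dec.c hunk at -445, the field test only matches one-letter names (d, p, q), so the CRT members of an RSA private key (dmp1, dmq1, iqmp) are still read into ordinary heap memory even though they are derived from the private key and are just as sensitive. Separately, start_secure_allocation() and stop_secure_allocation() bracket the whole asn1_template_ex_d2i() call; if they switch allocator state for the process rather than for the calling thread, allocations made by other threads in that window also land in the arena, and a stop on one thread can end another thread's window early. The patch should state which scope applies and document it next to the two calls.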
Re: comment on donations
On 04/11/2014 11:57 AM, Lou Picciano wrote:
> Thanks, Steve, … for your hard work, and that of the other Team Members. This week's 'excitement' illustrates how important it is to all of us.
>
> (would be great to find a way around those 'hefty PayPal fees'.)

I'm open to suggestions. Not only is PayPal a pain to deal with on the receiving end, but there are restrictions on extracting funds and I've learned that PayPal is not available in some countries.

Swift/IBAN electronic bank transfers as done in most of the world are difficult here, with fees. I could set up a charge card (Visa/Mastercard) merchant account, but the recurring fees for that would eat up much of what is typically received in donations (and I don't expect the current volume of donations to continue indefinitely).

I am looking into the suggestions for Bitcoin payments.

-Steve M.
Re: Secure storage of private (RSA) keys
Hello!

On Fri, Apr 11, 2014 at 01:22:21PM -0400, Salz, Rich wrote:
> Akamai Technologies is pleased to offer the following patch to OpenSSL. It adds a secure arena that is used to store RSA private keys. This arena is mmap'd, with guard pages before and after so pointer over- and under-runs won't wander into it. It's also locked into memory so it doesn't appear on disk, and when possible it's also kept out of core files. This patch is a variant of what we've been using to help protect customer keys for a decade.

Have you thought about mprotecting the guard pages with mprotect(PROT_NONE) so the application crashes in case of a stray memory access?

Thanks,
Hannes
RE: Secure storage of private (RSA) keys
> Have you thought about mprotecting the guard pages with mprotect(PROT_NONE) so the application crashes in case of a stray memory access?

Yes, rats. My message implied that we do that. And I then posted the wrong version of the code. :( Here's the right version of cmm_init.

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA

void *
cmm_init(int size, int mem_min_unit, int overrun_bytes)
{
    int i;
    size_t pgsize = (size_t)sysconf(_SC_PAGE_SIZE);
    /* offset of the trailing guard page: leading page + arena, page-aligned */
    size_t aligned = (pgsize + size + (pgsize - 1)) & ~(pgsize - 1);

    mem_arena_size = size;
    Mem_min_unit = mem_min_unit,
    Overrun_bytes = overrun_bytes;
    /* make sure mem_arena_size and Mem_min_unit are powers of 2 */
    assert(mem_arena_size > 0);
    assert(mem_min_unit > 0);
    assert(0 == ((mem_arena_size-1)&mem_arena_size));
    assert(0 == ((Mem_min_unit-1)&Mem_min_unit));

    cmm_bittable_size = (mem_arena_size/Mem_min_unit) * 2;

    i = cmm_bittable_size;
    cmm_max_free_lists = -1;
    while(i) {
        i>>=1;
        cmm_max_free_lists++;
    }

    cmm_free_list = malloc(cmm_max_free_lists * sizeof(void *));
    assert(cmm_free_list);
    memset(cmm_free_list, 0, cmm_max_free_lists*sizeof(void *));

    cmm_bittable = malloc(cmm_bittable_size>>3);
    assert(cmm_bittable);
    memset(cmm_bittable, 0, cmm_bittable_size>>3);

    cmm_bitmalloc = malloc(cmm_bittable_size>>3);
    assert(cmm_bitmalloc);
    memset(cmm_bitmalloc, 0, cmm_bittable_size>>3);

    /* one guard page on each side of the arena; fd is -1 for portability with MAP_ANON */
    cmm_arena = mmap(NULL, pgsize + mem_arena_size + pgsize,
                     PROT_READ|PROT_WRITE, MAP_ANON|MAP_PRIVATE, -1, 0);
    assert(MAP_FAILED != cmm_arena);
    mprotect(cmm_arena, pgsize, PROT_NONE);            /* leading guard page */
    mprotect(cmm_arena + aligned, pgsize, PROT_NONE);  /* trailing guard page */
    set_bit(cmm_arena, 0, cmm_bittable);
    cmm_add_to_list(&cmm_free_list[0], cmm_arena);

    /* first bit means that table is in use, multi-arena management */
    /* SETBIT(cmm_bittable, 0); */

    return cmm_arena;
}
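The arena layout described in this thread (guard pages on both sides, made inaccessible with mprotect(PROT_NONE) as Hannes asks, locked into memory and kept out of core files), as an added example that is not part of the posted patch or of Akamai's code. The names guarded_arena, arena_create, arena_destroy and probe_write are hypothetical, and the code assumes a POSIX system with anonymous mmap (MADV_DONTDUMP is used only where the platform defines it).

```c
/* Added example (not the patch's code): a page-guarded, locked arena. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1           /* expose MAP_ANONYMOUS/madvise on glibc */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct guarded_arena {              /* hypothetical type for this example */
    unsigned char *map;             /* start of mapping = leading guard page */
    unsigned char *data;            /* first usable byte (map + one page) */
    size_t data_len;                /* usable bytes, whole pages */
    size_t map_len;                 /* data_len plus both guard pages */
    int locked;                     /* 1 if mlock() succeeded */
    int nodump;                     /* 1 if excluded from core dumps */
};

/* Map guard | data | guard. Returns 0 on success, -1 on failure. */
int arena_create(struct guarded_arena *a, size_t want)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t pg = (size_t)ps;
    void *m;

    memset(a, 0, sizeof *a);
    if (ps <= 0 || want == 0 || want > (size_t)-1 - 3 * pg)
        return -1;                  /* bad size, or rounding would overflow */
    a->data_len = (want + pg - 1) & ~(pg - 1);
    a->map_len = a->data_len + 2 * pg;
    m = mmap(NULL, a->map_len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return -1;
    a->map = m;
    a->data = a->map + pg;          /* callers never get a guard-page pointer */
    if (mprotect(a->map, pg, PROT_NONE) != 0 ||
        mprotect(a->data + a->data_len, pg, PROT_NONE) != 0) {
        munmap(a->map, a->map_len); /* never hand out an unguarded arena */
        memset(a, 0, sizeof *a);
        return -1;
    }
    /* Best effort: both calls can fail under tight rlimits or old kernels,
     * so the outcome is recorded for the caller to act on. */
    a->locked = (mlock(a->data, a->data_len) == 0);
#ifdef MADV_DONTDUMP
    a->nodump = (madvise(a->data, a->data_len, MADV_DONTDUMP) == 0);
#endif
    return 0;
}

/* Wipe the usable region, then unmap data and guard pages together. */
void arena_destroy(struct guarded_arena *a)
{
    volatile unsigned char *p = a->data;
    size_t i;

    if (a->map == NULL)
        return;
    for (i = 0; i < a->data_len; i++)
        p[i] = 0;
    munmap(a->map, a->map_len);
    memset(a, 0, sizeof *a);
}

/* Write one byte at addr in a forked child. Returns the signal that killed
 * the child, 0 if the write succeeded, or -1 if fork/waitpid failed. */
int probe_write(unsigned char *addr)
{
    struct rlimit no_core = { 0, 0 };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        setrlimit(RLIMIT_CORE, &no_core);   /* no core file from the probe */
        *(volatile unsigned char *)addr = 0x41;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    struct guarded_arena a;

    if (arena_create(&a, 4096) != 0)
        return 1;
    printf("locked=%d nodump=%d inside=%d before=%d after=%d\n",
           a.locked, a.nodump, probe_write(a.data),
           probe_write(a.data - 1), probe_write(a.data + a.data_len));
    arena_destroy(&a);
    return 0;
}
```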
Re: comment on donations
On Fri, Apr 11, 2014 at 1:23 PM, Steve Marquess marqu...@opensslfoundation.com wrote:
> On 04/11/2014 11:57 AM, Lou Picciano wrote:
>> Thanks, Steve, ... for your hard work, and that of the other Team Members. This week's 'excitement' illustrates how important it is to all of us.
>>
>> (would be great to find a way around those 'hefty PayPal fees'.)
>
> I'm open to suggestions. Not only is PayPal a pain to deal with on the receiving end, but there are restrictions on extracting funds and I've learned that PayPal is not available in some countries.
>
> Swift/IBAN electronic bank transfers as done in most of the world are difficult here, with fees. I could set up a charge card (Visa/Mastercard) merchant account, but the recurring fees for that would eat up much of what is typically received in donations (and I don't expect the current volume of donations to continue indefinitely).
>
> I am looking into the suggestions for Bitcoin payments.
>
> -Steve M.

I am not familiar with Bitcoin, but work in the ecommerce industry (particularly in the risk mitigation technology side of things at the application and business logic level). There is a huge variation in the fees charged by processing banks, both between banks and, for any given bank, the risk the bank perceives to be inherent either in the vendor's industry or inherent in the vendor itself. I have seen setup fees as low as a few hundred US$, and higher than US$1,000. There is similar variation in monthly fees. I can't recommend a processing bank with low fees as I am normally working to provide support for high risk merchants (so I normally see the higher end of the range of fees). And, per transaction fees can vary from a few pennies per transaction up to $0.50 or $0.60 per transaction. And on top of that, they take a percentage of the volume (I have seen a range from less than 5% to well over 10%).

With an annual volume of about US$2,000, I could see the monthly fees alone taking 50% to 60% of your gross. With such low volume, I wonder if it is worth it, over just asking supporters to send a check or money order.

Have you checked out Google and Amazon's payment services? I have heard they exist, but haven't checked them out for cost (I may do so, and soon, as the Canadian bank's support for ecommerce leaves everything to be desired: try finding any documentation for their API, or even if they have such an API, for any of the big 5 in Canada).

Cheers
Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: comment on donations
On Fri, Apr 11, 2014 at 2:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
> Have you checked out Google and Amazon's payment services? I have heard they exist, but haven't checked them out for cost (I may do so, and soon, as the Canadian bank's support for ecommerce leaves everything to be desired: try finding any documentation for their API, or even if they have such an API, for any of the big 5 in Canada).
>
> Cheers
> Ted

My curiosity being piqued, I took a look, and both Google and Amazon have the same transaction fees as Paypal ($0.30 per transaction, and 2.9% of the volume), and, Amazon HAS NO SETUP, MONTHLY, CANCELLATION, or FRAUD PROTECTION FEES. That makes them a bargain.

And guess what I just found. ;-) Amazon has special discounts for micropayments and nonprofit organizations. I do not know if you're a 501(c)3 non-profit, but if you are, then your rate would be 2.2%, along with the $0.30 per transaction. Check it out on https://payments.amazon.com/business/pricingPlan, and links on that page.

But, if you can live with $0.30 per transaction, and 2.9% volume (or 2.2% if you're a 501(c)3 organization), then Amazon may be an excellent alternative to Paypal.

I just learned, to my chagrin, that Google has shut down their checkout service, and passed that business off to Braintree (https:///www.braintreepayments.com/google-checkout?partner_source=google-checkout), whose fees are 2.7% and $0.30 per transaction AND NO OTHER FEES. Braintree may thus also be an excellent alternative to Paypal.

I know nothing of Braintree's reputation, but Amazon's reputation is outstanding.

Cheers
Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: comment on donations
remove

On Fri, Apr 11, 2014 at 2:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
> On Fri, Apr 11, 2014 at 1:23 PM, Steve Marquess marqu...@opensslfoundation.com wrote:
>> On 04/11/2014 11:57 AM, Lou Picciano wrote:
>>> Thanks, Steve, ... for your hard work, and that of the other Team Members. This week's 'excitement' illustrates how important it is to all of us.
>>>
>>> (would be great to find a way around those 'hefty PayPal fees'.)
>>
>> I'm open to suggestions. Not only is PayPal a pain to deal with on the receiving end, but there are restrictions on extracting funds and I've learned that PayPal is not available in some countries.
>>
>> Swift/IBAN electronic bank transfers as done in most of the world are difficult here, with fees. I could set up a charge card (Visa/Mastercard) merchant account, but the recurring fees for that would eat up much of what is typically received in donations (and I don't expect the current volume of donations to continue indefinitely).
>>
>> I am looking into the suggestions for Bitcoin payments.
>>
>> -Steve M.
>
> I am not familiar with Bitcoin, but work in the ecommerce industry (particularly in the risk mitigation technology side of things at the application and business logic level). There is a huge variation in the fees charged by processing banks, both between banks and, for any given bank, the risk the bank perceives to be inherent either in the vendor's industry or inherent in the vendor itself. I have seen setup fees as low as a few hundred US$, and higher than US$1,000. There is similar variation in monthly fees. I can't recommend a processing bank with low fees as I am normally working to provide support for high risk merchants (so I normally see the higher end of the range of fees). And, per transaction fees can vary from a few pennies per transaction up to $0.50 or $0.60 per transaction. And on top of that, they take a percentage of the volume (I have seen a range from less than 5% to well over 10%).
>
> With an annual volume of about US$2,000, I could see the monthly fees alone taking 50% to 60% of your gross. With such low volume, I wonder if it is worth it, over just asking supporters to send a check or money order.
>
> Have you checked out Google and Amazon's payment services? I have heard they exist, but haven't checked them out for cost (I may do so, and soon, as the Canadian bank's support for ecommerce leaves everything to be desired: try finding any documentation for their API, or even if they have such an API, for any of the big 5 in Canada).
>
> Cheers
> Ted
Heart bleed with 0.9.8 and 1.0.1
Hi,

I am having 0.9.8 OpenSSL libraries in my server and 1.0.1 in my client. Am I vulnerable to the Heartbleed attack?

Regards,
Vishnu.
Re: OpenSSL Security Advisory
Thanks Leonardo!

On 11/04/14 13:54, Leonardo Secci wrote:
> In Debian I solved it by linking the static library directly.
>
> gcc -ansi -pedantic -o heartbleed heartbleed.c -lcrypto \
>     /usr/lib/x86_64-linux-gnu/libssl.a
>
> Regards
>
> On Friday 11 April 2014 08:38:07, Steven Kneizys wrote:
>> The same issue when I tried to port over to windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see.
>> Steve...
>>
>> On Fri, Apr 11, 2014 at 7:40 AM, Walter H. walte...@mathemainzel.info wrote:
>>> On 10.04.2014 13:16, Rob Stradling wrote:
>>>> On 09/04/14 20:43, Salz, Rich wrote:
>>>>>> Can you please post a good and a bad server example. I have tested a lot of servers, including 'akamai.com', and they all show HEARTBEATING at the end:
>>>>> Look at Victor's recent post about how to patch openssl/s_client to make your own test. That's the simplest.
>>>> Simpler still... https://gist.github.com/robstradling/10363389
>>>> It's based on what Viktor posted, but it works without patching the OpenSSL library code.
>>> Hello, I get a link error - the same as the 2nd comment mentions there; how can I fix this?
>>> Thanks, Walter

--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Re: comment on donations
It is well deserved. You must look at how much of the internet and our existing computing architecture relies on the good will of others. It is almost all of it. Progress cannot happen without openness and honesty, which you all have shown in spades. Everyone everywhere has come together to quickly and efficiently address the issue. No blame, no outrage, just good will. It's one of the biggest items to bring the community together across backgrounds and understanding that information security has ever seen. Very encouraging indeed!

Also, just kind of a case in point when it comes to software development in general: nothing is perfect. As pretty much everyone who has ever worked in software or hardware development knows, bulletproof/iceproof/dustproof/waterproof/etc. just does not exist. Personally, I am so glad for you guys getting what is deserved and a pat on the back for doing the right thing. The value of open source has never been higher.

Stacy Wylie

On Apr 11, 2014 10:19 AM, Steve Marquess marqu...@opensslfoundation.com wrote:

In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.

For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise). Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value.

100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
Do I have to regenerate my own CA certificate because of Heartbleed???
Dear, I have a CA implemented in a Debian Wheezy server, and the version of OpenSSL (1.0.1) was affected by the Heartbleed vulnerability at the time we generated our own CA certificate and the requested certificates for all the web servers of our company. I've just upgraded the openssl version, but do I have to regenerate my CA certificate created with the former openssl version because of the Heartbleed vulnerability ???

Thanks a lot, JeLo
RE: Do I have to regenerate my own CA certificate because of Heartbleed???
> do I have to regenerate my CA certificate created with the former openssl version because of the Heartbleed vulnerability ???

There should never be any reason for your web server to read the private key of the CA. So, no.

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: comment on donations
Honoring Reply-to ...

Steve, please let me know what you learn. I'm going thru similar things with Network Time Foundation because of the recent DDoS issue involving NTP. Our donations bump after that issue was much smaller than yours, but at least we got a few more donations :)

--
Harlan Stenn
http://networktimefoundation.org - be a member!
Re: comment on donations
On Fri, Apr 11, 2014 at 2:20 PM, Ted Byers r.ted.by...@gmail.com wrote:

On Fri, Apr 11, 2014 at 1:23 PM, Steve Marquess marqu...@opensslfoundation.com wrote:

...

Have you checked out Google and Amazon's payment services? I have heard they exist, but haven't checked them out for cost (I may do so, and soon, as the Canadian bank's support for ecommerce leaves everything to be desired: try finding any documentation for their API, or even if they have such an API, for any of the big 5 in Canada).

Google Wallet (I think that's what it was called) sucked from my past experience. Failed authorizations gave ambiguous or incorrect reasons; and once a transaction was corrected, there was no way to resubmit or re-try the transaction. There were a few times my transaction was blocked due to DLP. Once I called the bank and cleared it, I had to submit a new transaction because the previous could not be re-tried. Then, the new transaction caused the past transaction to be re-tried, so I'd end up with two orders. Then there was no way to contact a real person at Google to fix it (only self-help crap).

It's been my experience that Amazon is better. I've gotten the books and hardware I've purchased through them. But I never experienced Google-like problems with Amazon, so I don't know how Amazon reacts to adverse events like stalled transactions (perhaps that speaks volumes in itself).

Your mileage may vary.

Jeff
Re: comment on donations
Thanks Jeff,

On Fri, Apr 11, 2014 at 4:54 PM, Jeffrey Walton noloa...@gmail.com wrote:

On Fri, Apr 11, 2014 at 2:20 PM, Ted Byers r.ted.by...@gmail.com wrote:

On Fri, Apr 11, 2014 at 1:23 PM, Steve Marquess marqu...@opensslfoundation.com wrote:

...

Have you checked out Google and Amazon's payment services? I have heard they exist, but haven't checked them out for cost (I may do so, and soon, as the Canadian bank's support for ecommerce leaves everything to be desired: try finding any documentation for their API, or even if they have such an API, for any of the big 5 in Canada).

Google Wallet (I think that's what it was called) sucked from my past experience. Failed authorizations gave ambiguous or incorrect reasons; and once a transaction was corrected, there was no way to resubmit or re-try the transaction. There were a few times my transaction was blocked due to DLP. Once I called the bank and cleared it, I had to submit a new transaction because the previous could not be re-tried. Then, the new transaction caused the past transaction to be re-tried, so I'd end up with two orders. Then there was no way to contact a real person at Google to fix it (only self-help crap).

This is good to know. It is hardly the first transaction processing service that I have encountered that leaves something to be desired. I wonder, now, if Braintree is better (at least they appear to have real people that can be contacted).

It's been my experience that Amazon is better. I've gotten the books and hardware I've purchased through them. But I never experienced Google-like problems with Amazon, so I don't know how Amazon reacts to adverse events like stalled transactions (perhaps that speaks volumes in itself).

Yes, it does. On the down side, though, as a vendor, the customers from whom you can accept payment are limited to those who have Amazon accounts (unless I misunderstood some of their documentation), but if they have an easy means for your other customers to create Amazon accounts, that may not be a significant gotcha.

One of the things I occasionally have to do is connect my systems to processors we haven't dealt with before, and every one of them has an issue or three that, shall we say, makes life interesting. You wouldn't believe the amount of extra code I have had to write to deal properly with deficiencies in the processor's services. :-(

Your mileage may vary. Jeff

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
donation update
Donations are up to a total of about US$4200 for the week. I'd like to give special thanks to John (JT) Olds for a donation of US$1000 on behalf of:

https://www.spacemonkey.com/blog/posts/heartbleeding-openssl-checklist

May their server be hammered with traffic like ours was earlier this week.

To the multiple people with suggestions on a replacement for PayPal, many thanks and I'll go through them as soon as I can and figure out what makes the most sense.

At this point in time we are not authorizing anyone to collect any funding on our behalf. Some dubious offers we've received are obviously suspect, others will need to be carefully vetted.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
Disable SSLv2
I want to disable SSLv2 support in OpenSSL and use the flag -DOPENSSL_NO_SSL2 when configuring OpenSSL. It builds fine and passes all tests during the 'make test' phase. However, there are quite a few SSLv2 tests and they all seem to have passed, or at least do not indicate 'not supported' errors.

=== Test log
test sslv2
Available compression methods:
  1: zlib compression
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
1 handshakes of 256 bytes done
test sslv2 with server authentication
Available compression methods:
  1: zlib compression
server authentication
depth=1 /C=AU/O=Dodgy Brothers/CN=Dodgy CA
depth=0 /C=AU/O=Dodgy Brothers/CN=Brother 1/CN=Brother 2
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
1 handshakes of 256 bytes done
test sslv2 with client authentication
Available compression methods:
  1: zlib compression
client authentication
depth=1 /C=AU/O=Dodgy Brothers/CN=Dodgy CA
depth=0 /C=AU/O=Dodgy Brothers/CN=Brother 1/CN=Brother 2
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
1 handshakes of 256 bytes done
test sslv2 with both client and server authentication
.
===

Is this the expected response of the tests?

Alex
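To compare each test's label with the protocol its result line reports in a log like the one quoted above, the per-test results can be extracted mechanically. This is an added example, not part of the original post or of OpenSSL's test suite; the function names and the label-to-protocol map are assumptions, and the sample log is abridged from the post.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the log excerpt from the post, re-broken into lines and
# abridged. The post stops after the fourth "test" line, so it has no result.
SAMPLE_LOG = """\
test sslv2
Available compression methods:
  1: zlib compression
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
1 handshakes of 256 bytes done
test sslv2 with server authentication
server authentication
depth=1 /C=AU/O=Dodgy Brothers/CN=Dodgy CA
depth=0 /C=AU/O=Dodgy Brothers/CN=Brother 1/CN=Brother 2
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
1 handshakes of 256 bytes done
test sslv2 with client authentication
client authentication
TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
test sslv2 with both client and server authentication
"""

class Handshake(NamedTuple):
    label: str                 # text after "test " in the log
    negotiated: Optional[str]  # protocol on the result line, None if absent
    cipher: Optional[str]

TEST_RE = re.compile(r"^test (.+?)\s*$")
RESULT_RE = re.compile(r"^([A-Za-z0-9.]+), cipher \S+ ([^,\s]+),")
# Assumed mapping from the first word of a test label to a protocol name.
LABEL_PROTOCOL = {"sslv2": "SSLv2", "sslv3": "SSLv3"}

def parse_test_log(text):
    """Pair every "test ..." label with the result line that follows it."""
    results, label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        test = TEST_RE.match(line)
        result = RESULT_RE.match(line)
        if test:
            if label is not None:          # previous test never reported
                results.append(Handshake(label, None, None))
            label = test.group(1)
        elif result and label is not None:
            results.append(Handshake(label, result.group(1), result.group(2)))
            label = None
    if label is not None:                  # log ended before a result line
        results.append(Handshake(label, None, None))
    return results

def expected_protocol(label):
    """Protocol the label names, or None when the label does not pin one."""
    return LABEL_PROTOCOL.get(label.split()[0].lower())

def label_mismatches(results):
    """Tests whose label names one protocol but which negotiated another."""
    return [r for r in results if r.negotiated
            and expected_protocol(r.label) not in (None, r.negotiated)]

def negotiated_protocols(results):
    """Set of protocol versions reported by result lines in this log."""
    return {r.negotiated for r in results if r.negotiated}
```

On the excerpt, every completed test labelled sslv2 reports TLSv1.2, and no result line reports SSLv2.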
Re: comment on donations
On 04/11/2014 14:46, Ted Byers r.ted.by...@gmail.com wrote:

And guess what I just found. ;-) Amazon has special discounts for micropayments and nonprofit organizations. I do not know if you're a 501(c)3 non-profit, but if you are, then your rate would be 2.2%, along with the $0.30 per transaction. Check it out on https://payments.amazon.com/business/pricingPlan, and links on that page.

PayPal also has a non-profit rate; our parent-teacher organization qualified for it. Same 2.2% + $0.30.
Re: comment on donations
On Fri, Apr 11, 2014 at 6:50 PM, Geoffrey Coram gjco...@gmail.com wrote:

On 04/11/2014 14:46, Ted Byers r.ted.by...@gmail.com wrote:

And guess what I just found. ;-) Amazon has special discounts for micropayments and nonprofit organizations. I do not know if you're a 501(c)3 non-profit, but if you are, then your rate would be 2.2%, along with the $0.30 per transaction. Check it out on https://payments.amazon.com/business/pricingPlan, and links on that page.

PayPal also has a non-profit rate; our parent-teacher organization qualified for it. Same 2.2% + $0.30.

Interesting. Are there setup or monthly fees for a vendor to worry about? The prices you mention are certainly competitive. What is your experience with the quality of their service? Are there any gotchas to worry about? What is it about their terms of service that make them less than optimal?

Cheers

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: comment on donations
On 04/11/2014 06:50 PM, Geoffrey Coram wrote:

On 04/11/2014 14:46, Ted Byers r.ted.by...@gmail.com wrote:

And guess what I just found. ;-) Amazon has special discounts for micropayments and nonprofit organizations. I do not know if you're a 501(c)3 non-profit, but if you are, then your rate would be 2.2%, along with the $0.30 per transaction. Check it out on https://payments.amazon.com/business/pricingPlan, and links on that page.

PayPal also has a non-profit rate; our parent-teacher organization qualified for it. Same 2.2% + $0.30.

The OpenSSL Software Foundation is *not* a 501(c)(3) corporation (aka non-profit). That was on advice of our attorneys and accountants when it was first created.

Non-profit status is really only meaningful to individual (1040) taxpayers in the U.S. On the flip side maintaining a 501(c)(3) is more expensive in paperwork costs. With donations normally only yielding a few thousand dollars annually (and much of that from outside the U.S. at that) there was no net gain from a formal non-profit status. As much as I like our attorneys and accountants we want funding to support OpenSSL and not the legal and accounting professions.

If there was enough money at stake then I would run not walk to said attorney and accountants and pay them to create/convert an appropriate non-profit legal entity. I don't see that making financial sense though, even with the recent boost in donations.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
Re: OpenSSL Security Advisory
On 11/04/2014 10:38 PM, Steven Kneizys wrote:

The same issue when I tried to port over to Windows, the ssl3_write_bytes is not exposed in the library. There doesn't seem to be an easy workaround that I can see.

The workaround is trivial if you wanted to do that. Change to use the SSL_get_ssl_method function. This line:

    if (ssl3_write_bytes(v_ssl, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding) >= 0)

Simply becomes:

    if (SSL_get_ssl_method(v_ssl)->ssl_write_bytes(v_ssl, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding) >= 0)

Tim.
Re: Do I have to regenerate my own CA certificate because of Heartbleed???
You do not have to regenerate the CA key or certificate. You do have to regenerate the web server keys and certificates. https://www.cloudflarechallenge.com/heartbleed has had multiple people independently obtain their private key.

-Kyle H

On Fri, Apr 11, 2014 at 12:59 PM, Jeronimo L. Cabral jelocab...@gmail.com wrote:

Dear, I have a CA implemented in a Debian Wheezy server, and the version of OpenSSL (1.0.1) was affected by the Heartbleed vulnerability at the time we generated our own CA certificate and the requested certificates for all the web servers of our company. I've just upgraded the openssl version, but do I have to regenerate my CA certificate created with the former openssl version because of the Heartbleed vulnerability ???

Thanks a lot, JeLo
Re: comment on donations
Teach me to ask a question without reading the entire thread. At what point would the break-even cost make sense to form a non-profit entity?

-Kyle H

On Fri, Apr 11, 2014 at 8:46 PM, Kyle Hamilton aerow...@gmail.com wrote:

Is OpenSSL Software Foundation, Inc. a tax-exempt organization?

-Kyle H

On Fri, Apr 11, 2014 at 8:09 AM, Steve Marquess marqu...@opensslfoundation.com wrote:

In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.

For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise). Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value.

100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
Re: comment on donations
Is OpenSSL Software Foundation, Inc. a tax-exempt organization?

-Kyle H

On Fri, Apr 11, 2014 at 8:09 AM, Steve Marquess marqu...@opensslfoundation.com wrote:

In a typical year the OpenSSL project receives about US$2000 in donations. This week we have received roughly 200 donations totaling nearly US$3000. Amounts have ranged between $0.02 and $300, and I notice that some individuals have made multiple contributions.

For the larger donations and multiple contributors I like to send a personal note in addition to the canned response message. I apologize for not doing that this week due to the unusually large volume of E-mail correspondence (donations and otherwise). Please know that these contributions are greatly appreciated, as much for the show of support as the monetary value.

100% of all donations (minus the hefty PayPal fees) will go directly to OpenSSL team members.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.