Improving structure and governance
While we're still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large portion of their rules.

/r$

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
Re: SSL Root CA and Intermediate CA Certs.
Edward Ned Harvey (openssl) openssl-Z8efaSeK1ezqlBn2x/y...@public.gmane.org writes:

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Michael Wojcik

For someone who does want more background in cryptography, I'd recommend Schneier's /Applied Cryptography/ over /Cryptography Engineering/. The latter is for people implementing cryptography, which beginners should never do.

Huh - I thought Cryptography Engineering was the 3rd edition of Applied Cryptography, renamed. But now I look at it, it seems you're right, it's a different book entirely.

Second edition of Practical Cryptography: https://www.schneier.com/book-practical.html

However, I never got the impression that Cryptography Engineering was meant for people implementing new algorithms or anything like that.

True, implementing isn't quite the right word. Using would be closer, I suspect, though that doesn't necessarily carry the notion of engineering (it's not a book about how to use PGP, or use some product that incorporates TLS).

[...]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: patch available for CVE-2010-5298?
I believe Ben Laurie committed the fix on April 23rd: diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 96ba632..8deeab3 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1055,7 +1055,7 @@ start: { s-rstate=SSL_ST_READ_HEADER; rr-off=0; - if (s-mode SSL_MODE_RELEASE_BUFFERS) + if (s-mode SSL_MODE_RELEASE_BUFFERS s-s3-rbuf.left == 0) ssl3_release_read_buffer(s); } } Cheers!
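Review bot: the `rbuf.left == 0` test added to the `if` in front of `ssl3_release_read_buffer(s)` has no comment explaining why the read buffer must be kept while it still holds unread bytes. Since this is the change cited as the fix for CVE-2010-5298, a short comment on that line would keep a later cleanup from dropping the check, and a regression test that leaves data in the read buffer with SSL_MODE_RELEASE_BUFFERS set would be worth adding alongside it.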
Re: Improving structure and governance
On 4/25/2014 3:36 PM, Salz, Rich wrote:
> While we’re still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large portion of their “rules.”

As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power of a project such as OpenSSL.

Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are becoming a single point of failure for too many things (or too big to fail as it is called in some other sectors).

Thus I think a different organization would be needed if OpenSSL were to give up its independence.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Improving structure and governance
I've been thinking that the OpenSSL Foundation really needs to do better than simply being open to individual funders. A lot of companies use the libraries, and asking for some proper do-re-mi is completely kosher.

More on this later, I'm in Florida this weekend (feel sorry for me).

- M

On Fri, Apr 25, 2014 at 6:36 AM, Salz, Rich rs...@akamai.com wrote:
> While we're still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there. Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such. Or perhaps consider adopting a large portion of their rules.
>
> /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rs...@jabber.me; Twitter: RichSalz
Re: Improving structure and governance
> As a US based organization, Apache is unsuited and (given fairly recent public news) untrusted to have any power of a project such as OpenSSL.
>
> Additionally, the Apache foundation has accumulated so many important projects over the last few years that they are becoming a single point of failure for too many things (or too big to fail as it is called in some other sectors).
>
> Thus I think a different organization would be needed if OpenSSL were to give up its independence.

There is a similar thread on the openssl-dev mailing list and it was mentioned there about this project: http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebook-launch-project-to-stop-the

So it's likely that in one way or another OpenSSL will be influenced by US based organization(s).

Regards,
AW
ChaCha20/Poly1305 in OpenSSL?
According to http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html:

To make this happen, [we] began implementing new algorithms -- ChaCha 20 for symmetric encryption and Poly1305 for authentication -- in OpenSSL and NSS in March 2013.

But I have not been able to find its trail:

$ cd openssl-git
$ git pull
Already up-to-date.
$ grep -R -i chacha *
$ grep -R -i poly1305 *
$

Where are the new cipher suites located in OpenSSL?

Thanks in advance.
Version Errors With libcrypto/libssl
Been doing some builds from source, following the FIPS User Guide. Builds are successful and everything appears to work fine when pointed at the new libs, but anything that launches and uses them gets an error like below:

/usr/bin/python: /usr/local/ssl/lib/libcrypto.so.1.0.0: no version information available (required by /usr/bin/python)
/usr/bin/python: /usr/local/ssl/lib/libssl.so.1.0.0: no version information available (required by /usr/bin/python)

I thought the FIPS-capable OpenSSL was pretty much a drop in replacement for the regular OpenSSL packaged with most distributions and indeed everything appears to work on the surface despite the errors. I was just wondering if they can be safely ignored or, better yet, if there's a way to get rid of them if they aren't a real problem.

Chad
Re: ChaCha20/Poly1305 in OpenSSL?
Hey,

> But I have not been able to find its trail:
>
> $ cd openssl-git
> $ git pull
> Already up-to-date.
> $ grep -R -i chacha *
> $ grep -R -i poly1305 *
> $
>
> Where are the new cipher suites located in OpenSSL?

$ git checkout 1.0.2-aead

They are there... Just not merged into mainline.

I would be also interested in knowing whether there is any ETA for that.

Best regards,
Piotr Sikora