Re: Support for OpenSSL 1.1.0

2016-02-09 Thread Dr Stephen Henson
On 09/02/2016 14:36, Rainer Jung wrote: > Hi Steve, > > thanks a lot for your review and comments. More inline. > > On 09.02.2016 at 13:34, Dr Stephen Henson wrote: >> On 09/02/2016 10:20, Rainer Jung wrote: >>> >>> 3) ssl_engine_ocsp.c >>>

Re: Support for OpenSSL 1.1.0

2016-02-09 Thread Dr Stephen Henson
now inline functions. If you put that block round an appropriate #ifdef it should be fine. I had a quick look at the changes and did notice that some of the direct structure access (extensions, X509_NAME) is unnecessary in existing versions of OpenSSL. So in some cases you don't need to only u

Re: PR 53435, r101624, mod_ssl: error strings can't be loaded again once?

2014-11-11 Thread Dr Stephen Henson
and this was fixed in OpenSSL 0.9.7m just over 7 years ago... Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 shen...@opensslfoundation.com

Re: Odd - SSLCipherSuite

2014-05-17 Thread Dr Stephen Henson
ciphersuites using s_client like this: openssl s_client -connect www.hostname.com:443 \ -cipher ECDHE-RSA-AES256-GCM-SHA384 If it isn't supported the connection shouldn't complete. Steve.

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Dr Stephen Henson
On 27/03/2014 13:01, Emilia Kasper wrote: On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 26/03/2014 13:38, Emilia Kasper wrote: On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson shen

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-26 Thread Dr Stephen Henson
for OCSP stapling using the 1.0.2 APIs so perhaps that can be adapted to perform a chain build sanity check at the same time. Steve.

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-26 Thread Dr Stephen Henson
On 26/03/2014 13:38, Emilia Kasper wrote: On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: If the server is correctly configured to exclude the root then the chain build will fail. The root is needed

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
should implement the workaround suggested by Steve. Applied to trunk as r1576741. I've tried to keep the changes to the absolute minimum. I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It doesn't crash with this fix. Steve.

Re: Turn off SSL session tickets

2014-03-12 Thread Dr Stephen Henson
for the SSL_OP_NO_TICKET flag (which disables tickets) in mod_ssl came up empty so yes that is the only way. That should also work with 2.4.x but in both cases it requires OpenSSL 1.0.2. Steve.

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
. For 1.0.0 branches: 1.0.0k affected fixed in 1.0.0l For 1.0.1 branches: 1.0.1d, 1.0.1e affected fixed in 1.0.0f Steve.

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
0x00010287a6f6 in ssl_get_server_send_pkey () from /usr/local/lib/libssl.so.8 Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f. Steve.

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
On 12/03/2014 00:30, Dr Stephen Henson wrote: The fix was applied on Feb 11 2013. That would mean that official releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should include the fix but we weren't planning to make any more 0.9.8 official releases though

Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-11 Thread Dr Stephen Henson
releases though a 0.9.8 snapshot should include the fix. OS specific versions of OpenSSL might not have included the fix. This is the actual diff: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10 Steve.

Re: Fwd: [users@httpd] Performance drop in 2.4.7 versus 2.4.6

2014-02-21 Thread Dr Stephen Henson
size? If it has increased from 1024 bits to 2048 that would have a significant effect. OpenSSL 1.0.2 s_client can help check this, if you do: openssl s_client -connect www.host.com:443 it says (among lots of other stuff): Server Temp Key: DH, bits Steve.

Re: Fwd: [users@httpd] Performance drop in 2.4.7 versus 2.4.6

2014-02-21 Thread Dr Stephen Henson
On 21/02/2014 13:13, Dr Stephen Henson wrote: On 21/02/2014 13:02, Jeff Trawick wrote: Including dev@httpd.apache.org... Is anybody else seeing the same behavior? Looking at the documentation, 2.4.7 has gained some performance improvements, but I’m seeing something different on my end

Re: 2.4.8 This Month

2014-02-19 Thread Dr Stephen Henson
module which isn't a complete version of OpenSSL. It should point to the location the FIPS capable OpenSSL is installed instead. Steve.

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
. That works for two cases above. If however the on the fly chain building is performed it will fail. Steve.

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 19/02/2014 18:37, Jeff Trawick wrote: I think this is the trick... +rc

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: That works for two cases above. If however the on the fly chain building is performed it will fail. Perhaps

Re: 2.4.8 This Month

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 23:54, Tom Browder wrote: On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote: On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 19/02/2014 15:08, Tom Browder wrote: I configured httpd-2.4.7 successfully to use

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 00:24, Tom Browder wrote: On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 19/02/2014 23:54, Tom Browder wrote: On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote: On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 00:24, Tom Browder wrote: On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson shen...@opensslfoundation.com wrote: .. checking for OpenSSL version >= 0.9.7... OK Well something is wrong there with it indicating OpenSSL version 0.9.7. If you intend to use the FIPS 2.0 module

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
this venture. Ah... there was a recent fix for this which hasn't yet appeared in an official OpenSSL release. This means that configuring OpenSSL with zlib won't create correct *.pc files. The zlib-dynamic option (which links to zlib at runtime in OpenSSL) should be OK though. Steve.

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
capable OpenSSL this shouldn't happen. Steve.

Re: DH params and multiple certificates

2014-02-19 Thread Dr Stephen Henson

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-18 Thread Dr Stephen Henson
On 18/02/2014 20:06, Jeff Trawick wrote: On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson shen...@opensslfoundation.com mailto:shen...@opensslfoundation.com wrote: On 02/02/2014 13:45, Kaspar Brand wrote: On 01.02.2014 14:37, Dr Stephen Henson wrote: I'm wondering how

Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling

2014-02-05 Thread Dr Stephen Henson
. With the 1.0.2 changes to SSL_CTX_use_certificate_chain_file that would fail in 1.0.2 without that change. On balance I think that change should go in OpenSSL. I'll hear soon enough if it breaks anything... Steve.

Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling

2014-02-05 Thread Dr Stephen Henson
branch from git. Steve.

Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling

2014-02-05 Thread Dr Stephen Henson
) + *(STACK_OF(X509) **)parg = ctx->cert->key->chain; In theory, I cannot find an error in your change though. Kaspar, do you have an idea? Ugh, messed up. Should be fixed now. Steve.

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-03 Thread Dr Stephen Henson
On 02/02/2014 13:45, Kaspar Brand wrote: On 01.02.2014 14:37, Dr Stephen Henson wrote: I'm wondering how that could be avoided. Would a way to enumerate all certificates in an SSL_CTX structure in OpenSSL help? Something like SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate

Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS

2014-02-01 Thread Dr Stephen Henson
, yes. Steve.

Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS

2014-02-01 Thread Dr Stephen Henson
certificates in an SSL_CTX structure in OpenSSL help? Something like SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would also set the current certificate at the same time in case applications wanted to inspect the private key or chain. Steve.

Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS

2014-01-30 Thread Dr Stephen Henson
. I wasn't sure of the details of the current implementation either. Would it be appropriate to have SSL_CONF usable with SSLProxy* too? Steve.

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?

2014-01-05 Thread Dr Stephen Henson
On 05/01/2014 09:00, Kaspar Brand wrote: On 03.01.2014 23:51, Dr Stephen Henson wrote: On 28/12/2013 13:34, Kaspar Brand wrote: FYI: in r1553824 (which I just committed to trunk), I'm now manually shuffling things around to support per-cert chains - but would happily drop the #if defined

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?

2014-01-03 Thread Dr Stephen Henson
On 28/12/2013 13:34, Kaspar Brand wrote: On 18.11.2013 18:42, Kaspar Brand wrote: On 18.11.2013 15:38, Dr Stephen Henson wrote: For OpenSSL 1.0.2 this limitation is removed and you can have different chains for each certificate type (and for SSL structures too) and it just uses the right

Re: [PATCH 55593] Add SSLServerInfoFile directive

2014-01-03 Thread Dr Stephen Henson
I'm not looking at the right place in OpenSSL. I just added it to the OpenSSL master branch. Let me know if you have any problems. I'll backport it to 1.0.2 before release. Steve.

Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests

2013-12-24 Thread Dr Stephen Henson
. See: http://www.openssl.org/docs/ssl/SSL_CTX_set1_verify_cert_store.html Steve.

Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c

2013-12-01 Thread Dr Stephen Henson
it isn't a good fit for general ENGINE configuration but it could be updated in future to support ENGINE based private keys. Steve.

Re: svn commit: r1546693 - in /httpd/httpd/trunk: docs/log-message-tags/next-number modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c

2013-12-01 Thread Dr Stephen Henson
. The precise location depends on how OpenSSL is configured but it might for example try to load /usr/local/ssl/engines/libpkcs11.so. If that fails you get an error. It's only if you want to load an ENGINE manually that you have to worry about the dynamic ENGINE. Steve.

Re: mod_ssl and pkcs11

2013-11-27 Thread Dr Stephen Henson
party ENGINEs do include partial support. Completely transparent support is tricky (and in some cases impossible) due to several factors including the way PKCS#11 handles fork(). Steve.

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?

2013-11-18 Thread Dr Stephen Henson
On 17/11/2013 15:25, Dr Stephen Henson wrote: Evil hack workaround: create a temporary SSL structure from the SSL_CTX of interest after you call SSL_CTX_get_certificate, call SSL_get_certificate on it and then free up the temp SSL structure. That *should* work on all the versions

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl? (was: Re: [PATCH 55593] Add SSLServerInfoFile directive)

2013-11-17 Thread Dr Stephen Henson
have support for encrypted private keys as other applications might want to use it. The SSL_CONF code wasn't designed exclusively for mod_ssl use: though I have to admit I was partly thinking about how useful it could be in mod_ssl when I wrote it. Steve.

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?

2013-11-17 Thread Dr Stephen Henson
on start up. Steve.

Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl? (was: Re: [PATCH 55593] Add SSLServerInfoFile directive)

2013-11-13 Thread Dr Stephen Henson
in an HSM it may not be even possible to serialise it. The passphrase may also be outside software control (for example entered into the device via a pinpad). Steve.

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-23 Thread Dr Stephen Henson
On 23/10/2013 15:30, Kaspar Brand wrote: On 22.10.2013 22:04, Dr Stephen Henson wrote: Only bit I'm not completely sure about is the use of the SSL_CONF_CTX structure in modssl_ctx_t. It's done that way to avoid having to keep creating and destroying the SSL_CONF_CTX for each directive

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-22 Thread Dr Stephen Henson
On 22/10/2013 20:14, Trevor Perrin wrote: On Mon, Oct 21, 2013 at 5:45 AM, Dr Stephen Henson shen...@opensslfoundation.com wrote: On 21/10/2013 05:09, Trevor Perrin wrote: BTW I've just added some experimental code to the OpenSSL master branch. It adds key/certificate support to SSL_CONF

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-21 Thread Dr Stephen Henson
certificate directives) and set it as the current certificate, which any subsequent options will use. Steve.

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-11 Thread Dr Stephen Henson
indexed as vhost? This could contain all keys and certificates in a single buffer. Keys would be stored in PKCS#8 format to avoid algorithm dependencies. The auto increment feature of the i2d/d2i functions is especially designed to support this. Steve.

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-11 Thread Dr Stephen Henson
On 11/10/2013 05:14, Kaspar Brand wrote: On 09.10.2013 15:52, Dr Stephen Henson wrote: It's tempting to just add a directive but after some thought I think expanding Apache SSL_CONF handling is the way to go. This would add some future proofing so we don't have to go through this all again

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-10 Thread Dr Stephen Henson

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-09 Thread Dr Stephen Henson
SSL_CONF handling is the way to go. This would add some future proofing so we don't have to go through this all again in future. Steve.

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-09 Thread Dr Stephen Henson
On 02/10/2013 08:35, Kaspar Brand wrote: On 01.10.2013 12:15, Dr Stephen Henson wrote: That's just OpenSSL internals though. To handle ServerInfo properly in mod_ssl IMHO you would need a new directive as there's no support for per-certificate SSL_CONF commands: it wasn't intended to be used

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-01 Thread Dr Stephen Henson
On 01/10/2013 05:53, Trevor Perrin wrote: On Sun, Sep 29, 2013 at 1:06 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote: On 28.09.2013 18:34, Dr Stephen Henson wrote: How about something like: int SSL_CONF_cmd_type(SSL_CONF_CTX *cctx, const char *cmd); which can return things like

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-10-01 Thread Dr Stephen Henson
On 01/10/2013 11:15, Dr Stephen Henson wrote: To handle ServerInfo properly in mod_ssl IMHO you would need a new directive as there's no support for per-certificate SSL_CONF commands: it wasn't intended to be used like that in its current form. Though thinking about this some more

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-09-28 Thread Dr Stephen Henson
with ...File. We could then handle such a case in mod_ssl as illustrated by the attached patch. An alternative would be to specify a callback to OpenSSL which can be used to transform a filename which is called whenever any option name requires a file. Steve.

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-09-28 Thread Dr Stephen Henson
On 28/09/2013 14:56, Dr Stephen Henson wrote: On 28/09/2013 14:42, Kaspar Brand wrote: If the ability to specify relative path names with SSLOpenSSLConfCmd is considered an absolutely essential feature, then OpenSSL could perhaps standardize its option names somewhat - e.g. by always naming

Re: [PATCH 55593] Add SSLServerInfoFile directive

2013-09-25 Thread Dr Stephen Henson
if it is only used for servers you need something like: if (!(cctx->flags & SSL_CONF_FLAG_SERVER)) return -2; Steve.

Re: Diffie-Hellman group parameters 1024 bit and Perfect Forward Secrecy

2013-06-28 Thread Dr Stephen Henson
code for this in 2.5-dev) can be configured using the SSLOpenSSLConfCmd directive. ECDH curves (and many other things) can be set this way. Steve.

Re: svn commit: r1374640 - /httpd/httpd/branches/2.2.x/STATUS

2012-08-19 Thread Dr Stephen Henson
, irrespective of how OpenSSL has been compiled. The usual way is to use no-ssl2 as an argument to Configure or config which then adds OPENSSL_NO_SSL2 into crypto/opensslconf.h Steve.

Re: svn commit: r1374214 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_init.c

2012-08-18 Thread Dr Stephen Henson
of one per parent SSL_CTX. The functionality is likely to be back ported to OpenSSL 1.0.2. Steve.

Re: Moving on

2012-04-20 Thread Dr Stephen Henson
thing bland and faceless then so be it. I think it will be lessened as a result. If that's sentimental then I suppose I am. I'd like to hear other people's opinions on this. Steve.

Re: Moving on

2012-04-20 Thread Dr Stephen Henson
it... I was either that, bicycles or asking if someone had passed their driving test. Steve.

CVE-2012-2110 and mod_ssl.

2012-04-20 Thread Dr Stephen Henson
and keys for server configuration and so the data should come from trusted sources. Steve.

Re: invalid free in ssl

2012-02-26 Thread Dr Stephen Henson
setting one curve then you might as well call SSL_CTX_set_tmp_ecdh and avoid the callback altogether. [BTW the whole ECDH parameter passing technique is a bit broken in OpenSSL and needs revising] Steve.

Re: Certificate handling limitations in mod_ssl.

2012-02-05 Thread Dr Stephen Henson
On 05/02/2012 11:08, Kaspar Brand wrote: On 04.02.2012 15:27, Dr Stephen Henson wrote: IMHO to avoid these problems it would be better if mod_ssl could send an arbitrary number of certificates and keys to OpenSSL and leave it to OpenSSL to process them in an appropriate manner. Would

Re: OpenSSL configuration and mod_ssl

2012-02-04 Thread Dr Stephen Henson
On 04/02/2012 07:32, Kaspar Brand wrote: On 02.02.2012 15:13, Dr Stephen Henson wrote: int SSL_CTX_config(SSL_CTX *ctx, const char *config_name); Where config_name is a named configuration option in the OpenSSL configuration file. This has the substantial advantage that there would

Certificate handling limitations in mod_ssl.

2012-02-04 Thread Dr Stephen Henson
operations (for example to detect configuration errors) is required OpenSSL could be extended to support that. Thoughts? Steve.

Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile

2012-02-03 Thread Dr Stephen Henson
/e_chil.c try commenting out the line containing ERR_load_HWCRHK_strings(). Only side effect of doing that is you will only get numerical error codes and not error strings. Steve.

OpenSSL configuration and mod_ssl

2012-02-02 Thread Dr Stephen Henson
in the OpenSSL configuration file. This has the substantial advantage that there would then be one configuration file format used by all OpenSSL applications. The disadvantage is that it would look nothing like the existing Apache configuration format. Thoughts? Steve.

Re: OpenSSL configuration and mod_ssl

2012-02-02 Thread Dr Stephen Henson
be either a system wide one or a local one dealing with mod_ssl only. Steve.

Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile

2012-01-30 Thread Dr Stephen Henson
being one of them) and will try soon to see what I get there. The fix is in 0.9.8r; the relevant patch is here: http://cvs.openssl.org/chngview?cn=19659 Steve.

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

2011-12-23 Thread Dr Stephen Henson
On 23/12/2011 07:52, Kaspar Brand wrote: On 22.12.2011 17:53, Dr Stephen Henson wrote: I've added a few new controls and one new function which should resolve this, see last few commits. I deleted a couple of functions duplicating functionality too. Let me know if you need further details

Re: mod_ssl and OPENSSL_NO_SSL_INTERN (Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?)

2011-12-22 Thread Dr Stephen Henson
On 22/12/2011 10:59, Kaspar Brand wrote: On 05.08.2011 07:41, Kaspar Brand wrote: On 03.08.2011 19:29, Dr Stephen Henson wrote: In OpenSSL 1.0.1 (unreleased) and later there is a feature to make all SSL related structures opaque and only allow them to be accessed through functions

Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/

2011-09-17 Thread Dr Stephen Henson
the returned value and free it with X509_free(). Note also that because you ignore return values of X509_verify_cert() you might have a situation where the chain is not complete and so deleting the last element will remove a non-root CA. Steve.

Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/

2011-09-05 Thread Dr Stephen Henson
= X509_STORE_CTX_get1_chain(sctx); which creates a STACK_OF(X509) and ups the reference count of the added certificates so they stick around after you free the context. Steve.

Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/

2011-09-03 Thread Dr Stephen Henson
the advantage that the chain is also checked for validity (expiry for example) and you can't send an invalid chain and have to trace why the peer is rejecting it with a (possibly obscure) error. Steve.

Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/

2011-09-03 Thread Dr Stephen Henson
certificates in the chain are not CA certificates in the normal definition (basic constraints CA=TRUE). That kind of chain cannot directly be built up using X509_verify_cert(). Steve.

Re: mod_ssl in trunk with OpenSSL 0.9.7 as a minimum requirement?

2011-08-03 Thread Dr Stephen Henson
= strlen(SSL_CIPHER_get_name(c)); -memcpy(cp, SSL_CIPHER_get_name(c), l); +l = strlen(c-name); +memcpy(cp, c-name, l); Steve.
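Review bot: the `+` lines replace the SSL_CIPHER_get_name(c) accessor with direct access to the cipher structure's name member (shown as `c-name`, the `->` having been lost in extraction); with the opaque SSL structures that OPENSSL_NO_SSL_INTERN introduces (discussed elsewhere in this thread) that member is not reachable, so the `-` form using `SSL_CIPHER_get_name(c)` is the one that keeps building across OpenSSL versions.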

Re: Succeed compilation with FIPS

2011-06-04 Thread Dr Stephen Henson
On 03/06/2011 15:51, Petr Hracek wrote: Dear developers, I have tried to find out on the web what is the correct way how to compile http2 so that it will be compliant with FIPS 140-2. I have already built OpenSSL libraries with FIPS and development files as well. I have tried to run

Re: mod_ssl OCSP tuning (Re: TR of 2.3.10)

2011-01-17 Thread Dr Stephen Henson
On 17/01/2011 13:39, Joe Orton wrote: On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote: On 13.12.2010 15:24, Jim Jagielski wrote: At this late in the game, I would prefer to do this post-2.3.10... safer that way. Polite reminder, according to [1]... :-) I feel it's important

Re: SSLRequire UTF-8 characters backward compatibility

2011-01-02 Thread Dr Stephen Henson
On 31/12/2010 07:52, Kaspar Brand wrote: On 30.12.2010 13:43, Stefan Fritsch wrote: The latter. I suggest using ASN1_STRING_print_ex() with ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as \0). OK, makes sense. ASN1_STRING_print_ex escapes a whole lot of other stuff, too.

Re: SSLRequire UTF-8 characters backward compatibility

2011-01-02 Thread Dr Stephen Henson
On 02/01/2011 18:42, Stefan Fritsch wrote: On Sunday 02 January 2011, Dr Stephen Henson wrote: There is a bug in OpenSSL currently for those options: it doesn't escape the escape character itself (which it should treat as a special case and always escape it if any other escaping is in use

Re: mod_ssl ssl_util_stapling.c warnings

2010-12-22 Thread Dr Stephen Henson
On 22/12/2010 15:32, Rob Stradling wrote: On Friday 03 December 2010 10:31:24 Rob Stradling wrote: snip Would it be possible to make OCSP Stapling enabled by default (when the server certificate contains an OCSP Responder URL in the AIA extension) instead of disabled by default? (Perhaps

Re: mod_ssl OCSP tuning (Re: TR of 2.3.10)

2010-12-12 Thread Dr Stephen Henson
On 12/12/2010 09:28, Kaspar Brand wrote: On 11.12.2010 20:27, Jim Jagielski wrote: I've heard no objections, so on monday (12/13) I'll start the TR. Is there any chance that the attached patch might make it into 2.3.10? It includes two OCSP related changes for mod_ssl: - addresses

Re: Fwd: [us...@httpd] SSLRequire UTF-8 characters

2010-11-29 Thread Dr Stephen Henson
On 24/11/2010 07:07, Kaspar Brand wrote: On 20.11.2010 20:24, Stefan Fritsch wrote: On Fri, 19 Nov 2010, Joe Orton wrote: We could support this better by having a new set of exports: SSL_{CLIENT,SERVER}_{I,S}_UTF8DN_*(_n)? (or something similarly named) which works the same as _DN_ but

Re: mod_ssl ssl_util_stapling.c warnings

2010-11-29 Thread Dr Stephen Henson
On 29/11/2010 21:46, Guenter Knauf wrote: Hi Steve, ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0; MSVC warns: \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types - from 'struct stack_st_OPENSSL_STRING *' to 'struct stack_st_STRING

Re: mod_ssl ssl_util_stapling.c warnings

2010-11-29 Thread Dr Stephen Henson
On 30/11/2010 00:03, Dr Stephen Henson wrote: On 29/11/2010 21:46, Guenter Knauf wrote: Hi Steve, ssl_util_stapling.c issues warnings / breaks when compiled with OSSL 1.0.0; MSVC warns: \modules\ssl\ssl_util_stapling.c(140) : warning C4133: '=' : incompatible types - from 'struct

Re: svn commit: r1026906 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_init.c

2010-10-25 Thread Dr Stephen Henson
On 25/10/2010 06:48, Ruediger Pluem wrote: On 10/25/2010 12:14 AM, s...@apache.org wrote: Author: sf Date: Sun Oct 24 22:14:15 2010 New Revision: 1026906 URL: http://svn.apache.org/viewvc?rev=1026906&view=rev Log: Make sure to always log an error if loading of CA certificates fails

Re: ocsp stapling global mutex

2010-07-14 Thread Dr Stephen Henson
On 25/06/2010 08:10, Paul Querna wrote: Hi, I was playing with OCSP Stapling in 2.3.6-alpha tonight, and I noticed that in the common case path, we will always lock a global mutex. I don't see why this is needed for the cache hit case that uses non-SHM cache providers. In fact,

Re: svn commit: r946347 - in /httpd/test/framework/trunk/t: conf/ssl/ssl.conf.in ssl/extlookup.t ssl/require.t

2010-06-11 Thread Dr Stephen Henson
On 11/06/2010 07:00, Ruediger Pluem wrote: On 05/19/2010 09:20 PM, jor...@apache.org wrote: Author: jorton Date: Wed May 19 19:20:11 2010 New Revision: 946347 URL: http://svn.apache.org/viewvc?rev=946347&view=rev Log: - add test for SSLRequire PeerExtList() - test for the

Re: svn commit: r949676 - /httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c

2010-05-31 Thread Dr Stephen Henson
On 31/05/2010 08:20, rpl...@apache.org wrote: Author: rpluem Date: Mon May 31 07:20:21 2010 New Revision: 949676 URL: http://svn.apache.org/viewvc?rev=949676&view=rev Log: * Fix compiler warning about incompatible pointer type Modified:

Re: RFC: drop support for OpenSSL 1.0 in trunk/2.3?

2010-05-31 Thread Dr Stephen Henson
On 31/05/2010 22:10, Sander Temme wrote: Please note that no released version of Apache knows how to put OpenSSL into FIPS mode. When your Many Users run Apache in a situation with FIPS requirements, which and whose patches do they use? Work on FIPS integration at Apache itself stalled in

Re: RFC: drop support for OpenSSL 1.0 in trunk/2.3?

2010-05-25 Thread Dr Stephen Henson
On 25/05/2010 13:45, Joe Orton wrote: I'd like to drop support for versions of OpenSSL older than 1.0 in the trunk mod_ssl. We have 200+ lines of compat macro junk and still six different compiler warnings remain in a trunk build against 1.0.0. pro: simplify code: remove

Re: [vote] release 2.2.15?

2010-03-03 Thread Dr Stephen Henson
William A. Rowe Jr. wrote: On 3/3/2010 11:50 AM, Stefan Fritsch wrote: On Wednesday 03 March 2010, Mladen Turk wrote: BTW, I wouldn't recommend to compile against 0.9.8m. openssl s_client 0.9.8m block on renegotiation Have you only tried 0.9.8l as client? It has a known bug with

Re: [vote] release 2.2.15?

2010-03-03 Thread Dr Stephen Henson
Joe Orton wrote: On Wed, Mar 03, 2010 at 06:31:36PM +, Dr Stephen Henson wrote: Note that you don't need to abort if secure renegotiation is supported by the client. Is there any technical need to support client-initiated reneg? It's a bad fit with mod_ssl. It has been reported

OCSP stapling bug #48447

2010-01-05 Thread Dr Stephen Henson
All, just to draw your attention to bug #48447. Without it OCSP stapling doesn't work at all unless a port is explicitly stated in URLs. The fix is trivial and uses the same technique as the regular client certificate OCSP code. Steve. -- Dr Stephen N. Henson. Senior Technical/Cryptography

Re: Failures in SSL tests in test suite

2009-12-13 Thread Dr Stephen Henson
Jeff Trawick wrote: On Sat, Dec 12, 2009 at 12:26 PM, Jeff Trawick traw...@gmail.com wrote: On Thu, Dec 10, 2009 at 3:28 PM, Ruediger Pluem rpl...@apache.org wrote: Apparently because of the fix in openssl for the TLS renegotiation issue the following failed tests now pop up in our test

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-18 Thread Dr Stephen Henson
Jean-Marc Desperrier wrote: Dr Stephen Henson wrote: Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snipping that you're using for /authentication c) the mod_ssl configuration This is now

Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l

2009-11-17 Thread Dr Stephen Henson
Jean-Marc Desperrier wrote: Joe Orton wrote: Please file a bug and attach all of: a) error_log output at LogLevel debug for that case b) the config snipping that you're using for /authentication c) the mod_ssl configuration This is now done in bug

Re: Server Gated Certs (Was: TLS renegotiation attack, mod_ssl and OpenSSL)

2009-11-08 Thread Dr Stephen Henson
Dirk-Willem van Gulik wrote: Dirk-Willem van Gulik wrote: Actually Steve - you may know - what besides the obvious extendedKeyUsage=nsSGC,msSGC in the extension file needs to go into a sub-ca below a self-signed-root-chain to make the browsers dance ? Or have they hardcoded in some
