https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #31 from Valentin Tyanov ---
Hey, is there a scheduled date for the January release?
--
You are receiving this mail because:
You are the assignee for the bug.
-
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #30 from Christopher Schultz ---
(In reply to Michael Osipov from comment #28)
> (In reply to Christopher Schultz from comment #27)
> > The issue is not whether or not anyone is still using OpenSSL 1.0.2 today,
> > but whether or
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Mark Thomas changed:
What|Removed |Added
Resolution|--- |FIXED
Status|REOPENED
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #28 from Michael Osipov ---
(In reply to Christopher Schultz from comment #27)
> (In reply to Mark Thomas from comment #23)
> > While 1.0.2 has been EOL for a while it would not surprise me at all to find
> > lots of 1.0.2
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #27 from Christopher Schultz ---
(In reply to Mark Thomas from comment #23)
> While 1.0.2 has been EOL for a while it would not surprise me at all to find
> lots of 1.0.2 generated keys and certs still in use.
+1
The issue is not
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #26 from Mark Thomas ---
Yes, this should be fixed for the next release round which is currently
scheduled for January.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #25 from Garo ---
That was fast! Does this mean that it will be fixed in an upcoming release? By
the way, thank you for being so responsive and reproducing this so quickly. (In
reply to Mark Thomas from comment #24)
> Confirmed. It
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #24 from Mark Thomas ---
Confirmed. It is a regression. OpenSSL 1.0.2 doesn't specify the PRF so the
default should apply.
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #23 from Mark Thomas ---
Tomcat ships OpenSSL binaries are part of the Tomcat Native distribution. I
need to go back a bit but we have 1.0.2 binaries.
For now, this looks like a regression so I'm happy handling it here.
While
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #22 from ggar ---
(In reply to Mark Thomas from comment #21)
> The algorithm is being read as the pseudo random function and failing.
>
> I need to see if I can find (or build) an OpenSSL 1.0.2 binary.
Mark, there are several
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #21 from Mark Thomas ---
The algorithm is being read as the pseudo random function and failing.
I need to see if I can find (or build) an OpenSSL 1.0.2 binary.
--
You are receiving this mail because:
You are the assignee for the
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Mark Thomas changed:
What|Removed |Added
Resolution|FIXED |---
Status|RESOLVED
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #19 from Michael Osipov ---
(In reply to ggar from comment #18)
> Is it expected for PEM cert/key created with OpenSSL 1.0.2zh (or any 1.0.2)
> to stop working after this change? It seems to work fine with items
> generated through
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #18 from ggar ---
Is it expected for PEM cert/key created with OpenSSL 1.0.2zh (or any 1.0.2) to
stop working after this change? It seems to work fine with items generated
through OpenSSL 1.1.1. Here's an example of the command we
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #16 from Mark Thomas ---
See https://github.com/apache/tomcat/pull/674
That should support any cert the current code supports plus the OpenSSL
defaults.
It is possible there are other combinations that need to be supported. It
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #15 from Michael Osipov ---
(In reply to Mark Thomas from comment #14)
> I have this working with the current test cases and a default OpenSSL
> self-signed key as per the original report.
>
> The code needs to be cleaned up
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #14 from Mark Thomas ---
I have this working with the current test cases and a default OpenSSL
self-signed key as per the original report.
The code needs to be cleaned up rather so I am currently expecting to commit
the fix early
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #13 from Remy Maucherat ---
(In reply to Mark Thomas from comment #12)
> I think some refactoring will be required
> for the ASN.1 parser to make it more robust.
I managed to do OCSP using it (
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #12 from Mark Thomas ---
My current assessment is that it is possible to handle this. We are going to
need to do a little more by hand. I think some refactoring will be required for
the ASN.1 parser to make it more robust.
--
You
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #11 from Mark Thomas ---
Yes. The steps to reproduce this worked perfectly. Thanks.
Currently working through the ASN.1 and relevant RFCs to see what we have and
if I can get Java to work with it.
--
You are receiving this mail
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #10 from Michael Osipov ---
(In reply to Mark Thomas from comment #9)
> I'm working on this now. I don't think I am as far forward as you. It would
> be useful if I could see that code you have so far.
>
> My current thinking is
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #9 from Mark Thomas ---
I'm working on this now. I don't think I am as far forward as you. It would be
useful if I could see that code you have so far.
My current thinking is that the PKCS8 branch in PEMFile is going to need to
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #8 from Christopher Schultz ---
I have uncommitted work locally which can read the ASN.1 and perform the
decryption, which does not fail (i.e. no exception is thrown).
But when interpreting the decrypted data as an ASN.1 stream,
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #7 from Mark Thomas ---
Is that in your pem-utils project?
--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail:
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #6 from Christopher Schultz ---
It looks like handling OID 1.2.840.113549.3.7 is something I was working on a
while back in my project on GitHub. When running this through my own code, I
get some debug output saying something about
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #5 from Mark Thomas ---
We may end up supporting a subset of the OpenSSL functionality (and documenting
that).
For me the target is not to support everything OpenSSL does (although it would
be great if we could) but to support the
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #4 from Michael Osipov ---
(In reply to Mark Thomas from comment #3)
> It seems that very few (no?) users are creating keys with pass-phrases this
> way as this isn't an issue that has been reported previously and we went
> through
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #3 from Mark Thomas ---
It seems that very few (no?) users are creating keys with pass-phrases this way
as this isn't an issue that has been reported previously and we went through a
phase of getting reports of unsupported formats
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #2 from Michael Osipov ---
Switched to:
openssl genrsa -out key.crt -aes128 -passout file:key-password 4096
openssl req -x509 -key key.crt -out cert.crt -sha256 -days 5 -passout
file:key-password
Now I see:
11-Oct-2023
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
--- Comment #1 from Michael Osipov ---
This applies from Java 8 to 21.
--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail:
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Michael Osipov changed:
What|Removed |Added
Summary|Tomcat or Java do not read |Tomcat and/or Java do not
32 matches
Mail list logo
