Re: Libressl verify failure with 3.9.0

Thanks for the suggestion. The workaround does work, and creates (essentially) the same certificate, but one that does not fail verification with the new libressl. I did notice the option of not have the leading "20" for dates before 2050, but I did not know enough to try doing t

Re: Libressl verify failure with 3.9.0

On Mon, Apr 08, 2024 at 05:53:47PM -0500, Ted Wynnychenko wrote: > Thanks for the suggestion. > The workaround does work, and creates (essentially) the same certificate, > but one that does not fail verification with the new libressl. > I did notice the option of not have the

Re: Libressl verify failure with 3.9.0

> On Apr 8, 2024, at 5:44 AM, Theo Buehler wrote: > > On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote: >> Hello, >> >> I recently updated to -current (about a week ago). >> >> I see that Libressl is at 3.9.1 just now, but I hope th

Re: Libressl verify failure with 3.9.0

On Sun, Apr 07, 2024 at 04:57:24PM -0500, Ted Wynnychenko wrote: > Hello, > > I recently updated to -current (about a week ago). > > I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue > (I did not see anything in the release notes that would

Libressl verify failure with 3.9.0

Hello, I recently updated to -current (about a week ago). I see that Libressl is at 3.9.1 just now, but I hope that won't be an issue (I did not see anything in the release notes that would impact my question). --- $ openssl version LibreSSL 3.9.0 --- Over the years, I have made certificates

Libressl trust anchor problems.

hi dears ;^) I have self RootCA and Middle(Intermediate,Subordinate)CA. Then, I create the Certificate file. Now I want to install/remove the Certificate to System. Almost always. I use the trust anchor ${_cert_file_} / trust anchor --remove ${_pkcs11_id_} but, Libressl could not work

Re: can't create csr with ed 25519 on libressl 3.7.2 / OpenBSD 7.3

On Wed, Jun 14, 2023 at 03:30:10PM +0300, S V wrote: > can somebody explain why this doesn't work Yes. The answer to this kind of question is always the same: somebody has to write some code to support it. What is supported in 3.7.2 is the cryptographic primitive. More plumbing has to be added

can't create csr with ed 25519 on libressl 3.7.2 / OpenBSD 7.3

can somebody explain why this doesn't work or how to fix it ? (LibreSSL on OpenBSD 7.3) openssl genpkey -algorithm ED25519 > my.key openssl req -new -out my.csr -key my.key with this error 101242121864:error:10FFF08A:elliptic curve routines:CRYPTO_internal:invalid digest type:/usr/src/

Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3

a > python version that is incompatible with LibreSSL? 3.10 from packages works well with LibreSSL. There are some small local patches to disable a couple of things which aren't supported and are not at all widely used. Python's policy for 3.10+ is essentially "don't go out of the wa

Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3

: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 3.7.2. See: https://github.com/urllib3/urllib3/issues/2168 The included github link mentions that older versions of SSL are no longer usable with the urllib library but makes no mention

Re: Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3

e > about 3.10 being the new default so I ran pkg_add -u which updated python to > 3.10 and now the same scripts fail but with this error: > > ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' > module is compiled with LibreSSL 3.7.2. See: > https://github

Pkg_add Python version and LibreSSL seem to be incompatible in OpenBSD 7.3

to 3.10 and now the same scripts fail but with this error: ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with LibreSSL 3.7.2. See: https://github.com/urllib3/urllib3/issues/2168 The included github link mentions that older versions of SSL

LibreSSL/releases.html typo: wrong year

Hi, yet another typo fix. Cheers, Alex Index: releases.html === RCS file: /cvs/www/libressl/releases.html,v retrieving revision 1.98 diff -u -p -r1.98 releases.html --- releases.html 16 Mar 2023 08:28:17 - 1.98

Re: libressl vs openssl

On Fri, 2022-01-28 at 21:18 +, Stuart Henderson wrote: > On 2022-01-28, Laura Smith wrote: > > ‐‐‐ Original Message ‐‐‐ > > > > On Friday, January 28th, 2022 at 14:43, dansk puffer > > wrote: > > > > > Are there any major securit

Re: libressl vs openssl

> On Jan 28, 2022, at 11:53 AM, Laura Smith > wrote: > > ‐‐‐ Original Message ‐‐‐ > >> On Friday, January 28th, 2022 at 14:43, dansk puffer >> wrote: >> >> Are there any major security differences between libressl and openssl >

Re: libressl vs openssl

On 2022-01-28, Laura Smith wrote: > ‐‐‐ Original Message ‐‐‐ > > On Friday, January 28th, 2022 at 14:43, dansk puffer > wrote: > >> Are there any major security differences between libressl and openssl >> nowadays? From what I read the situation for open

Re: libressl vs openssl

On Fri, 28 Jan 2022 14:43:04 +, dansk puffer wrote: > Are there any major security differences between libressl and openssl > nowadays? From what I read the situation for openssl improved and > some Linux distros switched back to openssl again with mostly? > OpenBSD rema

Re: libressl vs openssl

> On Jan 28, 2022, at 9:46 AM, dansk puffer wrote: > > Are there any major security differences between libressl and openssl > nowadays? From what I read the situation for openssl improved and some Linux > distros switched back to openssl again with mostly? OpenBSD r

libressl vs openssl

Are there any major security differences between libressl and openssl nowadays? From what I read the situation for openssl improved and some Linux distros switched back to openssl again with mostly? OpenBSD remaining to use libressl.

Re: Unable to decrypt a file with LibreSSL

; > > > > As the subject reads, I am suddenly unable to decrypt a file that I > > > encrypted > > > > > > with LibreSSL. When I try, I get the following message: > > > > > > bad decrypt > > > > > > 11957684617984:error:06FFF

Re: Unable to decrypt a file with LibreSSL

On Wed, Jan 12, 2022 at 08:56:19PM +, Ricky Cintron wrote: > As the subject reads, I am suddenly unable to decrypt a file that I encrypted > with LibreSSL. When I try, I get the following message: > > bad decrypt > 11957684617984:error:06FFF064:digital envelope routines:

Re: OpenBSD Errata: September 30, 2021 (libressl)

On 2021-09-30, Sebastian Benoit wrote: > An errata patch for LibreSSL has been released for OpenBSD 6.8 and > OpenBSD 6.9. > > Compensate for the expiry of the DST Root X3 certificate. The use of an > unnecessary expired certificate in certificate chains can cause validation >

OpenBSD Errata: September 30, 2021 (libressl)

An errata patch for LibreSSL has been released for OpenBSD 6.8 and OpenBSD 6.9. Compensate for the expiry of the DST Root X3 certificate. The use of an unnecessary expired certificate in certificate chains can cause validation errors. Binary updates for the amd64, i386 and arm64 platform

Re: lighttpd vs. libressl on 6.9?

Hi Ben - thanks for replying :) ...on Mon, Aug 23, 2021 at 09:48:16AM -0400, b...@0x1bi.net wrote: > Try compiling lighthttpd by hand from the ports tree with > debug flags and run it with ktrace to see what's happening. I fear that might be more effort than I'm able to invest right now,

Re: lighttpd vs. libressl on 6.9?

Hello, Alex; Try compiling lighthttpd by hand from the ports tree with debug flags and run it with ktrace to see what's happening. I'd recommend switching to the builtin httpd if the problem persists. Ben Raskin

lighttpd vs. libressl on 6.9?

: 1 error:06FFF064:digital envelope > routines:CRYPTO_internal:bad decrypt > mod_openssl.c.3095) SSL: 1 error:1404C119:SSL routines:ST_OK:decryption > failed or bad record mac Is there any known incompatibility between lighttpd-1.4.59 and the version of LibreSSL in OpenBSD 6.9? Alex.

Recent OpenSSL and LibreSSL errata

There appears to be a bit of confusion out there. To be clear: 1. The two bugs that were fixed in OpenSSL 1.1.1k [1] were introduced well after the fork, so LibreSSL is not affected. OpenSSL have kindly given us advance access to their fixes. 2. The bug fixed in LibreSSL 3.2.5 [2] is our

Re: openssl/libressl s_client -crlf difference

On 2021-02-26, Michael W. Lucas wrote: > Hi, > > Should LibreSSL and OpenSSL be strictly command line compatible? > > The reason I ask is: using OpenSSL, I can use openssl s_client to > connect to a site like so: > > $ openssl s_client -crlf www:443 > > LibreS

openssl/libressl s_client -crlf difference

Hi, Should LibreSSL and OpenSSL be strictly command line compatible? The reason I ask is: using OpenSSL, I can use openssl s_client to connect to a site like so: $ openssl s_client -crlf www:443 LibreSSL requires I add the -connect $ openssl s_client -crlf -connect www:443 Thanks, ==ml

[www] LibreSSL 3.1.3: wrong date of release

Hi, the date of release should be updated. Cheers, Alex Index: libressl/index.html === RCS file: /cvs/www/libressl/index.html,v retrieving revision 1.104 diff -u -p -r1.104 index.html --- libressl/index.html 16 Jun 2020 02:06:47

Re: libressl handling of expired CA certificate

Stuart Henderson writes: > The same happens with 6.7 and -current. > > Hopefully this will be improved in libressl, but libressl clients > aren't the only ones who will have problems with this - if you're in > contact with the server admins I would recommend they remove the >

Re: libressl handling of expired CA certificate

rhaps the issue described was also present in LibreSSL > (on my 6.6 system this is LibreSSL 3.0.2). Although removing the expired > certificate is easy, it doesn't seem to me that it should be > necessary. If LibreSSL is behaving as intended here, please let me know. > > Will try to get a

libressl handling of expired CA certificate

ify return code: 0 (ok)). So, I thought perhaps the issue described was also present in LibreSSL (on my 6.6 system this is LibreSSL 3.0.2). Although removing the expired certificate is easy, it doesn't seem to me that it should be necessary. If LibreSSL is behaving as intended here, please l

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

What would you suggest to keep private key material in a safe place? There are rumors that even material stored as not extractable in Nitrokey Pro still can be extracted by side channels like electromagnetic emission. Would running all Internet communication end points on low powered Cortex A7

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

Some time ago Google bought 2000qbit version from D-wave and confirmed it is a quantum computer bla bla bla... but cluster consists of eight qbit blocks to build advertised capacity if I understand googles papers right. My question was about decrypting currently generated and accumulated

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On Sat, May 9, 2020 at 1:05 PM Kevin Chadwick wrote: > Careful of what sources you trust! If a processor was storing the keys used, > non > volatile then people would have found out. Software encryption wouldn't save > you > either. If there is a back door it won't have anything to do with

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 2020-05-09 16:25, i...@aulix.com wrote: > Note: Since these MS / U.S. government keys are deeply sticking in Intel XEON > processor hardware, it doesn’t play a role, what other OS you install or boot > afterwards: Debian/UBUNTU Linux, OpenBSD, … If your software uses Intel > AES-NI hardware

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

Though I am a very noob in understanding crypto from a mathematical point of view (not just as an user of some ready program) IMHO following message can contain some truth about insecurity and intentional flaws of hardware crypto in X86 CPUs:

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 2020-05-09 14:34, i...@aulix.com wrote: > D-waves has too uncoupled qubits if I understand it correctly, it is nothing > to do about qubits quantity as we used to think about it. Like a "cluster" of > completely isolated hosts (which is already not a cluster or course). I don't care for the

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 2020-05-09 14:31, i...@aulix.com wrote: > guessed by quantum provided session symmetric cipher is strong enough? Quantum does not break any in use today and AES-256 symmetric is expected to be quantum resistant in any case. I personally prefer AES-256 ctr over the more complex GCM. I am not

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

D-waves has too uncoupled qubits if I understand it correctly, it is nothing to do about qubits quantity as we used to think about it. Like a "cluster" of completely isolated hosts (which is already not a cluster or course).

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

OpenSSH allows to use hybrid mode with many private keys of different type and even stored on different hardware like Nitrokey, Rutoken, etc. at the same time for a single session. E.g. 4 different private keys are required (say Nitrokey, Rutoken ECP2, Curve25519 and Postquantum one):

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

This one https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html is the most powerful 5000qbits quantum computer sells nowadays. Moreother, D-Wave opened online service to access 5000qbit remotely for solving 'special' tasks which can be accelerated using quantum architecture.

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 2020-05-09 07:41, Martin wrote: > This one > https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html > is the most powerful 5000qbits quantum computer sells nowadays. D-waves definition of qubit is different and their machines will never be capable of breaking public key

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 2020-05-09 07:41, Martin wrote: > This one > https://www.tomshardware.com/news/d-wave-5000-qubit-first-sale,40470.html > is the most powerful 5000qbits quantum computer sells nowadays. > > Moreother, D-Wave opened online service to access 5000qbit remotely for > solving 'special' tasks which

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

On 5/8/20 3:16 PM, Martin wrote: > Which 'quantum' resistant algorithms can be used right now to prevent data > decryption in future by 'quantum' computers (when they can do this) of > currently collected data flows? this is so dumb. worry about this when there are computers which can

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

According to Damien Miller: >this is pretty much possible now, by enabling the experimental support for the XMSS PQ signature algorithm in the SSH

Re: 'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

https://www.technologyreview.com/2018/02/21/145300/serious-quantum-computers-are-finally-here-what-are-we-going-to-do-with-them/ https://www.microsoft.com/en-us/research/project/post-quantum-ssh/ https://openquantumsafe.org/ Why not to add post quantum algos to the SSH mainline to make them

'post quantum' encryption algorithm(s) in latest libressl and upcoming 6.7 to chose

Which 'quantum' resistant algorithms can be used right now to prevent data decryption in future by 'quantum' computers (when they can do this) of currently collected data flows? Martin

Re: LibreSSL performance issue

obably not. LibreSSL is intended to be portable, and the LibreSSL web site points back to the OpenBSD mailing lists: https://www.libressl.org/mail.html "See https://www.openbsd.org/mail.html for more details on posting or subscribing." So now over at https://www.openbsd.org/mail.html ... I w

Re: LibreSSL performance issue

another reason for the issue.?? I was recently trying to substitute libressl into an openssl environment.?? Performance tanked.?? Some checking showed the speed of "speed -evp aes-256-gcm" was way off.?? It looked to me like it was an issue with not using AES-NI.?? I'm not going to blam

Re: LibreSSL performance issue

he issue.?? I was recently trying to substitute libressl > >>> into an openssl environment.?? Performance tanked.?? Some checking > >>> showed the speed of "speed -evp aes-256-gcm" was way off.?? It looked > >>> to me like it was an issue with not using AES-NI.

Re: LibreSSL performance issue

On 7.1.2020 17:26, Joe Greco wrote: On Tue, Jan 07, 2020 at 09:33:46AM -0600, Edgar Pettijohn wrote: > In reality, when you dig down, often you find that there's another > reason for the issue.?? I was recently trying to substitute libressl > into an openssl environment.?? Performan

LibreSSL performance issue (was: Re: OpenBSD's extremely poor network/disk performance?)

On Tue, Jan 07, 2020 at 09:33:46AM -0600, Edgar Pettijohn wrote: > > In reality, when you dig down, often you find that there's another > > reason for the issue.?? I was recently trying to substitute libressl > > into an openssl environment.?? Performance tanked.?? Some c

Re: LibreSSL vs. OpenSSL enc command

Dieter Rauschenberger: > This was serveral years ago before Libressl was invented. Now I wanted > to decrypt the docs with: > > openssl enc -aes-256-cbc -d < FOO.aes256 > FOO > > This did not work. The password did not work anymore. The default message digest function

Re: LibreSSL vs. OpenSSL enc command

rypted several documents with > > > > openssl enc -aes-256-cbc -e < FOO > FOO.aes256 > > > > This was serveral years ago before Libressl was invented. Now I wanted > > to decrypt the docs with: > > > > openssl enc -aes-256-cbc -d < FOO.aes256 > FOO > > &g

Re: LibreSSL vs. OpenSSL enc command

On Wed, Dec 4, 2019 at 1:05 PM Dieter Rauschenberger wrote: > > i have encrypted several documents with > > openssl enc -aes-256-cbc -e < FOO > FOO.aes256 > > This was serveral years ago before Libressl was invented. Now I wanted > to decrypt the docs with: >

LibreSSL vs. OpenSSL enc command

Hi, i have encrypted several documents with openssl enc -aes-256-cbc -e < FOO > FOO.aes256 This was serveral years ago before Libressl was invented. Now I wanted to decrypt the docs with: openssl enc -aes-256-cbc -d < FOO.aes256 > FOO This did not work. The password did not wor

Re: 63 bit certificate ID is libressl affected?

On Wed, Mar 13, 2019 at 06:53:43PM -0700, William Ahern wrote: > The real issue here is that the EJBCA specification wasn't just a failure in > language precision, but was and remains entirely ill considered on this > score. If ASN.1 INTEGERs must now be 65 bits, it's a good bet that most if >

Re: 63 bit certificate ID is libressl affected?

On Wed, Mar 13, 2019 at 11:32:50PM +0100, Ingo Schwarze wrote: > Hi Tom, > > Tom Smyth wrote on Wed, Mar 13, 2019 at 08:32:20PM +: > > > Just saw the following article and i was wondering if libressl > > Might be affected by the bug also > > Top bit being set t

Re: 63 bit certificate ID is libressl affected?

2019 at 22:32, Ingo Schwarze wrote: > > Hi Tom, > > Tom Smyth wrote on Wed, Mar 13, 2019 at 08:32:20PM +: > > > Just saw the following article and i was wondering if libressl > > Might be affected by the bug also > > Top bit being set to 0 always making an effectiv

Re: Help with LibreSSL manpages

On Sunday 25 November 2018 17:36:16 Ingo Schwarze wrote: > Stephen Gregoratto wrote on Mon, Nov 26, 2018 at 12:26:21AM +1100: > > > > Would I need to fully grok the code before I could write the docs? > > Absolutely not. You could spend an infinite amount of time to > understand the code if you

Re: Help with LibreSSL manpages

Hi Stephen, Stephen Gregoratto wrote on Mon, Nov 26, 2018 at 09:24:25PM +1100: > Thanks for your response Ingo. I think I'll start with the missing > functions and go through them by order of length. Not saying "by order of length" is impossible, but keep in mind that * There are few section

Re: Help with LibreSSL manpages

Thanks for your response Ingo. I think I'll start with the missing functions and go through them by order of length. I'll try and peruse through the ports and check for any examples. Speaking of functions: I'm trying to generate a list of each function, the source file it's defined in and the

Re: Help with LibreSSL manpages

Hi Stephen, Stephen Gregoratto wrote on Mon, Nov 26, 2018 at 12:26:21AM +1100: > I've recently been getting into (re)writing my manpages using mdoc(7), > and came across Ingo's talk about mandoc/LibreSSL [1]. In it he > mentioned that there are still some functions to document and man

Help with LibreSSL manpages

Hello, I've recently been getting into (re)writing my manpages using mdoc(7), and came across Ingo's talk about mandoc/LibreSSL [1]. In it he mentioned that there are still some functions to document and many pages need a couple of goes over (specifically openssl(1)). Now I've never developed

Re: Building software that requires older libressl on snapshots

> There is a patch on rust-openssl to force the build using the latest > suppported version (see > lang/rust/patches/patch-src_vendor_openssl-sys_build_rs). Applying the patch worked > Running testsuite is usually a good method to check breakage. And the test suite passed > For me, rust FFI is

Re: Building software that requires older libressl on snapshots

On 2018-03-21, Sebastien Marie wrote: > For me, rust FFI is a bit a shame: it is a *copy* of C headers, written > and maintained in Rust language. It is good for crosscompilation (as > Rust know how to build stuff without any C headers), but it is awful to > maintain and keep

Re: Building software that requires older libressl on snapshots

On Tue, Mar 20, 2018 at 11:18:06PM -0400, Patrick Marchand wrote: > So I'm trying to build pijul (rust vcs based on patch theory) but it > requires rust-openssl, which only supports the latest release of > libressl (2.6). Is there a quick fix to build software that requires > an ol

Building software that requires older libressl on snapshots

So I'm trying to build pijul (rust vcs based on patch theory) but it requires rust-openssl, which only supports the latest release of libressl (2.6). Is there a quick fix to build software that requires an older libressl than what is currently used in snapshots? Or should I try to patch the rust

Re: LibreSSL Linux portability and OpenBSD security

On Saturday 10 February 2018 11:09:04 Kevin Chadwick wrote: > On Sat, 10 Feb 2018 16:24:38 +1100 > > > > Just in case some libressl dev doesn't want read the full thread in > > > the Alpine list, they want also a workaround for the lack of time_t > > &

Re: LibreSSL Linux portability and OpenBSD security

On Sat, 10 Feb 2018 16:24:38 +1100 > > Just in case some libressl dev doesn't want read the full thread in > > the Alpine list, they want also a workaround for the lack of time_t > > for 32bits platforms on Linux. > > We've already addressed this - a notafter that e

Re: LibreSSL Linux portability and OpenBSD security

On Saturday 10 February 2018 00:05:27 Juan Francisco Cantero Hurtado wrote: [snip] > Just in case some libressl dev doesn't want read the full thread in the > Alpine list, they want also a workaround for the lack of time_t for > 32bits platforms on Linux. We've already addressed this - a

Re: LibreSSL Linux portability and OpenBSD security

> It isn't just this. Qt 5.10 introduces new dependency on OpenSSL 1.1 > APIs for improved security, and LibreSSL does not implement those APIs > at all. The 1.1 API does not improve security. If anything, the new API requires to you repeat the same or similar arguments to many

Re: LibreSSL Linux portability and OpenBSD security

3-f0c0-73df-8f0ec7e83...@adelielinux.org> > Subject: Re: LibreSSL Linux portability and OpenBSD security > References: <slrnp7rnrq.205u@naiad.spacehopper.org> > In-Reply-To: <slrnp7rnrq.205u@naiad.spacehopper.org> > Content-Type: text/plain; charset=utf-8 > Content

Re: LibreSSL Linux portability and OpenBSD security

ust > thought I would mention it. > > To be honest, I don't even know if facilitating wider adoption of > LibreSSL hurts or benefits OpenBSD security in the end. > > The last paragraph (taken from a separate mail), may be interesting? > > I have no ide

Re: LibreSSL Linux portability and OpenBSD security

On 02/09/18 11:48, Stuart Henderson wrote: > I don't understand that, Cryptography is OK with LibreSSL. There have > been some problems at various times but they were either patched locally > or fixed upstream - we're a couple of point releases behind the latest > at the moment with

Re: LibreSSL Linux portability and OpenBSD security

Kevin Chadwick <m8il1i...@gmail.com> writes: > I wish libressl could keep the 32 bit time_t workaround til linux > kernel had fixed the problem instead of knowingly break things. Now I > don't see we have much of an option since 32 bit linux is basically > not supported by libr

Re: LibreSSL Linux portability and OpenBSD security

Thanks for the information Stu. Unfortunately I am not sure it will help in the end. Their project leader Natanael stated the following. The fact that libressl developers are not willing to workaround 32 bit linux time_t is the deal

Re: LibreSSL Linux portability and OpenBSD security

On 2018-02-09, Kevin Chadwick <m8il1i...@gmail.com> wrote: > It isn't just this. Qt 5.10 introduces new dependency on OpenSSL 1.1 > APIs for improved security, and LibreSSL does not implement those APIs > at all. btw I haven't looked at Qt but some ports are already held back in O

LibreSSL Linux portability and OpenBSD security

adoption of LibreSSL hurts or benefits OpenBSD security in the end. The last paragraph (taken from a separate mail), may be interesting? I have no idea what debian etc. are doing. http://lists.alpinelinux.org/alpine-devel/6079.html

Re: Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails

On 7 September 2017 at 16:35, Heiko <bd09c6fmxoq2...@intermezzo.net> wrote: > Hello, > > ./config for Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails on Debian > Linux: As per https://www.openssh.com/report.html this query would be better directed to the portable

Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails

Hello, ./config for Portable OpenSSH 7.5p1 with LibreSSL 2.6.1 fails on Debian Linux: checking OpenSSL header version... not found configure: error: OpenSSL version header not found. $ openssl version LibreSSL 2.6.1 I did it with this options: ./configure --without-openssl

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

ay 20 June 2017 23:26:10 Andrew Lemin wrote: >> Hi, >> >> Sadly in my testing it seems that CVE-2017-8301 ( >> http://seclists.org/oss-sec/2017/q2/145) is still broken with the >> latest LibreSSL >> (2.5.4) and OpenVPN 2.4.2. >> >> Here is someone else

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote: > Hi, > > Sadly in my testing it seems that CVE-2017-8301 ( > http://seclists.org/oss-sec/2017/q2/145) is still broken with the > latest LibreSSL > (2.5.4) and OpenVPN 2.4.2. > > Here is someone else reporting

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

On 2017-06-22, Stuart Henderson <s...@spacehopper.org> wrote: > On 2017-06-20, Andrew Lemin <andrew.le...@gmail.com> wrote: >> Has anyone else come across any issues recently with Openvpn, Libressl and >> TLS on OpenBSD 6.1? > > Yes there have been problems

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

On 2017-06-20, Andrew Lemin <andrew.le...@gmail.com> wrote: > Has anyone else come across any issues recently with Openvpn, Libressl and > TLS on OpenBSD 6.1? Yes there have been problems reported like this: (This is from the "Investigating self-signed cert behavior change"

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

Hi, Sadly in my testing it seems that CVE-2017-8301 ( http://seclists.org/oss-sec/2017/q2/145) is still broken with the latest LibreSSL (2.5.4) and OpenVPN 2.4.2. Here is someone else reporting the same issue; https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/1358/4

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

I've just found this hint on GitHub for the Openvpn compile options for Libressl; https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995 So will try a build later tonight and share back here if that CVE is fixed. Would prefer to rebuild with the same options as the packaged binary

Libressl issue verifying self-signed certs with tls-auth and Openvpn

Hi Misc, Has anyone else come across any issues recently with Openvpn, Libressl and TLS on OpenBSD 6.1? I am using an .ovpn file with TLS auth static key and cert inline within the file, to connect to VPN service. Running openvpn binary from command line without any special params, just .ovpn

6.1 OpenSSH/LibreSSL version discrepancy

Hi, there seems to be a version info discrepancy in the OpenBSD 6.1 ANNOUNCEMENT. It states OpenSSH 7.4 and LibreSSL 2.5.3. However, in 6.1(/amd64) release fresh install, i have OpenSSH 7.5 and LibreSSL 2.5.2: $ ssh -V; openssl version OpenSSH_7.5, LibreSSL 2.5.2 LibreSSL 2.5.2

Re: openssl/libressl ocsp error in 6.1 stable

> I noticed in my logs things like this. > May 1 03:00:02 isildur openssl: vfprintf %s NULL in "%s %2d > %02d:%02d:%02d%.*s %d%s" > > It comes down to this command to fetch ocsp response: > openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert > cert.pem -url

openssl/libressl ocsp error in 6.1 stable

Hello, I noticed in my logs things like this. May 1 03:00:02 isildur openssl: vfprintf %s NULL in "%s %2d %02d:%02d:%02d%.*s %d%s" It comes down to this command to fetch ocsp response: openssl ocsp -respout ocsp.der -no_nonce -issuer chain.pem -cert cert.pem -url

Re: LibreSSL on old OpenBSD

On Sat, Aug 13, 2016, at 01:36 PM, Roderick wrote: > On Sat, 13 Aug 2016, Theo de Raadt wrote: > > > We prefer creating a world that is simpler. That is the practice > > we follow with our bodies of code. > > > > You prefer backwards compat. Fine, that is your choice. You can > > apply that

Re: LibreSSL on old OpenBSD

> But programming > is always ponderation, in many dimensions. You must decide for example > between (run) time or space (memory), between security, performance > or simplicity. Sure, with absolute goals there is no much to decide and no > much discussion, and we are finished. > Rodrigo. Total

Re: LibreSSL on old OpenBSD

On Sat, 13 Aug 2016, Theo de Raadt wrote: We prefer creating a world that is simpler. That is the practice we follow with our bodies of code. You prefer backwards compat. Fine, that is your choice. You can apply that principle in your own code. Are we finished here? It is not so simple.

Re: LibreSSL on old OpenBSD

> And if the whole is a technical progress, is a more complicated > thing. I preffer to take a constant from sys/params.h at > compile time than getting it with a call of sysconf() at run time. > The older standards arose perhaps from considerations that > today are forgotten or play no role

Re: LibreSSL on old OpenBSD

, socket and readv in the many versions of OpenBSD, as well of 4.4BSD and of FreeBSD. It seems there is till now no standard, LibreSSL will not compile in FreeBSD 10.3 out of the box (according to the man pages). It seems that you see the progress in that there is now a de jure POSIX standard

Re: LibreSSL on old OpenBSD

2016-08-12 23:28 GMT+02:00 Philip Guenther : > Yes, the previous situation with and > was confusing (code was including the wrong header and not getting the Thanks. Finally an answer after days of shouting. Best Martin

Re: LibreSSL on old OpenBSD

ized version that was expected) and there was finally a proposal to provide this functionality that was accepted for the next version of POSIX. When the existing situation is bad and there's a good direction finally settled on, moving that way is the Right Thing. Why did libressl break? Because th

  1   2   3   >