Re: [openssl-dev] Blog post; changing in email, crypto policy, etc

2018-01-24 Thread Steffen Nurpmeso
Viktor Dukhovni wrote: |> On Jan 24, 2018, at 9:27 AM, Michael Richardson wrote: |>> email clients are designed to handle hundreds to thousands of messages |>> a day, Github UI isn't | |Indeed email is best for informal ad-hoc back and forth

Re: [openssl-dev] Systemwide configurability of OpenSSL

2017-09-27 Thread Steffen Nurpmeso
Hello. Tomas Mraz wrote: |I would like to restart the discussion about possibilities of system- |wide configurability of OpenSSL and particularly libssl. | |Historically OpenSSL allowed only for configuration of the enabled |ciphersuites list if application called

Re: [openssl-dev] Work on a new RNG for OpenSSL

2017-08-24 Thread Steffen Nurpmeso
"Blumenthal, Uri - 0553 - MITLL" wrote: |>So I guess you want an interface that can both add things to the |> "entropy" pool, and to the "additional data" pool? It shouldn't |>be that hard, I'll try to come up with some proposal soon. | |I’d say the interface

Re: [openssl-dev] Work on a new RNG for OpenSSL

2017-08-19 Thread Steffen Nurpmeso
"Salz, Rich" wrote: |Is this new RNG object available to user programs, or do they need |to reinvent the wheel even though they definitely link against the |OpenSSL library? | |You don’t have to re-invent the wheel, but you might have to modify \ |the source ☺

Re: [openssl-dev] Work on a new RNG for OpenSSL

2017-08-19 Thread Steffen Nurpmeso
"Salz, Rich via openssl-dev" wrote: |➢ But I’d like the development team to comment on (and ideally – accept) \ |my request to add RAND_add() method to the RNG that is used in generation \ |of private keys. | |Well, I’ve been thinking about this for a bit, since you

Re: [openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-02 Thread Steffen Nurpmeso
Hello. Richard Levitte wrote: |I've added a change with documentation: | |https://github.com/openssl/openssl/pull/2818 | |Please go in and comment, or if you don't have a github account, feel |free to comment here. Thank you, i have added it to my makefile 1:1. Ciao!

Re: [openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-01 Thread Steffen Nurpmeso
Hello. Richard Levitte <levi...@openssl.org> wrote: |In message <20170301221703.tfwpu%stef...@sdaoden.eu> on Wed, 01 Mar \ |2017 23:17:03 +0100, Steffen Nurpmeso <stef...@sdaoden.eu> said: | |steffen> Yes, i mean, i just didn't know this, it is not mentioned anywher

Re: [openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-01 Thread Steffen Nurpmeso
Hello, Richard Levitte <levi...@openssl.org> wrote: |In message <20170301165032.8jhwg%stef...@sdaoden.eu> on Wed, 01 Mar \ |2017 17:50:32 +0100, Steffen Nurpmeso <stef...@sdaoden.eu> said: | |steffen> "Salz, Rich" <rs...@akamai.com> wrote: |steffen>

Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

2017-03-01 Thread Steffen Nurpmeso
Hello again, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: |> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <stef...@sdaoden.eu> wrote: |> No, not that i know. But this -- thanks -- lead me to the |> following, which is the KISS that you want? ... |> diff --

Re: [openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-01 Thread Steffen Nurpmeso
Good evening. Viktor Dukhovni <openssl-us...@dukhovni.org> wrote: |> On Mar 1, 2017, at 11:13 AM, Steffen Nurpmeso <stef...@sdaoden.eu> wrote: |> |> $ ldd /home/steffen/usr/opt/.ssl-1.1.0/bin/openssl |> ... |> libssl.so.1.1 => not found |>

Re: [openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-01 Thread Steffen Nurpmeso
"Salz, Rich" wrote: |> This is new behaviour, until now the installation was always self-contain\ |> ed |> when configured via |> |> ./config --prefix=$(MYPREFIX) zlib-dynamic no-hw shared | |Did you install the libraries in a standard place? | |> I think this should

Re: [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

2017-03-01 Thread Steffen Nurpmeso
Sorry for the late reply, this really is a slow machine (and i cleanup again completely anything once it is installed, _and_ the tests compile a long time even if not run).. "Salz, Rich" wrote: |> I am sorry, but i have no github account. Maybe it is possible to \ |> have

[openssl-dev] [Bug, maybe] [master] bin/* no longer find their libraries if installed in non-default locations

2017-03-01 Thread Steffen Nurpmeso
Oh, hello again, now i finally have updated (without "make tests?") and it seems i now have to fill in $LD_LIBRARY_PATH to get running: $ ldd /home/steffen/usr/opt/.ssl-1.1.0/bin/openssl ... libssl.so.1.1 => not found libcrypto.so.1.1 => not found This is new behaviour, until now the

[openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

2017-03-01 Thread Steffen Nurpmeso
Hello. I am sorry, but i have no github account. Maybe it is possible to have some @bug address which creates issues automatically? I see this on ? openssl version OpenSSL 1.0.2k 26 Jan 2017 ? /home/steffen/usr/opt/.ssl-1.1.0/bin/openssl version

Re: [openssl-dev] OpenSSL version 1.1.0e published

2017-02-16 Thread Steffen Nurpmeso
FYI, and because i don't have a github account, though this could be related to ticket #1635, on a x86_64 GNU LibC based Linux via openssl: cd openssl.git &&\ if [ -f NULL ]; then git checkout `cat NULL`; fi &&\ ./config --prefix=$(MYPREFIX) zlib-dynamic no-hw

Re: [openssl-dev] [openssl.org beetle 4668] Enhancement request: website: support proper titles

2016-09-05 Thread Steffen Nurpmeso
"Salz, Rich" wrote: |> Maybe you like it. I haven't tried it, but see no reason why it |> shouldn't work. It also adjusts headline tags in secpolicy.html, \ |> which don't |> comply to the rest of the site yet. | |It's good enough. None of us our web developers. I just

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-03 Thread Steffen Nurpmeso
Rich Salz via RT wrote: |The title now has the URL. Closing. Fixed as it's gonna get :) Not on Github, but i have really cloned the repository from openssl.org (not promoted, but present) and had a short run on top what you have committed. Maybe you like it. I haven't tried

Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT wrote: |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote: |> From the documentation i cannot tell what is wrong with the |> following: |> |> echo abc > a; echo def > b; echo ghi > c |> openssl genpkey -algorithm RSA -out k.prv |> openssl pkey

Re: [openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-02 Thread Steffen Nurpmeso
Richard Levitte via RT wrote: |On Thu Sep 01 13:18:44 2016, stef...@sdaoden.eu wrote: |> From the documentation i cannot tell what is wrong with the |> following: |> |> echo abc > a; echo def > b; echo ghi > c |> openssl genpkey -algorithm RSA -out k.prv |> openssl pkey

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
Richard Levitte via RT wrote: |On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote: |> Before sending the last message i looked around on the website (it |> has become particularly complicated to find the bug tracker), and |> looking at the "go-back" list i saw dozens of

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso
Richard Levitte via RT wrote: |On Thu Sep 01 13:13:44 2016, stef...@sdaoden.eu wrote: |> Before sending the last message i looked around on the website (it |> has become particularly complicated to find the bug tracker), and |> looking at the "go-back" list i saw dozens of

Re: [openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-02 Thread Steffen Nurpmeso via RT
"Salz, Rich" wrote: .. |for and fix? (I'm kinda slow sometimes) Do you know the story of the couple that had been married for decades when suddenly, at a Sunday morning breakfast, it has been revealed that she, who was given the upper half of the bread rolls for so long --

[openssl-dev] [openssl.org #4669] Enhancement request: let dgst support multiple files

2016-09-01 Thread Steffen Nurpmeso via RT
Hello. From the documentation i cannot tell what is wrong with the following: echo abc > a; echo def > b; echo ghi > c openssl genpkey -algorithm RSA -out k.prv openssl pkey -in k.prv -pubout -out k.pub openssl dgst -sha512 -sign k.prv -out .sig a b c openssl dgst -sha512 -verify

[openssl-dev] [openssl.org #4668] Enhancement request: website: support proper titles

2016-09-01 Thread Steffen Nurpmeso via RT
Before sending the last message i looked around on the website (it has become particularly complicated to find the bug tracker), and looking at the "go-back" list i saw dozens of "OpenSSL" entries, rather than rt, "Getting started as a contributor", etc. --steffen -- Ticket here:

Re: [openssl-dev] OpenSSL version 1.1.0 published

2016-08-26 Thread Steffen Nurpmeso
Matt Caswell <m...@openssl.org> wrote: |> Matt Caswell <m...@openssl.org> wrote: |>|On 25/08/16 22:14, Steffen Nurpmeso wrote: |>|> OpenSSL <open...@openssl.org> wrote: |>|>| OpenSSL version 1.1.0 released |>|> |>|> A bit dis

Re: [openssl-dev] OpenSSL version 1.1.0 published

2016-08-26 Thread Steffen Nurpmeso
|N'morning UK. (^.^) Ok i'm awake, you've created a new branch for that. Thanks. --steffen -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] OpenSSL version 1.1.0 published

2016-08-26 Thread Steffen Nurpmeso
N'morning UK. (^.^) Matt Caswell <m...@openssl.org> wrote: |On 25/08/16 22:14, Steffen Nurpmeso wrote: |> OpenSSL <open...@openssl.org> wrote: |>| OpenSSL version 1.1.0 released |> |> A bit distressing that it is me again, as if i would have |> something to do

Re: [openssl-dev] OpenSSL version 1.1.0 published

2016-08-25 Thread Steffen Nurpmeso
Good evening. OpenSSL wrote: | OpenSSL version 1.1.0 released A bit distressing that it is me again, as if i would have something to do with that..., but: the tag is missing. |https://www.openssl.org/news/openssl-1.1.0-notes.html Looks good in Lynx! Anyway, it

[openssl-dev] [openssl.org #4627] Doc patch: fix constant names

2016-07-25 Thread Steffen Nurpmeso via RT
Against [80f397e] diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index fb39f94..7b38489 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -124,8 +124,8 @@ than the deprecated alternative commands below. =item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>,

Re: [openssl-dev] [openssl.org #4556] Unknown: mysterious perl(1) error during [master:8d054a5] installation process

2016-06-04 Thread Steffen Nurpmeso
I hope i don't "open" this one! Richard Levitte via RT wrote: |On Thu Jun 02 15:50:31 2016, stef...@sdaoden.eu wrote: |> I have never seen something like this: |> |> Parser.c: loadable library and perl binaries are mismatched (got |> handshake key 0xdb00080, needed

Re: [openssl-dev] [openssl.org #4556] Unknown: mysterious perl(1) error during [master:8d054a5] installation process

2016-06-04 Thread Steffen Nurpmeso via RT
I hope i don't "open" this one! Richard Levitte via RT wrote: |On Thu Jun 02 15:50:31 2016, stef...@sdaoden.eu wrote: |> I have never seen something like this: |> |> Parser.c: loadable library and perl binaries are mismatched (got |> handshake key 0xdb00080, needed

[openssl-dev] [openssl.org #4557] Nit: temporary files left over after [master:8d054a5] installation process

2016-06-02 Thread Steffen Nurpmeso via RT
Yep: -rw--- 1 steffen steffen 1848 Jun 2 14:46 VhXl383LiQ -rw--- 1 steffen steffen 1612 Jun 2 14:46 F1RkvxEZi0 -rw--- 1 steffen steffen 1848 Jun 2 14:46 qg_wML0XIF -rw--- 1 steffen steffen 1848 Jun 2 14:46 4MUN7KIs69 -rw--- 1 steffen steffen 1840 Jun 2

[openssl-dev] [openssl.org #4555] Enhancement request: allow installation without manuals, but anyway without HTML manuals

2016-06-02 Thread Steffen Nurpmeso via RT
Oh yes, please! --steffen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4555 Please log in as guest with password guest if prompted

[openssl-dev] [openssl.org #4556] Unknown: mysterious perl(1) error during [master:8d054a5] installation process

2016-06-02 Thread Steffen Nurpmeso via RT
Hello. I have never seen something like this: Parser.c: loadable library and perl binaries are mismatched (got handshake key 0xdb00080, needed 0xdb80080) This is v5.24 on a Linux system, and it is flawless afaik. Thanks. --steffen -- Ticket here:

Re: [openssl-dev] simplifying rand_egd API

2016-01-14 Thread Steffen Nurpmeso
"Salz, Rich" wrote: |There are currently three functions related to the EGD: |int RAND_egd(const char *path); |int RAND_egd_bytes(const char *path, int bytes); |int RAND_query_egd_bytes(const char *path, unsigned char *buf\ |, int

[openssl-dev] [openssl.org #3954] Enhancement suggestion: extend x509(1) with -key-fingerprint

2015-07-23 Thread Steffen Nurpmeso via RT
Hello, for certificates which get renewed -- mine do twice a year, for example -- the fingerprint changes ?0[tmp]$ openssl x509 -fingerprint -noout cert.old SHA1 Fingerprint=00:10:F0:2C:EA:50:1F:11:FE:8D:CC:A0:A9:40:91:A2:D0:4D:65:4E ?0[tmp]$ openssl x509 -fingerprint -noout cert.crt

[openssl-dev] [openssl.org #3949] Bug: PKCS_final.7 not installed

2015-07-21 Thread Steffen Nurpmeso via RT
And on [1] (at least) the link Please see the list of new or open bugs and requests. leads to nowhere. Ciao, [1] http://openssl.org/support/rt.html --steffen ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org

Re: [openssl-dev] OpenSSL Security Advisory

2015-06-11 Thread Steffen Nurpmeso
Huhu!! |Fixes for this issue were developed by Emilia Käsper and Kurt Roeckx I just want to mention these «UTF-8 re-encoded as UTF-8» issues, which may be acceptable for names of males, but, but *particularly* with respect to the natural beauty of the affected person… On the other hand i

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-20 Thread Steffen Nurpmeso
Matt Caswell m...@openssl.org wrote: |On 19/05/15 17:40, Kurt Roeckx wrote: | I think that we should just provide the SSLv23_client_method define | without the need to enable something, and I guess I missed | something during the review in that case. | |The reason you need to enable

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-20 Thread Steffen Nurpmeso
Kurt Roeckx k...@roeckx.be wrote: |On Tue, May 19, 2015 at 08:03:05PM +0200, Steffen Nurpmeso wrote: | Steffen Nurpmeso sdao...@yandex.com wrote: ||Kurt Roeckx k...@roeckx.be wrote: |||I think that we should just provide the SSLv23_client_method define |||without the need to enable something

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-20 Thread Steffen Nurpmeso
Salz, Rich rs...@akamai.com wrote: | c_zlib.c:113:5: warning: excess elements in struct initializer | NULL, | ^~~~ | |Are you sure you have an accurate copy of master? | |The EX_DATA was removed in 9a555706a3fb8f6622e1049ab510a12f4e1bc6a2 \ |as part of making the COMP

[openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-19 Thread Steffen Nurpmeso
Hello, i've just read on the Lynx list about compilation error because of a missing SSLv23_method() and indeed [1] says it is deprecated and a new TLS_client_method() is to be used instead. Now i've searched on Gmane but i couldn't find just any word. (Let's just hope that there will be TLS

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-19 Thread Steffen Nurpmeso
Kurt Roeckx k...@roeckx.be wrote: |I think that we should just provide the SSLv23_client_method define |without the need to enable something, and I guess I missed |something during the review in that case. Thanks for the clarification. --steffen

Re: [openssl-dev] On SSLv23_method() drop and TLS_method() introduction

2015-05-19 Thread Steffen Nurpmeso
Steffen Nurpmeso sdao...@yandex.com wrote: |Kurt Roeckx k...@roeckx.be wrote: ||I think that we should just provide the SSLv23_client_method define ||without the need to enable something, and I guess I missed ||something during the review in that case. | |Thanks for the clarification. Ehm

Re: [openssl-dev] Proposed cipher changes for post-1.0.2

2015-02-14 Thread Steffen Nurpmeso
Hello, Dr. Stephen Henson st...@openssl.org wrote: |On Fri, Feb 13, 2015, Viktor Dukhovni wrote: | On Fri, Feb 13, 2015 at 11:59:13AM +, Salz, Rich wrote: | Some time ago, I had submitted a patch which allows administrators, but | most importantly OS distributors to set their own strings

Re: [openssl-dev] Proposed cipher changes for post-1.0.2

2015-02-13 Thread Steffen Nurpmeso
Hello, Nikos Mavrogiannopoulos n...@redhat.com wrote: |On Thu, 2015-02-12 at 18:39 +0100, Steffen Nurpmeso wrote: | And i want to point to OPENSSL_config(3) which states for a longer | time duration: | |It is strongly recommended that all new applications call

Re: [openssl-dev] Proposed cipher changes for post-1.0.2

2015-02-12 Thread Steffen Nurpmeso
Oh, this thread is about the OpenSSL configuration package that Rich Salz promised!.. Daniel Kahn Gillmor d...@fifthhorseman.net wrote: |On Wed 2015-02-11 10:15:11 -0500, Salz, Rich wrote: | Note that for most applications the correct approach to configuring | ciphersuites should be to start

Re: [openssl-dev] [openssl-announce] OpenSSL version 1.0.2 released

2015-01-23 Thread Steffen Nurpmeso
Daniel Kahn Gillmor d...@fifthhorseman.net wrote: |On Fri 2015-01-23 06:19:14 -0500, Steffen Nurpmeso wrote: | brings. (Myself even starves for documentation [coverage] | improvements.) | |fwiw, OpenSSL documentation is pretty easy to read and to edit. If you |notice that things

Re: [openssl-dev] [openssl-announce] OpenSSL version 1.0.2 released

2015-01-23 Thread Steffen Nurpmeso
Hello, Thanks for OpenSSL first. And again when you can read this. Matt Caswell m...@openssl.org wrote: |On 22/01/15 22:34, Steffen Nurpmeso wrote: | Since noone else seems to say a word. | I personally didn't understand at all why v1.0.2 when its | end-of-life is in sight already. | |From

Re: [openssl-dev] [openssl-announce] OpenSSL version 1.0.2 released

2015-01-23 Thread Steffen Nurpmeso
Daniel Kahn Gillmor d...@fifthhorseman.net wrote: |On Fri 2015-01-23 06:19:14 -0500, Steffen Nurpmeso wrote: | brings. (Myself even starves for documentation [coverage] | improvements.) | |fwiw, OpenSSL documentation is pretty easy to read and to edit. If you |notice that things

Re: [openssl-dev] [openssl-announce] OpenSSL version 1.0.2 released

2015-01-22 Thread Steffen Nurpmeso
Since no one else seems to say a word. I personally didn't understand at all why v1.0.2 when its end-of-life is in sight already. Now you have to continue to track three active branches. But this is your problem of course. What i _really_ don't understand is why 1.0.2 is delivered with false

[openssl-dev] There is no SSL_CTX_get_ciphers() (and .._get_cipher_list())

2014-12-16 Thread Steffen Nurpmeso
I wonder about this interface oddity. There is int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); int SSL_set_cipher_list(SSL *ssl, const char *str); but only STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl); const char *SSL_get_cipher_list(const SSL *ssl, int priority);

Re: [openssl-dev] [openssl.org #3633] Enhancement request: CONF_modules_load_file(): please add a CONF_MFLAGS_LOAD_USER_FILE

2014-12-16 Thread Steffen Nurpmeso via RT
Stephen Henson via RT r...@openssl.org wrote: All i can parse from your answer is that the statement that is long in OpenSSL documentation and was referred to by Rich Salz (unless i'm mistaken) in a different #issue, namely the following paragraph from OPENSSL_config(3): It is strongly

[openssl-dev] [openssl.org #3632] Enhancement request: CONF_modules_load_file(): please include filename in error message

2014-12-12 Thread Steffen Nurpmeso via RT
So i follow Rich Salz and am adding support for SSL_CONF_modules_load_file() (but i'm still wondering a bit why i do that) and while testing (with v1.0.2 beta4) i see messages like error:02001002:system library:fopen:No such file or directory error:0200100D:system library:fopen:Permission

[openssl-dev] [openssl.org #3633] Enhancement request: CONF_modules_load_file(): please add a CONF_MFLAGS_LOAD_USER_FILE

2014-12-12 Thread Steffen Nurpmeso via RT
Hello, while following Rich Salz's suggestion to make use of CONF_modules_load_file() i stumbled personally over the restriction that only a global openssl.cnf seems to be supported. There is no support for automatic loading of a $HOME/.openssl.cnf on top of the global version. And whereas

[openssl-dev] [openssl.org #3634] Docfix: doc/apps/enc.pod says aes-[128|192|256] but means aes[..]

2014-12-12 Thread Steffen Nurpmeso via RT
..so that even after OpenSSL_add_all_algorithms(3) EVP_get_cipherbyname(3) fails to load aes-128 as an alias for aes-128-cbc. --steffen diff --git a/doc/apps/enc.pod b/doc/apps/enc.pod index 41791ad..88e8b79 100644 --- a/doc/apps/enc.pod +++ b/doc/apps/enc.pod @@ -282,7 +282,7 @@ authentication

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso via RT
Hello, Stephen Henson via RT r...@openssl.org wrote: |On Mon Dec 08 19:58:31 2014, sdao...@yandex.com wrote: | If people start using SSL_CONF_CTX as they are supposed to with | v1.0.2, then it can be expected that users start using strings | like, e.g. (from my thing), | | set

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | Personally i am willing to put enough trust in the OpenSSL team *even | insofar* as i now do 'set ssl-protocol=ALL,-VULNERABLE' | and leave the task of deciding what is VULNERABLE up to you. | |That is not a responsibility we want. No how, no way.

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Yoav Nir ynir.i...@gmail.com wrote: | On Dec 9, 2014, at 1:24 PM, Steffen Nurpmeso via RT r...@openssl.org \ | wrote: | Salz, Rich rs...@akamai.com wrote: ||I think magic names -- shorthands -- are a very bad idea. \ | | I _completely_ disagree. | || They are point-in-time statements

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | Y causes a ciphersuite (or TLS version) to be dropped into VULNERABLE, |I am more concerned about the case where a common crypto type \ |is broken, and zillions (a technical term :) of websites are \ |now at-risk because there wasn't an immediate

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | I'd love to see a version of bettercrypto.org that only \ | has to say to configure | OpenSSL version 1.0.3 and higher, you should use the string BEST_PRACTICE | |That can happen but not by embedding magic strings into code. See But isn't TLSv1.2

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso
Hello, Stephen Henson via RT r...@openssl.org wrote: |On Mon Dec 08 19:58:31 2014, sdao...@yandex.com wrote: | If people start using SSL_CONF_CTX as they are supposed to with | v1.0.2, then it can be expected that users start using strings | like, e.g. (from my thing), | | set

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Hi. Richard Moore richmoor...@gmail.com wrote: | Programs which use the OpenSSL library generally just want to flip a | switch and know that they've turned on security, instead of trying to |My experience suggests that while that might be what some developers want, |that's not what users

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Salz, Rich via RT r...@openssl.org wrote: | Personally i am willing to put enough trust in the OpenSSL team *even | insofar* as i now do 'set ssl-protocol=ALL,-VULNERABLE' | and leave the task of deciding what is VULNERABLE up to you. | |That is not a responsibility we want. No how, no way.

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Yoav Nir ynir.i...@gmail.com wrote: | On Dec 9, 2014, at 1:24 PM, Steffen Nurpmeso via RT r...@openssl.org \ | wrote: | Salz, Rich rs...@akamai.com wrote: ||I think magic names -- shorthands -- are a very bad idea. \ | | I _completely_ disagree. | || They are point-in-time statements

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Salz, Rich via RT r...@openssl.org wrote: | Y causes a ciphersuite (or TLS version) to be dropped into VULNERABLE, |I am more concerned about the case where a common crypto type \ |is broken, and zillions (a technical term :) of websites are \ |now at-risk because there wasn't an immediate

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Salz, Rich via RT r...@openssl.org wrote: | I'd love to see a version of bettercrypto.org that only \ | has to say to configure | OpenSSL version 1.0.3 and higher, you should use the string BEST_PRACTICE | |That can happen but not by embedding magic strings into code. See But isn't TLSv1.2

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Hi. Richard Moore richmoor...@gmail.com wrote: | Programs which use the OpenSSL library generally just want to flip a | switch and know that they've turned on security, instead of trying to |My experience suggests that while that might be what some developers want, |that's not what users

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso via RT
Salz, Rich via RT r...@openssl.org wrote: | So you want a separate openssl-conf package. Fine, then provide it and | give an easy mechanism for applications to hook into it. | And for users to be able to overwrite system defaults. | But this has not that much to do with #3627. | |Yes it

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso via RT
Dr. Stephen Henson st...@openssl.org wrote: |On Thu, Dec 11, 2014, Steffen Nurpmeso via RT wrote: | are hard (not only to parse) for users but there is a lot of | information for good in very few bytes; sad is | | Received SIGPIPE during IMAP operation | IMAP write error: error:

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Salz, Rich via RT r...@openssl.org wrote: | So you want a separate openssl-conf package. Fine, then provide it and | give an easy mechanism for applications to hook into it. | And for users to be able to overwrite system defaults. | But this has not that much to do with #3627. | |Yes it

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-11 Thread Steffen Nurpmeso
Dr. Stephen Henson st...@openssl.org wrote: |On Thu, Dec 11, 2014, Steffen Nurpmeso via RT wrote: | are hard (not only to parse) for users but there is a lot of | information for good in very few bytes; sad is | | Received SIGPIPE during IMAP operation | IMAP write error: error:

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-11 Thread Steffen Nurpmeso
Stephen Henson via RT r...@openssl.org wrote: |On Mon Dec 08 20:20:44 2014, sdao...@yandex.com wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |Just to add my 2p to this thread which seems to have veered into

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Richard Moore richmoor...@gmail.com wrote: |On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |In Qt we've added an enum value for TLS versions

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Richard Moore richmoor...@gmail.com wrote: |On 9 December 2014 at 11:35, Steffen Nurpmeso sdao...@yandex.com wrote: | Richard Moore richmoor...@gmail.com wrote: ||On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org | wrote: || and finally i propose three new values

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 08:20:44PM +0100, Steffen Nurpmeso via RT wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |I actually find the option unfortunate and I think

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-10 Thread Steffen Nurpmeso via RT
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote: | set ssl-protocol=ALL,-SSLv2 | | This results in the obvious problem that when they (get) | upgrade(d) their OpenSSL library they will see a completely | intransparent

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
|Kurt Roeckx via RT r...@openssl.org wrote: ||been one that sets the minimum and maximum version. But I think ||we're too late 1.0.2 process to still change this. Attached a git format-patch MBOX for 1.0.2 (on top of [6806b69]). It boils anything down into two changesets (SSL_CONF_CTX and

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-10 Thread Steffen Nurpmeso via RT
Salz, Rich rs...@akamai.com wrote: |I think magic names -- shorthands -- are a very bad idea. \ I _completely_ disagree. | They are point-in-time statements whose meaning evolves, \ |if not erodes, over time. Because i don't think that a normal user, or even normal administrators and

Re: [openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-09 Thread Steffen Nurpmeso
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 07:58:31PM +0100, Steffen Nurpmeso via RT wrote: | set ssl-protocol=ALL,-SSLv2 | | This results in the obvious problem that when they (get) | upgrade(d) their OpenSSL library they will see a completely | intransparent

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-09 Thread Steffen Nurpmeso
Kurt Roeckx via RT r...@openssl.org wrote: |On Mon, Dec 08, 2014 at 08:20:44PM +0100, Steffen Nurpmeso via RT wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |I actually find the option unfortunate and I think

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-09 Thread Steffen Nurpmeso
Richard Moore richmoor...@gmail.com wrote: |On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org wrote: | and finally i propose three new values for the Protocol slot of | SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. | |In Qt we've added an enum value for TLS versions

Re: [openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-09 Thread Steffen Nurpmeso
Richard Moore richmoor...@gmail.com wrote: |On 9 December 2014 at 11:35, Steffen Nurpmeso sdao...@yandex.com wrote: | Richard Moore richmoor...@gmail.com wrote: ||On 8 December 2014 at 19:20, Steffen Nurpmeso via RT r...@openssl.org | wrote: || and finally i propose three new values

[openssl-dev] [openssl.org #3624] Unify SSL_CONF_* interface to be SSL_CONF_CTX_*, with patch against [master/33d5ba8]

2014-12-08 Thread Steffen Nurpmeso via RT
Does: - Fixes a typo in s_client.pod (2x in the). - Changes .pod to reflect reality: it is SSL_CONF_CTX_finish(), not SSL_CONF_finish(). - While here it seems best to change the remaining SSL_CONF_cmd(), SSL_CONF_cmd_argv() and SSL_CONF_cmd_value_type() to have a SSL_CONF_CTX_ prefix,

Re: [openssl-dev] [openssl.org #3624] Unify SSL_CONF_* interface to be SSL_CONF_CTX_*, with patch against [master/33d5ba8]

2014-12-08 Thread Steffen Nurpmeso via RT
Oh yes: and on top of that former patch there really were also dangling SSL_CTX_cmd() use cases in .pod files, which are thus and finally changed to SSL_CONF_CTX_cmd via the attached patch, too. Thank you. --steffen diff --git a/doc/ssl/SSL_CONF_CTX_cmd.pod b/doc/ssl/SSL_CONF_CTX_cmd.pod index

[openssl-dev] [openssl.org #3625] Enhancement request: user convenience for SSL_CONF_CTX with SSLv2

2014-12-08 Thread Steffen Nurpmeso via RT
Commit [45f55f6] (Remove SSLv2 support, 2014-11-30) completely removed SSLv2 support and the commit message states The only support for SSLv2 left is receiving a SSLv2 compatible client hello. If people start using SSL_CONF_CTX as they are supposed to with v1.0.2, then it can be expected that

[openssl-dev] [openssl.org #3627] Enhancement request: add more Protocol options for SSL_CONF_CTX

2014-12-08 Thread Steffen Nurpmeso via RT
Hello, and finally i propose three new values for the Protocol slot of SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE. I included OLDEST for completeness' sake, NEWEST is in effect what i've always forced for my thing whenever possible, and encouraged users to use themselves, but of course it

Re: [PATCH] Add API to set minimum and maximum protocol version.

2014-12-05 Thread Steffen Nurpmeso
|What is the SECLEVEL you refer to? I had a quick look at SSL_CONF API |pointed out by Stephen.[.] | I did too. Attached a doc patch (against 1.0.2) to match code reality. Fixes linking for me. --steffen diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index

Re: [PATCH] Add API to set minimum and maximum protocol version.

2014-12-04 Thread Steffen Nurpmeso
Hello, Dr. Stephen Henson st...@openssl.org wrote: |On Thu, Dec 04, 2014, Tomas Hoger wrote: | On Wed, 3 Dec 2014 22:55:06 +0100 Kurt Roeckx wrote: | Maybe applications may benefit from an API where they can pass string | set by the end user and let OpenSSL parse version number from that. |

Re: Could ASN1_TIME_print() become documented?

2014-11-18 Thread Steffen Nurpmeso
i wrote: |until now when i printed certificate chains (in verbose mode) |i used a brute simple hand driven function that dealt with |ASN1_UTCTIME. Today i connected to a server where one of the |certificates in the chain used ASN1_GENERALIZEDTIME, which |resulted in the -- faulty -- message:

Re: Could ASN1_TIME_print() become documented?

2014-11-18 Thread Steffen Nurpmeso
Salz, Rich rs...@akamai.com wrote: |Please send this to r...@openssl.org so it doesn't get lost. Nah, that is quite ridiculous, is it; i read this as it is fine to use the function, though. Thanks, --steffen __ OpenSSL Project

Could ASN1_TIME_print() become documented?

2014-11-17 Thread Steffen Nurpmeso
Hello, until now when i printed certificate chains (in verbose mode) i used a brute simple hand driven function that dealt with ASN1_UTCTIME. Today i connected to a server where one of the certificates in the chain used ASN1_GENERALIZEDTIME, which resulted in the -- faulty -- message:

Re: OpenSSL version 1.0.1g released

2014-04-07 Thread Steffen Nurpmeso
OpenSSL open...@openssl.org wrote: | OpenSSL version 1.0.1g released | === Forgot to git(1) tag OpenSSL_1_0_1g? --steffen