At both ftp://ftp.openssl.org/source/ and
http://openssl.org/source, the openssl-0.9.8f.tar.gz.sha1
file does not match the actual SHA1 checksum of
openssl-0.9.8f.tar.gz. (The MD5 sum is ok.)
Also, the openssl-0.9.8f.tar.gz.asc file is a binary PGP
signature and not, as the name implies, an
Your statement is actually correct. Nevertheless it does not seem to be
useful to create
a new release (0.9.8g) just to correct an informational version number
code. It also
would not be a good idea to create a new tarball with the same name but
just a new
version number code.
We have therefore
I have made the following modifications to the download area (not
tracked by CVS, so the
action is not logged via openssl-cvs) at Wed Oct 17, 2007, 09:30 CEST
(07:30GMT):
* updated openssl-0.9.8f.tar.gz.sha1
* created new openssl-0.9.8f.tar.gz.asc with my (Lutz Jaenicke) personal
key matching
On Wed 07-10-17 09:55, Lutz Jaenicke via RT wrote:
According to our records, your request has been resolved. If you have any
further questions or concerns, please respond to this message.
The ftp site looks ok, but the http server still has
the binary openssl-0.9.8f.tar.gz.asc, linked from
Grr. The OpenSSL web site is some (semi-)automatic thing that is updated
in a magic way. Probably only Ralf Engelschall fully understands how
this works :-)
I have made sure the correct files are linked now.
Best regards,
Lutz
Hello Andy,
On Saturday, October 13, 2007 at 13:13:22 +0200, Andy Polyakov via RT wrote:
this was eventually fixed. thanks for report. a.
This syntax error problem is still present in latest 0.9.7m release, but
is indeed fixed in the CVS 0.9.7 branch. And it never impacted the 0.9.8
branch
I found this problem originally when trying to use OpenSSH linked
against the new OpenSSL. I get the following error:
$ ssh -V
OpenSSL version mismatch. Built against 90805f, you have 908070
openssh-4.7p1/entropy.c has the following code:
/*
Hi,
I want to know if an ocsp revocation check works with openssl if I'm using a
proxy?
Thanks,
Christian Wiesbauer
I would hope the web site is some semi-automatic thing.
I should also note that since MD5 has an easy
hash-collision-generation function against it, the contents of the
openssl-0.9.8f file that was available there that didn't match the
sha1 should be evaluated and diffed.
I think this should be
I would hope the web site is some semi-automatic thing.
I should also note that since MD5 has an easy
hash-collision-generation function against it, the contents of the
openssl-0.9.8f file that was available there that didn't match the
sha1 should be evaluated and diffed.
I think this should be
Starting with OpenSSL 0.9.8f, ssl3_get_client_hello() no longer tests whether
the client proposed a
previous session_id before trying to process it. In previous releases, a new
session was always
created if no previous session was proposed (i.e. if j==0 at ssl\s3_srvr.c:746)
On Wed, Oct 17, 2007 at 02:25:13PM +0200, [EMAIL PROTECTED] via RT wrote:
I found this problem originally when trying to use OpenSSH linked
against the new OpenSSL. I get the following error:
$ ssh -V
OpenSSL version mismatch. Built against 90805f, you have 908070
[...]
So OpenSSH stops
[EMAIL PROTECTED] - Wed Oct 17 18:11:27 2007]:
Starting with OpenSSL 0.9.8f, ssl3_get_client_hello() no longer tests
whether the client proposed a
previous session_id before trying to process it. In previous releases,
a new session was always
created if no previous session was proposed
Hi Lutz,
Apologies, I should have included a stack trace with the bug report.
FYI - attached is a Windows/Apache 2.2.6/OpenSSL 0.9.8f VC8 stack trace.
The problem is not Windows-specific. I observe it on several platforms.
This patch seems to correct the problem by checking for a zero-length
The code was changed when TLS ticket support was added. In that case a
zero length session ID can result in a resumed session based on the
ticket. It didn't catch the case where ticket resumtion failed and the
session legth was zero.
This patch should fix it:
Yes - the patch at http://cvs.openssl.org/chngview?cn=16691
corrects the problem.
Tested with Apache 2.2.6 on Windows and Debian 4.0.
-tom-
Stephen Henson via RT wrote:
The code was changed when TLS ticket support was added. In that case a
zero length session ID can result in a resumed
16 matches
Mail list logo
