Re: [openssl.org #3212] smime verification failure

2014-01-06 Thread Kurt Roeckx
On Mon, Jan 06, 2014 at 05:38:27PM -0500, Dave Thompson wrote: > > > When only certificate 2 and 1 are sent, the verification is > > successful because it's now trying to find the issuer of 2, being > > 3, and does find that in my CApath. > > > Are you sure the '3' in your truststore is the sam

Re: [openssl.org #3212] smime verification failure

2014-01-06 Thread Dr. Stephen Henson
On Mon, Jan 06, 2014, Dave Thompson wrote: > > From: owner-openssl-dev On Behalf Of Kurt Roeckx via RT > > Sent: Monday, January 06, 2014 04:22 > > > I received an smime signed email but I had a problem verifying the > > signature. What I got was 3 certificates in the chain, but it > > didn't lo

[PATCH] changes in 1.0.0l and 1.0.1f required for OpenVMS

2014-01-06 Thread Zoltan Arpadffy
Hello, Thank you for releasing 1.0.0l and 1.0.1f. I tested them right away (which I haven't done for more than a year) and found that some changes are needed in order to make it work under OpenVMS. 1. I have tested for the very first time with HP C V7.3-020 on OpenVMS IA64 V8.4 and f

Re: Safe ECC curves

2014-01-06 Thread Kyle Hamilton
1.3.6.1.4.1.22232.15.0: Curve25519 (That's out of my arc) X coordinate is an OCTET STRING. Y coordinate is a 0-byte OCTET STRING (since it's not defined as optional in ASN.1, it must be present -- but how can you compress what doesn't exist?) When does the Point Compression patent expire, anyway

RE: [openssl.org #3212] smime verification failure

2014-01-06 Thread Dave Thompson
> From: owner-openssl-dev On Behalf Of Kurt Roeckx via RT > Sent: Monday, January 06, 2014 04:22 > I received an smime signed email but I had a problem verifying the > signature. What I got was 3 certificates in the chain, but it > didn't look for the certificate in my CApath. > > The order of

The OpenSSL status page is out of date

2014-01-06 Thread Iain Morgan
Hi, The OpenSSL status page, https://openssl.org/news/status.html, is a bit out of date. According to it, the next minor releases are 0.9.8x, 1.0.0j, and 1.0.1c. -- Iain Morgan __ OpenSSL Project

Re: git commits for the various CVEs

2014-01-06 Thread Dr. Stephen Henson
On Mon, Jan 06, 2014, Kurt Roeckx wrote: > So the 1.0.1f release fixed 3 CVEs. The links on > http://www.openssl.org/news/vulnerabilities.html > suggest that the following commits are needed: > CVE-2013-4353: > 197e0ea817ad64820789d86711d55ff50d71f631 > > CVE-2013-6450: > 34628967f1e65dc8f34e00

git commits for the various CVEs

2014-01-06 Thread Kurt Roeckx
So the 1.0.1f release fixed 3 CVEs. The links on http://www.openssl.org/news/vulnerabilities.html suggest that the following commits are needed: CVE-2013-4353: 197e0ea817ad64820789d86711d55ff50d71f631 CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b CVE-2013-6449: ca989269a2876bae79393bd

Re: [openssl.org #3214] commit 20b82b514d81a64f5b240788e5051167456af379 opens possible segfault

2014-01-06 Thread Kurt Roeckx
On Mon, Jan 06, 2014 at 01:10:59PM +0100, Stephen Henson via RT wrote: > On Mon Jan 06 10:22:17 2014, anthony.miness...@gmail.com wrote: > > commit 20b82b514d81a64f5b240788e5051167456af379 on dec 20th creates an > > issue where NULL can be passed to EVP_MD_CTX_destroy > > > > Commit a6c62f0c25a756

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread ET
Ok, thanks. What previous versions would have been affected by that vulnerability? Erik On 06 Jan 2014, at 11:30 AM, Dr. Stephen Henson wrote: > On Mon, Jan 06, 2014, ET wrote: > >> Also, the release notes list: >> >> * Fix for TLS record tampering bug CVE-2013-4353 >> >> But the list o

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread Dr. Stephen Henson
On Mon, Jan 06, 2014, ET wrote: > Ok, thanks. What previous versions would have been affected by that > vulnerability? > The vulnerabilities list has been updated now. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl

RE: OpenSSL version 1.0.1f released

2014-01-06 Thread Watson, Patrick
Also, I apologize if I'm missing something, but the release notes state: "Fix for TLS record tampering bug CVE-2013-4353." I can't find any mention of that CVE anywhere. The linked OpenSSL vulnerabilities list doesn't include it and neither does NVD (http://web.nvd.nist.gov/view/vuln/detail?vul

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread ET
Also, the release notes list: * Fix for TLS record tampering bug CVE-2013-4353 But the list of OpenSSL vulnerabilities linked from there does not mention this anywhere... Erik Tkal et...@me.com uʍop ǝpısdn ǝɹɐ noʎ sıɥʇ pɐǝɹ uɐɔ noʎ ɟı On 06 Jan 2014, a

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread Dr. Stephen Henson
On Mon, Jan 06, 2014, ET wrote: > Also, the release notes list: > > * Fix for TLS record tampering bug CVE-2013-4353 > > But the list of OpenSSL vulnerabilities linked from there does not mention > this anywhere... > The list hasn't been updated yet. You can get details from the CHANGES ent

[openssl.org #3215] [bug report] SSLv23 connection fails but SSLv3 works

2014-01-06 Thread Patric Schmitz via RT
The sylpheed mailer uses SSLv23_client_method to establish the imap/smtp connections. My mailserver seems to understand only SSLv3. If I connect manually using the commandline client, sslv2 fails while sslv3 seems to work. The sslv2 output is as follows: $ openssl s_client -ssl2 -connect mailbox.r

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread Dr. Stephen Henson
On Mon, Jan 06, 2014, Daniel Kahn Gillmor wrote: > On 01/06/2014 09:49 AM, OpenSSL wrote: > > >OpenSSL version 1.0.1f released > >=== > [...] > >The OpenSSL project team is pleased to announce the release of > >version 1.0.1f of our open source toolkit

Re: OpenSSL version 1.0.1f released

2014-01-06 Thread Daniel Kahn Gillmor
On 01/06/2014 09:49 AM, OpenSSL wrote: >OpenSSL version 1.0.1f released >=== [...] >The OpenSSL project team is pleased to announce the release of >version 1.0.1f of our open source toolkit for SSL/TLS. For details >of changes and known issues see t

OpenSSL version 1.0.0l released

2014-01-06 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.0l released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.0l of our open source

OpenSSL version 1.0.1f released

2014-01-06 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.1f released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1f of our open source

[openssl.org #3214] commit 20b82b514d81a64f5b240788e5051167456af379 opens possible segfault

2014-01-06 Thread Stephen Henson via RT
On Mon Jan 06 10:22:17 2014, anthony.miness...@gmail.com wrote: > commit 20b82b514d81a64f5b240788e5051167456af379 on dec 20th creates an > issue where NULL can be passed to EVP_MD_CTX_destroy > Commit a6c62f0c25a756c263a80ce52afbae888028e986 was applied to the OpenSSL repository before 20b82b514d8

[openssl.org #3214] commit 20b82b514d81a64f5b240788e5051167456af379 opens possible segfault

2014-01-06 Thread Anthony Minessale via RT
commit 20b82b514d81a64f5b240788e5051167456af379 on dec 20th creates an issue where NULL can be passed to EVP_MD_CTX_destroy Specifically d1_both.c:221 EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); Doing a DTLS negotiation between FreeSWITCH and Google Chrome using WebRT

[openssl.org #3213] [PATCH] Fix failure to read default CA file & CA path in s_{client,server,time} (bug #977)

2014-01-06 Thread Reuben Thomas via RT
This is a patch for bug #977. Since this is the first time I've attempted to contribute to OpenSSL, I lay out the problem, underlying bug and fix in some detail below. Apologies if I labor the obvious. The symptoms: s_client and some other apps can fail to verify certificates when they should ha

[openssl.org #3212] smime verification failure

2014-01-06 Thread Kurt Roeckx via RT
Hi, I received an smime signed email but I had a problem verifying the signature. What I got was 3 certificates in the chain, but it didn't look for the certificate in my CApath. The order of the certs as shown by pkcs7 -print_certs was: 2 3 1 Where 1 was the end user certificate, 2 is the is