On Tue, Jul 29, 2014, Kurt Roeckx wrote:
On Tue, Jul 29, 2014 at 10:56:14AM +0100, Rob Stradling wrote:
On 27/07/14 14:30, Stephen Henson via RT wrote:
On Mon Jul 21 20:29:47 2014, v...@v13.gr wrote:
I'm not sure whether this change is needed at all as there's no
justification for it.
On Thu, Jul 24, 2014, Hubert Kario wrote:
I have 4 key pairs:
* CA1
* CA2
* subCA
* server
the CA1 and CA2 are self signed root CAs
subCA has two certificates, one signed by CA1 and one signed by CA2
server has a certificate signed by subCA (server.pem file)
and also has
On Sat, Jul 19, 2014, Jeff Trawick wrote:
This reduces the number of build problems on Windows+MSVC with the master
branch. I don't know if the 1.0.2 branch was affected by the missing
entries; it does build in the presence of these minor changes.
I don't know if other fields have to be
On Sun, Jul 13, 2014, Dr. Stephen Henson wrote:
On Sat, Jul 12, 2014, Jitendra Lulla wrote:
Also the changes I am proposing may not be acceptable for similar reasons.
It may be that your implementation of an AF_ALG EVP_CIPHER for XTS can be
changed so it works with unmodified OpenSSL
On Sun, Jul 13, 2014, Andy Polyakov wrote:
Also the changes I am proposing may not be acceptable for similar reasons.
It may be that your implementation of an AF_ALG EVP_CIPHER for XTS can be
changed so it works with unmodified OpenSSL. The OpenSSL XTS implementation
is a software
On Sun, Jul 13, 2014, Matt Caswell wrote:
On 13/07/14 22:28, Dr. Stephen Henson wrote:
The separate problem is that the OP has written an ENGINE that supports XTS
mode and the requested patch was to make XTS mode work in the ENGINE. I'm
suggesting that the OPs ENGINE implementation
On Mon, Jun 30, 2014, Huzaifa Sidhpurwala wrote:
Hi Peter,
Are you facing any issues similar to
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3272 ?
or are just commenting on the previous GCM fix?
A quick look at the EVP_AES_XTS_CTX suggests that the only pointer in
On Mon, Jun 30, 2014, Dr. Stephen Henson wrote:
On Mon, Jun 30, 2014, Huzaifa Sidhpurwala wrote:
Hi Peter,
Are you facing any issues similar to
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3272 ?
or are just commenting on the previous GCM fix?
A quick look
On Mon, Jun 30, 2014, Hubert Kario wrote:
As far as misconfigured servers go, single DES and export grade ciphers
are much, much more common problem at 20% and 15% respectively.
The security levels code also addresses that. By default any ciphersuite
offering below 80 bits of equivalent
On Mon, Jun 30, 2014, Huzaifa Sidhpurwala wrote:
On Mon, Jun 30, 2014 at 5:01 PM, Dr. Stephen Henson st...@openssl.org
wrote:
On Mon, Jun 30, 2014, Huzaifa Sidhpurwala wrote:
Hi Peter,
Are you facing any issues similar to
http://rt.openssl.org/Ticket/Display.html?user
On Sat, Jun 28, 2014, Dominyk Tiller wrote:
I wondered if you all had an opinion on disabling SSLv2 SSLv3 during
the ./configure process, and what kind of impact that'd have for
end-users and general compatibility when building against an updated
version of OpenSSL.
There are several
On Sat, Jun 28, 2014, Jeremy Farrell wrote:
From: Hanno Böck [mailto:ha...@hboeck.de]
Sent: Saturday, June 28, 2014 10:36 PM
On Sat, 28 Jun 2014 20:05:21 +0200
Kurt Roeckx k...@roeckx.be wrote:
If you make such a patch, I might disable SSLv3 support in Debian,
but that's
On Thu, Jun 12, 2014, Viktor Dukhovni wrote:
When I compile Postfix against OpenSSL 1.0.2-beta or earlier, and
configure the SMTP server to not have any certificates, the Postfix
client and server happily negotiate a suitable aNULL ciphersuite
(e.g. AECDH-AES256-SHA).
When I compile
On Thu, Jun 12, 2014, Viktor Dukhovni wrote:
On Thu, Jun 12, 2014 at 08:59:27PM +0200, Dr. Stephen Henson wrote:
When I compile against master, with the same configuration, I get
on the server:
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read
On Wed, Jun 11, 2014, Andy Schmidt wrote:
I am getting the same error on Win 8.1 32 bit with Visual Studio 2008 when
issuing 'ms\do_fips'.
You shouldn't be calling ms\do_fips from OpenSSL 0.9.8 only from the validated
module tarball.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core
On Tue, Jun 10, 2014, John Foley wrote:
Can we imply from this commit that the 1.0.2 release is imminent? If
not, can anyone provide a rough estimate on when 1.0.2 will be released
(1 month, 3 months, 6 months from now)?
A 1.0.2-beta2 release will happen shortly (the next day or so). So
On Fri, Jun 06, 2014, Matt Caswell wrote:
On 6 June 2014 08:27, Zhong Chen zc...@sonicwall.com wrote:
We are using openssl 1.0.0 as a server. Looking at the diff between 1.0.0m
and 1.0.0k, same patch is applied to s3_srvr.c and s3_pkt.c. I want to
confirm this is just for precaution, or
On Thu, Jun 05, 2014, Green, Gatewood wrote:
Openssl-0.9.8za will not build in FIPS mode. The openssl-fips-1.2(.4) seems
to be missing the symbol BN_consttime_swap.
Fixed now. Workaround is to compile with no-ec: the EC algorithms aren't
approved for FIPS operation for the FIPS capable
On Fri, Jun 06, 2014, Zoltan Arpadffy wrote:
Hi,
the 1.0.0m fails to build on OpenVMS Alpha architecture.
OPENSSL_assert(s-s3-wnum INT_MAX);
^
%CC-E-UNDECLARED, In this statement, INT_MAX is not declared.
at line number 586 in file
On Fri, Jun 06, 2014, Mike Bland wrote:
__func__ is defined in C99. What version of the SGI C compiler are you
using? According to the following, as of version 7.4, the -c99 flag
should enable this to compile:
http://www.sgi.com/products/software/irix/tools/c.html
Note that VC++ under
On Thu, Jun 05, 2014, OpenSSL wrote:
OpenSSL Security Advisory [05 Jun 2014]
Resend: first version contained characters which could cause signature
failure.
Oops, something else to add to the list of things to double check before
making a
On Tue, May 27, 2014, Dmitry Belyavsky wrote:
Hello,
I think it is not to be closed, the leak occurs.
Have you tried this with a recent version of OpenSSL? I can no longer produce
a memory leak mentioned in PR#2745.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
On Sun, Jun 01, 2014, Viktor Dukhovni wrote:
On Sun, Jun 01, 2014 at 07:18:18PM +0200, Stephen Henson via RT wrote:
I've updated OpenSSL so the padding extension is no longer used by default
and
the option SSL_OP_TLSEXT_PADDING enables it (it is part of the SSL_OP_ALL).
This resolves
On Sun, Jun 01, 2014, Viktor Dukhovni wrote:
On Sun, Jun 01, 2014 at 07:47:30PM +0200, Dr. Stephen Henson wrote:
Thanks. In particular, since SSL_OP_ALL is a compile-time constant,
applications compiled with older releases will not send the extension
by default. Only applications
On Sun, Jun 01, 2014, Kurt Roeckx wrote:
On Sun, Jun 01, 2014 at 01:39:54PM -0400, Salz, Rich wrote:
Make structures opaque when possible and provide accessor functions. Within
openssl itself use macros if you want.
This has been on my list of things I want to see happen for a long time
On Sun, Jun 01, 2014, Richard Moore wrote:
On 1 June 2014 19:38, Dr. Stephen Henson st...@openssl.org wrote:
On Sun, Jun 01, 2014 at 01:39:54PM -0400, Salz, Rich wrote:
Make structures opaque when possible and provide accessor functions.
Within openssl itself use macros if you want
On Tue, May 27, 2014, Ben Laurie wrote:
Nice idea.
It inspired my son, Felix, and I to think about a related idea:
generate random numbers which are inherently coprime to small primes.
Felix went on to implement the idea, and include benchmarks and tests.
Not finished - while
On Thu, May 15, 2014, Dmitry Belyavsky wrote:
Hello,
I'm sorry, we should make extra checks to be sure that it is not our fault.
Oh do you mean this isn't a bug and we can close the ticket?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now
On Thu, May 08, 2014, Viktor Dukhovni wrote:
On Thu, May 08, 2014 at 09:48:43AM +0200, Stephan Mühlstrasser via RT wrote:
I posted this test case for function X509_check_akid() on the
openssl-users mailing list, but got no reaction, therefore I'm
submitting it now as a defect for
On Thu, May 08, 2014, Stephan Mühlstrasser wrote:
Am 08.05.14 16:15, schrieb Dr. Stephen Henson:
Well technically AKID should only be used as a hint (various PKIX list
discussions have confirmed this). In that sense OpenSSL is already too
strict: if AKID completely mismatches it will decide
On Thu, May 08, 2014, Viktor Dukhovni wrote:
On Thu, May 08, 2014 at 05:12:07PM +0200, Dr. Stephen Henson wrote:
I don't understand the usefulness of the AKID then. If it's only a
hint and can't even be used to exclude certain certificates as
issuers, what is it good
On Thu, May 08, 2014, MichaelM wrote:
We want to read the public key of certificates created with an RSA PSS key.
Using 'openssl x509 -inform DER -in test.cer -text' returns
...
Subject Public Key Info:
Public Key Algorithm: rsassaPss
Unable to
On Mon, May 05, 2014, Kurt Roeckx wrote:
On Sun, May 04, 2014 at 06:07:23PM -0400, Geoffrey Thorpe wrote:
It's lazy-initialisation, so the context-setting (which is used in RSA and
DSA, not just DH) occurs the first time an operation is attempted on the
key. (Well, the first time an
On Fri, Apr 25, 2014, Jeff Trawick wrote:
Note: Glance at
http://wiki.openssl.org/index.php/Main_Page#Feedback_and_Contributions for
some context.
Anyway, about that section in README:
openssl-bugs is dead, right? (instead:
https://www.openssl.org/support/rt.html)
It still works but
On Sun, Apr 27, 2014, Weibin Yao wrote:
Is it accessible for read (rt.openssl.org) ? I can't access it and
don't know where to register.
Read access is possible through the guest account:
https://www.openssl.org/support/rt.html
Steve.
--
Dr Stephen N. Henson. OpenSSL project core
On Thu, Apr 24, 2014, Dmitry Belyavsky wrote:
So whether there is a way to test that error in cert verification aborts
the connection in case of bad cert using s_server/s_client pair?
Try the -verify_return_error option.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
On Wed, Apr 23, 2014, Steve Marquess wrote:
On 04/23/2014 01:30 PM, Hanno Böck wrote:
Hi,
... Basically, what bothers me most is that right now it seems to
me the openssl project is unresponsive. There are people out there
who want to improve things. There are people who want to
On Sun, Apr 20, 2014, Martin Millnert wrote:
after debugging some OCSP responses, I realized OCSP servers such as
ocsp2.globalsign.com (e.g. http://ocsp2.globalsign.com/gsalphasha2g2 for
AlphaSSL) which uses cloudflare, are denying queries from openssl
My post, e.g:
POST /gsalphasha2g2
On Fri, Apr 18, 2014, Fedor Indutny wrote:
Hello devs!
It has just caught my attention that `SSL_get_peer_cert_chain` does
not contain `SSL_get_peer_certificate`'s value for server, but it does for
client.
Would you mind accepting patch for fixing it?
The problem is that that
On Mon, Apr 07, 2014, Steffen Nurpmeso wrote:
OpenSSL open...@openssl.org wrote:
| OpenSSL version 1.0.1g released
| ===
Forgot to git(1) tag OpenSSL_1_0_1g?
Didn't get round to pushing the tag. Should be fixed now.
Steve.
--
Dr Stephen N. Henson.
On Mon, Apr 07, 2014, Steven M. Schweda wrote:
OpenSSL version 1.0.1g released
A relatively recent change to the VMS builders causes trouble for
folks who lack the latest compiler. Using HP C V7.3-009 on OpenVMS
Alpha V8.3 or HP C V7.3-019 on OpenVMS IA64 V8.3-1H1, for example:
On Tue, Apr 01, 2014, Viktor Dukhovni wrote:
On Tue, Apr 01, 2014 at 05:03:32PM -0400, Salz, Rich wrote:
I, for one, would not want OpenSSL to employ such a complex
and fragile mechanism.
Yeah, it's kinda gross and clunky. On the other hand, it's really
all we have right now, and
On Tue, Apr 01, 2014, Viktor Dukhovni wrote:
What were your plans for X509_VERIFY_PARAM_ID_st for DANE? That's
where the TLSA records were going to be right?
If you post a note about the approach you want to take with extending
X509_VERIFY_PARAM_ID_st I can provide a more complete patch.
On Fri, Mar 28, 2014, Hubert Kario wrote:
Currently OpenSSL sorts ciphers according to key size first, then key
exchange
and finally the mac used.
This does not result in a list sorted by strength (as the documentation would
suggest). Ciphers using 3DES use 168 bit key but because of
On Fri, Mar 14, 2014, Nikos Mavrogiannopoulos wrote:
On Thu, 2014-03-13 at 22:52 +0100, Stephen Henson via RT wrote:
On Thu Mar 13 20:12:38 2014, d...@fifthhorseman.net wrote:
This is a hard-coded patch to make OpenSSL clients reject connections
which use DHE handshakes with 1024 bits.
On Fri, Mar 28, 2014, Viktor Dukhovni wrote:
On Fri, Mar 28, 2014 at 05:57:42PM +0100, Dr. Stephen Henson wrote:
In the new Fedora we will try system-wide configuration parameters for
all crypto libraries (patch [0] was along that line), so such a change
is very good news. It would
On Fri, Mar 28, 2014, Viktor Dukhovni wrote:
On Fri, Mar 28, 2014 at 05:23:45PM +, Tim Hollebeek wrote:
Windows XP is no longer a supported operating system. If you
require compatibility with it, use a non-default cipher suite. It
really is time for RC4-SHA1 to go away.
That's
On Fri, Mar 28, 2014, Dr. Stephen Henson wrote:
On Fri, Mar 28, 2014, Viktor Dukhovni wrote:
On Fri, Mar 28, 2014 at 05:57:42PM +0100, Dr. Stephen Henson wrote:
In the new Fedora we will try system-wide configuration parameters for
all crypto libraries (patch [0] was along
On Fri, Mar 28, 2014, Viktor Dukhovni wrote:
On Fri, Mar 28, 2014 at 06:57:34PM +0100, Dr. Stephen Henson wrote:
Well what goes in each security level is up for discussion and can be
changed.
So perhaps session tickets can be allowed at somewhat higher levels?
Certainly. Nothing
On Fri, Mar 28, 2014, Viktor Dukhovni wrote:
On Fri, Mar 28, 2014 at 07:27:59PM +0100, Dr. Stephen Henson wrote:
One possibility I'd considered is to move levels 1 and above along one. Then
you'd have...
Level 0: anything goes.
Level 1: almost anything goes but stupid stuff like DH
On Fri, Mar 28, 2014, Jeff Trawick wrote:
I think these functions are all new with 1.0.2, but maybe some aren't...
If so, was there a missing step to get them exported or set the linkage?
mod_ssl from httpd trunk fails like this:
Linking C shared library mod_ssl.so
Creating library
On Thu, Mar 27, 2014, Salz, Rich wrote:
I am not an OpenSSL developer, but it seems to me that system default
cipherlists are not a good idea.
+1
I'd rather see the ability to add a new section openssl.cnf, like
[ cipher-profile ]
redhat-recommended = AES256-CGM-SHA384
On Tue, Mar 25, 2014, geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
well, correct?
Yes that's correct but we weren't planning on making any more 0.9.8 releases.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
On Wed, Mar 26, 2014, Viktor Dukhovni wrote:
On Tue, Mar 25, 2014 at 09:23:58PM +, geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
distributions as well, correct?
Isn't this an ECDSA issue? I thought that EC algorithms are by
default
On Fri, Mar 14, 2014, Sunil wrote:
I have OpenSSL 1.0.1f built with OpenSSL-FIPS-2.0.5 using VS2012 and I have
gone past the issue with fingerprint mismatch using the compiler flag
/DYNAMICBASE:no for both MFLAGS and LFLAGS. However, when using the tool
openssl.exe (with OPENSSL_FIPS=1 in the
On Sat, Mar 15, 2014, Sunil wrote:
I had some issues when compiling without the no-asm option; this can
probably be fixed with configuring the right paths. I haven't dug into
getting the performance gain since I was focused on resolving the bad
record mac error. If it seems related to the
On Fri, Mar 14, 2014, Leon Brits wrote:
Hi,
I have a problem with Thunderbird which works via the cryptoki to our device
which makes use of OpenSSL.
Thunderbird passes ciphertext which falls exactly on the blocksize boundary.
I translate the cryptoki DecryptUpdate() call to the OpenSSL
On Thu, Mar 13, 2014, Kurt Roeckx wrote:
On Thu, Mar 13, 2014 at 03:13:01PM -0400, Daniel Kahn Gillmor wrote:
In theory, users of OpenSSL as a TLS client are already able to query
the size of the DH key exchange for any given connection, and can choose
to terminate it if they object to the
On Mon, Mar 03, 2014, Roumen Petrov wrote:
Hello,
It seems me logic verification logic for X.509 certificates is
changed in a minor release.
$ cd BUILDDIR/test
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ openssl verify certCA.ss; echo $?
certCA.ss: C = AU, O = Dodgy Brothers, CN =
On Sat, Mar 01, 2014, Roumen Petrov wrote:
According the current version scheme 1.0.2 retain binary
compatibility. In this case is expected external application linked
1.0.1 to work with 1.0.2 without modification.
It seems to me now FIPS build retain binary but lost functional
On Mon, Feb 24, 2014, Zoltan Arpadffy wrote:
Hello,
On OpenVMS does not build that smooth as expected.
Please, find attached the patch needed to build on IA64 or Alpha platform.
NOTE: This patch contains a very dirty #define that should not be needed,
but for some reason in v3_scts.c
On Mon, Feb 24, 2014, Zoltan Arpadffy wrote:
NOTE: This patch contains a very dirty #define that should not be needed,
but for some reason in v3_scts.c BN_ULLONG is not defined.
Please, see the comments in the patch.
Hmm... is BN_ULLONG used elsewhere for that build? I'd rather we found a
On Thu, Jan 30, 2014, Salz, Rich wrote:
Has anyone thought about how to increase the SSL options? Looking at the
#define's for SSL_OP_... it seems that all 32bits are taken.
One err option is to use the mode value which although not originally
intended for that use has many free bits.
On Sun, Jan 19, 2014, Daniel Kahn Gillmor via RT wrote:
Hi Stephen--
On Thu 2014-01-02 16:36:39 -0500, Stephen Henson via RT wrote:
On Mon Dec 30 22:47:32 2013, d...@fifthhorseman.net wrote:
I don't mean to be impatient -- if it's just a matter of playing catchup
over the close of the
On Sun, Jan 19, 2014, Daniel Kahn Gillmor wrote:
If you think i'm misunderstanding the OpenSSL release process, i'd be
very happy to get constructive feedback or pointers to documentation
that would help me understand it better.
A brief description of the versioning scheme is at:
On Thu, Jan 16, 2014, Florian Weimer wrote:
The additional resolution of a tick counter might make reseeding
after fork unnecessary, but it's difficult to be sure. Something
not based on timing information looks desirable to me.
I should point out that the aim of the current code is not
On Wed, Jan 15, 2014, Leon Brits wrote:
Hi all,
I am required to implement the four DRBGs specified in SP 800-90 (HASH,
HMAC, CTR, DUAL_EC). I previously received help from this group on that and
it works just fine. The client however also required the following ...and
ANS X9.62-2005
On Wed, Jan 15, 2014, Florian Weimer wrote:
Commit 3cd8547a2018ada88a4303067a2aa15eadc17f39 mixed the current
time into the randomness pool each time RAND_bytes is called. As
the resolution of gettimeofday() is limited, I propose to reseed the
PRNG each time a PID change is detected.
I
On Sat, Jan 11, 2014, Zoltan Arpadffy wrote:
Thank you Steve.
I keep in mind:
- use gnu diff
- send patch as attachment.
Could you please resend the original patches as attachments?
Thanks,
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now
On Sat, Jan 11, 2014, Zoltan Arpadffy wrote:
SYSTEM@ia64$ mc dka0:utilgdiff.exe -u [.ssl]ssl-lib.com;1
[.ssl]ssl-lib.com;4
--- [.ssl]ssl-lib.com;1 Mon Jan 6 16:00:58 2014
+++ [.ssl]ssl-lib.com;4 Mon Jan 6 22:03:46 2014
@@ -214,7 +214,7 @@
$! Define The Different SSL library Files.
$!
On Wed, Jan 08, 2014, Abdul Anshad wrote:
Hello All,
I noticed in trying to build OpenSSL 1.0.0l that, Configure doesn't accept
the fips and --with-fipsdir= arguments. But, the OpenSSL 1.0.1f and OpenSSL
0.9.8y accepts the same.
Does that mean that the OpenSSL 1.0.0l wont support fips
On Wed, Jan 08, 2014, yaber...@ca.ibm.com wrote:
Hi,
I've recently seen OpenSSL 1.0.1f and 1.0.0l releases which fix some
security issues.
Your vulnerabilities page state it only affect some 1.0.0* and 1.0.1*
releases.
However, when I look at these URLs, I'm under the impression it also
On Mon, Jan 06, 2014, Daniel Kahn Gillmor wrote:
On 01/06/2014 09:49 AM, OpenSSL wrote:
OpenSSL version 1.0.1f released
===
[...]
The OpenSSL project team is pleased to announce the release of
version 1.0.1f of our open source toolkit for
On Mon, Jan 06, 2014, ET wrote:
Also, the release notes list:
* Fix for TLS record tampering bug CVE-2013-4353
But the list of OpenSSL vulnerabilities linked from there does not mention
this anywhere...
The list hasn't been updated yet. You can get details from the CHANGES entry
for
On Mon, Jan 06, 2014, ET wrote:
Ok, thanks. What previous versions would have been affected by that
vulnerability?
The vulnerabilities list has been updated now.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see:
On Mon, Jan 06, 2014, Kurt Roeckx wrote:
So the 1.0.1f released fixed 3 CVEs. The links on
http://www.openssl.org/news/vulnerabilities.html
suggest that the following commits are needed:
CVE-2013-4353:
197e0ea817ad64820789d86711d55ff50d71f631
CVE-2013-6450:
On Mon, Jan 06, 2014, Dave Thompson wrote:
From: owner-openssl-dev On Behalf Of Kurt Roeckx via RT
Sent: Monday, January 06, 2014 04:22
I received an smime signed email but I had a problem verifying the
signature. What I get was 3 certificates in the chain, but it
didn't look for the
On Sat, Jan 04, 2014, Daniel Shaul via RT wrote:
Hello OpenSSL team,
Do you know when a fix for CVE-2013-6449 is going to be released? Also, do
you know if the OpenSSL FIPS package is affected?
Please don't use the RT address for general queries.
To answer your questions. A release is
On Sat, Jan 04, 2014, Kurt Roeckx wrote:
On Sat, Jan 04, 2014 at 11:25:27AM +0100, Matijs van Zuijlen via RT wrote:
It looks like OpenSSL 1.0.2 will no longer provide the constant
SSL_OP_MSIE_SSLV2_RSA_PADDING in its header files
On Thu, Jan 02, 2014, Salz, Rich wrote:
So Curve25519 needs a standard OID and some notes on the format to use for
ASN.1. Does such a thing exist?
I don't think so. Perhaps the TLS list is the place to discuss this? Should
we (I?) start a thread there on a proposal to fit Curve25519
On Thu, Jan 02, 2014, Daniel Kahn Gillmor wrote:
On 01/02/2014 08:50 AM, Salz, Rich wrote:
[Dr. Stephen Henson wrote:]
So Curve25519 needs a standard OID and some notes on the format to use for
ASN.1. Does such a thing exist?
I don't think so.
yes, i mentioned it up-thread
On Tue, Dec 17, 2013, Ron Barber via RT wrote:
On 12/16/13, 6:40 PM, Stephen Henson via RT r...@openssl.org wrote:
Yes, please print out the entire s->s3->handshake_dgst array instead of
just
the first element. That is:
s->s3->handshake_dgst[0]
s->s3->handshake_dgst[1]
.. up to ...
On Wed, Dec 11, 2013, Tomas Mraz wrote:
On Út, 2013-12-10 at 14:45 +0100, Dr. Stephen Henson wrote:
On Mon, Dec 09, 2013, geoff_l...@mcafee.com wrote:
Shouldn't the code read:
if (!FIPS_mode())
CRYPTO_w_[un]lock(CRYPTO_LOCK_RAND);
Note the '!' operator
On Wed, Dec 11, 2013, Ben Laurie wrote:
On 11 December 2013 08:55, Tomas Mraz tm...@redhat.com wrote:
On Út, 2013-12-10 at 14:45 +0100, Dr. Stephen Henson wrote:
On Mon, Dec 09, 2013, geoff_l...@mcafee.com wrote:
Shouldn't the code read:
if (!FIPS_mode
On Mon, Nov 18, 2013, Nimit Gupta wrote:
Hi,
I am unable to build openssl with fips, please let me know what am I
missing.
Openssl version: openssl-SNAP-20131115
Below are the steps I followed.
./config fipscanisterbuild no-asm
make
make install
Are you doing the above in the
On Sat, Nov 09, 2013, Christian Heimes wrote:
Am 10.10.2013 13:58, schrieb Dr. Stephen Henson:
I think you should be using CertGetCertificateContextProperty with a
propid of
CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
these might be aliased as I think
On Sun, Nov 10, 2013, Dr. Stephen Henson wrote:
I've finally had a chance to check out some of these suggested methods of
retrieving the trust settings.
Everything I've tried so far just returns a copy of the certificate's extended
key usage extension in various forms. This is useless
On Thu, Nov 07, 2013, Marcelo Cerri wrote:
Hi, any news on that?
On Tue, Oct 29, 2013 at 05:01:03PM -0200, Marcelo Cerri wrote:
In some platforms, such as POWER, char is defined as unsigned. This
patch fix a problem when comparing a char to -1.
Signed-off-by: Marcelo Cerri
On Thu, Nov 07, 2013, Salz, Rich wrote:
I think a better way to do this would be to have a config param that set the
minimum acceptable size. I.e., a #define
I think the best option is to have a compile time default with a runtime
override for this and other related issues. The idea being
On Wed, Nov 06, 2013, Rob Stradling wrote:
These 2 #defines exist for SSL_CTX->extra_certs:
SSL_CTX_add_extra_chain_cert
SSL_CTX_get_extra_chain_certs
SSL_CTX_clear_extra_chain_certs
In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me
to specify different chains for
On Fri, Nov 01, 2013, Rob Stradling wrote:
Hi. When I build the latest development version of httpd or nginx
against the OpenSSL_1_0_2-stable branch, the ECDHE-RSA and
ECDHE-ECDSA ciphers don't work. With both webservers, I can get
these ciphers to work by either...
1. Deleting:
On Fri, Nov 01, 2013, Piotr Sikora wrote:
Hey,
I think it's a bug in OpenSSL 1.0.2. It shouldn't break anything that works
in
previous versions, at least not without a very good reason.
I'll look into it.
I already reported / patched this a while ago (with no response):
On Tue, Oct 29, 2013, ?? ??? wrote:
Hi all!
I've noticed that SSL_CTX_add_extra_chain_cert (actually
ss3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes
X509 cert to context's cert stack. This means that I'm unable to free
original certificate because double memory
On Tue, Oct 29, 2013, Daniel Kahn Gillmor wrote:
On 10/29/2013 02:03 PM, Dr. Stephen Henson wrote:
On Tue, Oct 29, 2013, ?? ??? wrote:
I've noticed that SSL_CTX_add_extra_chain_cert (actually
ss3_ctx_ctrl (..., SSL_CTRL_EXTRA_CHAIN_CERT, ..., ...)) just pushes
X509 cert
On Tue, Oct 29, 2013, Salz, Rich wrote:
You don't and shouldn't free it: it will be free when the SSL_CTX it is
added to is freed.
In other words, if you want a local copy, bump the refcount for yourself.
Right?
Yes. Unfortunately there isn't a function that does that at present and
On Wed, Oct 09, 2013, Brad House wrote:
On 10/9/13 12:14 PM, Dr. Stephen Henson wrote:
Before I get flooded with suggestions.. I know how to get a Windows
certificate into an X509 structure: I wrote the CAPI engine code that does
it.
What I don't know (and which no thread I've read helps
On Mon, Oct 07, 2013, nehakochar wrote:
I solved it. It was an issue with the way my application had to use the
OpenSSL globals for appropriate application threading environment.
Thank you Steve for answering my questions promptly.
Thank you for the update. I'm very relieved it isn't a
On Tue, Oct 08, 2013, Perrow, Graeme wrote:
Thanks for your response. I did not know this functionality was in OpenSSL,
so this may make my work much easier. I have two further questions:
1. Is there any documentation anywhere on this engine? All I've found is a
few previous postings on
On Wed, Oct 09, 2013, Frank Gross wrote:
To use Windows keystore in openssl, I did following:
At application startup, I use the windows API to get all trusted
certificates from Key store. Then for each of them, I create the
openssl X509 one via d2i_X509() and register it into the openssl
On Mon, Sep 30, 2013, nehakochar wrote:
It should never happen in practice unless something bad has happened such
as
memory corruption. For example there is a variable which simulates a
failure
of the test which might be overwritten if something writes over memory.
It is not memory
101 - 200 of 1282 matches