On Fri, Jun 10, 2011, Ben Laurie wrote:
> Hmm. This looks like the start of a version fight between FIPS and
> non-FIPS builds!
>
The ordinals will be synced between builds so anything in 1.0.1 has the same
ordinal in head. That can be done by just copying libeay.num from 1.0.1 to
HEAD before "m
On Wed, Jun 08, 2011, Thor Lancelot Simon wrote:
> On Tue, Jun 07, 2011 at 10:58:20PM -0600, Guan Jun He wrote:
> > Hi, Openssl Developpers:
> >
> > We have a platform with cryptographic hardware,and we try to take
> > advantage
> > of the platform's hardware cryptographic features.But openSS
On Wed, Jun 01, 2011, Chenchu, Rakesh R wrote:
> Hi Steve,
>
> Also, EVP_DecryptInit_ex() expects a ENGINE *impl
>
> 271 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER
> *cipher, ENGINE *impl,
> 272const unsigned char *key, const unsigned char *iv)
> 273
On Wed, Jun 01, 2011, Chenchu, Rakesh R wrote:
> Hi Stephen,
>
> I want to understand a bit more on this padding.
>
> Why should we have to leave padding intact here?
>
It depends on whether the ciphertext uses padding or not, you have to be
consistent.
> Should the call EVP_CIPHER_CTX_init m
On Wed, Jun 01, 2011, Chenchu, Rakesh R wrote:
> Hi Dave,
>
> Thanks for the response. The OID I passed was:
> .1.3.6.1.4.1.789.1.25.1.1 or
> Something like this:
> snmpwalk -v3 -l authPriv -u snmpsha -a SHA -A otci1234 -x DES -X
> otci1234 10.72.43.201 .1.3.6.1.4.1.789.1.5.8.1.1 (It just displ
On Fri, May 27, 2011, Joakim Tjernlund wrote:
>
> SEGV backtrace:
> 417[2011-05-27 11:11:50.897]:[bt] Got signal SEGV, faulty address is (nil),
> from 0xf8bd1b0
> 418[2011-05-27 11:11:50.897]:[bt] Execution path:
> 419[2011-05-27 11:11:50.924]:[bt] /lib/libc.so.6(strcmp+0x10) [0xf8bd1b0]
> 420[2
On Wed, May 18, 2011, Henrik Grindal Bakken wrote:
> "Dr. Stephen Henson" writes:
>
> > On Mon, May 16, 2011, Henrik Grindal Bakken wrote:
> >
> >> This sounded a bit weird to me, since I've tried my best to set up
> >> my application to use o
On Mon, May 16, 2011, Henrik Grindal Bakken wrote:
>
> Hi. I'm trying to test the current CVS HEAD with
> FIPS_set_module_mode(1).
>
> It's looking fairly promising to me, but I currently have one problem:
> While performing an SSL handshake, I get
> 1208113320:error:060A80A3:digital envelope r
On Fri, May 13, 2011, The Doctor wrote:
> What is happening?
>
> No Fips in the Openssl 1.0.1 STABLe.
>
It never was in 1.0.1-stable. A bug with the snapshot generation meant that
HEAD was incorrectly being tared as 1.0.1 in shapshots in fact it was
tared as 1.0.0 and 0.9.8 too. That is fixed n
On Thu, May 12, 2011, Dr. Stephen Henson wrote:
> On Wed, May 11, 2011, The Doctor wrote:
>
> >
> > Script started on Wed May 11 22:35:28 2011
> > doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110512$ gmake
>
> Erk! The snapshots are all messed u
On Wed, May 11, 2011, The Doctor wrote:
>
> Script started on Wed May 11 22:35:28 2011
> doctor.nl2k.ab.ca//usr/source/openssl-1.0.1-stable-SNAP-20110512$ gmake
Erk! The snapshots are all messed up and are all coming from HEAD instead of
the correct branches! I'll look into it.
Steve.
--
Dr Ste
On Thu, Apr 07, 2011, Laszlo Papp wrote:
> Hi,
>
> >From the code:
> http://cvs.openssl.org/fileview?f=openssl/ssl/s23_clnt.c&v=1.50
>
> I think the "if (s->s3 != NULL) check from the ssl23_get_server_hello
> method could be
> eliminated since it contains a quite redundant checking.
>
> "s->s3"
On Sun, Mar 27, 2011, Massimiliano Pala wrote:
> Hello,
>
> it seems that there are two different encoding versions when encoding
> EC keys. In particular, if using the EVP_PKEY_() the version is set to
> "0" - and that is incompatible with software other than OpenSSL.
> Here's an example:
>
> -
On Tue, Mar 22, 2011, Massimiliano Pala wrote:
> Hello Peter, all,
>
> thanks for the hint.. but I was actually looking more at a way to check if
> a certificate has been signed with one of the curves you listed. Maybe it is
> not possible, but it would be nice to be able to say "this certificate
On Mon, Mar 21, 2011, Steven M. Schweda wrote:
>Working on SNAP-20110321 on VMS, there seems to be a new, possibly
> significant compiler complaint in crypto/evp/evp_enc.c:
>
> if (i < 0)
> ^
> %CC-I-QUESTCOMPARE, In this statement, the unsigned expression "i
On Sun, Mar 20, 2011, Darryl L. Miles wrote:
>
> I have two patches ready now for fixing/providing:
> * MinGW compliation support (from cmd.exe) and another for
> * MinGW64 (cross) compilation support (from cmd.exe)
>
> This is in relation to my recent thread (of last week): "MinGW
> building
On Sat, Mar 12, 2011, Ben Laurie wrote:
> On 12/03/2011 17:27, Dr. Stephen Henson wrote:
> > OpenSSL CVS Repository
> > http://cvs.openssl.org/
> >
> >
> >
> > Server
On Thu, Mar 10, 2011, Paul Suhler wrote:
> Hi, developers.
>
> I've found some problems in fips.c when either of the above symbols is
> defined. For example, dsa.h and ecdsa.h are unconditionally included,
> but they contain #error statements triggered by the symbols. Moreover,
> symbols from t
On Tue, Mar 08, 2011, Steven M. Schweda wrote:
>There seems to be some evidence that argv[] _should_ be
> NULL-terminated, which would seem to shift the the blame for the
> misbehavior of the "apps/" programs (on Alpha with 64-bit pointers) from
> programs themselves to HP's C compiler team.
>
On Thu, Feb 24, 2011, Hanno Bck wrote:
> Hi,
>
> I was wondering if openssl CVS head is capable of doing cms signing
> with rsa pss. Seems not, openssl cms doesn't recognize the
> -sigopt rsa_padding_mode:pss
> parameter.
>
>
No it isn't currently supported. It will need some API extensions to
On Tue, Feb 22, 2011, Nilesh Vaghela wrote:
> Hi,
> I have asked this question in earlier post also and I would repeat.
>
> can I know that DTLS in 1.0.1 supports FIPS ?
> If not, do we have plans to support FIPS in future and if possible timeframe
> ?
>
> We are working with one custmomer
On Fri, Feb 18, 2011, Patrick Patterson wrote:
> Hi Steve:
>
> On 2011-02-18, at 1:29 PM, Dr. Stephen Henson wrote:
> >
> > I'm not sure what you mean by "wrapped in an explicit application tag".
>
>
> What I mean is that I have the usual enc
On Fri, Feb 18, 2011, Patrick Patterson wrote:
> Hello all:
>
> I've recently run into a situation where I need to generate a CMS
> ContentInfo Structure, but wrapped in an explicit application tag. I notice
> that with all of the great work that Steve and other's have done, that it's
> now possi
On Mon, Feb 14, 2011, Nilesh Vaghela wrote:
>
> 2. For us it is very important that we have FIPS support in Application. In
> 0.9.8 TLS we had FIPS.
> Also release notes states that FIPS support is there. But do we have FIPS for
> DTLS ?
>
FIPS 140-2 support is not in OpenSSL 1.0.0.
Steve.
On Fri, Feb 04, 2011, Roumen Petrov wrote:
> Stephen Henson via RT wrote:
>>> [open...@roumenpetrov.info - Thu Feb 03 16:36:58 2011]:
>>>
>>> The mingw cross-build of current HEAD(2011-01-31) fail :
>>> WARNING: mkdef.pl doesn't know the following algorithms:
>>> NEXTPROTONEG
>>> Creatin
On Tue, Jan 11, 2011, Paul Suhler wrote:
>
>
> =
>
> Are you aware of the speed complaints and speculations about a trapdoor
> in Dual_EC_DRBG?
>
> http://en.wikipedia.org/wiki/Dual_EC_DRBG
>
Yes, I'm aware of them. The DRBG will most likely be cipher or hash based,
On Tue, Jan 11, 2011, Xiao, Ying wrote:
> Hi Steve,
>
> Sorry for the same questions asked many times by Openssl users.
>
> Will the new random number generator specified in FIPS SP80-900 be
> included or planned to be include in the openssl v1.2.2 modules. I don't
> see it in the source code.
>
On Sun, Jan 09, 2011, Andrey Kulikov wrote:
> Hello,
>
> I'm exploring how to implement custom engine, and can't undestand the
> purpose of EVP_PKEY_derive() function.
> It is possible to set pointer to it's implementation using
> EVP_PKEY_meth_set_derive() call.
>
> But it used only in *pkeyutl
On Tue, Jan 04, 2011, Andrey Kulikov wrote:
> Thanks for a explanations.
>
> Let's consider following main, using ccgost engine:
>
> main(){
>
> OPENSSL_config(NULL);
> ENGINE *e = ENGINE_by_id("gost");
> ENGINE_init(e);
> ENGINE_free(e);
> ENGINE_set_default(e, ENGINE_METHO
On Tue, Jan 04, 2011, Andrey Kulikov wrote:
> If we take a look at any ENGINE_load_XXX function, we find that they all has
> similar structure:
>
> ENGINE *toadd = engine_XXX();
> if(!toadd) return;
> ENGINE_add(toadd);
> ENGINE_free(toadd);
> ERR_clear_error();
>
> My questi
On Wed, Dec 29, 2010, Muneeswaran Raju via RT wrote:
> Hi,
>
> I haven't got any ccm support files. Can you please help me to locate the
> CCM files.
>
This was not a bug and shouldn't have been sent to the request tracker.
The CCM files are in CVS head and can be downloaded as a snapshot: th
On Thu, Dec 23, 2010, Muneeswaran Raju wrote:
> Hi,
>
> I recently downloaded the version "openssl-1.0.0c". I am not to fine AES-CCM
> encryption. Can you please help me to locate AES_CCM encryption.
>
CCM (and GCM) support is not in OpenSSL 1.0.0x, it is only currently in the
unreleased HEAD (
On Mon, Dec 06, 2010, Jean-Marc Desperrier wrote:
> OpenSSL wrote:
>> OpenSSL Ciphersuite Downgrade Attack
>> =
>>
>> A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
>> workaround allows malicous clients to modify the stored session cac
On Sat, Dec 04, 2010, Richard Levitte wrote:
> That change makes no sense to me. What is it supposed to fix, and how
> does it help ignore leading null fields?
>
Before this change there was an entry (at least on WIN32) for an ENGINE called
".dll". The reason it works is mentioned in perlfunc:
On Fri, Dec 03, 2010, Tim Hollebeek wrote:
> Are these changes outside of the "FIPS Object Module" ?
> We want to upgrade, but need to be running in FIPS mode.
>
None of the changes affect FIPS, just link with the 1.2.x module.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Co
On Thu, Nov 25, 2010, Robert Dugal wrote:
> Doesn't work. Causes a segfault in EVP_DigestUpdate() because the ctx->update
> pointer is NULL.
> This is because without type->ctx_size being nonzero the update method is not
> set in EVP_DigestInit_ex().
> See this code in EVP_DigestInit_ex()
>
Ca
On Thu, Nov 25, 2010, Robert Dugal wrote:
> I am developing an ENGINE for OpenSSL 1.0.0a and 0.9.8o. Among other things
> this engine implements digest methods like SHA1.
>
> While testing this engine I discovered memory leaks when using
> PEM_write_bio_PKCS8PrivateKey().
> I traced the leak ba
On Thu, Nov 25, 2010, Mounir IDRASSI wrote:
>
> As discovered 7 months ago, OpenSSL wrongly returns an error if the
> ServerHello is missing the Supported Point Format extension. This
> contradicts RFC 4492 that clearly states that in this case the client
> should interpret it as only uncompres
On Fri, Nov 19, 2010, Richard Levitte wrote:
> In message <20101118.230638.437297155.rich...@levitte.org> on Thu, 18 Nov
> 2010 23:06:38 +0100 (CET), Richard Levitte said:
>
> richard> I'm trying to catch up on VMS fixes, and with the 0.9.8 and 1.0.0
> richard> series, it seems pretty straightf
On Thu, Nov 18, 2010, Richard Levitte wrote:
> I'm trying to catch up on VMS fixes, and with the 0.9.8 and 1.0.0
> series, it seems pretty straightforward.
>
> With 1.0.1 (in development), it seems like things are going down,
> pretty much.
>
At least with 1.0.1 we can totally overhaul the thin
On Tue, Nov 16, 2010, Patrick Patterson wrote:
> Hi Steve:
>
> On 2010-11-16, at 7:54 AM, Dr. Stephen Henson wrote:
>
> >
> > Actually it is being set. The cms utility makes use of OpenSSL ASN1
> > diagnostic
> > printing routines you can do this:
>
On Mon, Nov 15, 2010, Patrick Patterson wrote:
> Hi Steve:
>
> On 2010-11-15, at 1:29 PM, Dr. Stephen Henson wrote:
>
> > On Mon, Nov 15, 2010, Patrick Patterson wrote:
> >>
> >> 1: Why SID isn't getting set.
> >>
> >
>
On Tue, Nov 16, 2010, Valery Blazhnov wrote:
> 15.11.2010 19:55, Dr. Stephen Henson ??:
>> On Mon, Nov 15, 2010, Valery Blazhnov wrote:
>>
>>> I need an advice on usind EVP_SignFinal function with two private key
>>> objects stored on two different to
On Mon, Nov 15, 2010, Patrick Patterson wrote:
> Hi Steve:
>
> On 2010-11-15, at 11:43 AM, Dr. Stephen Henson wrote:
>
> > On Mon, Nov 15, 2010, Patrick Patterson wrote:
> >
> > If you call CMS_dataInit() with a NULL BIO it should make use of any content
> &
On Mon, Nov 15, 2010, Valery Blazhnov wrote:
> I need an advice on usind EVP_SignFinal function with two private key
> objects stored on two different tokens. I can use two PKCS11 engine
> instances to access these objects in low-level functions. But EVP_SignFinal
> implementation uses EVP_PKE
On Mon, Nov 15, 2010, Patrick Patterson wrote:
>
> 2: How would I go about signing this structure - I already have the data I
> need in eContent, so I don't think that it would be THAT interesting to dump
> it out into a BIO just to use a higher level function? I understand the
> utility of us
On Sun, Nov 14, 2010, Andrey Kulikov wrote:
>
> When I specify -tls1 option both to s_server and s_client, everything
> become work fine, even with 1.0.0a.
>
>
> But, dear Guru, would you like be so kind to enlighten us, ignorami,
> why GOST ciphersuites don't work with SSLv3?
> Is it a OpenSSL
On Sat, Nov 13, 2010, Andrey Kulikov wrote:
> Hello,
>
> On 13 November 2010 03:33, Dr. Stephen Henson wrote:
> >
> > I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1
> > which
> > is the default for OpenSSL 1.0.1. If you include
On Sat, Nov 13, 2010, Andrey Kulikov wrote:
> Hello,
>
> On 13 November 2010 03:33, Dr. Stephen Henson wrote:
> >
> > I've just tried 1.0.1 and it does have a problem with GOST and TLS v1.1
> > which
> > is the default for OpenSSL 1.0.1. If you include
On Sat, Nov 13, 2010, Andrey Kulikov wrote:
> Sorry, previous email is about 1.0.1 latest snapshot.
>
> I just checked with 1.0.1
> ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz
>
> Results exactly the same.
> If you'll need any details - please let me know.
>
I've j
On Sat, Nov 13, 2010, Andrey Kulikov wrote:
> Sorry, previous email is about 1.0.1 latest snapshot.
>
> I just checked with 1.0.1
> ftp://ftp.openssl.org/snapshot/openssl-1.0.0-stable-SNAP-20101112.tar.gz
>
> Results exactly the same.
> If you'll need any details - please let me know.
>
Did yo
On Fri, Nov 12, 2010, Andrey Kulikov wrote:
> Hello,
>
> I'm trying to make s_server and s_client work with GOST encryption
> using ccgost engine and certificates with GOST algos.
> But it unable to work, complaining to bad mac computing.
> (If I use RSA-based certificates, everything works just
On Fri, Oct 29, 2010, Bogdan Harjoc wrote:
> Attached is a Configure patch for generating debug VC-WIN64 build
> targets (to have identical WIN64 and WIN32 targets).
>
Patch applied, thanks for the report.
Please send patches and but reports to RT in future.
Steve.
--
Dr Stephen N. Henson. Ope
On Fri, Oct 29, 2010, Bogdan Harjoc wrote:
> Attached is a minor patch that fixes debug builds with MSVC on win32.
>
A fix for this was applied to CVS a while ago which should be in snapshots and
will appear in the next release.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Co
On Wed, Nov 10, 2010, Andrey Kulikov wrote:
> Hello,
>
> I've got a problem with calculating gost-mac using Openssl 1.0.0a
> May be problem with cmd options, but I was unable to find out how to get it
> work
>
Try:
openssl dgst -engin gost -mac gost-mac -macopt key: README
Steve.
--
Dr Steph
On Wed, Nov 03, 2010, Valery Blazhnov wrote:
> Yes, but EVP_PKEY_CTX_new() may be called and is really called sometimes
> in OpenSSL functions with NULL engine. In that case ENGINE_init(e) is not
> called in int_ctx_new() but then we get engine with
> e = ENGINE_get_pkey_meth_engine(id);
> and
On Tue, Nov 02, 2010, Valery Blazhnov wrote:
> Hi,
>
> Let us see into int_ctx_new() function in the pmeth_lib.c file. We see
> there
>
> ret->engine = e;
>
> for EVP_PKEY_CTX context ret without any attempt to increase engine
> references.
It is incremented higher up int_ctx_new():
On Wed, Oct 27, 2010, Paul Suhler wrote:
> Hi, everyone.
>
> With the introduction of the EVP_PKEY_CTX_* functions in 1.0.0a, it
> appears that EVP_SignFinal() now frees the EVP_PKEY it receives as its
> first argument. In particular, the function now calls
> EVP_PKEY_CTX_free(), which calls EVP
On Mon, Oct 18, 2010, Grant Averett wrote:
>
> Even specifying a different base address doesn't fix the problem. I have a
> different default address that the DLL consistently gets relocated to but
> changing the preferred base address of libeay32 to that address still doesn't
> work. The DLL
On Sun, Oct 17, 2010, Martin Bolet wrote:
> The documentation still lists the 'openssl ts' command but I couldn't find
> it in the source code anymore.
>
It is in apps/ts.c in OpenSSL 1.0.0 and later.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now a
On Sun, Oct 17, 2010, aerow...@gmail.com wrote:
> Ugh. This is worse than I thought. It's *intermittently* failing like
> that. After a few more minutes, I tried it again, and got the expected
> output.
>
> Is there some way to specify a base address during the creation of the DLL,
> after t
On Sat, Oct 16, 2010, Grant Averett wrote:
>
> Hello, I've successfully built the validated FIPS object module and OpenSSL
> 0.9.8o on Windows with Visual Studio 2008 many times (both an x86 and x64
> version) without issue and I can successfully build both with Visual Studio
> 2010. However, th
On Wed, Oct 13, 2010, Henrik Grindal Bakken wrote:
> "Dr. Stephen Henson" writes:
>
> > On Tue, Oct 12, 2010, Hanno Bck wrote:
> >
> >> Hi,
> >>
> >> I wanted to ask if there are any plans when openssl 1.1 or at least
> >> a pre/a
On Tue, Oct 12, 2010, Hanno Bck wrote:
> Hi,
>
> I wanted to ask if there are any plans when openssl 1.1 or at least a
> pre/alpha/beta-version of it is going to be released.
>
> (the background I'm asking this is that I'm currently interested in the usage
> of RSA-PSS signatures - university
On Wed, Sep 22, 2010, Gregory Bellier wrote:
> 2010/9/22 Dr. Stephen Henson
>
> > A better way is to create a NID dynamically using OBJ_create() and use that
> > instead.
> >
> Could you be more specific and give some more details ?
>
http://www.openssl.or
On Tue, Sep 21, 2010, Gregory Bellier wrote:
> Hi all !
>
> I'm currently playing with openssl-0.9.8o to add a cipher in it (just for
> fun).
>
> I noticed in crypto/objects that 2 files (obj_dat.h and obj_mac.h) are
> automatically generated from scripts which read obj_mac.num and objects.txt.
Just to add a data point to this discussion. There is a mechanism in OpenSSL
to avoid reencoding an ASN1 structure and to just cache the received encoding.
This is currently used in a few places already for various reasons. This has
an advantage in that it makes certificate verification quicker an
On Wed, Aug 18, 2010, Kriloff wrote:
> Is there a reason why RSA_sign() blocks anything that isn't a TLS
> signature in FIPS mode?
> OpenSSH ssh_rsa_sign() function calls RSA_sign() with nid=NID_sha1 for
> key signing, but given the code in OpenSSL RSA_sign() it fails with
> "operation not allowed
On Mon, Jul 26, 2010, Rajesh Kumar wrote:
>
> We have our code directly referring to the ENGINE_load_ functions, due
> to which the linker errors are seen while using the 1.0.0a version.
>
Why do you do that instead of loading them all or referring to individual
named ENGINEs?
Steve.
--
Dr
On Mon, Jul 26, 2010, Rajesh Kumar wrote:
>
> This is Rajesh Kumar from CISCO. We are using the Openssl libraries in our
> project in the Win 32 enviroment.
>
> We were using 0.9.8l version of the library earlier. We are now trying to
> migrate to 1.0.0a version.
>
> While building the 1.0.0a v
On Mon, Jul 19, 2010, David Woodhouse wrote:
> On Mon, 2010-07-19 at 18:26 +0200, Dr. Stephen Henson wrote:
> > It should work without that if the application explicitly sets the crypto
> > ENGINE to use for example with the SSLCryptoDevice directive in mod_ssl or
> > via
&
On Mon, Jul 19, 2010, David Woodhouse wrote:
> On Mon, 2010-07-19 at 14:25 +0200, Stephen Henson via RT wrote:
> > > [miroslav.za...@skype.net - Mon Jul 19 11:07:34 2010]:
> > >
> > > Here is the backtrace. The table was not empty, this is the content:
> > >
> > > (gdb) print **table
> > > $3 =
On Wed, Jul 14, 2010, Inganti, Dheeraj wrote:
> Hi,
>
> I am trying to generate a certificate request and was trying to add
> 'otherName' type in SubjectAlternate name extension. I have below code to
> add the otherName.
>
> add_ext(exts, NID_subject_alt_name,
> "otherName:1.3.6.1.4.1.311.20.2.3
On Wed, Jul 14, 2010, aerow...@gmail.com wrote:
> The configuration, as distributed by the project, *SHOULD BE* a concern of
> the OpenSSL team. It is incompatible with RFC 5280.
>
OpenSSL 1.0 changed this to only use issuer+serial number if keyid is absent.
Steve.
--
Dr Stephen N. Henson. Ope
On Tue, Jul 13, 2010, aerow...@gmail.com wrote:
> The biggest features that OpenSSL needs right now (and please note that
> these are my opinions, as I'm not a member of the OpenSSL development team)
> are TLS 1.1 (RFC 4346) and TLS 1.2 (RFC 5246) support. Secure
> renegotiation indication is
On Thu, Jul 01, 2010, Rahul Srinivas wrote:
> Hi,
>
> Are there any plans to include SRP support (RFC 5054) in OpenSSL ? I saw
> that a patch was available at
> http://rt.openssl.org/Ticket/Display.html?id=1794 .
>
It is likely to be included at some point. That is a complex contribution
which
On Wed, Jun 16, 2010, Richard Levitte wrote:
> In message <20100615164403.ga38...@openssl.org> on Tue, 15 Jun 2010 18:44:03
> +0200, "Dr. Stephen Henson" said:
>
> If that piece of code is such a small source of entropy, it's quite
> possible we can rem
On Mon, Jun 14, 2010, Nicholas Maniscalco wrote:
> William A. Rowe Jr. wrote:
>> On 6/14/2010 7:59 PM, Nicholas Maniscalco wrote:
>>> Is using OpenSSL built with the PURIFY flag considered "secure"?
>>> I ask because I came across this comment, in md_rand.c:
>>>
>>> #ifndef PURIFY /* purify compla
On Sat, Jun 12, 2010, Ben Laurie wrote:
> OpenSSL CVS Repository
> http://cvs.openssl.org/
>
>
> Server: cvs.openssl.org Name: Ben Laurie
> Root: /v/openssl/cvs Email: b.
D-Controllers ["we can use SW raid"] or TPM modules ["noone uses them
> anyway"]).
>
Erm, I didn't mention TPMs. The email below was misquoted.
>
>
> > On Thu, 2010-06-03 at 18:04 +0200, Dr. Stephen Henson wrote:
> >> If you mean private key se
On Thu, Jun 03, 2010, Martin Gwerder wrote:
>
> This modification of the OpenSSL library would allow to make the
> certificates more secure and allow applications without (!) any code
> modification (just by linking against the CSP capable OpenSSL library) to
> support the CSP.
>
I'm more than
On Wed, Jun 02, 2010, Arunkumar Manickam wrote:
> Hi,
>
> with openssl 1.0, x509_vfy.c, check_cert function loops in to issue
> callback get_crl on a condition ctx->current_reasons != CRLDP_ALL_REASONS .
>
> Can some one explain what is the use of CRLDP_ALL_REASONS and who should set
> ctx->cur
On Mon, May 24, 2010, Sander Temme wrote:
>
> On May 21, 2010, at 5:58 PM, Dr. Stephen Henson wrote:
>
> > On Fri, May 21, 2010, Sander Temme wrote:
> >
> <..>
> >> What would be best?
> >>
> >
> > Unfortunately there is no way
On Fri, May 21, 2010, Sander Temme wrote:
> Folks,
>
> I have been working for several days to track down an issue where Apache
> segfault on startup, most of the time, but ONLY on Red Hat and ONLY when the
> CHIL engine is enabled.
>
> I'm working with OpenSSL, Apache and APR HEAD on an up-t
On Tue, May 18, 2010, Martin Kaiser wrote:
> Hello Steve, all,
>
> Thus wrote Stephen Henson via RT (r...@openssl.org):
>
> > OpenSSL doesn't claim binary compatibility across major version changes:
> > in general recompiling source against different major versions is
> > recommended.
>
> > Acc
On Thu, May 06, 2010, Eric Murray wrote:
>
>
> How do you point to a dir (hashed by c_rehash)
> of trusted CA files (for clients verifying
> server certs) in openssl.cnf? Is it the 'certs' directive?
>
You can't. Currently there is no option to do that. In future a configuration
module might
On Mon, May 03, 2010, Steven M. Schweda wrote:
> > http://antinode.info/ftp/openssl/1_0_0/test/
>
>Now contains some new and updated files to add a helper program for
> the perl system() function on VMS systems.
>
Is there any way to redirect standard output and error to different fil
On Mon, May 03, 2010, Steven M. Schweda wrote:
> > [...] (One might question the cleverness of that stuff
> > being case-sensitive, of course.)
>
>I believe that I shall. Realizing that leaving "VMS" in the subject
> line will probably cause this inquiry to sink without trace, I continue,
>
On Thu, Apr 29, 2010, Modem Man wrote:
> wait a minute...
>
> ms\nt.mak (and compareable ntdll.mak) with original .pl file:
> CFLAG= /MTd /Od -DDEBUG -D_DEBUG -DOPENSSL_THREADS -DDSO_WIN32 -W3 -WX
> -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN
> -DL_ENDIAN -D_CRT_SECURE
On Wed, Apr 28, 2010, Modem Man wrote:
> Stephen Henson via RT schrieb:
> >> [mounir.idra...@idrix.net - Mon Apr 26 20:18:42 2010]:
> >>
> >> Hi,
> >>
> >> This patch adds the /Zi switch to CFLAG in the debug configuration in
> >> order to permit stepping inside OpenSSL code during debug sessions
On Tue, Apr 27, 2010, William Rowe wrote:
> http://openssl.org/docs/fips/fipsnotes.html
>
> contains a spurious reference to
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1058.pdf,
> which was
> supposed to link to 140sp1051.pdf.
Thanks for reporting that. Fixed now.
Steve.
On Wed, Apr 14, 2010, Phillip Hellewell wrote:
> I've noticed when calling PEM_read_bio_X509() on a bogus file it has to read
> *the entire file* before it fails and returns NULL, whereas other functions
> like d2i_PKCS7_bio and d2i_PKCS12_bio() fail after reading just a small
> amount.
>
> Can w
On Tue, Apr 13, 2010, Richard Levitte wrote:
> Steven, I've made a number of changes in the 1.0.0 branch, all
> according to what I received from you a couple of weeks ago.
>
> It builds and seems to test fine for me, but I haven't checked
> everything and I'm sure there are things I have missed.
On Mon, Apr 12, 2010, Klaus Heinrich Kiwi wrote:
> On Fri, 9 Apr 2010 11:58:57 -0300
> Klaus Heinrich Kiwi wrote:
>
> > Is there a way to register a RSA dynamic engine that would only
> > support e.g. RSA512 to RSA2048, leaving RSA4096 for OpenSSL to deal
> > with?
> >
> > I noted that ENGINE_s
On Thu, Apr 08, 2010, NormW via RT wrote:
> Hi,
> If I try to build for win32 I do:
>
> > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
>
> then (via ms\do_nasm.bat)
> > perl util\mkfiles.pl >MINFO
> > perl util\mk1mf.pl dll nasm VC-WIN32 >ms\ntdll.mak
>
> I get ms\ntdll.mak that include
On Thu, Apr 08, 2010, Valery Blazhnov wrote:
> I got an error using ccgost engine to generate MAC value with command:
>
> openssl dgst -mac gost-mac -binary -macopt
> hexkey:313233343536373839303132333453637383930313233343536373839303132 -out
> mac.bin data.bin
>
> Error setting context
> 1424:e
On Tue, Mar 30, 2010, Jeff Davey wrote:
> doing ./config no-comp ; make on OpenSSL 0.9.8n I get this:
>
> gcc -I../crypto -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -m64
> -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_BN_ASM_MONT
> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAE
On Tue, Mar 30, 2010, Arpadffy Zoltan wrote:
> Hello,
>
> I am happy that 1.0.0 is released. Thank you all for the hard work and time
> spent for the community.
>
> I was really hoping and looking for a VMS ready 1.0.0 release. Some of us
> have sent many patches, suggestions - unfortunately, n
On Mon, Mar 29, 2010, Tanguy Fautre wrote:
>
> - The documentation about the lock callback is deeply buried and not clear.
> Such an important point as thread-safety should surely be one of the first
> documented points instead of being buried and scattered in the
> documentation.
>
Erm it is f
On Mon, Mar 29, 2010, Susumu Sai wrote:
> When I use FIPS capable OpenSSL through Java JNI, I got error:
> "3392:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint
> does not match nonpic relocated:.\fips\fips.c:236"
> which means it failed the base address check.
> Based on O
401 - 500 of 1465 matches
Mail list logo