On Mon, Jan 11, 2010, NARUSE, Yui wrote:
(2010/01/10 23:23), Shahin Khorasani wrote:
try this
(snip)
Thanks, it works.
So I request X509_STORE_set_default_paths call this.
When this is merge, both Unix user and Windows user can use
the system's default root certificates.
I
On Mon, Jan 11, 2010, Kevin Regan wrote:
Hi Dr. Henson,
I noticed instructions in the README to send the patch to the openssl-dev
mailing list. Where can I find this request tracker?
Sending it to rt-b...@openssl.org will result in it appearing in the
request tracker. More details at:
On Tue, Jan 05, 2010, bri...@parc.com via RT wrote:
./doc/ssl/SSL_CTX_use_psk_identity_hint.pod
and
./doc/ssl/SSL_get_psk_identity.pod
have the same problem.
The problem was the bundled pod2man.pl script, that should work now.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core
On Wed, Dec 16, 2009, Peter Fry wrote:
I recently discovered that openssl doesn't use cryptodev or padlock
when compiled with the fips option (even though the engine was set..
i.e.: oepnssl speed -evp aes-128-cbc -engine padlock). It seems to me
that the engines should be used unless FIPS
On Wed, Dec 16, 2009, tushar ganguli wrote:
Hi,
I wanted to know where in the openssl source code is the subject key
identifier being generated.
Is it only the SHA1 hash (160) as mentioned in RFC3280 (4.2.1.2)?
Don't post off-topic user queries to openssl-dev.
It does use SHA1 and the
On Fri, Nov 20, 2009, Todd Short wrote:
Note: I just subscribed to the openssl-dev mailing list, please excuse me if
this has been discussed/discovered already.
It appears that DTLS handshaking was broken in 0.9.8l due to the
no-renegotiation fix. The issue appears to be as follows.
DTLS
On Thu, Nov 19, 2009, Dr. Stephen Henson wrote:
On Thu, Nov 19, 2009, Jean-Marc Desperrier wrote:
Thor Lancelot Simon wrote:
I think it's a mistake to send a fatal alert. In the past week as I've
been experimenting with this, I've encountered a number of embedded
client devices
On Thu, Nov 19, 2009, tensy joseph wrote:
Hi ALL,
I have also tested the latest snap shot of openssl . I can also experience
the same problem. It seems like now neither the normal handshake nor
renegotiation is working .
I have used to s_server and s_client to communicate the server and
On Thu, Nov 19, 2009, Thor Lancelot Simon wrote:
On Thu, Nov 19, 2009 at 02:04:43PM +0100, Dr. Stephen Henson wrote:
The version which was in 0.9.8-stable was buggy: OpenSSL tried to do an
SSLv2
compatible client hello and failed because that couldn't negotiate secure
renegotiation
On Wed, Nov 11, 2009, Tomas Hoger wrote:
This is unclear, they are banned in 0.9.8-stable, but 1.0.0beta4 seems
to allow all, even those without an extension.
Sorry about that, the port I did to 1.0.0 was broken and missed out several
changes, should be fixed by tomorrows snapshot.
Steve.
On Sun, Nov 08, 2009, David Woodhouse wrote:
I'm still trying to understand what this actually means in practice, and
who the target audience is for the various branches.
Presumably, most of the conservative OS distributions (Solaris,
Enterprise Linux distros, various BSDs) will stick with
On Sat, Nov 07, 2009, Guenter wrote:
Hi Steve,
Dr. Stephen Henson schrieb:
Oops, I forgot 0.9.8l is just 0.9.8k + the reneg patch and not 0.9.8-stable.
hmmm, that is really not what many would expect now; f.e. all folks who
reported bugs agaist 0.9.8k will now wonder why a version which
On Thu, Oct 29, 2009, dutchman1 wrote:
Hi,
I'm currently trying to authenticate a server cert with EAP-TLS and the
openssl windows libraries 0.9.8k. I'm getting the error 'unknown message
digest algorithm'. (below) The signature is encrypted with sha256 with RSA.
According to the openssl
On Tue, Oct 27, 2009, Miller, Rob (Omaha) wrote:
Hi, My question is regarding the library in FIPS mode and the FIPS_selftest
function. The current FIPS_selftest routine in 0.9.8k calls sha1, hmac,
aes, des, rsa, and dsa selftests. It doesn't call any sha256, 512 KAT
selftests and I didn't
On Sun, Oct 18, 2009, Peter Klotz wrote:
Hello
Earlier this year Number Cruncher already reported a valgrind error in
function AES_cbc_encrypt and included a two-line patch to fix it.
Please see this post for reference:
http://marc.info/?l=openssl-devm=123211846607090w=2
Please send
On Sat, Oct 17, 2009, Dale R. Anderson wrote:
Howdy. Documentation only. I noticed it says 'max' instead of 'dmax'
for the member of bignum_st in bn_internal(3SSL). So I have fixed
that, and updated the listing of the structure here, which was out of
date. I provided a short description of
On Wed, Oct 14, 2009, Huang Ying wrote:
Hi, All,
We are working on AES-NI acceleration in OpenSSL. With the help of Andy,
we have pushed the AES-NI acceleration patches into OpenSSL CVS
development branch. But It seems that the patches have not been merged
by the 1.0.0 and/or 0.9.8
On Mon, Oct 12, 2009, Victor B. Wagner wrote:
2. Make X509_LOOKUP_hash_dir lookup method honour cache field in the
X509_STORE structure. (I think that it is better to make this field
a bit mask and interpret constants X509_LU_CERT and X509_LU_CRL as
bit flags, but it would conflict with
On Tue, Oct 13, 2009, Victor B. Wagner wrote:
On 2009.10.12 at 19:00:30 +0200, Dr. Stephen Henson wrote:
Well we are in the middle of a beta relase cycle so making incompatible
changes and/or major new functionality isn't an option.
Is this (#2) a major new functionality, given
On Tue, Oct 13, 2009, Victor B. Wagner wrote:
In that vein we'd need to document X509_STORE_CTX, X509_verify_cert() and
X509_VERIFY_PARAM (and related functions). Some of this could just copy and
paste or point to some existing documentation for the verify utility.
Now I'm attaching a
On Tue, Oct 13, 2009, Victor B. Wagner wrote:
--- x509_lu.c.orig 2009-10-13 17:23:48.0 +0400
+++ x509_lu.c 2009-10-13 17:24:15.0 +0400
@@ -290,7 +290,7 @@
tmp=X509_OBJECT_retrieve_by_subject(ctx-objs,type,name);
- if
On Mon, Oct 12, 2009, Victor B. Wagner wrote:
BTW, it seems that most applications which actualy use CRLs, such as
Apache, openvpn and stunnel, do implement lookup of certicate in the CRL
in its own code, not relying on X509_V_FLAG_CRL_CHECK in X509_STORE.
In some cases CRL lookup is
On Fri, Oct 09, 2009, Kirk81 wrote:
Hello,
I found your example of ECDSA_do_sign/verify very uselful.
Now I'm trying to modify the code and I would like to use an SHA-256's
message digest in your sign function. Something like:
unsigned char obuf[32];
SHA-256(data, len, obuf);
On Mon, Oct 12, 2009, Victor B. Wagner wrote:
On 2009.10.12 at 14:49:23 +0200, Dr. Stephen Henson wrote:
On Mon, Oct 12, 2009, Victor B. Wagner wrote:
BTW, it seems that most applications which actualy use CRLs, such as
Apache, openvpn and stunnel, do implement lookup
On Thu, Oct 01, 2009, joshi chandran wrote:
Hi Stephen,
I have another query ...
If i have an client application which is using a openssl 9.8k and
tries to connect to server which has older openssl 9.8d which do not
have support for tls extension. will the handshake fails in this case?
On Thu, Oct 01, 2009, joshi chandran wrote:
In OpenSSL 0.9.8j and later extension support is included by default. There
is
one extension which is sent automatically: the session ticket extension. If
you disable this with the appropriate flag then extensions will not be used.
On Mon, Sep 21, 2009, Moribius wrote:
Hello,
I need to find a key in a certificate to crypt data with it,
Firstly, I'm using X509_get_pubkey(...) function and I get my EVP_PKEY: ok
on this point, it works.
Secondly, I want to crypt my data with it, so I've to use
On Sun, Sep 13, 2009, Julia Lawall wrote:
The function ENGINE_ctrl sometimes returns 0 to indicate an error and
sometimes returns -1. In each of the cases below, the goal seems to be to
return 1 only in the case of success. Therefore the result of ENGINE_ctrl
should be tested using 0.
On Fri, Sep 11, 2009, Lin Hwang wrote:
Hi,
I am an Openssl newby. Recently I am trying to build FIPS module and FIPS
capable lib on a Linux system.
I notice that all the fips_xxxtest programs at link time all go through
fipsld and linked with a digest. I expect
the same thing with
On Fri, Sep 11, 2009, Mark Phalan wrote:
On 09/10/09 11:56 PM, Kurt Roeckx wrote:
I understand this. I'd like to know if 0.9.8l will be ABI/API compat with
0.9.8k - or at least that it is considered a bug if they are not ABI/API
compat. I'm unclear as to what restrictions a 0.9.9x release
On Wed, Sep 09, 2009, Thor Lancelot Simon wrote:
On Sat, Aug 29, 2009 at 05:34:04PM -0400, Steve Marquess wrote:
That this wasn't the obvious approach from the very beginning speaks
worlds about the limitations of the ENGINE interface.
The actual story of why FIPS is the way it is is rather
On Tue, Sep 08, 2009, Vineet Kumar wrote:
Thanks for clarifying that, Stephen.
Never use openssl's request racket. When I go to http://rt.openssl.org and
use the Quick ticket creation option a the bottom of the page, I get an
error: No permission to create tickets in the queue 'OpenSSL-Bugs'.
On Thu, Sep 03, 2009, Mohan, Dharmendra wrote:
When can we expect OpenSSL 1.0.0 to come out of beta? I just need an
approximate period of time - 3 months, 6 months etc.
This information will be quite helpful for me so any input will be greatly
appreciated.
Most likely less than 3
On Fri, Sep 04, 2009, The Doctor wrote:
Right, I did not see this in 20090902 but
did turn up in 20090903
Fixed now. I was sure make test passed on my system.. weird.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see:
On Fri, Sep 04, 2009, Michael Txen wrote:
On Sep 4, 2009, at 5:16 PM, Stephen Henson via RT wrote:
[seggelm...@fh-muenster.de - Fri Sep 04 13:28:50 2009]:
On Sep 4, 2009, at 1:21 PM, Stephen Henson via RT wrote:
[seggelm...@fh-muenster.de - Fri Sep 04 09:39:52 2009]:
Still wrong
On Fri, Sep 04, 2009, Vineet Kumar wrote:
I noticed in GENERAL_NAME_print() code the following parsing code which has
a bug.
When my test certificate's subjectAltName has IP Address: 2001::21
[expanded out v6 style of course], then the code below ends up printing
?::21? instead of
On Tue, Aug 11, 2009, Alexei Khlebnikov wrote:
Hi,
I've found a memory leak and a potential buffer overflow in
d2i_SSL_SESSION() function. The fix is attached. Some explanations are
below.
1) First part. Memory leak. When doing simply return(NULL), SSL_SESSION
object at a pointer is
On Tue, Aug 11, 2009, The Doctor wrote:
First Time I have seem Cannot find path to openssl/engines/ .
In FreeBSD-7.2 and64 it is a show stopper. In the old
BSDI BSD/OS 4.3.X just create directory and away you go.
Suggestion:
Can the path to openssl/engines/ point ot path to
On Tue, Aug 11, 2009, Michael Txen wrote:
On Aug 11, 2009, at 7:40 PM, Stephen Henson via RT wrote:
[seggelm...@fh-muenster.de - Mon Jul 27 17:03:25 2009]:
This patch fixes the timeout handling. The method dtls1_get_timeout()
was intended to determine the next handshake message timeout when
On Tue, Aug 11, 2009, Michael Txen wrote:
On Aug 11, 2009, at 9:15 PM, Dr. Stephen Henson wrote:
Using SSL_ctrl() in a similar way to (for example)
SSL_set_tlsext_host_name().
Do you mean using SSL_ctrl() instead of DTLSv1_get_timeout()? How should
DTLSv1_handle_timeout() be handled
On Thu, Aug 06, 2009, Thomas Harning Jr. wrote:
The SMIME generation code incorrectly hard-codes the 'micalg=sha1'
parameter. This should be parametrized to use the proper
SMIME-specified algorithm name.
OpenSSL 0.9.8k
crypto/pkcs7/pk7_mime.c
~~171-176 in SMIME_write_PKCS7
On Thu, Aug 06, 2009, Alex Lam wrote:
Hi all,
Just wondering if there is any plan to release OpenSSL 0.9.8l ?
If so, do we know when?
I'd like to stay with the 0.9.8 branch, but I do see some fixes double
committed from the 1.0.0 branch.
OpenSSL 0.9.8 will still be maintained but it
On Sun, Jul 26, 2009, Ben Laurie wrote:
+#if 0 /* not (yet?) used */
static struct {
int id;
int nid;
@@ -163,6 +164,7 @@
{ CRYPTO_SHA1, NID_sha1, 20},
{ 0,NID_undef, 0},
On Mon, Jul 27, 2009, David McCullough wrote:
Jivin Dr. Stephen Henson lays it down ...
On Sun, Jul 26, 2009, Ben Laurie wrote:
+#if 0 /* not (yet?) used */
static struct {
int id;
int nid;
@@ -163,6 +164,7
On Thu, Jul 23, 2009, Doug Claar wrote:
The current spec file doesn't support x86_64, nor rpmbuild 4.1 and
above. These two changes fix both problems.
I've applied your fix to 0.9.8, 1.0 and HEAD. Please send any reports to RT in
future, thanks.
Steve.
--
Dr Stephen N. Henson. OpenSSL
On Fri, Jul 24, 2009, Gilles PION via RT wrote:
I'm sorry to insist but, to be sure, I've just downloaded the most recent
source tarball (http://www.openssl.org/source/openssl-1.0.0-beta3.tar.gz)
and the extra $ is *still* present in the Makefile: (line 451):
dummytest$(EXE_EXT):
On Wed, Jul 22, 2009, Guenter wrote:
Hi,
in addition to the issue below I see another one when I try to build
with ASM support: although the *.asm files get generated, the mk1mf.pl
script seems no longer to put the asm objects nor the asm build rules
into the generated makefile ...
I've
On Mon, Jul 20, 2009, Guenter wrote:
HI Steve,
Dr. Stephen Henson schrieb:
OpenSSL version 1.0.0 Beta 3
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
OpenSSL is currently in a release cycle. The second beta
Andy Polyakov
Ralf S. Engelschall Richard Levitte Geoff Thorpe
Dr. Stephen Henson Bodo Möller Ulf Möller
Lutz JänickeNils Larsch
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
iQEVAwUBSl3P+qLSm3vylcdZAQKRCAf/dlT14CzAcTz4E2kpTYvDhYTnSFYuU9DJ
On Wed, Jul 15, 2009, Sander Temme wrote:
On Jul 15, 2009, at 4:57 AM, Dr. Stephen Henson wrote:
Please download and test them as soon as possible. This new OpenSSL
Mac OS X 10.5.7 on Intel.
./Configure --prefix=/UserData/asf/openssl-1.0.0b3 shared threads
zlib-dynamic darwin64-x86_64
On Fri, Jun 26, 2009, David Woodhouse wrote:
On Tue, 2009-06-02 at 13:40 +0200, Stephen Henson via RT wrote:
[dw...@infradead.org - Sun May 31 22:08:11 2009]:
It's possible for multiple certificates to have the same subject name,
and if that happens then ssl3_output_cert_chain() may
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
You may have noticed that our website has a new look. That's because we've
finally set up a proper legal structure to handle, in a more formal way,
the sponsorship and consultancy support that sustains the OpenSSL
project. Such financial support is
On Tue, Jun 16, 2009, David McCullough wrote:
Hi openssl-devs,
Just wanted to query the best openssl version for basing patches on.
I have a number of patches relating to the ocf-linux project and other
embedded linux work that I'd like to post for review and/or inclusion.
I am
On Mon, Jun 15, 2009, Kyle Hamilton wrote:
These scripts pull the latest version of the Mozilla-approved CAs.
OpenSSL is not in the business of making CA certificates available,
but having the ability to do this in the stock package might be very
good for the users. (Make sure that such a
On Mon, Jun 15, 2009, Emanuele Cesena wrote:
Hi all,
I was trying curl/libcurl compiled against OpenSSL 0.9.9.
I noticed a very strange behaviour that I was able to workaround with a
couple of sleep().
Curl fails to connect with:
curl: (52) SSL read: error:140943F2:SSL
On Sat, Jun 13, 2009, Guenter wrote:
Now due to a couple of recent changes I see that currently all 3
branches HEAD, 1_0_0 and 0_9_8 are broken for NetWare, and one of these
breaks is that compilation for CLIB does no longer work without having
BN_LLONG defined with 0_9_8 branch:
d1_pkt.c:
On Sat, May 30, 2009, Guenter wrote:
Hi,
Ger Hobbelt schrieb:
It's advised to register this at the OpenSSL issue tracker by
forwarding this to r...@openssl.org
It's no guarantee to get serviced pronto, but at least it'll get the
attention of the core devs when they have time.
(The
On Mon, May 25, 2009, Peter Waltenberg wrote:
Up to the OpenSSL team. I'm happy to do any maintenance required, but it's
up to them to merge it - or not.
Given that there are a number of people using the patch now and AES-GCM is
needed for new TLS modes, I'd hope it gets merged.
I had a
On Sun, May 24, 2009, Martin Kaiser wrote:
Hello Steve,
Thus wrote Dr. Stephen Henson (st...@openssl.org):
The best approach IMHO is to have a new pss public key algorithm to handle
the case of PSS only keys and pass the ASN1 structures down to the specific
method API via the ctrl
On Tue, May 26, 2009, Peter Waltenberg wrote:
AES-CCM also has it's own quirks which would bite if you ever wanted to
have it FIPS certified and it was used via a generic upper layer API.
By specification it's not supposed to produce decrypted output if the hash
fails which breaks the
On Fri, May 22, 2009, Martin Kaiser wrote:
Dear all,
I'm working on support for X.509 certificates with RSASSA-PSS signatures
according to PKCS1 #2.1 and RFC 4055. As I would like to come up with
something that can be included in the main tree, I'm sending this
mail to ask for your advice
On Thu, May 21, 2009, Marc Rios Valles wrote:
Hi to everybody!
I'm working in a project that needs to have a daemon that offers ocsp
responder
service.
I'm running the server as is indicated in the openssl web page:
The ocsp utility in server mode is designed for test purposes only.
On Sat, May 16, 2009, Michael Txen wrote:
Dear all,
we will revise this patch on Monday. Please do not commit.
I need to play with the IP_MTU option on a Linux system
and have a discussion with Robin.
It has already been committed but that can be reverted. I've reopened the
ticket.
Can
On Wed, Apr 22, 2009, The Doctor wrote:
Now we are on to Beta 2 , Great News.
When should expecting:
BetaX
RCX
and
the
release?
No, just BetaX (for some value of X) then release.
Also what errors or issues are we looking for in this beta?
The usual. Compilation
On Wed, Apr 22, 2009, Brad House wrote:
First, an overview...
Solaris 9, gcc 4.1.2, binutils 2.18, gnu make 3.80, fails while
assembling aes-sparcv9.s ... A similar system, with the same version of gcc,
binutils, and gnu make, but running Solaris 8 does _not_ exhibit
this behavior. Both
On Sat, Apr 18, 2009, anoopg wrote:
Hi,
I want to use the OpenSSL source code for SMIME implementation.I
downloaded the latest complete trunk of openSSL source code
(openssl-1.0.0-beta1.tar.gz ) and then built it and installed the
binaries.Build is through but, I am not able to find
On Sun, Apr 19, 2009, anoopg wrote:
Hello Dr. Henson ,
Thanks a lot for your reply.Actually, I want to extract the CMS
functionalities for SMIME using the OpenSSL source code.As you said, the CMS
structures are opaque and not exposed in public headers. I think in that
case,it must be
On Thu, Apr 16, 2009, Ouaknine, Keren wrote:
Hello,
Mazal-tov for getting Beta out. I am interested in the implementation of the
null-ciphers (when the encryption is mandatory, and clear-text used). This is
part of RFC 4785, which I didn't see in the log changes of openssl 1.0 beta.
Any
On Tue, Apr 14, 2009, Atti wrote:
First of all, I wanna apologize if I didn't reply correctly, I didn't
receive any e-mail, and I have no idea how to do it properly.
Second, sorry for not giving details, I saw the same error reported in one
of the mailing lists. One of them is here:
On Tue, Apr 14, 2009, Atti wrote:
Hy, I'm having some troubles with OpenSSL's older versions, so i decided to
rebuild the new one (1.0.0) on WIN32. I hoped this bug of some sort will
be fixed, because it was there for some time now, but it still gives the
same errors. I won't paste the errors
On Tue, Apr 07, 2009, Darryl Miles wrote:
With the announcement of OpenSSL 1.0.0 on the way, may I attempt to get
some attention on this issue for which:
* a patch exists
* a test case exists (that exposes the problem, that verifies the fix
doesn't break anything)
* multiple users
On Thu, Apr 02, 2009, Eric Norman wrote:
On Apr 2, 2009, at 3:13 PM, Kyle Hamilton wrote:
I'd prefer that IBM release whatever library they're using to identify
and handle Julian days. ;)
In case y'all didn't know, converting to/from Julian days is simple. See
On Fri, Apr 03, 2009, Tim Rice wrote:
On Fri, 3 Apr 2009, Stephen Henson via RT wrote:
[...@multitalents.net - Fri Apr 03 09:08:23 2009]:
OpenSSL_1_0_0-stable and HEAD use socklen_t.
Some platforms do not have the socklen_t data type.
I propose the following patch (also
On Thu, Apr 02, 2009, Michael Txen wrote:
Regarding gettimeofday(): It is pretty common on Unix
systems, not sure about Windows. But we can use any
other function which allows us to get the current time.
Any preferences?
Well basically anything that works on all the plethora of platforms
On Wed, Apr 01, 2009, Michael Txen wrote:
Dear OpenSSL Project Team,
are the DTLS related patches sent by Robin incorporated?
The patches have been reviewed by the original author of
the DTLS implementation and his comments have been incorporated.
We also have successfully done an intop
On Sun, Mar 29, 2009, Goetz Babin-Ebell wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Dr. Stephen Henson wrote:
Hello Steve,
did you see some pigs flying around your house ? ;-)
| Log:
| Nothing to see here... move along
Four horseman rode past asking where the pig
On Thu, Mar 26, 2009, Greaney, Kevin wrote:
Hi,
In the past, when new releases have been announced,
and particularly those related to a Security Advisory, there
have been diffs of the modules that changed. These were very
helpful in patching older versions of openssl in situations
On Wed, Mar 25, 2009, Ilya O. wrote:
Hello.
I would like to ask is there any chance that patch [1] would be
applied to upstream?
I need some extra X509 certificate fields in my project, but keeping
local openssl fork isn't thing that I would like to do.
[1]
On Mon, Mar 09, 2009, Rob Austein via RT wrote:
any chance of getting this trivial fix included sometime soon?
At Wed, 12 Nov 2008 10:36:45 +0100 (CET), OpenSSL RT wrote:
i2r_address() doesn't handle the all-zeros IPv6 address correctly
(prints : when should print ::).
Trivial
On Sun, Mar 08, 2009, Jurko Gospodneti? wrote:
Hi.
It is moderated and I just did not find time to work through the
moderation queue from Friday evening till now.
Cool. Thank you for the explanation, and sorry for the noise.
And on a related note - I have questions related to your
On Mon, Mar 02, 2009, Kurt Roeckx wrote:
Can some comment on this:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0653
Is this still a problem in 0.9.8 versions?
It was addressed in OpenSSL 0.9.5.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL
On Mon, Feb 16, 2009, Maxim Masiutin wrote:
Hello All,
I'm trying to use Diffie-Hellman implementation from OpenSSL 0.9.8j to
implement this algorithm for X.509 certificate to be used for S/MIME in
The Bat! email client (www.ritlabs.com)
Unfortunately, OpenSSL only generates
On Mon, Feb 16, 2009, Maxim Masiutin wrote:
I have a hardware token that uses static-static DH with elliptic curves (I
cannot change anything in this token and cannot force it to use Elgamal).
The mode of operation of this token is very similar to X9.42 DH, so I wanted
to implement all
On Thu, Feb 12, 2009, RussMitch wrote:
No, the test/fips_test_suite does not run correctly, here's the results:
FIPS-mode test application
1. Non-Approved cryptographic operation test...
a. Included algorithm (D-H)...successful
On Thu, Feb 12, 2009, JXu wrote:
Hi Guys,
I try to make openssl fips build under windows, In visual studio 2005
command prompt, I did following step:
1) go to c:\openssl-fips-1.2.0, type
perl Configure no-asm VC-WIN32
ms\do_fips
That's a violation of the security
/opt/local/bin/perl crypto/objects/objxref.pl crypto/objects/obj_xref.h
[...]
Ah! Now that line could make a difference. Please copy obj_xref.h somewhere
from a virgin tarball and compare it with its contents after that command.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys:
On Tue, Feb 10, 2009, Kyle Hamilton wrote:
*** virgin/crypto/objects/obj_xref.h 2009-02-10 05:01:06.0 -0800
--- openssl-SNAP-20090207/crypto/objects/obj_xref.h 2009-02-10
[snipped]
Ah, that explains it. The top level Makefile call to objxref.pl was breaking
it. I've just committed
with the following command-line: ./config
--prefix=$HOME/ossl --openssldir=$HOME/ossl
-Kyle H
-- Forwarded message --
From: Dr. Stephen Henson st...@openssl.org
Date: Sat, Feb 7, 2009 at 2:30 AM
Subject: Re: Openssl-SNAP still erroring out
To: openssl-dev@openssl.org
On Fri, Feb 06, 2009, Kyle Hamilton wrote:
This does not appear on MacOSX 10.5.6 (with 0.9.8-stable-SNAP-20090206).
./config threads shared no-sse2 enable-whrlpool enable-montasm
enable-capieng enable-cms enable-seed enable-tlsext enable-camellia
enable-rfc3779 enable-mdc2 enable-rc5
On Fri, Feb 06, 2009, The Doctor wrote:
Right
in the tests we run into
There should be a 2 sequences of .'s and some +'s.
There should not be more that at most 80 per line
This could take some time.
Generating a 512 bit RSA private key
..
.
On Tue, Jan 27, 2009, Ilya O. wrote:
Hello.
I've discovered that openssl (at least 0.9.8j and 0.9.8i) fails po
parse certificate if it has PostalCode encoded as NumericString (and
this is allowed thing according to RFC3280).
The error log reads following
{{{
unable to load certificate
On Wed, Jan 28, 2009, Dr. Stephen Henson wrote:
On Tue, Jan 27, 2009, Ilya O. wrote:
Hello.
I've discovered that openssl (at least 0.9.8j and 0.9.8i) fails po
parse certificate if it has PostalCode encoded as NumericString (and
this is allowed thing according to RFC3280
On Mon, Jan 19, 2009, Emanuele Cesena wrote:
Hi all,
I'd like to add a new elliptic curve to the internal list of OpenSSL but
I have some troubles defining objects.
I added the parameters in crypto/ec/ec_curve.c as well as the entry in
the list curve_list (I tested them with ectest.c,
On Wed, Jan 14, 2009, Thomas Jarosch wrote:
Hello together,
I recently upgraded from openssl 0.9.8i to openssl 0.9.8j
and now I can't connect to our servers:
# openssl version
OpenSSL 0.9.8j 07 Jan 2009
# openssl s_client -ssl3 -connect www.intra2net.com:443
CONNECTED(0003)
On Wed, Jan 14, 2009, Brad House wrote:
On Wednesday, 14. January 2009 11:29:07 Dr. Stephen Henson wrote:
# openssl s_client -ssl3 -connect update.intranator.com:443
CONNECTED(0003)
31738:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1060:SSL alert
On Fri, Jan 09, 2009, Vineet Kumar wrote:
Before taking in the patch for the recent security advisory for
vulnerability CVE-2008-5077, I want to verify its authenticity using GPG.
However, I get this:
***
% (gpg --list-keys 89A36572 /dev/null 21 || gpg --recv-keys 89A36572)
gpg
On Thu, Jan 08, 2009, Brad House wrote:
What I've narrowed it down to is this ...
Command run:
./openssl s_client -no_ssl2 -connect igusprodb.globalpay.com:443
Tested versions:
OpenSSL 0.9.8h - good
OpenSSL 0.9.8i - good
OpenSSL 0.9.8j-stable-SNAP-20081123 - good
OpenSSL 0.9.8j release
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [07-Jan-2009]
Incorrect checks for malformed signatures
- ---
Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a
. Engelschall Ben Laurie Andy Polyakov
Dr. Stephen Henson Richard Levitte Geoff Thorpe
Lutz JänickeBodo Möller
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSWSno6LSm3vylcdZAQL8mwf+MAu3Y4wHeEJHhd8t0NaN7fE73ZRV8ht6
, in a note from Dr. Stephen Henson, it was mentioned that for
openssl-0.9.8j :
This is the first full release of OpenSSL that can link against the
validated FIPS module version 1.2
but there is no mention in either of the INSTALL files (openssl-0.9.8j nor
openssl-fips-1.2) on how to do
501 - 600 of 1282 matches
Mail list logo
