Re: [openssl.org #3424] Misaligned pointers for buffers cast to a size_t*

2014-07-06 Thread Kurt Roeckx
On Sun, Jul 06, 2014 at 10:25:19AM +0200, Andy Polyakov via RT wrote: Running `make test` with Clang sanitizers results in some issues with unaligned pointers surrounding some uses of buffers cast to a size_t*. The sanitizers used were `-fsanitize=undefined -fsanitize=address`. Those are

Re: [openssl.org #3424] Misaligned pointers for buffers cast to a size_t*

2014-07-06 Thread Kurt Roeckx
On Sun, Jul 06, 2014 at 05:12:42PM +0200, Andy Polyakov via RT wrote: Running `make test` with Clang sanitizers results in some issues with unaligned pointers surrounding some uses of buffers cast to a size_t*. The sanitizers used were `-fsanitize=undefined -fsanitize=address`. Those are

Re: [openssl.org #3424] Misaligned pointers for buffers cast to a size_t*

2014-07-06 Thread Kurt Roeckx
On Sun, Jul 06, 2014 at 06:57:57PM +0200, Andy Polyakov via RT wrote: ... So that above results don't tell anything about benefits of STRICT_ALIGNMENT being undefined. And it's usually around 10%. And indeed, I just measured 12.5% on my computer. [You have to configure with no-asm, and rig

BIO_get_accept_socket weirdness

2014-07-05 Thread Kurt Roeckx
Hi, I've been working on IPv6 support, and one of the strangest things I find is BIO_get_accept_socket(). If bind_mode == BIO_BIND_REUSEADDR_IF_UNUSED, and bind() fails with EADDRINUSE it creates a new socket and tries to connect to the port it tried to bind() to, and if that fails tries to bind

Re: BIO_get_accept_socket weirdness

2014-07-05 Thread Kurt Roeckx
On Sat, Jul 05, 2014 at 08:13:04AM -0400, Eric Covener wrote: On Sat, Jul 5, 2014 at 7:37 AM, Kurt Roeckx k...@roeckx.be wrote: Does anybody have an idea why it's trying to do that, and why we shouldn't just do SO_REUSEADDR the first time? Was there some OS that maybe did strange things

Re: BIO_get_accept_socket weirdness

2014-07-05 Thread Kurt Roeckx
On Sat, Jul 05, 2014 at 12:45:37PM -0400, Tim Hudson wrote: On 5/07/2014 9:12 AM, Kurt Roeckx wrote: On Sat, Jul 05, 2014 at 08:13:04AM -0400, Eric Covener wrote: On Sat, Jul 5, 2014 at 7:37 AM, Kurt Roeckx k...@roeckx.be wrote: Does anybody have an idea why it's trying to do that, and why

Re: BIO_get_accept_socket weirdness

2014-07-05 Thread Kurt Roeckx
On Sat, Jul 05, 2014 at 02:37:49PM -0400, Tim Hudson wrote: On 5/07/2014 2:14 PM, Kurt Roeckx wrote: On Sat, Jul 05, 2014 at 12:45:37PM -0400, Tim Hudson wrote: If you have SO_REUSEADDR set and a listener already in place you will start a new listener No you won't. You will get a bind

Re: BIO_get_accept_socket weirdness

2014-07-05 Thread Kurt Roeckx
On Sat, Jul 05, 2014 at 02:55:36PM -0400, Tim Hudson wrote: Some google engineering (search) will show the variety of confusion that this causes in cross-platform code. Start here for some interesting reading -

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-04 Thread Kurt Roeckx
On Fri, Jul 04, 2014 at 08:21:15AM +0200, Otto Moerbeek wrote: On Thu, Jul 03, 2014 at 11:35:15PM +0200, Kurt Roeckx wrote: On Thu, Jul 03, 2014 at 09:28:47PM +0100, Ben Laurie wrote: On 3 July 2014 20:06, Kurt Roeckx via RT r...@openssl.org wrote: On Thu, Jul 03, 2014 at 07:51:28PM

Re: [openssl.org #3433] ESXi 4.1 SSL Patch

2014-07-04 Thread Kurt Roeckx via RT
On Fri, Jul 04, 2014 at 08:31:41PM +0200, Robin Kohler via RT wrote: Hi together I have an issue with the openssl version 0.9.8y. I would like to update the actually version 0.9.8y to 0.9.8.za, but I can't find any patches for an ESXi 4.1 Host. I installed a vmware patch, but the issue was

Re: [openssl.org #3429] AutoReply: PATCH: Update to X509_check_host documentation

2014-07-04 Thread Kurt Roeckx
On Fri, Jul 04, 2014 at 10:50:47PM +0200, noloa...@gmail.com via RT wrote: Updated text for the patch based on Viktor's reply to JW and JB on the list. The updated text includes a statement that it's not possible to determine which name matched (this may be added in the future); and the

Re: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions

2014-07-03 Thread Kurt Roeckx
On Thu, Jul 03, 2014 at 08:08:52AM -0400, Hubert Kario wrote: - Original Message - From: Benny Baumann be...@geshi.org To: openbsd-t...@openbsd.org, openssl-dev@openssl.org Sent: Wednesday, 2 July, 2014 8:49:18 PM Subject: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize

Re: OpenSSL roadmap

2014-07-03 Thread Kurt Roeckx
On Thu, Jul 03, 2014 at 09:13:43AM -0400, Theodore Ts'o wrote: (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-) As far as I know, patch Tuesday is the 2nd Tuesday of the month. But wikipedia

Re: [openssl.org #3427] crypto/bio/b_print.c: 2 useless if conditions ?

2014-07-03 Thread Kurt Roeckx via RT
On Thu, Jul 03, 2014 at 07:51:19PM +0200, Toralf Förster via RT wrote: the latest git tree from yesterday + the latest git tree of cppcheck yields these warnings: The 2 ifs seem to be superfluous, or? : The code before that is: /* convert integer part */ do {

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-03 Thread Kurt Roeckx via RT
On Thu, Jul 03, 2014 at 07:51:28PM +0200, Toralf Förster via RT wrote: I think cppcheck is right here in void DES_ofb64_encrypt(), line 84, 85 and 96, or ?: The line before that: dp=d; l2c(v0,dp);--- Uninitialized variable: d l2c(v1,dp);--- Uninitialized variable: d

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-03 Thread Kurt Roeckx
On Thu, Jul 03, 2014 at 09:28:47PM +0100, Ben Laurie wrote: On 3 July 2014 20:06, Kurt Roeckx via RT r...@openssl.org wrote: On Thu, Jul 03, 2014 at 07:51:28PM +0200, Toralf Förster via RT wrote: I think cppcheck is right here in void DES_ofb64_encrypt(), line 84, 85 and 96

Re: [PATCH] LibReSSL/OpenSSL: Adjust/remove keysize restrictions

2014-07-03 Thread Kurt Roeckx
On Thu, Jul 03, 2014 at 11:42:08PM +0200, Wilfried Klaebe wrote: Am Thu, Jul 03, 2014 at 07:20:46PM +0200 schrieb Kurt Roeckx: On Thu, Jul 03, 2014 at 08:08:52AM -0400, Hubert Kario wrote: - Original Message - From: Benny Baumann be...@geshi.org To: openbsd-t...@openbsd.org

Re: [openssl.org #1979] Add uClibc support

2014-06-30 Thread Kurt Roeckx via RT
On Tue, Jul 01, 2014 at 12:25:00AM +0200, Rich Salz via RT wrote: Unsupported platform. Not having read the ticket, uClibc and newlib might be useful to support if possible since they're popular for embedded devices. Kurt

Re: SSLv2 SSLv3

2014-06-28 Thread Kurt Roeckx
On Sat, Jun 28, 2014 at 06:34:01PM +0100, Dominyk Tiller wrote: Hey all, I wondered if you all had an opinion on disabling SSLv2 SSLv3 during the ./configure process, and what kind of impact that'd have for end-users and general compatibility when building against an updated version of

Re: [openssl.org #3413] OpenSSL Bug Report Submission - related to #3376

2014-06-28 Thread Kurt Roeckx via RT
On Sat, Jun 28, 2014 at 05:21:40PM +0200, Clemmer, John J CIV via RT wrote: OpenSSL Development Team, My attempts to compile OpenSSL v.1.0.0m on the day of its release as well as last night both resulted in the same error, whereby INT_MAX is used before it is declared in ssl/s3_pkt.c on

Re: [openssl.org #3411] Fixed possible null pointers if malloc fails

2014-06-24 Thread Kurt Roeckx via RT
On Tue, Jun 24, 2014 at 01:05:36PM +0200, Kurt Cancemi via RT wrote: Hello, The attached patch fixes possible null pointers if malloc fails. This was reported by qualitesys (http://marc.info/?l=openssl-dev&m=140243635405343), and I created the fix (no repeat of what happened last time). I

Re: Missing limits.h in s3_pkt.c

2014-06-22 Thread Kurt Roeckx
On Sun, Jun 22, 2014 at 03:58:03PM +0200, dcrue...@qualitesys.com wrote: ok in openssl-1.0.0-stable-SNAP-20140622 ok in openssl-1.0.1-stable-SNAP-20140622 ko in openssl-1.0.2-stable-SNAP-20140622 ko in openssl-SNAP-20140622 It should be fixed in all branches now. Kurt

Re: [openssl.org #3400] ccs received early

2014-06-14 Thread Kurt Roeckx via RT
On Thu, Jun 12, 2014 at 06:00:05PM +0200, Kurt Roeckx wrote: On Thu, Jun 12, 2014 at 02:06:53PM +0200, Florian Weimer wrote: On 06/12/2014 01:28 PM, Salz, Rich wrote: Since the patch for CVE-2014-0224 I've so far received 2 reports about people getting the error: ccs received early

Re: [openssl.org #3400] ccs received early

2014-06-14 Thread Kurt Roeckx via RT
On Sat, Jun 14, 2014 at 04:42:19PM +, Viktor Dukhovni wrote: On Sat, Jun 14, 2014 at 04:23:13PM +0200, Kurt Roeckx via RT wrote: Yes. As far as I can see all reports are about 0.9.8o sending large amounts of data to 1.0.1e. So I can reproduce it. But I can only seem

Re: NPE on malloc in ssl/d1_both.c, ssl/s3_enc.c, ssl/sll_ciph.c, ssl/ssl_sess.c, ssl/t1_lib.c

2014-06-13 Thread Kurt Roeckx
On Thu, Jun 12, 2014 at 08:05:52PM +0200, dcrue...@qualitesys.com wrote: Thanks Kurt I found ssl/t1_lib.c but not ssl/d1_both.c, ssl/s3_enc.c, ssl/sll_ciph.c, ssl/ssl_sess.c in pull request #131 So can you make patches for those issues and then open a bug in RT about it? Kurt

Re: [openssl.org #3400] ccs received early

2014-06-12 Thread Kurt Roeckx
On Thu, Jun 12, 2014 at 02:06:53PM +0200, Florian Weimer wrote: On 06/12/2014 01:28 PM, Salz, Rich wrote: Since the patch for CVE-2014-0224 I've so far received 2 reports about people getting the error: ccs received early. So they kiddies can read. We thought so, but good to have

Re: [openssl.org #3198] [PATCH] Fix missing NULL pointer checks and memory leaks in crypto/asn1 files

2014-06-10 Thread Kurt Roeckx via RT
On Tue, Jun 10, 2014 at 09:48:19PM +0200, Jonas Maebe via RT wrote: On 13/12/13 11:54, The default queue via RT wrote: In attachment you can find 7 patches against git master (generated via git format-patch) to fix a number of memory leaks (in case of failures) and missing NULL pointer

Re: Another security bug, this time in MAC verification...

2014-06-10 Thread Kurt Roeckx
On Tue, Jun 10, 2014 at 01:03:17PM -0700, Kyle Hamilton wrote: http://opensslrampage.org/post/88383880093 I don't know if this has in fact been given to the OpenSSL team yet. I am not jsing, and I am not involved in the OpenBSD audit. However, this is important. If MD5 passes, but SHA1

Re: Another security bug, this time in MAC verification...

2014-06-10 Thread Kurt Roeckx
On Tue, Jun 10, 2014 at 10:33:32PM +0200, Kurt Roeckx wrote: On Tue, Jun 10, 2014 at 01:03:17PM -0700, Kyle Hamilton wrote: http://opensslrampage.org/post/88383880093 I don't know if this has in fact been given to the OpenSSL team yet. I am not jsing, and I am not involved

Re: NPE on malloc in ssl/d1_both.c, ssl/s3_enc.c, ssl/sll_ciph.c, ssl/ssl_sess.c, ssl/t1_lib.c

2014-06-10 Thread Kurt Roeckx
On Tue, Jun 10, 2014 at 11:29:02PM +0200, dcrue...@qualitesys.com wrote: Hello In version openssl-1.0.h In case of malloc error, the buffer is not tested here I think there are already patches available for most of those issues. See github pull request #131. Kurt

Re: [openssl.org #3381] Typo in macro name for ASN (1.0.1h)

2014-06-09 Thread Kurt Roeckx via RT
On Sun, Jun 08, 2014 at 10:57:57PM +0200, Matt Caswell via RT wrote: Hi Quanah Thanks for the submission. The problem with correcting this is that technically it forms part of the public API (since the macro is defined in asn1.h). I guess there's probably not a huge risk in changing it,

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-07 Thread Kurt Roeckx
On Thu, Jun 05, 2014 at 11:59:30PM +0200, Matt Caswell via RT wrote: On Thu Jun 05 23:42:31 2014, k...@roeckx.be wrote: We are likely to see a lot more like this as Mike's test team get going. In unit testing its okay to access internal symbols. But then you shouldn't link to the

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-07 Thread Kurt Roeckx via RT
On Thu, Jun 05, 2014 at 11:59:30PM +0200, Matt Caswell via RT wrote: On Thu Jun 05 23:42:31 2014, k...@roeckx.be wrote: We are likely to see a lot more like this as Mike's test team get going. In unit testing its okay to access internal symbols. But then you shouldn't link to the

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-07 Thread Kurt Roeckx
On Sat, Jun 07, 2014 at 09:46:38AM -0400, Mike Bland wrote: Why do any of the symbols need to be private? Is that degree of encapsulation necessary, and does it really discourage irresponsible clients? The source code is open, so people can always build their own copy and depend on internals

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-07 Thread Kurt Roeckx
On Sat, Jun 07, 2014 at 11:06:56AM -0400, Salz, Rich wrote: And I want to reduce the number of exposed APIs. Except that as we (hopefully) move to making struct's opaque, then we'll need to add lots of accessors. I assume you know that, but just want to make sure folks realize it. Those

[openssl.org #3389] [PATCH] Create ~/.rnd with mode 0600 instead of 0666

2014-06-07 Thread Kurt Roeckx via RT
Because of a missing include fcntl.h we don't have O_CREATE and don't create the file with open() using mode 0600 but fall back to using fopen() with the default umask followed by a chmod(). Problem found by Jakub Wilk jw...@debian.org. --- crypto/rand/randfile.c | 1 + 1 file changed, 1

Re: [openssl.org #3387] Bug Report with fixes: null pointer and uninitialised memory errors

2014-06-07 Thread Kurt Roeckx via RT
On Sun, Jun 08, 2014 at 12:01:28AM +0200, Tim Hudson via RT wrote: Already fixed in the 1.0.1 stable branch so it is already included in 1.0.1h onwards and 1.0.1m is the current recommended version. [...] Can you re-run parfait against the current release version of OpenSSL for that branch -

Re: [openssl.org #3331] [PATCH] respect LDFLAGS during build

2014-06-06 Thread Kurt Roeckx
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote: On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote: On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote: It's a standard setting that other build systems use. Can you explain why you need this? because people want to

Re: [openssl.org #3331] [PATCH] respect LDFLAGS during build

2014-06-06 Thread Kurt Roeckx via RT
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote: On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote: On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote: It's a standard setting that other build systems use. Can you explain why you need this? because people want to

[openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-05 Thread Kurt Roeckx via RT
Hi, When building the 1.0.1h release I got this error: heartbeat_test.o: In function `set_up': test/heartbeat_test.c:94: undefined reference to `ssl_init_wbio_buffer' test/heartbeat_test.c:102: undefined reference to `ssl3_setup_buffers' heartbeat_test.o: In function `set_up_dtls':

Re: Cygwin: march=i486

2014-06-05 Thread Kurt Roeckx
On Thu, Jun 05, 2014 at 04:43:44PM +0200, alexander.elg...@external.t-systems.com wrote: Hello, it would be nice, if you remove the march=i486 for Cygwin in Configure, Thank you! Configure: Cygwin, gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-05 Thread Kurt Roeckx
On Thu, Jun 05, 2014 at 03:01:47PM -0400, Mike Bland wrote: On Thu, Jun 5, 2014 at 2:41 PM, Kurt Roeckx via RT r...@openssl.org wrote: Hi, When building the 1.0.1h release I got this error: heartbeat_test.o: In function `set_up': test/heartbeat_test.c:94: undefined reference

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-05 Thread Kurt Roeckx
On Thu, Jun 05, 2014 at 11:34:15PM +0200, Matt Caswell via RT wrote: On Thu Jun 05 20:41:05 2014, k...@roeckx.be wrote: This is probably related to me not exporting those symbols as they are marked local. Kurt Is this related to the way you build the Debian packages? Yes. And this is

Re: [openssl.org #3378] heartbeat_test: Using internal APIs

2014-06-05 Thread Kurt Roeckx via RT
On Thu, Jun 05, 2014 at 11:34:15PM +0200, Matt Caswell via RT wrote: On Thu Jun 05 20:41:05 2014, k...@roeckx.be wrote: This is probably related to me not exporting those symbols as they are marked local. Kurt Is this related to the way you build the Debian packages? Yes. And this is

Re: Improving unit/automated test coverage

2014-06-04 Thread Kurt Roeckx
On Mon, Jun 02, 2014 at 10:38:05AM -0400, Mike Bland wrote: It seems that the encryption algorithms themselves are relatively well-tested; in contrast, Heartbleed was an infrastructure bug. It's in shoring up the test coverage of the infrastructure bits where I can be of most direct service,

Re: Which platforms will be supported in the future on which platforms will be removed?

2014-06-01 Thread Kurt Roeckx
On Sun, Jun 01, 2014 at 01:39:54PM -0400, Salz, Rich wrote: Make structures opaque when possible and provide accessor functions. Within openssl itself use macros if you want. This has been on my list of things I want to see happen for a long time too. Together we removing some APIs. I also

Re: New unbiased prime generator function fixes

2014-06-01 Thread Kurt Roeckx
On Sun, Jun 01, 2014 at 09:04:29PM +, Viktor Dukhovni wrote: @@ -1,21 +1,37 @@ -primes = [2, 3, 5, 7, 11] -safe = False # Not sure if the period's right on safe primes. +# Odd primes 13 +# +primes = [3, 5, 7, 11, 13, 17, 19] Maybe the comment is wrong? Kurt

Re: [openssl.org #3369] 1.0.1g / Windows / patch - missing ZLIB define in cms_lcl.h

2014-05-29 Thread Kurt Roeckx via RT
diff -uNr openssl-1.0.1g/crypto/cms/cms_lcl.h openssl-1.0.1g-ICA/crypto/cms/cms_lcl.h --- openssl-1.0.1g/crypto/cms/cms_lcl.h 2014-03-17 17:14:20.0 +0100 +++ openssl-1.0.1g-ICA/crypto/cms/cms_lcl.h 2014-05-23 12:01:00.0 +0200 @@ -418,7 +418,7 @@

Re: [openssl.org #2578] s_client bind ip

2014-05-25 Thread Kurt Roeckx
On Sun, May 25, 2014 at 02:40:08PM +0200, Krzysztof Kwiatkowski wrote: Hi, In general yes, but it seems s_client (https://lwn.net/Articles/486369/) doesn't support IPv6 (or I'm wrong?) There is a patch for it at: https://bugs.debian.org/589520 Kurt

Re: [openssl.org #2578] s_client bind ip

2014-05-25 Thread Kurt Roeckx
On Sun, May 25, 2014 at 10:20:03PM +0200, Michael Tuexen wrote: I'm just a bit hesitating to invest more time given that the patch wasn't accepted the last four years... If there is interest, I would be happy to update it to include documentation changes. Please do update it. Kurt

Re: [openssl.org #3317] Patch: Avoid out-of-bounds write in SSL_get_shared_ciphers

2014-05-12 Thread Kurt Roeckx
On Mon, May 12, 2014 at 11:20:19AM +0200, Otto Moerbeek wrote: This diff contains a use before init (spotted by Miod Vallat). Not sure what went wrong there since the original patch was correct. I've created a new github pull request for it (#105). Kurt

Re: [openssl.org #3317] Patch: Avoid out-of-bounds write in SSL_get_shared_ciphers

2014-05-12 Thread Kurt Roeckx via RT
On Mon, May 12, 2014 at 11:20:19AM +0200, Otto Moerbeek wrote: This diff contains a use before init (spotted by Miod Vallat). Not sure what went wrong there since the original patch was correct. I've created a new github pull request for it (#105). Kurt

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-06 Thread Kurt Roeckx
On Thu, May 01, 2014 at 01:23:51PM -0400, John Foley wrote: I'm trying to get that information from the IronPort team. In the mean time, this bug report appears to have some details: https://tools.cisco.com/bugsearch/bug/CSCuo25329 It would really be nice that we can get some more

Re: [PATCH] bignum: allow concurrent BN_MONT_CTX_set_locked()

2014-05-05 Thread Kurt Roeckx
On Sun, May 04, 2014 at 06:07:23PM -0400, Geoffrey Thorpe wrote: It's lazy-initialisation, so the context-setting (which is used in RSA and DSA, not just DH) occurs the first time an operation is attempted on the key. (Well, the first time an operation that needs to use the given montgomery

Re: [PATCH] bignum: allow concurrent BN_MONT_CTX_set_locked()

2014-05-04 Thread Kurt Roeckx
On Sun, May 04, 2014 at 04:31:06PM -0400, Geoff Thorpe wrote: The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by Daniel Sands and co at Sandia. This was to handle the case that 2 or more threads race to lazy-init the same context, but stunted all scalability in

Re: [openssl.org #3332] [PATCH] fix pkg-config generation

2014-05-04 Thread Kurt Roeckx
On Mon, May 05, 2014 at 12:36:57AM +0200, Matt Caswell via RT wrote: This patch changes the output of pkg-config --libs libssl from: -L/usr/local/ssl/lib -lssl -lcrypto to: -L/usr/local/ssl/lib -lssl Arguably this is the strictly correct approach. However in practice I suspect many build

Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-03 Thread Kurt Roeckx via RT
On Sat, May 03, 2014 at 01:14:47AM +0200, Matt Caswell via RT wrote: This patch looks like a bit of a kludge to me. Release a buffer only to then immediately set it up again. Compare with this commit on master: https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989

Re: SRP implementation mishandles salts with leading zeroes

2014-05-02 Thread Kurt Roeckx
On Fri, May 02, 2014 at 12:21:51PM +0200, Mechiel Lukkien wrote: On Fri, May 02, 2014 at 11:41:46AM +0200, Mechiel Lukkien wrote: thoughts? does conversion from uchar* to bignum, and back to uchar* indeed strip leading zeroes? i think the salt should always be passed around as just

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-02 Thread Kurt Roeckx
On Fri, May 02, 2014 at 09:49:47AM -0400, Salz, Rich wrote: Steve, have you considered trimming the DEFAULT cipher list? It's currently... #define SSL_DEFAULT_CIPHER_LIST ALL:!aNULL:!eNULL:!SSLv2 I wonder how many of these ciphers are actually ever negotiated in real-world use. I'm

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-02 Thread Kurt Roeckx
On Fri, May 02, 2014 at 09:58:37AM -0400, John Foley wrote: How prevalent is RC4 today? Here is a recent link for web servers: https://lists.fedoraproject.org/pipermail/security/2014-April/001810.html Kurt

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-02 Thread Kurt Roeckx
On Fri, May 02, 2014 at 10:50:28AM -0400, Salz, Rich wrote: How many of those sites are served by CDN's, for example? I don't know, if you have a semi-robust way to detect that I'm willing to implement it. Short of giving out customer lists :) I don't. I suppose you could do a DNS

Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-05-02 Thread Kurt Roeckx via RT
On Fri, May 02, 2014 at 06:53:06PM +, mancha wrote: Kurt Roeckx via RT rt at openssl.org writes: There is a potential patch for this in libressl, you can see it at: http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21

Re: [openssl.org #3310] Can't execute make command

2014-05-01 Thread Kurt Roeckx via RT
On Mon, Apr 14, 2014 at 09:52:32PM +0200, Maria Moskaleva via RT wrote: Hello! Make fails while I'm trying to build the openssl library. http://screeny.ru/534bd10369000fff1f0225ce Why do I have a problem with md2test.c? (m2test.c:1: parse error before '.' token) What should I do? Thanks in advance!

Re: [openssl.org #3294] [PATCH] Documentation for PKCS5_PBKDF2_HMAC

2014-05-01 Thread Kurt Roeckx
On Sat, Apr 05, 2014 at 05:42:16PM +0200, noloa...@gmail.com via RT wrote: A question using PKCS5_PBKDF2_HMAC was recently asked on Stack Overflow. Currently, there is no documentation on the function. The PKCS5_PBKDF2_HMAC.pod is new. It is based on the documentation for EVP_BytesToKey.

Re: [openssl.org #3326] [PATCH] expose -elapsed option of speed and include missing man pages references.

2014-05-01 Thread Kurt Roeckx via RT
On Wed, Apr 23, 2014 at 06:29:26PM +0200, John-Mark Gurney via RT wrote: diff --git a/apps/speed.c b/apps/speed.c index 9232418..f70fd3e 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1126,9 +1126,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,\n);

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-01 Thread Kurt Roeckx via RT
On Thu, May 01, 2014 at 12:29:58PM +0200, Marcus Meissner via RT wrote: Hi, SUSE has received a bugreport from a user, that the padding extension change breaks IronPort SMTP appliances. There might a RT on this already, not sure. https://bugzilla.novell.com/show_bug.cgi?id=875639

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-01 Thread Kurt Roeckx
On Thu, May 01, 2014 at 01:35:19PM +0200, Hanno Böck wrote: Maybe this should teach us a lesson: Adding more and more Workarounds for broken stuff isn't the way to go forward. The way to go forward is to fix broken stuff. The problem isn't always to fix the broken stuff but usually to get

Re: [openssl.org #3336] 1.0.1g breaks IronPORT SMTP appliance (padding extension)

2014-05-01 Thread Kurt Roeckx
On Thu, May 01, 2014 at 02:45:19PM +0200, Hanno Böck wrote: On Thu, 1 May 2014 14:29:44 +0200 Kurt Roeckx k...@roeckx.be wrote: On Thu, May 01, 2014 at 01:35:19PM +0200, Hanno Böck wrote: Maybe this should teach us a lesson: Adding more and more Workarounds for broken stuff isn't

Re: [openssl.org #3315] Why does the linker complain about undefined symbols?

2014-04-30 Thread Kurt Roeckx via RT
On Tue, Apr 15, 2014 at 05:29:02PM +0200, janmus.chan via RT wrote: How does the openssl-1.0.1 support the Beyond BA22 Embedded Processor? I still got a compiler error ~ Please help me, thank you!! You will need to provide more details about your build environment and the error you get.

Re: [openssl.org #3305] Cppcheck report

2014-04-30 Thread Kurt Roeckx via RT
On Sun, Apr 13, 2014 at 12:21:14PM +0200, Julien Nabet via RT wrote: Hello, I ran cppcheck (a static analyzer) on openssl master sources (cppcheck and openssl git updated today). Even if cppcheck is mainly for C++ and reports false positives sometimes, I found some reports which might

Re: [openssl.org #3314] BUG - CMS Decrypt returns wrong error message on mismatching private key after Bleichenbachers FIX

2014-04-30 Thread Kurt Roeckx via RT
On Wed, Apr 16, 2014 at 12:42:22PM +0200, Stephen Henson via RT wrote: The -debug_decrypt option is currently simply undocumented due to an omission which I will shortly correct. It will remain supported for the foreseeable future. So this was fixed in commit

Re: [openssl.org #3320] Invalid large memory access in openssl due to a bug on the client side

2014-04-28 Thread Kurt Roeckx
On Sat, Apr 26, 2014 at 01:16:08PM -0400, Salz, Rich wrote: If the API requires the same buffer and count, then perhaps the SSL structure should hold those values, and

Re: [openssl.org #3320] Invalid large memory access in openssl due to a bug on the client side

2014-04-28 Thread Kurt Roeckx via RT
On Sat, Apr 26, 2014 at 01:16:08PM -0400, Salz, Rich wrote: If the API requires the same buffer and count, then perhaps the SSL structure should hold those values, and

Re: [openssl.org #3329] [PATCH] doc: Add missing =back directive.

2014-04-27 Thread Kurt Roeckx
There are already several copies of this patch. Kurt On Sun, Apr 27, 2014 at 01:04:01PM +0200, Chris Rorvick via RT wrote: Signed-off-by: Chris Rorvick ch...@rorvick.com --- Compiling SSL_CONF_cmd.pod with pod2man(1) fails with the following error: POD document had syntax errors at

Re: [openssl.org #3331] [PATCH] respect LDFLAGS during build

2014-04-27 Thread Kurt Roeckx via RT
-DO_GNU_APP=LDFLAGS=$(CFLAGS) -Wl,-rpath,$(LIBRPATH) +DO_GNU_APP=LDFLAGS=$(LDFLAGS) $(CFLAGS) Shouldn't that be this? +DO_GNU_APP=LDFLAGS=$(LDFLAGS) -Wl,-rpath,$(LIBRPATH) But then I think that we shouldn't have rpaths in the first place, so I wouldn't have a problem with removing the

Re: [openssl.org #3329] [PATCH] doc: Add missing =back directive.

2014-04-27 Thread Kurt Roeckx
On Sun, Apr 27, 2014 at 01:16:33PM +0100, Matt Caswell wrote: On 27 April 2014 12:09, Kurt Roeckx k...@roeckx.be wrote: There are already several copies of this patch. Do you have the ref numbers? I can get this committed quickly, and I'll close them all off in one go. This is RT #3303

Re: Attribution of pull requests in git

2014-04-26 Thread Kurt Roeckx
On Sat, Apr 26, 2014 at 11:29:39AM +0100, Ben Laurie wrote: Is there an easy way to fix that? That is, I would expect it to show me as the committer and the original author as the author. That is how it should always work, and I'm not sure why you would see anything else. git really keeps the

Re: How to help OpenSSL

2014-04-26 Thread Kurt Roeckx
On Sat, Apr 26, 2014 at 11:39:13AM +0100, Ben Laurie wrote: On 24 April 2014 19:54, Kurt Roeckx k...@roeckx.be wrote: On Thu, Apr 24, 2014 at 06:31:34PM +0100, Ben Laurie wrote: Note that this is just how to help me, not a consensus view from the whole team, though I have no doubt much

Re: [openssl.org #3321] NULL pointer dereference with SSL_MODE_RELEASE_BUFFERS flag

2014-04-26 Thread Kurt Roeckx via RT
There is a potential patch for this in libressl, you can see it at: http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=e76e308f1fab2253ab5b4ef52a1865c5ffecdf21 Kurt On Mon, Apr 21, 2014 at 05:40:09PM +0200, David Ramos via RT wrote: Hello, Our UC-KLEE tool found a

Re: [openssl.org #3320] Invalid large memory access in openssl due to a bug on the client side

2014-04-26 Thread Kurt Roeckx via RT
Libressl has a patch for this at: http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=cb8b51bf2f6517fe96ab0d20c4d9bba2eef1b67c I believe that patch is not really the correct fix. My understanding is that tot is what is already written, and that len is until where we want to

Re: Attribution of pull requests in git

2014-04-26 Thread Kurt Roeckx
On Sat, Apr 26, 2014 at 10:59:07AM -0400, Theodore Ts'o wrote: On Sat, Apr 26, 2014 at 11:29:39AM +0100, Ben Laurie wrote: I just noticed that if I merge a pull request, then both author and committer are set to whoever made the pull request. Are you using github, or git using its standard

Re: How to help OpenSSL

2014-04-24 Thread Kurt Roeckx
On Thu, Apr 24, 2014 at 06:31:34PM +0100, Ben Laurie wrote: Note that this is just how to help me, not a consensus view from the whole team, though I have no doubt much of it will be helpful to the team, too. 1. Triage RT (https://rt.openssl.org/). RT has been neglected for a long time.

Re: [openssl.org #3306] OpenSSL Enhancement: the binary library should contain the version strings found in the header opensslv.h

2014-04-14 Thread Kurt Roeckx via RT
On Mon, Apr 14, 2014 at 11:51:53AM +0200, Tom Swirly via RT wrote: Hello. This is a small feature request that's applicable to all operating systems. *The problem.* The version numbers for OpenSSL appear in the header opensslv.h as macro symbols: OPENSSL_VERSION_NUMBER

Re: [openssl.org #3303] [PATCH] doc: fix forgot a '=back' before '=head1' error

2014-04-13 Thread Kurt Roeckx via RT
That's also in github pull request #50 Kurt On Sun, Apr 13, 2014 at 12:20:37PM +0200, Ben Noordhuis via RT wrote: Add the =back that was making pod2man abort. Fixes the `make install` target, it was failing at the install_docs sub-target. --- doc/ssl/SSL_CONF_cmd.pod | 2 ++ 1 file

Re: Getting patches applied

2014-04-11 Thread Kurt Roeckx
On Fri, Apr 11, 2014 at 10:26:08AM +0100, Matt Caswell wrote: On 11 April 2014 00:00, Steve Marquess marqu...@opensslfoundation.com wrote: With the very, very important caveat that I'm not one of the people who directly carry this burden: There is certainly room for improvement in the

Re: OpenSSL freelist reuse analysis

2014-04-10 Thread Kurt Roeckx
On Thu, Apr 10, 2014 at 09:20:57PM +0400, Loganaden Velvindron wrote: Please find it here: diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index b9e45c7..61b017f 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1334,8 +1334,6 @@ start: { s-rstate=SSL_ST_READ_HEADER; rr-off=0;

Getting patches applied

2014-04-10 Thread Kurt Roeckx
Hi, I've seen many examples of patches being submitted but never getting applied. For some problems there are actually multiple people submitting a patch for the same issue, and none of them getting applied. What is the problem getting them applied? Not enough people to do the reviewing?

Re: Getting patches applied

2014-04-10 Thread Kurt Roeckx
On Thu, Apr 10, 2014 at 04:40:13PM -0400, Steve Marquess wrote: On 04/10/2014 03:22 PM, Kurt Roeckx wrote: Hi, I've seen many examples of patches being submitted but never getting applied. For some problems there are actually multiple people submitting a patch for the same issue

Re: decryption failed or bad record mac

2014-04-03 Thread Kurt Roeckx
On Thu, Apr 03, 2014 at 02:33:17PM +0300, Costas Stasimos wrote: Hello! I use openssl-1.0.1e in a debian system and I try to make some scenarios with TLSv1.2 using the applications s_server and s_client. Is that the version from debian, or are you building your own version? There was a

Re: Insecure DEFAULT cipher set

2014-03-31 Thread Kurt Roeckx
On Mon, Mar 31, 2014 at 01:09:12PM +, Viktor Dukhovni wrote: On Mon, Mar 31, 2014 at 08:49:37AM -0400, Hubert Kario wrote: There is no benefit in excluding RC4-SHA1 from the default list. When servers support stronger algorithms, those will be negotiated. All you get by excluding

Re: [openssl.org #3287] [bug] compilation with gcc 4.8.2 of openssl 1.0.1 generate strict-aliasing warnings

2014-03-30 Thread Kurt Roeckx via RT
On Sun, Mar 30, 2014 at 11:20:23AM +0200, Matthieu Patou via RT wrote: Hello, Got those kind of messages when compiling openssl 1.0.1: cbc128.c:175:6: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] I see those warnings with gcc 4.7 but with

Re: [openssl.org #3266] [PATCH] Add the SYSTEM cipher keyword

2014-03-27 Thread Kurt Roeckx
On Thu, Mar 27, 2014 at 05:20:06PM +, Viktor Dukhovni wrote: What would an O/S distribution do with SYSTEM that would make it better than DEFAULT or ALL? You really do not want to use DEFAULT. And some people even set it to ALL having no idea what that does. We either need sane defaults,

Re: OpenSSL version 1.0.2 beta 1 released

2014-02-25 Thread Kurt Roeckx
I've uploaded it to debian experimental, and so far got an error on powerpc: gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DB_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat

Re: [openssl.org #3264] openssl req ignores key length set in config file

2014-02-14 Thread Kurt Roeckx via RT
This is a duplicate of #2592, and looks exactly like the patch I've made and is part of a github pull request. Kurt On Fri, Feb 14, 2014 at 04:37:03PM +0100, Tomas Mraz via RT wrote: 'openssl req -newkey rsa' ignores keylen set in the openssl config file in the req section. It also

Re: [openssl.org #3231] default ciphers include insecure export cipher suites

2014-01-13 Thread Kurt Roeckx via RT
On Mon, Jan 13, 2014 at 05:25:55PM +0100, Jeff Hodges via RT wrote: We've been testing clients using OpenSSL against https://howsmyssl.com/a/check and noticed that those using the OpenSSL_add_all_algorithms() have insecure export cipher suites included by default. These cipher suites are using
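The three threads above about DEFAULT, ALL and the export suites all turn on how an OpenSSL cipher string is interpreted. The following is an added example, not code from the thread or from OpenSSL: a small interpreter for the cipher-string syntax run over a constructed suite table. The table, its attributes and the stand-in DEFAULT list are assumptions for illustration and do not reproduce the real 1.0.1 lists; only the operator semantics (`:` separators, `!`, `-`, `+`, `A+B` conjunction, DEFAULT/ALL/COMPLEMENTOFALL) follow the documented cipher-string rules.

```python
"""Minimal interpreter for OpenSSL-style cipher strings over a constructed suite table.

Added example, not code from the thread or from OpenSSL.  The suite table and the
stand-in DEFAULT list are constructed for illustration and do not reproduce the
real 1.0.1 lists.
"""
from typing import Callable, Dict, List, Set

# Constructed suite table: name -> attributes a cipher string can select on.
SUITES: Dict[str, Set[str]] = {
    "ECDHE-RSA-AES128-GCM-SHA256": {"ECDHE", "RSA", "AES128", "AESGCM", "SHA256", "HIGH"},
    "DHE-RSA-AES256-SHA":          {"DHE", "RSA", "AES256", "SHA1", "HIGH"},
    "AES128-SHA":                  {"kRSA", "RSA", "AES128", "SHA1", "HIGH"},
    "RC4-SHA":                     {"kRSA", "RSA", "RC4", "SHA1", "MEDIUM"},
    "DES-CBC3-SHA":                {"kRSA", "RSA", "3DES", "SHA1", "HIGH"},
    "EXP-RC4-MD5":                 {"kRSA", "RSA", "RC4", "MD5", "EXPORT", "EXP"},
    "EXP-DES-CBC-SHA":             {"kRSA", "RSA", "DES", "SHA1", "EXPORT", "EXP"},
    "NULL-SHA":                    {"kRSA", "RSA", "eNULL", "SHA1"},
}

# Keyword aliases that are not plain attribute matches: ALL is everything but eNULL.
ALIASES: Dict[str, Callable[[Set[str]], bool]] = {
    "ALL": lambda attrs: "eNULL" not in attrs,
    "COMPLEMENTOFALL": lambda attrs: "eNULL" in attrs,
}


def matches(name: str, token: str) -> bool:
    """A bare token selects suites by name or attribute; 'A+B' requires every part."""
    attrs = SUITES[name]
    if token in ALIASES:
        return ALIASES[token](attrs)
    return all(p == name or p in attrs for p in token.split("+"))


def expand(spec: str, default: List[str]) -> List[str]:
    """Apply a cipher string and return the resulting ordered suite list.

    Rules modelled: ':' separates tokens; '!' deletes permanently; '-' deletes but
    allows a later token to re-add; '+' moves matches to the end; a bare token
    appends matches not already present (or killed); DEFAULT expands to the
    caller-supplied default list.  Not modelled: @STRENGTH, cipher ids,
    protocol-version tokens.
    """
    result: List[str] = []
    killed: Set[str] = set()
    for token in spec.split(":"):
        if not token:
            continue
        if token == "DEFAULT":
            result.extend(n for n in default if n not in result and n not in killed)
            continue
        op, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [n for n in SUITES if matches(n, body)]
        if op == "!":
            killed.update(hits)
            result = [n for n in result if n not in hits]
        elif op == "-":
            result = [n for n in result if n not in hits]
        elif op == "+":
            moved = [n for n in result if n in hits]
            result = [n for n in result if n not in hits] + moved
        else:
            result.extend(n for n in hits if n not in result and n not in killed)
    return result


# Constructed stand-in for the 1.0.1-era DEFAULT: everything but eNULL, export suites included.
DEFAULT_LIST: List[str] = expand("ALL", [])


def export_suites(spec: str) -> List[str]:
    """Which export-grade suites survive a given cipher string (the howsmyssl complaint)."""
    return [n for n in expand(spec, DEFAULT_LIST) if "EXPORT" in SUITES[n]]


if __name__ == "__main__":
    print("DEFAULT keeps:", export_suites("DEFAULT"))
    print("DEFAULT:!EXPORT:!RC4 ->", expand("DEFAULT:!EXPORT:!RC4", DEFAULT_LIST))
```

The difference between `!` and `-` is the part people trip over: `ALL:!RC4:RC4` leaves RC4 out for good, while `ALL:-RC4:RC4` merely moves the RC4 suites to the end of the list. A string such as `DEFAULT:!EXPORT:!RC4` is the shape of fix the threads above argue for on the client side, rather than relying on whatever the library's DEFAULT happens to contain.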

[openssl.org #3212] smime verification failure

2014-01-06 Thread Kurt Roeckx via RT
Hi, I received an smime signed email but I had a problem verifying the signature. What I got was 3 certificates in the chain, but it didn't look for the certificate in my CApath. The orders of the certs as shown by pkcs7 -print_certs was: 2 3 1 Where 1 was the end user certificate, 2 is the is

Re: [openssl.org #3214] commit 20b82b514d81a64f5b240788e5051167456af379 opens possible segfault

2014-01-06 Thread Kurt Roeckx
On Mon, Jan 06, 2014 at 01:10:59PM +0100, Stephen Henson via RT wrote: On Mon Jan 06 10:22:17 2014, anthony.miness...@gmail.com wrote: commit 20b82b514d81a64f5b240788e5051167456af379 on dec 20th creates an issue where NULL can be passed to EVP_MD_CTX_destroy Commit

git commits for the various CVEs

2014-01-06 Thread Kurt Roeckx
So the 1.0.1f release fixed 3 CVEs. The links on http://www.openssl.org/news/vulnerabilities.html suggest that the following commits are needed: CVE-2013-4353: 197e0ea817ad64820789d86711d55ff50d71f631 CVE-2013-6450: 34628967f1e65dc8f34e000f0f5518e21afbfc7b CVE-2013-6449:

Re: [openssl.org #3212] smime verification failure

2014-01-06 Thread Kurt Roeckx
On Mon, Jan 06, 2014 at 05:38:27PM -0500, Dave Thompson wrote: When only certificate 2 and 1 are sent, the verification is successful because it's now trying to find the issuer of 2, being 3, and does find that in my CApath. Are you sure the '3' in your truststore is the same as the
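The #3212 exchange (the report above and this reply) comes down to the order in which a verifier looks for each issuer: in the message's own certificate bundle first, or in the local trust store (CApath) first. The following is an added example, not code from the thread or from OpenSSL, showing both lookup orders over a constructed bundle. The certificates are name-only stand-ins (no signatures are checked), and the scenario in which the bundle's copy of "3" is a cross-signed certificate whose issuer is nowhere to be found is an assumption chosen to make the two orders diverge; it is not a claim about what the original email contained.

```python
"""Chain building from an unordered PKCS#7 certificate bundle.

Added example, not code from the thread or from OpenSSL.  Certificates are
constructed stand-ins keyed by subject/issuer name; no signatures are checked.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cert:
    label: str     # the numbering used in the thread: "1" end entity, "2" intermediate, "3" CA
    subject: str
    issuer: str
    key_id: str    # stands in for the Subject Key Identifier

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    pass


def find_leaf(bundle: List[Cert]) -> Cert:
    """The end-entity cert is the one whose subject issues nothing else in the bundle."""
    issuers = {c.issuer for c in bundle}
    leaves = [c for c in bundle if c.subject not in issuers]
    if len(leaves) != 1:
        raise ChainError(f"expected one end-entity certificate, found {len(leaves)}")
    return leaves[0]


def build_chain(bundle: List[Cert], trust_store: List[Cert],
                trusted_first: bool) -> Tuple[List[str], str]:
    """Walk from the leaf up to a trust anchor.

    Returns (labels of the untrusted chain from the leaf upward, label of the anchor).
    trusted_first=False models the lookup order described in the thread: the issuer
    is taken from the message bundle whenever it is there, and CApath is consulted
    only when it is not.  trusted_first=True consults the trust store first.
    """
    untrusted: Dict[str, Cert] = {c.subject: c for c in bundle}
    trusted: Dict[str, Cert] = {c.subject: c for c in trust_store}

    chain = [find_leaf(bundle)]
    while True:
        current = chain[-1]
        if current.self_signed:
            anchor = trusted.get(current.subject)
            if anchor is not None and anchor.key_id == current.key_id:
                return [c.label for c in chain[:-1]], anchor.label
            raise ChainError(f"self-signed certificate {current.label} is not in the trust store")

        order = (trusted, untrusted) if trusted_first else (untrusted, trusted)
        for store in order:
            issuer = store.get(current.issuer)
            if issuer is None:
                continue
            if store is trusted:
                return [c.label for c in chain], issuer.label
            if len(chain) > len(bundle):   # defensive: the bundle contains a loop
                raise ChainError("certificate loop")
            chain.append(issuer)
            break
        else:
            raise ChainError(f"unable to get issuer certificate for {current.label}")


# Constructed bundle in the order pkcs7 -print_certs showed them: 2, 3, 1.
# Assumption for illustration: the bundle's "3" is cross-signed by an absent "other-root",
# while CApath holds the self-signed "3" carrying the same key.
CERT_1 = Cert("1", "CN=user", "CN=intermediate", "k1")
CERT_2 = Cert("2", "CN=intermediate", "CN=root", "k2")
CERT_3_BUNDLE = Cert("3", "CN=root", "CN=other-root", "k3")
CERT_3_TRUSTED = Cert("3", "CN=root", "CN=root", "k3")

MESSAGE_BUNDLE = [CERT_2, CERT_3_BUNDLE, CERT_1]
CAPATH = [CERT_3_TRUSTED]


def verify_scenarios() -> dict:
    """Run both bundles (2,3,1 and 2,1) through both lookup orders."""
    results = {}
    for name, bundle in (("2,3,1", MESSAGE_BUNDLE), ("2,1", [CERT_2, CERT_1])):
        for mode in (False, True):
            try:
                results[(name, mode)] = build_chain(bundle, CAPATH, trusted_first=mode)
            except ChainError as e:
                results[(name, mode)] = str(e)
    return results


if __name__ == "__main__":
    for (name, mode), outcome in verify_scenarios().items():
        print(f"bundle {name}, trusted_first={mode}: {outcome}")
```

With the bundle-first order, sending "3" inside the message makes the verifier follow that copy and then fail on its missing issuer, whereas sending only "2" and "1" succeeds because the lookup for 3 falls through to CApath, which is the behaviour the report describes. Consulting the trust store first gives the same chain in both cases. Later OpenSSL releases expose this choice as the X509_V_FLAG_TRUSTED_FIRST verify flag.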

Re: [openssl.org #3208] Planned removal of SSL_OP_MSIE_SSLV2_RSA_PADDING breaks dependent software

2014-01-04 Thread Kurt Roeckx
On Sat, Jan 04, 2014 at 11:25:27AM +0100, Matijs van Zuijlen via RT wrote: It looks like OpenSSL 1.0.2 will no longer provide the constant SSL_OP_MSIE_SSLV2_RSA_PADDING in its header files (http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=dece3209f299ebcd82414868ee39b2c6feb3be0a).
