Hey guys,
1.0.2-stable and master are currently broken when building with
-DOPENSSL_NO_SRTP.
Attached patches fix that.
Best regards,
Piotr Sikora
OpenSSL_1_0_2__Fix-build-with-DOPENSSL_NO_SRTP.patch
OpenSSL_master__Fix-build-with-DOPENSSL_NO_SRTP.patch
connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to the SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.
Reported by Yichun Zhang (agentzh).
Signed-off-by: Piotr Sikora pi...@cloudflare.com
---
ssl/s3_both.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
of the CDN.
For Amazon, you can distinguish S3 from CloudFront by looking at
the HTTP headers:
- X-Amz-Cf-Id,
- Via: ... .cloudfront.net (CloudFront),
- X-Cache: ... from cloudfront.
Best regards,
Piotr Sikora
__
OpenSSL Project
Hey Andy,
Some kind of deja vu here. I remember I was looking at this and drew
some conclusion... I think it was addressed and commit
b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 actually mentions this ticket.
Can you confirm?
Yes, it's been fixed by this commit.
Best regards,
Piotr Sikora
://rt.openssl.org/Ticket/Display.html?id=3265 (guest:guest)
Best regards,
Piotr Sikora
Best regards,
Piotr Sikora
openssl_1_0_1__disable_rc4.patch
openssl_1_0_2__disable_rc4.patch
, as well when it's acting as a
server.
The OS is Linux 3.9.x and we are using a relatively recent OpenSSL-1.0.2
checkout (commit: 5ff68e8f6dac3b0d8997b8bc379f9111c2bab74f).
Let me know if you need any more details.
Best regards,
Piotr Sikora
--- sha1_block_data_order_avx ---
(gdb) bt
#0
Hey guys,
could you please look into it? Right now, this is a show-stopper for
adding ALPN support to nginx.
Attached patches against current master and OpenSSL_1_0_2-stable branch.
Best regards,
Piotr Sikora
Fix-compilation-with-no-nextprotoneg-master.patch
Hey Steve,
It picks the highest preference curve supported by both sides, which is
usually the strongest curve but it doesn't have to be.
Oh, cool! Thanks for clarifying that, I somehow missed the new
functions to set the curves list before.
Best regards,
Piotr Sikora
the preferred way as it just does the right thing.
It always chooses the strongest curve supported by both sides, which
isn't always preferred (IMHO).
Best regards,
Piotr Sikora
on NPN code).
Also, I wanted to make sure that SSL_select_next_proto() is not part
of NPN and that it will be available going forward.
Best regards,
Piotr Sikora
Fix-build-with-OPENSSL_NO_NEXTPROTONEG.patch
Hey Mark,
ALPN support is already in the mainline:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691
Best regards,
Piotr Sikora
to disable NPN with
no-npn (as described in CHANGES), which obviously didn't do much
good... no-nextprotoneg works fine, though :)
Best regards,
Piotr Sikora
(ctx, SSL_OP_SINGLE_ECDH_USE);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
The solution is to use only the EC group and not require the EC key
to be already generated.
Signed-off-by: Piotr Sikora pi...@cloudflare.com
---
ssl/t1_lib.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ssl
,
Piotr Sikora
) !defined(OPENSSL_NO_ALPN)
+#error Cannot define both NPN and ALPN
+#endif
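Review bot: the #error here makes NPN and ALPN mutually exclusive at compile time, so a single build can never support both; since NPN is what SPDY clients rely on, this forces an either-or choice. Consider dropping the #error and deciding at runtime instead: offer and prefer ALPN, and fall back to NPN only when the Client Hello announces NPN alone.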
We simply cannot drop support for NPN (i.e. SPDY) just to add support for ALPN.
IMHO, the correct solution would be to always prefer and offer ALPN,
unless the client announced only NPN support in the Client Hello.
Best regards,
Piotr
be
used. I want to have a library that supports both, not either-or.
Best regards,
Piotr Sikora
Hey,
Yes, supporting both at runtime would be best. But having a compile-time
option now, and defaulting to NPN should keep this from being a blocking
issue with the patch, correct?
It would also make it kind of useless, at least from my
non-authoritative point of view.
Best regards,
Piotr
parameter:
$ echo -n 12345 | openssl dgst -sha1 -hex
(stdin)= 8cb2237d0679ca88db6464eac60da96345513964
$ echo -n 12345 | openssl dgst -sha1 -hex
(stdin)= 10298ad22a68325ec5b2a69f209cac87135a5884
Best regards,
Piotr Sikora