Thanks for the report, fixed now.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Thu Dec 10 16:28:39 2015, dan...@haxx.se wrote:
>
> In the curl project we're accessing the 'cert_info' to find the
> 'signature->algorithm' fields from the X509 and X509_CINF structs [*]
> and we
> can't build with openssl git master or the 1.1.0-pre release.
>
> How can we reach that info usin
Assigned CVE-2015-3195 and fixed now. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.opens
On Mon Nov 30 15:25:01 2015, prasha...@ryussi.com wrote:
> Hi,
>
> We are trying to generate CMAC authentication code using EVP_aes_128_ccm
> mode. The CMAC_Final function returning the single byte hash code which
> suppose to return 16-byte hash code.
>
> We tried same algorithm with EVP_aes_128_c
On Sun Nov 29 09:04:03 2015, beld...@gmail.com wrote:
> Hello OpenSSL Team,
>
> I found out that the commit 28f4580c1e510ccf4278a20975c9bc3306f758d6 breaks
> GOST 2012 client auth processing.
>
This should be fixed by commit aa430c7467bcb7aa0a88
Steve.
--
Dr Stephen N. Henson. OpenSSL project cor
On Thu Jul 03 00:37:19 2014, jaroslav.imr...@disig.sk wrote:
> Thank you for the comment - I have moved the new field at the end of
> the TS_RESP_CTX structure.
> I have also introduced TS_SIGNING_DIGEST flag that should prevent
> binary compatibility issues when application allocates TS_RESP_CTX
>
On Wed Nov 18 15:24:50 2015, mxl...@gmail.com wrote:
> OpenSSL TSA (ts) code is still using SHA-1 message digest algorithm,
> in even two ways:
>
> * as default message digest algo in the time-stamp query (by default)
> * in the time-stamp reply/token signature (hard-coded)
>
> This pull request at
On Tue Nov 17 17:43:44 2015, ge...@redhoundsoftware.com wrote:
> When rebuilding with VS 2015 tools, the build fails when fips_premain_dso
> is executed because it does not include applink.c. The attached patch to
> mk1mf.pl fixes the makefile generation.
>
> Because static builds still build fips_
On Sun Nov 15 10:04:28 2015, beld...@gmail.com wrote:
> Hello!
>
> In the commit 5e3d21fef150f020e2d33439401da8f7e311aa24 you set
> the SSL_SSLV3 for the GOST ciphersuites. But the GOST ciphersuites are not
> usable with SSLv3, they require TLSv1.
>
> Could you turn the flag back for the GOST ciphe
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
OK thanks for the update. Ticket closed.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listi
On Mon Oct 12 01:33:17 2015, lily.zh...@emc.com wrote:
>
> I debugged our client, when calling API below, I saw the client
> prococess's CPU went to 25% in my host(my host has 8 GB RAM which is
> more powerful).
>
> We reproduce this issue in different host, CPU can rise to 25%, 66%,
> 100% (differ
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Tue Oct 06 13:27:17 2015, noloa...@gmail.com wrote:
>
> Please update the docs to make it clear they are server-only
> functions. It might be helpful to tell users there are currently no
> client-based APIs they can use to enforce an DH minimum.
>
Well there is in the master branch through secu
On Sun Sep 27 05:11:00 2015, cber...@us.ibm.com wrote:
> How exactly do I apply this patch? The diffs.applink file should be
> input into
> what program? I tried the following which did not work:
>
The patch should be applied to OpenSSL 1.0.2d. Alternatively download the next
1.0.2 snapshot.
Stev
On Thu Sep 24 11:52:05 2015, steve wrote:
>
> I've tried a newer version of VC++ and I also get the "No Applink"
> error when
> it is trying to embed the fingerprint in libeay32.dll. I'll see if
> this can be
> fixed.
Please try the attached patch.
Steve.
--
Dr Stephen N. Henson. OpenSSL project
On Thu Sep 24 19:17:34 2015, dlmee...@gmail.com wrote:
> In a bid to use openssl's non blocking mode with bio pair, we are calling
> SSL_do_handshake to perform handshake and we would like to do callback
> based on role of SSL.
>
> and Seems that OpenSSL does not expose any APi for doing the same.
On Sun Sep 20 22:51:21 2015, steve wrote:
>
> In more detail I just tried a build from sources. I did this:
>
> set FIPSDIR=X:\some\for\fips\module\installation
> cd
> ms\do_fips
> cd
> perl Configure VC-WIN32 fips
> nmake -f ms\ntdll.mak
>
> With no problems. I'd suggest you try that as a starti
On Sat Sep 19 11:14:06 2015, steve wrote:
> On Tue Sep 15 14:33:33 2015, cber...@us.ibm.com wrote:
> > Hi,
> >
> > I'm trying to build the FIPS-140 compliant OpenSSL software on my
> > Windows 7
> > system using the Visual Studio 2015 compiler. I am using OpenSSL-
> > FIPS-
> > 2.0.10
> > and OpenS
Fixed now: the SRP logic was missing from -www so it didn't work properly.
Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing l
On Tue Sep 15 14:33:33 2015, cber...@us.ibm.com wrote:
> Hi,
>
> I'm trying to build the FIPS-140 compliant OpenSSL software on my
> Windows 7
> system using the Visual Studio 2015 compiler. I am using OpenSSL-FIPS-
> 2.0.10
> and OpenSSL-1.0.2d. I'm getting the following build error when trying
>
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
OK, thanks for the update, ticket closed.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/list
On Mon Sep 14 01:09:14 2015, leif.thures...@foxt.com wrote:
> I understand that there has been an overhaul of the TLS-PSK support.
> Is there any chance to get the SSL_use_psk_identity_hint() function
> fixed in the process?
Yes the current implementaion is just plain broken. I've applied a fix to
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
GCM is not supported for CMS enveloped data. Attempting to use it now returns
an error.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To uns
Resolving ticket: not a bug. If you have any more problems use openssl-users.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe:
Fixed now in 1.0.2, it was already fixed in master.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/ma
On Fri Sep 11 17:34:27 2015, afels...@cisco.com wrote:
> Hi,
>
> While running some tests on a module using OpenSSL, we noticed that
> when using EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_CCM_SET_IVLEN,
> length, NULL) to set the IV length, AES/CCM decryption does not seem
> to detect a bad IV length.
Fixed to use a default separator if none is specified.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org
GCM mode isn't currently supported in CMS, it was a bug that it attempted to
use it and produced incorrect results. Resolved now to return an error for GCM.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
Fixed now to SUITEB* works at the beginning of cipher string.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.open
Ancient ticket, resolved long ago. Closing.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/li
No problems reported, marking ticket as resolved.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mail
On Sat Aug 22 10:21:42 2015, alessan...@ghedini.me wrote:
> Hello,
>
> see GitHub pull request at
> https://github.com/openssl/openssl/pull/374
>
> Which adds support for Camellia GCM and adds the correspondent TLS cipher
> suites. Most of the code comes from the AES GCM implementation, so maybe
>
On Mon, Aug 17, 2015, Patil, Ashwini IN BLR STS via RT wrote:
> Hi Mr. Stephen N. Henson,
>
>
>
> Thankyou so much for the reply.
>
>
>
> We would like to use the option1 mentioned by you. But unfortunately the
> dll's were not generated, only static lib's were generated.
>
> Please guide
Done, ticket close.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
On Tue Aug 04 03:24:21 2015, ashwini.vpa...@siemens.com wrote:
> Hello All,
>
> Following steps are done to check the FIPS feasibility .
>
> To check ASLR dependency the following link was referred.
> http://openssl.6102.n7.nabble.com/FIPS-Module-1-2-build-with-Visual-
> Studio-2010-fails-self-test
On Wed Aug 05 01:06:40 2015, m...@bogosian.net wrote:
> Hi Steve,
>
> I've attached three certificate collections: two that fail (where
> subject == issuer) and one that works around the problem (where
> subject != issuer).
OK thanks for the examples. The bug is that OpenSSL 1.0.2 is less strict a
On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:
>
> Please let me know if you have any questions, and I'd be happy to
> elaborate.
>
Can you attach examples of the two certificates (EE and CA) that exhibit this
problem?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commerc
On Thu Jul 30 16:10:14 2015, hotgue...@hotmail.com wrote:
> This affects only openssl windows 64-bit binary, not openssl windows
> 32-bit binary.
>
> OS: Windows 64-bit
> OpenSSL Version: 1.0.2d 64 bit (
> https://slproweb.com/products/Win32OpenSSL.html )
>
> How to reproduce:
> using command smime
The official NULL PSK ciphersuites have now been added to the master branch.
Closing ticket.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
T
On Tue Jun 23 20:09:36 2015, giuseppe.dang...@kdab.com wrote:
> Il 22/06/2015 23:14, Stephen Henson via RT ha scritto:
> >>
> >
> > I'm currently looking at the OpenSSL PSK code. I'll look into
> > incopoorating
> > your changes (in a modified form) a
On Mon Jun 29 14:27:18 2015, meiss...@suse.de wrote:
> Hi,
>
> I am debugging a testsuite error in the perl Net-SSLeay module, which
> got introduced between 1.0.2a
> and 1.0.2c.
>
> The test code looks like this:
>
> ... private key in $pk ...
>
> ok(my $alg2 = Net::SSLeay::EVP_get_cipherbyname("D
On Mon Jun 22 20:07:43 2015, david.von.ohe...@siemens.com wrote:
> Hi OpenSSL maintainers,
>
> I tried checking the status of the EVP_get_digestbynid issue via
> http://rt.openssl.org/Install/index.html
> but the server appears currently misconfigured:
> > Config file /etc/request-tracker4/RT_SiteC
On Sun Jun 21 19:00:55 2015, giuseppe.dang...@kdab.com wrote:
> Yet another version after some refactorings that landed in master.
>
> Please, pretty please, with sugar on top, could anyone review this code
> so that it can get merged?
>
> It's becoming a difficult exercise to keep track of upstrea
Committed now. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo
On Wed Apr 29 00:34:11 2015, noloa...@gmail.com wrote:
> Is there any progress on this?
>
See SSL_COMP_free_compression_methods().
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
OK thanks for the update, ticket resolved.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/lis
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Wed Apr 08 17:20:33 2015, khova...@gmail.com wrote:
> Hi,
>
> I am using FreeBSD 8.2, 32bits i386, OpenSSL package:
> openssl-1.0.1_18 SSL and crypto library
>
> During certificate generation, I found the bug:
> If request CA-lifespan too long, then expiration date drops into far
> past, and
> C
OK thanks for confirming that. Ticket resolved.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailma
On Fri Mar 20 13:20:07 2015, alessan...@ghedini.me wrote:
>
> Months have passed and I haven't received a reply yet (even worse, the
> recent
> obfuscation of the OCSP structures in 6ef869d7d0a9d made it impossible
> to
> workaround the issue as curl has been doing [0]), so I thought I'd add
> some
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
Fixed, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl
On Sat Mar 14 05:46:12 2015, santosh.r...@ca.com wrote:
> Thanks Steve,
> For your valued information.
> After executing the steps
> suggested fips module is building fine.
> But when I build the
> openssl0.9.8.ze with fips flag.
> make is success.
> But make test is
> failing.. with Below error.
>
On Fri Mar 13 21:00:30 2015, santosh.r...@ca.com wrote:
> Thank you Stephen,
>
> Since the product is already build on
> openssl.0.9.8.r, and if we upgrade it to openssl0.1.1l then there
> could be lot of change in terms of API what our product use.
Well if you'd used any OpenSSL 0.9.8 using
./co
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Thu Mar 12 22:16:37 2015, santosh.r...@ca.com wrote:
> Hi
>
> I have downloaded the openssl 0.9.8zd source.
> And I tried below steps to get it install.
>
> 1. ./config fipscanisterbuild
>
> I did not get any configuration error.
>
> 2. make
>
> I got the below linker error.
>
>
>
> make[2]: Ent
On Sat, Mar 07, 2015, Allauddin Ahmad via RT wrote:
> Dear Concerned:
>
> Can you please confirm that OpenSSL branch 0.9.7 branch is not affected by:
>
As Viktor mentioned 0.9.7 is no longer being maintained.
However the following two issues will be present in 0.9.7:
>
> *RSA silent
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Wed Feb 18 21:12:09 2015, laurenz.a...@wien.gv.at wrote:
> I ran into this problem while connecting to a PostgreSQL server
> (PostgreSQL uses OpenSSL
> for SSL support) with a Java client using
> the PostgreSQL JDBC driver (which uses
> the Java Secure Socket
> Extension which is part of Oracle'
On Wed Feb 18 21:12:22 2015, stuart.k...@netiq.com wrote:
>
> Trying to build FIPS capable OpenSSL on HP-UX ia64
>
> Using openssl-fips-2.0.9.tar.gz and openssl-1.0.1l.tar.gz.
>
>
> Looks like the symbols "AES_decrypt" and "AES_encrypt" were renamed to
> "fips_aes_decrypt" and "fips_aes_encrypt" re
Now fixed. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/ope
On Thu Jan 22 22:48:19 2015, shane.bre...@securitease.com wrote:
> t1_lib.o t1_lib.c
> t1_lib.c: In function ‘tls1_get_curvelist’:
> t1_lib.c:473:17: error: invalid type argument of unary ‘*’ (have
> ‘size_t’)
> *pcurveslen = sizeof(fips_curves_default);
> ^
Fixed now, thanks for the report.
Stev
On Mon Jan 19 16:19:50 2015, rob.stradl...@comodo.com wrote:
>
> Steve, while you're there...
>
> I've been caught out a few times in the past because the 'x509'
> utility
> displays the "outer" signature algorithm in the place where it should
> display the "inner" signature algorithm. This is fine
On Mon Jan 19 14:40:32 2015, steve wrote:
>
> The problem is that the two fields containing the signature algorithm
> do not match.
>
The current 'x509' utility can't show this difference (I have an option I'm
testing which will). It is possible to use the cms command diagnostic output
though:
op
On Mon Jan 19 09:30:24 2015, a.you...@informatik.hu-berlin.de wrote:
>
> RFC 4055 as well as RFC 5754 do not make this difference, both say:
> When any of these four object identifiers appears within an
> AlgorithmIdentifier, the parameters MUST be NULL. Implementations
> MUST accept the parameters
On Mon Jan 19 04:49:27 2015, u...@mit.edu wrote:
>
> Does the consensus on the list agree with my statement of the problem,
> and the proposed fix? I hope we all agree that semantically
> parameter list presented as ASN.1 NULL is equivalent to an empty
> parameter list, and should be treated as suc
On Sun Jan 18 12:58:26 2015, u...@mit.edu wrote:
>
> Probable cause: certificate decoder either fails to encode ASN.1 NULL
> for "signature algorithm parameters” when it should, or encodes an
> explicit ASN.1 NULL when it shouldn’t. As a result, the comparison
> code ASN1_TYPE_cmp in crypto/asn1/a_
On Fri Dec 26 12:19:01 2014, sameerpjo...@gmail.com wrote:
> Hi,
>
> I see a problem in OpenSSL code and want to confirm if this has been
> already reported as a bug or not.
>
> If the server sends CertificateRequest during TLS handshake in case of
> TLS1.2, the Client processes this request in met
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/ma
Ticket resolved. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.
On Fri Dec 12 17:52:22 2014, sdao...@yandex.com wrote:
> Hello,
>
> while following Rich Salz's suggestion to make use of
> CONF_modules_load_file() i stumbled personally over the
> restriction that only a global openssl.cnf seems to be supported.
> There is no support for automatic loading of a $H
On Mon Dec 08 20:20:44 2014, sdao...@yandex.com wrote:
> Hello,
>
> and finally i propose three new values for the "Protocol" slot of
> SSL_CONF_CTX_cmd(): OLDEST, NEWEST and VULNERABLE.
>
Just to add my 2p to this thread which seems to have veered into rather
different territory...
I don't think
On Mon Dec 08 19:58:31 2014, sdao...@yandex.com wrote:
> Commit [45f55f6] (Remove SSLv2 support, 2014-11-30) completely
> removed SSLv2 support and the commit message states "The only
> support for SSLv2 left is receiving a SSLv2 compatible client
> hello".
>
> If people start using SSL_CONF_CTX as
On Mon Dec 01 10:43:36 2014, ar...@maven.pl wrote:
>
> Some web browsers (google chrome for example) do support Authority
> Information
> Access for fetching intermediate certificates.
>
> openssl library (client side) unfortunately seems to be not able to do
> that.
>
> So this is feature request
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.ope
Applied now. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.o
Fixed now, thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.ope
On Thu Oct 16 14:22:19 2014, yoi_no_myou...@yahoo.co.jp wrote:
> Hello,
>
> I'd like to build openssl-1.0.1j with "no-ssl3", but can not.
>
>
> ./Configure --prefix=/opt/local/openssl solaris-x86-cc threads shared
> zlib no-ssl3
>
> Got message:
>
> --- from here, message ---
>
> Since you've disab
On Wed Oct 08 19:12:41 2014, tm...@redhat.com wrote:
> When connecting to a virtual, SNI defined host openssl selects SHA1
> digest instead of SHA512, as it does for the default host.
>
The cause is that some negotiated parameters are wiped when SSL_set_SSL_CTX is
called. Try the attached patch.
On Thu Sep 04 23:19:14 2014, rsalz wrote:
> openssl uses time_t for its internal time value.
> On a platform where time_t is 32 bits, the maximum time value is sometime in
> the year 2038
Actually this is no longer the case. There was a time_t depencency in OpenSSL
0.9.8 and earlier which caused o
On Fri Aug 22 21:00:55 2014, tris...@saticed.me.uk wrote:
> I have the global sign new and old CA certs in a single file.
> Successful verification seems to depend on the order of the
> certificates in the file:
>
> $ cat globalsign_new.pem globalsign_old.pem > test.pem
> $ openssl s_client -connec
On Tue Aug 26 21:00:02 2014, rsalz wrote:
> It would be fairly easy to address just the exponent issue. Add
> #define DH_FLG_NIST_EXP_LENGTH 0x01
> int DH_generate_key_ex(DH* dh, unsigned long flags)
> {
> if (flags & DH_FLG_NIST_EXP_LENGTH)
> dh->length = calc_nist_length(dh);
> return DH_generate
As indicated in message thread in openssl-dev this is now resolved.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project
On Sat Aug 09 05:36:56 2014, rsalz wrote:
> Thomas and Stephen, can you review the history of this and decide?
Closing ticket. This was resolved long ago by the option
SSL_OP_LEGACY_SERVER_CONNECT
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now availabl
On Thu Aug 07 23:31:24 2014, dan...@haxx.se wrote:
>
> I can't agree with that since I believe exit() is not a business a
> library
> should do almost no matter what, but clearly you think otherwise.
>
I'm just explaining the "logic" behind that behaviour. It was written over 10
years ago and some
On Thu Aug 07 20:35:50 2014, steve wrote:
>
> The whole point of OPENSSL_config() is that it is a minimal function
> that just
> tries to load configuration modules and is better than nothing if the
> application cannot include appropriate error handling. It has no idea
> what an
> application cons
On Thu Aug 07 19:33:55 2014, dan...@haxx.se wrote:
> Hi
>
> As OpenSSL is a library, it should only ever use exit in the case of
> sever
> problems and not just for "mere" run-time problems.
>
> OPENSSL_config() is documented to be strongly recommended but yet it
> calls
> exit(1) if it fails to pa
On Tue Aug 05 09:18:02 2014, jan.hy...@acision.com wrote:
> Hello,
>
> OpenSSL (1.0.1h and older) contains following problematic part of code
> in
> /crypto/bio/bss_dgram.c, dgram_sctp_read():
>
Are you explicitly enabling SCTP support with "enable-sctp" or does the default
version of OpenSSL have
Well the error message is telling you it doesn't like a line in the
configuration file. From that error message it is putting something like:
subjectAltName = 192168113.1
in there which is invalid syntax. The correct syntax is described here:
https://www.openssl.org/docs/apps/x509v3_config.html#
Fixed now (duplicate of PR#3176).
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.ope
Fixed now. Locking now doesn't depend on FIPS mode. Thanks for the report.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project
Fixed now.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
Development Ma
On Fri Jul 25 12:22:51 2014, david.winger...@navigant.com wrote:
> This was present only since the new binaries provided to address heart
> bleed there are others having challenges with this. It seems
> somehow related to vmware possibly here is the original thread.
>
> https://forum.filezilla-
> p
On Mon Jul 21 20:29:47 2014, v...@v13.gr wrote:
>
> I'm not sure whether this change is needed at all as there's no
> justification
> for it.
The justification is in RFC3280 et al:
"The UTF8String encoding [RFC 2279] is the preferred encoding, and all
certificates issued after December 31, 2003 M
On Sat Jul 19 09:14:36 2014, noloa...@gmail.com wrote:
> According to RFC 5915 (http://tools.ietf.org/html/rfc5915):
>
> ECPrivateKey ::= SEQUENCE {
> version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
> privateKey OCTET STRING,
> parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
> publicKe
Now applied to master branch. Many thanks for your contribution.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project
101 - 200 of 998 matches
Mail list logo