Re: ECDHE problem with 1.0.2-dev
On Fri, Nov 01, 2013, Piotr Sikora wrote: > Hey, > > > I think it's a bug in OpenSSL 1.0.2. It shouldn't break anything that works > > in > > previous versions, at least not without a very good reason. > > > > I'll look into it. > > I already reported / patched this a while ago (with no response): > https://rt.openssl.org/Ticket/Display.html?id=3103 > Oops sorry missed that. > > It's the preferred way as it just does the right thing. > > It always choses the strongest curve supported by both sides, which > isn't always preferred (IMHO). > It picks the highest preference curve supported by both sides, which is usually the strongest curve but it doesn't have to be. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3103] [PATCH] Set TLS EC curve_id from EC group alone.
On Fri Aug 02 10:23:33 2013, pi...@cloudflare.com wrote: > Hello, > attached patch fixes the issue with dropped support for EC cipher > suites in software that uses SSL_OP_SINGLE_ECDH_USE after upgrading to > OpenSSL-1.0.2+. > Fixed now, thanks for the report. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: ECDHE problem with 1.0.2-dev
Hey, > I think it's a bug in OpenSSL 1.0.2. It shouldn't break anything that works in > previous versions, at least not without a very good reason. > > I'll look into it. I already reported / patched this a while ago (with no response): https://rt.openssl.org/Ticket/Display.html?id=3103 > It's the preferred way as it just does the right thing. It always choses the strongest curve supported by both sides, which isn't always preferred (IMHO). Best regards, Piotr Sikora __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: ECDHE problem with 1.0.2-dev
On Fri, Nov 01, 2013, Rob Stradling wrote: > Hi. When I build the latest development version of httpd or nginx > against the OpenSSL_1_0_2-stable branch, the ECDHE-RSA and > ECDHE-ECDSA ciphers don't work. With both webservers, I can get > these ciphers to work by either... > 1. Deleting: SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); > or > 2. Adding: SSL_CTX_set_ecdh_auto(ctx, 1); > > Should it still be possible to manually configure ECDH keys using > SSL_CTX_set_tmp_ecdh() in 1_0_2? > If so, any ideas why it isn't working? Is there a bug in > OpenSSL_1_0_2-stable? Or are both httpd and nginx doing something > wrong? > I think it's a bug in OpenSSL 1.0.2. It shouldn't break anything that works in previous versions, at least not without a very good reason. I'll look into it. > Or, is "SSL_CTX_set_ecdh_auto(ctx, 1);" the only supported way of > doing it in 1_0_2? > It's the preferred way as it just does the right thing. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
ECDHE problem with 1.0.2-dev
Hi. When I build the latest development version of httpd or nginx against the OpenSSL_1_0_2-stable branch, the ECDHE-RSA and ECDHE-ECDSA ciphers don't work. With both webservers, I can get these ciphers to work by either... 1. Deleting: SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); or 2. Adding: SSL_CTX_set_ecdh_auto(ctx, 1); Should it still be possible to manually configure ECDH keys using SSL_CTX_set_tmp_ecdh() in 1_0_2? If so, any ideas why it isn't working? Is there a bug in OpenSSL_1_0_2-stable? Or are both httpd and nginx doing something wrong? Or, is "SSL_CTX_set_ecdh_auto(ctx, 1);" the only supported way of doing it in 1_0_2? Thanks. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3151] Bug report: openssl-1.0.1e-28.fc19.i686 on Fedora 19: OPENSSL_ia32_cpuid() misdetects RDRAND instruction on old Cyrix M II i686 CPU
On Čt, 2013-10-31 at 22:05 +0100, Kurt Roeckx wrote: > On Mon, Oct 28, 2013 at 09:33:05AM +0100, Andre Robatino via RT wrote: > > I have an old i686 machine with a Cyrix M II CPU running Fedora 19. The > > latest version of openssl (openssl-1.0.1e-28.fc19.i686) doesn't work > > properly with it due to OPENSSL_ia32_cpuid() misdetecting the RDRAND > > instruction (see https://bugzilla.redhat.com/show_bug.cgi?id=1022346 ). > > All previous versions (up to openssl-1.0.1e-4.fc19.i686) worked > > properly. I was advised to create an upstream ticket. The listed bug > > report contains /proc/cpuinfo output and a gdb stack trace. > > This is a duplicate of ticket #3005 > > This has been fixed after the 1.0.1e release in: > http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5702e965d759dde8a098d8108660721ba2b93a7d > > But if -4 worked and -28 fails, you really should look what > fedora changed between those releases. The -4 worked because the RDRAND engine was erroneously completely disabled in the Fedora build. Only after the enablement of it the bug in the CPU detection could manifest. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org