Re: [openssl.org #3152] AutoReply: Segfault in d1_pkt.c in FIPS mode

Hi! I would like to close this since it's not a bug. Best regards, Fredrik Jansson On Mon, Oct 28, 2013 at 9:33 AM, The default queue via RT r...@openssl.orgwrote: Greetings, This message has been automatically generated in response to the creation of a trouble ticket regarding:

Re: OpenSSL client DH group limits

We noticed the same thing and would also recommend that the openssl client reject small DH groups. This would complement the strong validity checks that openssl already by e.g. checking primality and rejecting invalid public keys. On the precise number of minimum bits, please note that IIS

[openssl.org #3160] [PATCH 1/2] disambiguate SSL_R_NO_PEM_EXTENSIONS from SSL_R_INVALID_SERVERINFO_DATA

Somehow, both SSL_R_NO_PEM_EXTENSIONS and SSL_R_INVALID_SERVERINFO_DATA were assigned reason code 389. This patch uses the next available number (393) for SSL_R_NO_PEM_EXTENSIONS to disambiguate the two reason codes. --- ssl/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[openssl.org #3161] [PATCH 2/2] Avoid deprecated defined(@array) in mkerr.pl

Without these changes, running util/mkerr.pl on modern perl (5.18.1) produces the following deprecation warnings: defined(@array) is deprecated at util/mkerr.pl line 792. (Maybe you should just omit the defined()?) defined(@array) is deprecated at util/mkerr.pl line 800. (Maybe

[openssl.org #3162] enhancement request - PSK AES algorithms available in FIPS mode

Hi! I would like to request the following algorithms to be available in FIPS mode: TLS1_TXT_PSK_WITH_AES_128_CBC_SHA TLS1_TXT_PSK_WITH_AES_256_CBC_SHA Please see the DTLS PSK in FIPS mode discussion on then openssl-users list. Attached is a patch for s3_lib.c that makes the said algorithms

Need get() and clear() functions for chain_certs in 1.0.2-dev

These 2 #defines exist for SSL_CTX-extra_certs: SSL_CTX_add_extra_chain_cert SSL_CTX_get_extra_chain_certs SSL_CTX_clear_extra_chain_certs In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me to specify different chains for different certificate types, but AFAICT there are

Re: Need get() and clear() functions for chain_certs in 1.0.2-dev

On Wed, Nov 06, 2013, Rob Stradling wrote: These 2 #defines exist for SSL_CTX-extra_certs: SSL_CTX_add_extra_chain_cert SSL_CTX_get_extra_chain_certs SSL_CTX_clear_extra_chain_certs In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me to specify different chains for

[openssl.org #2771] [BUG] Openssl 1.0.1 times out when connecting to Outlook Exchange 2007

On Thu Mar 29 21:17:31 2012, steve wrote: A temporary workaround for this is to apply these two patches to OpenSSL 1.0.1: http://cvs.openssl.org/chngview?cn=22286 http://cvs.openssl.org/chngview?cn=22306 And recompile OpenSSL with -DOPENSSL_NO_TLS1_2_CLIENT (e.g. supplied as a command line

Re: OpenSSL client DH group limits

On 11/06/2013 05:08 AM, Karthikeyan Bhargavan wrote: On the precise number of minimum bits, please note that IIS uses a static 768-bit Diffie Hellman prime, specifically Group 1 from IKEv2 (rfc5996, appendix B.1)/ I suspect a number of other servers may do the same; hence the numbers you see