Re: [openssl-dev] Renegotiation ticket 3712

2017-04-03 Thread Matt Caswell
On 03/04/17 11:24, Mody, Darshan (Darshan) wrote:
> Thanks Matt,
>
> Just another query. Is the issue addressed in the latest openssl 1.1.0?

My answer was for 1.1.0 (as was your original question)? In any case it is not addressed in any OpenSSL version.

Matt

> Regards
> Darshan

Re: [openssl-dev] In ssl3_write_bytes, some checks related to handling write failure are missing

2017-04-03 Thread Matt Caswell
On 31/03/17 18:54, Raja ashok wrote:
> Hi All,
>
> In ssl3_write_bytes, if (len < tot) we are returning failure with
> SSL_R_BAD_LENGTH error. In this place I hope we should set “tot” back to
> “s->s3->wnum”. Otherwise when application calls back SSL_write with
> correct buffer, it causes

Re: [openssl-dev] Renegotiation ticket 3712

2017-04-03 Thread Mody, Darshan (Darshan)
Matt, I was under the impression that the issue would have been addressed in the latest openssl version 1.1.0. In case of high traffic and high secure networks, one of the best ways to validate the long-lived connection is to do renegotiation (unless the negotiated protocol is TLS 1.3, still in draft phase).

[openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-03 Thread Benjamin Kaduk via openssl-dev
Hi all, We noticed that the depth limit check seems to behave differently between 1.0.2 and 1.1.0. In particular, with a (1.1.0) openssl/test$ ../util/shlib_wrap.sh ../apps/openssl s_server -port 8080 -cert certs/ee-cert.pem -certform PEM -key certs/ee-key.pem -keyform PEM -no-CApath -CAfile

Re: [openssl-dev] verify depth behavior change from 1.0.2 to 1.1.0?

2017-04-03 Thread Viktor Dukhovni
> On Apr 3, 2017, at 4:26 PM, Benjamin Kaduk wrote:
>
> There was a fair amount of churn in x509_vfy.c with the inclusion
> of the DANE stuff and whatnot, so it's not immediately clear to me
> when this change actually happened. I think there are good
> arguments for the

Re: [openssl-dev] Renegotiation ticket 3712

2017-04-03 Thread Salz, Rich via openssl-dev
> The issue is fairly time sensitive and leads to non-deterministic outcome.
>
> Hence I was expecting the issue to be addressed with openssl version 1.1.0
> due to major overhaul of state machine and internals.

Perhaps a more accurate way to say it is "I was hoping ..." :) If this is

Re: [openssl-dev] Renegotiation ticket 3712

2017-04-03 Thread Mody, Darshan (Darshan)
Thanks Matt, Just another query. Is the issue addressed in the latest openssl 1.1.0? Regards Darshan -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Matt Caswell Sent: Monday, April 03, 2017 2:53 PM To: openssl-dev@openssl.org Subject: Re: